Bug#1040498: Should we consider the transition ready (Was: Bug#1040498: transition: r-bioc-biocgenerics)
Hi Andreas

Sorry for the incomplete reply. I'll respond to the other points when I have more time.

On Wed, 16 Aug 2023 at 11:24, Andreas Tille wrote:
> Do you see any further blockers?

tracker.d.o. is having some issues (see #1043546), but you can still access up-to-date excuses here:
https://qa.debian.org/excuses.php?package=r-bioc-biocgenerics

The current blocker I see is:

Implicit dependency: r-bioc-biocgenerics r-bioc-decoupler (not considered)

Regards
Graham
Bug#1049902: [Pkg-raspi-maintainers] Bug#1049902: bookworm-pu: package raspi-firmware/20220830+ds-1+deb12u1
Hi Gunnar,

Gunnar Wolf (2023-08-16):
> [ Risks ]
> The code is very simple.

Cassandra being my middle name, I'd advocate for more caution: The code change is relatively simple, but raspi-firmware hooks are not trivial…

> The only risk I can think of is that the bug might still impact users
> of non-Raspberry ARM systems. However, the likelihood of having it
> installed is minor (due to the available hardware being different).

Live images as of 12.0.0 installed all firmware packages, including that one, so that likelihood is *definitely not minor*.

> [ Changes ]
> Postinst will now check whether the architecture is ARM*, and exit
> otherwise without doing the firmware install dance.
>
> [ Other info ]
> A more proper fix would be to create a separate package with the wireless
> Broadcom firmware. I have requested for the kernel team (maintainers of
> firmware-brcm80211) to do so, but have got no positive response.

I'd call that an orthogonal topic.

In the extra checks department, I'd suggest making sure that once raspi-firmware is installed on say an amd64 machine, upgrading it to the proposed version makes it possible to upgrade a kernel (which has been the major pain point up to now) and also to… remove raspi-firmware. As far as I can remember from user horror stories, they couldn't even remove the package, and had to manually remove hooks under /etc before being able to finally remove the package. Pinch of salt, don't trust my memory.

Cheers,
--
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
Processed: bookworm-pu: package raspi-firmware/20220830+ds-1+deb12u1
Processing control commands:

> affects -1 + src:raspi-firmware
Bug #1049902 [release.debian.org] bookworm-pu: package raspi-firmware/20220830+ds-1+deb12u1
Added indication that 1049902 affects src:raspi-firmware

--
1049902: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049902
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1049902: bookworm-pu: package raspi-firmware/20220830+ds-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: raspi-firmw...@packages.debian.org
Control: affects -1 + src:raspi-firmware

[ Reason ]
raspi-firmware was built assuming it would be installed only in Raspberry systems. However, now that firmware-nonfree is a proper section of Debian, and there is firmware autodetection, it gets pulled in several AMD64 systems as well. When /boot/firmware is not mounted (as is the case in AMD64), postinst fails. This yields a failure on kernel upgrades.

[ Impact ]
Many users have reported issues when upgrading the kernel.

[ Tests ]
I have not yet tested this particular version (but intend to do so soon and report -- I want to get this reported to you first, though!), but the debdiff is trivial, and is backported identically to the fix I sent to unstable (and is now in testing) several weeks ago.

[ Risks ]
The code is very simple. The only risk I can think of is that the bug might still impact users of non-Raspberry ARM systems. However, the likelihood of having it installed is minor (due to the available hardware being different). Besides, fixing this (i.e. via detecting the Raspberry model from entries in /sys) would break other use cases, such as VM-based image building.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Postinst will now check whether the architecture is ARM*, and exit otherwise without doing the firmware install dance.

[ Other info ]
A more proper fix would be to create a separate package with the wireless Broadcom firmware. I have requested for the kernel team (maintainers of firmware-brcm80211) to do so, but have got no positive response.
-- diff -Nru raspi-firmware-1.20220830+ds/debian/changelog raspi-firmware-20220830+ds/debian/changelog --- raspi-firmware-1.20220830+ds/debian/changelog 2022-10-03 09:11:55.0 -0500 +++ raspi-firmware-20220830+ds/debian/changelog 2023-08-16 09:51:39.0 -0600 @@ -1,3 +1,10 @@ +raspi-firmware (20220830+ds-1+deb12u1) bookworm; urgency=medium + + * Skip running postinst if installing on a system that's not arch:arm* +(Closes: #1040896, #1040485, #1042070, #1040669, #1049448) + + -- Gunnar Wolf Wed, 16 Aug 2023 09:51:39 -0600 + raspi-firmware (1.20220830+ds-1) unstable; urgency=medium [ Gunnar Wolf ] diff -Nru raspi-firmware-1.20220830+ds/debian/kernel/postinst.d/z50-raspi-firmware raspi-firmware-20220830+ds/debian/kernel/postinst.d/z50-raspi-firmware --- raspi-firmware-1.20220830+ds/debian/kernel/postinst.d/z50-raspi-firmware 2022-10-03 09:11:55.0 -0500 +++ raspi-firmware-20220830+ds/debian/kernel/postinst.d/z50-raspi-firmware 2023-08-16 09:51:39.0 -0600 
@@ -27,11 +27,25 @@ grep -q 'Raspberry Pi \(Compute Module \)*4' /sys/firmware/devicetree/base/model 2>/dev/null } +is_arm_system() { + # Check to see if the host is running an arm-based system + # (i.e. whether the raspi-firmware package is useful) + DPKG_ARCH=$(dpkg --print-architecture) + case "$DPKG_ARCH" in +arm64|armel|armhf) + return 0;; +*) + return 1;; + esac +} if ischroot ; then true # chroot detected - skip mount point check elif [ -e /usr/bin/systemd-detect-virt ] && systemd-detect-virt -q ; then true # virtualization detected - skip mount point check +elif ! is_arm_system ; then + # Not running on an arm-based system, skip postinst. + exit 0 elif ! mountpoint -q /boot/firmware ; then echo "raspi-firmware: missing /boot/firmware, did you forget to mount it?" >&2 exit 1 diff -Nru raspi-firmware-1.20220830+ds/debian/raspi-firmware.postinst raspi-firmware-20220830+ds/debian/raspi-firmware.postinst --- raspi-firmware-1.20220830+ds/debian/raspi-firmware.postinst 2022-10-03 09:11:55.0 -0500 +++ raspi-firmware-20220830+ds/debian/raspi-firmware.postinst 2023-08-16 09:51:39.0 -0600 @@ -3,6 +3,18 @@ set -e +is_arm_system() { + # Check to see if the host is running an arm-based system + # (i.e. whether the raspi-firmware package is useful) + DPKG_ARCH=$(dpkg --print-architecture) + case "$DPKG_ARCH" in +arm64|armel|armhf) + return 0;; +*) + return 1;; + esac +} + case "$1" in configure) @@ -10,6 +22,9 @@ true # chroot detected - skip mount point check elif test -e /usr/bin/systemd-detect-virt && systemd-detect-virt -q ; then true # virtualization detected - skip mount point check +elif ! is_arm_system ; then + # Not running on an arm-based system, skip the postinst + exit 0 elif ! mountpoint -q /boot/firmware; then echo "Error: missing /boot/firmware, did you forget to mount it?" >&2 exit 1 signature.asc Description: PGP signature
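Review bot: the version in the new changelog entry drops the leading "1." of the upstream version: the entry reads `raspi-firmware (20220830+ds-1+deb12u1)` and the new tree is `raspi-firmware-20220830+ds`, while the previous entry and the old tree are `1.20220830+ds-1` and `raspi-firmware-1.20220830+ds`. Unless upstream really changed its version scheme, this should be `1.20220830+ds-1+deb12u1`; as it stands the debdiff compares two differently named source trees and the upload would not carry the version the release team expects for a bookworm update.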
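Review bot: in `z50-raspi-firmware` the new `elif ! is_arm_system` branch sits after the `ischroot` and `systemd-detect-virt` branches, so a non-arm chroot or VM still falls through to the firmware install steps that follow; if that is intended (image builds), say so in the comment, otherwise make the architecture test the first branch so it gates every environment. A short comment above `DPKG_ARCH=$(dpkg --print-architecture)` noting that this is dpkg's architecture for the installation rather than the running kernel's would also help the next reader, since that is exactly why it is the right test for a package hook.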
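Review bot: `is_arm_system()` is now duplicated byte for byte in `debian/kernel/postinst.d/z50-raspi-firmware` and `debian/raspi-firmware.postinst`, with only the trailing comment ("skip postinst" versus "skip the postinst") differing. For a stable update that is acceptable, but a follow-up in unstable should move the function into one sourced helper so the two copies cannot drift, and the comment wording should be made identical in the meantime.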
Bug#1049899: bookworm-pu: package exim4/4.96-15+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
Control: affects -1 + src:exim4

Hello,

I would like to push another round of cherry-picked upstream fixes to bookworm. They have been part of the uploads to sid up to and including 4.96-19.

This was mainly triggered by
+ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand TLS cert expiry date. Closes: #1043233
which borders on RC and
+ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch (Upstream bug 3013)
which is similar to #1025420.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog --- exim4-4.96/debian/changelog 2023-07-02 14:56:17.0 +0200 +++ exim4-4.96/debian/changelog 2023-08-16 15:12:39.0 +0200
@@ -1,3 +1,19 @@ +exim4 (4.96-15+deb12u2) bookworm; urgency=medium + + * Multiple bugfixes from upstream GIT master: ++ 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch ++ 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch + (Upstream bug 2998) ++ 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch ++ 75_78-Fix-free-of-value-after-run.patch ++ 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch + (Upstream bug 3013) ++ 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand + TLS cert expiry date. Closes: #1043233 + (Upstream bug 3014) + + -- Andreas Metzler Wed, 16 Aug 2023 15:12:39 +0200 + exim4 (4.96-15+deb12u1) bookworm; urgency=medium * 75_42-Fix-run-arg-parsing.patch (From upstream GIT master, backported by diff -Nru exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch --- exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch 2023-08-16 14:59:06.0 +0200 
@@ -0,0 +1,35 @@ +From 4d108ee9b8e5fb212c31812fef61529cd414 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Mon, 12 Jun 2023 22:13:46 +0100 +Subject: [PATCH] Cancel early-pipe on an observed advertising change + +--- + src/transports/smtp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/transports/smtp.c b/src/transports/smtp.c +index c72028ce9..24ee577a2 100644 +--- a/src/transports/smtp.c b/src/transports/smtp.c +@@ -,15 +,18 @@ if (pending_EHLO) + *(tls_out.active.sock < 0 + ? &sx->ehlo_resp.cleartext_features : &sx->ehlo_resp.crypted_features) = + peer_offered; + *ap = authbits; + write_ehlo_cache_entry(sx); + } + else ++ { + invalidate_ehlo_cache_entry(sx); ++ sx->early_pipe_active = FALSE; /* cancel further early-pipe on this conn */ ++ } + + return OK; /* just carry on */ + } + # ifdef EXPERIMENTAL_ESMTP_LIMITS + /* If we are handling LIMITS, compare the actual EHLO LIMITS values with the + cached values and invalidate cache if different. OK to carry on with + connect since values are advisory. */ +-- +2.40.1 + diff -Nru exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch --- exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 1970-01-01 01:00:00.0 +0100 +++ exim4-4.96/debian/patches/75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch 2023-08-16 15:11:54.0 +0200 
@@ -0,0 +1,99 @@ +From 1209e3e19e292cee517e43a2ccfe9b44b33bb1dc Mon Sep 17 00:00:00 2001 +From: Jasen Betts +Date: Sun, 23 Jul 2023 13:43:59 +0100 +Subject: [PATCH] Expansions: disallow UTF-16 surrogates from ${utf8clean:...}. + Bug 2998 + +--- + doc/ChangeLog | 4 + src/expand.c | 27 +-- + 2 files changed, 21 insertions(+), 10 deletions(-) + +--- a/src/expand.c b/src/expand.c +@@ -7731,11 +7731,11 @@ NOT_ITEM: ; + + case EOP_UTF8CLEAN: + { + int seq_len = 0, index = 0; + int bytes_left = 0; +- long codepoint = -1; ++ ulong codepoint = (ulong)-1; + int complete; + uschar seq_buff[4]; /* accumulate utf-8 here */ + + /* Manually track tainting, as we deal in individual chars below */ + +@@ -7761,40 +7761,47 @@ NOT_ITEM: ; + codepoint = (codepoint << 6) | (c & 0x3f); + seq_buff[index++] = c; + if (--bytes_left == 0) /* codepoint complete */ + if(codepoint > 0x10) /* is it too large? */ + complete = -1; /* error (RFC3629 limit) */ ++ else if ( (codepoint & 0x1FF800 ) == 0xD800 ) /* surrogate */ ++ /* A UTF-16 surrogate (which should be one of a
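Review bot: in the changelog hunk, three of the six listed patches (75_74, 75_77, 75_78) carry no upstream bug number or `Closes:` reference while the other three do; add the upstream bug or commit reference for each so every cherry-pick in the stable update can be traced back, which the release team will ask for anyway.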
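Review bot: the embedded hunk header inside `75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch` appears here as `@@ -,15 +,18 @@`, with no starting line numbers on either side; if the file in the upload really looks like this, `patch` and quilt will reject it and the package will fail to build, so confirm the patch applies cleanly before uploading. The change itself, clearing `sx->early_pipe_active` next to `invalidate_ehlo_cache_entry(sx)` when the advertised EHLO features no longer match the cache, is the right reaction and matches the patch subject.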
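Review bot: in `75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch`, `codepoint` changes from `long` initialised to `-1` to `ulong` initialised to `(ulong)-1`, so any remaining comparison in `EOP_UTF8CLEAN` of the form `codepoint < 0` (the old sentinel) can never be true again; the rest of that block is cut off in this excerpt, so confirm every use of the sentinel was adjusted in the same patch. The added surrogate test `(codepoint & 0x1FF800) == 0xD800` does select exactly U+D800 through U+DFFF, so that part is correct.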
Processed: bookworm-pu: package exim4/4.96-15+deb12u2
Processing control commands:

> affects -1 + src:exim4
Bug #1049899 [release.debian.org] bookworm-pu: package exim4/4.96-15+deb12u2
Added indication that 1049899 affects src:exim4

--
1049899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049899
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1040498: Should we consider the transition ready (Was: Bug#1040498: transition: r-bioc-biocgenerics)
Hi,

the last new precondition was accepted so all r-bioc-* packages are uploaded and built meanwhile. The only not-transitioned package is r-bioc-bitseq where I filed a removal bug for[1]. So we have at least all r-bioc-* packages in their current version.

[1] https://bugs.debian.org/1049359

Am Tue, Aug 01, 2023 at 01:06:41PM + schrieb Graham Inggs:
> Hi Andreas
>
> You should check on the package tracker pages for all the r-bioc-*
> uploads and make sure they are ready to migrate along with
> r-bioc-biocgenerics, e.g. r-bioc-cummerbund [1].
>
> r-bioc-biocversion appears to break the autopkgtest of
> r-cran-biocmanager/1.30.21.1+dfsg-1 in testing.

We now have 1.30.22+dfsg-2 in unstable which passes its tests. Do we need to do some further action?

> At least the following packages are failing their own autopkgtests in
> unstable (list not complete):
> r-bioc-cummerbund
> r-bioc-decoupler
> r-bioc-monocle
> r-bioc-scran
> r-bioc-singler

Most of those packages have autopkgtests marked as Failed (not a regression). Am I correct that we do not need to take any action regarding the transition?

The only exception in this list (as far as I can see) is https://tracker.debian.org/pkg/r-bioc-scran

I'm about to verify the possible rounding error for i386 which might be fixed by relaxing the boundaries or ignoring this single test. I'm wondering about the issue with ppc64el where the log[2] says:

43s Broken autopkgtest-satdep:ppc64el Depends on r-bioc-scrnaseq:ppc64el < none @un H >
43s Considering r-bioc-scrnaseq:ppc64el 2 as a solution to autopkgtest-satdep:ppc64el -2
43s Removing autopkgtest-satdep:ppc64el rather than change r-bioc-scrnaseq:ppc64el

> r-bioc-dupradar has regressed from passing to neutral, apparently due
> to the use of 'skip-not-installable'. Please don't use this
> restriction on all the autopkgtests in a package, otherwise there are
> no tests which are not superficial, and regressions can migrate to
> testing.

Could you please be more verbose about this hint (may be suggesting a patch that implements your suggestion since I'm afraid I do not understand this correctly)

Do you see any further blockers?

Kind regards
Andreas.

[2] https://ci.debian.net/data/autopkgtest/testing/ppc64el/r/r-bioc-scran/36185915/log.gz

--
http://fam-tille.de
Bug#1049862: bookworm-pu: package efibootguard/0.13-2+deb12u1
Package: release.debian.org
Control: affects -1 + src:efibootguard
X-Debbugs-Cc: efibootgu...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
This backports the fix for CVE-2023-39950 to bookworm. The Security Team told us to go the stable-pu route.

[ Impact ]
The user might be vulnerable to CVE-2023-39950 in certain configurations. This will be some swupdate users in Debian.

[ Tests ]
I did not exploit the bug (no time for this). I checked that the patches compile okay.

[ Risks ]
None.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

diff -Nru efibootguard-0.13/debian/changelog efibootguard-0.13/debian/changelog --- efibootguard-0.13/debian/changelog 2022-12-20 23:38:11.0 +0100 +++ efibootguard-0.13/debian/changelog 2023-08-10 14:51:14.0 +0200 @@ -1,3 +1,14 @@ +efibootguard (0.13-2+deb12u1) bookworm; urgency=medium + + * d/patches: Backport fix to address CVE-2023-39950 +Backport of security fix for CVE-2023-39950, Insufficient +or missing validation and sanitization of input from untrustworthy +bootloader environment files can cause crashes and probably also +code injections into `bg_setenv`) or programs using `libebgenv`. +(Closes: #1049436) + + -- Gylstorff Quirin Thu, 10 Aug 2023 14:51:14 +0200 + efibootguard (0.13-2) unstable; urgency=medium * use correct version to break/replaces libebgenv-dev 0.12-1 diff -Nru efibootguard-0.13/debian/patches/Introduce-validation-of-bgenv-prior-to-its-usage.patch efibootguard-0.13/debian/patches/Introduce-validation-of-bgenv-prior-to-its-usage.patch --- efibootguard-0.13/debian/patches/Introduce-validation-of-bgenv-prior-to-its-usage.patch 1970-01-01 01:00:00.0 +0100 +++ efibootguard-0.13/debian/patches/Introduce-validation-of-bgenv-prior-to-its-usage.patch 2023-08-10 14:51:14.0 +0200
@@ -0,0 +1,190 @@ +From 188fe5f47f9f9e8a4f67bf4e4a840ce84d80641c Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Mon, 24 Jul 2023 08:00:34 +0200 +Subject: [PATCH 5/9] Introduce validation of bgenv prior to its usage + +The parsing of user variables assumes sane input so far and can be +mislead to out-of-bounds accesses, including writes. Address this by +always validating a bgenv after reading it from a partition or a file. +If an invalid bgenv is found, it is cleared to zero internally so that +the existing code will always operate against a sane state. + +Include the CRC32 validation in the new helper as well which also +ensures that the checksum is tested when operating against a specific +file. + +Reported by Code Intelligence. + +Addresses CVE-2023-39950 + +Signed-off-by: Jan Kiszka +--- + env/env_api_fat.c | 44 ++-- + env/uservars.c | 29 + + include/env_api.h | 2 ++ + include/uservars.h | 3 +++ + tools/bg_envtools.c | 6 +- + 5 files changed, 73 insertions(+), 11 deletions(-) + +diff --git a/env/env_api_fat.c b/env/env_api_fat.c +index 0f4f474..b7540bb 100644 +--- a/env/env_api_fat.c b/env/env_api_fat.c +@@ -51,6 +51,33 @@ void bgenv_be_verbose(bool v) + ebgpart_beverbose(v); + } + ++static void clear_envdata(BG_ENVDATA *data) ++{ ++ memset(data, 0, sizeof(BG_ENVDATA)); ++ data->crc32 = crc32(0, (Bytef *)data, ++ sizeof(BG_ENVDATA) - sizeof(data->crc32)); ++} ++ ++bool validate_envdata(BG_ENVDATA *data) ++{ ++ uint32_t sum = crc32(0, (Bytef *)data, ++ sizeof(BG_ENVDATA) - sizeof(data->crc32)); ++ ++ if (data->crc32 != sum) { ++ VERBOSE(stderr, "Invalid CRC32!\n"); ++ /* clear invalid environment */ ++ clear_envdata(data); ++ return false; ++ } ++ if (!bgenv_validate_uservars(data->userdata)) { ++ VERBOSE(stderr, "Corrupt uservars!\n"); ++ /* clear invalid environment */ ++ clear_envdata(data); ++ return false; ++ } ++ return true; ++} ++ + bool read_env(CONFIG_PART *part, BG_ENVDATA *env) + { + if (!part) { +@@ -86,10 +113,16 @@ bool read_env(CONFIG_PART 
*part, BG_ENVDATA *env) + if (part->not_mounted) { + unmount_partition(part); + } ++ if (result == false) { ++ clear_envdata(env); ++ return false; ++ } ++ + /* enforce NULL-termination of strings */ + env->kernelfile[ENV_STRING_LENGTH - 1] = 0; + env->kernelparams[ENV_STRING_LENGTH - 1] = 0; +- return result; ++ ++ return validate_envdata(env); + } + + bool write_env(CONFIG_PART *part, BG_ENVDATA *env) +@@ -147,15 +180,6 @@ bool bgenv_init(void) + } + for (int i = 0; i < ENV_NUM_CONFIG_PARTS; i++) { +
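Review bot: the changelog text in the first hunk has an unbalanced parenthesis and an awkward phrase: "code injections into `bg_setenv`) or programs using `libebgenv`." Suggest "...can cause crashes and probably also code injection into `bg_setenv` or programs using `libebgenv`." so the entry reads cleanly in the stable announcement.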
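Review bot: both `clear_envdata()` and `validate_envdata()` compute the checksum over `sizeof(BG_ENVDATA) - sizeof(data->crc32)`, which is only the right span if `crc32` is the last member of `BG_ENVDATA`; define that length once (for example as `offsetof(BG_ENVDATA, crc32)`) with a static assertion on the layout, so a later field addition cannot silently leave bytes out of the check. In `read_env()` the two NUL-termination writes to `kernelfile` and `kernelparams` now run before `validate_envdata()` checks the CRC, so an environment whose strings legitimately used the last byte fails the checksum and is cleared; that is the safe direction, but either add a comment stating the writer never produces such strings or check for termination instead of forcing it.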
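The validate-before-use pattern the efibootguard patch introduces (CRC over the whole blob except its trailing checksum, a bounded walk over the user-variable records, and clearing to a self-consistent zero state on any failure), as an added example that is not efibootguard's code: the struct layout, the record format (NUL-terminated key, 16-bit length, payload, empty key as terminator) and the local CRC-32 routine are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct {                       /* assumed layout, not efibootguard's real one */
    uint8_t userdata[64];              /* records: key\0, u16 len, payload; empty key ends */
    uint32_t crc32;                    /* must stay the last member (checked below) */
} ENVDATA;
/* The patch's "sizeof(BG_ENVDATA) - sizeof(crc32)" is only right if crc32 is last. */
_Static_assert(offsetof(ENVDATA, crc32) == sizeof(ENVDATA) - sizeof(uint32_t), "crc32 not last");
#define ENV_CRC_LEN offsetof(ENVDATA, crc32)
/* Bitwise CRC-32 (IEEE polynomial); same result as zlib's crc32(0, buf, len). */
static uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t c = ~0u;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* Walk the user-variable records, trusting neither length fields nor terminators. */
static bool validate_uservars(const uint8_t *ud, size_t size)
{
    size_t pos = 0;
    while (pos < size) {
        const uint8_t *nul = memchr(ud + pos, 0, size - pos);
        if (!nul) return false;                    /* unterminated key */
        if (nul == ud + pos) return true;          /* empty key: end of list */
        pos = (size_t)(nul - ud) + 1;
        if (size - pos < 2) return false;          /* length field cut off */
        size_t len = ud[pos] | ((size_t)ud[pos + 1] << 8);
        pos += 2;
        if (len > size - pos) return false;        /* payload would overrun */
        pos += len;
    }
    return false;                                  /* no terminating record */
}
static void clear_envdata(ENVDATA *env)
{
    memset(env, 0, sizeof(*env));                  /* a zeroed env is itself valid */
    env->crc32 = crc32_ieee((const uint8_t *)env, ENV_CRC_LEN);
}
/* True if env may be parsed; otherwise it is zeroed so callers never operate on junk. */
bool validate_envdata(ENVDATA *env)
{
    bool ok = env->crc32 == crc32_ieee((const uint8_t *)env, ENV_CRC_LEN)
           && validate_uservars(env->userdata, sizeof env->userdata);
    if (!ok) clear_envdata(env);
    return ok;
}

/* Constructed sample: one record "boot" -> "abc"; bad_len poisons its length field. */
void build_sample(ENVDATA *env, bool bad_len)
{
    memset(env, 0, sizeof(*env));
    memcpy(env->userdata, "boot\0\x03\0abc", 10);
    if (bad_len) env->userdata[5] = env->userdata[6] = 0xFF;
    env->crc32 = crc32_ieee((const uint8_t *)env, ENV_CRC_LEN);
}
```

A poisoned length field passes the CRC (the sample recomputes it) but fails the bounded walk, which is exactly the case a checksum alone does not catch.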
Processed: bookworm-pu: package efibootguard/0.13-2+deb12u1
Processing control commands:

> affects -1 + src:efibootguard
Bug #1049862 [release.debian.org] bookworm-pu: package efibootguard/0.13-2+deb12u1
Added indication that 1049862 affects src:efibootguard

--
1049862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems