Bug#1064551: bookworm-pu: libjwt/1.10.2-1+deb11u1

2024-03-02 Thread Thorsten Alteholz




On Sun, 25 Feb 2024, Jonathan Wiltshire wrote:

Please go ahead.


great, thanks ...

... and uploaded.


 Thorsten



Bug#1065326: bookworm-pu: package python3.11/3.11.2-6+deb12u1

2024-03-02 Thread Stefano Rivera
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python3...@packages.debian.org, d...@debian.org
Control: affects -1 + src:python3.11
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
A use-after-free causing a SEGV was found in python 3.11, affecting the
Zulip chat server.

The bug is known to affect python 3.11.0 - 3.11.4. And since being fixed
upstream, there have been no known related regressions.

[ Impact ]
Potential SEGV in python3. Known to be triggered by zulip's CI when
running under coverage.

[ Tests ]
The Python stdlib testsuite is extensive and passes with this patch.

There is a stand-alone reproducer that I've manually reproduced the bug
with and verified that it's fixed.

[ Risks ]
The code is pretty straight-forward. It asserts that the f_frame hasn't
already been freed before freeing.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru python3.11-3.11.2/debian/changelog python3.11-3.11.2/debian/changelog
--- python3.11-3.11.2/debian/changelog  2023-03-13 08:18:29.0 -0400
+++ python3.11-3.11.2/debian/changelog  2024-03-02 16:28:50.0 -0400
@@ -1,3 +1,11 @@
+python3.11 (3.11.2-6+deb12u1) bookworm; urgency=medium
+
+  [ Anders Kaseorg ]
+  * Fix a use-after-free crash when deallocating a frame object
+(closes: #1050843).
+
+ -- Stefano Rivera   Sat, 02 Mar 2024 16:28:50 -0400
+
 python3.11 (3.11.2-6) unstable; urgency=high
 
   [ Stefano Rivera ]
diff -Nru python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff 
python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff
--- python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff   1969-12-31 
20:00:00.0 -0400
+++ python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff   2024-03-02 
16:28:50.0 -0400
@@ -0,0 +1,54 @@
+Description: Fix use-after-free crash in frame_dealloc
+ It was possible for the trashcan to delay the deallocation of a
+ PyFrameObject until after its corresponding _PyInterpreterFrame has
+ already been freed.  So frame_dealloc needs to avoid dereferencing the
+ f_frame pointer unless it first checks that the pointer still points
+ to the interpreter frame within the frame object.
+Origin: 
https://github.com/python/cpython/commit/46cae02085311481dc8b1ea9a5110969d9325bc7
+Bug-upstream: https://github.com/python/cpython/issues/106092
+Bug-Debian: https://bugs.debian.org/1050843
+Author: Anders Kaseorg 
+Last-Update: 2023-08-29
+Applied-Upstream: 3.11.5
+
+---
+ .../2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst  |  2 ++
+ Objects/frameobject.c   | 13 +++--
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Core and 
Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst
+
+--- /dev/null
 b/Misc/NEWS.d/next/Core and 
Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst
+@@ -0,0 +1,2 @@
++Fix a segmentation fault caused by a use-after-free bug in ``frame_dealloc``
++when the trashcan delays the deallocation of a ``PyFrameObject``.
+--- a/Objects/frameobject.c
 b/Objects/frameobject.c
+@@ -851,9 +851,6 @@
+ /* It is the responsibility of the owning generator/coroutine
+  * to have cleared the generator pointer */
+ 
+-assert(f->f_frame->owner != FRAME_OWNED_BY_GENERATOR ||
+-_PyFrame_GetGenerator(f->f_frame)->gi_frame_state == FRAME_CLEARED);
+-
+ if (_PyObject_GC_IS_TRACKED(f)) {
+ _PyObject_GC_UNTRACK(f);
+ }
+@@ -861,10 +858,14 @@
+ Py_TRASHCAN_BEGIN(f, frame_dealloc);
+ PyCodeObject *co = NULL;
+ 
++/* GH-106092: If f->f_frame was on the stack and we reached the maximum
++ * nesting depth for deallocations, the trashcan may have delayed this
++ * deallocation until after f->f_frame is freed. Avoid dereferencing
++ * f->f_frame unless we know it still points to valid memory. */
++_PyInterpreterFrame *frame = (_PyInterpreterFrame *)f->_f_frame_data;
++
+ /* Kill all local variables including specials, if we own them */
+-if (f->f_frame->owner == FRAME_OWNED_BY_FRAME_OBJECT) {
+-assert(f->f_frame == (_PyInterpreterFrame *)f->_f_frame_data);
+-_PyInterpreterFrame *frame = (_PyInterpreterFrame *)f->_f_frame_data;
++if (f->f_frame == frame && frame->owner == FRAME_OWNED_BY_FRAME_OBJECT) {
+ /* Don't clear code object until the end */
+ co = frame->f_code;
+ frame->f_code = NULL;
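
Review bot: The diffstat of frame_dealloc-crash.diff lists only the NEWS entry and Objects/frameobject.c, so no regression test is carried with the fix even though the request says a stand-alone reproducer exists; adding it to the test suite would keep the trashcan path covered. In the second frameobject.c hunk, `f->f_frame == frame && frame->owner == FRAME_OWNED_BY_FRAME_OBJECT` is safe only because the pointer comparison is evaluated first and `owner` is then read through the embedded `_f_frame_data`; a short note that the operand order must not be swapped would protect it against later refactoring. The first hunk also removes the generator-state assert, which dereferenced `f->f_frame` as well, and the patch Description does not mention that removal.
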
diff -Nru python3.11-3.11.2/debian/patches/series 
python3.11-3.11.2/debian/patches/series
--- python3.11-3.11.2/debian/patches/series 2023-03-01 05:58:01.0 
-0400
+++ python3.11-3.11.2/debian/patches/series 2024-03-02 16:28:50.0 
-0400
@@ -39,3 +39,4 @@
 fix-py_compile.diff
 ntpath-import.diff
 shutdown-deadlock.diff
+frame_dealloc-crash.diff


Processed: bookworm-pu: package python3.11/3.11.2-6+deb12u1

2024-03-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:python3.11
Bug #1065326 [release.debian.org] bookworm-pu: package 
python3.11/3.11.2-6+deb12u1
Added indication that 1065326 affects src:python3.11

-- 
1065326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065326
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1036884: 64-bit time_t: libpam0g -> libpam0t64 -> libpam0g

2024-03-02 Thread Sebastian Ramacher
On 2024-03-02 13:51:13 +0100, Aurelien Jarno wrote:
> Hi,
> 
> As part of the time_t transition, the libpam0t64 library change got
> reverted, and we ended-up with a few packages not installable even on
> non arm* because they depend on libpam0t64 which is now gone. Well
> technically it is still there as cruft, but it conflicts with libpam0g
> which is used by essential packages.
> 
> Would it be possible to fix that for our non arm* users? I have attached
> the wb commands below, but you might want to do some of them on all
> architectures for multiarch sync.

Scheduled. We'll need to do some MA: same version skew clean up after
the transition is done, though.

Cheers
-- 
Sebastian Ramacher



Bug#1065309: transition: gnat (12 -> 13 + time_t64)

2024-03-02 Thread Matthias Klose

Package: release.debian.org
X-Debbugs-CC: Nicolas Boulenguez 

when preparing GCC packages for time_t64, I noticed that we'll have an 
ABI change for libgnat as well.  Instead of doing a gnat 12 -> 12+t64 
transition, let's do a gnat 12 -> 13+t64 transition instead.  According 
to Nicolas, packages are already prepared in experimental.


Waiting with the transition until all t64 stuff is finished doesn't work 
well, packages which need binNMUs will ftbfs.




Bug#1036884: transition: time64_t

2024-03-02 Thread Adrian Bunk
On Sat, Mar 02, 2024 at 02:16:59PM +0100, Sebastian Ramacher wrote:
> On 2024-03-02 15:06:15 +0200, Adrian Bunk wrote:
> > On Fri, Mar 01, 2024 at 11:10:22PM -0800, Steve Langasek wrote:
> > >...
> > > This needs to be built with dpkg-dev (>= 1.5.22), ...
> > >...
> > 
> > The correct version is 1.22.5 (and >= 1.5.22 therefore a nop).
> 
> There was already an upload by the maintainer correcting the issue.

This incorrect version seems to be pasted further, e.g. glib2.0 
extra-depends have (in addition to the now corrected missing 'd')
also the nop version 1.5.22

> Cheers

cu
Adrian



Bug#1036884: transition: time64_t

2024-03-02 Thread Sebastian Ramacher
On 2024-03-02 15:06:15 +0200, Adrian Bunk wrote:
> On Fri, Mar 01, 2024 at 11:10:22PM -0800, Steve Langasek wrote:
> >...
> > This needs to be built with dpkg-dev (>= 1.5.22), ...
> >...
> 
> The correct version is 1.22.5 (and >= 1.5.22 therefore a nop).

There was already an upload by the maintainer correcting the issue.

Cheers
-- 
Sebastian Ramacher



Bug#1036884: transition: time64_t

2024-03-02 Thread Adrian Bunk
On Fri, Mar 01, 2024 at 11:10:22PM -0800, Steve Langasek wrote:
>...
> This needs to be built with dpkg-dev (>= 1.5.22), ...
>...

The correct version is 1.22.5 (and >= 1.5.22 therefore a nop).

cu
Adrian



Bug#1036884: 64-bit time_t: libpam0g -> libpam0t64 -> libpam0g

2024-03-02 Thread Aurelien Jarno
Hi,

As part of the time_t transition, the libpam0t64 library change got
reverted, and we ended-up with a few packages not installable even on
non arm* because they depend on libpam0t64 which is now gone. Well
technically it is still there as cruft, but it conflicts with libpam0g
which is used by essential packages.

Would it be possible to fix that for our non arm* users? I have attached
the wb commands below, but you might want to do some of them on all
architectures for multiarch sync.

Thanks
Aurelien


wb nmu cockpit_312-1 . amd64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cockpit_312-1 . arm64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cockpit_312-1 . i386 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cockpit_312-1 . mips64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cockpit_312-1 . ppc64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cockpit_312-1 . riscv64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cockpit_312-1 . s390x . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cron_3.0pl1-186 . amd64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cron_3.0pl1-186 . arm64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cron_3.0pl1-186 . i386 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cron_3.0pl1-186 . mips64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cron_3.0pl1-186 . ppc64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cron_3.0pl1-186 . riscv64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cron_3.0pl1-186 . s390x . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cups_2.4.7-1.2 . amd64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cups_2.4.7-1.2 . arm64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cups_2.4.7-1.2 . mips64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cups_2.4.7-1.2 . ppc64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cups_2.4.7-1.2 . riscv64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu cups_2.4.7-1.2 . s390x . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu gensio_2.8.2-6.1 . amd64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu gensio_2.8.2-6.1 . arm64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu gensio_2.8.2-6.1 . i386 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu gensio_2.8.2-6.1 . mips64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu gensio_2.8.2-6.1 . ppc64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu gensio_2.8.2-6.1 . riscv64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu gensio_2.8.2-6.1 . s390x . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu libinfinity_0.7.2-2.1 . amd64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu libinfinity_0.7.2-2.1 . arm64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu libinfinity_0.7.2-2.1 . i386 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu libinfinity_0.7.2-2.1 . mips64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu libinfinity_0.7.2-2.1 . ppc64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu libinfinity_0.7.2-2.1 . riscv64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu libinfinity_0.7.2-2.1 . s390x . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu lxc_1:5.0.3-2.1 . amd64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu lxc_1:5.0.3-2.1 . arm64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu lxc_1:5.0.3-2.1 . i386 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu lxc_1:5.0.3-2.1 . mips64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu lxc_1:5.0.3-2.1 . ppc64el . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu lxc_1:5.0.3-2.1 . riscv64 . -m "Rebuild against libpam0g" . --extra-depends "libpam0g-dev (>= 1.5.3-6)"
wb nmu mailutils_1:

Bug#1065266: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

2024-03-02 Thread David Prévot
On Sat, Mar 02, 2024 at 11:22:22AM +0100, David Prévot wrote:
[…]
>   [x] attach debdiff against the package in oldstable

Second try.

diff -Nru php-phpseclib-2.0.30/debian/changelog php-phpseclib-2.0.30/debian/changelog
--- php-phpseclib-2.0.30/debian/changelog	2023-12-31 15:36:22.0 +0100
+++ php-phpseclib-2.0.30/debian/changelog	2024-02-27 21:15:41.0 +0100
@@ -1,3 +1,15 @@
+php-phpseclib (2.0.30-2+deb11u2) bullseye; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- BigInteger: rm visibility modifiers from static variables
+- ASN1: limit OID length [CVE-2024-27355]
+- Tests: updates for phpseclib 2.0
+- BigInteger: phpseclib 2.0 updates
+- BigInteger: fix getLength()
+
+ -- David Prévot   Tue, 27 Feb 2024 21:15:41 +0100
+
 php-phpseclib (2.0.30-2+deb11u1) bullseye-security; urgency=medium
 
   * Backport upstream SSH2 changes
diff -Nru php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:15:41.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 9df0bf0..bbe7c86 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -729,6 +729,33 @@ class BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
+@@ -3237,6 +3264,11 @@ class BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new static(1);
+@@ -3344,7 +3376,14 @@ class BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
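
Review bot: The new getLength() reads `$a->value[$max]` in its internal-mode branch, but no `$a` exists in that method, so under MATH_BIGINTEGER_MODE_INTERNAL the top-limb term is computed from an undefined variable; it should be `$this->value[$max]`. The changelog lists a separate "BigInteger: fix getLength()" patch later in the series, so confirm that it covers this line, because both new size guards in randomPrime() and isPrime() depend on the value returned here.
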
diff -Nru php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch
--- php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch	2024-02-27 21:15:41.0 +0100
@@ -0,0 +1,48 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 21:55:47 -0600
+Subject: BigInteger: rm visibility modifiers from static variables
+
+the non static variables don't have privacy modifiers so idk that
+the static ones ought to either. phpseclib 3.0 uses privacy
+modifiers but not the 2.0 branch
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/21

Processed: bullseye-pu: package phpseclib/1.0.19-3+deb11u2

2024-03-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:phpseclib
Bug #1065268 [release.debian.org] bullseye-pu: package 
phpseclib/1.0.19-3+deb11u2
Added indication that 1065268 affects src:phpseclib

-- 
1065268: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065268
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1065268: bullseye-pu: package phpseclib/1.0.19-3+deb11u2

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This issue is similar to #1065264 for bookworm

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru phpseclib-1.0.19/debian/autoload.php.tpl phpseclib-1.0.19/debian/autoload.php.tpl
--- phpseclib-1.0.19/debian/autoload.php.tpl	2023-12-31 15:43:05.0 +0100
+++ phpseclib-1.0.19/debian/autoload.php.tpl	2024-02-27 21:27:58.0 +0100
@@ -1,7 +1,7 @@
   Tue, 27 Feb 2024 21:27:58 +0100
+
 phpseclib (1.0.19-3+deb11u1) bullseye-security; urgency=medium
 
   * Track bullseye
diff -Nru phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:27:58.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 35df7ad..1dd4729 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -746,6 +746,33 @@ class Math_BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
+@@ -3283,6 +3310,11 @@ class Math_BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new Math_BigInteger(1);
+@@ -3390,7 +3422,14 @@ class Math_BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
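
Review bot: Both new guards, in the randomPrime() hunk and in the isPrime() hunk, call `user_error()` with no error level and then fall through, so under PHP's default handling (E_USER_NOTICE, execution continues) an over-long input still reaches prime generation or the primality test. Unless callers are known to install an error handler that throws, follow each `user_error()` with `return false;` or raise it with E_USER_ERROR so that the 8196-bit limit is actually enforced.
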
Les fichiers binaires /tmp/q2874tUZtM/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch et /tmp/8dbXhTc93J/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch sont différents
diff -Nru phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch
--- phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch	1970-01-01 01:00:00.0 +0100
+++ phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch	2024-02-27 21:27:58.0 +0100
@@ -0,0 +1,31 @@
+From: terrafrost 
+Date: Sat, 24 

Processed: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

2024-03-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:php-phpseclib
Bug #1065266 [release.debian.org] bullseye-pu: package 
php-phpseclib/2.0.30-2+deb11u2
Added indication that 1065266 affects src:php-phpseclib

-- 
1065266: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065266
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1065266: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This issue is similar to #1065263 for bookworm

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit




Processed: bookworm-pu: package phpseclib/1.0.20-1+deb12u2

2024-03-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:phpseclib
Bug #1065264 [release.debian.org] bookworm-pu: package 
phpseclib/1.0.20-1+deb12u2
Added indication that 1065264 affects src:phpseclib

-- 
1065264: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065264
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1065264: bookworm-pu: package phpseclib/1.0.20-1+deb12u2

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru phpseclib-1.0.20/debian/changelog phpseclib-1.0.20/debian/changelog
--- phpseclib-1.0.20/debian/changelog	2023-12-31 11:37:21.0 +0100
+++ phpseclib-1.0.20/debian/changelog	2024-02-26 22:58:32.0 +0100
@@ -1,3 +1,13 @@
+phpseclib (1.0.20-1+deb12u2) bookworm; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- ASN1: limit OID length [CVE-2024-27355]
+- BigInteger: fix getLength()
+  * Force system dependencies loading
+
+ -- David Prévot   Mon, 26 Feb 2024 22:58:32 +0100
+
 phpseclib (1.0.20-1+deb12u1) bookworm-security; urgency=medium
 
   * Track Bookworm
diff -Nru phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ phpseclib-1.0.20/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-26 22:58:32.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 961e6ca..5f6b8f3 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -746,6 +746,33 @@ class Math_BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
+@@ -3283,6 +3310,11 @@ class Math_BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new Math_BigInteger(1);
+@@ -3390,7 +3422,14 @@ class Math_BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
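
Review bot: The comment added in isPrime() says two 8196-bit primes produce at most a 16384-bit number, but 2 × 8196 is 16392; the prime size that matches the stated 16384-bit OpenSSL limit is 8192. Either change the constant in both guards and both messages to 8192, or reword the comment to say the limit is deliberately set slightly above half the maximum modulus size. The randomPrime() message also omits the unit ("larger than 8196"); add "bits" so it matches the isPrime() message.
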
Les fichiers binaires /tmp/iyz_ted7Do/phpseclib-1.0.20/debian/patches/0012-ASN1-limit-OID-length.patch et /tmp/6XyXWtF89o/phpseclib-1.0.20/debian/patches/0012-ASN1-limit-OID-length.patch sont différents
diff -Nru phpseclib-1.0.20/debian/patches/0013-BigInteger-fix-getLength.patch phpseclib-1.0.20/debian/patches/0013-BigInteger-fix-getLength.patch
--- phpseclib-1.0.20/debian/patches/0

Bug#1065263: bookworm-pu: package php-phpseclib/2.0.42-1+deb12u2

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru php-phpseclib-2.0.42/debian/changelog php-phpseclib-2.0.42/debian/changelog
--- php-phpseclib-2.0.42/debian/changelog	2023-12-31 11:49:50.0 +0100
+++ php-phpseclib-2.0.42/debian/changelog	2024-02-26 23:23:19.0 +0100
@@ -1,3 +1,15 @@
+php-phpseclib (2.0.42-1+deb12u2) bookworm; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- BigInteger: rm visibility modifiers from static variables
+- ASN1: limit OID length [CVE-2024-27355]
+- Tests: updates for phpseclib 2.0
+- BigInteger: phpseclib 2.0 updates
+- BigInteger: fix getLength()
+
+ -- David Prévot   Mon, 26 Feb 2024 23:23:19 +0100
+
 php-phpseclib (2.0.42-1+deb12u1) bookworm-security; urgency=medium
 
   * Track bookworm
diff -Nru php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-26 23:23:19.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 81b69ac..fd9cd57 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -729,6 +729,33 @@ class BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
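Review bot: In the added getLength(), the internal-mode return expression reads `$a->value[$max]`, but `$a` is never defined in this method; the line above uses `$this->value`, so this should be `$this->value[$max]`. With `$a` undefined the top word contributes nothing to the result, so the bit length is under-reported in internal mode, and both new size checks depend on this value. The changelog lists a later "BigInteger: fix getLength()" patch; confirm that it covers this line.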
+@@ -3237,6 +3264,11 @@ class BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new static(1);
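Review bot: The size check added before `static $one, $two;` only calls user_error(), which with no level argument raises E_USER_NOTICE and then returns, so prime generation still proceeds for a `$max` above the limit unless the application's error handler throws. Suggest returning early right after the user_error() call so the guard takes effect on its own. The message should also say "8196 bits", as the isPrime() message does.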
+@@ -3344,7 +3376,14 @@ class BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
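Review bot: `$length` changes unit in isPrime(): the removed line computed it as `strlen($this->toBytes())` (bytes), while getLength() is documented as returning bits. The code after `if (!$t)` is outside the hunk and the diffstat shows a single deletion, so any later use of `$length` that assumed bytes now sees a value eight times larger. Suggest confirming that those uses were converted to bits, either here or in one of the follow-up patches named in the changelog.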
diff -Nru php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch
--- php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-

Processed: bookworm-pu: package php-phpseclib/2.0.42-1+deb12u2

2024-03-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:php-phpseclib
Bug #1065263 [release.debian.org] bookworm-pu: package 
php-phpseclib/2.0.42-1+deb12u2
Added indication that 1065263 affects src:php-phpseclib

-- 
1065263: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065263
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1065261: bookworm-pu: package php-phpseclib3/3.0.19-1+deb12u3

2024-03-02 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-phpsecl...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib3
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru php-phpseclib3-3.0.19/debian/autoload.php.tpl php-phpseclib3-3.0.19/debian/autoload.php.tpl
--- php-phpseclib3-3.0.19/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/autoload.php.tpl	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,31 @@
+  Tue, 27 Feb 2024 21:58:00 +0100
+
 php-phpseclib3 (3.0.19-1+deb12u2) bookworm-security; urgency=medium
 
   * Backport upstream SSH2 changes
diff -Nru php-phpseclib3-3.0.19/debian/clean php-phpseclib3-3.0.19/debian/clean
--- php-phpseclib3-3.0.19/debian/clean	2023-12-31 12:13:49.0 +0100
+++ php-phpseclib3-3.0.19/debian/clean	2024-02-27 21:58:00.0 +0100
@@ -1,6 +1,7 @@
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+ParagonIE
 phpseclib/autoload.php
 phpseclib3
+random_compat
 tests/.phpunit.result.cache
 vendor/
diff -Nru php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,42 @@
+From: terrafrost 
+Date: Sat, 24 Feb 2024 08:38:47 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/0358eb163c55a9fd7b3848b9ecc83f6b9e49dbf5
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger/Engines/Engine.php | 14 ++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/phpseclib/Math/BigInteger/Engines/Engine.php b/phpseclib/Math/BigInteger/Engines/Engine.php
+index 2b00bc3..3a735e7 100644
+--- a/phpseclib/Math/BigInteger/Engines/Engine.php
 b/phpseclib/Math/BigInteger/Engines/Engine.php
+@@ -781,6 +781,11 @@ abstract class Engine implements \JsonSerializable
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++throw new \RuntimeException("Generation of random prime numbers larger than 8196 has been disabled ($length)");
++}
++
+ $x = static::randomRange($min, $max);
+ 
+ return static::randomRangePrimeInner($x, $min, $max);
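Review bot: The literal 8196 in the new `$length > 8196` check is repeated in the isPrime() hunk of the same patch, and the exception message gives the limit without a unit. Suggest a single class constant used by both checks and "8196 bits" in the message, so the two guards cannot drift apart.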
+@@ -985,6 +990,15 @@ abstract class Engine implements \JsonSerializable
+  */
+ public function isPrime($t = false)
+ {
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++$length = $this->getLength();
++if ($length > 8196) {
++throw new \RuntimeException("Primality testing is not supported for numbers larger than 8196 bits ($length)");
++}
++
+ if (!$t) {
+ $t = $this->setupIsPrime();
+ }
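Review bot: The comment added at the top of isPrime() does not match the constant it justifies: two 8196-bit primes can multiply to as many as 16392 bits, while half of the 16384-bit OpenSSL limit it cites is 8192. Either change the limit to 8192 or reword the comment so the arithmetic agrees with the check. isPrime() can now also throw, so the docblock ending just above `public function isPrime` should gain `@throws \RuntimeException` for callers that test values taken from untrusted input.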
diff -Nru php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch
--- php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,46 @@
+From: terrafrost 
+Date: Sat, 24 Feb 2024 08:42:27 -0600
+Subject: Tests: add unit test for EC pub key with excessively large integer
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/e17409a3e39baf7c8ed9635c04130802463b117b
+---
+ tests/Unit/File/X509/X509Test.php|  12 
+ tests/Unit/File/X509/mal-cert-01.der | Bin 0 -> 

Processed: bookworm-pu: package php-phpseclib3/3.0.19-1+deb12u3

2024-03-02 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:php-phpseclib3
Bug #1065261 [release.debian.org] bookworm-pu: package 
php-phpseclib3/3.0.19-1+deb12u3
Added indication that 1065261 affects src:php-phpseclib3

-- 
1065261: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065261
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1064031: rustc-web 1.70.0+dfsg1-7~deb12u1 flagged for acceptance

2024-03-02 Thread Andres Salomon

On 3/2/24 02:00, Andres Salomon wrote:

Actually, scratch that; I had missed #1064563.

I'll redo the deb11u2 package with conflicts/replaces for that, as well, 
and then resend it shortly.


On 3/2/24 01:49, Andres Salomon wrote:


Okay, here's an updated package with fixes:

rustc-web (1.70.0+dfsg1-7~deb12u2) bookworm; urgency=medium

   * Non-maintainer upload.
   * Increase allowed test failures on armhf and ppc64el to fix FTBFS.
   * Provide Conflicts/Replaces for rust*-mozilla*, which could still be
 installed from oldstable (closes: #1064562).




rustc-web (1.70.0+dfsg1-7~deb12u2) bookworm; urgency=medium

  * Non-maintainer upload.
  * Increase allowed test failures on armhf and ppc64el to fix FTBFS.
  * Provide Conflicts/Replaces for rust*-mozilla*, which could still be
installed from oldstable (closes: #1064562).
  * Add Provides/Conflicts/Replaces for libstd-rust-1.70 (closes: 
#1064563).




This should fix builds for armhf & ppc64el, and also specifies manual 
conflicts/replaces with a bunch of packages from rustc-mozilla. In 
addition, it adds a p/c/r in libstd-rust-web-1.70 for libstd-rust-1.70.


For the rust*mozilla* conflicts, I tested it by doing an 'apt install 
rustc-mozilla rust-mozilla-src rust-mozilla-gdb libstd-rust-mozilla-dev' 
from oldstable onto a bookworm environment, and then installed the 
locally built 'libstd-rust-web-1.70 libstd-rust-web-dev rust-web-gdb 
rust-web-src rustc-web' packages over that. The older rustc-mozilla 
packages are properly removed by apt, with the exception of 
libstd-rust-mozilla-1.63 (which should be fine).


For the libstd-rust-1.70 conflict, I tested it by manually installing 
the 'rustc-web libstd-rust-web-1.70 libstd-rust-web-dev' packages in a 
trixie environment, and then 'apt install rustc libstd-rust-web-dev' 
over that. As expected, it removed the three *-web* packages and 
successfully installed the standard rustc packages.


diff -u rustc-web-1.70.0+dfsg1/debian/changelog rustc-web-1.70.0+dfsg1/debian/changelog
--- rustc-web-1.70.0+dfsg1/debian/changelog	2024-02-14 02:02:37.0 +
+++ rustc-web-1.70.0+dfsg1/debian/changelog	2024-03-02 07:23:17.763665420 +
@@ -1,3 +1,13 @@
+rustc-web (1.70.0+dfsg1-7~deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Increase allowed test failures on armhf and ppc64el to fix FTBFS.
+  * Provide Conflicts/Replaces for rust*-mozilla*, which could still be
+installed from oldstable (closes: #1064562).
+  * Add Provides/Conflicts/Replaces for libstd-rust-1.70 (closes: #1064563).
+
+ -- Andres Salomon   Sat, 02 Mar 2024 07:23:15 +
+
 rustc-web (1.70.0+dfsg1-7~deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
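Review bot: The entry "Increase allowed test failures on armhf and ppc64el to fix FTBFS" records neither the new threshold nor which tests fail on those architectures. Suggest naming both in the entry, or referencing the bug that tracks them, since a raised limit hides any further regressions up to that count.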
diff -u rustc-web-1.70.0+dfsg1/debian/control rustc-web-1.70.0+dfsg1/debian/control
--- rustc-web-1.70.0+dfsg1/debian/control	2024-02-14 02:02:37.0 +
+++ rustc-web-1.70.0+dfsg1/debian/control	2024-03-02 07:05:53.739717477 +
@@ -58,9 +58,9 @@
 Suggests:
 # lld and clang are needed for wasm compilation
  lld-16, clang-16,
-Conflicts: rustc
+Conflicts: rustc, rustc-mozilla
 Provides: rustc (= ${binary:Version})
-Replaces: libstd-rust-dev (<< 1.25.0+dfsg1-2~~), rustc
+Replaces: libstd-rust-dev (<< 1.25.0+dfsg1-2~~), rustc, rustc-mozilla
 Breaks: libstd-rust-dev (<< 1.25.0+dfsg1-2~~)
 Description: Rust systems programming language
  Rust is a curly-brace, block-structured expression language.  It
@@ -81,6 +81,9 @@
 Multi-Arch: same
 Pre-Depends: ${misc:Pre-Depends}
 Depends: ${shlibs:Depends}, ${misc:Depends}
+Conflicts: libstd-rust-1.70
+Replaces: libstd-rust-1.70
+Provides: libstd-rust-1.70
 Description: Rust standard libraries
  Rust is a curly-brace, block-structured expression language.  It
  visually resembles the C language family, but differs significantly
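Review bot: The new `Provides: libstd-rust-1.70` is unversioned, whereas the other stanzas in this file use versioned Provides such as `Provides: rustc (= ${binary:Version})`. An unversioned Provides cannot satisfy a versioned dependency on libstd-rust-1.70, so it will not stand in for that package wherever a version constraint is used. Suggest `Provides: libstd-rust-1.70 (= ${binary:Version})` unless leaving it unversioned is deliberate.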
@@ -103,9 +106,9 @@
 Multi-Arch: same
 Depends: ${shlibs:Depends}, ${misc:Depends},
  libstd-rust-web-1.70 (= ${binary:Version}),
-Conflicts: libstd-rust-dev
+Conflicts: libstd-rust-dev, libstd-rust-mozilla-dev
 Provides: libstd-rust-dev (= ${binary:Version})
-Replaces: libstd-rust-dev
+Replaces: libstd-rust-dev, libstd-rust-mozilla-dev
 Description: Rust standard libraries - development files
  Rust is a curly-brace, block-structured expression language.  It
  visually resembles the C language family, but differs significantly
@@ -131,7 +134,8 @@
 Recommends:
  gcc-mingw-w64-x86-64-posix [amd64],
  gcc-mingw-w64-i686-posix [i386],
-Conflicts: libstd-rust-dev-windows
+Conflicts: libstd-rust-dev-windows, libstd-rust-mozilla-dev-windows
+Replaces: libstd-rust-mozilla-dev-windows
 Build-Profiles: 
 Description: Rust standard libraries - development files
  Rust is a curly-brace, block-structured expression language.  It
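Review bot: This stanza gains Conflicts and Replaces for libstd-rust-mozilla-dev-windows, but the upgrade test described in the mail installed only rustc-mozilla, rust-mozilla-src, rust-mozilla-gdb and libstd-rust-mozilla-dev, so this relationship was not exercised. Suggest repeating the test with libstd-rust-mozilla-dev-windows installed. Also, libstd-rust-dev-windows appears in Conflicts but not in Replaces, unlike the pairing used in the other stanzas; worth confirming that this is intended.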
@@ -154,8 +158,8 @@
 Architecture: all
 Depends: gdb, ${misc:Depends}
 Suggests: gdb-doc
-Conflicts: rust-gdb
-Replaces: rustc (<< 1.1.0+dfsg1-1)
+Conflicts: rust-gdb, rust-mozilla-gdb
+Replaces: rustc (<< 1.1.0+dfsg1-1), rust-mozilla-gdb
 Description: Rust deb

Bug#1036884: transition: time64_t

2024-03-02 Thread Sebastian Ramacher
On 2024-03-01 23:10:22 -0800, Steve Langasek wrote:
> Please binNMU fyba on armhf and armel.  The maintainer uploaded it without
> versioned build-deps so it is renamed but has wrong ABI.
> 
> This needs to be built with dpkg-dev (>= 1.5.22), gcc-13 (>= 13.2.0-16.1).

Scheduled everywhere since it builds MA: same binaries.

Cheers
-- 
Sebastian Ramacher