Bug#885087: Slightly improved version
I've made a small change to the package, changing the new dependency from gvfs to desktop-file-utils, since that's what's really necessary (as discovered in #885086). The new debdiff is attached. -- Eduardo M KALINOWSKI edua...@kalinowski.com.br diff -Nru kildclient-3.0.0/debian/changelog kildclient-3.0.0/debian/changelog --- kildclient-3.0.0/debian/changelog 2014-12-09 20:20:51.0 -0200 +++ kildclient-3.0.0/debian/changelog 2018-01-20 11:06:39.0 -0200 @@ -1,3 +1,10 @@ +kildclient (3.0.0-2+deb8u1) jessie; urgency=low + + * Fix for CVE-2017-17511. New dependency 'desktop-file-utils' required +in order to use GTK+ function for opening URLs. Closes: #885007 + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sat, 20 Jan 2018 11:06:37 -0200 + kildclient (3.0.0-2) unstable; urgency=medium * Added work-around to enable scroll-to-end feature to work with diff -Nru kildclient-3.0.0/debian/control kildclient-3.0.0/debian/control --- kildclient-3.0.0/debian/control 2014-12-09 20:20:51.0 -0200 +++ kildclient-3.0.0/debian/control 2018-01-20 11:06:18.0 -0200 @@ -10,7 +10,7 @@ Package: kildclient Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl, libjson-perl +Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl, libjson-perl, desktop-file-utils Suggests: kildclient-doc, libgtk3-perl Description: powerful MUD client with a built-in Perl interpreter KildClient is a MUD Client written with the GTK+ windowing toolkit. diff -Nru kildclient-3.0.0/debian/NEWS.Debian kildclient-3.0.0/debian/NEWS.Debian --- kildclient-3.0.0/debian/NEWS.Debian 2014-12-09 20:20:51.0 -0200 +++ kildclient-3.0.0/debian/NEWS.Debian 2018-01-20 11:17:50.0 -0200 
@@ -1,3 +1,11 @@ +kildclient (3.0.0-2+deb8u1) jessie-security; urgency=high + + * The option to define the command used to run a web browser has been +removed; the default browser (as selected by MIME types database) is +now used. + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sat, 20 Jan 2018 11:06:37 -0200 + kildclient (2.8.1-1) experimental; urgency=low The HTML manual is now in the package kildclient-doc. diff -Nru kildclient-3.0.0/debian/patches/cve-2017-17511.patch kildclient-3.0.0/debian/patches/cve-2017-17511.patch --- kildclient-3.0.0/debian/patches/cve-2017-17511.patch 1969-12-31 21:00:00.0 -0300 +++ kildclient-3.0.0/debian/patches/cve-2017-17511.patch 2018-01-20 11:05:35.0 -0200 
@@ -0,0 +1,221 @@ +Description: Fix for CVE-2017-17511 + Uses a GTK+ function to open URLs, instead of using a command + supplied by the user or $BROWSER. +Author: Eduardo M KALINOWSKI <edua...@kalinowski.com.br> +Last-Update: 2017-12-16 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/kildclient.h b/src/kildclient.h +@@ -633,7 +633,6 @@ + GtkPositionType tab_position; + gboolean hide_single_tab; + gboolean urgency_hint; +- char*browser_command; + char*audio_player_command; + char*last_open_world; + gboolean no_plugin_help_msg; +--- a/src/prefs.c b/src/prefs.c +@@ -92,7 +92,6 @@ + GObject *txtProxyUser; + GObject *txtProxyPassword; + #ifndef __WIN32__ +- GObject *txtBrowserCommand; + GObject *txtAudioPlayerCommand; + #else + GtkWidget*tabPrograms; +@@ -178,12 +177,6 @@ + + #ifndef __WIN32__ + /* Load commands */ +-txtBrowserCommand = gtk_builder_get_object(main_builder, "txtBrowserCommand"); +-gtk_entry_set_text(GTK_ENTRY(txtBrowserCommand), +- globalPrefs.browser_command); +-g_signal_connect(txtBrowserCommand, "focus_out_event", +- G_CALLBACK(txt_cmd_focus_out_cb), +- _command); + txtAudioPlayerCommand + = gtk_builder_get_object(main_builder, "txtAudioPlayerCommand"); + gtk_entry_set_text(GTK_ENTRY(txtAudioPlayerCommand), +@@ -319,9 +312,6 @@ + } + + /* Has the commands been set? 
*/ +- if (!globalPrefs.browser_command) { +-globalPrefs.browser_command = g_strdup("${BROWSER} \"%s\" &"); +- } + if (!globalPrefs.audio_player_command) { + globalPrefs.audio_player_command = g_strdup("play \"%s\" &"); + } +@@ -380,8 +370,6 @@ + globalPrefs.hide_single_tab = atoi(line + pos + 1); + } else if (strcmp(first_word, "urgencyhint") == 0) { + globalPrefs.urgency_hint = atoi(line + pos + 1); +-} else if (strcmp(first_word, "browsercommand") == 0) { +- globalPrefs.browser_command = g_strdup(line + pos + 1); + } else if (strcmp(first_word, "audioplayercommand") == 0) { + globalPrefs.audio_player_command = g_strdup(line + pos + 1); + } else if (strcmp(first_word, "lastopenworld") == 0)
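Review bot: In the prefs.c hunk at @@ -319,9 +312,6 @@ the unchanged context keeps audio_player_command = g_strdup("play \"%s\" &"), which is the same shell-template-with-%s pattern that this patch retires for URLs. If the file path substituted there can ever be influenced by the MUD server, it needs the same treatment; otherwise please say in the patch Description why it is out of scope for CVE-2017-17511.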
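Review bot: Existing preference files will still contain a browsercommand line after this update, and the @@ -380,8 +370,6 @@ hunk in prefs.c removes the parser branch that consumed it; what happens to an unrecognised key is not visible in this hunk. Please confirm that the stale key is skipped silently rather than reported as an error, and consider mentioning in NEWS.Debian that the saved setting is now ignored.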
Bug#885086: Slightly improved version
In the previous message I forgot to change the NEWS.Debian file to better describe the change; this version fixes it. -- "Atomic batteries to power, turbines to speed." -- Robin, The Boy Wonder Eduardo M KALINOWSKI edua...@kalinowski.com.br diff -Nru kildclient-3.1.0/debian/changelog kildclient-3.1.0/debian/changelog --- kildclient-3.1.0/debian/changelog 2016-12-04 20:46:22.0 -0200 +++ kildclient-3.1.0/debian/changelog 2018-01-20 10:50:25.0 -0200 @@ -1,3 +1,10 @@ +kildclient (3.1.0-1+deb9u1) stretch; urgency=low + + * Fix for CVE-2017-17511. New dependency 'desktop-file-utils' required +in order to use GTK+ function for opening URLs. Closes: #885007 + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sat, 20 Jan 2018 10:50:25 -0200 + kildclient (3.1.0-1) unstable; urgency=low * New upstream version: 3.1.0. diff -Nru kildclient-3.1.0/debian/control kildclient-3.1.0/debian/control --- kildclient-3.1.0/debian/control 2016-12-04 20:46:22.0 -0200 +++ kildclient-3.1.0/debian/control 2018-01-20 10:50:25.0 -0200 @@ -10,7 +10,7 @@ Package: kildclient Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl +Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl, desktop-file-utils Suggests: kildclient-doc, libgtk3-perl Description: powerful MUD client with a built-in Perl interpreter KildClient is a MUD Client written with the GTK+ windowing toolkit. diff -Nru kildclient-3.1.0/debian/NEWS.Debian kildclient-3.1.0/debian/NEWS.Debian --- kildclient-3.1.0/debian/NEWS.Debian 2016-12-04 20:46:22.0 -0200 +++ kildclient-3.1.0/debian/NEWS.Debian 2018-01-20 10:50:25.0 -0200 
@@ -1,3 +1,11 @@ +kildclient (3.1.0-1+deb9u1) stretch-security; urgency=high + + * The option to define the command used to run a web browser has been +removed; the default browser (as selected by MIME types database) is +now used. + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sat, 20 Jan 2018 10:50:25 -0200 + kildclient (2.8.1-1) experimental; urgency=low The HTML manual is now in the package kildclient-doc. diff -Nru kildclient-3.1.0/debian/patches/cve-2017-17511.patch kildclient-3.1.0/debian/patches/cve-2017-17511.patch --- kildclient-3.1.0/debian/patches/cve-2017-17511.patch 1969-12-31 21:00:00.0 -0300 +++ kildclient-3.1.0/debian/patches/cve-2017-17511.patch 2018-01-20 08:44:40.0 -0200 
@@ -0,0 +1,183 @@ +Description: Fix for CVE-2017-17511 + Uses a GTK+ function to open URLs, instead of using a command + supplied by the user or $BROWSER. +Author: Eduardo M KALINOWSKI <edua...@kalinowski.com.br> +Last-Update: 2017-12-17 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/doc/C/kildclient.xml b/doc/C/kildclient.xml +@@ -1233,20 +1233,16 @@ + + + +-In this section you can configure the command that will be run +-when you right-click in a URL that appears in the MUD window and +-select Open Link. The command will be executed, +-with %s replaced with the URL's address. The +-ampersand () in the end means that the command +-is to be executed in the background, so that you can continue using +-KildClient while browsing the URL. +- +-You can also set a command used to play audio files (see In this section you can set a command used to play audio files (see ). Enter the command, with %s + in the place of the file path. The default should work (it uses the + SOX program, which is usually installed), but you can use other + commands if you use ALSA, ARTS, ESD, JACK, etc. + ++Previously it was also possible to define a command to run a web ++browser. This option has been removed, and the default browser is now ++used instead. ++ + + + +--- a/src/dlgPreferences.ui b/src/dlgPreferences.ui +@@ -521,61 +521,6 @@ + vertical + 6 + +- +-False +-bWeb browser/b +-True +-0 +-0 +- +- +-False +-True +-0 +- +- +- +- +-False +-16 +-vertical +-6 +- +- +-False +-Enter the command to run a _web browser. %s will be substituted by the web page address: +-True +-True +-txtBrowserCommand +-0 +- +- +-False +-True +-0 +- +- +- +- +-True +-
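Review bot: The debian/changelog entry is headed "stretch; urgency=low" while the new debian/NEWS.Debian entry for the same version 3.1.0-1+deb9u1 is headed "stretch-security; urgency=high", so the two files disagree on both suite and urgency. Since the changelog targets stretch for a point release, I suggest using the same header line in NEWS.Debian.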
Bug#885086: Slightly improved version
I've made a small change to the package, changing the new dependency from gvfs to desktop-file-utils, since that's what's really necessary (as discovered in #885086). The new debdiff is attached. -- Eduardo M KALINOWSKI edua...@kalinowski.com.br diff -Nru kildclient-3.1.0/debian/changelog kildclient-3.1.0/debian/changelog --- kildclient-3.1.0/debian/changelog 2016-12-04 20:46:22.0 -0200 +++ kildclient-3.1.0/debian/changelog 2018-01-20 10:50:25.0 -0200 @@ -1,3 +1,10 @@ +kildclient (3.1.0-1+deb9u1) stretch; urgency=low + + * Fix for CVE-2017-17511. New dependency 'desktop-file-utils' required +in order to use GTK+ function for opening URLs. Closes: #885007 + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sat, 20 Jan 2018 10:50:25 -0200 + kildclient (3.1.0-1) unstable; urgency=low * New upstream version: 3.1.0. diff -Nru kildclient-3.1.0/debian/control kildclient-3.1.0/debian/control --- kildclient-3.1.0/debian/control 2016-12-04 20:46:22.0 -0200 +++ kildclient-3.1.0/debian/control 2018-01-20 10:50:25.0 -0200 @@ -10,7 +10,7 @@ Package: kildclient Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl +Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl, desktop-file-utils Suggests: kildclient-doc, libgtk3-perl Description: powerful MUD client with a built-in Perl interpreter KildClient is a MUD Client written with the GTK+ windowing toolkit. diff -Nru kildclient-3.1.0/debian/NEWS.Debian kildclient-3.1.0/debian/NEWS.Debian --- kildclient-3.1.0/debian/NEWS.Debian 2016-12-04 20:46:22.0 -0200 +++ kildclient-3.1.0/debian/NEWS.Debian 2018-01-20 08:44:40.0 -0200 
@@ -1,3 +1,10 @@ +kildclient (3.1.0-1+deb9u1) stretch-security; urgency=high + + * The option to define the command used to run a web browser has been +removed; the default browser (as selected by gvfs) is now used. + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sun, 17 Dec 2017 09:42:23 -0200 + kildclient (2.8.1-1) experimental; urgency=low The HTML manual is now in the package kildclient-doc. diff -Nru kildclient-3.1.0/debian/patches/cve-2017-17511.patch kildclient-3.1.0/debian/patches/cve-2017-17511.patch --- kildclient-3.1.0/debian/patches/cve-2017-17511.patch 1969-12-31 21:00:00.0 -0300 +++ kildclient-3.1.0/debian/patches/cve-2017-17511.patch 2018-01-20 08:44:40.0 -0200 
@@ -0,0 +1,183 @@ +Description: Fix for CVE-2017-17511 + Uses a GTK+ function to open URLs, instead of using a command + supplied by the user or $BROWSER. +Author: Eduardo M KALINOWSKI <edua...@kalinowski.com.br> +Last-Update: 2017-12-17 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/doc/C/kildclient.xml b/doc/C/kildclient.xml +@@ -1233,20 +1233,16 @@ + + + +-In this section you can configure the command that will be run +-when you right-click in a URL that appears in the MUD window and +-select Open Link. The command will be executed, +-with %s replaced with the URL's address. The +-ampersand () in the end means that the command +-is to be executed in the background, so that you can continue using +-KildClient while browsing the URL. +- +-You can also set a command used to play audio files (see In this section you can set a command used to play audio files (see ). Enter the command, with %s + in the place of the file path. The default should work (it uses the + SOX program, which is usually installed), but you can use other + commands if you use ALSA, ARTS, ESD, JACK, etc. + ++Previously it was also possible to define a command to run a web ++browser. This option has been removed, and the default browser is now ++used instead. ++ + + + +--- a/src/dlgPreferences.ui b/src/dlgPreferences.ui +@@ -521,61 +521,6 @@ + vertical + 6 + +- +-False +-bWeb browser/b +-True +-0 +-0 +- +- +-False +-True +-0 +- +- +- +- +-False +-16 +-vertical +-6 +- +- +-False +-Enter the command to run a _web browser. %s will be substituted by the web page address: +-True +-True +-txtBrowserCommand +-0 +- +- +-False +-True +-0 +- +- +- +- +-True +-Specify the command used to la
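Review bot: The debian/NEWS.Debian hunk still tells users the default browser is "as selected by gvfs", although the debian/control hunk in this same debdiff adds desktop-file-utils, not gvfs, to Depends. Please reword the NEWS entry so it no longer names gvfs; its trailer date (Sun, 17 Dec 2017) also predates the changelog entry (Sat, 20 Jan 2018) and could be refreshed at the same time.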
Bug#885086: stretch-pu: package kildclient/3.1.0-1+deb9u1
Control: tags -1 -moreinfo

On 23-12-2017 16:08, Adam D. Barratt wrote:
> On Sat, 2017-12-23 at 15:56 -0200, Eduardo M Kalinowski wrote:
>> I'd like to upload an update to kildclient to fix
>> bug #885007 / CVE-2017-17511:
> The BTS and Security Tracker metadata for that issue suggest that it
> affects the version of kildclient in unstable and is not yet fixed
> there - is that correct? If so, please fix the package in unstable
> first and let us know once that's done.

A new upstream version has been uploaded to unstable, fixing this (and a couple other things). For the stretch (and jessie) uploads, the only changes are related to the CVE in question.

--
Money does not bring happiness to those who do not have it. -- Boris Vian
Eduardo M KALINOWSKI
edua...@kalinowski.com.br
Bug#885087: jessie-pu: package kildclient/3.0.0-2+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I'd like to upload an update to kildclient to fix bug #885007 / CVE-2017-17511:

| KildClient 3.1.0 does not validate strings before launching the program
| specified by the BROWSER environment variable, which might allow remote
| attackers to conduct argument-injection attacks via a crafted URL,
| related to prefs.c and worldgui.c.

This issue is of minimal impact, and the security team considered that a DSA is not necessary, but there is a simple fix that avoids the use of a user-specified command or $BROWSER, and I'd like to include it in the next point release.

The debdiff is attached.

-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)

diff -Nru kildclient-3.0.0/debian/changelog kildclient-3.0.0/debian/changelog --- kildclient-3.0.0/debian/changelog 2014-12-09 20:20:51.0 -0200 +++ kildclient-3.0.0/debian/changelog 2017-12-23 08:39:43.0 -0200 @@ -1,3 +1,10 @@ +kildclient (3.0.0-2+deb8u1) jessie; urgency=low + + * Fix for CVE-2017-17511. New dependency 'gvfs' required in order to use +GTK+ function for opening URLs. Closes: #885007 + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sat, 23 Dec 2017 08:39:39 -0200 + kildclient (3.0.0-2) unstable; urgency=medium * Added work-around to enable scroll-to-end feature to work with diff -Nru kildclient-3.0.0/debian/control kildclient-3.0.0/debian/control --- kildclient-3.0.0/debian/control 2014-12-09 20:20:51.0 -0200 +++ kildclient-3.0.0/debian/control 2017-12-16 17:56:28.0 -0200 
@@ -10,7 +10,7 @@ Package: kildclient Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl, libjson-perl +Depends: ${shlibs:Depends}, ${misc:Depends}, liblocale-gettext-perl, libjson-perl, gvfs Suggests: kildclient-doc, libgtk3-perl Description: powerful MUD client with a built-in Perl interpreter KildClient is a MUD Client written with the GTK+ windowing toolkit. diff -Nru kildclient-3.0.0/debian/NEWS.Debian kildclient-3.0.0/debian/NEWS.Debian --- kildclient-3.0.0/debian/NEWS.Debian 2014-12-09 20:20:51.0 -0200 +++ kildclient-3.0.0/debian/NEWS.Debian 2017-12-16 18:09:46.0 -0200 @@ -1,3 +1,10 @@ +kildclient (3.0.0-2+deb8u1) jessie-security; urgency=high + + * The option to define the command used to run a web browser has been +removed; the default browser (as selected by gvfs) is now used. + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sat, 16 Dec 2017 17:57:34 -0200 + kildclient (2.8.1-1) experimental; urgency=low The HTML manual is now in the package kildclient-doc. diff -Nru kildclient-3.0.0/debian/patches/cve-2017-17511.patch kildclient-3.0.0/debian/patches/cve-2017-17511.patch --- kildclient-3.0.0/debian/patches/cve-2017-17511.patch1969-12-31 21:00:00.0 -0300 +++ kildclient-3.0.0/debian/patches/cve-2017-17511.patch2017-12-16 18:22:25.0 -0200 
@@ -0,0 +1,221 @@ +Description: Fix for CVE-2017-17511 + Uses a GTK+ function to open URLs, instead of using a command + supplied by the user or $BROWSER. +Author: Eduardo M KALINOWSKI <edua...@kalinowski.com.br> +Last-Update: 2017-12-16 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/kildclient.h b/src/kildclient.h +@@ -633,7 +633,6 @@ + GtkPositionType tab_position; + gboolean hide_single_tab; + gboolean urgency_hint; +- char*browser_command; + char*audio_player_command; + char*last_open_world; + gboolean no_plugin_help_msg; +--- a/src/prefs.c b/src/prefs.c +@@ -92,7 +92,6 @@ + GObject *txtProxyUser; + GObject *txtProxyPassword; + #ifndef __WIN32__ +- GObject *txtBrowserCommand; + GObject *txtAudioPlayerCommand; + #else + GtkWidget*tabPrograms; +@@ -178,12 +177,6 @@ + + #ifndef __WIN32__ + /* Load commands */ +-txtBrowserCommand = gtk_builder_get_object(main_builder, "txtBrowserCommand"); +-gtk_entry_set_text(GTK_ENTRY(txtBrowserCommand), +- globalPrefs.browser_command); +-g_signal_connect(txtBrowserCommand, "focus_out_event", +- G_CALLBACK(txt_cmd_focus_out_cb), +- _command); + txtAudioPlayerCommand + = gtk_builder_get_object(main_builder, "txtAudioPlayerCommand"); + gtk_entry_set_text(GTK_ENTRY(txtAudioPlayerCommand), +@@ -319,9 +312,6 @@ + } + + /* Has the commands been set? */ +- if (!globalPrefs.browser_command) { +-globalP
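Review bot: The debian/control hunk adds gvfs as a hard Depends, which is a new runtime dependency for every jessie user of the package, and the changelog justifies it only as "required in order to use GTK+ function for opening URLs". Please state in the changelog what fails without it, so the release team can judge whether a smaller package would satisfy the same need in a stable update.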
Bug#885086: stretch-pu: package kildclient/3.1.0-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I'd like to upload an update to kildclient to fix bug #885007 / CVE-2017-17511:

| KildClient 3.1.0 does not validate strings before launching the program
| specified by the BROWSER environment variable, which might allow remote
| attackers to conduct argument-injection attacks via a crafted URL,
| related to prefs.c and worldgui.c.

This issue is of minimal impact, and the security team considered that a DSA is not necessary, but there is a simple fix that avoids the use of a user-specified command or $BROWSER, and I'd like to include it in the next point release.

The debdiff is attached.

-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)

diff -Nru kildclient-3.1.0/debian/changelog kildclient-3.1.0/debian/changelog --- kildclient-3.1.0/debian/changelog 2016-12-04 20:46:22.0 -0200 +++ kildclient-3.1.0/debian/changelog 2017-12-23 08:40:07.0 -0200 @@ -1,3 +1,10 @@ +kildclient (3.1.0-1+deb9u1) stretch; urgency=low + + * Fix for CVE-2017-17511. New dependency 'gvfs' required in order to use +GTK+ function for opening URLs. Closes: #885007 + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sat, 23 Dec 2017 08:40:07 -0200 + kildclient (3.1.0-1) unstable; urgency=low * New upstream version: 3.1.0. diff -Nru kildclient-3.1.0/debian/control kildclient-3.1.0/debian/control --- kildclient-3.1.0/debian/control 2016-12-04 20:46:22.0 -0200 +++ kildclient-3.1.0/debian/control 2017-12-17 09:42:44.0 -0200 
@@ -10,7 +10,7 @@ Package: kildclient Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl +Depends: ${shlibs:Depends}, ${misc:Depends}, libjson-perl, gvfs Suggests: kildclient-doc, libgtk3-perl Description: powerful MUD client with a built-in Perl interpreter KildClient is a MUD Client written with the GTK+ windowing toolkit. diff -Nru kildclient-3.1.0/debian/NEWS.Debian kildclient-3.1.0/debian/NEWS.Debian --- kildclient-3.1.0/debian/NEWS.Debian 2016-12-04 20:46:22.0 -0200 +++ kildclient-3.1.0/debian/NEWS.Debian 2017-12-17 09:43:58.0 -0200 @@ -1,3 +1,10 @@ +kildclient (3.1.0-1+deb9u1) stretch-security; urgency=high + + * The option to define the command used to run a web browser has been +removed; the default browser (as selected by gvfs) is now used. + + -- Eduardo M Kalinowski <edua...@kalinowski.com.br> Sun, 17 Dec 2017 09:42:23 -0200 + kildclient (2.8.1-1) experimental; urgency=low The HTML manual is now in the package kildclient-doc. diff -Nru kildclient-3.1.0/debian/patches/cve-2017-17511.patch kildclient-3.1.0/debian/patches/cve-2017-17511.patch --- kildclient-3.1.0/debian/patches/cve-2017-17511.patch1969-12-31 21:00:00.0 -0300 +++ kildclient-3.1.0/debian/patches/cve-2017-17511.patch2017-12-17 09:56:25.0 -0200 
@@ -0,0 +1,183 @@ +Description: Fix for CVE-2017-17511 + Uses a GTK+ function to open URLs, instead of using a command + supplied by the user or $BROWSER. +Author: Eduardo M KALINOWSKI <edua...@kalinowski.com.br> +Last-Update: 2017-12-17 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/doc/C/kildclient.xml b/doc/C/kildclient.xml +@@ -1233,20 +1233,16 @@ + + + +-In this section you can configure the command that will be run +-when you right-click in a URL that appears in the MUD window and +-select Open Link. The command will be executed, +-with %s replaced with the URL's address. The +-ampersand () in the end means that the command +-is to be executed in the background, so that you can continue using +-KildClient while browsing the URL. +- +-You can also set a command used to play audio files (see In this section you can set a command used to play audio files (see ). Enter the command, with %s + in the place of the file path. The default should work (it uses the + SOX program, which is usually installed), but you can use other + commands if you use ALSA, ARTS, ESD, JACK, etc. + ++Previously it was also possible to define a command to run a web ++browser. This option has been removed, and the default browser is now ++used instead. ++ + + + +--- a/src/dlgPreferences.ui b/src/dlgPreferences.ui +@@ -521,61 +521,6 @@ + vertical + 6 + +- +-False +-bWeb browser/b +-True +-0 +-0 +- +- +-False +-True +-
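The argument-injection issue quoted in the request above, as an added example that is not part of the original message or of KildClient's code: the first half expands the legacy default template from prefs.c, `${BROWSER} "%s" &`, and counts the words a shell would see; the second half passes the URL as a single argv element after a scheme and character check. The function names, the `url-handler` program name, the example.test URLs and the http/https allowlist are assumptions made for this illustration; the patch itself hands the URL to a GTK+ function instead.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Legacy pattern: paste the URL into a shell command template at the first
 * "%s". Returns a malloc'd string (caller frees) or NULL on error. */
char *expand_template(const char *tmpl, const char *url)
{
    const char *slot = strstr(tmpl, "%s");
    if (slot == NULL)
        return NULL;
    size_t head = (size_t)(slot - tmpl);
    char *out = malloc(head + strlen(url) + strlen(slot + 2) + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, tmpl, head);
    out[head] = '\0';
    strcat(out, url);
    strcat(out, slot + 2);
    return out;
}

/* Count the words a POSIX shell would split the command into, honouring
 * only double quotes. Simplified on purpose: no escapes, no expansions. */
int count_shell_words(const char *cmd)
{
    int words = 0, in_word = 0, in_quote = 0;
    for (const char *p = cmd; *p != '\0'; p++) {
        if (*p == '"') {
            in_quote = !in_quote;
            if (!in_word) { in_word = 1; words++; }
        } else if (!in_quote && isspace((unsigned char)*p)) {
            in_word = 0;
        } else if (!in_word) {
            in_word = 1;
            words++;
        }
    }
    return words;
}

/* Assumed policy for this example: http/https only, and only characters
 * that RFC 3986 allows in a URI. Quotes, spaces and control bytes fail. */
int url_is_acceptable(const char *url)
{
    static const char extra[] = "-._~:/?#[]@!$&'()*+,;=%";
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (const char *p = url; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && strchr(extra, *p) == NULL)
            return 0;
    }
    return 1;
}

/* Build an argv for a direct exec (no shell involved): the URL is exactly
 * one argument whatever it contains. Returns 0, or -1 if the URL is rejected. */
int build_open_argv(const char *handler, const char *url, const char *argv[3])
{
    if (!url_is_acceptable(url))
        return -1;
    argv[0] = handler;
    argv[1] = url;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    const char *tmpl = "${BROWSER} \"%s\" &";   /* default seen in prefs.c */
    /* Constructed inputs: a plain URL and one carrying a double quote. */
    const char *plain = "http://example.test/";
    const char *quoted = "http://example.test/\" --constructed-flag \"";
    const char *inputs[2] = { plain, quoted };

    for (int i = 0; i < 2; i++) {
        char *cmd = expand_template(tmpl, inputs[i]);
        const char *argv[3];
        if (cmd == NULL)
            return 1;
        printf("template: %s\n  shell words: %d\n", cmd, count_shell_words(cmd));
        printf("  argv path: %s\n",
               build_open_argv("url-handler", inputs[i], argv) == 0
                   ? "accepted as one argument" : "rejected");
        free(cmd);
    }
    return 0;
}
```

The quotes in the template only protect a URL that contains no quote of its own, which is why the word count changes between the two inputs.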
Bug#772672: (pre-approval) unblock: kildclient/3.0.0-2
Control: tags -1 - moreinfo

Package kildclient 3.0.0-2 has been accepted in unstable, please unblock it.

Thanks,

--
Whoever confuses freedom of thought with freedom has never thought about anything. --Millôr Fernandes
Taken from http://www.uol.com.br/millor
Eduardo M KALINOWSKI
edua...@kalinowski.com.br
Bug#772672: (pre-approval) unblock: kildclient/3.0.0-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

KildClient is a client to connect to MUDs, or text-based multi-user role-playing games. It's basically a telnet client with features specific to MUDs.

Bug #772096 has been filed against it: due to some behavior changes in GTK+ = 3.13, KildClient does not scroll automatically to the bottom when text is received. This makes the program really painful to use (if not useless), think of using a terminal emulator that does not automatically display more output, requiring the user to scroll after each sent command.

I've been able to find a very simple workaround that restores the desired behavior, and made a Debian package incorporating the changes. The debdiff is attached.

I'm not a DD, so if approved, I'll have to ask on -mentors for a sponsor. The package is on mentors.debian.net: https://mentors.debian.net/package/kildclient

unblock kildclient/3.0.0-2

-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (900, 'testing'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)

diff -Nru kildclient-3.0.0/debian/changelog kildclient-3.0.0/debian/changelog --- kildclient-3.0.0/debian/changelog 2014-09-06 07:48:34.0 -0300 +++ kildclient-3.0.0/debian/changelog 2014-12-09 19:03:40.0 -0200 @@ -1,3 +1,10 @@ +kildclient (3.0.0-2) unstable; urgency=medium + + * Added work-around to enable scroll-to-end feature to work with +GTK+ = 3.13. Closes: #772096 + + -- Eduardo M Kalinowski edua...@kalinowski.com.br Mon, 08 Dec 2014 20:13:37 -0200 + kildclient (3.0.0-1) unstable; urgency=low * New upstream version: 3.0.0. diff -Nru kildclient-3.0.0/debian/control kildclient-3.0.0/debian/control --- kildclient-3.0.0/debian/control 2014-09-06 07:48:34.0 -0300 +++ kildclient-3.0.0/debian/control 2014-12-09 19:03:40.0 -0200 
@@ -2,7 +2,7 @@ Section: games Priority: optional Maintainer: Eduardo M Kalinowski edua...@kalinowski.com.br -Build-Depends: debhelper (= 9), dh-autoreconf, libglib2.0-dev (= 2.32.0), libgtk-3-dev (= 3.10.0), libperl-dev (= 5.10.0), gettext (= 0.14.5), libgtkspell3-3-dev, libgnutls28-dev, zlib1g-dev +Build-Depends: debhelper (= 9), dh-autoreconf, quilt, libglib2.0-dev (= 2.32.0), libgtk-3-dev (= 3.10.0), libperl-dev (= 5.10.0), gettext (= 0.14.5), libgtkspell3-3-dev, libgnutls28-dev, zlib1g-dev Standards-Version: 3.9.5 Homepage: http://www.kildclient.org Vcs-Browser: http://sourceforge.net/p/kildclient/git/ci/master/tree/debian/ diff -Nru kildclient-3.0.0/debian/patches/fix-scroll-to-end.patch kildclient-3.0.0/debian/patches/fix-scroll-to-end.patch --- kildclient-3.0.0/debian/patches/fix-scroll-to-end.patch 1969-12-31 21:00:00.0 -0300 +++ kildclient-3.0.0/debian/patches/fix-scroll-to-end.patch 2014-12-09 19:03:40.0 -0200 
@@ -0,0 +1,24 @@ +Description: Enable scroll-to-end with GTK+ = 3.13 + Starting with GTK+ 3.13, animation support in GtkAdjustment has made + the scroll-to-end function when new text is received to stop working. + This patch disables animation in the affected widget so that the + scroll-to-end functionality works again. +Author: Eduardo M Kalinowski edua...@kalinowski.com.br +Origin: upstream, http://sourceforge.net/p/kildclient/git/ci/6458ef77880967208c6481413ce631716193f8bf +Bug-Debian: http://bugs.debian.org/772096 +Last-Update: 2014-12-08 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/worldgui.c b/src/worldgui.c +@@ -153,6 +153,10 @@ + gtk_scrolled_window_set_policy(gui-scrolled_win, + GTK_POLICY_AUTOMATIC, + GTK_POLICY_ALWAYS); ++ /* With the default (on), scroll-to-end does not work with GTK+ = 3.13 */ ++ g_object_set(gtk_widget_get_settings(GTK_WIDGET(gui-scrolled_win)), ++ gtk-enable-animations, FALSE, ++ NULL); + + gui-txtView = GTK_TEXT_VIEW(gtk_text_view_new()); + gtk_text_view_set_editable(gui-txtView, FALSE); diff -Nru kildclient-3.0.0/debian/patches/series kildclient-3.0.0/debian/patches/series --- kildclient-3.0.0/debian/patches/series 1969-12-31 21:00:00.0 -0300 +++ kildclient-3.0.0/debian/patches/series 2014-12-09 19:03:40.0 -0200 @@ -0,0 +1 @@ +fix-scroll-to-end.patch diff -Nru kildclient-3.0.0/debian/rules kildclient-3.0.0/debian/rules --- kildclient-3.0.0/debian/rules 2014-09-06 07:48:34.0 -0300 +++ kildclient-3.0.0/debian/rules 2014-12-09 19:03:40.0 -0200 @@ -9,7 +9,7 @@ %: - dh $@ --with autoreconf --parallel + dh $@ --with autoreconf --with quilt --parallel override_dh_auto_install-indep: $(MAKE) -C doc DESTDIR=$(CURDIR)/debian/kildclient-doc install
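Review bot: In the worldgui.c hunk, g_object_set() is applied to the object returned by gtk_widget_get_settings(), which is the GtkSettings instance shared by every widget on that screen, so gtk-enable-animations is switched off for the whole application and not only "in the affected widget" as the patch Description says. Please reword the Description and the code comment to say the setting is application-wide, or explain why a narrower workaround is not possible.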
Bug#772672: (pre-approval) unblock: kildclient/3.0.0-2
On 12/09/2014 08:10 PM, Adam D. Barratt wrote:
> Control: tags -1 + confirmed moreinfo
>
> Looking at your diff:
>
> -Build-Depends: debhelper (= 9), dh-autoreconf, libglib2.0-dev (= 2.32.0), libgtk-3-dev (= 3.10.0), libperl-dev (= 5.10.0), gettext (= 0.14.5), libgtkspell3-3-dev, libgnutls28-dev, zlib1g-dev +Build-Depends: debhelper (= 9), dh-autoreconf, quilt, libglib2.0-dev (= 2.32.0), libgtk-3-dev (= 3.10.0), libperl-dev (= 5.10.0), gettext (= 0.14.5), libgtkspell3-3-dev, libgnutls28-dev, zlib1g-dev [...] - dh $@ --with autoreconf --parallel + dh $@ --with autoreconf --with quilt --parallel
>
> That change is on the list of things /not/ to do on
> https://release.debian.org/jessie/freeze_policy.html#getting-unblocks
>
> It's also entirely unnecessary, as the package already declares itself
> to use source format 3.0 (quilt).
>
> Please revert the above changes and go ahead, removing the moreinfo tag
> once the package is in unstable.

Thanks for the hints, I've prepared a new package without those changes. I'm attaching the new debdiff, and I'll remove the moreinfo tag once it gets in unstable.

--
Some assembly required.
Eduardo M KALINOWSKI
edua...@kalinowski.com.br

diff -Nru kildclient-3.0.0/debian/changelog kildclient-3.0.0/debian/changelog --- kildclient-3.0.0/debian/changelog 2014-09-06 07:48:34.0 -0300 +++ kildclient-3.0.0/debian/changelog 2014-12-09 20:20:51.0 -0200 @@ -1,3 +1,10 @@ +kildclient (3.0.0-2) unstable; urgency=medium + + * Added work-around to enable scroll-to-end feature to work with +GTK+ = 3.13. Closes: #772096 + + -- Eduardo M Kalinowski edua...@kalinowski.com.br Mon, 08 Dec 2014 20:13:37 -0200 + kildclient (3.0.0-1) unstable; urgency=low * New upstream version: 3.0.0. diff -Nru kildclient-3.0.0/debian/patches/fix-scroll-to-end.patch kildclient-3.0.0/debian/patches/fix-scroll-to-end.patch --- kildclient-3.0.0/debian/patches/fix-scroll-to-end.patch 1969-12-31 21:00:00.0 -0300 +++ kildclient-3.0.0/debian/patches/fix-scroll-to-end.patch 2014-12-09 20:20:51.0 -0200 
@@ -0,0 +1,24 @@ +Description: Enable scroll-to-end with GTK+ = 3.13 + Starting with GTK+ 3.13, animation support in GtkAdjustment has made + the scroll-to-end function when new text is received to stop working. + This patch disables animation in the affected widget so that the + scroll-to-end functionality works again. +Author: Eduardo M Kalinowski edua...@kalinowski.com.br +Origin: upstream, http://sourceforge.net/p/kildclient/git/ci/6458ef77880967208c6481413ce631716193f8bf +Bug-Debian: http://bugs.debian.org/772096 +Last-Update: 2014-12-08 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/worldgui.c b/src/worldgui.c +@@ -153,6 +153,10 @@ + gtk_scrolled_window_set_policy(gui-scrolled_win, + GTK_POLICY_AUTOMATIC, + GTK_POLICY_ALWAYS); ++ /* With the default (on), scroll-to-end does not work with GTK+ = 3.13 */ ++ g_object_set(gtk_widget_get_settings(GTK_WIDGET(gui-scrolled_win)), ++ gtk-enable-animations, FALSE, ++ NULL); + + gui-txtView = GTK_TEXT_VIEW(gtk_text_view_new()); + gtk_text_view_set_editable(gui-txtView, FALSE); diff -Nru kildclient-3.0.0/debian/patches/series kildclient-3.0.0/debian/patches/series --- kildclient-3.0.0/debian/patches/series 1969-12-31 21:00:00.0 -0300 +++ kildclient-3.0.0/debian/patches/series 2014-12-09 20:20:51.0 -0200 @@ -0,0 +1 @@ +fix-scroll-to-end.patch
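Review bot: The code comment added in the worldgui.c hunk ("With the default (on), scroll-to-end does not work with GTK+ ...") does not carry the bug number, although the patch header records Bug-Debian: http://bugs.debian.org/772096. Please add #772096 to the comment so that whoever reads worldgui.c later can tell when the workaround may be dropped.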
kildclient_2.7.0-1, Rebuild against latest libperl5.10 fixes #480499, i386 m68k
I'm the maintainer (but I'm not a DD) of the KildClient package, which uses libperl. Recently a new version of the package has been uploaded to the archive. However, for some of the architectures (the ones in which the build started first, as it seems) the package was built with version 5.8 of libperl, but for others it was built using the latest version, 5.10, as can be seen from http://packages.debian.org/sid/kildclient .

However, libperl5.8 and libperl5.10 cannot both exist simultaneously because both depend on different versions of perl-base. Thus the packages that depend on libperl5.8 are not installable once Perl is upgraded to 5.10. There is even a bug report about this (#480499), even though it was reported against the version currently in testing (Perl 5.10 is only in unstable).

I've built the program against libperl5.10 and saw that it works fine, no changes to the program are necessary, nor to the Debian package. The only thing I need is to request a rebuild of the package from source for i386 and m68k.

(I'm not subscribed to this list, please CC me if this gets replied.)

--
BOFH excuse #306: CPU-angle has to be adjusted because of vibrations coming from the nearby road
Eduardo M KALINOWSKI
[EMAIL PROTECTED]
http://move.to/hpkb