Bug#1050365: transition: yaml-cpp

2023-08-23 Thread Gianfranco Costamagna

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition


All the packages are building properly; I checked in an Ubuntu PPA (and most of
them are in sync with Debian).

Only openimageio and qtcreator have issues finding the new libyaml-cpp release,
and this can be easily solved by dropping the Findyaml-cpp.cmake.

Excluding unrelated failures and packages out of testing, it's an 18-package
transition.

Ben file:

title = "yaml-cpp";
is_affected = .depends ~ "libyaml-cpp0.7" | .depends ~ "libyaml-cpp0.8";
is_good = .depends ~ "libyaml-cpp0.8";
is_bad = .depends ~ "libyaml-cpp0.7";




Bug#1006835: transition: sndio (NMU)

2022-03-06 Thread Gianfranco Costamagna

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: transition
Severity: normal

Hello, I would like to transition sndio from version 1.5.0 to 1.8.1,
bringing some new symbols (didn't touch any old symbol) and pkgconfig
file helping reverse-dependencies (such as vlc) find it.

All the reverse dependencies build fine, and I would like to also do
libsoundio "transition" together with this one (the only
reverse-dependency is lmms)

11 packages are in the list:
scummvm
cubeb
lmms
openal-soft
ffmpeg
audacious-plugins
baresip
kodi
lebiniou
mpd
vlc

And all build fine (lmms builds fine with old and new libsoundio).

Ben file:

title = "sndio";
is_affected = .depends ~ "libsndio7.0" | .depends ~ "libsndio7.1";
is_good = .depends ~ "libsndio7.1";
is_bad = .depends ~ "libsndio7.0";



Bug#993564: bullseye-pu: package dlt-viewer/2.21.2+dfsg-2+deb11u1

2021-09-25 Thread Gianfranco Costamagna
control: tags -1 -moreinfo

On Tue, 7 Sep 2021 14:40:34 +0100 Jonathan Wiltshire  wrote:
> Control: tag -1 confirmed moreinfo
> 
> On Fri, Sep 03, 2021 at 08:48:41AM +0200, Gianfranco Costamagna wrote:
> > Hello, for some reasons some headers in the -dev file were not
> > installed, leading to an error in building external plugins.
> > I opened RC: #993562 to track this issue, and I would like to fix also
> > bullseye since the fix is trivial
> 
> I'm fine with this change, but your changelog doesn't mention the bug
> number that it fixes and you uploaded a binary amd64 package with it. I'm
> not bothered by the binary package but I do want the changelog fixed, so we
> may as well do both.
> 
> You will receive a REJECT message from the archive. Once you have that,
> please re-upload with the changelog updated and make it a source-only
> upload. Then remove the wontfix tag from this request bug.
> 

thanks!

reuploaded

Gianfranco



Bug#993564: bullseye-pu: package dlt-viewer/2.21.2+dfsg-2+deb11u1

2021-09-03 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
Hello, for some reasons some headers in the -dev file were not
installed, leading to an error in building external plugins.
I opened RC: #993562 to track this issue, and I would like to fix also
bullseye since the fix is trivial

[ Impact ]
Header files are now installed into the include directory (4 missing
files)

[ Tests ]
I did compile custom plugins successfully with the fixed package

[ Risks ]
Risk is really low, I'm just installing 4 more header files into the system.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
I would like to use a regex instead of manually listing all the files,
like I did on sid.

diff --git a/debian/changelog b/debian/changelog
index 132a972..7d5c5a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+dlt-viewer (2.21.2+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Add missing qdlt/qdlt*.h header files to dev package
+
+ -- Gianfranco Costamagna   Wed, 01 Sep 2021 
11:42:30 +0200
+
 dlt-viewer (2.21.2+dfsg-2) unstable; urgency=medium

   * Revert compat level bump to let package migrate to testing.
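Review bot: The new changelog entry for 2.21.2+dfsg-2+deb11u1 does not reference the bug it fixes. The request text names RC bug #993562 as the tracker for the missing headers, so the bullet should carry `(Closes: #993562)`. It would also help to name the four headers that were missing, since the diff itself does not show which ones they are.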
diff --git a/debian/dlt-viewer-dev.install b/debian/dlt-viewer-dev.install
index 231bd86..b8ee2ee 100644
--- a/debian/dlt-viewer-dev.install
+++ b/debian/dlt-viewer-dev.install
@@ -1,19 +1,3 @@
 usr/lib/*/*.a
 qdlt/plugininterface.h /usr/include
-qdlt/qdltbase.h/usr/include
-qdlt/qdltargument.h/usr/include
-qdlt/qdltmsg.h /usr/include
-qdlt/qdltfilter.h  /usr/include
-qdlt/qdltfilterlist.h  /usr/include
-qdlt/qdltfilterindex.h /usr/include
-qdlt/qdltdefaultfilter.h   /usr/include
-qdlt/qdltfile.h/usr/include
-qdlt/qdltcontrol.h /usr/include
-qdlt/qdltconnection.h  /usr/include
-qdlt/qdltipconnection.h/usr/include
-qdlt/qdlttcpconnection.h   /usr/include
-qdlt/qdltudpconnection.h   /usr/include
-qdlt/qdltserialconnection.h/usr/include
-qdlt/qdltplugin.h  /usr/include
-qdlt/qdltpluginmanager.h   /usr/include
-qdlt/qdlt.h/usr/include
+qdlt/qdl*.h/usr/include
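Review bot: The added pattern `qdlt/qdl*.h` does not match what the changelog says was added, which is `qdlt/qdlt*.h`. Every header in the removed list starts with `qdlt`, so the narrower `qdlt/qdlt*.h` covers all 17 of them and avoids picking up unrelated `qdl`-prefixed files; whichever form is kept, the changelog and the install file should agree. Because a wildcard replaces the explicit entries, the resulting file list of the -dev package is worth comparing against the old one to confirm that only the intended headers were added.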


[ Other info ]
None.

thanks for caring!
Gianfranco
diff -Nru dlt-viewer-2.21.2+dfsg/debian/changelog 
dlt-viewer-2.21.2+dfsg/debian/changelog
--- dlt-viewer-2.21.2+dfsg/debian/changelog 2021-04-04 11:22:20.0 
+0200
+++ dlt-viewer-2.21.2+dfsg/debian/changelog 2021-09-01 11:42:30.0 
+0200
@@ -1,3 +1,9 @@
+dlt-viewer (2.21.2+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Add missing qdlt/qdlt*.h header files to dev package
+
+ -- Gianfranco Costamagna   Wed, 01 Sep 2021 
11:42:30 +0200
+
 dlt-viewer (2.21.2+dfsg-2) unstable; urgency=medium
 
   * Revert compat level bump to let package migrate to testing.
diff -Nru dlt-viewer-2.21.2+dfsg/debian/dlt-viewer-dev.install 
dlt-viewer-2.21.2+dfsg/debian/dlt-viewer-dev.install
--- dlt-viewer-2.21.2+dfsg/debian/dlt-viewer-dev.install2021-03-27 
09:29:15.0 +0100
+++ dlt-viewer-2.21.2+dfsg/debian/dlt-viewer-dev.install2021-09-01 
11:42:30.0 +0200
@@ -1,19 +1,3 @@
 usr/lib/*/*.a
 qdlt/plugininterface.h /usr/include
-qdlt/qdltbase.h/usr/include
-qdlt/qdltargument.h/usr/include
-qdlt/qdltmsg.h /usr/include
-qdlt/qdltfilter.h  /usr/include
-qdlt/qdltfilterlist.h  /usr/include
-qdlt/qdltfilterindex.h /usr/include
-qdlt/qdltdefaultfilter.h   /usr/include
-qdlt/qdltfile.h/usr/include
-qdlt/qdltcontrol.h /usr/include
-qdlt/qdltconnection.h  /usr/include
-qdlt/qdltipconnection.h/usr/include
-qdlt/qdlttcpconnection.h   /usr/include
-qdlt/qdltudpconnection.h   /usr/include
-qdlt/qdltserialconnection.h/usr/include
-qdlt/qdltplugin.h  /usr/include
-qdlt/qdltpluginmanager.h   /usr/include
-qdlt/qdlt.h/usr/include
+qdlt/qdl*.h/usr/include


Bug#985977: unblock: dlt-viewer/2.21.2+dfsg-1

2021-04-04 Thread Gianfranco Costamagna
On Thu, 1 Apr 2021 22:06:35 +0200 Paul Gevers  wrote:
> Hi Gianfranco,
> 
> On Mon, 29 Mar 2021 10:49:38 +0200 Sebastian Ramacher
>  wrote:
> > Seems fine without the compat bump.
> 
> Please revert.
> 
> https://release.debian.org/bullseye/FAQ.html (last section).
> 
> Paul
> 
> 
> 

done thanks!

G.



Bug#985977: unblock: dlt-viewer/2.21.2+dfsg-1

2021-03-27 Thread Gianfranco Costamagna
quot;" (
+set QWT_DIR=C:\Qwt-%QWT%_%MSVC_VERSION%_%QTVER%%DIR_POSTFIX%
+)
+
 set SOURCE_DIR=%CD%\qwt-%QWT%
-) ELSE (
+) else (
+if '%QWT_DIR%'=='' (
+set QWT_DIR=%WORKSPACE%\Qwt-%QWT%_%MSVC_VERSION%_%QTVER%%DIR_POSTFIX%
+)
+
 set SOURCE_DIR=%WORKSPACE%\qwt-%QWT%
 )
 
@@ -85,20 +88,11 @@
 set SEVENZ_DIR="C:\Program Files\7-Zip"
 )
 
-IF exist %QWT_DIR% (
-echo 
-echo ***  Delete old qwt Directory***
-echo 
-
-rmdir /s /q %QWT_DIR%
-IF %ERRORLEVEL% NEQ 0 GOTO ERROR_HANDLER
-)
-
 echo 
 echo * QTDIR = %QTDIR%
 echo * MSVC_DIR  = %MSVC_DIR%
 echo * PATH  = %PATH%
-echo * DLT_VIEWER_SDK_DIR = %DLT_VIEWER_SDK_DIR%
+echo * QWT_DIR = %QWT_DIR%
 echo * SOURCE_DIR = %SOURCE_DIR%
 echo 
 
@@ -109,6 +103,15 @@
 GOTO ERROR_HANDLER
 )
 
+IF exist %QWT_DIR% (
+echo 
+echo ***  Delete old qwt Directory***
+echo 
+
+rmdir /s /q %QWT_DIR%
+IF %ERRORLEVEL% NEQ 0 GOTO ERROR_HANDLER
+)
+
 echo 
 echo ***Unzip Archives***
 echo 
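Review bot: In the relocated `IF exist %QWT_DIR% (` block, `%ERRORLEVEL%` is expanded when the whole parenthesised block is parsed, so the check after `rmdir /s /q %QWT_DIR%` tests the value from before the block ran and a failed delete goes unnoticed. Use `IF ERRORLEVEL 1 GOTO ERROR_HANDLER` there, or enable delayed expansion. `QWT_DIR` can now also come from the caller's environment (the `if '%QWT_DIR%'==''` guard earlier in this diff), so quote it in both `IF exist "%QWT_DIR%"` and `rmdir /s /q "%QWT_DIR%"` before deleting it recursively.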
@@ -162,8 +165,9 @@
 echo 
 cd %WORKINGDIR%
 IF '%WORKSPACE%'=='' (
-pause
+pause
 )
+exit 1
 
 
 :QUIT
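Review bot: The `exit 1` added at the end of the error handler has no `/b`, so it ends the cmd.exe instance that runs the script rather than just the script. Someone running it from an interactive prompt loses the shell right after the `pause`; `exit /b 1` sets the error level for the caller without closing the parent shell.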
@@ -173,6 +177,6 @@
 echo Qwt installed in: %QWT_DIR%
 cd %WORKINGDIR%
 IF '%WORKSPACE%'=='' (
-pause
+pause
 )
 
diff -Nru dlt-viewer-2.21.1+dfsg/build_sdk_windows_qt5_MSVC.bat 
dlt-viewer-2.21.2+dfsg/build_sdk_windows_qt5_MSVC.bat
--- dlt-viewer-2.21.1+dfsg/build_sdk_windows_qt5_MSVC.bat   2021-01-18 
11:14:23.0 +0100
+++ dlt-viewer-2.21.2+dfsg/build_sdk_windows_qt5_MSVC.bat   2021-03-25 
08:41:04.0 +0100
@@ -52,7 +52,7 @@
 set BUILD_DIR=%CD%\build\release
 ) else (
 if '%DLT_VIEWER_SDK_DIR%'=='' (
-set DLT_VIEWER_SDK_DIR=%WORKSPACE%\DltViewerSDK
+set DLT_VIEWER_SDK_DIR=%WORKSPACE%\build\dist\DltViewerSDK
 )
 
 set SOURCE_DIR=%WORKSPACE%
@@ -280,26 +280,20 @@
 copy %SOURCE_DIR%\filters\* %DLT_VIEWER_SDK_DIR%\filters
 if %ERRORLEVEL% NEQ 0 GOTO ERROR_HANDLER
 
-
 GOTO QUIT
 
 :ERROR_HANDLER
 echo 
 echo ###   ERROR occured  ###
 echo 
-cd ..
-if '%WORKSPACE%'=='' (
-pause
-)
-rem exit 1
+set /p name= Continue
+exit 1
+
 
 :QUIT
 echo 
 echo ***   SUCCESS finish ***
 echo 
-cd ..
 echo SDK installed in: %DLT_VIEWER_SDK_DIR%
-if '%WORKSPACE%'=='' (
-pause
-)
-rem exit 0
+set /p name= Continue
+exit 0
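Review bot: `set /p name= Continue` now waits for input on both the `:ERROR_HANDLER` and `:QUIT` paths regardless of `%WORKSPACE%`, whereas the removed code paused only when `%WORKSPACE%` was empty. On an unattended build where `WORKSPACE` is set this can block on stdin, so keep the `if '%WORKSPACE%'==''` guard around the prompt. The same hunk also drops both `cd ..` lines; confirm nothing relies on the script returning to the starting directory.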
diff -Nru dlt-viewer-2.21.1+dfsg/.ci/travis/build.sh 
dlt-viewer-2.21.2+dfsg/.ci/travis/build.sh
--- dlt-viewer-2.21.1+dfsg/.ci/travis/build.sh  2021-01-18 11:14:23.0 
+0100
+++ dlt-viewer-2.21.2+dfsg/.ci/travis/build.sh  1970-01-01 01:00:00.0 
+0100
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-if [[ "$(uname -s)" == 'Darwin' ]]; then
-  readonly Qt5_DIR="/usr/local/opt/qt"
-fi
-
-mkdir build
-cd build
-
-# Building with CMake
-cmake ../
-make
-
-# Cleanup
-rm -rf *
-
-# Building with QMake
-qmake ../BuildDltViewer.pro
-make
diff -Nru dlt-viewer-2.21.1+dfsg/.ci/travis/install.sh 
dlt-viewer-2.21.2+dfsg/.ci/travis/install.sh
--- dlt-viewer-2.21.1+dfsg/.ci/travis/install.sh2021-01-18 
11:14:23.0 +0100
+++ dlt-viewer-2.21.2+dfsg/.ci/travis/install.sh1970-01-01 
01:00:00.0 +0100
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-if [[ "$(uname -s)" == 'Darwin' ]]; then
-brew link qt --force
-else
-sudo apt-get update
-sudo apt-get install -y build-essential qt5-default libqt5serialport5-dev
-fi
diff -Nru dlt-viewer-2.21.1+dfsg/debian/changelog 
dlt-viewer-2.21.2+dfsg/debian/changelog
--- dlt-viewer-2.21.1+dfsg/debian/changelog 2021-01-30 13:35:57.0 
+0100
+++ dlt-viewer-2.21.2+dfsg/debian/changelog 2021-03-27 09:29:15.0 
+0100
@@ -1,3 +1,12 @@
+dlt-viewer (2.21.2+dfsg-1) unstable; urgency=medium
+
+  * New upstream version 2.21.2+dfsg
+  * Add R^3: no
+  * Bump compat level to 13
+  * Also install upstream png icons
+
+ -- Gianfranco Costamagna   Sat, 27 Mar 2021 
09:29:15 +0100
+
 dlt-viewer (2.21.1+dfsg-1) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru dlt-viewer-2.21.1+dfsg/debian/control 
dlt-viewer-2.21.2+dfsg/debian/control
--- dlt-viewer-2.21.1+dfsg/debian/control   2021-01-30 13:34:29.00000 
+0100
+++ dlt-viewer-2.21.2+dfsg/debian/control   2021-03-27 09:29:15.0 
+0100
@@ -5,7 +5,7 @@
 Uploaders: Bruno "Fuddl" Kleinert ,
  Aigars Mahinovs ,
  Gianfranco Costamagna 
-Build-Depends: debhelper-compat (= 12),
+Build-Depends: debhelper-compat (= 13),
  qtbase5-dev,
  qtdeclarative5-dev,
  libqt5serialport5-dev,
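Review bot: The `debhelper-compat (= 12)` to `(= 13)` bump in Build-Depends is a packaging change unrelated to the new upstream version, and it widens what has to be reviewed for an unblock request. Keep compat 12 for this upload and do the bump in a later one, together with the `Bump compat level to 13` changelog bullet.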
@@ -13,6 +13,7 @@
  asciidoc,

Bug#983918: buster-pu: package libbsd/0.9.1-2

2021-03-03 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

CVE-2019-20367 (no DSA) has been fixed for stretch in 0.8.3-1+deb9u1 and
for bullseye, sid with version 0.10.0-1
Buster has been left out from the patches, and since the patch is
trivial, I propose to apply it for buster too


diff -Nru libbsd-0.9.1/debian/changelog libbsd-0.9.1/debian/changelog
--- libbsd-0.9.1/debian/changelog   2019-02-25 01:33:03.0 +0100
+++ libbsd-0.9.1/debian/changelog   2021-03-03 12:03:12.0 +0100
@@ -1,3 +1,12 @@
+libbsd (0.9.1-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-20367
+A non-NUL terminated symbol name in the string table might
+result in a out-of-bounds read.
+
+ -- Gianfranco Costamagna   Wed, 03 Mar 2021 
12:03:12 +0100
+
 libbsd (0.9.1-2) unstable; urgency=medium
 
   * Perform a proper and correct /usr-merge transition by moving the package
diff -Nru libbsd-0.9.1/debian/patches/CVE-2019-20367.patch 
libbsd-0.9.1/debian/patches/CVE-2019-20367.patch
--- libbsd-0.9.1/debian/patches/CVE-2019-20367.patch1970-01-01 
01:00:00.0 +0100
+++ libbsd-0.9.1/debian/patches/CVE-2019-20367.patch2021-03-03 
12:00:40.0 +0100
@@ -0,0 +1,42 @@
+From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00 2001
+From: Guillem Jover 
+Date: Wed, 7 Aug 2019 22:58:30 +0200
+Subject: [PATCH] nlist: Fix out-of-bounds read on strtab
+
+When doing a string comparison for a symbol name from the string table,
+we should make sure we do a bounded comparison, otherwise a non-NUL
+terminated string might make the code read out-of-bounds.
+
+Warned-by: coverity
+---
+ src/nlist.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/nlist.c b/src/nlist.c
+index 8aa46a2..228c220 100644
+--- a/src/nlist.c
 b/src/nlist.c
+@@ -227,16 +227,18 @@ __fdnlist(int fd, struct nlist *list)
+   symsize -= cc;
+   for (s = sbuf; cc > 0 && nent > 0; ++s, cc -= sizeof(*s)) {
+   char *name;
++  Elf_Word size;
+   struct nlist *p;
+ 
+   name = strtab + s->st_name;
+   if (name[0] == '\0')
+   continue;
++  size = symstrsize - s->st_name;
+ 
+   for (p = list; !ISLAST(p); p++) {
+   if ((p->n_un.n_name[0] == '_' &&
+-  strcmp(name, p->n_un.n_name+1) == 0)
+-  || strcmp(name, p->n_un.n_name) == 0) {
++   strncmp(name, p->n_un.n_name+1, size) == 
0) ||
++  strncmp(name, p->n_un.n_name, size) == 0) {
+   elf_sym_to_nlist(p, s, shdr,
+   ehdr.e_shnum);
+   if (--nent <= 0)
+-- 
+GitLab
+
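Review bot: In the `__fdnlist` loop, `size = symstrsize - s->st_name` is computed without first checking that `s->st_name` is smaller than `symstrsize`, and `name[0]` is read before `size` is set. For a symbol whose `st_name` lies at or beyond the end of the string table, `name` already points outside `strtab` and the subtraction no longer gives a valid bound for `strncmp`. Skip such entries up front, for example with `if (s->st_name >= symstrsize) continue;` placed before `name = strtab + s->st_name`.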
diff -Nru libbsd-0.9.1/debian/patches/series libbsd-0.9.1/debian/patches/series
--- libbsd-0.9.1/debian/patches/series  1970-01-01 01:00:00.0 +0100
+++ libbsd-0.9.1/debian/patches/series  2021-03-03 12:01:48.0 +0100
@@ -0,0 +1 @@
+CVE-2019-20367.patch
diff -Nru libbsd-0.9.1/debian/changelog libbsd-0.9.1/debian/changelog
--- libbsd-0.9.1/debian/changelog   2019-02-25 01:33:03.0 +0100
+++ libbsd-0.9.1/debian/changelog   2021-03-03 12:03:12.0 +0100
@@ -1,3 +1,12 @@
+libbsd (0.9.1-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-20367
+A non-NUL terminated symbol name in the string table might
+result in a out-of-bounds read.
+
+ -- Gianfranco Costamagna   Wed, 03 Mar 2021 
12:03:12 +0100
+
 libbsd (0.9.1-2) unstable; urgency=medium
 
   * Perform a proper and correct /usr-merge transition by moving the package
diff -Nru libbsd-0.9.1/debian/patches/CVE-2019-20367.patch 
libbsd-0.9.1/debian/patches/CVE-2019-20367.patch
--- libbsd-0.9.1/debian/patches/CVE-2019-20367.patch1970-01-01 
01:00:00.0 +0100
+++ libbsd-0.9.1/debian/patches/CVE-2019-20367.patch2021-03-03 
12:00:40.0 +0100
@@ -0,0 +1,42 @@
+From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00 2001
+From: Guillem Jover 
+Date: Wed, 7 Aug 2019 22:58:30 +0200
+Subject: [PATCH] nlist: Fix out-of-bounds read on strtab
+
+When doing a string comparison for a symbol name from the string table,
+we should make sure we do a bounded comparison, otherwise a non-NUL
+terminated string might make the code read out-of-bounds.
+
+Warned-by: coverity
+---
+ src/nlist.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/nlist.c b/src/nlist.c
+index 8aa46a2..228c220 100644
+--- a/src/nlist.c
 b/src/nlist.c
+@@ -227,16 +227,18 @@ __fdnlist(int fd, struct nlist *list)
+   symsize -= cc;
+   for (s = 

Bug#976352: transition: libjsoncpp

2020-12-08 Thread Gianfranco Costamagna
Hello,
On Tue, 8 Dec 2020 23:13:07 +0100 Sebastian Ramacher  
wrote:
> Control: forwarded -1 
> https://release.debian.org/transitions/html/auto-libjsoncpp.html
> Control: tags -1 + confirmed
> 
> On 2020-12-08 23:04:05 +0100, Gianfranco Costamagna wrote:
> > Hello again
> > 
> > polybar is now ok too, because of the xcb-proto fix
> > 
> > remaining failures are down to 4, only one without patch and one out from testing.
> > 
> > kopanocore  fail (unrelated: #969297)
> > libseqlib   fail (#976414) forwarded upstream that might be easily patchable
> > spring      fail (#976452 with patch)
> > springlobby fail (#976451 with patch)
> 
> Please go ahead.
> 

done thanks!

G.



Bug#976352: transition: libjsoncpp

2020-12-08 Thread Gianfranco Costamagna
Hello again

polybar is now ok too, because of the xcb-proto fix

remaining failures are down to 4, only one without patch and one out from
testing.

kopanocore  fail (unrelated: #969297)
libseqlib   fail (#976414) forwarded upstream that might be easily patchable
spring      fail (#976452 with patch)
springlobby fail (#976451 with patch)

G.



Bug#976352: transition: libjsoncpp

2020-12-07 Thread Gianfranco Costamagna
On Sat, 5 Dec 2020 12:33:47 +0100 Gianfranco Costamagna 
 wrote:
> After having a look at the failures,
> two of them are gone with new d-shlibs
> 
> Remaining are failing for unrelated stuff, or have patches:
> 
> kopanocore  fail (unrelated: #969297)
> polybar     fail (unrelated: #975795)
> libseqlib   fail (#976414) forwarded upstream that might be easily patchable
> mrpt        fail (#976420) forwarded upstream and it's already being worked on
> open3d      ok (might need one additional build deps due to new qt)
> spring      fail (#976452 with patch)
> springlobby fail (#976451 with patch)
> vtk6        fail (unrelated: #976424 with patch)

mrpt, vtk6, open3d looks ok now

remaining failures:

kopanocore  fail (unrelated: #969297)
polybar     fail (unrelated: #975795)
libseqlib   fail (#976414) forwarded upstream that might be easily patchable
spring      fail (#976452 with patch)
springlobby fail (#976451 with patch)

G.



Bug#976352: transition: libjsoncpp

2020-12-05 Thread Gianfranco Costamagna
After having a look at the failures,
two of them are gone with new d-shlibs

Remaining are failing for unrelated stuff, or have patches:

kopanocore  fail (unrelated: #969297)
polybar     fail (unrelated: #975795)
libseqlib   fail (#976414) forwarded upstream that might be easily patchable
mrpt        fail (#976420) forwarded upstream and it's already being worked on
open3d      ok (might need one additional build deps due to new qt)
spring      fail (#976452 with patch)
springlobby fail (#976451 with patch)
vtk6        fail (unrelated: #976424 with patch)

thanks

Gianfranco



Bug#976352: transition: libjsoncpp

2020-12-04 Thread Gianfranco Costamagna
Of the 44 involved packages, 34 of them are binNMU ok, rebuilds were fine.

Of the remaining 10, 1 is an unrelated FTBFS, one is trivially fixable and the 
other are ongoing.

I'll open bugs with patches in the next few days.

G.

cmake               ok
bamtools            ok
chromium            ok
dublin-traceroute   ok
ignition-fuel-tools ok
iptux               ok
kodi-pvr-argustv    ok
kodi-pvr-hdhomerun  ok
lgogdownloader      ok
libjson-rpc-cpp     ok
libopenshot         ok
minetest            ok
mstflint            ok
oomd                ok
opendht             ok
openvr              ok
openxr-sdk-source   ok
orthanc             ok
ossim               ok
securefs            ok
sysdig              ok
vtk7                ok
vtk9                ok
waybar              ok
ginkgocadx          ok
orthanc-dicomweb    ok
orthanc-gdcm        ok
orthanc-mysql       ok
orthanc-postgresql  ok
orthanc-python      ok
orthanc-webviewer   ok
orthanc-wsi         ok
ring                ok
tvc                 ok
kopanocore          fail (unrelated: #969297)
libseqlib           fail
mrpt                fail (json)
odil                fail
open3d              fail
polybar             fail (unrelated: #975795)
seqtools            fail (dh_shlibs trivial fix)
spring              fail
springlobby         fail
vtk6                fail



Bug#976352: transition: libjsoncpp

2020-12-03 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: transition
Severity: normal

Hello, I would like to finally do this libjsoncpp transition before freeze.
The version in sid has lots of bugs, and it's really outdated.

We have ~30 reverse-dependencies, last time I checked they were all building 
fine, I'm doing test rebuilds again and will update this bug report in a day or 
two with a complete list.

Ben file:

title = "libjsoncpp";
is_affected = .depends ~ "libjsoncpp1" | .depends ~ "libjsoncpp24";
is_good = .depends ~ "libjsoncpp24";
is_bad = .depends ~ "libjsoncpp1";


thanks

Gianfranco



Bug#974649: release.debian.org: new libnifti2 broke runtime (see #968730)

2020-11-13 Thread Gianfranco Costamagna
Package: release.debian.org
Severity: normal

Hello, looks like new libnifti2 changed the runtime library name without 
changing soname (See #968730 for underground issue), so
now reverse-dependencies are having troubles to start without a binNMU.

We might just ask libnifti2 people to restore a symlink for compatibility, but
I think it's better to just binNMU reverse-dependencies and then break old
version to ensure good upgrade paths.

This is the list of stuff that needs binNMUs

reverse-depends -r hirsute -b libnifti-dev
Reverse-Build-Depends
* dicomnifti
* elastix
* fsl
* gifticlib
* insighttoolkit4
* libminc
* mia
* minc-tools
* odin
* xmedcon

thanks

Gianfranco



Bug#941571: buster-pu: package sane-backends/1.0.27-3.2

2020-10-05 Thread Gianfranco Costamagna
control: tags -1 -moreinfo
On Wed, 02 Oct 2019 08:54:06 +0100 "Adam D. Barratt"  
wrote:
> Control: tags -1 + moreinfo
> 
> On 2019-10-02 08:02, Jörg Frings-Fürst wrote:
> > the udev rules missing the group scanner.
> > The new file debian/99-libsane.rules add them.
> 
> This needs to be resolved in unstable first. (The package currently has 
> the same version in stable and unstable, so it cannot be fixed there 
> already.)
> 

now the fix should be in testing.

G.

> Regards,
> 
> Adam
> 
> 



Bug#940995: nmu: ntopng_3.8+dfsg1-2.1

2019-09-23 Thread Gianfranco Costamagna
On Mon, 23 Sep 2019 10:26:42 +0200 Gianfranco Costamagna 
 wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: binnmu
> Severity: normal
> 
> nmu ntopng_3.8+dfsg1-2.1 . armhf . unstable . -m "no change rebuild with an 
> higher version, to avoid same version as stable"
> 
> (current armhf package is getting rejected by dak because of this)
> 
> thanks
> 
> G.
> 

it should be a +b2 version, because +b1 got removed previously

thanks

G.
> 



Bug#940995: nmu: ntopng_3.8+dfsg1-2.1

2019-09-23 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal

nmu ntopng_3.8+dfsg1-2.1 . armhf . unstable . -m "no change rebuild with an 
higher version, to avoid same version as stable"

(current armhf package is getting rejected by dak because of this)

thanks

G.



Bug#904418: transition: json-c

2019-08-08 Thread Gianfranco Costamagna
Hello,
>Please go ahead in unstable.

done!
G.  

Bug#904418: transition: json-c

2019-07-30 Thread Gianfranco Costamagna
Hello,
On Mon, 8 Jul 2019 08:47:19 +0200 Gianfranco Costamagna 
 wrote:
> Hello all,
> 
> > > So yeah 0.12.1-2 should be alright for sid/buster, and 0.13 will have to 
> > > wait
> > > for bullseye after the freeze.
> > 
> > Thank you very much Boyuan  <3
> > 
> > I will have a look in a moment.
> > 
> 
> Hello, I fixed all the failing reverse-dependencies in Ubuntu, and completed 
> the transition
> successfully there (and posted patches on BTS).
> The only remaining issue is syslog-ng on i386 and s390x, but the maintainer 
> is already working on (and we fixed with a patch in Ubuntu)
> I would like to do this one before gcc changes default or something else 
> entangles, it should be a trivial one,
> I plan to NMU as needed.
> 


syslog-ng is now fine.

Can we go ahead?

G.
> thanks
> 
> G.
> 
> 



Bug#904418: transition: json-c

2019-07-08 Thread Gianfranco Costamagna
Hello all,

> > So yeah 0.12.1-2 should be alright for sid/buster, and 0.13 will have to 
> > wait
> > for bullseye after the freeze.
> 
> Thank you very much Boyuan  <3
> 
> I will have a look in a moment.
> 

Hello, I fixed all the failing reverse-dependencies in Ubuntu, and completed 
the transition
successfully there (and posted patches on BTS).
The only remaining issue is syslog-ng on i386 and s390x, but the maintainer is 
already working on (and we fixed with a patch in Ubuntu)
I would like to do this one before gcc changes default or something else 
entangles, it should be a trivial one,
I plan to NMU as needed.

thanks

G.



Bug#929813: unblock: pugixml/1.9-3

2019-05-31 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hello, looks like pugixml has been installing the cmake files into a 
non-standard path:
usr/share/pugixml-dev/cmake
instead of:
/usr/lib/$(DEB_HOST_MULTIARCH)/cmake/pugixml

I fixed that and uploaded in unstable, after a cmake developer pointed this out 
to us.

I also checked, and now the cmake file is correctly parsed.

thanks for caring,

Gianfranco

debdiff:
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+pugixml (1.9-3) unstable; urgency=medium
+
+  * Team upload
+  * Fixup dev package creation, cmake was put in wrong place
+(Closes: #929792)
+
+ -- Gianfranco Costamagna   Fri, 31 May 2019 
13:00:23 +0200
+
 pugixml (1.9-2) unstable; urgency=medium
 
   * Upload to unstable
diff --git a/debian/rules b/debian/rules
index a910c39..0ca135d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -80,7 +80,7 @@ debian/stamp-local-shlibs-$(lib): \
--override s/$(lib)$(major)-dev/$(lib)-dev/ \
--movedev "debian/tmp/usr/include/*" usr/include/ \
--movedev "debian/tmp/usr/lib/*/cmake/pugixml/*" \
-   usr/share/$(lib)-dev/cmake \
+   /usr/lib/$(DEB_HOST_MULTIARCH)/cmake/pugixml \
--movedev "debian/tmp/usr/lib/pkgconfig/*" \
usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig \
debian/tmp/usr/lib/*/$(lib).so
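Review bot: The new --movedev destination `/usr/lib/$(DEB_HOST_MULTIARCH)/cmake/pugixml` starts with a slash, while the neighbouring destinations in the same call (`usr/include/` and `usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig`) are relative. Drop the leading slash so all three are written the same way, and check the contents of the built -dev package to confirm the cmake files land in the multiarch cmake directory.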



Bug#926630: unblock: libpng1.6/1.6.36-6

2019-04-08 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package libpng1.6

Finally, the arm issue we are facing since a lot of time (upstream had a look, 
to understand if the failing test
was a real bug or a testsuite one, and now it seems to be a real missing free 
in the code).

Previously, to let the package migrate, I uncommented part of the upstream fix, 
because it was making the test pass on arm*.

Now, with this updated and fixed approach, I have been able to:
1) uncomment the 70d122aac42933ab8a708c538f973c3307853212 (this fix was needed 
but was making things worse, now with the followup
commits it works again)
2) add  82ae623ec9bc3cb5c68aad22596a766e86d593b7 and 
a627bd26a375f5c41d54f90a47c838157d1bec97, the two proper fixes for this issue
3) comment 272 proposed patch, this is now superseded by the above.

I also tweaked the patch description for the CVE fix, so we have a link to the 
upstream commit that merged it.
I also took the possibility to update the maintainers list to fix bug 925014

debdiff attached

thanks for caring,

unblock libpng1.6/1.6.36-6

diff -Nru libpng1.6-1.6.36/debian/changelog libpng1.6-1.6.36/debian/changelog
--- libpng1.6-1.6.36/debian/changelog   2019-02-05 12:54:50.0 +0100
+++ libpng1.6-1.6.36/debian/changelog   2019-04-08 10:55:25.0 +0200
@@ -1,3 +1,21 @@
+libpng1.6 (1.6.36-6) unstable; urgency=medium
+
+  * Upload to unstable
+
+ -- Gianfranco Costamagna   Mon, 08 Apr 2019 
10:55:25 +0200
+
+libpng1.6 (1.6.36-5exp1) experimental; urgency=medium
+
+  * Drop Anibal from uploaders list,
+thank you for your nice work! (Closes: #925014)
+  * Update copyright years.
+  * Drop patch 272.patch, superseeded by upstream commits:
+70d122aac42933ab8a708c538f973c3307853212.patch (uncommented)
+82ae623ec9bc3cb5c68aad22596a766e86d593b7.patch
+a627bd26a375f5c41d54f90a47c838157d1bec97.patch
+
+ -- Gianfranco Costamagna   Wed, 20 Mar 2019 
11:58:35 +0100
+
 libpng1.6 (1.6.36-5) unstable; urgency=medium
 
   * Tweak old 272 patch to add the only relevant part of commit
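Review bot: The 1.6.36-5exp1 entry says `Drop patch 272.patch`, but the request text describes step 3 as commenting the patch out. State in the changelog which of the two was done (file removed from debian/patches, or only disabled in the series file). The same bullet has a typo: `superseeded` should be `superseded`.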
@@ -11,7 +29,7 @@
 
   * debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch,
 debian/patches/8439534daa1d3a5705ba92e653eda9251246dd61.patch:
-- new fixes for arm64 and general test failures (and leaks) 
+- new fixes for arm64 and general test failures (and leaks)
   * debian/patches/CVE-2019-7317.patch:
 - fix for CVE 2019-7317 (Closes: #921355)
   Thanks Salvatore Bonaccorso for your report!
diff -Nru libpng1.6-1.6.36/debian/control libpng1.6-1.6.36/debian/control
--- libpng1.6-1.6.36/debian/control 2019-01-15 09:59:23.0 +0100
+++ libpng1.6-1.6.36/debian/control 2019-04-08 10:55:25.0 +0200
@@ -1,7 +1,7 @@
 Source: libpng1.6
 Section: libs
 Priority: optional
-Maintainer: Anibal Monsalve Salazar 
+Maintainer: Maintainers of libpng1.6 packages 
 Uploaders: Nobuhiro Iwamatsu ,
Gianfranco Costamagna ,
Tobias Frost 
diff -Nru libpng1.6-1.6.36/debian/copyright libpng1.6-1.6.36/debian/copyright
--- libpng1.6-1.6.36/debian/copyright   2019-01-15 09:59:23.0 +0100
+++ libpng1.6-1.6.36/debian/copyright   2019-04-08 09:58:28.0 +0200
@@ -3,8 +3,9 @@
 Source: http://www.libpng.org/pub/png/
 
 Files: *
-Copyright: 1998-2018 Glenn Randers-Pehrson
-   2018 Cosmin Truta
+Copyright: 1995-2019 The PNG Reference Library Authors.
+   1998-2018 Glenn Randers-Pehrson
+   2018-2019 Cosmin Truta
 License: libpng
 
 Files: arm/arm_init.c
diff -Nru 
libpng1.6-1.6.36/debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch 
libpng1.6-1.6.36/debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch
--- 
libpng1.6-1.6.36/debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch  
2019-02-05 12:54:50.0 +0100
+++ 
libpng1.6-1.6.36/debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch  
2019-04-08 10:08:21.0 +0200
@@ -149,23 +149,23 @@
   * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
   * Copyright (c) 1996-1997 Andreas Dilger
   * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
-#@@ -1079,6 +1079,12 @@
-#png_ptr->chunk_list = NULL;
-# #endif
-# 
-#+#if defined(PNG_READ_EXPAND_SUPPORTED) && \
-#+defined(PNG_ARM_NEON_IMPLEMENTATION)
-#+   png_free(png_ptr, png_ptr->riffled_palette);
-#+   png_ptr->riffled_palette = NULL;
-#+#endif
-#+
-#/* NOTE: the 'setjmp' buffer may still be allocated and the memory and 
error
-# * callbacks are still set at this point.  They are required to complete 
the
-# * destruction of the png_struct itself.
-Index: libpng1.6/pngrtran.c
-===
 libpng1.6.orig/pngrtran.c
-+++ libpng1.6/pngrtran.c
+@@ -1075,6 +1075,12 @@
+png_ptr->chunk_list = NULL;
+ #endif
+ 
++#if defined(PNG_READ_EXPAND_SUPPORTED) && \
++defined

Bug#924124: unblock: virtualbox/6.0.4-dfsg-7

2019-03-11 Thread Gianfranco Costamagna
control: retitle -1 unblock: virtualbox/6.0.4-dfsg-7

I had to add a new patch for the guest tools, following removals of ttm structs

https://github.com/torvalds/linux/commit/a64f784bb14a56bfdfad2dc397dd67e4564e3a29
and 
https://github.com/torvalds/linux/commit/2bb42410b1bd324912389c6ac748df1c1befd69f

and I added the previous missing changelog entry.

Please unblock virtualbox/6.0.4-dfsg-7

thanks

Gianfranco



Bug#924124: unblock: virtualbox/6.0.4-dfsg-6

2019-03-10 Thread Gianfranco Costamagna
Control: tag -1 -moreinfo

>> > - Added a Security.Debian.news file (or whatever is called), asked by 
>> > security team
>> 
>> Not mentioned in changelog.


sorry for that, I forgot to run gbp dch before committing, so the git history 
didn't get fully reflected in changelog

>> > - added a two line build fix for kernel 5.0
>> 
>> Not relevant for buster.

while you are right, it is not useless because people like to try new kernels 
on stable releases, and having this fix would
make their lives better.
(there is a vbox-source that can make it work with module-assistant, but since 
this is just a one-line build fix, I think
this should be in)

>> > - dropped a non-used patch.
>> 
>> Not mentioned in changelog.
>> 
>> (I am not very impressed by this.)

this one was intentional, I need it for backports, and I don't need for 
unstable.
I still don't know if it is better to keep it commented, or just leave it out 
in a different git branch.
In any case it shouldn't be something the end user should care.

Opinion on how to proceed? Should I reupload a no-change fixed changelog (I 
think not)

let me know your best opinion, thanks!

Gianfranco



Bug#924124: unblock: virtualbox/6.0.4-dfsg-6

2019-03-09 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package virtualbox

- Added a Security.Debian.news file (or whatever is called), asked by security 
team
- added a two line build fix for kernel 5.0
- dropped a non-used patch.

debdiff attached.

unblock virtualbox/6.0.4-dfsg-6
diff --git a/debian/README.Debian.security b/debian/README.Debian.security
new file mode 100644
index 0..f64508dca
--- /dev/null
+++ b/debian/README.Debian.security
@@ -0,0 +1,7 @@
+Virtualbox package is in contrib, and upstream refuses to give patches for 
security bugs.
+Their attitude is to update to the latest version, something not feasible for 
stable
+releases, specially when the minor releases of a particular major version are 
not
+published anymore.
+For this reason, virtualbox might not be covered by security.debian.org 
support,
+nor by stable-proposed-updates in case the maintaining is impossible due to
+lack of upstream support.
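Review bot: nothing in the visible debdiff installs debian/README.Debian.security (no docs or install file is touched), so confirm it actually ends up in the binary package's doc directory. The wording would also read better as "if maintenance becomes impossible" in place of "in case the maintaining is impossible", with the upstream name spelled "VirtualBox".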
diff --git a/debian/changelog b/debian/changelog
index 99021d52c..c3f155286 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+virtualbox (6.0.4-dfsg-6) unstable; urgency=medium
+
+  * Upstream build fix with kernel 5.0 (LP: #1813071)
+
+ -- Gianfranco Costamagna   Sat, 09 Mar 2019 
13:50:34 +0100
+
 virtualbox (6.0.4-dfsg-5) unstable; urgency=medium
 
   * Tweak java patch with upstream approach
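Review bot: the new 6.0.4-dfsg-6 changelog entry records only the kernel 5.0 build fix, while the same debdiff also adds debian/README.Debian.security and deletes debian/patches/fix-backports.patch. Each of those needs its own bullet so the upload can be reviewed against the changelog alone.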
diff --git a/debian/patches/77542.patch b/debian/patches/77542.patch
new file mode 100644
index 0..7f97cd7da
--- /dev/null
+++ b/debian/patches/77542.patch
@@ -0,0 +1,17 @@
+Description: fix build with kernel 5.0
+Origin: upstream
+Index: virtualbox/src/VBox/Additions/linux/sharedfolders/vfsmod.c
+===
+--- virtualbox.orig/src/VBox/Additions/linux/sharedfolders/vfsmod.c
 virtualbox/src/VBox/Additions/linux/sharedfolders/vfsmod.c
+@@ -40,7 +40,9 @@
+ #include "revision-generated.h"
+ #include "product-generated.h"
+ #include "VBoxGuestR0LibInternal.h"
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
++# include  /* for MS_REMOUNT */
++#elif LINUX_VERSION_CODE < KERNEL_VERSION(3, 3, 0)
+ # include 
+ #endif
+ #include 
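Review bot: the patch header gives "Origin: upstream" with no changeset or URL, so the fix cannot be traced back to its source from the patch alone. Add the upstream reference after "Origin: upstream," and a bug line for the LP: #1813071 report that the changelog cites. The "Description:" could also say that the kernel >= 5.0 branch pulls in a header for MS_REMOUNT, as the inline comment does.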
diff --git a/debian/patches/fix-backports.patch 
b/debian/patches/fix-backports.patch
deleted file mode 100644
index 43d97638b..0
--- a/debian/patches/fix-backports.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Description: We should not just don't care about security issues, but this 
needs fixes in gsoap(stable)
-Author: Gianfranco Costamagna 
-Last-Update: 2019-01-17
-
-Index: virtualbox/src/VBox/Main/webservice/vboxweb.cpp
-===
 virtualbox.orig/src/VBox/Main/webservice/vboxweb.cpp
-+++ virtualbox/src/VBox/Main/webservice/vboxweb.cpp
-@@ -616,11 +616,13 @@
- // keepalive, otherwise stale connections tie up worker threads.
- m_soap->send_timeout = 60;
- m_soap->recv_timeout = 60;
-+#if GSOAP_VERSION >= 20850
- // Limit the maximum SOAP request size to a generous amount, just to
- // be on the safe side (SOAP is quite wordy when representing arrays,
- // and some API uses need to deal with large arrays). Good that binary
- // data is no longer represented by byte arrays...
- m_soap->recv_maxlength = _16M;
-+#endif
- // process the request; this goes into the COM code in methodmaps.cpp
- do {
- #ifdef WITH_OPENSSL
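Review bot: deleting this patch removes the "#if GSOAP_VERSION >= 20850" guard, so "m_soap->recv_maxlength = _16M;" is compiled unconditionally again. That keeps the SOAP request size limit in place, which is the safer outcome, but it depends on the gsoap in the target suite providing recv_maxlength. The changelog should state the removal and the reason, and the patch's own description (a gsoap fix still needed in stable) suggests keeping it on the backports branch rather than losing it from history.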
diff --git a/debian/patches/series b/debian/patches/series
index 71127fc9e..6f0774885 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@
 do-not-run-if-not-in-vm.patch
 77040.patch
 java11-upstream.patch
+77542.patch


Bug#911580: [britney2] missing trigger with breaks relationship

2018-11-10 Thread Gianfranco Costamagna
 Hello,
>Out of curiosity: I couldn't spot the virtualbox-5.2 package in the
>archive, what are you trying to achieve with having that as alternative?
>Is that to support upstream binaries or something like that?

yes, exactly the upstream version.
G.

 

Bug#906239: stretch-pu: package libb2/0.97-2+deb9u1

2018-11-06 Thread Gianfranco Costamagna
On Thu, 01 Nov 2018 20:35:10 + "Adam D. Barratt"  
wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2018-08-15 at 22:41 +0200, Gianfranco Costamagna wrote:
> > The library has a serious issue in stable, because it tries to use
> > AVX without knowing if it is available or not.
> 
> It's "normal" according to the BTS. :-p
> 
> Please go ahead; sorry for the delay.
> 

uploaded, thanks!

G.
> Regards,
> 
> Adam
> 
> 



Bug#911580: [britney2] missing trigger with breaks relationship

2018-10-22 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: britney
Severity: normal

As said, britney fails to add the appropriate trigger for virtualbox
when a major release is out, and for this reason the ext-pack fails to
install reliably on ci.d.o without additional manual triggers.

"virtualbox (>= 5.2.20-dfsg-0~) | virtualbox-5.2,  virtualbox (<< 
5.2.20-dfsg-z) | virtualbox-5.2"

should be a valid relationship.

thanks for having a look,

Gianfranco



Bug#907679: please link key_packages.yaml.cgi from release.debian.org

2018-08-31 Thread Gianfranco Costamagna
Package: release.debian.org
Severity: normal

As said, I find difficult to google for "debian key packages", and that
udd page is not really shown on documentation, as jmm suggests, better
have a link on release.debian.org, pointing to
https://udd.debian.org/cgi-bin/key_packages.yaml.cgi

thanks for caring

Gianfranco



Bug#906239: stretch-pu: package libb2/0.97-2+deb9u1

2018-08-15 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

The library has a serious issue in stable, because it tries to use AVX
without knowing if it is available or not.

The patch comes from upstream, and is part already of
sid/buster/stretch-bpo.
the full upstream analysis can be seen there:

https://github.com/BLAKE2/libb2/issues/13

Please accept the attached patch if possible.

diff -Nru libb2-0.97/debian/changelog libb2-0.97/debian/changelog
--- libb2-0.97/debian/changelog 2015-10-28 17:23:28.0 +0100
+++ libb2-0.97/debian/changelog 2018-08-15 22:33:56.0 +0200
@@ -1,3 +1,11 @@
+libb2 (0.97-2+deb9u1) stretch; urgency=medium
+
+  * debian/patches/60ea749837362c226e8501718f505ab138e5c19d.patch:
+detect if the system can use AVX before actually using it
+(Closes: #884958)
+
+ -- Gianfranco Costamagna   Wed, 15 Aug 2018 
22:33:56 +0200
+
 libb2 (0.97-2) unstable; urgency=medium
 
   * debian/control: Point Vcs-Git at Alioth repo
diff -Nru 
libb2-0.97/debian/patches/60ea749837362c226e8501718f505ab138e5c19d.patch 
libb2-0.97/debian/patches/60ea749837362c226e8501718f505ab138e5c19d.patch
--- libb2-0.97/debian/patches/60ea749837362c226e8501718f505ab138e5c19d.patch
1970-01-01 01:00:00.0 +0100
+++ libb2-0.97/debian/patches/60ea749837362c226e8501718f505ab138e5c19d.patch
2018-08-15 22:33:56.0 +0200
@@ -0,0 +1,47 @@
+From 60ea749837362c226e8501718f505ab138e5c19d Mon Sep 17 00:00:00 2001
+From: Samuel Neves 
+Date: Mon, 25 Dec 2017 12:34:30 +
+Subject: [PATCH] detect whether the operating system can use AVX
+
+---
+ src/blake2-dispatch.c | 19 ++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/blake2-dispatch.c b/src/blake2-dispatch.c
+index 2b1ccc8..96bb340 100644
+--- a/src/blake2-dispatch.c
 b/src/blake2-dispatch.c
+@@ -63,6 +63,18 @@ static inline void cpuid( uint32_t *eax, uint32_t *ebx, 
uint32_t *ecx, uint32_t
+ : "=a"( *eax ), "=b"( *ebx ), "=c"( *ecx ), "=d"( *edx ) : "a"( *eax ) );
+ #endif
+ }
++
++static inline uint64_t xgetbv(uint32_t xcr)
++{
++  uint32_t a, d;
++  __asm__ __volatile__(
++"xgetbv"
++:  "=a"(a),"=d"(d)
++: "c"(xcr)
++  );
++  return ((uint64_t)d << 32) | a;
++}
++
+ #elif defined(_MSC_VER)
+ #include 
+ static inline void cpuid( uint32_t *eax, uint32_t *ebx, uint32_t *ecx, 
uint32_t *edx )
+@@ -106,8 +118,13 @@ static inline cpu_feature_t get_cpu_features( void )
+   if( IsProcessorFeaturePresent(17) ) /* Some environments don't know about 
PF_XSAVE_ENABLED */
+ #endif
+   {
+-if( 1 & ( ecx >> 28 ) )
++/* check for AVX and OSXSAVE bits */
++if( 1 & ( ecx >> 28 ) & (ecx >> 27) ) {
++#if !defined(WIN32) /* Already checked for this in WIN32 */
++if( (xgetbv(0) & 6) == 6 ) /* XCR0 */
++#endif
+   feature = AVX;
++}
+ 
+ 
+ eax = 0x8001;
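Review bot: in get_cpu_features the test "1 & ( ecx >> 28 ) & (ecx >> 27)" is correct only because the leading "1 &" reduces both shifted values to bit 0. Writing the AVX (bit 28) and OSXSAVE (bit 27) requirement with explicit masks would make the intent reviewable at a glance. The guard around the xgetbv(0) call tests WIN32, while the code above selects the Windows implementation with _MSC_VER; since xgetbv is defined only in the branch before "#elif defined(_MSC_VER)", a Windows build that does not define WIN32 would reference an undefined function, so the guard should use the same macro as the branch that defines it. The "xgetbv" mnemonic also assumes an assembler that knows the instruction.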
diff -Nru libb2-0.97/debian/patches/series libb2-0.97/debian/patches/series
--- libb2-0.97/debian/patches/series1970-01-01 01:00:00.0 +0100
+++ libb2-0.97/debian/patches/series2018-08-15 22:33:56.0 +0200
@@ -0,0 +1 @@
+60ea749837362c226e8501718f505ab138e5c19d.patch

Bug#831459: jessie-pu: package virtualbox-guest-additions-iso

2018-06-14 Thread Gianfranco Costamagna
On Wed, 13 Jun 2018 20:52:32 +0100 "Adam D. Barratt"  
wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2016-09-29 at 17:45 +0100, Adam D. Barratt wrote:
> > On 2016-09-29 14:37, Gianfranco Costamagna wrote:
> > > control: tags -1 -moreinfo
> > > > (I'm not removing moreinfo tag)
> > > 
> > > removing it now.
> > 
> > fwiw the mail you're replying to does not appear to have made it to 
> > debian-release.
> > 
> 
> If you're still interested in getting this updated in jessie before it
> becomes LTS, please go ahead, bearing in mind the time constraints.
> 

on my way

G.
> Regards,
> 
> Adam
> 
> 



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2018-06-14 Thread Gianfranco Costamagna
Hello Adam,

On Wed, 13 Jun 2018 21:22:50 +0100 "Adam D. Barratt"  
wrote:
> Control: tags -1 -moreinfo
> 
> On Thu, 2017-01-05 at 20:06 +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote:
> > 
> > > Request for uploading to stable, as there is posted a CVE for a bug
> > > in mactelnet-client.
> > > This update is a backport of the fix that is done upstream, that
> > > fixes only the mentioned bug.
> > > 
> > > More information here: https://security-tracker.debian.org/tracker/CVE-2016-7115
> > > and here: https://bugs.debian.org/836320
> > 
> > +mactelnet (0.4.0-2) stable; urgency=low
> > 
> > The version should be 0.4.0-1+deb8u1. With that change, please go
> > ahead.
> > 
> 
> And the distribution should be "jessie". If this is still of interest,
> please upload *soon*.
> 


done!

G.

> Regards,
> 
> Adam
> 
> 



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2018-05-09 Thread Gianfranco Costamagna
Hello Adam,

On Sat, 12 Aug 2017 10:16:06 -0400 "Adam D. Barratt" <a...@adam-barratt.org.uk> 
wrote:
> On Thu, 2017-01-12 at 14:26 +0100, Gianfranco Costamagna wrote:
> > Control: tags -1 - confirmed
> > Control: tags -1 + moreinfo
> [...]
> > while the version is good, we need some more changes according to the CVE 
> > fix in github [1]
> > 
> > so I'm removing the confirmed tag and adding moreinfo, haakon please fix 
> > and remove moreinfo once done.
> > 
> > thanks
> > 
> > G.
> > 
> > [1] 
> > https://github.com/haakonnessjoen/MAC-Telnet/commit/b69d11727d4f0f8cf719c79e3fb700f55ca03e9a
> 
> What's the status of this?

I think we might be good with the previous patch version, backporting that 
upstream commit is really invasive, because the underlying
code has changed too much in the meanwhile.

sorry for the delay, I tried to cherry-pick rebase a lot of stuff, but I failed.

So, probably better an incomplete but working patch than none...

G.

> 
> Regards,
> 
> Adam
> 
> 
> 



Bug#886146: stretch-pu: package sqlcipher/3.2.0-2+deb9u1

2018-04-18 Thread Gianfranco Costamagna

> It'd be better for it to be fixed with a version, rather than imply it's
> invalid.

Changed that to reflect that the version that fixed it is: 3.4.1-1
> 
> Can you please also describe what if any testing was done on the
> proposed update, and why this breakage wasn't caught before release?

this has been explained in this bug, message 29, do you think it is enough or
do you want any more testing? (also testing has been performed in 863530#25 )

maybe the bug hasn't been caught before release because people using sql stuff 
prefer
to use stable and not testing? :)

thanks!

Gianfranco



Bug#886146: stretch-pu: package sqlcipher/3.2.0-2+deb9u1

2018-03-15 Thread Gianfranco Costamagna
Control: tag -1 - moreinfo
On Sat, 10 Feb 2018 11:48:12 +0100 Julien Cristau <jcris...@debian.org> wrote:
> Control: tag -1 moreinfo
> 
> On Tue, Jan  2, 2018 at 17:59:07 +0100, Gianfranco Costamagna wrote:
> 
> > +sqlcipher (3.2.0-2+deb9u1) stretch; urgency=medium
> > +
> > +  [ Philipp Berger ]
> > +  * Fixup previous patch, to avoid a crash when opening file
> > +(Closes: #863530)
> > +
> 
> That bug is still open, implying it still affects sid?
> 

I closed it, that patch comes from the new release, actually part of sid/buster

sorry for not closing it in advance

G.



signature.asc
Description: OpenPGP digital signature


Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-14 Thread Gianfranco Costamagna
Hello,
>This is. :-)


thanks and sorry for using it in the wrong way!
G.



Bug#885027: stretch-pu: package mosquitto/1.4.10-3+deb9u1

2018-02-14 Thread Gianfranco Costamagna
control: tags -1 pending
On Sat, 10 Feb 2018 14:47:51 + Holger Levsen  wrote:
> On Sat, Feb 10, 2018 at 01:39:12PM +, Roger Light wrote:
> > I'm neither a DD nor a DM, should I just get my normal sponsor to
> > upload or if not then who?
> 
> yes, ask your usual sponsor to upload.
> 

doing it in a few minutes

G.





Bug#888751: gdbm: bumping severity, transition has started

2018-01-31 Thread Gianfranco Costamagna
control: severity 888752 serious
control: severity 888753 serious
control: severity 888754 serious

Hello, the fun has started.

slgdbm started failing with 1.14.1 but not with 1.13, and this is the only 
regression I spotted
in the complete rebuild test I did today.

This is a QA package, and the reason is the change from gdbm_errno to 
gdbm_errno_location.
I prepared a patch and I'll upload it as soon as it starts building.

thanks

Gianfranco





Bug#888751: transition: gdbm

2018-01-31 Thread Gianfranco Costamagna

>Let's do this.


I'm rebuilding against 1.14.1, will upload to unstable in a few hours and raise 
bug reports to serious,
in case nothing appears.

G.



Bug#888751: transition: gdbm

2018-01-29 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: transition
Severity: normal

Hello Release team, I think it is time to do the transition.
(KAction is MIA now, I prefer to not delay it any longer)

Affected packages:
am-utils
apr-util
clisp
courier-authlib
couriergrey
elk
gauche
gnarwl
gnu-smalltalk
ifmail
librep
magicrescue
man-db
metview
mit-scheme
modem-manager-gui
nis
pam-shield
perdition
perl
pypy
python-stdlib-extensions
python3-stdlib-extensions
ruby2.3
ruby2.5
sjeng
slgdbm
sortmail
avahi
courier
freeradius
fsvs
lighttpd
maildrop
qsf
pike7.8


Bad packages:
ifmail/sortmail -> patch (adding the compat package to depends)
pike7.8 -> patch (cherry-pick from pike8.0 the build fix, undef an already 
defined variable)

clisp -> fix available in gdbm 1.14.1 (currently in binNEW).

I'll push for gdbm 1.14 once it clears new and I get an ack (rebuilds against 
the new release are ongoing, nothing should
have been changed looking at the diff)

I'm opening right now the bugs for ifmail, sortmail and pike7.8, blocking this 
one.

Ben file not needed, the auto-tracker seems to be fine

Gianfranco





Bug#886146: stretch-pu: package sqlcipher/3.2.0-2+deb9u1

2018-01-02 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hello, I request an update to fix segfaults for sqlcipher, due to 
wrong/incomplete openssl patch

summary of the changes is here (and debdiff attached)


+sqlcipher (3.2.0-2+deb9u1) stretch; urgency=medium
+
+  [ Philipp Berger ]
+  * Fixup previous patch, to avoid a crash when opening file
+(Closes: #863530)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Sat, 02 Dec 2017 
11:24:26 +0100
+

thanks!

Gianfranco
diff -Nru sqlcipher-3.2.0/debian/changelog sqlcipher-3.2.0/debian/changelog
--- sqlcipher-3.2.0/debian/changelog2016-12-23 11:00:19.0 +0100
+++ sqlcipher-3.2.0/debian/changelog2017-12-02 11:24:26.0 +0100
@@ -1,3 +1,11 @@
+sqlcipher (3.2.0-2+deb9u1) stretch; urgency=medium
+
+  [ Philipp Berger ]
+  * Fixup previous patch, to avoid a crash when opening file
+(Closes: #863530)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Sat, 02 Dec 2017 
11:24:26 +0100
+
 sqlcipher (3.2.0-2) unstable; urgency=medium
 
   * support building with openssl 1.1 (Closes: #828555)
diff -Nru sqlcipher-3.2.0/debian/patches/33-openssl_1.1.patch 
sqlcipher-3.2.0/debian/patches/33-openssl_1.1.patch
--- sqlcipher-3.2.0/debian/patches/33-openssl_1.1.patch 2016-12-23 
10:59:43.0 +0100
+++ sqlcipher-3.2.0/debian/patches/33-openssl_1.1.patch 2017-12-02 
11:24:15.0 +0100
@@ -1,14 +1,23 @@
 --- a/src/crypto_openssl.c
 +++ b/src/crypto_openssl.c
-@@ -155,14 +155,24 @@
+@@ -109,6 +109,8 @@
+is called by SQLCipher internally. This should prevent SQLCipher from 
+"cleaning up" openssl when it was initialized externally by the 
program */
+   EVP_cleanup();
++} else {
++  openssl_external_init = 0;
+ }
+ #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
+ sqlite3_mutex_free(openssl_rand_mutex);
+@@ -143,14 +145,24 @@
  }
  
  static int sqlcipher_openssl_hmac(void *ctx, unsigned char *hmac_key, int 
key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned 
char *out) {
 -  HMAC_CTX hctx;
unsigned int outlen;
 +#if OPENSSL_VERSION_NUMBER >= 0x1011L
-+  HMAC_CTX *hctx;
-+  hctx = HMAC_CTX_new();
++  HMAC_CTX* hctx = HMAC_CTX_new();
++  if(hctx == NULL) return SQLITE_ERROR;
 +  HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha1(), NULL);
 +  HMAC_Update(hctx, in, in_sz);
 +  HMAC_Update(hctx, in2, in2_sz);
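Review bot: the added "if(hctx == NULL) return SQLITE_ERROR;" covers allocation failure in sqlcipher_openssl_hmac, but the HMAC_Init_ex and HMAC_Update calls that follow still have their return values ignored, so a failed HMAC computation is not reported to the caller. Since this update already touches the error handling, check those results and return SQLITE_ERROR (after freeing hctx) on failure.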
@@ -26,7 +35,7 @@
return SQLITE_OK; 
  }
  
-@@ -172,9 +182,23 @@
+@@ -160,9 +172,23 @@
  }
  
  static int sqlcipher_openssl_cipher(void *ctx, int mode, unsigned char *key, 
int key_sz, unsigned char *iv, unsigned char *in, int in_sz, unsigned char 
*out) {
@@ -34,15 +43,15 @@
int tmp_csz, csz;
   
 +#if OPENSSL_VERSION_NUMBER >= 0x1011L
-+  EVP_CIPHER_CTX *ectx;
-+  ectx = EVP_CIPHER_CTX_new();
-+  EVP_CipherInit(ectx, ((openssl_ctx *)ctx)->evp_cipher, NULL, NULL, mode);
++  EVP_CIPHER_CTX* ectx = EVP_CIPHER_CTX_new();
++  if(ectx == NULL) return SQLITE_ERROR;
++  EVP_CipherInit_ex(ectx, ((openssl_ctx *)ctx)->evp_cipher, NULL, NULL, NULL, 
mode);
 +  EVP_CIPHER_CTX_set_padding(ectx, 0); // no padding
-+  EVP_CipherInit(ectx, NULL, key, iv, mode);
++  EVP_CipherInit_ex(ectx, NULL, NULL, key, iv, mode);
 +  EVP_CipherUpdate(ectx, out, _csz, in, in_sz);
 +  csz = tmp_csz;  
 +  out += tmp_csz;
-+  EVP_CipherFinal(ectx, out, _csz);
++  EVP_CipherFinal_ex(ectx, out, _csz);
 +  csz += tmp_csz;
 +  EVP_CIPHER_CTX_free(ectx);
 +
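Review bot: in sqlcipher_openssl_cipher the switch to EVP_CipherInit_ex and EVP_CipherFinal_ex plus the NULL check on EVP_CIPHER_CTX_new() is the right direction, but none of the EVP_CipherInit_ex, EVP_CipherUpdate or EVP_CipherFinal_ex results are checked. A failed encrypt or decrypt would therefore leave csz and the output buffer in an undefined state without the caller being told. Test each call and return SQLITE_ERROR after EVP_CIPHER_CTX_free(ectx) when one fails.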
@@ -51,7 +60,7 @@
EVP_CipherInit(, ((openssl_ctx *)ctx)->evp_cipher, NULL, NULL, mode);
EVP_CIPHER_CTX_set_padding(, 0); // no padding
EVP_CipherInit(, NULL, key, iv, mode);
-@@ -184,7 +208,9 @@
+@@ -172,14 +198,19 @@
EVP_CipherFinal(, out, _csz);
csz += tmp_csz;
EVP_CIPHER_CTX_cleanup();
@@ -61,3 +70,15 @@
return SQLITE_OK; 
  }
  
+ static int sqlcipher_openssl_set_cipher(void *ctx, const char *cipher_name) {
+   openssl_ctx *o_ctx = (openssl_ctx *)ctx;
+-  o_ctx->evp_cipher = (EVP_CIPHER *) EVP_get_cipherbyname(cipher_name);
+-  return SQLITE_OK;
++  EVP_CIPHER* cipher = (EVP_CIPHER *) EVP_get_cipherbyname(cipher_name);
++  if(cipher != NULL) {
++o_ctx->evp_cipher = cipher;
++  }
++  return cipher != NULL ? SQLITE_OK : SQLITE_ERROR;
+ }
+ 
+ static const char* sqlcipher_openssl_get_cipher(void *ctx) {
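Review bot: sqlcipher_openssl_set_cipher now returns SQLITE_ERROR for an unknown cipher name and leaves the previous o_ctx->evp_cipher in place, which is a behaviour change beyond the "avoid a crash when opening file" wording in the changelog and deserves a mention there. The "(EVP_CIPHER *)" cast on EVP_get_cipherbyname() also discards the const qualifier of the returned pointer; keeping the local as "const EVP_CIPHER *" would avoid the cast if the struct field allows it.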




Bug#852849: jessie-pu: package keyringer/0.3.7-1

2017-11-30 Thread Gianfranco Costamagna

> Please go ahead.
> 
ok uploaded.

G.





Bug#877168: transition: ldc

2017-11-07 Thread Gianfranco Costamagna
On Tue, 7 Nov 2017 02:02:30 +0100 Matthias Klumpp  wrote:
> Hi!
> 
> 2017-10-04 13:36 GMT+02:00 Matthias Klumpp :
> > 2017-10-04 9:39 GMT+02:00 Emilio Pozuelo Monfort :
> >> [...]
> > Thank you!
> > Both issues are reported upstream:
> > ppc64el: https://github.com/ldc-developers/ldc/issues/2356
> > sambamba assert: https://github.com/ldc-developers/ldc/issues/2357
> 
> Just a quick heads up: There is a new version of LDC soon in unstable
> that will fix at least the Sambamba issue, and maybe (hopefully?) also
> the ppc64el issue.
> This will restart this transition though - unstable ABIs are a lot of fun...
> 

please update the tracker 74 -> 75

thanks

G.





Re: Bug#868558: Would you please not upload new r-* packages until transition is finalised (Re: r-api-3.4)

2017-10-12 Thread Gianfranco Costamagna
Hello Dirk,

>The "tag" you kids you badly wanted was introduced with 3.4.2, and hence as a
>test with the to-be-replaced-anyway 3.4.1.20170921.
>
>In short, you seem to not really know what you're talking about.  But at
>least you make up for in volume.
>
>No, I played along as maintainer of r-base when my still-simpler approach was
>rejected.  The transition was argued for, and then handled, by other people.
>That is still not "my transition".


I did play *no* role in this transition, so the "you" can't really be referred
to me :)

but reading this bug report (with zero knowledge on the topic) seems to bring 
the
idea that the whole world (at least the part participating in this thread), has 
a different
opinion than you.

Not sure who is correct, if you or the rest of the world, and honestly I don't 
care.
Uploading stuff when the transition is finishing is just useless and disturbing 
for
everybody.

If you care about your end users you should care about making r-base migrate, 
not
trying to make things harder for Release Team.

thanks for understanding,

(I refrained many times from taking part in this discussion, and I won't take 
part anymore from this post,
you are taking everything personally, and I really don't care about who is 
right and who is wrong,
I care about buster and nothing more)

G.



Re: Bug#868558: Would you please not upload new r-* packages until transition is finalised (Re: r-api-3.4)

2017-10-12 Thread Gianfranco Costamagna
Hello,

>s/you/Seb/   to make it correct.  Not my transition at all.

who-uploads r-base
Uploads for r-base:
3.4.2-1 to unstable: Dirk Eddelbuettel 
3.4.1.20170921-1 to unstable: Dirk Eddelbuettel 
3.4.1-2 to unstable: Dirk Eddelbuettel 

yes, I would say this is *your* transition.
You tried your best to make it go in testing (even if you seem to be trying to 
hide it), and once you got
the ack you continued to do uploads, delaying it and forcing Release Team to 
urgent packages with zero
day delays.

Waiting some more days would have made people happier, and things better (e.g. 
packages migrating with some
testing instead of forcing them).

just my .02$

(I keep the opportunity to also close this shameful bug).

G.





Bug#869414: package smplayer/16.11.0~ds0-1+deb9u1

2017-08-09 Thread Gianfranco Costamagna

>What about #870233, sounds like a good opportunity to fix that along?


it was really too late for that one :)

Mateusz, can you please prepare an update in case you want it fixed?

G.



Bug#869414: package smplayer/16.11.0~ds0-1+deb9u1

2017-08-06 Thread Gianfranco Costamagna
On Sun, 6 Aug 2017 13:40:28 +0100 Jonathan Wiltshire  wrote:
> Control: tag -1 confirmed

uploaded.

G.





Bug#869762: NMU: libundead_1.0.6-2 . ANY . -m "Rebuild against new ldc"

2017-07-26 Thread Gianfranco Costamagna


>Adding ldc to depends would be cheap - but how to switch to shared
>versions?  I did the package with the help of Debian D team and
>have no idea how to do this.


I have no idea too :)

I looked at the meson stuff, and changed "static" to "shared" and the build
is now producing an .so file.

I think adding versioning to that function will result in the usual soname stuff

but you should probably create a libundead0 or whatever package
in the 

debian/patches/01_meson-build.patch.patch file

+undead_lib = shared_library('undead',

works
http://mesonbuild.com/Porting-from-autotools.html

I think for now binNMUing is fine, but in the future splitting the package and 
adding that library as shared is preferred (but please talk to D people, and 
try to understand how stable the ABI is)

HTH

G.
Hi Gianfranco,

On Wed, Jul 26, 2017 at 09:52:17AM +, Gianfranco Costamagna wrote:
> 
> >> Package: release.debian.org
> >> Severity: normal
> >> User: release.debian@packages.debian.org
> >> Usertags: binnmu
> >> 
> >> nmu libundead_1.0.6-2 . ANY . -m "Rebuild against new ldc72"
> >> 
> >> For some reasons libundead changed some symbols with new ldc, and a 
> >> rebuild of libundead fixes
> >> libbiod.
> >
> >ldc is ongoing a library transition. I wonder if libundead-dev should depend 
> >on ldc?
> 
> 
> maybe the problem is that Andreas uses static libraries?
> 
> Andreas can you please add the dependency and use shared versions?

Adding ldc to depends would be cheap - but how to switch to shared
versions?  I did the package with the help of Debian D team and
have no idea how to do this.

> such bugs are nasty, because they embed wrong/old code, and aren't picked up 
> in transitions

Feel free to NMU - ACLs are set in the repository and any DD can
commit.

Sorry to be that less helpful

   Andreas.

-- 
http://fam-tille.de


Bug#869762: NMU: libundead_1.0.6-2 . ANY . -m "Rebuild against new ldc"

2017-07-26 Thread Gianfranco Costamagna



>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: binnmu
>> 
>> nmu libundead_1.0.6-2 . ANY . -m "Rebuild against new ldc72"
>> 
>> For some reasons libundead changed some symbols with new ldc, and a rebuild 
>> of libundead fixes
>> libbiod.
>
>ldc is ongoing a library transition. I wonder if libundead-dev should depend 
>on ldc?


maybe the problem is that Andreas uses static libraries?

Andreas can you please add the dependency and use shared versions?
such bugs are nasty, because they embed wrong/old code, and aren't picked up in 
transitions


G.



Bug#869762: NMU: libundead_1.0.6-2 . ANY . -m "Rebuild against new ldc"

2017-07-26 Thread Gianfranco Costamagna
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

nmu libundead_1.0.6-2 . ANY . -m "Rebuild against new ldc72"

For some reasons libundead changed some symbols with new ldc, and a rebuild of 
libundead fixes
libbiod.

thanks
Gianfranco





Bug#856240: jessie-pu: package elog/2.9.2+2014.05.11git44800a7-2+deb8u1

2017-07-20 Thread Gianfranco Costamagna
Hello,
> I don't see see your package in jessie-new; the next jessie point release
> is coming up shortly, so feel free to prod your sponsor again if you want
> to have a chance of fixing this in jessie. :)
> 
sponsored, sorry for the delay

G.





Bug#866967: Bug#867149: RFS: galternatives/0.13.5+nmu3+deb8u1

2017-07-05 Thread Gianfranco Costamagna
Hello,
>I am looking for a sponsor for my package "galternatives" into *oldstable* 
>(jessie-pu).


uploaded.

G.




Bug#843701: jessie-pu: package boinc/7.4.23+dfsg-1

2017-06-30 Thread Gianfranco Costamagna
Hello Cyril,

>Looks better to me, thanks. Feel free to upload.

thanks!
>Also, please use reply-all on the BTS.


ack

G.



Bug#864757: stretch-pu: package galternatives/0.13.5+nmu4+deb9u1

2017-06-30 Thread Gianfranco Costamagna

>Flagged for acceptance, thanks.


thanks to you
>(Please use reply-all on the BTS.)


ack, I don't want to spam with double emails, but ok :)
>FWIW this might make sense to fix this in jessie as well? If you agree,
>feel free to open a jessie-pu bug report to track it.


this is not something I know, Boyuan, please do the paperwork
and prod me in case you are ok with fixing it in jessie too

G.



Bug#866582: nmu: petsc_3.7.5+dfsg1-4

2017-06-30 Thread Gianfranco Costamagna
Package: release.debian.org

User: release.debian@packages.debian.org

Usertags: binnmu

Severity: normal


nmu petsc_3.7.5+dfsg1-4 . ANY . unstable . -m "Rebuild against openmpi 2.1.1"



as said on irc, I don't know why that check is so strict, but better safe than 
sorry
and lets the stack migrate


thanks!



Bug#843701: jessie-pu: package boinc/7.4.23+dfsg-1

2017-06-27 Thread Gianfranco Costamagna
control: tags -1 -moreinfo


>I'm interested in seeing an updated debdiff with a better wording for
>the xhost issue. The proposed one suggests a syntax error but says
>nothing about the permission issues which need a fix.

ok, fair enough, updated

>Similarly, the OOM_ADJ handling could be more descriptive, something
>like “Try both oom_score_adj and oom_adj when adjusting the OOM score
>(Closes: #843663).”?

this seems really better and more descriptive, indeed.

Updated debdiff attached

thanks

G.
diff -Nru boinc-7.4.23+dfsg/debian/boinc-client.init 
boinc-7.4.23+dfsg/debian/boinc-client.init
--- boinc-7.4.23+dfsg/debian/boinc-client.init  2014-10-17 17:10:09.0 
+0200
+++ boinc-7.4.23+dfsg/debian/boinc-client.init  2016-11-08 21:53:59.0 
+0100
@@ -29,6 +29,7 @@
 BOINC_DIR=/var/lib/boinc-client
 BOINC_CLIENT=/usr/bin/boinc
 BOINC_OOM_ADJ=15
+BOINC_OOM_SCORE_ADJ=1000
 
 #VALGRIND_OPTIONS="-v --log-file=/tmp/valgrind_boinc.log "
 VALGRIND_OPTIONS=""
@@ -106,7 +107,7 @@
   else
 if [ -n "$DISPLAY" -a -x /usr/bin/xhost ]; then
# grant the boinc client to perform GPU computing
-   xhost local:boinc || echo -n "xhost error ignored, GPU computing may 
not be possible"
+   xhost +si:localuser:$BOINC_USER || echo -n "xhost error ignored, GPU 
computing may not be possible"
 fi
 if [ -n "$VALGRIND_OPTIONS" ]; then
   start-stop-daemon --start --quiet --background --pidfile $PIDFILE \
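
Review bot: on the added xhost line, $BOINC_USER is expanded unquoted and nothing in the visible context shows it being set or checked; if it is empty the call becomes "xhost +si:localuser:" and the failure is swallowed by the "|| echo" branch. Quote the expansion ("+si:localuser:$BOINC_USER") and skip the call when the variable is empty, so a misconfigured init script does not silently change X server access.
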
@@ -206,10 +207,13 @@
   fi
 fi
 for BPID in ${pid} ${children}; do
-  if [ -w /proc/${BPID}/oom_adj ]; then
-echo ${BOINC_OOM_AD} > /proc/${BPID}/oom_adj 2>/dev/null || true
+  # Fallback to old oom_adj if oom_score_adj doesn't exist
+  if [ -w /proc/${BPID}/oom_score_adj ]; then
+echo ${BOINC_OOM_SCORE_ADJ} > /proc/${BPID}/oom_score_adj 2>/dev/null 
|| true
+  elif [ -w /proc/${BPID}/oom_adj ]; then
+echo ${BOINC_OOM_ADJ} > /proc/${BPID}/oom_adj 2>/dev/null || true
   else
-echo "Could not write to /proc/${BPID}/oom_adj"
+echo "Could not adjust oom_score of task"
   fi
 done
   fi
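
Review bot: the new fallback message, "Could not adjust oom_score of task", drops the PID that the old message carried through /proc/${BPID}/oom_adj, so a failure inside this loop over ${pid} ${children} can no longer be tied to a process; include ${BPID} in the text. The removed line also wrote ${BOINC_OOM_AD}, a name that does not match the BOINC_OOM_ADJ defined at the top of the script, so the corrected spelling in the elif branch changes behaviour on kernels that only have oom_adj and deserves a mention in the changelog.
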
diff -Nru boinc-7.4.23+dfsg/debian/changelog boinc-7.4.23+dfsg/debian/changelog
--- boinc-7.4.23+dfsg/debian/changelog  2014-10-17 17:19:50.0 +0200
+++ boinc-7.4.23+dfsg/debian/changelog  2016-11-08 21:53:59.0 +0100
@@ -1,3 +1,16 @@
+boinc (7.4.23+dfsg-1+deb8u1) jessie; urgency=medium
+
+  [ Tom Downes ]
+  * Try both oom_score_adj and oom_adj when adjusting the OOM score
+(Closes: #843663).
+
+  [ Mike Brennan <deb...@u4ear.com> ]
+  * Fix xhost syntax. (Closes: #841665)
+- the xhost permissions syntax requires a "localuser" keyword for locally
+  specified users.
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Tue, 08 Nov 2016 
21:53:59 +0100
+
 boinc (7.4.23+dfsg-1) unstable; urgency=medium
 
   * New upstream release candidate.
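
Review bot: the xhost entry in the new changelog block still reads "Fix xhost syntax" and explains only the keyword, while the review comment quoted in this message asked for wording that covers the permission side. Say what the new call grants, for example that X server access is given to the BOINC user through a server-interpreted localuser entry, and keep the syntax remark as the sub-item.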




Bug#864757: stretch-pu: package galternatives/0.13.5+nmu4+deb9u1

2017-06-27 Thread Gianfranco Costamagna

> Looks good to me, feel free to upload.
> 

uploaded.

G.





Bug#864419: unblock: ettercap (CVE)

2017-06-08 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package ettercap, we fixed CVE 2017-8366, but the asan enable 
patch is not intended for production use.
I commented out that part
http://www.openwall.com/lists/oss-security/2016/02/17/9

unblock ettercap/1:0.8.2-6

debdiff attached

thanks

G.

diff -Nru ettercap-0.8.2/debian/changelog ettercap-0.8.2/debian/changelog
--- ettercap-0.8.2/debian/changelog 2017-06-04 09:27:11.0 +0200
+++ ettercap-0.8.2/debian/changelog 2017-06-08 14:20:58.0 +0200
@@ -1,3 +1,10 @@
+ettercap (1:0.8.2-6) unstable; urgency=medium
+
+  * Tweak 803.patch, disable asan.
+(it is not intended for production) 
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Thu, 08 Jun 2017 
14:20:29 +0200
+
 ettercap (1:0.8.2-5) unstable; urgency=high
 
   [ Alexander Koeppe ]
diff -Nru ettercap-0.8.2/debian/patches/803.patch 
ettercap-0.8.2/debian/patches/803.patch
--- ettercap-0.8.2/debian/patches/803.patch 2017-06-04 09:25:14.0 
+0200
+++ ettercap-0.8.2/debian/patches/803.patch 2017-06-08 14:21:18.0 
+0200
@@ -8,37 +8,37 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 Index: ettercap-0.8.2/CMakeLists.txt
-===
 ettercap-0.8.2.orig/CMakeLists.txt
-+++ ettercap-0.8.2/CMakeLists.txt
-@@ -125,7 +125,27 @@
-   # library dir path in our RPATH.
-   set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
- endif(NOT DISABLE_RPATH)
-+
-+# set general build flags for debug build-type
- set(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb3 -DDEBUG -Wall -Wno-pointer-sign 
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wextra 
-Wredundant-decls" CACHE STRING "" FORCE)
-+# append ASAN build flags if compiler version has support
-+if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
-+   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
-+  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
-+  message("Building with ASAN support (GNU compiler)")
-+   else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
-+  message("Building without ASAN support (GNU compiler)")
-+   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
-+elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang")
-+   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
-+  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
-+  message("Building with ASAN support (Clang compiler)")
-+   elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
-+  message("Building without ASAN support (Clang compiler)")
-+   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
-+endif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
-+
-+# set build flags for release build-type
- set(CMAKE_C_FLAGS_RELEASE "-O2 -w -D_FORTIFY_SOURCE=2" CACHE STRING "" FORCE)
- 
- if(OS_DARWIN)
+#===
+#--- ettercap-0.8.2.orig/CMakeLists.txt
+#+++ ettercap-0.8.2/CMakeLists.txt
+#@@ -125,7 +125,27 @@
+# 8  # library dir path in our RPATH.
+#   set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
+# endif(NOT DISABLE_RPATH)
+#+
+#+# set general build flags for debug build-type
+# set(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb3 -DDEBUG -Wall -Wno-pointer-sign 
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wextra 
-Wredundant-decls" CACHE STRING "" FORCE)
+#+# append ASAN build flags if compiler version has support
+#+if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
+#+   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
+#+  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
+#+  message("Building with ASAN support (GNU compiler)")
+#+   else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
+#+  message("Building without ASAN support (GNU compiler)")
+#+   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
+#+elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang")
+#+   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
+#+  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
+#+  message("Building with ASAN support (Clang compiler)")
+#+   elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
+#+  message("Building without ASAN support (Clang compiler)")
+#+   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
+#+endif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
+#+
+#+# set build flags for release build-type
+# set(
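
Review bot: prefixing the CMakeLists.txt section of 803.patch with "#" leaves the patch header still claiming "1 file changed, 1 insertion(+), 1 deletion(-)" for a section that no longer applies, and it relies on the patch tool skipping those lines as leading garbage; one commented line has also picked up a stray character ("+# 8  # library dir path in our RPATH."). Deleting that section from the patch, or moving the ASAN commit into its own file that is left out of debian/patches/series, is easier to audit. The flags were only ever appended to CMAKE_C_FLAGS_DEBUG, so the changelog could also say whether the Debian build used the Debug build type at all.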

Bug#864091: unblock: ettercap (CVE)

2017-06-04 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package ettercap, we fixed CVE 2017-8366

unblock ettercap/1:0.8.2-5

debdiff attached
diff -Nru ettercap-0.8.2/debian/changelog ettercap-0.8.2/debian/changelog
--- ettercap-0.8.2/debian/changelog 2017-03-07 21:28:07.0 +0100
+++ ettercap-0.8.2/debian/changelog 2017-06-04 09:27:11.0 +0200
@@ -1,3 +1,12 @@
+ettercap (1:0.8.2-5) unstable; urgency=high
+
+  [ Alexander Koeppe ]
+  * debian/patches/803.patch: Fix buffer overflow/underflow
+with bad filters (Closes: #861604).
+CVE-2017-8366
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Sun, 04 Jun 2017 
09:24:59 +0200
+
 ettercap (1:0.8.2-4) unstable; urgency=high
 
   * debian/patches/626dc56686f15f2dda13c48f78c2a666cb6d8506.patch:
diff -Nru ettercap-0.8.2/debian/patches/803.patch 
ettercap-0.8.2/debian/patches/803.patch
--- ettercap-0.8.2/debian/patches/803.patch 1970-01-01 01:00:00.0 
+0100
+++ ettercap-0.8.2/debian/patches/803.patch 2017-06-04 09:25:14.0 
+0200
@@ -0,0 +1,210 @@
+From d14d2558da14a33abf7baab28957488a75d16af1 Mon Sep 17 00:00:00 2001
+From: Alexander Koeppe <forma...@online.de>
+Date: Thu, 1 Jun 2017 08:56:23 +0200
+Subject: [PATCH 1/4] Add ASAN compiler flags in DEBUG build type
+
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: ettercap-0.8.2/CMakeLists.txt
+===
+--- ettercap-0.8.2.orig/CMakeLists.txt
 ettercap-0.8.2/CMakeLists.txt
+@@ -125,7 +125,27 @@
+   # library dir path in our RPATH.
+   set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
+ endif(NOT DISABLE_RPATH)
++
++# set general build flags for debug build-type
+ set(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb3 -DDEBUG -Wall -Wno-pointer-sign 
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wextra 
-Wredundant-decls" CACHE STRING "" FORCE)
++# append ASAN build flags if compiler version has support
++if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
++   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
++  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
++  message("Building with ASAN support (GNU compiler)")
++   else (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
++  message("Building without ASAN support (GNU compiler)")
++   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.8)
++elseif ("${CMAKE_C_COMPILER_ID}" STREQUAL "Clang")
++   if (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
++  set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -fsanitize=address 
-fno-omit-frame-pointer" CACHE STRING "" FORCE)
++  message("Building with ASAN support (Clang compiler)")
++   elseif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
++  message("Building without ASAN support (Clang compiler)")
++   endif (CMAKE_C_COMPILER_VERSION VERSION_GREATER 3.1)
++endif ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU")
++
++# set build flags for release build-type
+ set(CMAKE_C_FLAGS_RELEASE "-O2 -w -D_FORTIFY_SOURCE=2" CACHE STRING "" FORCE)
+ 
+ if(OS_DARWIN)
+Index: ettercap-0.8.2/include/ec_strings.h
+===
+--- ettercap-0.8.2.orig/include/ec_strings.h
 ettercap-0.8.2/include/ec_strings.h
+@@ -40,7 +40,7 @@
+ 
+ EC_API_EXTERN int match_pattern(const char *s, const char *pattern);
+ EC_API_EXTERN int base64_decode(char *bufplain, const char *bufcoded);
+-EC_API_EXTERN int strescape(char *dst, char *src);
++EC_API_EXTERN int strescape(char *dst, char *src, size_t len);
+ EC_API_EXTERN int str_replace(char **text, const char *s, const char *d);   
+ EC_API_EXTERN size_t strlen_utf8(const char *s);
+ EC_API_EXTERN char * ec_strtok(char *s, const char *delim, char **ptrptr);
+Index: ettercap-0.8.2/src/ec_strings.c
+===
+--- ettercap-0.8.2.orig/src/ec_strings.c
 ettercap-0.8.2/src/ec_strings.c
+@@ -167,13 +167,14 @@
+ /* 
+  * convert the escaped string into a binary one
+  */
+-int strescape(char *dst, char *src)
++int strescape(char *dst, char *src, size_t len)
+ {
+char  *olddst = dst;
++   char  *oldsrc = src;
+int   c;
+int   val;
+ 
+-   while ((c = *src++) != '\0') {
++   while ((c = *src++) != '\0' && (size_t)(src - oldsrc) <= len) {
+   if (c == '\\') {
+  switch ((c = *src++)) {
+ case '\0':
+@@ -218,9 +219,11 @@
+   if (c >= '0' && c <= '7')
+  val = (val << 3) | (c - '0');
+   else 
+- --src;
++ if (src > oldsrc) /* protect against buffer 

Bug#864092: unblock: llvm-toolchain-3.8

2017-06-04 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package llvm-toolchain-3.8, we fixed the Julia build
(bad arm64 generated code), and also fixed a sanitizer hang on newer kernels
(it is an upstream patch, it might be incomplete, we tested and it worked, but
it hung again on one buildd)


unblock llvm-toolchain-3.8/1:3.8.1-24

thanks

G.
diff -Nru llvm-toolchain-3.8-3.8.1/debian/changelog 
llvm-toolchain-3.8-3.8.1/debian/changelog
--- llvm-toolchain-3.8-3.8.1/debian/changelog   2017-04-25 19:46:34.0 
+0200
+++ llvm-toolchain-3.8-3.8.1/debian/changelog   2017-06-02 15:15:49.0 
+0200
@@ -1,3 +1,14 @@
+llvm-toolchain-3.8 (1:3.8.1-24) unstable; urgency=medium
+
+  * Team upload
+  * debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch:
+fix relocation issue, preventing Julia from working correctly on
+arm64 (Closes: #862360, #861484)
+  * debian/patches/asan-48bit-VMA-aarch64.patch:
+- fix asan testsuite hang with some arm64 builders.
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Fri, 02 Jun 2017 
15:11:29 +0200
+
 llvm-toolchain-3.8 (1:3.8.1-23) unstable; urgency=medium
 
   * Oups, same player try again (wrong package name, sorry)
diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch 
llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch
--- llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch
1970-01-01 01:00:00.0 +0100
+++ llvm-toolchain-3.8-3.8.1/debian/patches/asan-48bit-VMA-aarch64.patch
2017-06-02 15:12:44.0 +0200
@@ -0,0 +1,16 @@
+Description: [asan] Enable 48-bit VMA support on aarch64
+Origin: upstream, https://reviews.llvm.org/D22095?id=63084
+Bug-Debian: https://bugs.debian.org/862360
+Author: Adhemerval Zanella <adhemerval.zane...@linaro.org>
+Last-Update: 2016-07-07
+--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform.h
 b/compiler-rt/lib/sanitizer_common/sanitizer_platform.h
+@@ -114,6 +114,8 @@
+ // will still work but will consume more memory for TwoLevelByteMap.
+ #if defined(__mips__)
+ # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 40)
++#elif defined(__aarch64__)
++# define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 48)
+ #else
+ # define SANITIZER_MMAP_RANGE_SIZE FIRST_32_SECOND_64(1ULL << 32, 1ULL << 47)
+ #endif
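
Review bot: the Bug-Debian field in this patch header points at #862360, which the changelog entry in the same debdiff assigns to the R_AARCH64_MOVW_UABS_G3 relocation fix, while the changelog line for asan-48bit-VMA-aarch64.patch closes no bug. Point the field at the report that tracks the sanitizer hang, or drop it, and record in the Description that the hang was seen again on one buildd so the patch is not read as a complete fix. The new value is a compile-time constant, so it is worth stating which VMA sizes the arm64 builders actually run with.
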
diff -Nru 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
--- 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
 1970-01-01 01:00:00.0 +0100
+++ 
llvm-toolchain-3.8-3.8.1/debian/patches/fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
 2017-06-02 15:14:37.0 +0200
@@ -0,0 +1,16 @@
+Description: Fix R_AARCH64_MOVW_UABS_G3 relocation
+Origin: upstream, https://reviews.llvm.org/D27609?id=80860
+Bug-Debian: https://bugs.debian.org/862360
+Author: Yichao Yu <yyc1...@gmail.com>
+Last-Update: 2016-12-15
+--- a/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp
 b/lib/ExecutionEngine/RuntimeDyld/RuntimeDyldELF.cpp
+@@ -357,7 +357,7 @@
+ // bits affected by the relocation on entry is garbage.
+ *TargetPtr &= 0xffe0001fU;
+ // Immediate goes in bits 20:5 of MOVZ/MOVK instruction
+-*TargetPtr |= Result >> (48 - 5);
++*TargetPtr |= (Result & 0xULL) >> (48 - 5);
+ // Shift must be "lsl #48", in bits 22:21
+ assert((*TargetPtr >> 21 & 0x3) == 3 && "invalid shift for relocation");
+ break;
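
Review bot: the mask on the added line reads "(Result & 0xULL)", which is not a valid constant as shown here; the hex digits have evidently been lost, so check the literal against the upstream review named in the Origin field before applying from this copy. On the logic itself: "Result >> (48 - 5)" places bits 63:48 in bits 20:5 but also moves bits 47:43 into bits 4:0, which the preceding "*TargetPtr &= 0xffe0001fU" deliberately preserves, so the mask has to clear everything below bit 48. A comment on the added line saying so would help the next reader.
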
diff -Nru llvm-toolchain-3.8-3.8.1/debian/patches/series 
llvm-toolchain-3.8-3.8.1/debian/patches/series
--- llvm-toolchain-3.8-3.8.1/debian/patches/series  2017-03-19 
22:10:46.0 +0100
+++ llvm-toolchain-3.8-3.8.1/debian/patches/series  2017-06-02 
15:11:44.0 +0200
@@ -57,3 +57,5 @@
 lldb-server-path.diff
 lldb-server-link.diff
 add_symbols_versioning.patch
+fix-R_AARCH64_MOVW_UABS_G3-relocation.patch
+asan-48bit-VMA-aarch64.patch




Bug#863715: unblock: boinc 7.6.33+dfsg-12

2017-05-30 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock


Hi Release Team

Please unblock package boinc

unblock boinc/7.6.33+dfsg-12

We refactored a little bit with the upstream version a patch already in Stretch,
and I removed the fglrx package, uninstallable because fglrx is now dead

debdiff here:

diff -Nru boinc-7.6.33+dfsg/debian/changelog boinc-7.6.33+dfsg/debian/changelog
--- boinc-7.6.33+dfsg/debian/changelog  2017-04-04 08:08:14.0 +0200
+++ boinc-7.6.33+dfsg/debian/changelog  2017-05-30 11:40:51.0 +0200
@@ -1,3 +1,22 @@
+boinc (7.6.33+dfsg-12) unstable; urgency=medium
+
+  [ Steffen Moeller ]
+  * Added dependency on  lsb-base (>= 3.0-6) of boinc-client for the init
+script. Thanks to Lintian and the Package Tracker for spotting that.
+
+  [ Gianfranco Costamagna ]
+  * Update the previous boinc-issue-1177.patch with the upstream merged patch.
+  * Remove boinc-client-fglrx: dead, depends on removed fglrx libraries.
+(Closes: #863699)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Tue, 30 May 2017 
11:39:31 +0200
+
+boinc (7.6.33+dfsg-11exp1) experimental; urgency=medium
+
+  * Upload to experimental again, with the boinc-server-* packages.
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Tue, 04 Apr 2017 
08:10:03 +0200
+
 boinc (7.6.33+dfsg-11) unstable; urgency=medium
 
   * Upload to unstable
diff -Nru boinc-7.6.33+dfsg/debian/control boinc-7.6.33+dfsg/debian/control
--- boinc-7.6.33+dfsg/debian/control2017-04-04 08:09:03.0 +0200
+++ boinc-7.6.33+dfsg/debian/control2017-05-30 11:41:46.0 +0200
@@ -103,37 +103,16 @@
  non-free section to the regular boinc package. This also meant this
  binary package to be redistributed in the contrib section of Debian.
 
-Package: boinc-client-fglrx
-Architecture: amd64 i386
-Section: contrib/net
-Priority: extra
-Breaks: boinc-nvidia-cuda
-Replaces: boinc-nvidia-cuda
-Depends: ${misc:Depends}, boinc-client
-Recommends: libfglrx | fglrx-updates | fglrx
-Description: metapackage for AMD/ATI fglrx-savvy BOINC client and manager
- The Berkeley Open Infrastructure for Network Computing (BOINC) is a
- software platform for distributed computing: several initiatives of
- various scientific disciplines all compete for the idle time of
- desktop computers. The developers' web site at the University of
- Berkeley serves as a common portal to the otherwise independently run
- projects.
- .
- Regular users (righteously) often find it an unbearable nuisance to
- care for the configuration of BOINC for the fglrx-savvy AMD/ATI
- graphics cards.  This package adds a series of dependencies from the
- non-free section to the regular boinc package. This also meant this
- binary package to be redistributed in the contrib section of Debian.
-
 Package: boinc-client
 Architecture: any
 Depends: adduser,
  ca-certificates,
+ lsb-base (>= 3.0-6),
  libboinc7 (= ${binary:Version}),
  ${misc:Depends},
  ${python:Depends},
  ${shlibs:Depends}
-Suggests: boinc-client-opencl, boinc-client-fglrx, boinc-client-nvidia-cuda, 
boinc-manager, x11-xserver-utils
+Suggests: boinc-client-opencl, boinc-client-nvidia-cuda, boinc-manager, 
x11-xserver-utils
 Description: core client for the BOINC distributed computing infrastructure
  The Berkeley Open Infrastructure for Network Computing (BOINC) is a
  software platform for distributed computing: several initiatives of
diff -Nru boinc-7.6.33+dfsg/debian/control.in 
boinc-7.6.33+dfsg/debian/control.in
--- boinc-7.6.33+dfsg/debian/control.in 2017-03-14 12:22:46.0 +0100
+++ boinc-7.6.33+dfsg/debian/control.in 2017-05-30 11:38:56.0 +0200
@@ -103,37 +103,16 @@
 @ non-free section to the regular boinc package. This also meant this
 @ binary package to be redistributed in the contrib section of Debian.
 @
-@Package: boinc-client-fglrx
-@Architecture: amd64 i386
-@Section: contrib/net
-@Priority: extra
-@Breaks: boinc-nvidia-cuda
-@Replaces: boinc-nvidia-cuda
-@Depends: ${misc:Depends}, boinc-client
-@Recommends: libfglrx | fglrx-updates | fglrx
-@Description: metapackage for AMD/ATI fglrx-savvy BOINC client and manager
-@ The Berkeley Open Infrastructure for Network Computing (BOINC) is a
-@ software platform for distributed computing: several initiatives of
-@ various scientific disciplines all compete for the idle time of
-@ desktop computers. The developers' web site at the University of
-@ Berkeley serves as a common portal to the otherwise independently run
-@ projects.
-@ .
-@ Regular users (righteously) often find it an unbearable nuisance to
-@ care for the configuration of BOINC for the fglrx-savvy AMD/ATI
-@ graphics cards.  This package adds a series of dependencies from the
-@ non-free section to the regular boinc package. This also meant this
-@ binary package to be redistributed in the contrib section of Debian.
-@
 @Package: boinc-client
 @Architecture: any

Bug#863645: unblock: cqrlog 2.0.2-1.1

2017-05-29 Thread Gianfranco Costamagna
Hi,
>> unblock cqrlog/2.0.2-1.1
>
>Doesn't seem to be in the archive?


this is true, I forgot to mention this is in deferred/2, so you can see it as a
pre-approval bug (this is an NMU for an RC I just opened)


We might even avoid pulling the compatibility package by cherry-picking this upstream commit
https://github.com/ok2cqr/cqrlog/commit/3f2dd3d0025658b57b03715f3cc60919b661eed2#diff-b8baf5712e548bba85056ce31a9d3df9

your choice, probably the upstream fix is better because it pulls one less 
package from the archive :)
G.



Bug#863645: unblock: cqrlog 2.0.2-1.1

2017-05-29 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock


Hi release team


Please unblock package cqrlog

unblock cqrlog/2.0.2-1.1

I found a bug that was preventing the package from working if the mysql compat library
was not installed.
The code is doing the pascal "dlopen" call to find libmysqlclient.so, and this is not available
anymore since the mariadb switch.

Using the compat package brings a symlink that makes the program behave correctly.
thanks

G.


diff -Nru cqrlog-2.0.2/debian/changelog cqrlog-2.0.2/debian/changelog

--- cqrlog-2.0.2/debian/changelog2016-09-09 14:58:50.0 +0200

+++ cqrlog-2.0.2/debian/changelog2017-05-29 19:06:55.0 +0200

@@ -1,3 +1,13 @@

+cqrlog (2.0.2-1.1) unstable; urgency=medium

+

+  * Non-maintainer upload.

+  * Depent on virtual mysql server implementation (Closes: #848430)

+  * Depend on default-libmysqlclient-dev, to have the libmysqlclient.so

+symlink available at runtime (function TdmData.GetMySQLLib

+loads it dynamically Closes: #863644.

+

+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Mon, 29 May 2017 
17:29:07 +0200

+

cqrlog (2.0.2-1) unstable; urgency=medium


* New upstream bugfix release.
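
Review bot: in the new changelog entry, the parenthesis opened before "function TdmData.GetMySQLLib" is never closed and "Closes: #863644" sits inside it instead of in its own "(Closes: ...)" group, and the first bullet has the typo "Depent". Close the remark after "loads it dynamically" and put the bug closure in separate parentheses so the entry matches the form used for #848430 on the line above.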

diff -Nru cqrlog-2.0.2/debian/control cqrlog-2.0.2/debian/control

--- cqrlog-2.0.2/debian/control2016-05-03 10:56:29.0 +0200

+++ cqrlog-2.0.2/debian/control2017-05-29 19:05:57.0 +0200

@@ -13,8 +13,8 @@


Package: cqrlog

Architecture: any

-Depends: ${shlibs:Depends}, ${misc:Depends}, libssl-dev, mysql-client | 
mariadb-client, libhamlib2 (>= 1.2.10), libhamlib-utils (>= 1.2.10)

-Recommends: mysql-server | mariadb-server, xplanet

+Depends: ${shlibs:Depends}, ${misc:Depends}, libssl-dev, default-mysql-client 
| virtual-mysql-client, default-libmysqlclient-dev, libhamlib2 (>= 1.2.10), 
libhamlib-utils (>= 1.2.10)

+Recommends: default-mysql-server | virtual-mysql-server, xplanet

Description: Advanced logging program for hamradio operators

CQRLOG is an advanced ham radio logger based on MySQL embedded database. 

Provides radio control based on hamlib libraries (currently support of 140+ 
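
Review bot: the new Depends line adds default-libmysqlclient-dev, a development package, as a runtime dependency only to obtain the unversioned libmysqlclient.so symlink that the program loads dynamically. That installs build-time files on every user system; the reply in this bug points at an upstream commit that avoids the extra package, which is the narrower fix. libssl-dev on the same line raises the same question, although it is not changed here.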



Bug#861985: unblock: variety/0.6.3-5 (pre-upload approval)

2017-05-07 Thread Gianfranco Costamagna
control: tags -1 -moreinfo
> Ack, please go ahead and remove the moreinfo tag once the upload is in
> unstable and have built on all relevant release architectures.
> 
it should be ok now

thanks!

G.






Bug#861376: unblock: variety/0.6.3-4 (pre-upload approval)

2017-04-30 Thread Gianfranco Costamagna
control: tags -1 -moreinfo
> Please go ahead with the upload and remove the moreinfo tag from this bug once
> the package built on all the relevant architectures in unstable.
> 
uploaded a few seconds ago :)

thanks a lot!
G.





Bug#860803: nmu: openldap_2.4.44+dfsg-4

2017-04-20 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal

nmu openldap_2.4.44+dfsg-4 . ANY . unstable . -m "rebuild after ppc64el bootstrap"


I successfully did the ppc64el bootstrap, I think however a binNMU will make
me confident that the bootstrap issue cycle is working correctly from apt perspective.

Please do it for ANY because of Multi-Arch :)

(not sure if this is needed, I did the "better safe than sorry" approach, since this is my first
bootstrap)

thanks,

Gianfranco



Bug#860448: Bug#860598: RFS: openldap/2.4.44+dfsg-4 [RC]

2017-04-19 Thread Gianfranco Costamagna
control: tags 860448 -moreinfo

Hello,
>I am looking for a sponsor to upload an updated openldap package targeted at
>stretch. The changes have already been pre-approved by the release team in
>#860448. The upload fixes one RC bug and one important bug and updates the

>debconf translations.

Removed moreinfo block, and uploaded

thanks

G.

Package: sponsorship-requests
Severity: important

Dear mentors,

I am looking for a sponsor to upload an updated openldap package targeted at
stretch. The changes have already been pre-approved by the release team in
#860448. The upload fixes one RC bug and one important bug and updates the
debconf translations.

The package can be found on mentors:

https://mentors.debian.net/debian/pool/main/o/openldap/openldap_2.4.44+dfsg-4.dsc

https://mentors.debian.net/package/openldap

Thanks,
Ryan



Bug#860074: unblock: wxpython3.0/3.0.2.0+dfsg-4 wxwidgets3.0/3.0.2+dfsg-4

2017-04-11 Thread Gianfranco Costamagna
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello Release Team, a gtk bug has been reported to poedit users/developers,
and it turned out to be a wxwidgets3.0/wxpython3.0 issue (poedit
can't workaround it).

I uploaded a fix in Debian, both wxwidgets and wxpython (they share the same
codebase), and I'm requesting to unblock them.

upstream patch is here:
(the patch comes from poedit developers, and upstream accepted it, and backported
it to wx3.0 stable branch)



diff --git a/src/gtk/dataview.cpp b/src/gtk/dataview.cpp

index 87217e2..0be3273 100644

--- a/src/gtk/dataview.cpp

+++ b/src/gtk/dataview.cpp

@@ -135,9 +135,11 @@ class wxGtkTreePathList : public wxGtkList


// Implementation note: it could be expected that setting the selection

// function in this class ctor and resetting it back to the old value in its

-// dtor would work. However currently gtk_tree_selection_get_select_function()

-// can't be passed NULL (see https://bugzilla.gnome.org/show_bug.cgi?id=626276)

-// so we can't do this. Instead, we always use the selection function (which

+// dtor would work, However in GTK+2 gtk_tree_selection_get_select_function()

+// can't be passed NULL (see https://bugzilla.gnome.org/show_bug.cgi?id=626276

+// which was only fixed in 2.90.5-304-g316b9da) so we can't do this.

+//

+// Instead, we always use the selection function (which

// imposes extra overhead, albeit minimal one, on all selection operations) and

// just set/reset the flag telling it whether it should allow or forbid the

// selection.

@@ -168,7 +170,15 @@ class wxGtkTreeSelectionLock


ms_instance = this;


-CheckCurrentSelectionFunc(NULL);

+if ( ms_firstTime )

+{

+ms_firstTime = false;

+CheckCurrentSelectionFunc(NULL);

+}

+else

+{

+CheckCurrentSelectionFunc(wxdataview_selection_func);

+}


// Pass some non-NULL pointer as "data" for the callback, it doesn't

// matter what it is as long as it's non-NULL.
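
Review bot: ms_firstTime is a class-wide static, while the lock operates on a per-instance m_selection, so after the first lock taken anywhere in the process every later constructor calls CheckCurrentSelectionFunc(wxdataview_selection_func), including the first lock taken on a different control's selection. Confirm that every GtkTreeSelection already has wxdataview_selection_func installed before its first lock, or track the first-use state per selection instead of per class.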

@@ -215,6 +225,7 @@ class wxGtkTreeSelectionLock

}


static wxGtkTreeSelectionLock *ms_instance;

+static bool ms_firstTime;


GtkTreeSelection * const m_selection;


@@ -222,6 +233,7 @@ class wxGtkTreeSelectionLock

};


wxGtkTreeSelectionLock *wxGtkTreeSelectionLock::ms_instance = NULL;

+bool wxGtkTreeSelectionLock::ms_firstTime = true;


//-

// wxDataViewCtrlInternal



please let me know if you want a debdiff

https://anonscm.debian.org/cgit/freewx/wx.git/commit/?h=wxpy3.0-debian=14e985d712d6f68f86bae8e56eaa8cc82979ff02
https://anonscm.debian.org/cgit/freewx/wx.git/commit/?h=wx3.0-debian=782ede3b9c5e7c3af8c625f34a5ecfac6b650813

poedit having this issue is only in experimental for now (it seems to be affecting only poedit2),
but it should fix also such assertions on other wx-based tools.

thanks!

Gianfranco



Bug#859486: unblock: boinc/7.6.33+dfsg-11

2017-04-04 Thread Gianfranco Costamagna
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package boinc

unblock boinc/7.6.33+dfsg-11

I'm asking to unblock, mainly because of bugs: LP: #1115607, BTS: #857218, #859352

I had to do some testing for the spawn shell fix, and now it is really fixed
(I missed a use-case where users spawn them by the cmdline tool, but now it works correctly
and the patch is upstream)

diff (excluding changelog)

# fix broken symlink
--- a/debian/libboinc-app-dev.links
+++ b/debian/libboinc-app-dev.links
-usr/include/boinc/boinc_win.h   usr/share/boinc-dev/lib/boinc_win.h
+usr/include/boinc/lib/boinc_win.h   usr/share/boinc-dev/lib/boinc_win.h

# remove useless pie
--- a/debian/rules
+++ b/debian/rules
-export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
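
Review bot: the label on this region says "remove useless pie", but the change drops the ",-pie" exclusion, so "hardening=+all" now turns PIE on rather than off. That is the stricter setting; reword the label and any changelog entry so the request does not read as a reduction in hardening.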

# fix new spawn from cmdline
--- a/clientgui/AdvancedFrame.cpp
+++ b/clientgui/AdvancedFrame.cpp
-wxGetApp().GetRootDirectory().mb_str(),
+wxGetApp().GetDataDirectory().mb_str(),

# read current process name from arguments, to correctly spawn a new process
--- a/clientgui/BOINCGUIApp.cpp
+++ b/clientgui/BOINCGUIApp.cpp
+#else
+char path[PATH_MAX];
+memset(path,0,sizeof(path));
+int ret = readlink("/proc/self/exe", path, PATH_MAX);
+if ( ret >= 0) {
+path[ret] = '\0'; // readlink does not null terminate
+char* name = strrchr(path, '/') + 1;
+m_strBOINCMGRExecutableName = name;
+} else {
+perror("readlink");
+}

+#else
+char path[PATH_MAX];
+memset(path,0,sizeof(path));
+int ret = readlink("/proc/self/exe", path, PATH_MAX);
+if ( ret >= 0) {
+path[ret] = '\0'; // readlink does not null terminate
+char* name = strrchr(path, '/') + 1;
+*name = '\0';
+m_strBOINCMGRRootDirectory = path;
+} else {
+perror("readlink");
+}
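
Review bot: both added blocks call readlink("/proc/self/exe", path, PATH_MAX) and then write path[ret] = '\0'; readlink can return exactly PATH_MAX when the result fills the buffer, which puts the terminator one byte past the end of path. Pass sizeof(path) - 1 as the size. strrchr(path, '/') + 1 is also used without checking for a NULL return, and the two blocks are identical up to their last two statements, so a shared helper would keep the fix in one place.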

# add patch to patch queue
--- a/debian/patches/series
+++ b/debian/patches/series
+boinc-issue-1177.patch

the full debdiff is attached to this email, I just wanted to highlight the 
changes
(BTW since this has been not working for a long time, I don't foresee 
regression risks)

G.



Re: Bug#856603: RFS: arc-theme/20170302-1

2017-03-31 Thread Gianfranco Costamagna
Hello,


>> 3.22.9-1 is a whole new upstream release, with changes that actively break
>> unrelated packages.  As you just mentioned, it does at least require themes
>> to be updated, and, as usual for GTK 3 new releases, probably a bunch of
>> gtk-3 using programs as well.
>
>That's not usual for point releases, in this case a bad change slipped through.
>That has been fixed in 3.22.9-3.
>That bug was introduced in 3.22.9, it doesn't affect 3.22.8. So no, nothing
>needs to go through tpu.
>
>BTW thanks for the notice about this regression.


so, now that 3.22.11 is going to go in testing... can we upload this one?

G.



Bug#857076: unblock: ettercap

2017-03-07 Thread Gianfranco Costamagna
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ettercap

It fixes a CVE issue (no DSA),

debdiff attached, I also added a few tweaks on non-release architectures
(using lua on hurd, and not using it on mips64el, so we should have at least
a non-lua build here, because until now it was bd-uninstallable)

debdiff attached.

unblock ettercap 1:0.8.2-4

thanks

G.




Bug#855109: unblock: pyrit/0.4.0-7.1

2017-02-16 Thread Gianfranco Costamagna
Hi,

>This failed to build on i386.


I saw it already, and I'm having difficulties in understanding why
(builds fine on pbuilder sid i386, debomatic sbuild i386, bad on barriere
i386 dchroot).

Asked for help on -mentors mail list

thanks

G.



Bug#855109: unblock: pyrit/0.4.0-7.1

2017-02-14 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package pyrit

RC bug fixed (FTBFS). Trivial upstream patch


unblock pyrit/0.4.0-7.1

thanks

G.
diff -Nru pyrit-0.4.0/debian/changelog pyrit-0.4.0/debian/changelog
--- pyrit-0.4.0/debian/changelog	2016-04-17 16:31:10.0 +0200
+++ pyrit-0.4.0/debian/changelog	2017-02-14 10:28:20.0 +0100
@@ -1,3 +1,12 @@
+pyrit (0.4.0-7.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  [ Sophie Brun ]
+  * debian/patches/update-for-scapy-2.3.3.patch:
+- fix build failure with new python-scapy (Closes: #850692)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Tue, 14 Feb 2017 10:27:30 +0100
+
 pyrit (0.4.0-7) unstable; urgency=medium
 
   * d/control:
diff -Nru pyrit-0.4.0/debian/patches/series pyrit-0.4.0/debian/patches/series
--- pyrit-0.4.0/debian/patches/series	2016-03-21 22:33:10.0 +0100
+++ pyrit-0.4.0/debian/patches/series	2017-02-14 10:27:30.0 +0100
@@ -1,3 +1,4 @@
 0006-custom-config-file.patch
 0014-performancecounter-handle-empty-result-gracefully.patch
 0015-increase-timeout-in-unittests.patch
+update-for-scapy-2.3.3.patch
diff -Nru pyrit-0.4.0/debian/patches/update-for-scapy-2.3.3.patch pyrit-0.4.0/debian/patches/update-for-scapy-2.3.3.patch
--- pyrit-0.4.0/debian/patches/update-for-scapy-2.3.3.patch	1970-01-01 01:00:00.0 +0100
+++ pyrit-0.4.0/debian/patches/update-for-scapy-2.3.3.patch	2017-02-14 10:35:17.0 +0100
@@ -0,0 +1,45 @@
+Subject: Update isinstance(EnumField) for scapy 2.3.3+
+ scapy 2.3.2- requires that scapy.fields.EnumField is passed to
+ isinstance, while scapy 2.3.3+ needs scapy.fields._EnumField.
+ This patch accomodates pyrit for both versions.
+Author: Ilya Terentyev <bacondrop...@gmail.com>
+Origin: https://github.com/JPaulMora/Pyrit/commit/14ec997174b8e8fd20d22b6a97c57e19633f12a0
+Bug: https://github.com/JPaulMora/Pyrit/issues/500
+Bug-Kali: https://bugs.kali.org/view.php?id=3801
+Date: Tue, 1 Nov 2016 20:40:15 +0300
+Forwarded: not-needed
+Last-Update: 2017-01-06
+
+---
+ cpyrit/pckttools.py | 13 -
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/cpyrit/pckttools.py b/cpyrit/pckttools.py
+index 326829d..d58fff1 100644
+--- a/cpyrit/pckttools.py
 b/cpyrit/pckttools.py
+@@ -54,12 +54,23 @@
+ scapy.layers.dot11.PrismHeader)
+ 
+ 
++def isEnumField(f):
++"""Return True if f is an instance of EnumField.  This function tries to be
++   portable: scapy versions 2.3.2 and earlier need isinstance(EnumField),
++   while scapy 2.3.3+ requires isinstance(_EnumField).
++"""
++try:
++return isinstance(f, scapy.fields._EnumField)
++except AttributeError:
++return isinstance(f, scapy.fields.EnumField)
++
++
+ def isFlagSet(self, name, value):
+ """Return True if the given field 'includes' the given value.
+Exact behaviour of this function is specific to the field-type.
+ """
+ field, val = self.getfield_and_val(name)
+-if isinstance(field, scapy.fields.EnumField):
++if isEnumField(field):
+ if val not in field.i2s:
+ return False
+ return field.i2s[val] == value
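
Review bot: in isEnumField the try block wraps the whole isinstance() call, so an AttributeError raised anywhere inside it, not only by the missing scapy.fields._EnumField attribute, silently falls through to the EnumField check, and the attribute lookup is repeated on every isFlagSet call. Resolving the class once at import time, for example with getattr(scapy.fields, '_EnumField', scapy.fields.EnumField), keeps the fallback narrow. The helper also depends on a private scapy name, so a comment stating which scapy versions it was tested against would help whoever hits the next rename.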


Bug#854384: RM [RoM] virtualbox-guest-additions-iso

2017-02-06 Thread Gianfranco Costamagna
Package: release.debian.org
Severity: normal


As said, for reasons including #794466, virtualbox-guest-additions-iso is not
suitable for a Stable Release.

please kick it out of testing,

Gianfranco



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2017-01-12 Thread Gianfranco Costamagna
Control: tags -1 - confirmed
Control: tags -1 + moreinfo
On Thu, 05 Jan 2017 20:06:47 + "Adam D. Barratt"  
wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote:
> 
> > Request for uploading to stable, as there is posted a CVE for a bug in 
> > mactelnet-client.
> > This update is a backport of the fix that is done upstream, that fixes only 
> > the mentioned bug.
> > 
> > More information here: 
> > https://security-tracker.debian.org/tracker/CVE-2016-7115
> > and here: https://bugs.debian.org/836320
> 
> +mactelnet (0.4.0-2) stable; urgency=low
> 
> The version should be 0.4.0-1+deb8u1. With that change, please go ahead.
> 

while the version is good, we need some more changes according to the CVE fix 
in github [1]

so I'm removing the confirmed tag and adding moreinfo, haakon please fix and 
remove moreinfo once done.

thanks

G.

[1] 
https://github.com/haakonnessjoen/MAC-Telnet/commit/b69d11727d4f0f8cf719c79e3fb700f55ca03e9a






Bug#849962: jessie-pu: package libpng/1.2.50-2+deb8u3

2017-01-02 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

CVE-2016-10087 is not worth a DSA, Security Team asked for a point release 
update.

diff -Nru libpng-1.2.50/debian/changelog libpng-1.2.50/debian/changelog
--- libpng-1.2.50/debian/changelog  2016-01-07 20:39:14.0 +0100
+++ libpng-1.2.50/debian/changelog  2017-01-02 18:24:35.0 +0100
@@ -1,3 +1,10 @@
+libpng (1.2.50-2+deb8u3) jessie; urgency=medium
+
+  * debian/patches/CVE-2016-10087.patch:
+- cherry-pick upstream fix for CVE-2016-10087
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Mon, 02 Jan 2017 
18:21:33 +0100
+
libpng (1.2.50-2+deb8u2) jessie-security; urgency=high

* Non-maintainer upload by the Security Team.
diff -Nru libpng-1.2.50/debian/patches/CVE-2016-10087.patch 
libpng-1.2.50/debian/patches/CVE-2016-10087.patch
--- libpng-1.2.50/debian/patches/CVE-2016-10087.patch   1970-01-01 
01:00:00.0 +0100
+++ libpng-1.2.50/debian/patches/CVE-2016-10087.patch   2017-01-02 
18:23:04.0 +0100
@@ -0,0 +1,12 @@
+Description: Fix CVE 2016-10087
+Origin: 
https://sourceforge.net/p/libpng/code/ci/794a15fad6add4d636369d0b46f603a02995b2e2/
+--- a/png.c
 b/png.c
+@@ -387,6 +387,7 @@
+  png_free(png_ptr, info_ptr->text);
+  info_ptr->text = NULL;
+  info_ptr->num_text=0;
++ info_ptr->max_text=0;
+   }
+}
+ #endif
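
Review bot: the DEP-3 header of CVE-2016-10087.patch only says "Fix CVE 2016-10087" and gives no reason for the one-line change in png.c; state in the Description that max_text has to be reset together with num_text once info_ptr->text is freed and set to NULL, so the recorded capacity does not outlive the freed array. The CVE id is also written without its first hyphen, which makes the patch harder to find with grep; use CVE-2016-10087 as in the file name and changelog.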
diff -Nru libpng-1.2.50/debian/patches/series 
libpng-1.2.50/debian/patches/series
--- libpng-1.2.50/debian/patches/series 2016-01-07 20:39:14.0 +0100
+++ libpng-1.2.50/debian/patches/series 2017-01-02 18:21:33.0 +0100
@@ -8,3 +8,4 @@
CVE-2015-8472/0002-Use-unsigned-constants-in-buffer-length-com.patch
CVE-2015-8472/0003-Fixed-bug-recently-introduced-in-png_set_PL.patch
CVE-2015-8540.patch
+CVE-2016-10087.patch
(attached debdiff)




please ping if you want me to upload it


On Monday, 2 January 2017 at 7:19, Salvatore Bonaccorso <car...@debian.org> 
wrote:
Hi Gianfranco,

libpng has one issue which is below the threshold for fixing it
in a DSA due to minor impact:

https://security-tracker.debian.org/tracker/CVE-2016-10087

There's still the possibility to fix this via a stable point update
[1], so I was wondering whether anything of that sort is planned by
you. The next point release is scheduled for the 14th of January [2].

Regards,
Salvatore

[1] 
https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable
[2] https://lists.debian.org/debian-release/2016/12/msg00412.html




Bug#843701: jessie-pu: package boinc/7.4.23+dfsg-1

2016-12-17 Thread Gianfranco Costamagna
control: tags -1 -moreinfo




Hi,
>Your mail client mangled the diff.



sorry for that

> the diff is simple:
> +  [ Tom Downes ]
> +  * Fix OOM_ADJ handling with a backportable approach
> +(Closes: #843663)
> 
> ^^ a typo in a variable name was preventing OOM_ADJ from being correctly set 
> in the init script
> 

What's the impact of that bug?

when kernel is OOM, boinc tasks should be killed before other tasks.
boinc is something that shouldn't impact the rest of the system
(voluntary computing), so it runs with lower nice level, and should
be killed before other programs in case the system gets out of memory.

this typo was preventing the second OOM handling to be correctly set, so people 
might have got
some other program killed instead of a boinc task.

>How can that possibly work?  The init script doesn't have an X
>display...

this is a known problem/issue, usually people can do GPU computing with a 
reload of the boinc-client
daemon, in this case the init system picks the X server up.
(this is how things should work, I'm clueless about such stuff and I avoid 
touching it when it
"works")

thanks for the review,

G.



Re: connman: libxtables.so.11 No such file or directory

2016-11-19 Thread Gianfranco Costamagna
control: severity -1 grave
control: reassign -1 src:iptables
control: found -1 1.6.0+snapshot20161117-1
control: notfound -1 1.6.0-4
control: affect -1 src:connman
control: retitle -1 "iptables: bumped library version without soname change, breaking reverse dependencies"

Thanks Alf for reporting this to me, and Debianer for the bug report.
Reassigned to iptables.

G.
(sorry for top posting, on mobile right now)

On Fri, 18 Nov 2016 19:07:45 +0100 Debianer  wrote:
> Package: connman
> Version: 1.33-1
> Severity: important
> 
> Dear Maintainer,
> 
> with the latest libxtables11 in Debian stretch/sid connmand does not start 
> any longer:
> 
> /usr/sbin/connmand -n
> /usr/sbin/connmand: error while loading shared libraries: libxtables.so.11: 
> cannot open shared object file: 1
> 
> This is since libxtables11 1.6.0+snapshot20161117-1, which installs 
> libxtables.so.12:
> 
> /usr/lib/x86_64-linux-gnu# ls -la libxtables*
> lrwxrwxrwx 1 root root    20 Nov 18 17:55 libxtables.so.12 -> 
> libxtables.so.12.0.0
> -rw-r--r-- 1 root root 52088 Nov 17 11:46 libxtables.so.12.0.0
> 
> I would expect libxtables.so.11 in that path.
> 
> Thank you.
> 
> 
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.8.0-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages connman depends on:
> ii  dbus 1.10.12-1
> ii  init-system-helpers  1.46
> ii  libc6    2.24-5
> ii  libdbus-1-3  1.10.12-1
> ii  libglib2.0-0 2.50.2-1
> ii  libgnutls30  3.5.6-4
> ii  libreadline7 7.0-1
> ii  libxtables11 1.6.0+snapshot20161117-1
> ii  lsb-base 9.20161101
> 
> Versions of packages connman recommends:
> pn  bluez  
> pn  ofono  
> ii  wpasupplicant  2.5-2+v2.4-3+b1
> 
> Versions of packages connman suggests:
> pn  indicator-network  
> 
> -- no debconf information
> 
> 


Bug#842699: nmu: lirc reverse-dependencies

2016-11-11 Thread Gianfranco Costamagna
control: tags -1 -moreinfo

I removed the lirc block (after 10 days), and should migrate today:
updated list:

nmu audacious-plugins_3.7.2-2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu banshee-community-extensions_2.4.0-4 . ANY . unstable . -m "rebuild to get 
rid of old liblircclient0 transitional dependency"
nmu bino_1.6.3-1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu geeqie_1:1.3-1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu gkrellm-radio_2.0.4-1.1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu gxine_0.5.908-3.1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu kradio4_4.0.8+git20160618-1 . ANY . unstable . -m "rebuild to get rid of 
old liblircclient0 transitional dependency"
nmu lcdproc_0.5.7-7 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu lxmms2_0.1.3-2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu mplayer_2:1.3.0-4 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu pulseaudio_9.0-4 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu pylirc_0.0.5-3 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu rhythmbox_3.4.1-2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu rosegarden_1:16.06-1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu totem_3.22.0-2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu vlc_2.2.4-7 . ANY . unstable . -m "rebuild to get rid of old liblircclient0 
transitional dependency"
nmu wawtv_3.103-4 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu xine-ui_0.99.9-1.2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu zapping_0.10~cvs6-10 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"

thanks,

Gianfranco



Bug#843701: jessie-pu: package boinc/7.4.23+dfsg-1

2016-11-08 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Boinc has a functionality problem in stable, the fix is already backported and 
I did upload
a new version in unstable a few hours ago
(just to make it backportable with older kernels)

the diff is simple:
+  [ Tom Downes ]
+  * Fix OOM_ADJ handling with a backportable approach
+(Closes: #843663)

^^ a typo in a variable name was preventing OOM_ADJ from being correctly set in 
the init script


+  [ Mike Brennan  ]
+  * Fix xhost syntax. (Closes: #841665)
^^ this is a potential security issue that still affects stable, so I would 
like to also address it.

diff -Nru boinc-7.4.23+dfsg/debian/boinc-client.init 
boinc-7.4.23+dfsg/debian/boinc-client.init
--- boinc-7.4.23+dfsg/debian/boinc-client.init  2014-10-17 17:10:09.0 
+0200
+++ boinc-7.4.23+dfsg/debian/boinc-client.init  2016-11-08 19:39:13.0 
+0100
@@ -29,6 +29,7 @@
BOINC_DIR=/var/lib/boinc-client
BOINC_CLIENT=/usr/bin/boinc
BOINC_OOM_ADJ=15
+BOINC_OOM_SCORE_ADJ=1000

#VALGRIND_OPTIONS="-v --log-file=/tmp/valgrind_boinc.log "
VALGRIND_OPTIONS=""
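
Review bot: BOINC_OOM_SCORE_ADJ=1000 is added next to BOINC_OOM_ADJ=15 with no comment explaining why the two numbers differ. 1000 is the top of the oom_score_adj range (-1000..1000) and 15 is the top of the legacy oom_adj range (-17..15), so both mean "kill this first"; a one-line comment saying so would stop a later edit from "aligning" them.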
@@ -106,7 +107,7 @@
else
if [ -n "$DISPLAY" -a -x /usr/bin/xhost ]; then
# grant the boinc client to perform GPU computing
-   xhost local:boinc || echo -n "xhost error ignored, GPU computing may 
not be possible"
+   xhost +si:localuser:$BOINC_USER || echo -n "xhost error ignored, GPU 
computing may not be possible"
fi
if [ -n "$VALGRIND_OPTIONS" ]; then
start-stop-daemon --start --quiet --background --pidfile $PIDFILE \
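
Review bot: $BOINC_USER is expanded unquoted in the new xhost argument and nothing in this hunk shows it being set; if it is empty the call becomes "xhost +si:localuser:" and the failure is swallowed by the "|| echo". Quote it as "+si:localuser:$BOINC_USER" and skip the grant when the variable is empty. The error text is also printed with echo -n to stdout, so it runs into the next line of init output; send it to stderr with a trailing newline.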
@@ -206,10 +207,13 @@
fi
fi
for BPID in ${pid} ${children}; do
-  if [ -w /proc/${BPID}/oom_adj ]; then
-echo ${BOINC_OOM_AD} > /proc/${BPID}/oom_adj 2>/dev/null || true
+  # Fallback to old oom_adj if oom_score_adj doesn't exist
+  if [ -w /proc/${BPID}/oom_score_adj ]; then
+echo ${BOINC_OOM_SCORE_ADJ} > /proc/${BPID}/oom_score_adj 2>/dev/null 
|| true
+  elif [ -w /proc/${BPID}/oom_adj ]; then
+echo ${BOINC_OOM_ADJ} > /proc/${BPID}/oom_adj 2>/dev/null || true
else
-echo "Could not write to /proc/${BPID}/oom_adj"
+echo "Could not adjust oom_score of task"
fi
done
fi
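
Review bot: the final else branch now prints "Could not adjust oom_score of task" without the PID, while the message it replaces named /proc/${BPID}/oom_adj; keep ${BPID} in the text so a failure can be tied to a process. Both writes also end in "2>/dev/null || true", so a failed write to oom_score_adj is silent and does not fall back to oom_adj; only a missing or non-writable file reaches the elif branch.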


thanks,

Gianfranco




Bug#843420: nmu: datapacker_1.0.1+nmu2

2016-11-06 Thread Gianfranco Costamagna
control: reassign -1 src:datapacker

>Can't binNMU it as it is uploaded and not installed. This may need a sourceful
>upload (unless there's a way to convince wanna-build to binNMU it anyway,
>possibly with wanna-build rather than the wb tool).


I don't want to lose more of your precious time :)

NMUed.

thanks!

G.



Bug#843420: nmu: datapacker_1.0.1+nmu2

2016-11-06 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal

nmu datapacker_1.0.1+nmu2 . armel . unstable . -m "rebuild to increase the 
version, due to armel haskell stack removal"


as discussed over irc #buildd, that package got removed during haskell armel 
removals
and never entered unstable / testing again on armel.

Please consider a binNMU, even if somebody pointed out that it might be 
problematic because the package is not in the archive
anymore for such arch
(and a gb can't help because jessie has the same version).

I hope I reported this correctly,

thanks

G.



Bug#842699: nmu: lirc reverse-dependencies

2016-10-31 Thread Gianfranco Costamagna
Hi,


>nmu ncmpc_0.24-1 . ANY . unstable . -m "rebuild to get rid of old 
>liblircclient0 transitional dependency"
>nmu squeezelite_1.8-3 . ANY . unstable . -m "rebuild to get rid of old 
>liblircclient0 transitional dependency"


they need an NMU (already in deferred queue), so not needed to binNMU right now


G.



Bug#842699: nmu: lirc reverse-dependencies

2016-10-31 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal
Control: block -1 by 842695
Control: tags -1 moreinfo
nmu audacious-plugins_3.7.2-2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu banshee-community-extensions_2.4.0-4 . ANY . unstable . -m "rebuild to get 
rid of old liblircclient0 transitional dependency"
nmu bino_1.6.3-1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu geeqie_1:1.3-1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu gkrellm-radio_2.0.4-1.1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu gxine_0.5.908-3.1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu kradio4_4.0.8+git20160618-1 . ANY . unstable . -m "rebuild to get rid of 
old liblircclient0 transitional dependency"
nmu lcdproc_0.5.7-7 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu lxmms2_0.1.3-2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu mplayer_2:1.3.0-4 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu ncmpc_0.24-1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu pulseaudio_9.0-4 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu pylirc_0.0.5-3 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu rhythmbox_3.4.1-2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu rosegarden_1:16.06-1 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu squeezelite_1.8-3 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu totem_3.22.0-2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu vlc_2.2.4-7 . ANY . unstable . -m "rebuild to get rid of old liblircclient0 
transitional dependency"
nmu wawtv_3.103-4 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu xine-ui_0.99.9-1.2 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"
nmu zapping_0.10~cvs6-10 . ANY . unstable . -m "rebuild to get rid of old 
liblircclient0 transitional dependency"


let's try to get rid of the transitional library :)

G.



Bug#841203: libfl_pic.a needs more than a binNMU

2016-10-24 Thread Gianfranco Costamagna
Control: reopen -1

> 
> #837658 is different from many other PIE issues:
> 
> This is a _pic.a library that includes the non-PIC objects instead of 
> the PIC objects it should contain.
> 
> A binNMU with -fPIE would not fix the root cause that this library is 
> supposed to contain PIC code.
> 
> See the flex README.Debian for background.

while this might be true, in practice it works.
I did a no change binNMU of flex, and now the reverse dependencies can be built 
correctly.

So, please binNMU and feel free to study flex issue more deeply if you care
(right now there is a libfl.a and libfl_pic.a with the same md5sum, so 
binNMUing it
won't make things worse, but fix at least reverse-dependencies)

thanks

Gianfranco





Bug#841203: nmu: flex_2.6.1-1

2016-10-18 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal

nmu flex_2.6.1-1 . ANY . unstable . -m "rebuild with default fPIC flag  (cfr: 
#837658)"


please add an additional build dependency on gcc6_6.2.0-7 to be sure it picks up
the flags, thanks!

G.



Bug#840927: nmu: llvm-toolchain-3.8_1:3.8.1-12

2016-10-16 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal

nmu llvm-toolchain-3.8_1:3.8.1-12 . mips64el . unstable . -m "rebuild to fix 
wrongly removed binaries (cfr: #839033)"

yes, such packages have been wrongly removed with the llvm-toolchain-snapshot 
decruft.

And now they are preventing 3.8 from migration.
Please binNMU them when you got why they have been removed, or whenever you 
prefer


thanks

Gianfranco



Bug#828097: Possible to keep old tidy?

2016-10-04 Thread Gianfranco Costamagna
Hi,
(not sure why this bug is still open)


>The upgrade of tidy to the newer version breaks what MediaWiki expects
>(see test failures:
>), and updating
>MediaWiki to be compatible with the newer tidy isn't an option either:
>.

>So is it possible to keep the older version of tidy around? Preferably
>also via the php-tidy library, though I'm not sure exactly how that
>integration would work.


I really don't think this is possible.
There can be only one tidy implementation, and we have maintainer choose
the actively maintained one (also Fedora did, and I'm sure other distro too).

Fixing the code with the new library is your best solution.
Or make somebody upload the old tidy with a different library name, and patch
the code to use that one.
(I would oppose such bad way to deal with a library update btw)

G.



Bug#831459: jessie-pu: package virtualbox-guest-additions-iso

2016-09-29 Thread Gianfranco Costamagna
control: tags -1 -moreinfo
> (I'm not removing moreinfo tag)
removing it now.

G.





Bug#831447: firefox-branding-iceweasel 0.4.0 MIGRATED to testing

2016-07-20 Thread Gianfranco Costamagna
Hi,

>(I assume it's not bringing back /etc/iceweasel and /usr/share/iceweasel
>(and probably a bunch of others). For Debian Edu the changed look is not
>so much the problem as are changed paths.)

maybe you can ask as a feature to have symlinks :)
(not sure if it works)

Gianfranco



Bug#831447: firefox-branding-iceweasel 0.4.0 MIGRATED to testing

2016-07-20 Thread Gianfranco Costamagna
Hi Antonio and Holger,


>> And while I applaud and understand why firefox-esr has replaced

>> iceweasel in stable, I was also surprised. And I also saw Debian Edu
>> stable break because of this… and we're still fixing it, waiting for
>> 8.6 to bring these fixes to our users.
>> 
>> (The latter is not related to this bug report except that they are
>> caused by the same change. We are fixing Debian Edu to use firefox-esr.)

is firefox-branding-iceweasel able to mitigate this issue?

>I understand, but we would have to cope with the change at some point,
>unless we were to keep the broken situation forever. Dealing with it now

>is not worse than dealing with it later.

I fully agree, but how does an additional package in the archive, not
automatically installed, hurt your plan?

We already have the package in testing, we can keep it for a couple of
releases and then drop it (on unstable).
I don't see why disrupt our end users life when we can avoid it.

thanks for the input, it was appreciated ;)

Gianfranco



Bug#831447: firefox-branding-iceweasel 0.4.0 MIGRATED to testing

2016-07-20 Thread Gianfranco Costamagna
Hi Adam!




>You're answering a different question, namely "why". I was asking for
>some information / pointers as to how you know they're being confused.
>Presumably there are several mailing list posts, IRC conversations, etc.


I didn't say the original statement, so I leave nord-stream answering here :)

>It's only in proposed-updates because it was in stable-security. This is
>not a change that was made via p-u.


now I see everything differently!

>You've just agreed with me. :-) The log for #815006 includes "I see esr
>is in wheezy-updates and jessie-updates, not backports." which your
>paste has clearly demonstrated is incorrect.


that was a typo, I didn't pay too much attention to that statement while writing
it.

>(It's in security.d.o:wheezy/updates, security.d.o:jessie/updates and as
>a side-effect of the latter also in jessie-proposed-updates. It's in
>neither of wheezy-updates or jessie-updates.)


yep, it is clear now, thanks
>I don't see how it can possibly be off-topic. You're discussing a
>package that's intended to allow users to revert changes made in a
>package that _was released via the security archive_.


it is off-topic, until you say something like "hey, the change was made
by security, and having in p-u is just a side effect, please close this bug
and coordinate with security team"

it is just off-topic because security isn't in cc and involved (yet).
>Sure. As I said, I'm not disagreeing with the concept, just whether p-u
>is the right means of delivering it. (and, no, "the change is in p-u"
>isn't an argument, as above - the change is in security, it just happens

>to be copied to p-u.)

now that this is clear and thanks a lot for that, would you like to close this
one and ask -security team?

thanks for the *helpful* answer,

Gianfranco



Bug#831447: firefox-branding-iceweasel 0.4.0 MIGRATED to testing

2016-07-19 Thread Gianfranco Costamagna
Hi,



>If they're interested, they can follow the bug. They don't all need to 

>be CCed on every message.

Indeed, I follow the bug :)
and I propose to drop the cc in the next message
>Who are these "quite a few users"? Where are they being confused?


because they used to have an iceweasel package, and now they have a firefox 
instead
(different desktop file, different branding)
>> With this in stable, we can say to anyone who wants to keep Iceweasel:
>> "Run this command:
>> sudo apt-get install xul-ext-iceweasel-branding"
>> 
>> Without bothering about backports.
>
>I understand the idea. I'm just not sure why this package is so special 
>that they shouldn't "bother with backports".


the change iceweasel/firefox is in proposed-updates, so I proposed to have
the package in the same suite

>The relevant bits of that bug appear to be confused between the security 
>archive, proposed-updates and stable-updates, which is unfortunate. 
>(e.g. there is no firefox or iceweasel package in jessie-updates, nor 
>has there ever been one.)


I'm not sure I follow here, but I tried to call rmadison on my machine
(I might have given the wrong command, sorry in advance)

son -u debian firefox-esr
firefox-esr | 45.2.0esr-1~deb8u1 | proposed-updates | source, amd64, arm64, 
armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
firefox-esr | 45.2.0esr-1| testing  | source, amd64, arm64, 
armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
firefox-esr | 45.2.0esr-1| unstable | source, amd64, arm64, 
armel, armhf, i386, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, 
ppc64el, s390x


so, my proposal was to upload firefox-branding-iceweasel to proposed-updates

(security is OT here, and I don't want to discuss that suite here)
>I suspect we disagree as to whether this is a "bug" to begin with.
>
>It was an intentional choice on the part of the maintainers and the 
>security team, and was announced in the corresponding DSA. Are there 
>really users who aren't reading DSAs but are happy to install software 
>as root just because you told them to?


there might be users that want their name back, not sure who they are,
I don't want to have to answer here, but I still think giving users the choice
is something sane that might avoid troubles or complaints.

Just my .02$

G.



Bug#831459: jessie-pu: package virtualbox-guest-additions-iso

2016-07-16 Thread Gianfranco Costamagna
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu


Forwarding the email from security team.

the debdiff is the new iso file and a new changelog entry, nothing more.



you can grab the file from here
http://debomatic-amd64.debian.net/distribution#stable/virtualbox-guest-additions-iso/4.3.36-1+deb8u1/buildlog

this is the changelog entry

diff -Nru virtualbox-guest-additions-iso-4.3.18/debian/changelog 
virtualbox-guest-additions-iso-4.3.36/debian/changelog
--- virtualbox-guest-additions-iso-4.3.18/debian/changelog  2015-03-26 
11:39:19.0 +0100
+++ virtualbox-guest-additions-iso-4.3.36/debian/changelog  2016-07-16 
13:19:14.0 +0200
@@ -1,3 +1,14 @@
+virtualbox-guest-additions-iso (4.3.36-1+deb8u1) jessie; urgency=medium
+
+  * New upstream bugfix release.
+- Addressed CVE-2016-0592,
+  CVE-2016-0495, CVE-2015-8104,
+  CVE-2015-7183, CVE-2015-5307,
+  CVE-2015-7183, CVE-2015-4813,
+  CVE-2015-4896, CVE-2015-3456
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Fri, 15 Jul 2016 
18:11:50 +0200
+
virtualbox-guest-additions-iso (4.3.18-3) unstable; urgency=high

* Reuploading the previous package, the -2 got removed because of
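
Review bot: CVE-2015-7183 is listed twice among the addressed CVEs in the new 4.3.36-1+deb8u1 changelog entry; drop the duplicate, or replace it with the id that was meant, so the entry matches what the security tracker will record for this upload.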
Binary files 
/tmp/0fmDQ7p0Ij/virtualbox-guest-additions-iso-4.3.18/VBoxGuestAdditions_4.3.18.iso
 and 
/tmp/BRDWMDWXw8/virtualbox-guest-additions-iso-4.3.36/VBoxGuestAdditions_4.3.18.iso
 differ
Binary files 
/tmp/0fmDQ7p0Ij/virtualbox-guest-additions-iso-4.3.18/VBoxGuestAdditions_4.3.36.iso
 and 
/tmp/BRDWMDWXw8/virtualbox-guest-additions-iso-4.3.36/VBoxGuestAdditions_4.3.36.iso
 differ


cheers,

Gianfranco


On Friday, 15 July 2016 at 20:25, Salvatore Bonaccorso <car...@debian.org> 
wrote:



Hi Gianfranco,


On Fri, Jul 15, 2016 at 04:10:38PM +, Gianfranco Costamagna wrote:
> Hi Security Team, a while ago we got virtualbox updated from 4.3.18
> to 4.3.36 as security > upload.
> 
> This was a complete success, but now we have two "issues" 1) there
> is a mismatch between virtualbox and virtualbox-guest-additions-iso
> packages (this isn't a big issue, since it is just a warning)
> 
> 
> 2) the guest-additions-iso package is an iso file that contains some
> source code (from virtualbox) and builds kernel modules and some
> tools used in the guest machines.
> 
> I don't know, but it might be affected by some/many of the same CVEs
> that we fixed in virtualbox, so I think it is a sane idea to have a
> security upload also for this package.
> 
> What is your opinion?  I can upload a 4.3.36 in a few minutes if
> needed, it is just a matter of packing an iso and creating a
> changelog entry.

The package being non-free in all supported suites is not really
supported via security.d.o. Could you contact the stable release
managers to have an update scheduled via a point release?

Cf.
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Regards,
Salvatore



Bug#650601: libpng Package in experimental

2016-04-06 Thread Gianfranco Costamagna
Hi, I raised the bugs to RC with the upload to unstable (I thought some 
notification did happen since they were blocking this one)
Feel free to drop some lines on debian-devel :)
It is mostly built and installed everywhere 
Cheers,
Gianfranco

On Wed, 6 Apr, 2016 at 20:33, Tobias Frost <t...@debian.org> wrote:
On Wednesday, 06.04.2016, at 15:33 +, Gianfranco Costamagna wrote:
> Hi,
> 
> 
> > Ack. :)
> 
> 
> 
> I don't let you change your mind now :)
> uploaded on debomatic-amd64, and on unstable a few seconds ago.
> 
> lets the *fun* start!
> 
> BTW I added me and Tobias in uploaders list, as per private mail
> exchange with the
> current maintainers.
> 
> thanks!
> 
> Gianfranco
> 

Thanks Gianfranco! 
Yeah, up to mooore fun, *cough*.. 
let's take bets how many packages will make it ;-)

(Next, I'll raise the remaining bugs to RC and post an update to
-devel.)

 ...

-- 
tobi  


Bug#650601: libpng Package in experimental

2016-04-06 Thread Gianfranco Costamagna
Hi,


>Ack. :)



I don't let you change your mind now :)
uploaded on debomatic-amd64, and on unstable a few seconds ago.

let the *fun* start!

BTW I added me and Tobias in uploaders list, as per private mail exchange with
the current maintainers.

thanks!

Gianfranco



Bug#650601: R: Bug#650601: libpng Package in experimental

2016-04-03 Thread Gianfranco Costamagna
Ho dear Tobias and Emilio
 
> Regarding libpng-config, I do not have a complete list, but during the
> rebuilds I made a list of affected packages, but I faintly remember
> that there were at one-two others.
> They were leaf packages though, so no need
> Also, I'm prepared to dedicate any free time to fix breakages during
> the transition..

I merged libpng-config back in the -dev package, so no issue here for now.

Today I think three transitions ended, I hope to see a possible slot soon, also 
Mattia is proposing to help here :)

Cheers,

Gianfranco



Bug#650601: libpng Package in experimental

2016-04-03 Thread Gianfranco Costamagna
Hi,

> rename libpng16-tools to libpng-tools,
> merge libpng16-devtools with libpng-dev.
> 
> If and when people will want to have a multiarch development package, we will
> split, patch and start a new transition against ~50 packages not against ~500.
> 
> We are almost ready, there is no need to overcomplicate stuff here.
> 
> So, I put my proposed package (debdiff attached) in deferred/5.
> 

because of the experimental breakage I speeded up the deferred, and with an 
ftpmaster *really fast* accept we are
now in place and ready for the transition.

I think we are ready for the ack.

thanks,

Gianfranco





Bug#650601: libpng Package in experimental

2016-03-31 Thread Gianfranco Costamagna
An alternative is to have a multiarch library, and a non-multiarch development 
package with the config script.

to me it makes no real sense to split the config file into a separate package,
especially because
1) it is in the same dev package on other linux distros
2) it was in the same dev package on libpng12
3) it serves the same purpose.

people expect to be able to build stuff depending on png without having to
know that there is something else other than a libpng-dev package.

It makes little sense to me.
So, my todo is:


rename libpng16-tools to libpng-tools,
merge libpng16-devtools with libpng-dev.

If and when people will want to have a multiarch development package, we will
split, patch and start a new transition against ~50 packages not against ~500.

We are almost ready, there is no need to overcomplicate stuff here.

So, I put my proposed package (debdiff attached) in deferred/5.

Note: it will require a new trip in new queue.
This way we should avoid issues with the current status quo of the rebuild
testing.

I hope to have found a better solution wrt this transition.

thanks,

Gianfranco


debdiff.filtered
Description: Binary data


Bug#650601: libpng Package in experimental

2016-03-31 Thread Gianfranco Costamagna
Hi,

>(that package has a script libpng-config in usr/bin that contains arch-dep 
>information)
>e.g.
>
>"libdir="${prefix}/lib/x86_64-linux-gnu""
We shouldn't remove that file, I see it is used widely also by other distros.

Instead, we can patch packages failing in configure script and add the required 
dependency.

If you have a list we can do an MBF, or fix them with NMUs when the binNMUs 
will fail.

https://codesearch.debian.net/perpackage-results/libpng-config/2/page_0

I see 47 packages that might be problematic, even if I'm sure the real number
will be much lower.
(many of them have fallbacks in case that file is not available).

Anyway, 47 NMUs with an added dependency are somewhat a good number for me.

BTW @all

I uploaded in deferred/3 libpng 1.6.2, having a small delta but one nice bugfix
and I think a CVE fixed.

It should be safe to upload straight away.

Gianfranco


