Bug#1057175: transition: libsfml
Package: release.debian.org
Control: affects -1 + src:libsfml
X-Debbugs-Cc: libs...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: transition
Severity: normal

Hi,

libsfml needs a transition due to an ABI bump from 2.5 to 2.6. It's currently in experimental and built everywhere except mips64el where it's waiting to be built.

The rdeps are:
casparcg-server (in contrib)
dolphin-emu
extremetuxracer
libcsfml
marsshooter
python-sfml
seriousproton

I did a test rebuild against 2.6 and everything builds on amd64 except for seriousproton which already FTBFS for other reasons and is not in testing.

The auto-libsfml tracker looks correct to me.

Thanks,
James

Ben file:

title = "libsfml";
is_affected = .depends ~ "libsfml-audio2.5" | .depends ~ "libsfml-graphics2.5" | .depends ~ "libsfml-network2.5" | .depends ~ "libsfml-system2.5" | .depends ~ "libsfml-window2.5" | .depends ~ "libsfml-audio2.6" | .depends ~ "libsfml-graphics2.6" | .depends ~ "libsfml-network2.6" | .depends ~ "libsfml-system2.6" | .depends ~ "libsfml-window2.6";
is_good = .depends ~ "libsfml-audio2.6" | .depends ~ "libsfml-graphics2.6" | .depends ~ "libsfml-network2.6" | .depends ~ "libsfml-system2.6" | .depends ~ "libsfml-window2.6";
is_bad = .depends ~ "libsfml-audio2.5" | .depends ~ "libsfml-graphics2.5" | .depends ~ "libsfml-network2.5" | .depends ~ "libsfml-system2.5" | .depends ~ "libsfml-window2.5";
Bug#884635: transition: libupnp
Hi,

On 05/11/2018 17:28, Uwe Kleine-König wrote:
> Hello Emilio,
>
> [adding jcowgill to recipients]
>
> On 11/05/2018 04:37 PM, Emilio Pozuelo Monfort wrote:
>> Please get this started, and bump the bug severities to serious.
>
> I never did a transition before, so I'm not entirely clear what should
> happen now.
>
> The following steps should be done:
>
> a) upload pupnp-1.8 providing libupnp-dev to unstable
> b) rebuild reverse dependencies of libupnp-dev
> c) remove src:libupnp from unstable
> d) remove src:libupnp from testing
> e) remove the binary packages of src:libupnp from unstable
> f) remove the binary packages of src:libupnp from testing
> g) for b in 884243 884996 912066 885025; do bts severity $b serious;done
> h) remove djmount and linux-igd from unstable and testing
> i) apply patch from 884996 to amule and upload to unstable

Yeah we can start this transition now that 1.8.4 was released (which resolved the ABI related issues). I'll upload it soon.

The order is this:

a) I upload pupnp-1.8 (which "hijacks" libupnp-dev from src:libupnp)
g) Update bug severities
b) binNMU all rdeps of libupnp-dev
[time passes]
i) NMU amule / any other package if not fixed soon
[time passes - eventually all broken rdeps are autoremoved from testing]
d and f) Happen automatically at this point
[transition complete (with respect to testing)]
h) File requests to remove remaining packages
c and e) File request to remove src:libupnp

James
Bug#910271: transition: mbedtls
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

mbedTLS needs a transition because upstream bumped the SONAME of libmbedtls in 2.13 due to some symbol changes. I have also changed the SONAME of libmbedcrypto to realign it with upstream. Previously upstream had bumped the SONAME for no reason, so I reverted that change. Since we now need a transition anyway, it seems sensible to me to use upstream's SONAME again.

The auto-mbedtls transition tracker looks correct.

These packages need binNMUing:
bctoolbox
bibledit
charybdis
dislocker
dolphin-emu
gatling
julia
libgit2
lief
mongrel2
ncbi-blast+
ncbi-vdb
neko
shadowsocks-libev
sra-sdk

All the packages build fine in a test rebuild except for dolphin-emu which FTBFS for unrelated reasons which I will fix soon (#910268).

sra-sdk is waiting on this ftpmaster removal bug before it can migrate to testing: #907266

Thanks,
James

Ben file:

title = "mbedtls";
is_affected = .depends ~ "libmbedcrypto1" | .depends ~ "libmbedtls10" | .depends ~ "libmbedcrypto3" | .depends ~ "libmbedtls12";
is_good = .depends ~ "libmbedcrypto3" | .depends ~ "libmbedtls12";
is_bad = .depends ~ "libmbedcrypto1" | .depends ~ "libmbedtls10";

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#893749: stretch-pu: package easytag/2.4.3-1+deb9u1
Control: tags -1 - moreinfo

Hi,

Sorry for the delay. I completely forgot about this bug!

I've attached v2 of the patch to fix #855251. After submitting the original stretch-pu bug, I discovered (after someone mentioned this on the upstream bug report) the root cause and reverted the relevant upstream commit. This fix has been in unstable since 2.4.3-4 (about 7 months) without any issues. I've done some brief testing in a stretch build and it seems to work fine there as well.

Thanks,
James

diff -Nru easytag-2.4.3/debian/changelog easytag-2.4.3/debian/changelog --- easytag-2.4.3/debian/changelog 2016-12-05 23:46:24.0 + +++ easytag-2.4.3/debian/changelog 2018-09-24 18:31:35.0 +0100 @@ -1,3 +1,11 @@ +easytag (2.4.3-1+deb9u1) stretch; urgency=medium + + * debian/patches: +- Add patch to revert upstream commit which causes OGG corruption. + (Closes: #855251) + + -- James Cowgill Mon, 24 Sep 2018 18:31:35 +0100 + easytag (2.4.3-1) unstable; urgency=medium * New upstream release. diff -Nru easytag-2.4.3/debian/gbp.conf easytag-2.4.3/debian/gbp.conf --- easytag-2.4.3/debian/gbp.conf 2016-12-05 20:47:35.0 + +++ easytag-2.4.3/debian/gbp.conf 2018-09-24 18:31:35.0 +0100 @@ -1,3 +1,4 @@ [DEFAULT] pristine-tar = True compression = xz +debian-branch = debian/stretch diff -Nru easytag-2.4.3/debian/patches/02_fix-ogg-corruption.patch easytag-2.4.3/debian/patches/02_fix-ogg-corruption.patch --- easytag-2.4.3/debian/patches/02_fix-ogg-corruption.patch1970-01-01 01:00:00.0 +0100 +++ easytag-2.4.3/debian/patches/02_fix-ogg-corruption.patch2018-09-24 18:31:35.0 +0100
@@ -0,0 +1,241 @@ +Description: Revert upstream commit which causes OGG file corruption + Revert "Do not maintain an open handle on Ogg files" + This reverts commit e5c640ca3f259f1b74e716723345521987a7bd68. +Author: James Cowgill +Author: David King +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=776110 +Bug-Debian: https://bugs.debian.org/855251 +Bug-Debian: https://bugs.debian.org/886272 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/tags/vcedit.c b/src/tags/vcedit.c +@@ -35,6 +35,7 @@ + struct _EtOggState + { + /*< private >*/ ++GFileInputStream *in; + #ifdef ENABLE_SPEEX + SpeexHeader *si; + #endif +@@ -125,6 +126,11 @@ vcedit_clear_internals (EtOggState *stat + } + #endif /* ENABLE_OPUS */ + ++if (state->in) ++{ ++g_object_unref (state->in); ++} ++ + memset (state, 0, sizeof (*state)); + } + +@@ -239,7 +245,6 @@ _blocksize (EtOggState *s, + + static gboolean + _fetch_next_packet (EtOggState *s, +-GInputStream *istream, + ogg_packet *p, + ogg_page *page, + GError **error) +@@ -269,8 +274,8 @@ _fetch_next_packet (EtOggState *s, + while (ogg_sync_pageout (s->oy, page) <= 0) + { + buffer = ogg_sync_buffer (s->oy, CHUNKSIZE); +-bytes = g_input_stream_read (istream, buffer, CHUNKSIZE, NULL, +- error); ++bytes = g_input_stream_read (G_INPUT_STREAM (s->in), buffer, ++ CHUNKSIZE, NULL, error); + ogg_sync_wrote (s->oy, bytes); + + if(bytes == 0) +@@ -303,7 +308,7 @@ _fetch_next_packet (EtOggState *s, + + g_assert (error == NULL || *error == NULL); + ogg_stream_pagein (s->os, page); +-return _fetch_next_packet (s, istream, p, page, error); ++return _fetch_next_packet (s, p, page, error); + } + } + +@@ -402,13 +407,14 @@ vcedit_open (EtOggState *state, + return FALSE; + } + ++state->in = istream; + state->oy = g_slice_new (ogg_sync_state); + ogg_sync_init (state->oy); + + while(1) + { + buffer = ogg_sync_buffer (state->oy, CHUNKSIZE); +-bytes = g_input_stream_read (G_INPUT_STREAM (istream), buffer, ++bytes = g_input_stream_read 
(G_INPUT_STREAM (state->in), buffer, + CHUNKSIZE, NULL, error); + if (bytes == -1) + { +@@ -648,7 +654,7 @@ vcedit_open (EtOggState *state, + } + + buffer = ogg_sync_buffer (state->oy, CHUNKSIZE); +-bytes = g_input_stream_read (G_INPUT_STREAM (istream), buffer, ++bytes = g_input_stream_read (G_INPUT_STREAM (state->in), buffer, + CHUNKSIZE, NULL, error); + + if (bytes == -1) +@@ -670,14 +676,11 @@ vcedit_open (EtOggState *state, + + /* Headers are done! */ + g_assert (error == NULL || *error == NULL); +-/* TODO: Handle error during stream close. */ +-g_object_unref (istream); + + return TRUE; + + err: + g_assert (error == NULL || *error != NULL); +-g_object_unref (istream); + vcedit_clear
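Review bot: in the vcedit_open hunk, ownership of istream now passes to the state only at `state->in = istream;`, which sits after an earlier `return FALSE;` in the same hunk, while the two `g_object_unref (istream);` calls at the end of the function and under `err:` are removed in favour of vcedit_clear_internals() releasing state->in. Confirm that the early-return path before the assignment still releases istream itself, or move the assignment above it; otherwise that path leaks the stream the revert deliberately keeps open for the lifetime of the state. Minor: `if (state->in) { g_object_unref (state->in); }` in vcedit_clear_internals can be written as `g_clear_object (&state->in);`.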
Bug#898918: transition: libsfml
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

libsfml 2.5 has bumped its SONAME and therefore needs a transition. The package is in experimental and has not yet failed on any release architecture (with mips64el and mipsel left to be built).

These packages will need binNMUs. They all build successfully.
dolphin-emu
extremetuxracer
marsshooter
python-sfml

The only other package is libcsfml but that will need a source upload due to #898913. I maintain this package and the fix is already submitted upstream. It is possible to fix this to work with both 2.4 and 2.5, but I would rather use the "modern" CMake config files to fix it which are only available in libsfml 2.5, so I would like to upload this package after the transition has started (with a strict build dependency).

The "auto-libsfml" transition in the transition tracker looks correct.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#896893: transition: ffmpeg
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

FFmpeg 4.0 is the new major release of FFmpeg and as such upstream has bumped the SONAMEs of all libraries so there needs to be a transition. The new package is in experimental. It currently has a few issues, but I think all except one autopkgtest failure are fixed in git. I'll upload a new version once that is fixed.

I performed a rebuild of all rdeps with a pre-release version of FFmpeg three months ago and have just done another rebuild. I have filed the bugs here (and will add them as blocking bugs of this bug):
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=ffmpeg-4.0-transition;users=debian-multime...@lists.debian.org

At the time of writing, there are 54 open bugs where packages FTBFS with the new version. We could delay the transition a bit to reduce the number of bugs before it starts, but given that it's been three months since most were filed, I'm not sure how much that would help. Fixing all of them myself sounds like a lot of work :)

The list of packages on the transition page looks about right.

Thanks,
James

Ben file:

title = "ffmpeg";
is_affected = .depends ~ "libavcodec57" | .depends ~ "libavcodec-extra57" | .depends ~ "libavfilter6" | .depends ~ "libavfilter-extra6" | .depends ~ "libavformat57" | .depends ~ "libavresample3" | .depends ~ "libavutil55" | .depends ~ "libpostproc54" | .depends ~ "libswresample2" | .depends ~ "libswscale4" | .depends ~ "libavcodec58" | .depends ~ "libavcodec-extra58" | .depends ~ "libavfilter7" | .depends ~ "libavfilter-extra7" | .depends ~ "libavformat58" | .depends ~ "libavresample4" | .depends ~ "libavutil56" | .depends ~ "libpostproc55" | .depends ~ "libswresample3" | .depends ~ "libswscale5";
is_good = .depends ~ "libavcodec58" | .depends ~ "libavcodec-extra58" | .depends ~ "libavfilter7" | .depends ~ "libavfilter-extra7" | .depends ~ "libavformat58" | .depends ~ "libavresample4" | .depends ~ "libavutil56" | .depends ~ "libpostproc55" | .depends ~ "libswresample3" | .depends ~ "libswscale5";
is_bad = .depends ~ "libavcodec57" | .depends ~ "libavcodec-extra57" | .depends ~ "libavfilter6" | .depends ~ "libavfilter-extra6" | .depends ~ "libavformat57" | .depends ~ "libavresample3" | .depends ~ "libavutil55" | .depends ~ "libpostproc54" | .depends ~ "libswresample2" | .depends ~ "libswscale4";

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#895537: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u3
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hi,

This fixes CVE-2018-10017 which is a security bug tagged as "no-DSA" by the security team. The fix is quite simple and looks correct to me. I've done some testing to make sure things still work after this update.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog libopenmpt-0.2.7386~beta20.3/debian/changelog --- libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-07-15 18:33:57.0 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/changelog 2018-04-12 10:14:53.0 +0100 @@ -1,3 +1,10 @@ +libopenmpt (0.2.7386~beta20.3-3+deb9u3) stretch; urgency=medium + + * Add patch to fix CVE-2018-10017 (Closes: #895406). +- up11: Out-of-bounds read loading IT / MO3 files with many pattern loops. + + -- James Cowgill <jcowg...@debian.org> Thu, 12 Apr 2018 10:14:53 +0100 + libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium * Add security patches (Closes: #867579). diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series libopenmpt-0.2.7386~beta20.3/debian/patches/series --- libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-07-15 16:49:37.0 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/series 2018-04-12 10:13:10.0 +0100
@@ -6,3 +6,4 @@ up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch up8-out-of-bounds-read-plm.patch up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch +up11-out-of-bounds-read-it-itp-mo3.patch diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch --- libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch 1970-01-01 01:00:00.0 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch 2018-04-12 10:14:53.0 +0100 @@ -0,0 +1,20 @@ +Description: Fix CVE-2018-10017 + See https://lib.openmpt.org/libopenmpt/2018/04/08/security-updates-0.3.8-0.2-beta31-0.2.7561-beta20.5-p8-0.2.7386-beta20.3-p11/ + Fix possible out-of-bounds memory read with IT and MO3 files containing many + nested pattern loops. +Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision=10042 +Bug-Debian: https://bugs.debian.org/895406 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/soundlib/Snd_fx.cpp b/soundlib/Snd_fx.cpp +@@ -1042,7 +1042,8 @@ std::vector CSoundFile::G + if(GetType() == MOD_TYPE_IT) + { + // IT pattern loop start row update - at the end of a pattern loop, set pattern loop start to next row (for upcoming pattern loops with missing SB0) +- for(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++) ++ pChn = memory.state.Chn; ++ for(CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++, pChn++) + { + if((pChn->rowCommand.command == CMD_S3MCMDEX && pChn->rowCommand.param >= 0xB1 && pChn->rowCommand.param <= 0xBF)) + { signature.asc Description: OpenPGP digital signature
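Review bot: the code change reads correctly: in the IT pattern-loop block, `pChn` was never reset or advanced inside the `for (CHANNELINDEX nChn = 0; nChn < GetNumChannels(); nChn++)` loop, so every iteration dereferenced whatever the pointer had last been left at instead of channel nChn, which is the out-of-bounds read behind CVE-2018-10017; `pChn = memory.state.Chn;` followed by `nChn++, pChn++` keeps the pointer in step with the index and bounded by GetNumChannels(). Two header nits: the Origin URL `https://source.openmpt.org/browse/openmpt?op=revision=10042` has two `=` in one query parameter and looks mangled, so check that it resolves; and the Description speaks of IT and MO3 files while the filename also says ITP, so align one with the other.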
Bug#893749: stretch-pu: package easytag/2.4.3-1+deb9u1
Control: tags -1 moreinfo

Hi,

On 22/03/18 00:05, James Cowgill wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
>
> The purpose of this update to easytag is to fix #855251 where easytag
> will sometimes corrupt ogg (and related) files it tags. The corruption
> causes some of the music data to be overwritten near the start of the
> file. This causes an audible click and various tools print errors about
> trying to play a corrupt file. The upstream bug has now been open since
> late 2016, is apparently very difficult to fix (lots of code to be
> written) and there is no fix in progress which I can see.

A potential workaround for this has appeared which could mean we don't have to disable OGG. Please ignore this bug until I've looked into it a bit more.

Thanks,
James
Bug#893749: stretch-pu: package easytag/2.4.3-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The purpose of this update to easytag is to fix #855251 where easytag will sometimes corrupt ogg (and related) files it tags. The corruption causes some of the music data to be overwritten near the start of the file. This causes an audible click and various tools print errors about trying to play a corrupt file. The upstream bug has now been open since late 2016, is apparently very difficult to fix (lots of code to be written) and there is no fix in progress which I can see.

Due to this, I have completely disabled ogg support in unstable and I think doing the same in stable is the best course of action to prevent people from corrupting their music collection.

Debdiff attached. It also contains a related change to the control file. I thought about adding a NEWS entry but I wasn't sure (I did not add one for unstable).

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mipsel

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru easytag-2.4.3/debian/changelog easytag-2.4.3/debian/changelog --- easytag-2.4.3/debian/changelog 2016-12-05 23:46:24.0 + +++ easytag-2.4.3/debian/changelog 2018-03-08 22:20:29.0 +
@@ -1,3 +1,13 @@ +easytag (2.4.3-1+deb9u1) stretch; urgency=medium + + [ James Cowgill ] + * Disable OGG, OPUS and Speex. (Closes: #855251) + + [ Bruno Kleinert ] + * Do not mention OGG support in package description. (Closes: #886369) + + -- James Cowgill <jcowg...@debian.org> Thu, 08 Mar 2018 22:20:29 + + easytag (2.4.3-1) unstable; urgency=medium * New upstream release. diff -Nru easytag-2.4.3/debian/control easytag-2.4.3/debian/control --- easytag-2.4.3/debian/control2016-12-05 20:47:35.0 + +++ easytag-2.4.3/debian/control2018-03-08 22:18:48.0 + @@ -50,9 +50,8 @@ . Currently EasyTAG supports the following: - View, edit, write tags of MP3, MP2 files (ID3 tag), FLAC files (FLAC Vorbis -tag), Ogg Opus, Ogg Speex and Ogg Vorbis files (Ogg Vorbis tag), -MP4/M4A/AAC files (MPEG-4 Part 10 tag), and MusePack, Monkey's Audio files -(APE tag); +tag), MP4/M4A/AAC files (MPEG-4 Part 10 tag), and MusePack, Monkey's Audio +files (APE tag); - Auto tagging: parse file and directory names using masks to automatically fill in tag fields; - Cover art support for all formats; @@ -72,6 +71,10 @@ - A playlist generator window; - A file searching window; - Simple and explicit interface. + . + OGG support is currently disabled in this package because of a data corruption + bug. To edit tags in OGG files you may consider one of these packages: exfalso, + puddletag, kid3-qt, entagged. Package: easytag-nautilus Architecture: any diff -Nru easytag-2.4.3/debian/gbp.conf easytag-2.4.3/debian/gbp.conf --- easytag-2.4.3/debian/gbp.conf 2016-12-05 20:47:35.0 + +++ easytag-2.4.3/debian/gbp.conf 2018-03-08 22:17:33.0 + @@ -1,3 +1,4 @@ [DEFAULT] pristine-tar = True compression = xz +debian-branch = debian/stretch diff -Nru easytag-2.4.3/debian/rules easytag-2.4.3/debian/rules --- easytag-2.4.3/debian/rules 2016-12-05 20:47:35.0 + +++ easytag-2.4.3/debian/rules 2018-03-08 22:18:29.0 + 
@@ -10,7 +10,9 @@ dh_autoreconf --as-needed override_dh_auto_configure: - dh_auto_configure -- --disable-silent-rules --disable-Werror + # OGG, OPUS and Speex disabled due to #855251 + dh_auto_configure -- --disable-silent-rules --disable-Werror \ + --disable-ogg --disable-opus --disable-speex override_dh_installdocs: dh_installdocs --link-doc=easytag signature.asc Description: OpenPGP digital signature
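Review bot: the debian/control hunk only tells users that "OGG support is currently disabled", but the debian/rules hunk passes `--disable-ogg --disable-opus --disable-speex` and the changelog entry says "Disable OGG, OPUS and Speex", and the feature line removed from the description covered Ogg Opus and Ogg Speex as well as Ogg Vorbis. State in the description note that Opus and Speex tagging is disabled too, so that users of .opus and .spx files are not surprised when those files are no longer editable.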
Bug#892703: nmu: lots of libraries on mips + mipsel for fpxx
Hi,

On 15/03/18 10:27, Emilio Pozuelo Monfort wrote:
> All the rest scheduled now, with slightly decreased build priority so it
> doesn't stall the rest of the packages for a couple of days. The build
> queue is practically empty anyway so these should build rather quickly.

Thanks!

> BTW you guys requested this during the stretch cycle in #825342, but in
> the end closed it as not needed.

On Tue, 26 Jul 2016 12:39:11 +0800 YunQiang Su wrote:
> Yes. It is a problem. It is due to my script detect some wrong files.
>
> While it seems that FPXX doesn't really stop our process to MIPS32r2,
> as we have some more Octeon machines.
>
> So this is out release goal, while not need binNMU now.

*sigh* It should not have been closed then. I guess I wasn't aware of the bug or must have missed it.

One of the advantages in FPXX was to help workaround some Loongson quirks and these were needed much less after we increased the number of Octeon buildds. However the original reason FPXX was created in the first place was for MSA where we still needed the binNMUs.

James
Bug#892703: nmu: lots of libraries on mips + mipsel for fpxx
Hi,

On 12/03/18 11:50, James Cowgill wrote:
> Control: retitle -1 nmu: lots of libraries on mips + mipsel for fpxx
>
> [+ CC debian-mips]
>
> Hi,
>
> On Mon, 12 Mar 2018 12:15:38 +0800 YunQiang Su <wzss...@gmail.com> wrote:
>> Package: release.debian.org
>> User: release.debian@packages.debian.org
>> Usertags: binnmu
>> Severity: normal
>>
>> For mips and mipsel, we are working on FPXX migration, and this package
>> seems quite old,
>> So the rebuilding is needed to use the current default gcc options.
>
> Background: FPXX was enabled in Debian in gcc-5 in the middle of 2015.
> FPXX needs to be enabled in all libraries loaded into the same address
> space to be able to use the alternative FR1 mode on 32-bit MIPS which is
> required to use MSA. Now some people have complained that MSA does not
> work in some complex packages because they depend on libraries without
> FPXX enabled.
>
> I scanned the archive for libraries built without FPXX and were last
> built over 2 years ago. I generated the following list of 201 packages
> which would be useful to binNMU on mips and mipsel. Does this seem
> reasonable?

I have binNMUed these 4 packages which I have seen complaints about. The rest of the packages should still be done but are not as important.

ALREADY DONE
==
nmu uriparser_0.8.4-1 . mips mipsel . -m 'Rebuild with FPXX ABI'
nmu libglu_9.0.0-2.1 . mips mipsel . -m 'Rebuild with FPXX ABI'
nmu libxt_1:1.1.5-1 . mips mipsel . -m 'Rebuild with FPXX ABI'
nmu libxmu_2:1.1.2-2 . mips mipsel . -m 'Rebuild with FPXX ABI'
==

Thanks.
James
Bug#892703: nmu: lots of libraries on mips + mipsel for fpxx
Control: retitle -1 nmu: lots of libraries on mips + mipsel for fpxx

[+ CC debian-mips]

Hi,

On Mon, 12 Mar 2018 12:15:38 +0800 YunQiang Su wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: binnmu
> Severity: normal
>
> For mips and mipsel, we are working on FPXX migration, and this package
> seems quite old,
> So the rebuilding is needed to use the current default gcc options.

Background: FPXX was enabled in Debian in gcc-5 in the middle of 2015. FPXX needs to be enabled in all libraries loaded into the same address space to be able to use the alternative FR1 mode on 32-bit MIPS which is required to use MSA. Now some people have complained that MSA does not work in some complex packages because they depend on libraries without FPXX enabled.

I scanned the archive for libraries built without FPXX and were last built over 2 years ago. I generated the following list of 201 packages which would be useful to binNMU on mips and mipsel. Does this seem reasonable?

Thanks,
James

actor-framework apache-mod-auth-ntlm-winbind apache-upload-progress-module apache2-mod-xforward attica avw.lv2 bambamc biblesync blepvco bochs buddy chise-base cl-uffi clalsadrv coinor-flopc++ coolkey cowbell cunit cxxtools dleyna-connector-dbus dnscrypt-proxy egenix-mx-base evince-hwp fdsend flatzebra flowcanvas flxmlrpc gadfly gdome2 giggle gkrellm2-cpufreq gkrelltop gnome-keyring-sharp gnome-sharp2 goocanvas gst-fluendo-mp3 gtk-nodoka-engine gtkgl2 guifications gumbo-parser hyperic-sigar ido inotifyx juman kaa-base kaa-imlib2 kaa-metadata keybinder kytea lam libapache-mod-auth-radius libapache-mod-evasive libapache2-mod-authnz-external libapache2-mod-fcgid libapache2-mod-ldap-userdir libasr libbase58 libcdaudio libcddb libchardet libcli libcommoncpp2 libcoverart libdispatch libdjconsole libdockapp libg15render libglademm2.4 libglu libgnomecanvasmm2.6 libgooglepinyin libgrss libhbaapi libhbalinux libidl libinklevel libkaz liblastfm liblbfgs liblip libmimic libnetfilter-queue libnss-pgsql libnzb libpcre++ libpqtypes libpthread-workqueue libpulse-java librcc libserial libsignon-glib libsnl libtpl libtrace3 libunibreak libusb-java libusbtc08 libverto libview libvistaio libxdg-basedir libxkbfile libxmu libxsettings libxt libydpdict lua-wsapi memchan mlpy mmpong moblin-gtk-engine mod-authz-securepass mod-mime-xattr mod-mono mod-proxy-msrpc mod-vhost-ldap mono-fuse moonshot-trust-router muparser notify-python npapi-vlc ntrack ois olsrd openvpn-auth-radius pam-dbus pam-pgsql pcapy pidgin-latex plasma-widget-yawp proxychains pyalsaaudio pyao pybluez pychm pyfribidi pygpiv pygts pylibssh2 pymc pymca pymilter pymtbl pynifti pyogg pythia8 python-adns python-biggles python-cjson python-clamav python-geohash python-lzma python-omniorb python-osd python-pysqlite1.1 python-pysqlite2 python-pytc python-sqlite pyvorbis pyxmpp quixote quixote1 rabbyt rainbow readline5 rfoo rlog roboptim-core safe-iop scgi scim-m17n scim-pinyin scim-skk scim-unikey sciscipy sfarklib
shhopt sigx smart snack sonata spice-xpi synopsis tclex thunar-media-tags-plugin thunar-vcs-plugin ucimf-sunpinyin uriparser usbtc08-python wnn6-sdk xbae xfce4-cpugraph-plugin xfce4-power-manager xfce4-quicklauncher-plugin xfce4-sensors-plugin xfce4-systemload-plugin xmpi xpyb yaml-cpp0.3 yorick-curses yum-metadata-parser
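The background paragraph above states the rule that matters for MSA: the FR1 register mode can only be used when every object mapped into a process allows it, so one non-FPXX library pins the whole process to FR0. The following is an added example, not code from the bug report or from any Debian or binutils tool: a small Python checker that reads the .MIPS.abiflags section of an ELF32 object (the section gcc-5 and later emit, which `readelf -A` prints as "FP ABI"), intersects the FR modes each object permits, and lists the libraries that were not built as FPXX, which is the binNMU candidate list this bug asks for. The ELF images it runs on are constructed by `build_fake_elf` so the example works without a MIPS toolchain; the FP ABI numbering (0 any, 1 double, 5 xx, 6 64, 7 64a) and the 24-byte structure layout follow binutils' elf/mips.h, and the mode table is a deliberate simplification that leaves out FRE compatibility mode.

```python
import struct
from typing import Dict, FrozenSet, Iterable, List

SHT_MIPS_ABIFLAGS = 0x7000002A   # section type of .MIPS.abiflags
ABIFLAGS_FMT = "H6BIIII"         # Elf_Mips_ABIFlags_v0: 24 bytes
ABIFLAGS_FIELDS = ("version", "isa_level", "isa_rev", "gpr_size", "cpr1_size",
                   "cpr2_size", "fp_abi", "isa_ext", "ases", "flags1", "flags2")
FP_ABI_NAMES = {0: "any", 1: "double", 2: "single", 3: "soft", 4: "old64",
                5: "xx", 6: "64", 7: "64a"}
FP_XX = 5

# FR modes each hard-float o32 FP ABI can run in. Assumption/simplification:
# FRE compatibility mode, which lets FP64A code coexist with FP_DOUBLE code on
# newer cores, is not modelled; soft/single/old64 objects are rejected outright.
FP_ABI_MODES: Dict[int, FrozenSet[str]] = {
    0: frozenset({"FR0", "FR1"}),   # no FP ABI requirement
    1: frozenset({"FR0"}),          # classic o32 double: FR=0 only
    5: frozenset({"FR0", "FR1"}),   # FPXX: runs in either mode
    6: frozenset({"FR1"}),          # FP64: FR=1 only
    7: frozenset({"FR1"}),          # FP64A: FR=1 (FRE not modelled)
}


def read_abiflags_section(elf: bytes) -> bytes:
    """Return the raw .MIPS.abiflags bytes of an ELF32 image, found by section type."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not an ELF32 image")
    e = ">" if elf[5] == 2 else "<"            # EI_DATA: 2 = big endian
    (e_shoff,) = struct.unpack_from(e + "I", elf, 0x20)
    e_shentsize, e_shnum = struct.unpack_from(e + "HH", elf, 0x2E)
    for i in range(e_shnum):
        # Elf32_Shdr prefix: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        _, sh_type, _, _, sh_offset, sh_size = struct.unpack_from(
            e + "6I", elf, e_shoff + i * e_shentsize)
        if sh_type == SHT_MIPS_ABIFLAGS:
            return elf[sh_offset:sh_offset + sh_size]
    raise ValueError("no .MIPS.abiflags section (pre-FPXX toolchain or not MIPS)")


def parse_abiflags(elf: bytes) -> Dict[str, int]:
    """Decode the abiflags structure of an ELF32 image into named fields."""
    e = ">" if elf[5] == 2 else "<"
    values = struct.unpack_from(e + ABIFLAGS_FMT, read_abiflags_section(elf))
    return dict(zip(ABIFLAGS_FIELDS, values))


def usable_fp_modes(images: Iterable[bytes]) -> FrozenSet[str]:
    """Intersect the FR modes allowed by every object sharing one address space."""
    modes = frozenset({"FR0", "FR1"})
    for img in images:
        fp_abi = parse_abiflags(img)["fp_abi"]
        if fp_abi not in FP_ABI_MODES:
            raise ValueError(f"FP ABI {FP_ABI_NAMES.get(fp_abi, fp_abi)!r} is outside this model")
        modes &= FP_ABI_MODES[fp_abi]
    return modes


def non_fpxx(libraries: Dict[str, bytes]) -> List[str]:
    """Names of libraries not built as FPXX: the binNMU candidates."""
    return sorted(name for name, img in libraries.items()
                  if parse_abiflags(img)["fp_abi"] != FP_XX)


def build_fake_elf(fp_abi: int, big_endian: bool = False) -> bytes:
    """Constructed test input: a 52-byte ELF32 header, the 24-byte abiflags blob
    and one section header pointing at it. Not loadable; it only exercises the
    parser above. isa_level/isa_rev 32/2 stand for MIPS32r2."""
    e = ">" if big_endian else "<"
    flags = struct.pack(e + ABIFLAGS_FMT, 0, 32, 2, 1, 1, 0, fp_abi, 0, 0, 0, 0)
    shoff = 52 + len(flags)
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + bytes(9)
    # e_type=ET_DYN(3), e_machine=EM_MIPS(8), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack(e + "HHIIIIIHHHHHH",
                                 3, 8, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 1, 0)
    shdr = struct.pack(e + "10I", 0, SHT_MIPS_ABIFLAGS, 0, 0, 52, len(flags), 0, 0, 8, 0)
    return header + flags + shdr


if __name__ == "__main__":
    # Constructed process: an FPXX executable linked against one FP_DOUBLE library.
    libs = {"app": build_fake_elf(FP_XX), "libold": build_fake_elf(1)}
    print("usable FR modes:", sorted(usable_fp_modes(libs.values())))
    print("rebuild with FPXX:", non_fpxx(libs))
```

Running the stand-alone demo prints that only FR0 is usable and that `libold` needs rebuilding: exactly the situation the reporter describes, where one stale library in the dependency chain blocks MSA for the whole program. On a real system the same check is `readelf -A lib.so` on every object `ldd` lists; the parser here is the equivalent for offline analysis of extracted .deb contents.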
Bug#890448: transition: mbedtls
On 15/02/18 17:47, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
>
> On 14/02/18 22:01, James Cowgill wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>>
>> Hi,
>>
>> mbedtls bumped the SONAME of one of its libraries (libmbedcrypto) so it
>> needs a transition. The new version is currently in experimental.
>>
>> These reverse dependencies built successfully first time:
>> charybdis
>> dislocker
>> dolphin-emu
>> gatling
>> ncbi-vdb
>> neko
>> shadowsocks-libev
>>
>> bctoolbox was fixed about an hour ago (#890417).
>>
>> mongrel2 still fails, but this is caused by an mbedtls bug which I have
>> queued up ready to upload (the fix is obvious):
>> https://salsa.debian.org/debian/mbedtls/commit/f2769d8c7cb1edb2a8e6fb3e6d8527638550927d
>
> Go ahead.

Thanks. I've uploaded it.

James
Bug#890448: transition: mbedtls
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

mbedtls bumped the SONAME of one of its libraries (libmbedcrypto) so it needs a transition. The new version is currently in experimental.

These reverse dependencies built successfully first time:
charybdis
dislocker
dolphin-emu
gatling
ncbi-vdb
neko
shadowsocks-libev

bctoolbox was fixed about an hour ago (#890417).

mongrel2 still fails, but this is caused by an mbedtls bug which I have queued up ready to upload (the fix is obvious):
https://salsa.debian.org/debian/mbedtls/commit/f2769d8c7cb1edb2a8e6fb3e6d8527638550927d

Thanks,
James

Ben file:

title = "mbedtls";
is_affected = .depends ~ "libmbedcrypto0" | .depends ~ "libmbedcrypto1";
is_good = .depends ~ "libmbedcrypto1";
is_bad = .depends ~ "libmbedcrypto0";

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
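The "Ben file" block that accompanies each of the transition requests in this log (libsfml, ffmpeg and mbedtls above) is what the transition tracker evaluates against every binary package's Depends field to sort reverse dependencies into good (rebuilt against the new SONAME) and bad (still on the old one). As an added example, not part of any bug report and not ben's own code, here is a minimal Python evaluator for the subset of ben syntax these files use (`|`, `&` and `~`). It is fed the mbedtls file from the request above verbatim; the package names are taken from the report but their Depends lines are constructed for the example, and `example-mixed` is an invented package that matches both sides.

```python
import re
from typing import Any, Callable, Dict

# The mbedtls ben file from the transition request above, copied verbatim.
BEN_FILE = '''
title = "mbedtls";
is_affected = .depends ~ "libmbedcrypto0" | .depends ~ "libmbedcrypto1";
is_good = .depends ~ "libmbedcrypto1";
is_bad = .depends ~ "libmbedcrypto0";
'''

# Constructed binary-package records in Packages-file style, keyed by binary
# package name, with field names lower-cased the way ben refers to them.
PACKAGES: Dict[str, Dict[str, str]] = {
    "charybdis":     {"depends": "libc6 (>= 2.17), libmbedcrypto1 (>= 2.7.0), libmbedtls10"},
    "dislocker":     {"depends": "libc6 (>= 2.14), libfuse2, libmbedcrypto0"},
    "example-mixed": {"depends": "libmbedcrypto0 | libmbedcrypto1"},   # constructed
    "bibledit":      {"depends": "libc6 (>= 2.17), libmbedtls10"},      # not tracked by this file
}

Pred = Callable[[Dict[str, str]], bool]
# One ben term: .field ~ "regex" or .field !~ "regex"
_TERM = re.compile(r'^\.(\w+)\s*(!~|~)\s*"((?:[^"\\]|\\.)*)"$')


def _compile_term(term: str) -> Pred:
    m = _TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported ben term: {term.strip()!r}")
    field, op, pattern = m.groups()
    rx = re.compile(pattern)           # '~' is a regex search, not string equality

    def check(pkg: Dict[str, str]) -> bool:
        hit = rx.search(pkg.get(field, "")) is not None
        return hit if op == "~" else not hit
    return check


def _compile_expr(expr: str) -> Pred:
    # Assumption: only '|' (lowest precedence) and '&' (binds tighter), with no
    # parentheses and no '|' inside a regex; that covers every file in this log.
    clauses = [[_compile_term(t) for t in alt.split("&")] for alt in expr.split("|")]
    return lambda pkg: any(all(t(pkg) for t in clause) for clause in clauses)


def parse_ben(text: str) -> Dict[str, Any]:
    """Parse 'name = value;' statements; title is a string, the rest become predicates."""
    ben: Dict[str, Any] = {}
    for stmt in text.split(";"):
        name, eq, value = stmt.partition("=")
        if not eq:
            continue
        name, value = name.strip(), value.strip()
        ben[name] = value.strip('"') if name == "title" else _compile_expr(value)
    return ben


def classify(ben: Dict[str, Any], packages: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Tracker status for every affected package; unaffected ones are left out."""
    status: Dict[str, str] = {}
    for name, fields in packages.items():
        if not ben["is_affected"](fields):
            continue
        good, bad = ben["is_good"](fields), ben["is_bad"](fields)
        status[name] = ("partial" if good and bad else
                        "good" if good else
                        "bad" if bad else "unknown")
    return status


if __name__ == "__main__":
    ben = parse_ben(BEN_FILE)
    for pkg, state in classify(ben, PACKAGES).items():
        print(f"{ben['title']}: {pkg:14s} {state}")
```

Two things the run makes visible that the raw file does not: `bibledit` disappears from the output because this file only tracks libmbedcrypto, so a package that depends solely on libmbedtls10 is outside the transition's scope; and `~` is a regex search, so a pattern like `libsfml-audio2.5` treats the dot as a wildcard, which is harmless for the files on this page but matters when an old and a new SONAME differ by a single character. The real tracker evaluates per architecture; a package that is both good and bad at once is usually one whose binaries have been rebuilt on some architectures but not others.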
Bug#886237: transition: libgig
Hi Mattia,

On 03/01/18 13:18, Mattia Rizzolo wrote:
> Control: tag -1 moreinfo
>
> On Wed, Jan 03, 2018 at 12:55:40PM +0100, Jaromír Mikeš wrote:
>> Can I upload new upstream version of gigedit now to experimental?
...
>> I am not DD just having DM flag for qsampler
>
> Usually uploading to experimental comes *before* opening a transition
> bug.
> Please upload to experimental and ping this bug once it passed new (and
> the reverse-depends still builds fine).

I think you have misunderstood. libgig is the library undergoing a transition and is already in experimental. gigedit is a reverse dependency of libgig which currently FTBFS but a fix is ready to be uploaded.

Thanks,
James
Bug#885533: jessie-pu: package soundtouch/1.8.0-1+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, [This is #885531 but for jessie instead of stretch] This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856, and #870857. I have tested the package on jessie and with the attached debdiff, soundstretch still works and the proof of concepts for the 3 security issues behave correctly now. The patch under debian/patches uses DOS line endings because the file it modifies also uses DOS line endings. Thanks, James -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru soundtouch-1.8.0/debian/changelog soundtouch-1.8.0/debian/changelog --- soundtouch-1.8.0/debian/changelog 2014-06-21 13:58:52.0 +0100 +++ soundtouch-1.8.0/debian/changelog 2017-12-27 16:37:31.0 + @@ -1,3 +1,13 @@ +soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium + + [ Gabor Karsay ] + * Add patch to fix +- CVE-2017-9258 (Closes: #870854) +- CVE-2017-9259 (Closes: #870856) +- CVE-2017-9260 (Closes: #870857) + + -- James Cowgill <jcowg...@debian.org> Wed, 27 Dec 2017 16:37:31 + + soundtouch (1.8.0-1) unstable; urgency=low * New upstream release. diff -Nru soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch --- soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 1970-01-01 01:00:00.0 +0100 +++ soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 2017-12-27 16:37:31.0 + 
@@ -0,0 +1,36 @@ +Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260 + Based on an upstream commit, original commit message was: "Added sanity + checks against illegal input audio stream parameters e.g. wildly excessive + samplerate". + . + There is no reference to CVEs or bugs, the commit was made after disclosure + of the CVEs and all three proofs of concept (crafted wav files) fail after + this commit. + . + The commit was made after version 2.0.0, so that version is also vulnerable. + . + Unrelated changes were stripped away by patch author, upstream commit author + is Olli Parviainen <oparv...@iki.fi>. +Author: Gabor Karsay <gabor.kar...@gmx.at> +Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/source/SoundTouch/TDStretch.cpp b/source/SoundTouch/TDStretch.cpp +@@ -126,7 +126,12 @@ void TDStretch::setParameters(int aSampl + int aSeekWindowMS, int aOverlapMS) + { + // accept only positive parameter values - if zero or negative, use old values instead +-if (aSampleRate > 0) this->sampleRate = aSampleRate; ++if (aSampleRate > 0) ++{ ++if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate"); ++this->sampleRate = aSampleRate; ++} ++ + if (aOverlapMS > 0)this->overlapMs = aOverlapMS; + + if (aSequenceMS > 0) diff -Nru soundtouch-1.8.0/debian/patches/series soundtouch-1.8.0/debian/patches/series --- soundtouch-1.8.0/debian/patches/series 2014-06-21 13:58:33.0 +0100 +++ soundtouch-1.8.0/debian/patches/series 2017-12-27 16:37:31.0 + @@ -1,2 +1,3 @@ dont-use-integers-if-softfp.patch fix-fp-rounding-error.patch +cve-2017-92xx.patch signature.asc Description: OpenPGP digital signature
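Review bot: the comment kept just above the changed lines in the TDStretch.cpp hunk, "accept only positive parameter values - if zero or negative, use old values instead", no longer describes what the function does, because a sample rate above 192000 is now rejected with ST_THROW_RT_ERROR rather than ignored or clamped; update that comment in the same hunk to say that excessive rates throw, and say why 192000 is the ceiling, so the next reader does not take the stale comment as the contract. The DEP-3 header is good on provenance (three CVEs, upstream r256, Debian bugs), but a sentence noting that aSequenceMS, aSeekWindowMS and aOverlapMS are deliberately left without an upper bound would make the scope of the backport explicit to whoever picks up the next CVE in this area.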
Bug#885531: stretch-pu: package soundtouch/1.9.2-2+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856, and #870857. I have tested the package on stretch and with the attached debdiff, soundstretch still works and the proof of concepts for the 3 security issues behave correctly now. The patch under debian/patches uses DOS line endings because the file it modifies also uses DOS line endings. Thanks, James -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru soundtouch-1.9.2/debian/changelog soundtouch-1.9.2/debian/changelog --- soundtouch-1.9.2/debian/changelog 2015-09-28 15:13:28.0 +0100 +++ soundtouch-1.9.2/debian/changelog 2017-12-27 16:34:15.0 + @@ -1,3 +1,13 @@ +soundtouch (1.9.2-2+deb9u1) stretch; urgency=medium + + [ Gabor Karsay ] + * Add patch to fix +- CVE-2017-9258 (Closes: #870854) +- CVE-2017-9259 (Closes: #870856) +- CVE-2017-9260 (Closes: #870857) + + -- James Cowgill <jcowg...@debian.org> Wed, 27 Dec 2017 16:34:15 + + soundtouch (1.9.2-2) unstable; urgency=medium * Upload to unstable. diff -Nru soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch --- soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 1970-01-01 01:00:00.0 +0100 +++ soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 2017-12-27 16:34:15.0 + 
@@ -0,0 +1,36 @@ +Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260 + Based on an upstream commit, original commit message was: "Added sanity + checks against illegal input audio stream parameters e.g. wildly excessive + samplerate". + . + There is no reference to CVEs or bugs, the commit was made after disclosure + of the CVEs and all three proofs of concept (crafted wav files) fail after + this commit. + . + The commit was made after version 2.0.0, so that version is also vulnerable. + . + Unrelated changes were stripped away by patch author, upstream commit author + is Olli Parviainen <oparv...@iki.fi>. +Author: Gabor Karsay <gabor.kar...@gmx.at> +Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/source/SoundTouch/TDStretch.cpp b/source/SoundTouch/TDStretch.cpp +@@ -128,7 +128,12 @@ + int aSeekWindowMS, int aOverlapMS) + { + // accept only positive parameter values - if zero or negative, use old values instead +-if (aSampleRate > 0) this->sampleRate = aSampleRate; ++if (aSampleRate > 0) ++{ ++if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate"); ++this->sampleRate = aSampleRate; ++} ++ + if (aOverlapMS > 0)this->overlapMs = aOverlapMS; + + if (aSequenceMS > 0) diff -Nru soundtouch-1.9.2/debian/patches/series soundtouch-1.9.2/debian/patches/series --- soundtouch-1.9.2/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ soundtouch-1.9.2/debian/patches/series 2017-12-27 16:34:15.0 + @@ -0,0 +1 @@ +cve-2017-92xx.patch signature.asc Description: OpenPGP digital signature
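Review bot: ST_THROW_RT_ERROR in the added check raises a C++ exception rather than returning an error, so every caller of TDStretch::setParameters has to be prepared to catch it; for the soundstretch binary an uncaught exception turns a crafted file into a process abort, which is an acceptable outcome for a no-DSA fix, but it should be stated in the DEP-3 description so library consumers know that a sample-rate check can now unwind through them. The hunk header is @@ -128,7 +128,12 @@ for 1.9.2 against @@ -126,7 +126,12 @@ in the jessie patch for 1.8.0, which confirms the patch was regenerated per release rather than copied, and that is the right way to do it.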
Bug#884635: transition: libupnp
Control: block -1 by 882377 884252 884243 884245 884246 884247 884248
Control: block -1 by 884249 884250 884251

Hi,

On 17/12/17 21:07, Uwe Kleine-König wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
>
> Hello,
>
> Currently there are two versions of libupnp in the archive:
>
>  - src:libupnp providing the 1.6.x branch of libupnp which is considered
>    legacy by upstream
>  - src:pupnp-1.8 providing the 1.8.x branch of libupnp
>
> I want to get rid of libupnp6 converting all rdeps to the newer libupnp
> package.
>
> There are not that many reverse dependencies for libupnp6:
[...]
> I know about mpd upstream already supporting both versions. The Debian
> maintainer of vlc already invested some work in making vlc support both
> versions. I'm about to send a bug about silverjuke with a patch
> implementing a simple conversion which makes it support both versions.
> The Debian maintainer of wmaloader asked me to report an RM bug.

I've added blocks for the bugs I think need to be fixed before starting the transition. Most were filed by Sebastian Ramacher who (very kindly) did a rebuild of all the rdeps against pupnp 1.8. mpd, silverjuke and wmaloader all have bugs already filed against them.

> James Cowgill (= maintainer of src:pupnp-1.8) already uploaded a version
> of src:pupnp-1.8 providing libupnp-dev to experimental.
> https://release.debian.org/transitions/ doesn't have an automatic
> transition though (probably because there are two packages involved).
>
> Ben file:
>
> title = "libupnp";
> is_affected = .depends ~ "libupnp6" | .depends ~ "libupnp10";
> is_good = .depends ~ "libupnp10";
> is_bad = .depends ~ "libupnp6";

One slight issue is #882377. In pupnp 1.8.3 upstream broke the ABI which I pointed out to them. As a result they have bumped the SONAME in upstream git (not yet released). To avoid having to do two transitions, we should wait to use the new SONAME.

Since the damage is already done, I guess we could use the new SONAME right now, although I am always a little cautious in doing that in case upstream changes something else :)

In any case, the ben file will need to be changed at some point.

Also thanks to the people working on this. I know I haven't done as much as I probably should be doing.

Thanks,
James
Bug#868468: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u2
On 15/07/17 20:50, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2017-07-15 at 20:37 +0100, James Cowgill wrote:
>> Some more security issues were discovered in libopenmpt so it will need
>> another stretch update. One of the issues looked potentially serious so
>> I had CVE-2017-11311 allocated for it. That CVE has been marked as
>> no-dsa by the security team.
>>
>> Also, sorry this is pretty late for 9.1.
>
> It is, but if it's uploaded in time then it still might make it.

Thank you! Uploaded.

James
Bug#868468: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u2
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, Some more security issues were discovered in libopenmpt so it will need another stretch update. One of the issues looked potentially serious so I had CVE-2017-11311 allocated for it. That CVE has been marked as no-dsa by the security team. Also, sorry this is pretty late for 9.1. Debdiff against 0.2.7386~beta20.3-3+deb9u1 (which is already in stretch-pu) attached. Thanks, James -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386, mips Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog libopenmpt-0.2.7386~beta20.3/debian/changelog --- libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-06-20 08:58:50.0 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-07-15 18:33:57.0 +0100 
@@ -1,3 +1,11 @@ +libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium + + * Add security patches (Closes: #867579). +- up8: Out-of-bounds read while loading a malfomed PLM file. +- up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file. + + -- James Cowgill <jcowg...@debian.org> Sat, 15 Jul 2017 18:33:57 +0100 + libopenmpt (0.2.7386~beta20.3-3+deb9u1) stretch; urgency=medium * Add various security patches (Closes: #864195). diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series libopenmpt-0.2.7386~beta20.3/debian/patches/series --- libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-06-20 08:58:50.0 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-07-15 16:49:37.0 +0100 @@ -4,3 +4,5 @@ up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch up5-excessive-cpu-consumption-on-malformed-files-ams.patch up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch +up8-out-of-bounds-read-plm.patch +up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch --- libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch 1970-01-01 01:00:00.0 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch 2017-07-15 17:59:44.0 +0100 
@@ -0,0 +1,30 @@ +Description: Fix CVE-2017-11311 + See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html + Fix heap buffer overflow which may allow arbitrary code execution via a + crafted PSM File. +Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision=8460 +Bug-Debian: https://bugs.debian.org/867579 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/soundlib/Load_psm.cpp b/soundlib/Load_psm.cpp +@@ -1187,15 +1187,16 @@ bool CSoundFile::ReadPSM16(FileReader + } + + SAMPLEINDEX smp = sampleHeader.sampleNumber; +- if(smp < MAX_SAMPLES) ++ if(smp > 0 && smp < MAX_SAMPLES) + { + m_nSamples = std::max(m_nSamples, smp); + +- mpt::String::Read(m_szNames[smp], sampleHeader.name); + sampleHeader.ConvertToMPT(Samples[smp]); ++ mpt::String::Read(m_szNames[smp], sampleHeader.name); + +- if((loadFlags & loadSampleData) && file.Seek(sampleHeader.offset)) ++ if(loadFlags & loadSampleData) + { ++ file.Seek(sampleHeader.offset); + sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); + } + } diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch --- libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch 1970-01-01 01:00:00.0 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch 2017-07-15 18:04:11.0 +0100 @@ -0,0 +1,25 @@ +Descriptio
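Review bot: in the Load_psm.cpp hunk, file.Seek(sampleHeader.offset) is moved out of the if condition and its return value is now discarded, so ReadSample runs even when the seek fails; the DEP-3 description only explains the heap overflow closed by the new lower bound, so add a sentence (or a code comment at the Seek) saying that the FileReader tolerates a failed seek and that ReadSample on an unseekable offset is safe, otherwise the unchecked return reads as a regression in a stable update. The reorder that moves mpt::String::Read(m_szNames[smp], ...) after sampleHeader.ConvertToMPT(Samples[smp]) is also unexplained. The smp > 0 && smp < MAX_SAMPLES test itself is the right fix: smp comes straight from the file (sampleHeader.sampleNumber), and the added lower bound indicates slot 0 is not a valid sample, so the old test let a crafted header write Samples[0] and m_szNames[0]; a short comment stating that index 0 is reserved would keep someone from "simplifying" the check back later.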
Bug#865355: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u1
Hi again,

On 25/06/17 23:11, James Cowgill wrote:
> On 25/06/17 22:46, Cyril Brulebois wrote:
>> James Cowgill <jcowg...@debian.org> (2017-06-20):
>>> This update contains a number of security fixes to libopenmpt which
>>> upstream has specifically asked me to get into stretch. Upstream asked
>>> me to fix these earlier this month and since none of them looked
>>> "critical" I decided to wait and file a stretch-pu bug (although maybe
>>> I was a little lazy...) The worst bugs fixed here are NULL pointer
>>> dereferences - I don't think there is any remote code execution here.
>>
>> I suspect it would be best to check with the security team anyway?
>
> OK I've asked them in the original bug report.

Salvatore Bonaccorso replied and said this was OK to do in a point release.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#72

Thanks,
James
Bug#865355: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u1
Hi, On 25/06/17 22:46, Cyril Brulebois wrote: > James Cowgill <jcowg...@debian.org> (2017-06-20): >> This update contains a number of security fixes to libopenmpt which >> upstream has specifically asked me to get into stretch. Upstream asked >> me to fix these earlier this month and since none of them looked >> "critical" I decided to wait and file a stretch-pu bug (although maybe >> I was a little lazy...) The worst bugs fixed here are NULL pointer >> dereferences - I don't think there is any remote code execution here. > > I suspect it would be best to check with the security team anyway? OK I've asked them in the original bug report. >> Upstream kindly backported all the fixes to the version Debian has in >> stretch and they were taken from this announcement: >> https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html >> >> I omitted 2 patches which seem to be impossible to exploit or which >> only have minor cosmetic effects. >> >> Debdiff attached. >> > > Patch: > debian/patches/up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch >> --- >> libopenmpt-0.2.7386~beta20.3/debian/patches/up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch >>1970-01-01 01:00:00.0 +0100 >> +++ >> libopenmpt-0.2.7386~beta20.3/debian/patches/up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch >>2017-06-20 08:58:50.0 +0100 
>> @@ -0,0 +1,351 @@ >> +Description: Fix excessive CPU consumption on malformed DMF and MDL files >> + See https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html >> + This patch prevents loading of DMF and MDL modules taking multiple minutes >> if >> + the module contains truncated compressed samples. >> +Origin: upstream, >> https://source.openmpt.org/browse/openmpt?op=revision=8237 >> +Bug-Debian: https://bugs.debian.org/864195 >> +--- >> +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ >> +--- a/soundlib/Load_dmf.cpp >> b/soundlib/Load_dmf.cpp >> +@@ -16,6 +16,7 @@ >> + #include "stdafx.h" >> + #include "Loaders.h" >> + #include "ChunkReader.h" >> ++#include >> + >> + OPENMPT_NAMESPACE_BEGIN >> + >> +@@ -1087,68 +1088,66 @@ struct DMFHTree >> +int bitnum; >> +int lastnode, nodecount; >> +DMFHNode nodes[256]; >> +-}; >> +- > > ^^^ This update seems to be putting DMFReadBits() and DMFNewNode() > functions “inside” the DMFHTree struct? I'm not a C overlord, but that's > a construction I haven't seen yet. :) It's perfectly legal in C++ though :) > Anyway all I could spot was this structure update, and a function > signature update, both of which not being exported as far as I can tell. > > So that looks good to me, except for the security team question in my > first paragraph. Thanks, James signature.asc Description: OpenPGP digital signature
Bug#865355: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Hi, This update contains a number of security fixes to libopenmpt which upstream has specifically asked me to get into stretch. Upstream asked me to fix these earlier this month and since none of them looked "critical" I decided to wait and file a stretch-pu bug (although maybe I was a little lazy...) The worst bugs fixed here are NULL pointer dereferences - I don't think there is any remote code execution here. Upstream kindly backported all the fixes to the version Debian has in stretch and they were taken from this announcement: https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html I omitted 2 patches which seem to be impossible to exploit or which only have minor cosmetic effects. Debdiff attached. Thanks, James -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog libopenmpt-0.2.7386~beta20.3/debian/changelog --- libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-01-12 17:17:13.0 + +++ libopenmpt-0.2.7386~beta20.3/debian/changelog 2017-06-20 08:58:50.0 +0100 
@@ -1,3 +1,14 @@ +libopenmpt (0.2.7386~beta20.3-3+deb9u1) stretch; urgency=medium + + * Add various security patches (Closes: #864195). +- up1: Division by zero in temp calculation. +- up2: Infinite loop with cyclic plugin routing. +- up3: Excessive CPU consumption on malformed DMF and MDL files. +- up5: Excessive CPU consumption on malformed AMS files. +- up6: Invalid memory read when applying NNAs to effect plugins. + + -- James Cowgill <jcowg...@debian.org> Tue, 20 Jun 2017 08:58:50 +0100 + libopenmpt (0.2.7386~beta20.3-3) unstable; urgency=medium * debian/tests: diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series libopenmpt-0.2.7386~beta20.3/debian/patches/series --- libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-01-12 17:09:08.0 + +++ libopenmpt-0.2.7386~beta20.3/debian/patches/series 2017-06-20 08:58:50.0 +0100 @@ -1 +1,6 @@ 01_libmodplug_symver.patch +up1-division-by-zero-in-tempo-calculation.patch +up2-infinite-loop-in-plugin-routing.patch +up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch +up5-excessive-cpu-consumption-on-malformed-files-ams.patch +up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/up1-division-by-zero-in-tempo-calculation.patch libopenmpt-0.2.7386~beta20.3/debian/patches/up1-division-by-zero-in-tempo-calculation.patch --- libopenmpt-0.2.7386~beta20.3/debian/patches/up1-division-by-zero-in-tempo-calculation.patch 1970-01-01 01:00:00.0 +0100 +++ libopenmpt-0.2.7386~beta20.3/debian/patches/up1-division-by-zero-in-tempo-calculation.patch 2017-06-20 08:58:50.0 +0100 
@@ -0,0 +1,51 @@ +Description: Guard against division by zero in tempo calculation + See https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html +Origin: upstream, https://source.openmpt.org/browse/openmpt?op=revision=8235 +Bug-Debian: https://bugs.debian.org/864195 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/soundlib/Sndfile.cpp b/soundlib/Sndfile.cpp +@@ -1542,15 +1542,15 @@ void CSoundFile::RecalculateSamplesPerTi + { + case tempoModeClassic: + default: +- m_PlayState.m_nSamplesPerTick = Util::muldiv(m_MixerSettings.gdwMixingFreq, 5 * TEMPO::fractFact, m_PlayState.m_nMusicTempo.GetRaw() << 1); ++ m_PlayState.m_nSamplesPerTick = Util::muldiv(m_MixerSettings.gdwMixingFreq, 5 * TEMPO::fractFact, std::max(TEMPO::store_t(1), m_PlayState.m_nMusicTempo.GetRaw() << 1)); + break; + + case tempoModeModern: +- m_PlayState.m_nSamplesPerTick = static_cast((Util::mul32to64_unsigned(m_MixerSettings.gdwMixingFreq, 60 * TEMPO::fractFact) * Util::mul32to64_unsigned(m_PlayState.m_nMusicSpeed, m_PlayState.m_nCurrentRowsPerBeat)) / m_PlayState.m_nMusicTempo.GetRaw()); ++ m_PlayState.m_nSamplesPerTick = static_cast((Util::mul32to64_unsigned(m_MixerSettings.gdwMixingFreq, 60 * TEMPO::fractFact) / std::max(uint64(1), Util::mul32to64_unsigned(m_PlayState.m_nMusicSpeed, m_PlayState.m_nCurrentRowsPerBeat) * m_PlayState.m_nMusicTempo.GetRaw(; + break; + + case tempoModeAlternative: +- m_PlayState.m_nSamplesPerTick = Util::muldiv(m_MixerSettings.gdwMixingFreq, TEMPO::fractFact, m_Pl
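Review bot: the tempoModeClassic and tempoModeModern lines in the Sndfile.cpp hunk clamp the divisor with std::max(..., 1), which removes the division by zero but makes a zero tempo silently yield a very large samples-per-tick instead of being rejected; say in the hunk (a one-line comment is enough) why clamping rather than erroring is the right behaviour at this point, for instance if a zero tempo is already rejected when the module is loaded and this is only a last line of defence, because a reader of the patch alone cannot tell. Separately, the modern-mode expression was restructured at the same time: the Util::mul32to64_unsigned(m_PlayState.m_nMusicSpeed, m_PlayState.m_nCurrentRowsPerBeat) term moves from the numerator into the divisor, which changes the arithmetic and not just the guard. If that is a correctness fix carried along from upstream r8235 it deserves its own sentence in the DEP-3 description; if it is not needed for the CVE, it should be dropped to keep the stable update minimal.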
Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, This polarssl update fixes CVE-2017-2784 (Freeing of memory allocated on stack when validating a public key with a secp224k1 curve) which is a no-DSA security issue. I've tested the CVE with the testcase which was added to mbedtls (and it passes only after the patch is applied). Unfortunately the test system is broken in polarssl (doesn't handle crashes) so adding the test to jessie won't have any affect on the builds unless the test system is fixed as well. Debdiff attached. Thanks, James -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) diff -Nru polarssl-1.3.9/debian/changelog polarssl-1.3.9/debian/changelog --- polarssl-1.3.9/debian/changelog 2016-02-06 13:29:38.0 + +++ polarssl-1.3.9/debian/changelog 2017-05-09 09:42:21.0 +0100 @@ -1,3 +1,10 @@ +polarssl (1.3.9-2.1+deb8u2) jessie; urgency=high + + * Fix CVE-2017-2784: Freeing of memory allocated on stack when +validating a public key with a secp224k1 curve. (Closes: #857561) + + -- James Cowgill <jcowg...@debian.org> Tue, 09 May 2017 09:42:21 +0100 + polarssl (1.3.9-2.1+deb8u1) jessie-security; urgency=high * Non-maintainer upload. diff -Nru polarssl-1.3.9/debian/patches/CVE-2017-2784.patch polarssl-1.3.9/debian/patches/CVE-2017-2784.patch --- polarssl-1.3.9/debian/patches/CVE-2017-2784.patch 1970-01-01 01:00:00.0 +0100 +++ polarssl-1.3.9/debian/patches/CVE-2017-2784.patch 2017-05-09 09:36:13.0 +0100 
@@ -0,0 +1,49 @@ +Description: Fix for CVE-2017-2784 + Fixed a bug that caused freeing a buffer that was allocated on the stack, + when verifying the validity of a key on secp224k1. This could be + triggered remotely for example with a maliciously constructed certificate + and might have led to remote code execution on some exotic embedded + platforms. Reported independently by rongsaws and Regina Wilson. + . + The function ecp_mod_koblitz computed the space for the result of a + multiplication optimally for that specific case, but unfortunately + the function mbedtls_mpi_mul_mpi performs a generic, suboptimal + calculation and needs one more limb for the result. Since the result's + buffer is on the stack, the best case scenario is that the program + stops. + . + This only happened on 64 bit platforms. +Origin: upstream, https://github.com/ARMmbed/mbedtls/commit/f5ffc79896681daddf7530646c0908f51a887dbd +Bug-Debian: https://bugs.debian.org/857561 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ + +--- a/library/ecp_curves.c b/library/ecp_curves.c +@@ -1268,7 +1268,7 @@ static inline int ecp_mod_koblitz( mpi * + int ret; + size_t i; + mpi M, R; +-t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R]; ++t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1]; + + if( N->n < p_limbs ) + return( 0 ); +@@ -1290,7 +1290,7 @@ static inline int ecp_mod_koblitz( mpi * + memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) ); + if( shift != 0 ) + MPI_CHK( mpi_shift_r( , shift ) ); +-M.n += R.n - adjust; /* Make room for multiplication by R */ ++M.n += R.n; /* Make room for multiplication by R */ + + /* N = A0 */ + if( mask != 0 ) +@@ -1312,7 +1312,7 @@ static inline int ecp_mod_koblitz( mpi * + memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) ); + if( shift != 0 ) + MPI_CHK( mpi_shift_r( , shift ) ); +-M.n += R.n - adjust; /* Make room for multiplication by R */ ++M.n += R.n; /* Make room for multiplication by R */ + + /* N = A0 */ + if( mask != 0 ) diff -Nru 
polarssl-1.3.9/debian/patches/series polarssl-1.3.9/debian/patches/series --- polarssl-1.3.9/debian/patches/series2016-02-05 12:25:30.0 + +++ polarssl-1.3.9/debian/patches/series2017-05-09 09:42:14.0 +0100 @@ -5,3 +5,4 @@ CVE-2015-8036-Added-bounds-checking-for-TLS-extensions.patch CVE-2015-8036-Reordered-extension-fields-and-added-to-Cha.patch CVE-2015-8036-Add-extra-check-before-integer-conversion.patch +CVE-2017-2784.patch signature.asc Description: OpenPGP digital signature
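Review bot: the two ecp_curves.c hunks make two coupled changes, growing Mp by one limb and dropping the "- adjust" from both "M.n += R.n - adjust;" lines, and nothing in the hunk ties the new array size to the new maximum of M.n; add a comment at the Mp declaration stating the largest value M.n can hold when the memcpy and the later multiplication run, and that the trailing + 1 is the extra limb the generic mbedtls_mpi_mul_mpi writes (as the description says), so a future edit to M.n cannot silently outgrow the stack buffer again. A cheap runtime guard before each memcpy that returns an error when M.n exceeds sizeof( Mp ) / sizeof( Mp[0] ) would turn any recurrence into a clean failure rather than a stack smash. The DEP-3 description currently explains only the + 1; the M.n change should be called out there too, and since the description says the bug only showed on 64-bit platforms, a note on the t_uint width at that spot would help whoever backports this further.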
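The polarssl update above describes a classic sizing bug: a stack buffer was dimensioned for the mathematically minimal result, while the generic multiplication routine writes one limb more. The following is an added example written for this page, not PolarSSL or mbedtls code, showing the pattern that avoids it: the multiply routine publishes its own capacity requirement, and refuses to write rather than overflow a buffer sized by the caller's optimistic arithmetic. The limb type, the function names (`mul_limbs`, `mul_limbs_needed`, `demo_sizing_mismatch`) and the rule that the generic routine touches na + nb + 1 limbs are assumptions of this example modelled on the patch description; the sample operands are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative limb representation: 32-bit limbs, least significant first.
 * This is this example's own choice, not the library's t_uint. */
typedef uint32_t limb_t;
typedef uint64_t dlimb_t;

/* Capacity the generic multiply below demands from its destination.
 * An na-limb by nb-limb product fits in na + nb limbs mathematically; this
 * routine, like the generic routine described in the patch header (an
 * assumption modelled on that description), also clears one limb beyond
 * that, so callers must size from this function, not from na + nb. */
static size_t mul_limbs_needed(size_t na, size_t nb)
{
    return na + nb + 1;
}

/* Schoolbook multiply: dst = a * b.  Returns the number of limbs written,
 * or 0 when dst_cap is too small.  Never writes past dst_cap. */
static size_t mul_limbs(limb_t *dst, size_t dst_cap,
                        const limb_t *a, size_t na,
                        const limb_t *b, size_t nb)
{
    size_t need = mul_limbs_needed(na, nb);
    if (dst_cap < need)
        return 0;                          /* refuse instead of overflowing */

    memset(dst, 0, need * sizeof *dst);    /* touches limb na + nb: the +1 */
    for (size_t i = 0; i < na; i++) {
        dlimb_t carry = 0;
        for (size_t j = 0; j < nb; j++) {
            dlimb_t t = (dlimb_t)a[i] * b[j] + dst[i + j] + carry;
            dst[i + j] = (limb_t)t;
            carry = t >> 32;
        }
        dst[i + nb] = (limb_t)carry;       /* slot i+nb is still zero here */
    }
    return need;
}

/* Worked check of the mismatch: a one-limb by one-limb product needs two
 * limbs of result, but the generic routine insists on three.  Returns 1 if
 * the "exact" buffer is refused and the "generic" buffer is accepted with
 * the correct value, 0 otherwise. */
static int demo_sizing_mismatch(void)
{
    const limb_t a[1] = { 0xFFFFFFFFu };   /* constructed operands */
    const limb_t b[1] = { 0xFFFFFFFFu };
    limb_t exact[2];                       /* mathematically sufficient */
    limb_t generic[3];                     /* what mul_limbs actually needs */

    size_t n_exact = mul_limbs(exact, 2, a, 1, b, 1);     /* refused */
    size_t n_generic = mul_limbs(generic, 3, a, 1, b, 1); /* accepted */

    /* 0xFFFFFFFF * 0xFFFFFFFF = 0xFFFFFFFE00000001 */
    return n_exact == 0 && n_generic == 3 &&
           generic[0] == 0x00000001u &&
           generic[1] == 0xFFFFFFFEu &&
           generic[2] == 0u;
}

int main(void)
{
    printf("sizing mismatch demonstrated: %s\n",
           demo_sizing_mismatch() ? "yes" : "no");
    return 0;
}
```

The point is in `mul_limbs_needed`: once the callee owns the capacity formula, a caller who sizes a stack array "optimally" gets a refused call it can notice in testing, rather than a silent write one limb past the end of the frame, which is what the patch description says happened on 64-bit builds.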
Bug#862061: nmu: raincat_1.1.1.2-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

raincat needs binNMUing against haskell-glut 2.7.0.10-4 to fix the RC bug #861957. This should pick up the fixes to haskell-glut in #861976 so raincat can start again. It needs binNMUing to pick up the changes because these are both haskell packages (so it's statically linked).

Thanks,
James

nmu raincat_1.1.1.2-3 . ANY . unstable . -m "rebuild against haskell-glut 2.7.0.10-4 to fix #861957"

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#860887: unblock: bind9/1:9.10.3.dfsg.P4-12.2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, Please unblock package bind9 This version fixes RC bug #778720 where bind9 randomly crashes on MIPS. The MIPS atomics implementation was buggy (register constraints were wrong and there were no memory barriers) and to fix it I just replaced it with C11 atomics. Only the MIPS part was replaced - this update should have no effect on other architectures. I've tested the new version under heavy load for an hour or so on the 3 MIPS architectures and it seems to be OK. Previously it would crash within 5 mins. I've attached the debdiff. Since that isn't the easiest to read, I also attach the diff of lib/isc/mips/include/isc/atomic.h (the only file changed) between the version in testing and unstable. There is another RC bug affecting bind9 (#860225), but that bug is not a regression from stretch. Thanks, James unblock bind9/1:9.10.3.dfsg.P4-12.2 diff -Nru bind9-9.10.3.dfsg.P4/debian/changelog bind9-9.10.3.dfsg.P4/debian/changelog --- bind9-9.10.3.dfsg.P4/debian/changelog 2017-03-17 18:07:16.0 + +++ bind9-9.10.3.dfsg.P4/debian/changelog 2017-04-18 16:42:50.0 +0100 @@ -1,3 +1,11 @@ +bind9 (1:9.10.3.dfsg.P4-12.2) unstable; urgency=medium + + * Non-maintainer upload. + * Replace 32_mips_atomic.diff with a version that uses C11 atomics. Fixes +hangs and crashes on MIPS. (Closes: #778720) + + -- James Cowgill <jcowg...@debian.org> Tue, 18 Apr 2017 16:42:50 +0100 + bind9 (1:9.10.3.dfsg.P4-12.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru bind9-9.10.3.dfsg.P4/debian/patches/32_mips_atomic.diff bind9-9.10.3.dfsg.P4/debian/patches/32_mips_atomic.diff --- bind9-9.10.3.dfsg.P4/debian/patches/32_mips_atomic.diff 2017-02-19 22:38:45.0 + +++ bind9-9.10.3.dfsg.P4/debian/patches/32_mips_atomic.diff 2017-04-18 16:42:50.0 +0100 
@@ -1,22 +1,29 @@ -Author: Thiemo Seufer <t...@networkno.de> -Date: Thu Nov 8 15:11:48 2007 -0700 -Forwarded: yes RT#41965 - -mips:atomic.h: improve implementation of atomic ops, fix mips{el,64} - -The appended patch extends the configure check to cover mips64 and -mipsel, and improves the mips atomics implementation. - -See http://bugs.debian.org/406409 for more detail. - -Signed-off-by: LaMont Jones <lam...@debian.org> +Description: Replace MIPS atomics assembly with calls to C11 atomic functions + This fixes various hangs and crashes on MIPS. +Author: James Cowgill <jcowg...@debian.org> +Forwarded: no +Bug-Debian: https://bugs.debian.org/778720 --- a/lib/isc/mips/include/isc/atomic.h +++ b/lib/isc/mips/include/isc/atomic.h -@@ -31,18 +31,20 @@ - isc_atomic_xadd(isc_int32_t *p, int val) { - isc_int32_t orig; +@@ -19,32 +19,19 @@ + #ifndef ISC_ATOMIC_H + #define ISC_ATOMIC_H 1 + ++#include ++ + #include + #include +-#ifdef ISC_PLATFORM_USEGCCASM + /* + * This routine atomically increments the value stored in 'p' by 'val', and + * returns the previous value. + */ + static inline isc_int32_t + isc_atomic_xadd(isc_int32_t *p, int val) { +- isc_int32_t orig; +- - /* add is a cheat, since MIPS has no mov instruction */ - __asm__ volatile ( - "1:" @@ -29,24 +36,13 @@ - : "m"(*p), "r"(val) - : "memory", "$3" - ); -+ __asm__ __volatile__ ( -+ " .setpush\n" -+ " .setmips2 \n" -+ " .setnoreorder \n" -+ " .setnoat\n" -+ "1: ll $1, %1 \n" -+ " addu%0, $1, %2 \n" -+ " sc %0, %1 \n" -+ " beqz%0, 1b \n" -+ " move%0, $1 \n" -+ " .setpop \n" -+ : "=" (orig), "+R" (*p) -+ : "r" (val) -+ : "memory"); - return (orig); +- return (orig); ++ return atomic_fetch_add(p, val); } -@@ -52,16 +54,7 @@ + + /* +@@ -52,16 +39,7 @@ isc_atomic_xadd(isc_int32_t *p, int val) */ static inline void isc_atomic_store(isc_int32_t *p, isc_int32_t val) { 
@@ -60,16 +56,16 @@ - : "m"(*p), "r"(val) - : "memory", "$3" - ); -+ *p = val; ++ atomic_store(p, val); } /* -@@ -72,20 +65,23 @@ +@@ -71,28 +49,8 @@ isc_atomic_store(isc_int32_t *p, isc_int + */ static inline isc_int32_t isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) { - isc_int32_t orig; -+ isc_int32_t tmp; - +- isc_int32_t orig; +- - __asm__ volatile( - "1:" - "ll $3, %1\n" @@ -83,21 +79,15 @@ - : "m&qu
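Review bot: in the `+@@ -19,32 +19,19 @@` region, `atomic_fetch_add(p, val)` and `atomic_store(p, val)` are applied to a plain `isc_int32_t *p` rather than to an `_Atomic`-qualified object; GCC's stdatomic.h accepts this because its generic functions expand to the `__atomic_*` builtins, but strictly conforming C11 requires an atomic type, so the header should either document that it relies on that GCC behaviour or change the pointer type. The same hunk deletes the `#ifdef ISC_PLATFORM_USEGCCASM` guard, so a compiler without C11 atomics (`__STDC_NO_ATOMICS__` defined) now fails with an obscure error instead of falling back; an explicit preprocessor check with a clear `#error` would make that failure mode deliberate. The name of the newly included header is not visible as rendered (`++#include`), presumably `<stdatomic.h>` given the calls used, so confirm it in the patch file itself.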
Bug#859471: unblock: swh-plugins/0.4.17-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, Please unblock package swh-plugins It fixes RC bug #859395 where one of the plugins was not linked correctly and ld.so refused to load it. I also fixed the Breaks / Replaces on vocoder-ladspa because 0.4.17-1 was so wrong I couldn't just leave it. I've moved it into the correct paragraph of the control file, and changed the package to "vocoder-ladspa" which was the actual package containing the vocoder plugin which was moved to swh-plugins (see #826110). Thanks, James unblock swh-plugins/0.4.17-2 -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru swh-plugins-0.4.17/debian/changelog swh-plugins-0.4.17/debian/changelog --- swh-plugins-0.4.17/debian/changelog 2016-11-05 04:47:12.0 + +++ swh-plugins-0.4.17/debian/changelog 2017-04-03 19:54:39.0 +0100 @@ -1,3 +1,12 @@ +swh-plugins (0.4.17-2) unstable; urgency=medium + + * Team upload. + * Link gsm_1215.so plugin against system libgsm. (Closes: #859395) + * Fix vocoder-ladspa Breaks/Replaces (replacing the faulty lmms +Breaks/Replaces). + + -- James Cowgill <jcowg...@debian.org> Mon, 03 Apr 2017 19:54:39 +0100 + swh-plugins (0.4.17-1) unstable; urgency=medium * Exclude .gitignore file from upstream tarball. diff -Nru swh-plugins-0.4.17/debian/control swh-plugins-0.4.17/debian/control --- swh-plugins-0.4.17/debian/control 2016-11-05 04:47:12.0 + +++ swh-plugins-0.4.17/debian/control 2017-04-03 19:54:39.0 +0100 
@@ -16,11 +16,6 @@ libxml-parser-perl, libgsm1-dev, pkg-config -Replaces: - lmms (<= 1.1.3-2) - ${cdbs:Replaces} -Breaks: - lmms (<= 1.1.3-2) Standards-Version: 3.9.8 Homepage: http://plugin.org.uk/ Vcs-Git: https://anonscm.debian.org/git/pkg-multimedia/swh-plugins.git @@ -31,6 +26,11 @@ Depends: ${misc:Depends}, ${shlibs:Depends} +Replaces: + vocoder-ladspa (<< 1.1.3-3~), + ${cdbs:Replaces} +Breaks: + vocoder-ladspa (<< 1.1.3-3~) Provides: ladspa-plugin Description: Steve Harris's LADSPA plugins diff -Nru swh-plugins-0.4.17/debian/patches/08-gsm_plugin.patch swh-plugins-0.4.17/debian/patches/08-gsm_plugin.patch --- swh-plugins-0.4.17/debian/patches/08-gsm_plugin.patch 2016-06-02 00:32:48.0 +0100 +++ swh-plugins-0.4.17/debian/patches/08-gsm_plugin.patch 2017-04-03 19:54:39.0 +0100 @@ -45,7 +45,7 @@ sc4m_1916_la_LIBADD = -Lutil -ldb -lrms se4_1883_la_LIBADD = -Lutil -ldb -lrms -gsm_1215_la_LIBADD = gsm/libgsm.a -+#gsm_1215_la_LIBADD = gsm/libgsm.a ++gsm_1215_la_LIBADD = -lgsm gverb_1216_la_LIBADD = -Lgverb -lgverb lcr_delay_1436_la_DEPENDENCIES = util/biquad.h signature.asc Description: OpenPGP digital signature
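Review bot: the two `debian/control` hunks correctly move `Breaks`/`Replaces` out of the source paragraph (where they sat after `libgsm1-dev, pkg-config` in the build-dependencies and applied to no binary package) into the binary paragraph next to `Depends`, but the changelog entry only says the old lmms relation was faulty; it should cite #826110, which the unblock request names as the bug under which the vocoder plugin moved from vocoder-ladspa into swh-plugins, so that the `(<< 1.1.3-3~)` bound can be checked against that history rather than taken on trust. In the 08-gsm_plugin.patch hunk, `-lgsm` depends on libgsm1-dev being in Build-Depends, which the first hunk's context confirms, so the link change is consistent.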
Bug#857579: unblock: mbedtls/2.4.2-1 (pre-approval)
Control: tags -1 - moreinfo
Control: retitle -1 unblock: mbedtls/2.4.2-1

Hi,

On 13/03/17 20:20, Niels Thykier wrote:
> James Cowgill:
>> Hi,
>>
>> I am wondering whether it's possible to include mbedtls 2.4.2 in
>> stretch. While it does fix an RC security bug (#857560), it also
>> contains a lot of other stuff - all of it bugfixes though.
[...]
> Hi,
>
> I have reviewed it and I agree that upstream release looks preferable
> with one remark:
>
> * The test suite appears to be "time-bombed" via
>   "tests/data_files/test-ca2_cat-future-invalid.crt".
> * Ideally, the buildability should not expire.
> * Furthermore, its "expire" date is "Sep 22 15:49:49 2023" which is
>   uncomfortably close to stretch's expected EOL on the LTS release
>   (Said EOL is currently estimated to some time in 2022 and counting).

Thanks for discovering that! I've adjusted the package to run the testsuite inside faketime until upstream fixes this.

> Please resolve that, upload and remove the moreinfo tag once the upload
> has been processed and built on all relevant release architectures.

Uploaded, and built on all release arches.

Thanks,
James
Bug#856228: unblock: libnids/1.23-2.1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package libnids

This fixes 2 RC bugs in the package:

- #851060 where the package doesn't work on armhf. The package contains numerous violations of the strict-aliasing rule so I added -fno-strict-aliasing as an easy workaround which does fix the bug on armhf.

- #855602 where the package assumes the old gnu89 inline semantics but this was never caught because the undefined references only occur when building another package which links against libnids. The bug only happens after being rebuilt and on mips64el where it's already broken. Two separate patches are needed to fix this - one concerning 'after' and 'before' which is already applied upstream, and another concerning some i386 only functions.

Thanks,
James

unblock libnids/1.23-2.1

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru libnids-1.23/debian/changelog libnids-1.23/debian/changelog --- libnids-1.23/debian/changelog 2010-07-21 20:23:34.0 +0100 +++ libnids-1.23/debian/changelog 2017-02-26 16:25:37.0 +
@@ -1,3 +1,13 @@ +libnids (1.23-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix assembly of TCP streams on armhf by adding -fno-strict-aliasing. +(Closes: #851060) + * Fix use of "inline" with GCC >= 5 which causes undefined references in +applications linked against libnids. (Closes: #855602) + + -- James Cowgill <jcowg...@debian.org> Sun, 26 Feb 2017 16:25:37 + + libnids (1.23-2) unstable; urgency=high * Update my email address (closes: #574042). diff -Nru libnids-1.23/debian/patches/01_before-after.patch libnids-1.23/debian/patches/01_before-after.patch --- libnids-1.23/debian/patches/01_before-after.patch 1970-01-01 01:00:00.0 +0100 +++ libnids-1.23/debian/patches/01_before-after.patch 2017-02-26 16:25:37.0 + 
@@ -0,0 +1,52 @@ +Description: fix before and after declarations + Fix declarations of before and after functions so that they just happen in the header file to fix undefined references in libnids.so. +Origin: upstream, http://downloads.sourceforge.net/project/libnids/libnids/1.24/libnids-1.24.tar.gz +Bug-Debian: https://bugs.debian.org/855602 +Applied-Upstream: 1.24 +Last-Update: 2015-12-06 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/util.c b/src/util.c +@@ -29,18 +29,6 @@ test_malloc(int x) + return ret; + } + +-inline int +-before(u_int seq1, u_int seq2) +-{ +- return ((int)(seq1 - seq2) < 0); +-} +- +-inline int +-after(u_int seq1, u_int seq2) +-{ +- return ((int)(seq2 - seq1) < 0); +-} +- + void + register_callback(struct proc_node **procs, void (*x)) + { +--- a/src/util.h b/src/util.h +@@ -23,8 +23,18 @@ struct lurker_node { + + void nids_no_mem(char *); + char *test_malloc(int); +-inline int before(u_int seq1, u_int seq2); +-inline int after(u_int seq1, u_int seq2); ++ ++static inline int ++before(u_int seq1, u_int seq2) ++{ ++ return ((int)(seq1 - seq2) < 0); ++} ++ ++static inline int ++after(u_int seq1, u_int seq2) ++{ ++ return ((int)(seq2 - seq1) < 0); ++} + void register_callback(struct proc_node **procs, void (*x)); + void unregister_callback(struct proc_node **procs, void (*x)); + diff -Nru libnids-1.23/debian/patches/02_inline.patch libnids-1.23/debian/patches/02_inline.patch --- libnids-1.23/debian/patches/02_inline.patch 1970-01-01 01:00:00.0 +0100 +++ libnids-1.23/debian/patches/02_inline.patch 2017-02-25 17:50:03.0 + 
@@ -0,0 +1,45 @@ +Description: Fix more undefined references when using GCC-5. + Avoids making the functions ip_fast_csum, ip_compute_csum, my_tcp_check and + my_udp_check inline. See https://github.com/aol/moloch/issues/440 as well. +Author: Robert Scheck <rob...@fedoraproject.org> +Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/libnids.git/commit/?id=ecafb692f20e0acad555f66c3cc1646997a82dae +Bug-Debian: https://bugs.debian.org/855602 +--- +This patch header follows DEP-3: https://dep.debian.net/deps/dep3/ + +--- a/src/checksum.c b/src/checksum.c +@@ -120,7 +120,7 @@ csum_partial(const u_char * buff, int le + By Jorge Cwik <jo...@laser.satlink.net>, adapted for linux by Arnt + Gulbrandsen. + */ +-inline u_short ip_fast_csum(u_char * iph, u_int ihl) ++u_short ip_fast_csum(u_char * iph, u_int ihl) + { + u_int sum; + if (dontchksum(((struct ip*)iph)->ip_src.s_addr)) +@@ -191,13 +191,13 @@ csum_tcpudp_magic(u_int saddr, u_int dad + this routine is used for miscellaneous IP-like checksums, mainly in + icmp.c + */ +-inline u_s
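Review bot: in the `--- a/src/util.h` hunk of 01_before-after.patch, the `static inline` definitions of `before()` and `after()` are the right fix: under C99/GNU inline semantics an `inline` declaration in the header plus an `inline` definition in util.c never emitted an external symbol, so every other object and every application linked against libnids.so got an undefined reference; `static inline` gives each translation unit its own copy, which is harmless for these one-line sequence comparisons. Two style points: the hunk adds the definitions directly above `void register_callback(...)` with no blank line, unlike the blank line inserted above them; and the DEP-3 `Last-Update: 2015-12-06` predates the 2017 changelog entry, so if it records the upstream date rather than when the patch was last touched here, say so or update it.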
Bug#856204: unblock: libsfml/2.4.1+dfsg-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Hi, Please unblock package libsfml This fixes the important bug #855404 where SFML can in certain situations deadlock inside the GL context handling code. Upstream have explicitly asked me to try and include this fix into stretch. The patch originates from version 2.4.2 which is in experimental but was too late to get into stretch. I've tested the patch with reverse-dependencies in Debian and everything still works AFAIK. Thanks, James unblock libsfml/2.4.1+dfsg-3 -- System Information: Debian Release: 9.0 APT prefers unstable-debug APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru libsfml-2.4.1+dfsg/debian/changelog libsfml-2.4.1+dfsg/debian/changelog --- libsfml-2.4.1+dfsg/debian/changelog 2016-12-30 19:02:05.0 + +++ libsfml-2.4.1+dfsg/debian/changelog 2017-02-20 20:11:38.0 + @@ -1,3 +1,9 @@ +libsfml (2.4.1+dfsg-3) unstable; urgency=medium + + * Apply upstream patch to fix TransientContext deadlocks. (Closes: #855404) + + -- James Cowgill <jcowg...@debian.org> Mon, 20 Feb 2017 20:11:38 + + libsfml (2.4.1+dfsg-2) unstable; urgency=medium * Fix segfaults triggered by sf::Window::setIcon. (Closes: #849750) diff -Nru libsfml-2.4.1+dfsg/debian/patches/08_fix-transientcontext-deadlocks.patch libsfml-2.4.1+dfsg/debian/patches/08_fix-transientcontext-deadlocks.patch --- libsfml-2.4.1+dfsg/debian/patches/08_fix-transientcontext-deadlocks.patch 1970-01-01 01:00:00.0 +0100 +++ libsfml-2.4.1+dfsg/debian/patches/08_fix-transientcontext-deadlocks.patch 2017-02-20 20:11:38.0 + 
@@ -0,0 +1,435 @@ +From 2857207cae8ccd8677ef3586add44102790dea92 Mon Sep 17 00:00:00 2001 +From: binary1248 <binary1...@hotmail.com> +Date: Sun, 27 Nov 2016 18:31:21 +0100 +Subject: [PATCH] Replaced TransientContextLock implementation with a more + elaborate one which relies on locking a single mutex and thus avoids lock + order inversion. Fixes #1165. + +--- + src/SFML/Window/GlContext.cpp | 206 + + src/SFML/Window/GlContext.hpp | 25 +++-- + src/SFML/Window/GlResource.cpp | 48 +- + 3 files changed, 161 insertions(+), 118 deletions(-) + +diff --git a/src/SFML/Window/GlContext.cpp b/src/SFML/Window/GlContext.cpp +index 8ae4b3ab..d773ed00 100644 +--- a/src/SFML/Window/GlContext.cpp b/src/SFML/Window/GlContext.cpp +@@ -26,6 +26,7 @@ + // Headers + + #include ++#include + #include + #include + #include +@@ -131,18 +132,70 @@ namespace + // We need to make sure that no operating system context + // or pixel format operations are performed simultaneously + // This mutex is also used to protect the shared context +-// from being locked on multiple threads ++// from being locked on multiple threads and for managing ++// the resource count + sf::Mutex mutex; + ++// OpenGL resources counter ++unsigned int resourceCount = 0; ++ + // This per-thread variable holds the current context for each thread + sf::ThreadLocalPtr currentContext(NULL); + + // The hidden, inactive context that will be shared with all other contexts + ContextType* sharedContext = NULL; + +-// This per-thread variable is set to point to the shared context +-// if we had to acquire it when a TransientContextLock was required +-sf::ThreadLocalPtr currentSharedContext(NULL); ++// This structure contains all the state necessary to ++// track TransientContext usage ++struct TransientContext : private sf::NonCopyable ++{ ++ ++/// \brief Constructor ++/// ++ ++TransientContext() : ++referenceCount (0), ++context (0), ++sharedContextLock(0), ++useSharedContext (false) ++{ ++if (resourceCount == 0) ++{ ++context = 
new sf::Context; ++} ++else if (!currentContext) ++{ ++sharedContextLock = new sf::Lock(mutex); ++useSharedContext = true; ++sharedContext->setActive(true); ++} ++} ++ ++ ++/// \brief Destructor ++/// ++ ++~TransientContext() ++{ ++if (useSharedContext) ++sharedContext->setActive(false); ++ ++delete
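Review bot: in the `@@ -131,18 +132,70 @@` hunk, the `TransientContext` constructor tests `resourceCount == 0` before it takes `sharedContextLock = new sf::Lock(mutex)`, yet the updated comment on `mutex` says the mutex is now also used "for managing the resource count"; reading `resourceCount` without holding it is a data race if another thread is concurrently creating or destroying a GlResource, so either take the lock before the test or document why the unlocked read is safe (for example, if the count can only change on a thread that already holds a TransientContext). The `!currentContext` part of the test is fine without locking because `currentContext` is a `sf::ThreadLocalPtr`.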
Bug#855258: unblock: spice/0.12.8-2.1
Control: tags -1 - moreinfo

Hi,

On Fri, 17 Feb 2017 21:11:44 +0100 Salvatore Bonaccorso wrote:
> Hi Markus, hi Emilio,
>
> On Thu, Feb 16, 2017 at 10:50:34PM +0100, Markus Koschany wrote:
> > On 16.02.2017 22:23, Emilio Pozuelo Monfort wrote:
> > > Control: tags -1 moreinfo
> > >
> > > On 16/02/17 06:06, Salvatore Bonaccorso wrote:
> > >> Package: release.debian.org
> > >> Severity: normal
> > >> User: release.debian@packages.debian.org
> > >> Usertags: unblock
> > >>
> > >> Hi
> > >>
> > >> Please unblock package spice
> > [...]
> > > That failed to build on mips(64)el:
> > >
> > > https://buildd.debian.org/status/package.php?p=spice
> >
> > Hi,
> >
> > I think this is unrelated to our security fix. The package already
> > failed on mips64el last month (2017/01/06) with the same build failure.
>
> FTR, yes I think this is true, that the failure is *not* related to
> the security fixes. I built both 0.12.8-2 and 0.12.8-2.1 on eller.d.o,
> and it failed both there. I have not further investigated.

The build failure was caused by the lesser form of the binutils bug (#844227 - scroll to the bottom) which has just been fixed. I rebuilt spice with an extra-depends on binutils and it now builds ok.

Thanks,
James
Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)
On 15/02/17 13:41, Mattia Rizzolo wrote:
> Control: reassign -1 release.debian.org
> Control: forcemerge 854905 -1
>
> On Wed, Feb 15, 2017 at 01:09:16PM +, James Cowgill wrote:
>> Package: libpetsc3.7.5-dev
>> Version: 3.7.5+dfsg1-3
>> Severity: serious
>> Tags: sid stretch
>
> Please look for already reported bugs before reporting new ones (there
> is an "affect" so it is in libpetsc3.7.5-dev bugs list).

Well I did check petsc (not release.debian.org), but affects on binary packages don't actually show up on the main bugs page - #636689

James
Bug#855087: unblock: mpv/0.23.0-2
Attaching the debdiff this time... James diff -Nru mpv-0.23.0/debian/changelog mpv-0.23.0/debian/changelog --- mpv-0.23.0/debian/changelog 2016-12-27 23:02:13.0 + +++ mpv-0.23.0/debian/changelog 2017-02-13 21:39:28.0 + @@ -1,3 +1,10 @@ +mpv (0.23.0-2) unstable; urgency=medium + + * Add patch from upstream fix segfaults on tv input. +Thanks to Frédéric Brière. (Closes: #853798) + + -- James Cowgill <jcowg...@debian.org> Mon, 13 Feb 2017 21:39:28 + + mpv (0.23.0-1) unstable; urgency=medium * New upstream release. diff -Nru mpv-0.23.0/debian/patches/07_segfaults-on-tv-input.patch mpv-0.23.0/debian/patches/07_segfaults-on-tv-input.patch --- mpv-0.23.0/debian/patches/07_segfaults-on-tv-input.patch1970-01-01 01:00:00.0 +0100 +++ mpv-0.23.0/debian/patches/07_segfaults-on-tv-input.patch2017-02-13 21:35:21.0 + 
@@ -0,0 +1,42 @@ +From aaad2d847e60a5bbd8fbf9c89f100a9ef9abd008 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Bri=C3=A8re?= <fbri...@fbriere.net> +Date: Fri, 3 Feb 2017 12:57:47 -0500 +Subject: [PATCH] tv: Zero-out newly-allocated handle in tv_new_handle() + +Some fields (notably tv_channel_list) were left uninitialized, +potentially causing problems later on. + +Fixes #4096 +--- + stream/tv.c | 5 + + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/stream/tv.c b/stream/tv.c +index 0b34b566d..89783374f 100644 +--- a/stream/tv.c b/stream/tv.c +@@ -145,7 +145,7 @@ const struct m_sub_options tv_params_conf = { + + tvi_handle_t *tv_new_handle(int size, struct mp_log *log, const tvi_functions_t *functions) + { +-tvi_handle_t *h = malloc(sizeof(*h)); ++tvi_handle_t *h = calloc(1, sizeof(*h)); + + if (!h) + return NULL; +@@ -159,12 +159,9 @@ tvi_handle_t *tv_new_handle(int size, struct mp_log *log, const tvi_functions_t + + h->log= log; + h->functions = functions; +-h->seq= 0; + h->chanlist = -1; +-h->chanlist_s = NULL; + h->norm = -1; + h->channel= -1; +-h->scan = NULL; + + return h; + } +-- +2.11.0 + diff -Nru mpv-0.23.0/debian/patches/series mpv-0.23.0/debian/patches/series --- mpv-0.23.0/debian/patches/series2016-12-27 22:55:48.0 + +++ mpv-0.23.0/debian/patches/series2017-02-13 21:36:32.0 + @@ -3,3 +3,4 @@ 04_waf-pie.patch 05_add-keywords.patch 06_ffmpeg-abi.patch +07_segfaults-on-tv-input.patch signature.asc Description: OpenPGP digital signature
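Review bot: in the `@@ -145,7 +145,7 @@` hunk, switching `malloc` to `calloc(1, sizeof(*h))` zero-fills the handle so `tv_channel_list` and the other fields named in the commit message no longer start out uninitialised, and the second hunk accordingly drops the explicit `h->seq = 0`, `h->chanlist_s = NULL` and `h->scan = NULL` assignments. That is fine on every platform mpv targets, though strictly the C standard does not promise that an all-bits-zero pointer is a null pointer; keeping the two pointer assignments would cost nothing and would not rely on it.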
Bug#855087: unblock: mpv/0.23.0-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package mpv

This upload fixes important bug #853798 where mpv segfaults when used with particular tv input devices. The patch is backported from upstream 0.24.0 which was recently released.

Thanks,
James

unblock mpv/0.23.0-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#854505: unblock: make-dfsg/4.1-9.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-CC: sriva...@debian.org Hi, Please unblock package make-dfsg This fixes the important bug #853213 in make which should in turn fix the RC bug #853214 in openjdk-8 (without any changes needed to that package). The debdiff is attached. Thanks, James unblock make-dfsg/4.1-9.1 -- System Information: Debian Release: stretch/sid APT prefers unstable-debug APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) diff -u make-dfsg-4.1/debian/changelog make-dfsg-4.1/debian/changelog --- make-dfsg-4.1/debian/changelog +++ make-dfsg-4.1/debian/changelog @@ -1,3 +1,11 @@ +make-dfsg (4.1-9.1) unstable; urgency=medium + + * Non-maintainer upload. + * Ensure the stack limit is reset when make re-execs itself. +(Closes: #853213) + + -- James Cowgill <jcowg...@debian.org> Tue, 31 Jan 2017 16:31:57 + + make-dfsg (4.1-9) unstable; urgency=low * Reword the manual page. While the wording included in the manual page diff -u make-dfsg-4.1/main.c make-dfsg-4.1/main.c --- make-dfsg-4.1/main.c +++ make-dfsg-4.1/main.c @@ -2423,6 +2423,11 @@ exit (WIFEXITED(r) ? WEXITSTATUS(r) : EXIT_FAILURE); } #else +#ifdef SET_STACK_SIZE + /* Reset limits, if necessary. */ + if (stack_limit.rlim_cur) +setrlimit (RLIMIT_STACK, _limit); +#endif exec_command ((char **)nargv, environ); #endif free (aargv); signature.asc Description: OpenPGP digital signature
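Review bot: in the `@@ -2423,6 +2423,11 @@` hunk of main.c, the return value of `setrlimit (RLIMIT_STACK, ...)` is ignored, so if the reset fails the re-exec'd make (and the openjdk-8 build behind #853214 that runs under it) silently keeps the raised stack limit; at minimum a debug message on failure would help diagnose a recurrence. The second argument renders as `_limit`, which looks like the `&` of `&stack_limit` being lost in extraction; the patch file should pass the address of the `stack_limit` whose `rlim_cur` is tested on the line above.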
Bug#853152: unblock: codelite/10.0+dfsg-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package codelite.

I recently uploaded a new version of codelite and was hoping for it to be included in stretch. It was uploaded "within the time" but unfortunately (?) I switched from LLVM 3.8 to 3.9 and it built on armel, so it depends on the newer version of LLVM 3.9 which is not in testing yet.

Would it be possible to unblock codelite so it migrates when LLVM 3.9 does? I understand if you don't want this in stretch and it was pretty late - it isn't a hugely important update. Alternatively, could you age LLVM 3.9 so codelite doesn't need an unblock?

Thanks,
James

unblock codelite/10.0+dfsg-1
Bug#838109: release.debian.org: binNMU for ccache/amd64 to rebuild against stable
Hi,

On Sun, 18 Sep 2016 00:03:17 +0100 "Adam D. Barratt" wrote:
> Control: tags -1 + pending
>
> On Sat, 2016-09-17 at 13:00 +0100, Adam D. Barratt wrote:
> > Whilst performing some checks during today's point release, we noticed
> > that a new "ccache-dbgsym" binary package appeared on amd64. Neither the
> > debhelper version in stable nor stable-backports will generate such
> > packages, implying that the upload was built in another, or unclean,
> > environment.
>
> I scheduled the binNMU, and it's now in proposed-updates.

(Since I also just noticed this package) Should the ccache-dbgsym package now be removed from stable?

Thanks,
James
Bug#852042: nmu: jackd2_1.9.10+20150825git1ed50c92~dfsg-4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
Control: block 848285 by -1

Hi,

Please binNMU jackd2. It is affected by the RC bug #848285 which was caused by a GCC regression in gcc-6_6.2.0-13 and has now been fixed in gcc-6_6.3.0-3. It probably needs this extra dependency forcing when rebuilt.

nmu jackd2_1.9.10+20150825git1ed50c92~dfsg-4 . ANY . unstable . -m "rebuild with newer gcc to fix #848285"

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Re: Bug#850887: Decide proper solution for binutils' mips* bug
Hi,

On 12/01/17 14:54, Lisandro Damián Nicanor Pérez Meyer wrote:
> I would like to point out that it would be preferable if, in case a patch is
> preferable over going back to the last known version to work, either Matthias
> or a mips porter points out which of the two proposed patches is preferable.
>
> For the time being I'm testing the patch I submitted to the bug, but I have no
> preference over any of them (nor technical grounds to discuss).

Both patches posted in the upstream bug should work.

The first one fixes a bug in the MIPS back end so that local symbols are sorted before global symbols. This is probably the safer (although larger) patch because it only touches the MIPS back end to try and bring it into line with other architectures.

The second patch prevents the questionable local symbols from ever appearing (so no sorting is necessary). This should also be correct, although it will visibly change the contents of the dynamic symbol table on all arches so I am slightly more apprehensive because of that.

Side note: the patch you uploaded is not totally correct because it isn't applied when building cross binutils (__mips__ will not be defined there).

Thanks,
James
Re: binutils on mips*
Hi,

On 09/01/17 10:51, Julien Cristau wrote:
> On 01/08/2017 11:40 PM, Matthias Klose wrote:
>> On 08.01.2017 14:29, Lisandro Damián Nicanor Pérez Meyer wrote:
>>> Matthias: this bug is stopping a lot of packages from migrating and in
>>> doing so near the freeze is hurting many teams (and their users!) like
>>> the Qt/KDE one, so I'm planning to NMU it to the last working version.
>>>
>>> Do we know which was the last version to properly work on mips*? Is
>>> there any drawback in going back to that version?
>>>
>>> Of course if you have a better course of action suitable for a fast
>>> fix, I'll be glad to read it.
>>
>> Please don't. I'm fine to apply work arounds for port architectures, but
>> not for release architectures (I didn't decide on this status). The
>> binutils update plan was announced last June [1], and I plan to stick to
>> it. At least one of the mips toolchain maintainers (out of the five who
>> committed to in the architecture qualification process) seems to address
>> RC issues, and according to the upstream issue, there's work in progress.
>>
> Work in progress is not enough. This has been filed almost two months
> ago, and keeping an RC issue in the toolchain open for this long right
> around freeze time is irresponsible on your part, so please don't block
> others fixing it if you don't want to apply a workaround yourself. (I'm
> also disappointed that none of the mips porters saw fit to get this
> fixed in sid sooner.)

As a MIPS porter, I'm not really sure what more I could have done about this bug. I provided a patch in November and it still hasn't been fixed in Debian. I do not control upstream binutils and cannot make them commit anything. Occasionally I've been pinging Maciej, but nothing has happened (though he cannot be blamed for the situation Debian finds itself in). What was I supposed to do?

James
Bug#850482: nmu: ardour_1:5.5.0~dfsg-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

Please can ardour be binNMUed against fftw3 3.3.5-3. That version of fftw3 tightens the package dependencies which is needed for a new API used by ardour.

Thanks,
James

nmu ardour_1:5.5.0~dfsg-1 . ANY . unstable . -m "rebuild for stricter fftw3 dependency"

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#847001: nmu: libjack dependencies using new port_rename APIs
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal
X-Debbugs-CC: pkg-multimedia-maintain...@lists.alioth.debian.org

Hi,

In #845654 and #845655, the dependencies generated by libjack were tightened after a new API was added to both jack implementations. The packages which use the new API need to be binNMUed to get the new dependency.

I checked codesearch for packages using the affected functions (jack_set_port_rename_callback and jack_port_rename) and these were the only 3 packages affected. I already knew about hydrogen and libsoundio though.

ardour and hydrogen need to wait for the new libjack-dev to be installed, while libsoundio needs to wait for the new libjack-jackd2-dev. Does this seem right?

nmu ardour_1:5.4.0~dfsg-2 . ANY . unstable . -m "rebuild for tighter libjack dependency"
nmu hydrogen_0.9.7-1 . ANY . unstable . -m "rebuild for tighter libjack dependency"
nmu libsoundio_1.0.2-1 . ANY . unstable . -m "rebuild for tighter libjack dependency"
dw ardour_1:5.4.0~dfsg-2 . ANY . unstable . -m 'libjack-dev (>= 1:0.125.0-2)'
dw hydrogen_0.9.7-1 . ANY . unstable . -m 'libjack-dev (>= 1:0.125.0-2)'
dw libsoundio_1.0.2-1 . ANY . unstable . -m 'libjack-jackd2-dev (>= 1.9.10+20150825git1ed50c92~dfsg-4)'

Thanks,
James
Bug#841979: jessie-pu: package minissdpd/1.2.20130907-3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: Thomas Goirand <z...@debian.org>

Hi,

The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178 CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security team.

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru minissdpd-1.2.20130907/debian/changelog minissdpd-1.2.20130907/debian/changelog --- minissdpd-1.2.20130907/debian/changelog 2014-07-14 08:02:57.0 +0100 +++ minissdpd-1.2.20130907/debian/changelog 2016-10-24 22:46:46.0 +0100 @@ -1,3 +1,15 @@ +minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high + + * Non-maintainer upload. + * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759) +The minissdpd daemon contains a improper validation of array index +vulnerability (CWE-129) when processing requests sent to the Unix +socket at /var/run/minissdpd.sock the Unix socket can be accessed +by an unprivileged user to send invalid request causes an +out-of-bounds memory access that crashes the minissdpd daemon. + + -- James Cowgill <jcowg...@debian.org> Mon, 24 Oct 2016 22:46:46 +0100 + minissdpd (1.2.20130907-3) unstable; urgency=medium * Removed $all from init.d script. diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch --- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 1970-01-01 01:00:00.0 +0100 +++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 2016-10-24 22:43:23.0 +0100 
@@ -0,0 +1,95 @@ +Description: Fix CVE-2016-3178 + buffer overflow while handling negative length request +Author: Salva Peiró <speir...@gmail.com> +Origin: upstream, https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47 +Bug-Debian: https://bugs.debian.org/816759 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/minissdpd.c b/minissdpd.c +@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req + type = buf[0]; + p = buf + 1; + DECODELENGTH_CHECKLIMIT(l, p, buf + n); +- if(p+l > buf+n) { ++ if(l > (unsigned)(buf+n-p)) { + syslog(LOG_WARNING, "bad request (length encoding)"); + goto error; + } +@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req + goto error; + } + DECODELENGTH_CHECKLIMIT(l, p, buf + n); +- if(p+l > buf+n) { ++ if(l > (unsigned)(buf+n-p)) { + syslog(LOG_WARNING, "bad request (length encoding)"); + goto error; + } +@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req + newserv->usn[l] = '\0'; + p += l; + DECODELENGTH_CHECKLIMIT(l, p, buf + n); +- if(p+l > buf+n) { ++ if(l > (unsigned)(buf+n-p)) { + syslog(LOG_WARNING, "bad request (length encoding)"); + goto error; + } +@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req + newserv->server[l] = '\0'; + p += l; + DECODELENGTH_CHECKLIMIT(l, p, buf + n); +- if(p+l > buf+n) { ++ if(l > (unsigned)(buf+n-p)) { + syslog(LOG_WARNING, "bad request (length encoding)"); + goto error; + } +--- a/testminissdpd.c b/testminissdpd.c +@@ -45,6 +45,23 @@ void printresponse(const unsigned char * + #define SENDCOMMAND(command, size) write(s, command, size); \ + printf("Command written type=%u\n", (unsigned)command[0]); + ++int connect_unix_socket(const char * sockpath) ++{ ++ int s; ++ struct sockaddr_un addr; ++ ++ s = socket(AF_UNIX, SOCK_STREAM, 0); ++ addr.sun_family = AF_UNIX; ++ strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path)); ++ if(connect(s, (struct sockaddr *), sizeof(struct sockaddr_un)) < 0) { ++ fprintf(stderr, 
"connecting to %s : ", addr.sun_path); ++ perror("connect"); ++ exit(1); ++ } ++ printf("Connected to %s\n", addr.sun_path); ++ return s; ++} ++ + /* test program for minissdpd */ + int + main(int argc, char * * argv) +@@ -52,6 +69,7 @@ main(int argc, char * * argv) + char command1
Bug#839731: jessie-pu: package mpg123/1.20.1-2+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-multimedia-maintain...@lists.alioth.debian.org

Hi,

A security issue was reported against mpg123 in bug #838960. Since it was marked no-DSA by the security team, it needs a normal jessie-pu update to fix it in jessie.

The debdiff is attached. I've tested it on jessie against the testcase provided in the upstream bug report (https://mpg123.org/bugs/240).

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-36-generic (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru mpg123-1.20.1/debian/changelog mpg123-1.20.1/debian/changelog --- mpg123-1.20.1/debian/changelog 2014-08-31 10:51:53.0 +0100 +++ mpg123-1.20.1/debian/changelog 2016-10-04 11:42:56.0 +0100 @@ -1,3 +1,10 @@ +mpg123 (1.20.1-2+deb8u1) jessie; urgency=high + + * Team upload. + * Fix DoS with crafted ID3v2 tags. (Closes: #838960) + + -- James Cowgill <jcowg...@debian.org> Tue, 04 Oct 2016 11:42:56 +0100 + mpg123 (1.20.1-2) unstable; urgency=medium * Team upload. diff -Nru mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch --- mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch 1970-01-01 01:00:00.0 +0100 +++ mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch 2016-10-04 11:41:20.0 +0100
@@ -0,0 +1,18 @@ +Description: Fix DoS with crafted ID3v2 tags +Author: Thomas Orgis <thomas-fo...@orgis.org> +Bug: https://sourceforge.net/p/mpg123/bugs/240/ +Bug-Debian: https://bugs.debian.org/838960 +Applied-Upstream: 1.23.8 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/libmpg123/id3.c b/src/libmpg123/id3.c +@@ -752,7 +752,7 @@ int parse_new_id3(mpg123_handle *fr, uns + unsigned long fflags; /* need 16 bits, actually */ + id[4] = 0; + /* pos now advanced after ext head, now a frame has to follow */ +- while(tagpos < length-10) /* I want to read at least a full header */ ++ while(length >= 10 && tagpos < length-10) /* I want to read at least a full header */ + { + int i = 0; + unsigned long pos = tagpos; diff -Nru mpg123-1.20.1/debian/patches/series mpg123-1.20.1/debian/patches/series --- mpg123-1.20.1/debian/patches/series 2014-08-30 20:39:33.0 +0100 +++ mpg123-1.20.1/debian/patches/series 2016-10-04 11:41:20.0 +0100 @@ -1 +1,2 @@ 0001-disable_not_public_funcs.patch +0002-dos-crafted-id3v2-tags.patch
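Review bot: the `length >= 10 &&` guard in the parse_new_id3 hunk fixes the loop bound but leaves the reason implicit. `tagpos < length-10` is only meaningful when length-10 cannot wrap; length's declaration is outside the hunk, but if it is unsigned (as `pos`, initialised from tagpos, visibly is), a tag shorter than one 10-byte frame header turned the bound into a huge value and the loop read past the end of the tag, which is the DoS the description names. Rewriting the condition as `tagpos + 10 < length` would drop both the subtraction and the extra guard; failing that, a comment on the unsigned wrap would stop the guard being "simplified" away later. The Applied-Upstream: 1.23.8 header is the right way to record provenance; the changelog and series hunks need no comment.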
Re: fact++ is marked for autoremoval from testing
Hi,

On 29/08/16 09:43, Jonas Smedegaard wrote:
> Hi,
>
> [please cc me on replies: I am not subscribed]
>
> I am puzzled about this one:
>
> Quoting Debian testing autoremoval watch (2016-08-29 06:39:03)
>> fact++ 1.6.4~dfsg-1 is marked for autoremoval from testing on 2016-08-31
>>
>> It (build-)depends on packages with these RC bugs:
>> 806865: ppl: FTBFS when built with dpkg-buildpackage -A (No rule to make ppl_c.h)
>> 811825: ppl: FTBFS with GCC 6: no match for
>
> As I understand it, packages ppl (mentioned above) and cloog-ppl
> (build-dependency of fact++) are independent projects.
>
> Could this be a flaw somewhere in the autoremoval scripts?

cloog-ppl depends on libppl-c4 and libppl13v5 from the ppl source package, so fact++ is being autoremoved due to transitive dependencies.

James
Bug#835784: nmu: mpv_0.20.0-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

As I wrote in #835645, some of the ffmpeg symbols in 7:3.1.2-1 do not generate tight enough dependencies and if mpv is used with an old version of ffmpeg, it segfaults. This is fixed in ffmpeg 3.1.3-1 so please binNMU mpv against that version.

nmu mpv_0.20.0-1 . ANY . unstable . -m "Rebuild against ffmpeg 3.1.3-1 for correct dependencies"
dw mpv_0.20.0-1 . ANY . unstable . -m 'libavformat57 (>= 7:3.1.3-1)'

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Re: Porter roll call for Debian Stretch
Hi,

On 17/08/16 21:05, ni...@thykier.net wrote:
> Like last release, we are doing a roll call for porters of all release
> architectures. If you are an active porter behind one of the [release
> architectures] for the entire lifetime of Debian Stretch (est. end of
> 2020), please respond with a signed email containing the following
> before Friday, the 9th of September:
>
> * Which architectures are you committing to be an active porter for?

I'm an active porter for mips, mipsel and mips64el.

> * Please describe recent relevant porter contributions.

Numerous mips64el related bugs and some assistance bootstrapping parts of it. Lately I've been looking at some toolchain issues and bugs in various other packages.

> * Are you running/using Debian testing or sid on said port(s)?

Yes we have a number of mips machines running testing. They are mostly used for development (some quite heavily used). I test common packages on them (I'd be surprised if anyone can claim they test *all* packages on their arch).

> * Are you testing/patching d-i for the port(s)?

I don't use d-i a huge amount with the port unfortunately. Having said that I am about to setup another machine so I'll try it out on that :)

> * If we were to enable -fPIE/-pie by default in GCC-6, should that change
>   also apply to this port? [0]

I'm not aware of any issues with enabling -fPIC on mips arches so I think you can go ahead with it. PIE is already enabled in a number of packages and there doesn't seem to be any issues with them on mips.

I'm a DD

James
Bug#834105: transition: libsfml
On 12/08/16 09:33, Emilio Pozuelo Monfort wrote:
> On 12/08/16 00:21, James Cowgill wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>>
>> Hi,
>>
>> The new upstream version of libsfml bumped the SONAME and therefore
>> requires a transition.
>>
>> These packages will need rebuilding:
>> dolphin-emu
>> extremetuxracer
>> libcsfml
>> marsshooter
>> python-sfml
>>
>> I did a test rebuild of all of them and they all built fine with the new
>> SFML.
>
> Go ahead.

Thanks! Uploaded and built on all arches.

James
Bug#834105: transition: libsfml
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

The new upstream version of libsfml bumped the SONAME and therefore requires a transition.

These packages will need rebuilding:
dolphin-emu
extremetuxracer
libcsfml
marsshooter
python-sfml

I did a test rebuild of all of them and they all built fine with the new SFML.

Thanks,
James

Ben file:

title = "libsfml";
is_affected = .depends ~ /libsfml-[a-z]*2\.3v5/ | .depends ~ /libsfml-[a-z]*2\.4/;
is_good = .depends ~ /libsfml-[a-z]*2\.4/;
is_bad = .depends ~ /libsfml-[a-z]*2\.3v5/;

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips
Kernel: Linux 4.7.0-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#827288: jessie-pu: package audiofile/0.3.6-2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This update fixes CVE-2015-7747 (#801102). The security bug is marked no-DSA, so the security team asked me to submit it as a normal stable update.

The patch is copied directly from this Ubuntu bug (and is already applied in Ubuntu):
https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog --- audiofile-0.3.6/debian/changelog 2016-06-14 14:21:11.0 +0100 +++ audiofile-0.3.6/debian/changelog 2016-06-14 16:39:56.0 +0100 @@ -1,3 +1,11 @@ +audiofile (0.3.6-2+deb8u1) jessie; urgency=high + + * Team upload. + * Fix CVE-2015-7747: buffer overflow when changing both sample format and +number of channels. (Closes: #801102) + + -- James Cowgill <jcowg...@debian.org> Tue, 14 Jun 2016 16:39:49 +0100 + audiofile (0.3.6-2) unstable; urgency=low * Upload to unstable. diff -Nru audiofile-0.3.6/debian/patches/CVE-2015-7747.patch audiofile-0.3.6/debian/patches/CVE-2015-7747.patch --- audiofile-0.3.6/debian/patches/CVE-2015-7747.patch 1970-01-01 01:00:00.0 +0100 +++ audiofile-0.3.6/debian/patches/CVE-2015-7747.patch 2016-06-14 16:19:51.0 +0100
@@ -0,0 +1,161 @@ +Description: fix buffer overflow when changing both sample format and + number of channels +Origin: backport, https://github.com/mpruett/audiofile/pull/25 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801102 + +Index: audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp +=== +--- audiofile-0.3.6.orig/libaudiofile/modules/ModuleState.cpp 2015-10-20 08:00:58.036128202 -0400 audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp 2015-10-20 08:00:58.036128202 -0400 +@@ -402,7 +402,7 @@ + addModule(new Transform(outfc, in.pcm, out.pcm)); + + if (in.channelCount != out.channelCount) +- addModule(new ApplyChannelMatrix(infc, isReading, ++ addModule(new ApplyChannelMatrix(outfc, isReading, + in.channelCount, out.channelCount, + in.pcm.minClip, in.pcm.maxClip, + track->channelMatrix)); +Index: audiofile-0.3.6/test/Makefile.am +=== +--- audiofile-0.3.6.orig/test/Makefile.am 2015-10-20 08:00:58.036128202 -0400 audiofile-0.3.6/test/Makefile.am 2015-10-20 08:00:58.036128202 -0400 +@@ -26,6 +26,7 @@ + VirtualFile \ + floatto24 \ + query2 \ ++ sixteen-stereo-to-eight-mono \ + sixteen-to-eight \ + testchannelmatrix \ + testdouble \ +@@ -139,6 +140,7 @@ + printmarkers_LDADD = $(LIBAUDIOFILE) -lm + + sixteen_to_eight_SOURCES = sixteen-to-eight.c TestUtilities.cpp TestUtilities.h ++sixteen_stereo_to_eight_mono_SOURCES = sixteen-stereo-to-eight-mono.c TestUtilities.cpp TestUtilities.h + + testchannelmatrix_SOURCES = testchannelmatrix.c TestUtilities.cpp TestUtilities.h + +Index: audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c +=== +--- /dev/null 1970-01-01 00:00:00.0 + audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c 2015-10-20 08:33:57.512286416 -0400 +@@ -0,0 +1,117 @@ ++/* ++ Audio File Library ++ ++ Copyright 2000, Silicon Graphics, Inc. 
++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License along ++ with this program; if not, write to the Free Software Foundation, Inc., ++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++*/ ++ ++/* ++ sixteen-stereo-to-eight-mono.c ++ ++ This program tests the conversion from 2-channel 16-bit integers to ++ 1-channel 8-bit integers. ++*/ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include "TestUtilities.h" ++ ++int main (int argc, char **argv) ++{ ++ AFfilehandle file; +
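Review bot: the ModuleState.cpp hunk swaps `infc` for `outfc` in the ApplyChannelMatrix constructor, and that one-word change is the whole fix: in the visible context the module is appended after `Transform(outfc, in.pcm, out.pcm)`, so the data reaching it is already in the output sample format, and describing it with the input format is what the description ties to the overflow when both sample format and channel count change. A short comment at that call site stating that the chain is in outfc from that point on would stop a future cleanup "harmonising" it back to infc. The Makefile.am hunks wire the new test in correctly, but the added sixteen-stereo-to-eight-mono.c is cut off after `AFfilehandle file;` and its #include directives show no header names as quoted, so the regression test itself cannot be reviewed from this message.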
Bug#650601: fixed in elastix 4.8-3
Control: reopen -1

On Thu, 2016-01-07 at 15:50 +, Gert Wollny wrote:
> Source: elastix
> Source-Version: 4.8-3
>
> We believe that the bug you reported is fixed in the latest version of
> elastix, which is due to be installed in the Debian FTP archive.
[...]
> [ Gert Wollny ]
> * Update dependency for libdcmtk-dev to unversioned package
> * Rebuild against itk-4.8.2-3, Closes: #650601

Wrong bug number? Did you mean #809889 "elastix: FTBFS with libpng16"? You just closed the global libpng1.6 transition tracking bug.

James
Bug#803997: transition: polarssl
Hi,

On Mon, 2015-11-09 at 19:19 +0100, Emilio Pozuelo Monfort wrote:
> On 04/11/15 04:02, James Cowgill wrote:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > Severity: normal
> > Forwarded: https://release.debian.org/transitions/html/auto-polarssl.html
> > X-Debbugs-CC: polar...@packages.debian.org
> >
> > Hi,
> >
> > polarssl needs a library transition. The name of the upstream project
> > changed to 'mbedtls' so the SONAME has become 'libmbedtls9'. I've kept
> > the name of the dev package as 'libpolarssl-dev' for the 1.3 series so
> > every package doesn't need to be changed.
>
> Shouldn't there be a new libmbedtls-dev package, with libpolarssl-dev
> becoming a transitional one?
>
> Shouldn't the source be renamed?

Earlier this year (in 1.3.10) upstream renamed the project mbedTLS. In the 1.3 series they changed the soname, but not the API (ie all the headers, functions, etc are still called "polarssl"). A few months later they released 2.0 which completely changed the API by renaming all the functions and doing various cleanups to the API which would break many programs. The new 2.0 series is in NEW right now and called 'mbedtls' and contains a libmbedtls-dev package.

I didn't want to rename the dev package since it would end up conflicting with the new 2.0 series and although the "brand" name is mbedTLS, it still follows polarssl's API.

> > The new version of polarssl fixes a grave security bug (#801413). I
> > haven't got a response from the package maintainer at all in dealing
> > with this so I NMUed the version currently in experimental.
>
> Doing this transition as a NMU seems a bit odd to me. Though hijacking the
> package seems a bit premature since that bug was opened only a month ago.
> If you renamed the source, then maybe you could get away with it :p

Okay sorry I didn't mean to hijack anyone's package, I was just trying to fix this security bug affecting one of my packages and nothing seemed to be happening on it. Although my upload of mbedtls 2 does now feel like a bit of a hijack :/

Thinking about this, I could probably avoid this transition by waiting for mbedtls to pass NEW, porting all the rdeps, and then having polarssl removed from the archive. This would be the "end" goal anyway. This transition is effectively a temporary fix since I don't know how long that will take, and in the mean time there will be a grave security bug affecting polarssl.

If you're wondering why a transition has to happen to fix this bug at all, upstream basically said "do not try to backport any of these commits" when I asked them about the security bug (see some of the links in #801413).

Thanks,
James
Bug#803997: transition: polarssl
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: transition
Severity: normal
Forwarded: https://release.debian.org/transitions/html/auto-polarssl.html
X-Debbugs-CC: polar...@packages.debian.org

Hi,

polarssl needs a library transition. The name of the upstream project changed to 'mbedtls' so the SONAME has become 'libmbedtls9'. I've kept the name of the dev package as 'libpolarssl-dev' for the 1.3 series so every package doesn't need to be changed.

The new version of polarssl fixes a grave security bug (#801413). I haven't got a response from the package maintainer at all in dealing with this so I NMUed the version currently in experimental.

There is a build failure on s390x, but the fix should be a 1 line change which I'd like to make when I upload the package to unstable. If you'd prefer I could make another NMU to experimental instead.

Thanks,
James

Ben file (the automatic one is fine):

title = "polarssl";
is_affected = .depends ~ "libpolarssl7" | .depends ~ "libmbedtls9";
is_good = .depends ~ "libmbedtls9";
is_bad = .depends ~ "libpolarssl7";
Bug#791166: libsfml: library transition may be needed when GCC 5 is the default
Hi,

Can I upload this to unstable (it's in experimental)? All the reverse dependencies build except python-sfml because cython is currently uninstallable (See #793227, #794511).

https://release.debian.org/transitions/html/auto-libsfml.html

Thanks,
James
Bug#794486: release.debian.org: auto transition trackers incorrectly handle addition of suffixes (including GCC 5 related transitions)
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: tools

Hi,

I don't think any of the automatic transition trackers for the libstdcxx / GCC 5 packages are working correctly. Currently cmake has been rebuilt against both the new versions of GCC 5 and libjsoncpp, and shows up good on this tracker:
https://release.debian.org/transitions/html/libstdc++6.html

but bad on this tracker:
https://release.debian.org/transitions/html/auto-libjsoncpp.html

The auto-libjsoncpp ben file contains this:

is_affected = .depends ~ /libjsoncpp0v5|libjsoncpp0v5\-dbg|libjsoncpp0|libjsoncpp0\-dbg/;
is_good = .depends ~ /libjsoncpp0v5|libjsoncpp0v5\-dbg/;
is_bad = .depends ~ /libjsoncpp0|libjsoncpp0\-dbg/;

Here, packages depending on libjsoncpp0v5 match both the is_good and is_bad regexes so ben marks them as bad. The regexes for is_good and is_bad should probably have ^ and $ inserted before and after each package name to fix this.

Thanks,
James
Bug#794486: release.debian.org: auto transition trackers incorrectly handle addition of suffixes (including GCC 5 related transitions)
On Mon, 2015-08-03 at 18:09 +0200, Julien Cristau wrote:
> On Mon, Aug 3, 2015 at 16:44:32 +0100, James Cowgill wrote:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: tools
> >
> > Hi,
> >
> > I don't think any of the automatic transition trackers for the
> > libstdcxx / GCC 5 packages are working correctly. Currently cmake has
> > been rebuilt against both the new versions of GCC 5 and libjsoncpp, and
> > shows up good on this tracker:
> > https://release.debian.org/transitions/html/libstdc++6.html
> >
> > but bad on this tracker:
> > https://release.debian.org/transitions/html/auto-libjsoncpp.html
> >
> > The auto-libjsoncpp ben file contains this:
> >
> > is_affected = .depends ~ /libjsoncpp0v5|libjsoncpp0v5\-dbg|libjsoncpp0|libjsoncpp0\-dbg/;
> > is_good = .depends ~ /libjsoncpp0v5|libjsoncpp0v5\-dbg/;
> > is_bad = .depends ~ /libjsoncpp0|libjsoncpp0\-dbg/;
> >
> > Here, packages depending on libjsoncpp0v5 match both the is_good and
> > is_bad regexes so ben marks them as bad.
>
> I've made a manual tracker for libjsoncpp, see
> https://release.debian.org/transitions/html/libjsoncpp.html

That looks better. I tried one I suggested with ^ and $ and it didn't work properly, so I guess ben applies the regex to the entire Depends line? The automatic solution could be a little more complex than I thought.

> Any other broken ones?

After a quick skim these trackers are probably broken:
ccfits
csound
geos
libconfig
libdap
libgig
libmusicbrainz5
libquvi-scripts (not gcc 5)
log4cxx
spatialindex
wxwidgets3.0

James
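The mismatch discussed in this message and in the original report of #794486 above can be reproduced outside ben. What follows is an added example written for this page, not ben's own code nor anything from Debian's release tooling; it reimplements ben's good/bad/unaffected verdict as a plain Python function over constructed Depends fields (the cmake lines are made up for illustration) and shows three things: the unanchored is_good/is_bad patterns quoted from the auto-libjsoncpp ben file mark a package rebuilt against libjsoncpp0v5 as bad, because `libjsoncpp0` is a substring of `libjsoncpp0v5`; the `^`/`$` variant only works when each regex is applied to one package name at a time, not to the whole Depends line, which matches what was observed above; and a boundary-aware pattern (my own suggestion, not from the bug) that gives the right answer on the whole line. The precedence rule that any is_bad match wins is taken from the bug's description of ben's behaviour; `name_pattern` and the `unaffected` label are this example's inventions.

```python
import re

# Constructed sample Depends fields for illustration; not real archive data.
SAMPLE_DEPENDS = {
    "cmake-rebuilt": "libc6 (>= 2.14), libjsoncpp0v5 (>= 0.6.0~rc2), libstdc++6 (>= 5)",
    "cmake-old": "libc6 (>= 2.14), libjsoncpp0 (>= 0.6.0~rc2), libstdc++6 (>= 4.9)",
    "unrelated": "libc6 (>= 2.14), libpng12-0",
}

# The is_good / is_bad patterns exactly as quoted from the auto-libjsoncpp ben file.
BEN_GOOD = re.compile(r"libjsoncpp0v5|libjsoncpp0v5\-dbg")
BEN_BAD = re.compile(r"libjsoncpp0|libjsoncpp0\-dbg")

# The ^/$ variant suggested in the bug report: correct per package name,
# but it matches nothing when run against the whole Depends field.
ANCHORED_GOOD = re.compile(r"^(libjsoncpp0v5|libjsoncpp0v5\-dbg)$")
ANCHORED_BAD = re.compile(r"^(libjsoncpp0|libjsoncpp0\-dbg)$")


def name_pattern(names):
    """Match any of `names` only as a whole package name inside a Depends field.

    Debian package names are built from lower-case letters, digits, '+', '-'
    and '.', so a name ends wherever a character outside that set (or the end
    of the field) follows it. This delimiting rule is an assumption of this
    example, not something ben is known to do.
    """
    alts = "|".join(re.escape(n) for n in names)
    return re.compile(r"(?<![a-z0-9+.\-])(?:%s)(?![a-z0-9+.\-])" % alts)


BOUNDED_GOOD = name_pattern(["libjsoncpp0v5", "libjsoncpp0v5-dbg"])
BOUNDED_BAD = name_pattern(["libjsoncpp0", "libjsoncpp0-dbg"])


def classify(depends, good, bad):
    """Ben-style verdict on a whole Depends field: any is_bad hit wins."""
    if bad.search(depends):
        return "bad"
    if good.search(depends):
        return "good"
    return "unaffected"


def package_names(depends):
    """Bare package names from a Depends field, version constraints dropped."""
    return [re.sub(r"\s*\(.*?\)", "", alt).strip()
            for clause in depends.split(",")
            for alt in clause.split("|")]


def classify_per_name(depends, good, bad):
    """Same verdict, but each regex is applied to one package name at a time."""
    names = package_names(depends)
    if any(bad.search(n) for n in names):
        return "bad"
    if any(good.search(n) for n in names):
        return "good"
    return "unaffected"


if __name__ == "__main__":
    for pkg, dep in SAMPLE_DEPENDS.items():
        print(pkg,
              "| ben file:", classify(dep, BEN_GOOD, BEN_BAD),
              "| ^$ on whole line:", classify(dep, ANCHORED_GOOD, ANCHORED_BAD),
              "| ^$ per name:", classify_per_name(dep, ANCHORED_GOOD, ANCHORED_BAD),
              "| bounded on whole line:", classify(dep, BOUNDED_GOOD, BOUNDED_BAD))
```

Running it prints one line per sample: the rebuilt cmake comes out "bad" with the ben-file patterns, "unaffected" with `^`/`$` applied to the whole field, and "good" with either `^`/`$` per name or the boundary-aware pattern on the whole field. The lookbehind/lookahead form is what an automatic tracker would need if it keeps matching against the complete Depends line.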
Bug#736808: nmu: github-backup_1.20131203
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

github-backup is still compiled against libicu48 on some architectures

nmu github-backup_1.20131203 . amd64 i386 powerpc sparc . -m rebuild against libicu52

James

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Archive: http://lists.debian.org/1390771717.13046.1.camel@angel.local