Bug#1057175: transition: libsfml

2023-11-30 Thread James Cowgill
Package: release.debian.org
Control: affects -1 + src:libsfml
X-Debbugs-Cc: libs...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: transition
Severity: normal

Hi,

libsfml needs a transition due to an ABI bump from 2.5 to 2.6. It's
currently in experimental and built everywhere except mips64el where
it's waiting to be built.

The rdeps are:

casparcg-server (in contrib)
dolphin-emu
extremetuxracer
libcsfml
marsshooter
python-sfml
seriousproton

I did a test rebuild against 2.6 and everything builds on amd64 except
for seriousproton which already FTBFS for other reasons and is not in
testing.

The auto-libsfml tracker looks correct to me.

Thanks,
James

Ben file:

title = "libsfml";
is_affected = .depends ~ "libsfml-audio2.5" | .depends ~ "libsfml-graphics2.5" 
| .depends ~ "libsfml-network2.5" | .depends ~ "libsfml-system2.5" | .depends ~ 
"libsfml-window2.5" | .depends ~ "libsfml-audio2.6" | .depends ~ 
"libsfml-graphics2.6" | .depends ~ "libsfml-network2.6" | .depends ~ 
"libsfml-system2.6" | .depends ~ "libsfml-window2.6";
is_good = .depends ~ "libsfml-audio2.6" | .depends ~ "libsfml-graphics2.6" | 
.depends ~ "libsfml-network2.6" | .depends ~ "libsfml-system2.6" | .depends ~ 
"libsfml-window2.6";
is_bad = .depends ~ "libsfml-audio2.5" | .depends ~ "libsfml-graphics2.5" | 
.depends ~ "libsfml-network2.5" | .depends ~ "libsfml-system2.5" | .depends ~ 
"libsfml-window2.5";



Bug#884635: transition: libupnp

2018-11-05 Thread James Cowgill
Hi,

On 05/11/2018 17:28, Uwe Kleine-König wrote:
> Hello Emilio,
> 
> [adding jcowgill to recipients]
> 
> On 11/05/2018 04:37 PM, Emilio Pozuelo Monfort wrote:
>> Please get this started, and bump the bug severities to serious.
> 
> I never did a transition before, so I'm not entirely clear what should
> happen now.
> 
> The following steps should be done:
> 
> a) upload pupnp-1.8 providing libupnp-dev to unstable
> b) rebuild reverse dependencies of libupnp-dev
> c) remove src:libupnp from unstable
> d) remove src:libupnp from testing
> e) remove the binary packages of src:libupnp from unstable
> f) remove the binary packages of src:libupnp from testing
> g) for b in 884243 884996 912066 885025; do bts severity $b serious;done
> h) remove djmount and linux-igd from unstable and testing
> i) apply patch from 884996 to amule and upload to unstable

Yeah we can start this transition now that 1.8.4 was released (which
resolved the ABI related issues). I'll upload it soon.

The order is this:

a) I upload pupnp-1.8 (which "hijacks" libupnp-dev from src:libupnp)
g) Update bug severities
b) binNMU all rdeps of libupnp-dev
[time passes]
i) NMU amule / any other package if not fixed soon
[time passes - eventually all broken rdeps are autoremoved from testing]
d and f) Happen automatically at this point
[transition complete (with respect to testing)]
h) File requests to remove remaining packages
c and e) File request to remove src:libupnp

James





Bug#910271: transition: mbedtls

2018-10-04 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

mbedTLS needs a transition because upstream bumped the SONAME of
libmbedtls in 2.13 due to some symbol changes. I have also changed the
SONAME of libmbedcrypto to realign it with upstream. Previously upstream
had bumped the SONAME for no reason, so I reverted that change. Since we
now need a transition anyway, it seems sensible to me to use upstream's
SONAME again.

The auto-mbedtls transition tracker looks correct. These packages need
binNMUing:
 bctoolbox
 bibledit
 charybdis
 dislocker
 dolphin-emu
 gatling
 julia
 libgit2
 lief
 mongrel2
 ncbi-blast+
 ncbi-vdb
 neko
 shadowsocks-libev
 sra-sdk

All the packages build fine in a test rebuild except for dolphin-emu
which FTBFS for unrelated reasons which I will fix soon (#910268).

sra-sdk is waiting on this ftpmaster removal bug before it can migrate
to testing: #907266

Thanks,
James

Ben file:

title = "mbedtls";
is_affected = .depends ~ "libmbedcrypto1" | .depends ~ "libmbedtls10" |
.depends ~ "libmbedcrypto3" | .depends ~ "libmbedtls12";
is_good = .depends ~ "libmbedcrypto3" | .depends ~ "libmbedtls12";
is_bad = .depends ~ "libmbedcrypto1" | .depends ~ "libmbedtls10";


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
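The Ben file in the report above is what the transition tracker evaluates against each binary package's Depends field to sort reverse dependencies into good, bad and unaffected. As an added example, not the ben tool itself and not code from this bug, here is a small evaluator for that format, run over constructed Packages stanzas. Assumptions: only the `.depends ~ "name"` atoms joined by `|` that the auto-generated files use are supported, and a quoted name is taken to match when exactly that package name appears anywhere in Depends, alternatives included.

```python
"""Evaluate a Ben transition file (the is_affected / is_good / is_bad
predicates read by Debian's transition tracker) against Packages stanzas.
Added example, not the ben tool itself.  Assumptions: only the
'.depends ~ "name"' atoms joined with '|' that the auto-generated files on
this page use are supported, and a quoted name is taken to match when
exactly that package name appears anywhere in Depends (including inside
'a | b' alternatives)."""
import re

# Copy of the mbedtls Ben file from bug #910271.
BEN_FILE = '''
title = "mbedtls";
is_affected = .depends ~ "libmbedcrypto1" | .depends ~ "libmbedtls10" |
.depends ~ "libmbedcrypto3" | .depends ~ "libmbedtls12";
is_good = .depends ~ "libmbedcrypto3" | .depends ~ "libmbedtls12";
is_bad = .depends ~ "libmbedcrypto1" | .depends ~ "libmbedtls10";
'''

# Constructed sample stanzas in Packages-file format (not real archive data).
PACKAGES = '''
Package: dislocker
Version: 0.7.1-3+b1
Depends: libc6 (>= 2.14), libmbedcrypto3 (>= 2.13), libfuse2 (>= 2.8)

Package: gatling
Version: 0.15-1
Depends: libc6 (>= 2.17), libmbedtls10 (>= 2.0.0), libmbedcrypto1

Package: neko
Version: 2.2.0-2
Depends: libc6 (>= 2.4), libmbedtls12 | libmbedtls10, libgc1c2

Package: unrelated
Version: 1.0-1
Depends: libc6 (>= 2.4), zlib1g
'''

ATOM_RE = re.compile(r'\.depends\s*~\s*"([^"]+)"')


def parse_ben(text):
    """Return {rule_name: set(binary package names)} for each is_* rule.
    Statements end with ';' and may be wrapped over several lines."""
    rules = {}
    for stmt in text.replace('\n', ' ').split(';'):
        if '=' not in stmt:
            continue
        name, expr = (part.strip() for part in stmt.split('=', 1))
        if name.startswith('is_'):
            rules[name] = set(ATOM_RE.findall(expr))
    return rules


def depends_names(field):
    """Package names in a Depends field: every alternative of every
    'a | b' group counts; version constraints and :arch suffixes dropped."""
    names = set()
    for group in field.split(','):
        for alt in group.split('|'):
            words = alt.split()
            if words:
                names.add(words[0].split(':')[0])
    return names


def parse_packages(text):
    """Return {package: set(depends names)} from Packages-style stanzas."""
    pkgs = {}
    for stanza in re.split(r'\n\s*\n', text.strip()):
        fields = dict(line.split(': ', 1)
                      for line in stanza.splitlines() if ': ' in line)
        pkgs[fields['Package']] = depends_names(fields.get('Depends', ''))
    return pkgs


def classify(deps, rules):
    """Map one package's dependency set to a tracker bucket."""
    if not deps & rules['is_affected']:
        return 'unaffected'
    good = bool(deps & rules['is_good'])
    bad = bool(deps & rules['is_bad'])
    if good and bad:
        return 'mixed'       # depends on both the old and the new SONAME
    return 'good' if good else 'bad'


def transition_status(packages_text=PACKAGES, ben_text=BEN_FILE):
    """Classify every stanza in packages_text under the Ben rules."""
    rules = parse_ben(ben_text)
    return {pkg: classify(deps, rules)
            for pkg, deps in parse_packages(packages_text).items()}


if __name__ == '__main__':
    for pkg, status in sorted(transition_status().items()):
        print(f'{pkg:12} {status}')
```

A package in the `mixed` bucket (one alternative on each SONAME, as the constructed neko stanza shows) is the case worth eyeballing on the tracker, since a plain good/bad split hides it.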





Bug#893749: stretch-pu: package easytag/2.4.3-1+deb9u1

2018-09-25 Thread James Cowgill
Control: tags -1 - moreinfo

Hi,

Sorry for the delay. I completely forgot about this bug!

I've attached v2 of the patch to fix #855251. After submitting the
original stretch-pu bug, I discovered (after someone mentioned this on
the upstream bug report) the root cause and reverted the relevant
upstream commit. This fix has been in unstable since 2.4.3-4 (about 7
months) without any issues. I've done some brief testing in a stretch
build and it seems to work fine there as well.

Thanks,
James
diff -Nru easytag-2.4.3/debian/changelog easytag-2.4.3/debian/changelog
--- easytag-2.4.3/debian/changelog  2016-12-05 23:46:24.0 +
+++ easytag-2.4.3/debian/changelog  2018-09-24 18:31:35.0 +0100
@@ -1,3 +1,11 @@
+easytag (2.4.3-1+deb9u1) stretch; urgency=medium
+
+  * debian/patches:
+- Add patch to revert upstream commit which causes OGG corruption.
+  (Closes: #855251)
+
+ -- James Cowgill   Mon, 24 Sep 2018 18:31:35 +0100
+
 easytag (2.4.3-1) unstable; urgency=medium
 
   * New upstream release.
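Review bot: the changelog entry closes only #855251, while the DEP-3 header of the new patch further down also lists `Bug-Debian: https://bugs.debian.org/886272`; if the same revert fixes that report, add it to the `Closes:` list so the BTS closes it on upload.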
diff -Nru easytag-2.4.3/debian/gbp.conf easytag-2.4.3/debian/gbp.conf
--- easytag-2.4.3/debian/gbp.conf   2016-12-05 20:47:35.0 +
+++ easytag-2.4.3/debian/gbp.conf   2018-09-24 18:31:35.0 +0100
@@ -1,3 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 compression = xz
+debian-branch = debian/stretch
diff -Nru easytag-2.4.3/debian/patches/02_fix-ogg-corruption.patch 
easytag-2.4.3/debian/patches/02_fix-ogg-corruption.patch
--- easytag-2.4.3/debian/patches/02_fix-ogg-corruption.patch1970-01-01 
01:00:00.0 +0100
+++ easytag-2.4.3/debian/patches/02_fix-ogg-corruption.patch2018-09-24 
18:31:35.0 +0100
@@ -0,0 +1,241 @@
+Description: Revert upstream commit which causes OGG file corruption
+ Revert "Do not maintain an open handle on Ogg files"
+ This reverts commit e5c640ca3f259f1b74e716723345521987a7bd68.
+Author: James Cowgill 
+Author: David King 
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=776110
+Bug-Debian: https://bugs.debian.org/855251
+Bug-Debian: https://bugs.debian.org/886272
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/tags/vcedit.c
 b/src/tags/vcedit.c
+@@ -35,6 +35,7 @@
+ struct _EtOggState
+ {
+ /*< private >*/
++GFileInputStream *in;
+ #ifdef ENABLE_SPEEX
+ SpeexHeader *si;
+ #endif
+@@ -125,6 +126,11 @@ vcedit_clear_internals (EtOggState *stat
+ }
+ #endif /* ENABLE_OPUS */
+ 
++if (state->in)
++{
++g_object_unref (state->in);
++}
++
+ memset (state, 0, sizeof (*state));
+ }
+ 
+@@ -239,7 +245,6 @@ _blocksize (EtOggState *s,
+ 
+ static gboolean
+ _fetch_next_packet (EtOggState *s,
+-GInputStream *istream,
+ ogg_packet *p,
+ ogg_page *page,
+ GError **error)
+@@ -269,8 +274,8 @@ _fetch_next_packet (EtOggState *s,
+ while (ogg_sync_pageout (s->oy, page) <= 0)
+ {
+ buffer = ogg_sync_buffer (s->oy, CHUNKSIZE);
+-bytes = g_input_stream_read (istream, buffer, CHUNKSIZE, NULL,
+- error);
++bytes = g_input_stream_read (G_INPUT_STREAM (s->in), buffer,
++ CHUNKSIZE, NULL, error);
+ ogg_sync_wrote (s->oy, bytes);
+ 
+ if(bytes == 0)
+@@ -303,7 +308,7 @@ _fetch_next_packet (EtOggState *s,
+ 
+ g_assert (error == NULL || *error == NULL);
+ ogg_stream_pagein (s->os, page);
+-return _fetch_next_packet (s, istream, p, page, error);
++return _fetch_next_packet (s, p, page, error);
+ }
+ }
+ 
+@@ -402,13 +407,14 @@ vcedit_open (EtOggState *state,
+ return FALSE;
+ }
+ 
++state->in = istream;
+ state->oy = g_slice_new (ogg_sync_state);
+ ogg_sync_init (state->oy);
+ 
+ while(1)
+ {
+ buffer = ogg_sync_buffer (state->oy, CHUNKSIZE);
+-bytes = g_input_stream_read (G_INPUT_STREAM (istream), buffer,
++bytes = g_input_stream_read (G_INPUT_STREAM (state->in), buffer,
+  CHUNKSIZE, NULL, error);
+ if (bytes == -1)
+ {
+@@ -648,7 +654,7 @@ vcedit_open (EtOggState *state,
+ }
+ 
+ buffer = ogg_sync_buffer (state->oy, CHUNKSIZE);
+-bytes = g_input_stream_read (G_INPUT_STREAM (istream), buffer,
++bytes = g_input_stream_read (G_INPUT_STREAM (state->in), buffer,
+  CHUNKSIZE, NULL, error);
+ 
+ if (bytes == -1)
+@@ -670,14 +676,11 @@ vcedit_open (EtOggState *state,
+ 
+ /* Headers are done! */
+ g_assert (error == NULL || *error == NULL);
+-/* TODO: Handle error during stream close. */
+-g_object_unref (istream);
+ 
+ return TRUE;
+ 
+ err:
+ g_assert (error == NULL || *error != NULL);
+-g_object_unref (istream);
+ vcedit_clear
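Review bot: the early `return FALSE;` visible at the top of the `vcedit_open` hunk runs before `state->in = istream;`, and the patch removes the `g_object_unref (istream)` calls from both the success path and the `err:` label in favour of the unref added to `vcedit_clear_internals`, which only releases `state->in` once it has been assigned. Confirm that the error path taken before that assignment still drops its reference to `istream`, otherwise the revert trades the corruption bug for a stream leak. The patch text is also cut off at `vcedit_clear` in this archive copy, so the rest of the `err:` block could not be checked.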

Bug#898918: transition: libsfml

2018-05-17 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

libsfml 2.5 has bumped its SONAME and therefore needs a transition. The
package is in experimental and has not yet failed on any release
architecture (with mips64el and mipsel left to be built).

These packages will need binNMUs. They all build successfully.
 dolphin-emu
 extremetuxracer
 marsshooter
 python-sfml

The only other package is libcsfml but that will need a source upload
due to #898913. I maintain this package and the fix is already submitted
upstream. It is possible to fix this to work with both 2.4 and 2.5, but
I would rather use the "modern" CMake config files to fix it which are
only available in libsfml 2.5 so I would like to upload this package
after the transition has started (with strict build dependency).

The "auto-libsfml" transition in the transition tracker looks correct.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled





Bug#896893: transition: ffmpeg

2018-04-25 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

FFmpeg 4.0 is the new major release of FFmpeg and as such upstream has
bumped the SONAMEs of all libraries so there needs to be a transition.

The new package is in experimental. It currently has a few issues, but I
think all except one autopkgtest failure are fixed in git. I'll upload a
new version once that is fixed.

I performed a rebuild of all rdeps with a pre-release version of FFmpeg
three months ago and have just done another rebuild. I have filed the
bugs here (and will add them as blocking bugs of this bug):
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=ffmpeg-4.0-transition;users=debian-multime...@lists.debian.org

At the time of writing, there are 54 open bugs where packages FTBFS with
the new version. We could delay the transition a bit to reduce the
number of bugs before it starts, but given that it's been three months
since most were filed, I'm not sure how much that would help. Fixing all
of them myself sounds like a lot of work :)

The list of packages on the transition page looks about right.

Thanks,
James

Ben file:

title = "ffmpeg";
is_affected = .depends ~ "libavcodec57" | .depends ~
"libavcodec-extra57" | .depends ~ "libavfilter6" | .depends ~
"libavfilter-extra6" | .depends ~ "libavformat57" | .depends ~
"libavresample3" | .depends ~ "libavutil55" | .depends ~ "libpostproc54"
| .depends ~ "libswresample2" | .depends ~ "libswscale4" | .depends ~
"libavcodec58" | .depends ~ "libavcodec-extra58" | .depends ~
"libavfilter7" | .depends ~ "libavfilter-extra7" | .depends ~
"libavformat58" | .depends ~ "libavresample4" | .depends ~ "libavutil56"
| .depends ~ "libpostproc55" | .depends ~ "libswresample3" | .depends ~
"libswscale5";
is_good = .depends ~ "libavcodec58" | .depends ~ "libavcodec-extra58" |
.depends ~ "libavfilter7" | .depends ~ "libavfilter-extra7" | .depends ~
"libavformat58" | .depends ~ "libavresample4" | .depends ~ "libavutil56"
| .depends ~ "libpostproc55" | .depends ~ "libswresample3" | .depends ~
"libswscale5";
is_bad = .depends ~ "libavcodec57" | .depends ~ "libavcodec-extra57" |
.depends ~ "libavfilter6" | .depends ~ "libavfilter-extra6" | .depends ~
"libavformat57" | .depends ~ "libavresample3" | .depends ~ "libavutil55"
| .depends ~ "libpostproc54" | .depends ~ "libswresample2" | .depends ~
"libswscale4";


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled





Bug#895537: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u3

2018-04-12 Thread James Cowgill
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hi,

This fixes CVE-2018-10017 which is a security bug tagged as "no-DSA" by
the security team.

The fix is quite simple and looks correct to me. I've done some testing
to make sure things still work after this update.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog 
libopenmpt-0.2.7386~beta20.3/debian/changelog
--- libopenmpt-0.2.7386~beta20.3/debian/changelog   2017-07-15 
18:33:57.0 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/changelog   2018-04-12 
10:14:53.0 +0100
@@ -1,3 +1,10 @@
+libopenmpt (0.2.7386~beta20.3-3+deb9u3) stretch; urgency=medium
+
+  * Add patch to fix CVE-2018-10017 (Closes: #895406).
+- up11: Out-of-bounds read loading IT / MO3 files with many pattern loops.
+
+ -- James Cowgill <jcowg...@debian.org>  Thu, 12 Apr 2018 10:14:53 +0100
+
 libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium
 
   * Add security patches (Closes: #867579).
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series 
libopenmpt-0.2.7386~beta20.3/debian/patches/series
--- libopenmpt-0.2.7386~beta20.3/debian/patches/series  2017-07-15 
16:49:37.0 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/patches/series  2018-04-12 
10:13:10.0 +0100
@@ -6,3 +6,4 @@
 up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch
 up8-out-of-bounds-read-plm.patch
 up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
+up11-out-of-bounds-read-it-itp-mo3.patch
diff -Nru 
libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch
 
libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch
--- 
libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch
1970-01-01 01:00:00.0 +0100
+++ 
libopenmpt-0.2.7386~beta20.3/debian/patches/up11-out-of-bounds-read-it-itp-mo3.patch
2018-04-12 10:14:53.0 +0100
@@ -0,0 +1,20 @@
+Description: Fix CVE-2018-10017
+ See 
https://lib.openmpt.org/libopenmpt/2018/04/08/security-updates-0.3.8-0.2-beta31-0.2.7561-beta20.5-p8-0.2.7386-beta20.3-p11/
+ Fix possible out-of-bounds memory read with IT and MO3 files containing many
+ nested pattern loops.
+Origin: upstream, 
https://source.openmpt.org/browse/openmpt?op=revision=10042
+Bug-Debian: https://bugs.debian.org/895406
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/soundlib/Snd_fx.cpp
 b/soundlib/Snd_fx.cpp
+@@ -1042,7 +1042,8 @@ std::vector CSoundFile::G
+   if(GetType() == MOD_TYPE_IT)
+   {
+   // IT pattern loop start row update - at the 
end of a pattern loop, set pattern loop start to next row (for upcoming pattern 
loops with missing SB0)
+-  for(CHANNELINDEX nChn = 0; nChn < 
GetNumChannels(); nChn++)
++  pChn = memory.state.Chn;
++  for(CHANNELINDEX nChn = 0; nChn < 
GetNumChannels(); nChn++, pChn++)
+   {
+   if((pChn->rowCommand.command == 
CMD_S3MCMDEX && pChn->rowCommand.param >= 0xB1 && pChn->rowCommand.param <= 
0xBF))
+   {
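Review bot: the removed loop iterates `nChn` up to `GetNumChannels()` without ever advancing `pChn`, so every iteration read `pChn->rowCommand` through whatever pointer the enclosing code had left in `pChn` rather than through channel `nChn`; the added `pChn = memory.state.Chn;` before the loop and the `pChn++` in the loop step are what tie the read to the channel array, which is consistent with the out-of-bounds read the header describes. One nit in the DEP-3 header: the `Origin:` URL reads `?op=revision=10042`, which looks like a mangled query string; check that it resolves before upload.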




Bug#893749: stretch-pu: package easytag/2.4.3-1+deb9u1

2018-03-23 Thread James Cowgill
Control: tags -1 moreinfo

Hi,

On 22/03/18 00:05, James Cowgill wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> The purpose of this update to easytag is to fix #855251 where easytag
> will sometimes corrupt ogg (and related) files it tags. The corruption
> causes some of the music data to be overwritten near the start of the
> file. This causes an audible click and various tools print errors about
> trying to play a corrupt file. The upstream bug has now been open since
> late 2016, is apparently very difficult to fix (lots of code to be
> written) and there is no fix in progress which I can see.

A potential workaround for this has appeared which could mean we don't
have to disable OGG. Please ignore this bug until I've looked into it a
bit more.

Thanks,
James





Bug#893749: stretch-pu: package easytag/2.4.3-1+deb9u1

2018-03-21 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The purpose of this update to easytag is to fix #855251 where easytag
will sometimes corrupt ogg (and related) files it tags. The corruption
causes some of the music data to be overwritten near the start of the
file. This causes an audible click and various tools print errors about
trying to play a corrupt file. The upstream bug has now been open since
late 2016, is apparently very difficult to fix (lots of code to be
written) and there is no fix in progress which I can see. Due to this, I
have completely disabled ogg support in unstable and I think doing the
same in stable is the best course of action to prevent people from
corrupting their music collection.

Debdiff attached. It also contains a related change to the control file.
I thought about adding a NEWS entry but I wasn't sure (I did not add one
for unstable).

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mipsel

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru easytag-2.4.3/debian/changelog easytag-2.4.3/debian/changelog
--- easytag-2.4.3/debian/changelog  2016-12-05 23:46:24.0 +
+++ easytag-2.4.3/debian/changelog  2018-03-08 22:20:29.0 +
@@ -1,3 +1,13 @@
+easytag (2.4.3-1+deb9u1) stretch; urgency=medium
+
+  [ James Cowgill ]
+  * Disable OGG, OPUS and Speex. (Closes: #855251)
+
+  [ Bruno Kleinert ]
+  * Do not mention OGG support in package description. (Closes: #886369)
+
+ -- James Cowgill <jcowg...@debian.org>  Thu, 08 Mar 2018 22:20:29 +
+
 easytag (2.4.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru easytag-2.4.3/debian/control easytag-2.4.3/debian/control
--- easytag-2.4.3/debian/control2016-12-05 20:47:35.0 +
+++ easytag-2.4.3/debian/control2018-03-08 22:18:48.0 +
@@ -50,9 +50,8 @@
  .
  Currently EasyTAG supports the following:
   - View, edit, write tags of MP3, MP2 files (ID3 tag), FLAC files (FLAC Vorbis
-tag), Ogg Opus, Ogg Speex and Ogg Vorbis files (Ogg Vorbis tag),
-MP4/M4A/AAC files (MPEG-4 Part 10 tag), and MusePack, Monkey's Audio files
-(APE tag);
+tag), MP4/M4A/AAC files (MPEG-4 Part 10 tag), and MusePack, Monkey's Audio
+files (APE tag);
   - Auto tagging: parse file and directory names using masks to automatically
 fill in tag fields;
   - Cover art support for all formats;
@@ -72,6 +71,10 @@
   - A playlist generator window;
   - A file searching window;
   - Simple and explicit interface.
+ .
+ OGG support is currently disabled in this package because of a data corruption
+ bug. To edit tags in OGG files you may consider one of these packages: 
exfalso,
+ puddletag, kid3-qt, entagged.
 
 Package: easytag-nautilus
 Architecture: any
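Review bot: the added paragraph tells users that OGG support is disabled, but the debian/rules hunk in the same debdiff passes `--disable-ogg --disable-opus --disable-speex`, so Opus and Speex tagging is gone as well; say so in the description (the changelog entry already names all three) so users of those formats are not surprised.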
diff -Nru easytag-2.4.3/debian/gbp.conf easytag-2.4.3/debian/gbp.conf
--- easytag-2.4.3/debian/gbp.conf   2016-12-05 20:47:35.0 +
+++ easytag-2.4.3/debian/gbp.conf   2018-03-08 22:17:33.0 +
@@ -1,3 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 compression = xz
+debian-branch = debian/stretch
diff -Nru easytag-2.4.3/debian/rules easytag-2.4.3/debian/rules
--- easytag-2.4.3/debian/rules  2016-12-05 20:47:35.0 +
+++ easytag-2.4.3/debian/rules  2018-03-08 22:18:29.0 +
@@ -10,7 +10,9 @@
dh_autoreconf --as-needed
 
 override_dh_auto_configure:
-   dh_auto_configure -- --disable-silent-rules --disable-Werror
+   # OGG, OPUS and Speex disabled due to #855251
+   dh_auto_configure -- --disable-silent-rules --disable-Werror \
+   --disable-ogg --disable-opus --disable-speex
 
 override_dh_installdocs:
dh_installdocs --link-doc=easytag
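Review bot: the added `# OGG, OPUS and Speex disabled due to #855251` line sits inside the `override_dh_auto_configure` recipe, so make hands it to the shell as a command and echoes it into the build log instead of treating it as a makefile comment; harmless, but moving it above the target line, unindented, makes it a real comment.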




Bug#892703: nmu: lots of libraries on mips + mipsel for fpxx

2018-03-15 Thread James Cowgill
Hi,

On 15/03/18 10:27, Emilio Pozuelo Monfort wrote:
> All the rest scheduled now, with slightly decreased build priority so it 
> doesn't
> stall the rest of the packages for a couple of days. The build queue is
> practically empty anyway so these should build rather quickly.

Thanks!

> BTW you guys requested this during the stretch cycle in #825342, but in the 
> end
> closed it as not needed.

On Tue, 26 Jul 2016 12:39:11 +0800 YunQiang Su  wrote:
> Yes. It is a problem. It is due to my script detect some wrong files.
>
> While it seems that FPXX doesn't really stop our process to MIPS32r2,
> as we have some more Octeon machines.
>
> So this is our release goal, while not need binNMU now.

*sigh* It should not have been closed then. I guess I wasn't aware of
the bug or must have missed it. One of the advantages in FPXX was to
help work around some Loongson quirks and these were needed much less
after we increased the number of Octeon buildds. However the original
reason FPXX was created in the first place was for MSA where we still
needed the binNMUs.

James





Bug#892703: nmu: lots of libraries on mips + mipsel for fpxx

2018-03-14 Thread James Cowgill
Hi,

On 12/03/18 11:50, James Cowgill wrote:
> Control: retitle -1 nmu: lots of libraries on mips + mipsel for fpxx
> 
> [+ CC debian-mips]
> 
> Hi,
> 
> On Mon, 12 Mar 2018 12:15:38 +0800 YunQiang Su <wzss...@gmail.com> wrote:
>> Package: release.debian.org
>> User: release.debian@packages.debian.org
>> Usertags: binnmu
>> Severity: normal
>>
>> For mips and mipsel, we are working on FPXX migration, and this package
>> seems quite old,
>> So the rebuilding is needed to use the current default gcc options.
> 
> Background: FPXX was enabled in Debian in gcc-5 in the middle of 2015.
> FPXX needs to be enabled in all libraries loaded into the same address
> space to be able to use the alternative FR1 mode on 32-bit MIPS which is
> required to use MSA. Now some people have complained that MSA does not
> work in some complex packages because they depend on libraries without
> FPXX enabled.
> 
> I scanned the archive for libraries built without FPXX and that were last
> built over 2 years ago. I generated the following list of 201 packages
> which would be useful to binNMU on mips and mipsel. Does this seem
> reasonable?

I have binNMUed these 4 packages which I have seen complaints about. The
rest of the packages should still be done but are not as important.

ALREADY DONE
==
nmu uriparser_0.8.4-1 . mips mipsel . -m 'Rebuild with FPXX ABI'
nmu libglu_9.0.0-2.1 . mips mipsel . -m 'Rebuild with FPXX ABI'
nmu libxt_1:1.1.5-1 . mips mipsel . -m 'Rebuild with FPXX ABI'
nmu libxmu_2:1.1.2-2 . mips mipsel . -m 'Rebuild with FPXX ABI'
==

Thanks.
James





Bug#892703: nmu: lots of libraries on mips + mipsel for fpxx

2018-03-12 Thread James Cowgill
Control: retitle -1 nmu: lots of libraries on mips + mipsel for fpxx

[+ CC debian-mips]

Hi,

On Mon, 12 Mar 2018 12:15:38 +0800 YunQiang Su  wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: binnmu
> Severity: normal
> 
> For mips and mipsel, we are working on FPXX migration, and this package
> seems quite old,
> So the rebuilding is needed to use the current default gcc options.

Background: FPXX was enabled in Debian in gcc-5 in the middle of 2015.
FPXX needs to be enabled in all libraries loaded into the same address
space to be able to use the alternative FR1 mode on 32-bit MIPS which is
required to use MSA. Now some people have complained that MSA does not
work in some complex packages because they depend on libraries without
FPXX enabled.

I scanned the archive for libraries built without FPXX and that were last
built over 2 years ago. I generated the following list of 201 packages
which would be useful to binNMU on mips and mipsel. Does this seem
reasonable?

Thanks,
James



actor-framework
apache-mod-auth-ntlm-winbind
apache-upload-progress-module
apache2-mod-xforward
attica
avw.lv2
bambamc
biblesync
blepvco
bochs
buddy
chise-base
cl-uffi
clalsadrv
coinor-flopc++
coolkey
cowbell
cunit
cxxtools
dleyna-connector-dbus
dnscrypt-proxy
egenix-mx-base
evince-hwp
fdsend
flatzebra
flowcanvas
flxmlrpc
gadfly
gdome2
giggle
gkrellm2-cpufreq
gkrelltop
gnome-keyring-sharp
gnome-sharp2
goocanvas
gst-fluendo-mp3
gtk-nodoka-engine
gtkgl2
guifications
gumbo-parser
hyperic-sigar
ido
inotifyx
juman
kaa-base
kaa-imlib2
kaa-metadata
keybinder
kytea
lam
libapache-mod-auth-radius
libapache-mod-evasive
libapache2-mod-authnz-external
libapache2-mod-fcgid
libapache2-mod-ldap-userdir
libasr
libbase58
libcdaudio
libcddb
libchardet
libcli
libcommoncpp2
libcoverart
libdispatch
libdjconsole
libdockapp
libg15render
libglademm2.4
libglu
libgnomecanvasmm2.6
libgooglepinyin
libgrss
libhbaapi
libhbalinux
libidl
libinklevel
libkaz
liblastfm
liblbfgs
liblip
libmimic
libnetfilter-queue
libnss-pgsql
libnzb
libpcre++
libpqtypes
libpthread-workqueue
libpulse-java
librcc
libserial
libsignon-glib
libsnl
libtpl
libtrace3
libunibreak
libusb-java
libusbtc08
libverto
libview
libvistaio
libxdg-basedir
libxkbfile
libxmu
libxsettings
libxt
libydpdict
lua-wsapi
memchan
mlpy
mmpong
moblin-gtk-engine
mod-authz-securepass
mod-mime-xattr
mod-mono
mod-proxy-msrpc
mod-vhost-ldap
mono-fuse
moonshot-trust-router
muparser
notify-python
npapi-vlc
ntrack
ois
olsrd
openvpn-auth-radius
pam-dbus
pam-pgsql
pcapy
pidgin-latex
plasma-widget-yawp
proxychains
pyalsaaudio
pyao
pybluez
pychm
pyfribidi
pygpiv
pygts
pylibssh2
pymc
pymca
pymilter
pymtbl
pynifti
pyogg
pythia8
python-adns
python-biggles
python-cjson
python-clamav
python-geohash
python-lzma
python-omniorb
python-osd
python-pysqlite1.1
python-pysqlite2
python-pytc
python-sqlite
pyvorbis
pyxmpp
quixote
quixote1
rabbyt
rainbow
readline5
rfoo
rlog
roboptim-core
safe-iop
scgi
scim-m17n
scim-pinyin
scim-skk
scim-unikey
sciscipy
sfarklib
shhopt
sigx
smart
snack
sonata
spice-xpi
synopsis
tclex
thunar-media-tags-plugin
thunar-vcs-plugin
ucimf-sunpinyin
uriparser
usbtc08-python
wnn6-sdk
xbae
xfce4-cpugraph-plugin
xfce4-power-manager
xfce4-quicklauncher-plugin
xfce4-sensors-plugin
xfce4-systemload-plugin
xmpi
xpyb
yaml-cpp0.3
yorick-curses
yum-metadata-parser
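The FPXX requirement explained in the message above (every library mapped into a process must carry the FPXX floating-point ABI before FR1 mode, and hence MSA, can be used) is recorded per object in the `.MIPS.abiflags` section, which is what an archive scan like the one described can inspect. As an added example that is not code from this thread, here is a reader for that field with a constructed ELF32 object standing in for a real library; the field layout and value names are taken from the binutils MIPS ABI flags definitions, and objects old enough to predate the section are reported as unknown rather than parsed from `.gnu.attributes`.

```python
"""Report the floating-point ABI recorded in a MIPS ELF object's
.MIPS.abiflags section, which is how a build without FPXX (fp_abi != 5)
can be spotted without loading it.  Added example, not a tool from the
bug thread; a minimal ELF is constructed inline so it runs offline.
Field layout and fp_abi values follow the MIPS ABI flags structure as
emitted by binutils (Val_GNU_MIPS_ABI_FP_*).  Objects predating
.MIPS.abiflags only carry the FP ABI in .gnu.attributes, which this
example does not parse."""
import struct

EM_MIPS = 8
FP_XX = 5
FP_ABI_NAMES = {0: "any", 1: "double (FR0)", 2: "single", 3: "soft",
                4: "old 64-bit", 5: "FPXX", 6: "FP64", 7: "FP64A"}


def _layout(ident):
    """Struct formats for the ELF header (after e_ident) and one section
    header, chosen from EI_CLASS (byte 4) and EI_DATA (byte 5)."""
    end = "<" if ident[5] == 1 else ">"
    if ident[4] == 1:                          # ELFCLASS32: o32 mips/mipsel
        return end + "HHIIIIIHHHHHH", end + "IIIIIIIIII"
    return end + "HHIQQQIHHHHHH", end + "IIQQQQIIQQ"   # ELFCLASS64


def mips_fp_abi(elf):
    """Return the fp_abi byte from .MIPS.abiflags, or None if the object
    has no such section."""
    ident = elf[:16]
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ehdr_fmt, shdr_fmt = _layout(ident)
    eh = struct.unpack_from(ehdr_fmt, elf, 16)
    e_machine, e_shoff, e_shentsize, e_shnum, e_shstrndx = (
        eh[1], eh[5], eh[10], eh[11], eh[12])
    if e_machine != EM_MIPS:
        raise ValueError("not a MIPS object")
    shdrs = [struct.unpack_from(shdr_fmt, elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    names_off = shdrs[e_shstrndx][4]               # sh_offset of .shstrtab
    for sh in shdrs:
        start = names_off + sh[0]                  # sh_name indexes .shstrtab
        name = elf[start:elf.index(b"\0", start)]
        if name == b".MIPS.abiflags":
            # Elf_Mips_ABIFlags_v0: version(u16) isa_level isa_rev gpr_size
            # cpr1_size cpr2_size fp_abi ...  so fp_abi is byte 7
            return elf[sh[4] + 7]
    return None


def fp_abi_name(elf):
    abi = mips_fp_abi(elf)
    if abi is None:
        return "unknown (no .MIPS.abiflags; check .gnu.attributes)"
    return FP_ABI_NAMES.get(abi, f"reserved ({abi})")


def built_with_fpxx(elf):
    return mips_fp_abi(elf) == FP_XX


def make_test_elf(fp_abi, little_endian=True):
    """Construct (test data, not a real build product) a minimal ELF32 MIPS
    object holding only a .MIPS.abiflags section and the section-name table."""
    end = "<" if little_endian else ">"
    shstrtab = b"\0.MIPS.abiflags\0.shstrtab\0"   # name indexes 1 and 16
    abiflags = struct.pack(end + "HBBBBBBIIII",
                           0, 32, 2, 1, 1, 0, fp_abi, 0, 0, 0, 0)
    ehdr_size, shdr_size = 52, 40
    abi_off = ehdr_size
    str_off = abi_off + len(abiflags)
    sh_off = (str_off + len(shstrtab) + 3) & ~3
    ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 1, EM_MIPS, 1, 0, 0,
                               sh_off, 0, ehdr_size, 0, 0, shdr_size, 3, 2)
    shdr = end + "IIIIIIIIII"
    shdrs = (struct.pack(shdr, *([0] * 10))
             + struct.pack(shdr, 1, 0x7000002A, 2, 0, abi_off,
                           len(abiflags), 0, 0, 8, 24)
             + struct.pack(shdr, 16, 3, 0, 0, str_off, len(shstrtab),
                           0, 0, 1, 0))
    body = ehdr + abiflags + shstrtab
    return body + b"\0" * (sh_off - len(body)) + shdrs


if __name__ == "__main__":
    for abi in (1, 5):
        print(abi, fp_abi_name(make_test_elf(abi)))
```

Both mips (big-endian) and mipsel (little-endian) objects are handled, since the byte order is read from e_ident rather than assumed.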



Bug#890448: transition: mbedtls

2018-02-15 Thread James Cowgill
On 15/02/18 17:47, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
> 
> On 14/02/18 22:01, James Cowgill wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>>
>> Hi,
>>
>> mbedtls bumped the SONAME of one of its libraries (libmbedcrypto) so it
>> needs a transition. The new version is currently in experimental.
>>
>> These reverse dependencies built successfully first time:
>> charybdis
>> dislocker
>> dolphin-emu
>> gatling
>> ncbi-vdb
>> neko
>> shadowsocks-libev
>>
>> bctoolbox was fixed about an hour ago (#890417).
>>
>> mongrel2 still fails, but this is caused by an mbedtls bug which I have
>> queued up ready to upload (the fix is obvious):
>> https://salsa.debian.org/debian/mbedtls/commit/f2769d8c7cb1edb2a8e6fb3e6d8527638550927d
> 
> Go ahead.

Thanks. I've uploaded it.

James





Bug#890448: transition: mbedtls

2018-02-14 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

mbedtls bumped the SONAME of one of its libraries (libmbedcrypto) so it
needs a transition. The new version is currently in experimental.

These reverse dependencies built successfully first time:
charybdis
dislocker
dolphin-emu
gatling
ncbi-vdb
neko
shadowsocks-libev

bctoolbox was fixed about an hour ago (#890417).

mongrel2 still fails, but this is caused by an mbedtls bug which I have
queued up ready to upload (the fix is obvious):
https://salsa.debian.org/debian/mbedtls/commit/f2769d8c7cb1edb2a8e6fb3e6d8527638550927d

Thanks,
James

Ben file:

title = "mbedtls";
is_affected = .depends ~ "libmbedcrypto0" | .depends ~ "libmbedcrypto1";
is_good = .depends ~ "libmbedcrypto1";
is_bad = .depends ~ "libmbedcrypto0";


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled





Bug#886237: transition: libgig

2018-01-03 Thread James Cowgill
Hi Mattia,

On 03/01/18 13:18, Mattia Rizzolo wrote:
> Control: tag -1 moreinfo
> 
> On Wed, Jan 03, 2018 at 12:55:40PM +0100, Jaromír Mikeš wrote:
>> Can I upload new upstream version of gigedit now to experimental? ...
>> I am not DD just having DM flag for qsampler
> 
> Usually uploading to experimental comes *before* opening a transition
> bug.
> Please upload to experimental and ping this bug once it passed new (and
> the reverse-depends still builds fine).

I think you have misunderstood. libgig is the library undergoing a
transition and is already in experimental. gigedit is a reverse
dependency of libgig which currently FTBFS but a fix is ready to be
uploaded.

Thanks,
James





Bug#885533: jessie-pu: package soundtouch/1.8.0-1+deb8u1

2017-12-27 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[This is #885531 but for jessie instead of stretch]

This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856,
and #870857. I have tested the package on jessie and with the attached
debdiff, soundstretch still works and the proof of concepts for the 3
security issues behave correctly now.

The patch under debian/patches uses DOS line endings because the file it
modifies also uses DOS line endings.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru soundtouch-1.8.0/debian/changelog soundtouch-1.8.0/debian/changelog
--- soundtouch-1.8.0/debian/changelog   2014-06-21 13:58:52.0 +0100
+++ soundtouch-1.8.0/debian/changelog   2017-12-27 16:37:31.0 +
@@ -1,3 +1,13 @@
+soundtouch (1.8.0-1+deb8u1) jessie; urgency=medium
+
+  [ Gabor Karsay ]
+  * Add patch to fix
+- CVE-2017-9258 (Closes: #870854)
+- CVE-2017-9259 (Closes: #870856)
+- CVE-2017-9260 (Closes: #870857)
+
+ -- James Cowgill <jcowg...@debian.org>  Wed, 27 Dec 2017 16:37:31 +
+
 soundtouch (1.8.0-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 
soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch
--- soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 1970-01-01 
01:00:00.0 +0100
+++ soundtouch-1.8.0/debian/patches/cve-2017-92xx.patch 2017-12-27 
16:37:31.0 +
@@ -0,0 +1,36 @@
+Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
+ Based on an upstream commit, original commit message was: "Added sanity
+ checks against illegal input audio stream parameters e.g. wildly excessive
+ samplerate".
+ . 
+ There is no reference to CVEs or bugs, the commit was made after disclosure
+ of the CVEs and all three proofs of concept (crafted wav files) fail after
+ this commit.
+ . 
+ The commit was made after version 2.0.0, so that version is also vulnerable.
+ .
+ Unrelated changes were stripped away by patch author, upstream commit author
+ is Olli Parviainen <oparv...@iki.fi>.
+Author: Gabor Karsay <gabor.kar...@gmx.at>
+Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/source/SoundTouch/TDStretch.cpp
 b/source/SoundTouch/TDStretch.cpp
+@@ -126,7 +126,12 @@ void TDStretch::setParameters(int aSampl
+   int aSeekWindowMS, int aOverlapMS)
+ {
+ // accept only positive parameter values - if zero or negative, use old 
values instead
+-if (aSampleRate > 0)   this->sampleRate = aSampleRate;
++if (aSampleRate > 0)
++{
++if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive 
samplerate");
++this->sampleRate = aSampleRate;
++}
++
+ if (aOverlapMS > 0)this->overlapMs = aOverlapMS;
+ 
+ if (aSequenceMS > 0)
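Review bot: the comment 'accept only positive parameter values - if zero or negative, use old values instead' directly above the new block is now inaccurate, because a sample rate above 192000 neither keeps the old value nor is ignored but throws via ST_THROW_RT_ERROR; reword it in the same hunk, e.g. '... use old values instead; reject absurd sample rates'. Separately, the rejection now surfaces as a C++ runtime error out of setParameters rather than a return code, so the DEP-3 header should say how that error is handled for a crafted file in soundstretch (which the request says still works), since an uncaught exception would merely be a different way to terminate.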
diff -Nru soundtouch-1.8.0/debian/patches/series 
soundtouch-1.8.0/debian/patches/series
--- soundtouch-1.8.0/debian/patches/series  2014-06-21 13:58:33.0 
+0100
+++ soundtouch-1.8.0/debian/patches/series  2017-12-27 16:37:31.0 
+
@@ -1,2 +1,3 @@
 dont-use-integers-if-softfp.patch
 fix-fp-rounding-error.patch
+cve-2017-92xx.patch




Bug#885531: stretch-pu: package soundtouch/1.9.2-2+deb9u1

2017-12-27 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This soundtouch update fixes 3 no-DSA security bugs: #870854, #870856,
and #870857. I have tested the package on stretch and with the attached
debdiff, soundstretch still works and the proof of concepts for the 3
security issues behave correctly now.

The patch under debian/patches uses DOS line endings because the file it
modifies also uses DOS line endings.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru soundtouch-1.9.2/debian/changelog soundtouch-1.9.2/debian/changelog
--- soundtouch-1.9.2/debian/changelog   2015-09-28 15:13:28.0 +0100
+++ soundtouch-1.9.2/debian/changelog   2017-12-27 16:34:15.0 +
@@ -1,3 +1,13 @@
+soundtouch (1.9.2-2+deb9u1) stretch; urgency=medium
+
+  [ Gabor Karsay ]
+  * Add patch to fix
+- CVE-2017-9258 (Closes: #870854)
+- CVE-2017-9259 (Closes: #870856)
+- CVE-2017-9260 (Closes: #870857)
+
+ -- James Cowgill <jcowg...@debian.org>  Wed, 27 Dec 2017 16:34:15 +
+
 soundtouch (1.9.2-2) unstable; urgency=medium
 
   * Upload to unstable.
diff -Nru soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 
soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch
--- soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 1970-01-01 
01:00:00.0 +0100
+++ soundtouch-1.9.2/debian/patches/cve-2017-92xx.patch 2017-12-27 
16:34:15.0 +
@@ -0,0 +1,36 @@
+Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
+ Based on an upstream commit, original commit message was: "Added sanity
+ checks against illegal input audio stream parameters e.g. wildly excessive
+ samplerate".
+ . 
+ There is no reference to CVEs or bugs, the commit was made after disclosure
+ of the CVEs and all three proofs of concept (crafted wav files) fail after
+ this commit.
+ . 
+ The commit was made after version 2.0.0, so that version is also vulnerable.
+ .
+ Unrelated changes were stripped away by patch author, upstream commit author
+ is Olli Parviainen <oparv...@iki.fi>.
+Author: Gabor Karsay <gabor.kar...@gmx.at>
+Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/source/SoundTouch/TDStretch.cpp
 b/source/SoundTouch/TDStretch.cpp
+@@ -128,7 +128,12 @@
+   int aSeekWindowMS, int aOverlapMS)
+ {
+ // accept only positive parameter values - if zero or negative, use old 
values instead
+-if (aSampleRate > 0)   this->sampleRate = aSampleRate;
++if (aSampleRate > 0)
++{
++if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive 
samplerate");
++this->sampleRate = aSampleRate;
++}
++
+ if (aOverlapMS > 0)this->overlapMs = aOverlapMS;
+ 
+ if (aSequenceMS > 0)
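Review bot: the quoted upstream commit message speaks of sanity 'checks' in the plural, yet the hunk keeps only the sample-rate bound and the header says unrelated changes were stripped; state which other checks were dropped and why the three crafted-wav proofs of concept do not need them, so a later reader can tell a deliberate omission from a lost hunk. The comment 'if zero or negative, use old values instead' above the new block is also stale now that rates over 192000 throw ST_THROW_RT_ERROR instead of being kept or ignored.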
diff -Nru soundtouch-1.9.2/debian/patches/series 
soundtouch-1.9.2/debian/patches/series
--- soundtouch-1.9.2/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ soundtouch-1.9.2/debian/patches/series  2017-12-27 16:34:15.0 
+
@@ -0,0 +1 @@
+cve-2017-92xx.patch


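The sample-rate sanity check in the soundtouch patch above (the same patch appears in the jessie and stretch requests) guards one parameter deep inside TDStretch. As an added example, not soundtouch code and not part of either bug report, here is the same class of check done at the file-parsing boundary: a minimal RIFF/WAVE fmt-chunk parser in C that fails closed with an error return instead of a thrown exception. The 192000 Hz ceiling is taken from the patch; the channel and bit-depth limits, the function names, and the constructed headers used as input are my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not soundtouch code. 192000 comes from the patch; the
 * channel and bit-depth limits below are assumptions for this example. */
#define WAV_MAX_SAMPLE_RATE 192000u
#define WAV_MAX_CHANNELS    8u

enum {
    WAV_OK        =  0,
    WAV_ERR_SHORT = -1,   /* buffer or chunk shorter than it claims */
    WAV_ERR_MAGIC = -2,   /* not a RIFF/WAVE file */
    WAV_ERR_NOFMT = -3,   /* no fmt chunk before end of buffer */
    WAV_ERR_PARAM = -4    /* sample rate / channels / bit depth out of range */
};

typedef struct {
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t bits_per_sample;
} wav_fmt;

/* Little-endian helpers that never shift a promoted signed int. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Walk the chunk list, validate the fmt chunk, reject anything absurd. */
int wav_parse_fmt(const uint8_t *buf, size_t len, wav_fmt *out) {
    if (len < 12) return WAV_ERR_SHORT;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return WAV_ERR_MAGIC;

    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t csize = rd32(buf + off + 4);
        /* A chunk may not claim more bytes than remain; this caps every later index. */
        if (csize > len - off - 8) return WAV_ERR_SHORT;

        if (memcmp(buf + off, "fmt ", 4) == 0) {
            if (csize < 16) return WAV_ERR_SHORT;      /* PCM fmt body is 16 bytes */
            const uint8_t *f = buf + off + 8;
            out->channels        = rd16(f + 2);
            out->sample_rate     = rd32(f + 4);
            out->bits_per_sample = rd16(f + 14);

            if (out->channels == 0 || out->channels > WAV_MAX_CHANNELS)
                return WAV_ERR_PARAM;
            if (out->sample_rate == 0 || out->sample_rate > WAV_MAX_SAMPLE_RATE)
                return WAV_ERR_PARAM;
            if (out->bits_per_sample != 8 && out->bits_per_sample != 16 &&
                out->bits_per_sample != 24 && out->bits_per_sample != 32)
                return WAV_ERR_PARAM;
            return WAV_OK;
        }
        off += 8 + csize + (csize & 1);   /* RIFF chunks are padded to even length */
    }
    return WAV_ERR_NOFMT;
}

/* Constructed 44-byte canonical PCM header, used as sample input (not a real file). */
size_t wav_build_header(uint8_t out[44], uint16_t channels, uint32_t rate, uint16_t bits) {
    uint32_t block_align = (uint32_t)channels * bits / 8;
    memcpy(out, "RIFF", 4);      wr32(out + 4, 36);   memcpy(out + 8, "WAVE", 4);
    memcpy(out + 12, "fmt ", 4); wr32(out + 16, 16);
    wr16(out + 20, 1);           wr16(out + 22, channels);
    wr32(out + 24, rate);        wr32(out + 28, rate * block_align); /* wraps for crafted rates; intended */
    wr16(out + 32, (uint16_t)block_align); wr16(out + 34, bits);
    memcpy(out + 36, "data", 4); wr32(out + 40, 0);
    return 44;
}

/* Build a header with the given parameters and parse it; returns a WAV_* code. */
int wav_check_params(uint16_t channels, uint32_t rate, uint16_t bits) {
    uint8_t hdr[44];
    wav_fmt fmt;
    size_t n = wav_build_header(hdr, channels, rate, bits);
    return wav_parse_fmt(hdr, n, &fmt);
}

/* A header cut off inside the fmt chunk must fail closed, not read past the end. */
int wav_check_truncated(void) {
    uint8_t hdr[44];
    wav_fmt fmt;
    wav_build_header(hdr, 2, 44100, 16);
    return wav_parse_fmt(hdr, 20, &fmt);   /* fmt chunk claims 16 bytes, 0 remain */
}

int main(void) {
    printf("44100 Hz stereo 16-bit : %d\n", wav_check_params(2, 44100, 16));
    printf("0xFFFFFFFF Hz (crafted): %d\n", wav_check_params(1, 0xFFFFFFFFu, 16));
    printf("0 channels (crafted)   : %d\n", wav_check_params(0, 44100, 16));
    printf("truncated header       : %d\n", wav_check_truncated());
    return 0;
}
```

The point of checking at the parser rather than inside the DSP object is that the rejection is an ordinary return code the caller can report, and the chunk-size bound is enforced before any field of the chunk is read, so a crafted size cannot move later reads past the buffer.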


Bug#884635: transition: libupnp

2017-12-17 Thread James Cowgill
Control: block -1 by 882377 884252 884243 884245 884246 884247 884248
Control: block -1 by 884249 884250 884251

Hi,

On 17/12/17 21:07, Uwe Kleine-König wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Hello,
> 
> Currently there are two versions of libupnp in the archive:
> 
>  - src:libupnp providing the 1.6.x branch of libupnp which is considered
>legacy by upstream
>  - src:pupnp-1.8 providing the 1.8.x branch of libupnp
> 
> I want to get rid of libupnp6 converting all rdeps to the newer libupnp
> package.
> 
> There are not that many reverse dependencies for libupnp6:
[...]
> I know about mpd upstream already supporting both versions. The Debian
> maintainer of vlc already invested some work in making vlc support both
> versions. I'm about to send a bug about silverjuke with a patch
> implementing a simple conversion which makes it support both versions.
> The Debian maintainer of wmaloader asked me to report an RM bug.

I've added blocks for the bugs I think need to be fixed before starting
the transition. Most were filed by Sebastian Ramacher who (very kindly)
did a rebuild of all the rdeps against pupnp 1.8. mpd, silverjuke and
wmaloader all have bugs already filed against them.

> James Cowgill (= maintainer of src:pupnp-1.8) already uploaded a version
> of src:pupnp-1.8 providing libupnp-dev to experimental.
> https://release.debian.org/transitions/ doesn't have an automatic
> transition though (probably because there are two packages involved).
> 
> Ben file:
> 
> title = "libupnp";
> is_affected = .depends ~ "libupnp6" | .depends ~ "libupnp10";
> is_good = .depends ~ "libupnp10";
> is_bad = .depends ~ "libupnp6";

One slight issue is #882377. In pupnp 1.8.3 upstream broke the ABI which
I pointed out to them. As a result they have bumped the SONAME in
upstream git (not yet released). To avoid having to do two transitions,
we should wait to use the new SONAME. Since the damage is already done,
I guess we could use the new SONAME right now, although I am always a
little cautious in doing that in case upstream changes something else :)
In any case, the ben file will need to be changed at some point.

Also thanks to the people working on this. I know I haven't done as much
as I probably should be doing.

Thanks,
James





Bug#868468: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u2

2017-07-15 Thread James Cowgill
On 15/07/17 20:50, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2017-07-15 at 20:37 +0100, James Cowgill wrote:
>> Some more security issues were discovered in libopenmpt so it will need
>> another stretch update. One of the issues looked potentially serious so
>> I had CVE-2017-11311 allocated for it. That CVE has been marked as
>> no-dsa by the security team.
>>
>> Also, sorry this is pretty late for 9.1.
> 
> It is, but if it's uploaded in time then it still might make it.

Thank you! Uploaded.

James





Bug#868468: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u2

2017-07-15 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Some more security issues were discovered in libopenmpt so it will need
another stretch update. One of the issues looked potentially serious so
I had CVE-2017-11311 allocated for it. That CVE has been marked as
no-dsa by the security team.

Also, sorry this is pretty late for 9.1.

Debdiff against 0.2.7386~beta20.3-3+deb9u1 (which is already in
stretch-pu) attached.

Thanks,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (500, 'stable'), (500, 'oldstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog 
libopenmpt-0.2.7386~beta20.3/debian/changelog
--- libopenmpt-0.2.7386~beta20.3/debian/changelog   2017-06-20 
08:58:50.0 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/changelog   2017-07-15 
18:33:57.0 +0100
@@ -1,3 +1,11 @@
+libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium
+
+  * Add security patches (Closes: #867579).
+- up8: Out-of-bounds read while loading a malfomed PLM file.
+- up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file.
+
+ -- James Cowgill <jcowg...@debian.org>  Sat, 15 Jul 2017 18:33:57 +0100
+
 libopenmpt (0.2.7386~beta20.3-3+deb9u1) stretch; urgency=medium
 
   * Add various security patches (Closes: #864195).
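Review bot: typo in the up8 line of the new changelog entry, 'malfomed' should read 'malformed'.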
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series 
libopenmpt-0.2.7386~beta20.3/debian/patches/series
--- libopenmpt-0.2.7386~beta20.3/debian/patches/series  2017-06-20 
08:58:50.0 +0100
+++ libopenmpt-0.2.7386~beta20.3/debian/patches/series  2017-07-15 
16:49:37.0 +0100
@@ -4,3 +4,5 @@
 up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch
 up5-excessive-cpu-consumption-on-malformed-files-ams.patch
 up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch
+up8-out-of-bounds-read-plm.patch
+up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
diff -Nru 
libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
 
libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
--- 
libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
  1970-01-01 01:00:00.0 +0100
+++ 
libopenmpt-0.2.7386~beta20.3/debian/patches/up10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch
  2017-07-15 17:59:44.0 +0100
@@ -0,0 +1,30 @@
+Description: Fix CVE-2017-11311
+ See https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html
+ Fix heap buffer overflow which may allow arbitrary code execution via a
+ crafted PSM File.
+Origin: upstream, 
https://source.openmpt.org/browse/openmpt?op=revision=8460
+Bug-Debian: https://bugs.debian.org/867579
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/soundlib/Load_psm.cpp
 b/soundlib/Load_psm.cpp
+@@ -1187,15 +1187,16 @@ bool CSoundFile::ReadPSM16(FileReader 
+   }
+ 
+   SAMPLEINDEX smp = sampleHeader.sampleNumber;
+-  if(smp < MAX_SAMPLES)
++  if(smp > 0 && smp < MAX_SAMPLES)
+   {
+   m_nSamples = std::max(m_nSamples, smp);
+ 
+-  
mpt::String::Read(m_szNames[smp], 
sampleHeader.name);
+   sampleHeader.ConvertToMPT(Samples[smp]);
++  
mpt::String::Read(m_szNames[smp], 
sampleHeader.name);
+ 
+-  if((loadFlags & loadSampleData) && 
file.Seek(sampleHeader.offset))
++  if(loadFlags & loadSampleData)
+   {
++  file.Seek(sampleHeader.offset);
+   
sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file);
+   }
+   }
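Review bot: besides the smp > 0 lower bound that the description covers, the hunk makes two further changes it does not explain: the file.Seek(sampleHeader.offset) result is no longer checked before ReadSample is called, and mpt::String::Read(m_szNames[smp], ...) is moved after sampleHeader.ConvertToMPT(Samples[smp]). Add a sentence for each (why a failed seek is safe to ignore here, and what ConvertToMPT would otherwise overwrite), pointing at upstream r8460 if that is where the reasoning lives, so the stable update can be reviewed without the upstream tree.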
diff -Nru 
libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch 
libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch
--- 
libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch
1970-01-01 01:00:00.0 +0100
+++ 
libopenmpt-0.2.7386~beta20.3/debian/patches/up8-out-of-bounds-read-plm.patch
2017-07-15 18:04:11.0 +0100
@@ -0,0 +1,25 @@
+Descriptio

Bug#865355: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u1

2017-06-26 Thread James Cowgill
Hi again,

On 25/06/17 23:11, James Cowgill wrote:
> On 25/06/17 22:46, Cyril Brulebois wrote:
>> James Cowgill <jcowg...@debian.org> (2017-06-20):
>>> This update contains a number of security fixes to libopenmpt which
>>> upstream has specifically asked me to get into stretch. Upstream asked
>>> me to fix these earlier this month and since none of them looked
>>> "critical" I decided to wait and file a stretch-pu bug (although maybe
>>> I was a little lazy...) The worst bugs fixed here are NULL pointer
>>> dereferences - I don't think there is any remote code execution here.
>>
>> I suspect it would be best to check with the security team anyway?
> 
> OK I've asked them in the original bug report.

Salvatore Bonaccorso replied and said this was OK to do in a point release.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#72

Thanks,
James





Bug#865355: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u1

2017-06-25 Thread James Cowgill
Hi,

On 25/06/17 22:46, Cyril Brulebois wrote:
> James Cowgill <jcowg...@debian.org> (2017-06-20):
>> This update contains a number of security fixes to libopenmpt which
>> upstream has specifically asked me to get into stretch. Upstream asked
>> me to fix these earlier this month and since none of them looked
>> "critical" I decided to wait and file a stretch-pu bug (although maybe
>> I was a little lazy...) The worst bugs fixed here are NULL pointer
>> dereferences - I don't think there is any remote code execution here.
> 
> I suspect it would be best to check with the security team anyway?

OK I've asked them in the original bug report.

>> Upstream kindly backported all the fixes to the version Debian has in
>> stretch and they were taken from this announcement:
>> https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html
>>
>> I omitted 2 patches which seem to be impossible to exploit or which
>> only have minor cosmetic effects.
>>
>> Debdiff attached.
>>
> 
> Patch: 
> debian/patches/up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch
>> --- 
>> libopenmpt-0.2.7386~beta20.3/debian/patches/up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch
>>1970-01-01 01:00:00.0 +0100
>> +++ 
>> libopenmpt-0.2.7386~beta20.3/debian/patches/up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch
>>2017-06-20 08:58:50.0 +0100
>> @@ -0,0 +1,351 @@
>> +Description: Fix excessive CPU consumption on malformed DMF and MDL files
>> + See https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html
>> + This patch prevents loading of DMF and MDL modules taking multiple minutes 
>> if
>> + the module contains truncated compressed samples.
>> +Origin: upstream, 
>> https://source.openmpt.org/browse/openmpt?op=revision=8237
>> +Bug-Debian: https://bugs.debian.org/864195
>> +---
>> +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
>> +--- a/soundlib/Load_dmf.cpp
>>  b/soundlib/Load_dmf.cpp
>> +@@ -16,6 +16,7 @@
>> + #include "stdafx.h"
>> + #include "Loaders.h"
>> + #include "ChunkReader.h"
>> ++#include 
>> + 
>> + OPENMPT_NAMESPACE_BEGIN
>> + 
>> +@@ -1087,68 +1088,66 @@ struct DMFHTree
>> +int bitnum;
>> +int lastnode, nodecount;
>> +DMFHNode nodes[256];
>> +-};
>> +-
> 
> ^^^ This update seems to be putting DMFReadBits() and DMFNewNode()
> functions “inside” the DMFHTree struct? I'm not a C overlord, but that's
> a construction I haven't seen yet. :)

It's perfectly legal in C++ though :)

> Anyway all I could spot was this structure update, and a function
> signature update, both of which not being exported as far as I can tell.
> 
> So that looks good to me, except for the security team question in my
> first paragraph.

Thanks,
James





Bug#865355: stretch-pu: package libopenmpt/0.2.7386~beta20.3-3+deb9u1

2017-06-20 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This update contains a number of security fixes to libopenmpt which
upstream has specifically asked me to get into stretch. Upstream asked
me to fix these earlier this month and since none of them looked
"critical" I decided to wait and file a stretch-pu bug (although maybe I
was a little lazy...) The worst bugs fixed here are NULL pointer
dereferences - I don't think there is any remote code execution here.

Upstream kindly backported all the fixes to the version Debian has in
stretch and they were taken from this announcement:
https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html

I omitted 2 patches which seem to be impossible to exploit or which only
have minor cosmetic effects.

Debdiff attached.

Thanks,
James

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/changelog 
libopenmpt-0.2.7386~beta20.3/debian/changelog
--- libopenmpt-0.2.7386~beta20.3/debian/changelog   2017-01-12 
17:17:13.0 +
+++ libopenmpt-0.2.7386~beta20.3/debian/changelog   2017-06-20 
08:58:50.0 +0100
@@ -1,3 +1,14 @@
+libopenmpt (0.2.7386~beta20.3-3+deb9u1) stretch; urgency=medium
+
+  * Add various security patches (Closes: #864195).
+- up1: Division by zero in temp calculation.
+- up2: Infinite loop with cyclic plugin routing.
+- up3: Excessive CPU consumption on malformed DMF and MDL files.
+- up5: Excessive CPU consumption on malformed AMS files.
+- up6: Invalid memory read when applying NNAs to effect plugins.
+
+ -- James Cowgill <jcowg...@debian.org>  Tue, 20 Jun 2017 08:58:50 +0100
+
 libopenmpt (0.2.7386~beta20.3-3) unstable; urgency=medium
 
   * debian/tests:
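Review bot: 'Division by zero in temp calculation' in the up1 line should read 'tempo calculation', matching the patch file name up1-division-by-zero-in-tempo-calculation.patch added in the same debdiff.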
diff -Nru libopenmpt-0.2.7386~beta20.3/debian/patches/series 
libopenmpt-0.2.7386~beta20.3/debian/patches/series
--- libopenmpt-0.2.7386~beta20.3/debian/patches/series  2017-01-12 
17:09:08.0 +
+++ libopenmpt-0.2.7386~beta20.3/debian/patches/series  2017-06-20 
08:58:50.0 +0100
@@ -1 +1,6 @@
 01_libmodplug_symver.patch
+up1-division-by-zero-in-tempo-calculation.patch
+up2-infinite-loop-in-plugin-routing.patch
+up3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch
+up5-excessive-cpu-consumption-on-malformed-files-ams.patch
+up6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch
diff -Nru 
libopenmpt-0.2.7386~beta20.3/debian/patches/up1-division-by-zero-in-tempo-calculation.patch
 
libopenmpt-0.2.7386~beta20.3/debian/patches/up1-division-by-zero-in-tempo-calculation.patch
--- 
libopenmpt-0.2.7386~beta20.3/debian/patches/up1-division-by-zero-in-tempo-calculation.patch
 1970-01-01 01:00:00.0 +0100
+++ 
libopenmpt-0.2.7386~beta20.3/debian/patches/up1-division-by-zero-in-tempo-calculation.patch
 2017-06-20 08:58:50.0 +0100
@@ -0,0 +1,51 @@
+Description: Guard against division by zero in tempo calculation
+ See https://lib.openmpt.org/libopenmpt/md_announce-2017-06-02.html
+Origin: upstream, 
https://source.openmpt.org/browse/openmpt?op=revision=8235
+Bug-Debian: https://bugs.debian.org/864195
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/soundlib/Sndfile.cpp
 b/soundlib/Sndfile.cpp
+@@ -1542,15 +1542,15 @@ void CSoundFile::RecalculateSamplesPerTi
+   {
+   case tempoModeClassic:
+   default:
+-  m_PlayState.m_nSamplesPerTick = 
Util::muldiv(m_MixerSettings.gdwMixingFreq, 5 * TEMPO::fractFact, 
m_PlayState.m_nMusicTempo.GetRaw() << 1);
++  m_PlayState.m_nSamplesPerTick = 
Util::muldiv(m_MixerSettings.gdwMixingFreq, 5 * TEMPO::fractFact, 
std::max(TEMPO::store_t(1), m_PlayState.m_nMusicTempo.GetRaw() << 1));
+   break;
+ 
+   case tempoModeModern:
+-  m_PlayState.m_nSamplesPerTick = 
static_cast((Util::mul32to64_unsigned(m_MixerSettings.gdwMixingFreq, 60 
* TEMPO::fractFact) * Util::mul32to64_unsigned(m_PlayState.m_nMusicSpeed, 
m_PlayState.m_nCurrentRowsPerBeat)) / m_PlayState.m_nMusicTempo.GetRaw());
++  m_PlayState.m_nSamplesPerTick = 
static_cast((Util::mul32to64_unsigned(m_MixerSettings.gdwMixingFreq, 60 
* TEMPO::fractFact) / std::max(uint64(1),  
Util::mul32to64_unsigned(m_PlayState.m_nMusicSpeed, 
m_PlayState.m_nCurrentRowsPerBeat) * m_PlayState.m_nMusicTempo.GetRaw(;
+   break;
+ 
+   case tempoModeAlternative:
+-  m_PlayState.m_nSamplesPerTick = 
Util::muldiv(m_MixerSettings.gdwMixingFreq, TEMPO::fractFact, 
m_Pl
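Review bot: in the tempoModeModern case the removed line multiplies the frequency term by Util::mul32to64_unsigned(m_PlayState.m_nMusicSpeed, m_PlayState.m_nCurrentRowsPerBeat) and then divides by the raw tempo, while the added line divides by the product of that term and the raw tempo inside the std::max guard. If that is how the source reads and not an artefact of how the archive rendered the long lines, the hunk changes the samples-per-tick formula as well as guarding the division, and the DEP-3 description (which only mentions the guard) should say so and cite upstream r8235 for it. The tempoModeClassic change is a pure guard on the single divisor and looks right.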

Bug#862167: jessie-pu: package polarssl/1.3.9-2.1+deb8u2

2017-05-09 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This polarssl update fixes CVE-2017-2784 (Freeing of memory allocated on
stack when validating a public key with a secp224k1 curve) which is a
no-DSA security issue.

I've tested the CVE with the testcase which was added to mbedtls (and it
passes only after the patch is applied). Unfortunately the test system
is broken in polarssl (doesn't handle crashes) so adding the test to
jessie won't have any effect on the builds unless the test system is
fixed as well.

Debdiff attached.

Thanks,
James

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru polarssl-1.3.9/debian/changelog polarssl-1.3.9/debian/changelog
--- polarssl-1.3.9/debian/changelog 2016-02-06 13:29:38.0 +
+++ polarssl-1.3.9/debian/changelog 2017-05-09 09:42:21.0 +0100
@@ -1,3 +1,10 @@
+polarssl (1.3.9-2.1+deb8u2) jessie; urgency=high
+
+  * Fix CVE-2017-2784: Freeing of memory allocated on stack when
+validating a public key with a secp224k1 curve. (Closes: #857561)
+
+ -- James Cowgill <jcowg...@debian.org>  Tue, 09 May 2017 09:42:21 +0100
+
 polarssl (1.3.9-2.1+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload.
diff -Nru polarssl-1.3.9/debian/patches/CVE-2017-2784.patch 
polarssl-1.3.9/debian/patches/CVE-2017-2784.patch
--- polarssl-1.3.9/debian/patches/CVE-2017-2784.patch   1970-01-01 
01:00:00.0 +0100
+++ polarssl-1.3.9/debian/patches/CVE-2017-2784.patch   2017-05-09 
09:36:13.0 +0100
@@ -0,0 +1,49 @@
+Description: Fix for CVE-2017-2784
+ Fixed a bug that caused freeing a buffer that was allocated on the stack,
+ when verifying the validity of a key on secp224k1. This could be
+ triggered remotely for example with a maliciously constructed certificate
+ and might have led to remote code execution on some exotic embedded
+ platforms. Reported independently by rongsaws and Regina Wilson.
+ .
+ The function ecp_mod_koblitz computed the space for the result of a
+ multiplication optimally for that specific case, but unfortunately
+ the function mbedtls_mpi_mul_mpi performs a generic, suboptimal
+ calculation and needs one more limb for the result. Since the result's
+ buffer is on the stack, the best case scenario is that the program
+ stops.
+ .
+ This only happened on 64 bit platforms.
+Origin: upstream, 
https://github.com/ARMmbed/mbedtls/commit/f5ffc79896681daddf7530646c0908f51a887dbd
+Bug-Debian: https://bugs.debian.org/857561
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+--- a/library/ecp_curves.c
 b/library/ecp_curves.c
+@@ -1268,7 +1268,7 @@ static inline int ecp_mod_koblitz( mpi *
+ int ret;
+ size_t i;
+ mpi M, R;
+-t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R];
++t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
+ 
+ if( N->n < p_limbs )
+ return( 0 );
+@@ -1290,7 +1290,7 @@ static inline int ecp_mod_koblitz( mpi *
+ memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) );
+ if( shift != 0 )
+ MPI_CHK( mpi_shift_r( , shift ) );
+-M.n += R.n - adjust; /* Make room for multiplication by R */
++M.n += R.n; /* Make room for multiplication by R */
+ 
+ /* N = A0 */
+ if( mask != 0 )
+@@ -1312,7 +1312,7 @@ static inline int ecp_mod_koblitz( mpi *
+ memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) );
+ if( shift != 0 )
+ MPI_CHK( mpi_shift_r( , shift ) );
+-M.n += R.n - adjust; /* Make room for multiplication by R */
++M.n += R.n; /* Make room for multiplication by R */
+ 
+ /* N = A0 */
+ if( mask != 0 )
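Review bot: the header explains the extra limb in Mp, but the two 'M.n += R.n' lines also stop subtracting adjust, which independently increases how many limbs of Mp the multiplication may write; add a sentence tying the two together (noting that the memcpy into Mp a few lines earlier still uses the M.n computed before the increase), so the buffer arithmetic can be checked without opening the upstream commit. The bug report says the mbedtls regression test is not carried because polarssl's test harness does not catch crashes; record that in the header too, so the absent test is not mistaken for an oversight.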
diff -Nru polarssl-1.3.9/debian/patches/series 
polarssl-1.3.9/debian/patches/series
--- polarssl-1.3.9/debian/patches/series2016-02-05 12:25:30.0 
+
+++ polarssl-1.3.9/debian/patches/series2017-05-09 09:42:14.0 
+0100
@@ -5,3 +5,4 @@
 CVE-2015-8036-Added-bounds-checking-for-TLS-extensions.patch
 CVE-2015-8036-Reordered-extension-fields-and-added-to-Cha.patch
 CVE-2015-8036-Add-extra-check-before-integer-conversion.patch
+CVE-2017-2784.patch




Bug#862061: nmu: raincat_1.1.1.2-3

2017-05-07 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

raincat needs binNMUing against haskell-glut 2.7.0.10-4 to fix the RC
bug #861957. This should pick up the fixes to haskell-glut in #861976
so raincat can start again. It needs binNMUing to pick up the changes
because these are both haskell packages (so it's statically linked).

Thanks,
James

nmu raincat_1.1.1.2-3 . ANY . unstable . -m "rebuild against haskell-glut 
2.7.0.10-4 to fix #861957"

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)





Bug#860887: unblock: bind9/1:9.10.3.dfsg.P4-12.2

2017-04-21 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package bind9

This version fixes RC bug #778720 where bind9 randomly crashes on MIPS.
The MIPS atomics implementation was buggy (register constraints were
wrong and there were no memory barriers) and to fix it I just replaced
it with C11 atomics. Only the MIPS part was replaced - this update
should have no effect on other architectures.

I've tested the new version under heavy load for an hour or so on the 3
MIPS architectures and it seems to be OK. Previously it would crash
within 5 mins.

I've attached the debdiff. Since that isn't the easiest to read, I also
attach the diff of lib/isc/mips/include/isc/atomic.h (the only file
changed) between the version in testing and unstable.

There is another RC bug affecting bind9 (#860225), but that bug is not a
regression from stretch.

Thanks,
James

unblock bind9/1:9.10.3.dfsg.P4-12.2
diff -Nru bind9-9.10.3.dfsg.P4/debian/changelog 
bind9-9.10.3.dfsg.P4/debian/changelog
--- bind9-9.10.3.dfsg.P4/debian/changelog   2017-03-17 18:07:16.0 
+
+++ bind9-9.10.3.dfsg.P4/debian/changelog   2017-04-18 16:42:50.0 
+0100
@@ -1,3 +1,11 @@
+bind9 (1:9.10.3.dfsg.P4-12.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Replace 32_mips_atomic.diff with a version that uses C11 atomics. Fixes
+hangs and crashes on MIPS. (Closes: #778720)
+
+ -- James Cowgill <jcowg...@debian.org>  Tue, 18 Apr 2017 16:42:50 +0100
+
 bind9 (1:9.10.3.dfsg.P4-12.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru bind9-9.10.3.dfsg.P4/debian/patches/32_mips_atomic.diff 
bind9-9.10.3.dfsg.P4/debian/patches/32_mips_atomic.diff
--- bind9-9.10.3.dfsg.P4/debian/patches/32_mips_atomic.diff 2017-02-19 
22:38:45.0 +
+++ bind9-9.10.3.dfsg.P4/debian/patches/32_mips_atomic.diff 2017-04-18 
16:42:50.0 +0100
@@ -1,22 +1,29 @@
-Author: Thiemo Seufer <t...@networkno.de>
-Date:   Thu Nov 8 15:11:48 2007 -0700
-Forwarded: yes RT#41965
-
-mips:atomic.h: improve implementation of atomic ops, fix mips{el,64}
-
-The appended patch extends the configure check to cover mips64 and
-mipsel, and improves the mips atomics implementation.
-
-See http://bugs.debian.org/406409 for more detail.
-
-Signed-off-by: LaMont Jones <lam...@debian.org>
+Description: Replace MIPS atomics assembly with calls to C11 atomic functions
+ This fixes various hangs and crashes on MIPS.
+Author: James Cowgill <jcowg...@debian.org>
+Forwarded: no
+Bug-Debian: https://bugs.debian.org/778720
 
 --- a/lib/isc/mips/include/isc/atomic.h
 +++ b/lib/isc/mips/include/isc/atomic.h
-@@ -31,18 +31,20 @@
- isc_atomic_xadd(isc_int32_t *p, int val) {
-   isc_int32_t orig;
+@@ -19,32 +19,19 @@
+ #ifndef ISC_ATOMIC_H
+ #define ISC_ATOMIC_H 1
+ 
++#include 
++
+ #include 
+ #include 
  
+-#ifdef ISC_PLATFORM_USEGCCASM
+ /*
+  * This routine atomically increments the value stored in 'p' by 'val', and
+  * returns the previous value.
+  */
+ static inline isc_int32_t
+ isc_atomic_xadd(isc_int32_t *p, int val) {
+-  isc_int32_t orig;
+-
 -  /* add is a cheat, since MIPS has no mov instruction */
 -  __asm__ volatile (
 -  "1:"
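Review bot: the added `++#include ` line has lost its header name in this rendering; `atomic_fetch_add` and `atomic_store`, which the rest of the patch calls, are declared in `<stdatomic.h>`, so that is the include the patch needs. The new DEP-3 header also says `Forwarded: no`; since this replaces the MIPS assembly with portable C11 calls rather than another MIPS-specific fix, it is a good candidate to send upstream.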
@@ -29,24 +36,13 @@
 -  : "m"(*p), "r"(val)
 -  : "memory", "$3"
 -  );
-+  __asm__ __volatile__ (
-+  "   .setpush\n"
-+  "   .setmips2   \n"
-+  "   .setnoreorder   \n"
-+  "   .setnoat\n"
-+  "1: ll  $1, %1  \n"
-+  "   addu%0, $1, %2  \n"
-+  "   sc  %0, %1  \n"
-+  "   beqz%0, 1b  \n"
-+  "   move%0, $1  \n"
-+  "   .setpop \n"
-+  : "=" (orig), "+R" (*p)
-+  : "r" (val)
-+  : "memory");
  
-   return (orig);
+-  return (orig);
++  return atomic_fetch_add(p, val);
  }
-@@ -52,16 +54,7 @@
+ 
+ /*
+@@ -52,16 +39,7 @@ isc_atomic_xadd(isc_int32_t *p, int val)
   */
  static inline void
  isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
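Review bot: `++  return atomic_fetch_add(p, val);` passes `p`, which the unchanged signature `isc_atomic_xadd(isc_int32_t *p, int val)` declares as a plain `isc_int32_t *`; C11 specifies the generic `atomic_*` functions for pointers to `_Atomic` objects, and this compiles only because GCC's `<stdatomic.h>` implements them as macros over the `__atomic` builtins, which accept non-atomic pointers. Acceptable for Debian's toolchain, but worth a comment in the patch so nobody later treats it as portable C11 or tries it under a compiler that rejects the non-atomic pointee.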
@@ -60,16 +56,16 @@
 -  : "m"(*p), "r"(val)
 -  : "memory", "$3"
 -  );
-+  *p = val;
++  atomic_store(p, val);
  }
  
  /*
-@@ -72,20 +65,23 @@
+@@ -71,28 +49,8 @@ isc_atomic_store(isc_int32_t *p, isc_int
+  */
  static inline isc_int32_t
  isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
-   isc_int32_t orig;
-+  isc_int32_t tmp;
- 
+-  isc_int32_t orig;
+-
 -  __asm__ volatile(
 -  "1:"
 -  "ll $3, %1\n"
@@ -83,21 +79,15 @@
 -  : "m&qu
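
The C11 replacement James describes above, as an added example (not bind9's code and not the Debian patch): the three ISC-style operations implemented on an `_Atomic`-qualified pointee, with a small lock-flag and reference-count scenario to show what the return values mean. The names (`isc_atomic_*`, `try_lock`, `lock_scenario`, `refcount_scenario`) and the convention that `isc_atomic_cmpxchg` returns the previous value are assumptions for illustration, as is the `isc_int32_t` typedef.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for ISC's 32-bit integer type. */
typedef int32_t isc_int32_t;

/*
 * Atomically add 'val' to *p and return the value *p held before the add.
 * The pointee is declared _Atomic so the C11 generic functions are used
 * as the standard specifies, instead of relying on GCC accepting a plain
 * pointer.  Default ordering is seq_cst, which includes the memory
 * barriers the old hand-written MIPS assembly was missing.
 */
static inline isc_int32_t
isc_atomic_xadd(_Atomic isc_int32_t *p, int val)
{
    return atomic_fetch_add(p, val);
}

/* Atomically publish 'val' to *p with sequentially consistent ordering. */
static inline void
isc_atomic_store(_Atomic isc_int32_t *p, isc_int32_t val)
{
    atomic_store(p, val);
}

/*
 * Compare-and-swap: if *p == cmpval, set *p = val.  Returns the value *p
 * held before the call either way, so a caller knows it won the exchange
 * when the return value equals cmpval (assumed ISC convention).
 */
static inline isc_int32_t
isc_atomic_cmpxchg(_Atomic isc_int32_t *p, int cmpval, int val)
{
    isc_int32_t expected = cmpval;
    /* On failure C11 writes the current value into 'expected'; on success
     * 'expected' is untouched and already equals the old value. */
    atomic_compare_exchange_strong(p, &expected, val);
    return expected;
}

/* --- Usage scenario: a spinlock-style flag and a reference count --- */

/* Try to take a lock flag (0 = free, 1 = held).  Returns 1 on success. */
static int
try_lock(_Atomic isc_int32_t *flag)
{
    return isc_atomic_cmpxchg(flag, 0, 1) == 0;
}

static void
unlock(_Atomic isc_int32_t *flag)
{
    isc_atomic_store(flag, 0);
}

/* Runs the lock scenario on a fresh flag and returns a bitmask of outcomes:
 * bit0 first acquire succeeded, bit1 second acquire was refused,
 * bit2 acquire after unlock succeeded.  All three behaving gives 7. */
int
lock_scenario(void)
{
    _Atomic isc_int32_t flag = 0;
    int result = 0;
    if (try_lock(&flag))  result |= 1;
    if (!try_lock(&flag)) result |= 2;   /* already held: must fail */
    unlock(&flag);
    if (try_lock(&flag))  result |= 4;
    return result;
}

/* Increments a counter 'n' times via xadd.  Returns the sum of the previous
 * values observed (0 + 1 + ... + n-1) plus the final counter value, so the
 * result checks both the returned "old value" and the stored total. */
long
refcount_scenario(int n)
{
    _Atomic isc_int32_t refs = 0;
    long seen = 0;
    for (int i = 0; i < n; i++)
        seen += isc_atomic_xadd(&refs, 1);
    return seen + atomic_load(&refs);
}

int
main(void)
{
    printf("lock scenario bitmask: %d (expect 7)\n", lock_scenario());
    printf("refcount scenario(10): %ld (expect 55)\n", refcount_scenario(10));
    return 0;
}
```

Declaring the pointee `_Atomic` is what makes the calls portable: GCC tolerates a plain `isc_int32_t *`, but Clang's `<stdatomic.h>` builtins reject it, and the qualifier also stops ordinary non-atomic reads and writes of the same variable from slipping through unnoticed.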

Bug#859471: unblock: swh-plugins/0.4.17-2

2017-04-03 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package swh-plugins

It fixes RC bug #859395 where one of the plugins was not linked
correctly and ld.so refused to load it.

I also fixed the Breaks / Replaces on vocoder-ladspa because 0.4.17-1
was so wrong I couldn't just leave it. I've moved it into the correct
paragraph of the control file, and changed the package to
"vocoder-ladspa" which was the actual package containing the vocoder
plugin which was moved to swh-plugins (see #826110).

Thanks,
James

unblock swh-plugins/0.4.17-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru swh-plugins-0.4.17/debian/changelog 
swh-plugins-0.4.17/debian/changelog
--- swh-plugins-0.4.17/debian/changelog 2016-11-05 04:47:12.0 +
+++ swh-plugins-0.4.17/debian/changelog 2017-04-03 19:54:39.0 +0100
@@ -1,3 +1,12 @@
+swh-plugins (0.4.17-2) unstable; urgency=medium
+
+  * Team upload.
+  * Link gsm_1215.so plugin against system libgsm. (Closes: #859395)
+  * Fix vocoder-ladspa Breaks/Replaces (replacing the faulty lmms
+Breaks/Replaces).
+
+ -- James Cowgill <jcowg...@debian.org>  Mon, 03 Apr 2017 19:54:39 +0100
+
 swh-plugins (0.4.17-1) unstable; urgency=medium
 
   * Exclude .gitignore file from upstream tarball.
diff -Nru swh-plugins-0.4.17/debian/control swh-plugins-0.4.17/debian/control
--- swh-plugins-0.4.17/debian/control   2016-11-05 04:47:12.0 +
+++ swh-plugins-0.4.17/debian/control   2017-04-03 19:54:39.0 +0100
@@ -16,11 +16,6 @@
  libxml-parser-perl,
  libgsm1-dev,
  pkg-config
-Replaces:
- lmms (<= 1.1.3-2)
- ${cdbs:Replaces}
-Breaks:
- lmms (<= 1.1.3-2)
 Standards-Version: 3.9.8
 Homepage: http://plugin.org.uk/
 Vcs-Git: https://anonscm.debian.org/git/pkg-multimedia/swh-plugins.git
@@ -31,6 +26,11 @@
 Depends:
  ${misc:Depends},
  ${shlibs:Depends}
+Replaces:
+ vocoder-ladspa (<< 1.1.3-3~),
+ ${cdbs:Replaces}
+Breaks:
+ vocoder-ladspa (<< 1.1.3-3~)
 Provides:
  ladspa-plugin
 Description: Steve Harris's LADSPA plugins
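Review bot: moving `Breaks`/`Replaces` into the binary package paragraph is the substantive fix here; in the first hunk they sat in the source paragraph (between the build-dependencies and `Standards-Version`), where dpkg never evaluates them. Do confirm that `1.1.3-3~` is the first vocoder-ladspa version without the vocoder plugin (the mail points to #826110), since a bound that is too low would let the old file conflict through on upgrade.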
diff -Nru swh-plugins-0.4.17/debian/patches/08-gsm_plugin.patch 
swh-plugins-0.4.17/debian/patches/08-gsm_plugin.patch
--- swh-plugins-0.4.17/debian/patches/08-gsm_plugin.patch   2016-06-02 
00:32:48.0 +0100
+++ swh-plugins-0.4.17/debian/patches/08-gsm_plugin.patch   2017-04-03 
19:54:39.0 +0100
@@ -45,7 +45,7 @@
  sc4m_1916_la_LIBADD = -Lutil -ldb -lrms
  se4_1883_la_LIBADD = -Lutil -ldb -lrms
 -gsm_1215_la_LIBADD = gsm/libgsm.a
-+#gsm_1215_la_LIBADD = gsm/libgsm.a
++gsm_1215_la_LIBADD = -lgsm
  gverb_1216_la_LIBADD = -Lgverb -lgverb
  lcr_delay_1436_la_DEPENDENCIES = util/biquad.h
  
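Review bot: switching to `++gsm_1215_la_LIBADD = -lgsm` links the plugin against the shared system libgsm instead of the bundled static archive, so the runtime dependency on libgsm1 is now picked up by `${shlibs:Depends}`, and the `libgsm1-dev` build-dependency visible in the control hunk above is what satisfies the link. The previous `+#gsm_1215_la_LIBADD = gsm/libgsm.a` left the plugin with no LIBADD at all, which is consistent with the load failure the mail describes.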




Bug#857579: unblock: mbedtls/2.4.2-1 (pre-approval)

2017-03-14 Thread James Cowgill
Control: tags -1 - moreinfo
Control: retitle -1 unblock: mbedtls/2.4.2-1

Hi,

On 13/03/17 20:20, Niels Thykier wrote:
> James Cowgill:
>> Hi,
>>
>> I am wondering whether it's possible to include mbedtls 2.4.2 in
>> stretch. While it does fix an RC security bug (#857560), it also
>> contains a lot of other stuff - all of it bugfixes though.
[...]
> Hi,
> 
> I have reviewed it and I agree that upstream release looks preferable
> with one remark:
> 
>  * The test suite appears to be "time-bombed" via
>"tests/data_files/test-ca2_cat-future-invalid.crt".
>  * Ideally, the buildability should not expire.
>  * Furthermore, its "expire" date is "Sep 22 15:49:49 2023" which is
>uncomfortably close to stretch's expected EOL on the LTS release
>(Said EOL is currently estimated to some time in 2022 and counting).

Thanks for discovering that! I've adjusted the package to run the
testsuite inside faketime until upstream fixes this.

> Please resolve that, upload and remove the moreinfo tag once the upload
> has been processed and built on all relevant release architectures.

Uploaded, and built on all release arches.

Thanks,
James





Bug#856228: unblock: libnids/1.23-2.1

2017-02-26 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package libnids

This fixes 2 RC bugs in the package:
- #851060 where the package doesn't work on armhf. The package contains
numerous violations of the strict-aliasing rule so I added
-fno-strict-aliasing as an easy workaround which does fix the bug on armhf.

- #855602 where the package assumes the old gnu89 inline semantics but
this was never caught because the undefined references only occur when
building another package which links against libnids. The bug only
happens after being rebuilt and on mips64el where it's already broken.
Two separate patches are needed to fix this - one concerning 'after' and
'before' which is already applied upstream, and another concerning some
i386 only functions.

Thanks,
James

unblock libnids/1.23-2.1

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy:(500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libnids-1.23/debian/changelog libnids-1.23/debian/changelog
--- libnids-1.23/debian/changelog   2010-07-21 20:23:34.0 +0100
+++ libnids-1.23/debian/changelog   2017-02-26 16:25:37.0 +
@@ -1,3 +1,13 @@
+libnids (1.23-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix assembly of TCP streams on armhf by adding -fno-strict-aliasing.
+(Closes: #851060)
+  * Fix use of "inline" with GCC >= 5 which causes undefined references in
+applications linked against libnids. (Closes: #855602)
+
+ -- James Cowgill <jcowg...@debian.org>  Sun, 26 Feb 2017 16:25:37 +
+
 libnids (1.23-2) unstable; urgency=high
 
   * Update my email address (closes: #574042).
diff -Nru libnids-1.23/debian/patches/01_before-after.patch 
libnids-1.23/debian/patches/01_before-after.patch
--- libnids-1.23/debian/patches/01_before-after.patch   1970-01-01 
01:00:00.0 +0100
+++ libnids-1.23/debian/patches/01_before-after.patch   2017-02-26 
16:25:37.0 +
@@ -0,0 +1,52 @@
+Description: fix before and after declarations
+ Fix declarations of before and after functions so that they just happen in 
the header file to fix undefined references in libnids.so.
+Origin: upstream, 
http://downloads.sourceforge.net/project/libnids/libnids/1.24/libnids-1.24.tar.gz
+Bug-Debian: https://bugs.debian.org/855602
+Applied-Upstream: 1.24
+Last-Update: 2015-12-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/util.c
 b/src/util.c
+@@ -29,18 +29,6 @@ test_malloc(int x)
+   return ret;
+ }
+ 
+-inline int
+-before(u_int seq1, u_int seq2)
+-{
+-  return ((int)(seq1 - seq2) < 0);
+-}
+-
+-inline int
+-after(u_int seq1, u_int seq2)
+-{
+-  return ((int)(seq2 - seq1) < 0);
+-}
+-
+ void
+ register_callback(struct proc_node **procs, void (*x))
+ {
+--- a/src/util.h
 b/src/util.h
+@@ -23,8 +23,18 @@ struct lurker_node {
+ 
+ void nids_no_mem(char *);
+ char *test_malloc(int);
+-inline int before(u_int seq1, u_int seq2);
+-inline int after(u_int seq1, u_int seq2);
++
++static inline int
++before(u_int seq1, u_int seq2)
++{
++  return ((int)(seq1 - seq2) < 0);
++}
++
++static inline int
++after(u_int seq1, u_int seq2)
++{
++  return ((int)(seq2 - seq1) < 0);
++}
+ void register_callback(struct proc_node **procs, void (*x));
+ void unregister_callback(struct proc_node **procs, void (*x));
+ 
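Review bot: the `static inline` definitions added to util.h are the right shape for the C99 inline semantics GCC 5 defaults to (a bare `inline int before(...)` definition in util.c emits no external symbol, hence the undefined references), but a blank line is missing between the closing `++}` of `after` and the unchanged `void register_callback(...)` prototype that follows it.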
diff -Nru libnids-1.23/debian/patches/02_inline.patch 
libnids-1.23/debian/patches/02_inline.patch
--- libnids-1.23/debian/patches/02_inline.patch 1970-01-01 01:00:00.0 
+0100
+++ libnids-1.23/debian/patches/02_inline.patch 2017-02-25 17:50:03.0 
+
@@ -0,0 +1,45 @@
+Description: Fix more undefined references when using GCC-5.
+ Avoids making the functions ip_fast_csum, ip_compute_csum, my_tcp_check and
+ my_udp_check inline. See https://github.com/aol/moloch/issues/440 as well.
+Author: Robert Scheck <rob...@fedoraproject.org>
+Origin: vendor, 
http://pkgs.fedoraproject.org/cgit/rpms/libnids.git/commit/?id=ecafb692f20e0acad555f66c3cc1646997a82dae
+Bug-Debian: https://bugs.debian.org/855602
+---
+This patch header follows DEP-3: https://dep.debian.net/deps/dep3/
+
+--- a/src/checksum.c
 b/src/checksum.c
+@@ -120,7 +120,7 @@ csum_partial(const u_char * buff, int le
+   By Jorge Cwik <jo...@laser.satlink.net>, adapted for linux by Arnt
+   Gulbrandsen.
+ */
+-inline u_short ip_fast_csum(u_char * iph, u_int ihl)
++u_short ip_fast_csum(u_char * iph, u_int ihl)
+ {
+   u_int sum;
+   if (dontchksum(((struct ip*)iph)->ip_src.s_addr))
+@@ -191,13 +191,13 @@ csum_tcpudp_magic(u_int saddr, u_int dad
+   this routine is used for miscellaneous IP-like checksums, mainly in
+   icmp.c
+ */
+-inline u_s

Bug#856204: unblock: libsfml/2.4.1+dfsg-3

2017-02-26 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package libsfml

This fixes the important bug #855404 where SFML can in certain
situations deadlock inside the GL context handling code. Upstream have
explicitly asked me to try and include this fix into stretch. The patch
originates from version 2.4.2 which is in experimental but was too late
to get into stretch.

I've tested the patch with reverse-dependencies in Debian and everything
still works AFAIK.

Thanks,
James

unblock libsfml/2.4.1+dfsg-3

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libsfml-2.4.1+dfsg/debian/changelog 
libsfml-2.4.1+dfsg/debian/changelog
--- libsfml-2.4.1+dfsg/debian/changelog 2016-12-30 19:02:05.0 +
+++ libsfml-2.4.1+dfsg/debian/changelog 2017-02-20 20:11:38.0 +
@@ -1,3 +1,9 @@
+libsfml (2.4.1+dfsg-3) unstable; urgency=medium
+
+  * Apply upstream patch to fix TransientContext deadlocks. (Closes: #855404)
+
+ -- James Cowgill <jcowg...@debian.org>  Mon, 20 Feb 2017 20:11:38 +
+
 libsfml (2.4.1+dfsg-2) unstable; urgency=medium
 
   * Fix segfaults triggered by sf::Window::setIcon. (Closes: #849750)
diff -Nru 
libsfml-2.4.1+dfsg/debian/patches/08_fix-transientcontext-deadlocks.patch 
libsfml-2.4.1+dfsg/debian/patches/08_fix-transientcontext-deadlocks.patch
--- libsfml-2.4.1+dfsg/debian/patches/08_fix-transientcontext-deadlocks.patch   
1970-01-01 01:00:00.0 +0100
+++ libsfml-2.4.1+dfsg/debian/patches/08_fix-transientcontext-deadlocks.patch   
2017-02-20 20:11:38.0 +
@@ -0,0 +1,435 @@
+From 2857207cae8ccd8677ef3586add44102790dea92 Mon Sep 17 00:00:00 2001
+From: binary1248 <binary1...@hotmail.com>
+Date: Sun, 27 Nov 2016 18:31:21 +0100
+Subject: [PATCH] Replaced TransientContextLock implementation with a more
+ elaborate one which relies on locking a single mutex and thus avoids lock
+ order inversion. Fixes #1165.
+
+---
+ src/SFML/Window/GlContext.cpp  | 206 +
+ src/SFML/Window/GlContext.hpp  |  25 +++--
+ src/SFML/Window/GlResource.cpp |  48 +-
+ 3 files changed, 161 insertions(+), 118 deletions(-)
+
+diff --git a/src/SFML/Window/GlContext.cpp b/src/SFML/Window/GlContext.cpp
+index 8ae4b3ab..d773ed00 100644
+--- a/src/SFML/Window/GlContext.cpp
 b/src/SFML/Window/GlContext.cpp
+@@ -26,6 +26,7 @@
+ // Headers
+ 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -131,18 +132,70 @@ namespace
+ // We need to make sure that no operating system context
+ // or pixel format operations are performed simultaneously
+ // This mutex is also used to protect the shared context
+-// from being locked on multiple threads
++// from being locked on multiple threads and for managing
++// the resource count
+ sf::Mutex mutex;
+ 
++// OpenGL resources counter
++unsigned int resourceCount = 0;
++
+ // This per-thread variable holds the current context for each thread
+ sf::ThreadLocalPtr currentContext(NULL);
+ 
+ // The hidden, inactive context that will be shared with all other 
contexts
+ ContextType* sharedContext = NULL;
+ 
+-// This per-thread variable is set to point to the shared context
+-// if we had to acquire it when a TransientContextLock was required
+-sf::ThreadLocalPtr currentSharedContext(NULL);
++// This structure contains all the state necessary to
++// track TransientContext usage
++struct TransientContext : private sf::NonCopyable
++{
++
++/// \brief Constructor
++///
++
++TransientContext() :
++referenceCount   (0),
++context  (0),
++sharedContextLock(0),
++useSharedContext (false)
++{
++if (resourceCount == 0)
++{
++context = new sf::Context;
++}
++else if (!currentContext)
++{
++sharedContextLock = new sf::Lock(mutex);
++useSharedContext = true;
++sharedContext->setActive(true);
++}
++}
++
++
++/// \brief Destructor
++///
++
++~TransientContext()
++{
++if (useSharedContext)
++sharedContext->setActive(false);
++
++delete
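Review bot: in the `TransientContext()` constructor, `if (resourceCount == 0)` reads `resourceCount` before any lock is visibly taken, while the updated comment above says `mutex` now also protects the resource count; confirm the caller already holds `mutex` here or the read is safe by construction, since an unsynchronised read would undermine the lock-order fix the patch is for. The patch is also cut off in this rendering at `++delete`, so the destructor's cleanup cannot be reviewed from what is shown.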

Bug#855258: unblock: spice/0.12.8-2.1

2017-02-18 Thread James Cowgill
Control: tags -1 - moreinfo

Hi,

On Fri, 17 Feb 2017 21:11:44 +0100 Salvatore Bonaccorso
 wrote:
> Hi Markus, hi Emilio,
> 
> On Thu, Feb 16, 2017 at 10:50:34PM +0100, Markus Koschany wrote:
> > On 16.02.2017 22:23, Emilio Pozuelo Monfort wrote:
> > > Control: tags -1 moreinfo
> > > 
> > > On 16/02/17 06:06, Salvatore Bonaccorso wrote:
> > >> Package: release.debian.org
> > >> Severity: normal
> > >> User: release.debian@packages.debian.org
> > >> Usertags: unblock
> > >>
> > >> Hi
> > >>
> > >> Please unblock package spice
> > [...]
> > > That failed to build on mips(64)el:
> > > 
> > > https://buildd.debian.org/status/package.php?p=spice
> > 
> > Hi,
> > 
> > I think this is unrelated to our security fix. The package already
> > failed on mips64el last month (2017/01/06) with the same build failure.
> 
> FTR, yes I think this is true, that the failure is *not* related to
> the security fixes. I built both 0.12.8-2 and 0.12.8-2.1 on eller.d.o,
> and it failed both there. I have not further investigated.

The build failure was caused by the lesser form of the binutils bug
(#844227 - scroll to the bottom) which has just been fixed. I rebuilt
spice with an extra-depends on binutils and it now builds ok.

Thanks,
James





Bug#855204: libpetsc3.7.5-dev: uninstallable - Depends: libopenmpi-dev (< 2.0.2~git.20161226)

2017-02-15 Thread James Cowgill
On 15/02/17 13:41, Mattia Rizzolo wrote:
> Control: reassign -1 release.debian.org
> Control: forcemerge 854905 -1
> 
> On Wed, Feb 15, 2017 at 01:09:16PM +, James Cowgill wrote:
>> Package: libpetsc3.7.5-dev
>> Version: 3.7.5+dfsg1-3
>> Severity: serious
>> Tags: sid stretch
> 
> Please look for already reported bugs before reporting new ones (there
> is an "affect" so it is in libpetsc3.7.5-dev bugs list).

Well I did check petsc (not release.debian.org), but affects on binary
packages don't actually show up on the main bugs page - #636689

James





Bug#855087: unblock: mpv/0.23.0-2

2017-02-13 Thread James Cowgill
Attaching the debdiff this time...

James
diff -Nru mpv-0.23.0/debian/changelog mpv-0.23.0/debian/changelog
--- mpv-0.23.0/debian/changelog 2016-12-27 23:02:13.0 +
+++ mpv-0.23.0/debian/changelog 2017-02-13 21:39:28.0 +
@@ -1,3 +1,10 @@
+mpv (0.23.0-2) unstable; urgency=medium
+
+  * Add patch from upstream fix segfaults on tv input.
+Thanks to Frédéric Brière. (Closes: #853798)
+
+ -- James Cowgill <jcowg...@debian.org>  Mon, 13 Feb 2017 21:39:28 +
+
 mpv (0.23.0-1) unstable; urgency=medium
 
   * New upstream release.
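Review bot: the changelog line `+  * Add patch from upstream fix segfaults on tv input.` is missing a word; `Add patch from upstream to fix segfaults on tv input.` reads correctly.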
diff -Nru mpv-0.23.0/debian/patches/07_segfaults-on-tv-input.patch 
mpv-0.23.0/debian/patches/07_segfaults-on-tv-input.patch
--- mpv-0.23.0/debian/patches/07_segfaults-on-tv-input.patch1970-01-01 
01:00:00.0 +0100
+++ mpv-0.23.0/debian/patches/07_segfaults-on-tv-input.patch2017-02-13 
21:35:21.0 +
@@ -0,0 +1,42 @@
+From aaad2d847e60a5bbd8fbf9c89f100a9ef9abd008 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Bri=C3=A8re?= <fbri...@fbriere.net>
+Date: Fri, 3 Feb 2017 12:57:47 -0500
+Subject: [PATCH] tv: Zero-out newly-allocated handle in tv_new_handle()
+
+Some fields (notably tv_channel_list) were left uninitialized,
+potentially causing problems later on.
+
+Fixes #4096
+---
+ stream/tv.c | 5 +
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/stream/tv.c b/stream/tv.c
+index 0b34b566d..89783374f 100644
+--- a/stream/tv.c
 b/stream/tv.c
+@@ -145,7 +145,7 @@ const struct m_sub_options tv_params_conf = {
+ 
+ tvi_handle_t *tv_new_handle(int size, struct mp_log *log, const 
tvi_functions_t *functions)
+ {
+-tvi_handle_t *h = malloc(sizeof(*h));
++tvi_handle_t *h = calloc(1, sizeof(*h));
+ 
+ if (!h)
+ return NULL;
+@@ -159,12 +159,9 @@ tvi_handle_t *tv_new_handle(int size, struct mp_log *log, 
const tvi_functions_t
+ 
+ h->log= log;
+ h->functions  = functions;
+-h->seq= 0;
+ h->chanlist   = -1;
+-h->chanlist_s = NULL;
+ h->norm   = -1;
+ h->channel= -1;
+-h->scan   = NULL;
+ 
+ return h;
+ }
+-- 
+2.11.0
+
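Review bot: replacing `malloc` with `calloc(1, sizeof(*h))` zeroes every field, including any added after this code was written, which is why the explicit `h->seq = 0`, `h->chanlist_s = NULL` and `h->scan = NULL` lines can go; the assignments that remain are exactly the non-zero defaults (`-1`). This does rely on an all-zero bit pattern being a null pointer, which holds on every platform mpv targets, but a one-line comment would preserve the intent the removed assignments used to document.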
diff -Nru mpv-0.23.0/debian/patches/series mpv-0.23.0/debian/patches/series
--- mpv-0.23.0/debian/patches/series2016-12-27 22:55:48.0 +
+++ mpv-0.23.0/debian/patches/series2017-02-13 21:36:32.0 +
@@ -3,3 +3,4 @@
 04_waf-pie.patch
 05_add-keywords.patch
 06_ffmpeg-abi.patch
+07_segfaults-on-tv-input.patch




Bug#855087: unblock: mpv/0.23.0-2

2017-02-13 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package mpv

This upload fixes important bug #853798 where mpv segfaults when used
with particular tv input devices. The patch is backported from upstream
0.24.0 which was recently released.

Thanks,
James

unblock mpv/0.23.0-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)





Bug#854505: unblock: make-dfsg/4.1-9.1

2017-02-07 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-CC: sriva...@debian.org

Hi,

Please unblock package make-dfsg

This fixes the important bug #853213 in make which should in turn fix
the RC bug #853214 in openjdk-8 (without any changes needed to that
package).

The debdiff is attached.

Thanks,
James

unblock make-dfsg/4.1-9.1

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -u make-dfsg-4.1/debian/changelog make-dfsg-4.1/debian/changelog
--- make-dfsg-4.1/debian/changelog
+++ make-dfsg-4.1/debian/changelog
@@ -1,3 +1,11 @@
+make-dfsg (4.1-9.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Ensure the stack limit is reset when make re-execs itself.
+(Closes: #853213)
+
+ -- James Cowgill <jcowg...@debian.org>  Tue, 31 Jan 2017 16:31:57 +
+
 make-dfsg (4.1-9) unstable; urgency=low
 
   * Reword the manual page. While the wording included in the manual page
diff -u make-dfsg-4.1/main.c make-dfsg-4.1/main.c
--- make-dfsg-4.1/main.c
+++ make-dfsg-4.1/main.c
@@ -2423,6 +2423,11 @@
 exit (WIFEXITED(r) ? WEXITSTATUS(r) : EXIT_FAILURE);
   }
 #else
+#ifdef SET_STACK_SIZE
+  /* Reset limits, if necessary.  */
+  if (stack_limit.rlim_cur)
+setrlimit (RLIMIT_STACK, _limit);
+#endif
   exec_command ((char **)nargv, environ);
 #endif
   free (aargv);
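Review bot: `+    setrlimit (RLIMIT_STACK, _limit);` shows a truncated second argument in this rendering; the line above it tests `stack_limit.rlim_cur`, so the argument must be `&stack_limit` and the `&` was lost between the patch and this page. The return value of `setrlimit` is also ignored; as a best-effort reset immediately before `exec_command` that is defensible, but a short comment saying so would stop the next reader flagging it.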




Bug#853152: unblock: codelite/10.0+dfsg-1

2017-01-30 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package codelite.

I recently uploaded a new version of codelite and was hoping for it to
be included in stretch. It was uploaded "within the time" but
unfortunately (?) I switched from LLVM 3.8 to 3.9 and it built on armel,
so it depends on the newer version of LLVM 3.9 which is not in testing yet.

Would it be possible to unblock codelite so it migrates when LLVM 3.9
does? I understand if you don't want this in stretch and it was pretty
late - it isn't a hugely important update.

Alternatively, could you age LLVM 3.9 so codelite doesn't need an unblock?

Thanks,
James

unblock codelite/10.0+dfsg-1





Bug#838109: release.debian.org: binNMU for ccache/amd64 to rebuild against stable

2017-01-24 Thread James Cowgill
Hi,

On Sun, 18 Sep 2016 00:03:17 +0100 "Adam D. Barratt"  
wrote:
> Control: tags -1 + pending
> 
> On Sat, 2016-09-17 at 13:00 +0100, Adam D. Barratt wrote:
> > Whilst performing some checks during today's point release, we noticed
> > that a new "ccache-dbgsym" binary package appeared on amd64. Neither the
> > debhelper version in stable nor stable-backports will generate such
> > packages, implying that the upload was built in another, or unclean,
> > environment.
> 
> I scheduled the binNMU, and it's now in proposed-updates.

(Since I also just noticed this package)

Should the ccache-dbgsym package now be removed from stable?

Thanks,
James





Bug#852042: nmu: jackd2_1.9.10+20150825git1ed50c92~dfsg-4

2017-01-20 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
Control: block 848285 by -1

Hi,

Please binNMU jackd2. It is affected by the RC bug #848285 which was
caused by a GCC regression in gcc-6_6.2.0-13 and has now been fixed in
gcc-6_6.3.0-3. It probably needs this extra dependency forcing when
rebuilt.

nmu jackd2_1.9.10+20150825git1ed50c92~dfsg-4 . ANY . unstable . -m "rebuild 
with newer gcc to fix #848285"

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)





Re: Bug#850887: Decide proper solution for binutils' mips* bug

2017-01-12 Thread James Cowgill
Hi,

On 12/01/17 14:54, Lisandro Damián Nicanor Pérez Meyer wrote:
> I would like to point out that it would be preferable if, in case a patch is 
> preferable over going back to the last known version to work, either Matthias 
> or a mips porter points out which of the two proposed patches is preferable.
> 
> For the time being I'm testing the patch I submitted to the bug, but I have no 
> preference over any of them (nor technical grounds to discuss).

Both patches posted in the upstream bug should work. The first one fixes
a bug in the MIPS back end so that local symbols are sorted before
global symbols. This is probably the safer (although larger) patch
because it only touches the MIPS back end to try and bring it into line
with other architectures. The second patch prevents the questionable
local symbols from ever appearing (so no sorting is necessary). This
should also be correct, although it will visibly change the contents of
the dynamic symbol table on all arches so I am slightly more
apprehensive because of that.

Side note: the patch you uploaded is not totally correct because it
isn't applied when building cross binutils (__mips__ will not be defined
there).

Thanks,
James





Re: binutils on mips*

2017-01-09 Thread James Cowgill
Hi,

On 09/01/17 10:51, Julien Cristau wrote:
> On 01/08/2017 11:40 PM, Matthias Klose wrote:
>> On 08.01.2017 14:29, Lisandro Damián Nicanor Pérez Meyer wrote:
>>> Matthias: this bug is stopping a lot of packages from migrating and in 
>>> doing 
>>> so near the freeze is hurting many teams (and their users!) like the Qt/KDE 
>>> one, so I'm planning to NMU it to the last working version.
>>>
>>> Do we know which was the last version to properly work on mips*? Is there 
>>> any 
>>> drawback in going back to that version?
>>>
>>> Of course if you have a better course of action suitable for a fast fix, 
>>> I'll 
>>> be glad to read it.
>>
>> Please don't.  I'm fine to apply work arounds for port architectures, but not
>> for release architectures (I didn't decide on this status).  The binutils 
>> update
>> plan was announced last June [1], and I plan to stick to it.  At least one of
>> the mips toolchain maintainers (out of the five who committed to in the
>> architecture qualification process) seems to address RC issues, and 
>> according to
>> the upstream issue, there's work in progress.
>>
> Work in progress is not enough.  This has been filed almost two months
> ago, and keeping an RC issue in the toolchain open for this long right
> around freeze time is irresponsible on your part, so please don't block
> others fixing it if you don't want to apply a workaround yourself.  (I'm
> also disappointed that none of the mips porters saw fit to get this
> fixed in sid sooner.)

As a MIPS porter, I'm not really sure what more I could have done about
this bug. I provided a patch in November and it still hasn't been fixed
in Debian. I do not control upstream binutils and cannot make them
commit anything. Occasionally I've been pinging Maciej, but nothing has
happened (though he cannot be blamed for the situation Debian finds
itself in). What was I supposed to do?

James





Bug#850482: nmu: ardour_1:5.5.0~dfsg-1

2017-01-06 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

Please can ardour be binNMUed against fftw3 3.3.5-3. That version of
fftw3 tightens the package dependencies which is needed for a new API
used by ardour.

Thanks,
James


nmu ardour_1:5.5.0~dfsg-1 . ANY . unstable . -m "rebuild for stricter fftw3 
dependency"

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'buildd-unstable'), (500, 
'unstable'), (500, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)





Bug#847001: nmu: libjack dependencies using new port_rename APIs

2016-12-04 Thread James Cowgill
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: binnmu
Severity: normal
X-Debbugs-CC: pkg-multimedia-maintain...@lists.alioth.debian.org

Hi,

In #845654 and #845655, the dependencies generated by libjack were
tightened after a new API was added to both jack implementations. The
packages which use the new API need to be binNMUed to get the new
dependency. I checked codesearch for packages using the affected
functions (jack_set_port_rename_callback and jack_port_rename) and
these were the only 3 packages affected. I already knew about hydrogen
and libsoundio though.

ardour and hydrogen need to wait for the new libjack-dev to be
installed, while libsoundio needs to wait for the new
libjack-jackd2-dev.

Does this seem right?

nmu ardour_1:5.4.0~dfsg-2 . ANY . unstable . -m "rebuild for tighter libjack dependency"
nmu hydrogen_0.9.7-1 . ANY . unstable . -m "rebuild for tighter libjack dependency"
nmu libsoundio_1.0.2-1 . ANY . unstable . -m "rebuild for tighter libjack dependency"

dw ardour_1:5.4.0~dfsg-2 . ANY . unstable . -m 'libjack-dev (>= 1:0.125.0-2)'
dw hydrogen_0.9.7-1 . ANY . unstable . -m 'libjack-dev (>= 1:0.125.0-2)'
dw libsoundio_1.0.2-1 . ANY . unstable . -m 'libjack-jackd2-dev (>= 1.9.10+20150825git1ed50c92~dfsg-4)'

Thanks,
James





Bug#841979: jessie-pu: package minissdpd/1.2.20130907-3

2016-10-24 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: Thomas Goirand <z...@debian.org>

Hi,

The attached debdiff fixes #816759 (minissdpd: CVE-2016-3178
CVE-2016-3179) for jessie. Both CVEs are tagged 'no-DSA' by the security
team.

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru minissdpd-1.2.20130907/debian/changelog 
minissdpd-1.2.20130907/debian/changelog
--- minissdpd-1.2.20130907/debian/changelog 2014-07-14 08:02:57.0 
+0100
+++ minissdpd-1.2.20130907/debian/changelog 2016-10-24 22:46:46.0 
+0100
@@ -1,3 +1,15 @@
+minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
+The minissdpd daemon contains a improper validation of array index
+vulnerability (CWE-129) when processing requests sent to the Unix
+socket at /var/run/minissdpd.sock the Unix socket can be accessed
+by an unprivileged user to send invalid request causes an
+out-of-bounds memory access that crashes the minissdpd daemon.
+
+ -- James Cowgill <jcowg...@debian.org>  Mon, 24 Oct 2016 22:46:46 +0100
+
 minissdpd (1.2.20130907-3) unstable; urgency=medium
 
   * Removed $all from init.d script.
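Review bot: the vulnerability description in the new changelog entry runs two sentences together ("...socket at /var/run/minissdpd.sock the Unix socket can be accessed by an unprivileged user to send invalid request causes...") and reads "a improper validation"; split it, e.g. "...requests sent to the Unix socket at /var/run/minissdpd.sock. The socket can be accessed by an unprivileged user, and an invalid request causes an out-of-bounds memory access that crashes the daemon." The entry also claims to fix both CVE-2016-3178 and CVE-2016-3179, while the debdiff as quoted here only shows debian/patches/CVE-2016-3178.patch and no debian/patches/series change; the quoted diff is truncated, so confirm the second patch and the series update are present in the actual upload.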
diff -Nru minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch 
minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch
--- minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch   1970-01-01 
01:00:00.0 +0100
+++ minissdpd-1.2.20130907/debian/patches/CVE-2016-3178.patch   2016-10-24 
22:43:23.0 +0100
@@ -0,0 +1,95 @@
+Description: Fix CVE-2016-3178
+ buffer overflow while handling negative length request
+Author: Salva Peiró <speir...@gmail.com>
+Origin: upstream, 
https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
+Bug-Debian: https://bugs.debian.org/816759
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/minissdpd.c
 b/minissdpd.c
+@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req
+   type = buf[0];
+   p = buf + 1;
+   DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-  if(p+l > buf+n) {
++  if(l > (unsigned)(buf+n-p)) {
+   syslog(LOG_WARNING, "bad request (length encoding)");
+   goto error;
+   }
+@@ -661,7 +661,7 @@ void processRequest(struct reqelem * req
+   goto error;
+   }
+   DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-  if(p+l > buf+n) {
++  if(l > (unsigned)(buf+n-p)) {
+   syslog(LOG_WARNING, "bad request (length encoding)");
+   goto error;
+   }
+@@ -679,7 +679,7 @@ void processRequest(struct reqelem * req
+   newserv->usn[l] = '\0';
+   p += l;
+   DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-  if(p+l > buf+n) {
++  if(l > (unsigned)(buf+n-p)) {
+   syslog(LOG_WARNING, "bad request (length encoding)");
+   goto error;
+   }
+@@ -697,7 +697,7 @@ void processRequest(struct reqelem * req
+   newserv->server[l] = '\0';
+   p += l;
+   DECODELENGTH_CHECKLIMIT(l, p, buf + n);
+-  if(p+l > buf+n) {
++  if(l > (unsigned)(buf+n-p)) {
+   syslog(LOG_WARNING, "bad request (length encoding)");
+   goto error;
+   }
+--- a/testminissdpd.c
 b/testminissdpd.c
+@@ -45,6 +45,23 @@ void printresponse(const unsigned char *
+ #define SENDCOMMAND(command, size) write(s, command, size); \
+   printf("Command written type=%u\n", (unsigned)command[0]);
+ 
++int connect_unix_socket(const char * sockpath)
++{
++  int s;
++  struct sockaddr_un addr;
++
++  s = socket(AF_UNIX, SOCK_STREAM, 0);
++  addr.sun_family = AF_UNIX;
++  strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path));
++  if(connect(s, (struct sockaddr *), sizeof(struct sockaddr_un)) < 
0) {
++  fprintf(stderr, "connecting to %s : ", addr.sun_path);
++  perror("connect");
++  exit(1);
++  }
++  printf("Connected to %s\n", addr.sun_path);
++  return s;
++}
++
+ /* test program for minissdpd */
+ int
+ main(int argc, char * * argv)
+@@ -52,6 +69,7 @@ main(int argc, char * * argv)
+   char command1
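Review bot: the replacement check `if(l > (unsigned)(buf+n-p))` avoids forming `p+l` beyond the buffer, but it is only sound if `p <= buf+n` at every call site: should `p` ever be past `buf+n`, `buf+n-p` is negative, the cast to unsigned turns it into a huge value and the check passes. Each site calls `DECODELENGTH_CHECKLIMIT(l, p, buf + n)` immediately before, so presumably the macro guarantees that bound; worth confirming in the source rather than assuming it. In the testminissdpd.c part, the new `connect_unix_socket()` calls `connect(s, (struct sockaddr *), sizeof(struct sockaddr_un))` with no operand after the cast (the address of `addr` appears to have been lost in mail quoting) and never checks `socket()` for -1 before using `s`. The nested file headers also appear as ` b/minissdpd.c` and ` b/testminissdpd.c` without their `+++` marker, so verify the patch file applies from the actual upload rather than from this mail.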

Bug#839731: jessie-pu: package mpg123/1.20.1-2+deb8u1

2016-10-04 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-multimedia-maintain...@lists.alioth.debian.org

Hi,

A security issue was reported against mpg123 in bug #838960. Since it
was marked no-DSA by the security team, it needs a normal jessie-pu
update to fix it in jessie.

The debdiff is attached. I've tested it on jessie against the testcase
provided in the upstream bug report (https://mpg123.org/bugs/240).

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-36-generic (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru mpg123-1.20.1/debian/changelog mpg123-1.20.1/debian/changelog
--- mpg123-1.20.1/debian/changelog  2014-08-31 10:51:53.0 +0100
+++ mpg123-1.20.1/debian/changelog  2016-10-04 11:42:56.0 +0100
@@ -1,3 +1,10 @@
+mpg123 (1.20.1-2+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Fix DoS with crafted ID3v2 tags. (Closes: #838960)
+
+ -- James Cowgill <jcowg...@debian.org>  Tue, 04 Oct 2016 11:42:56 +0100
+
 mpg123 (1.20.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch 
mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch
--- mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch  
1970-01-01 01:00:00.0 +0100
+++ mpg123-1.20.1/debian/patches/0002-dos-crafted-id3v2-tags.patch  
2016-10-04 11:41:20.0 +0100
@@ -0,0 +1,18 @@
+Description: Fix DoS with crafted ID3v2 tags
+Author: Thomas Orgis <thomas-fo...@orgis.org>
+Bug: https://sourceforge.net/p/mpg123/bugs/240/
+Bug-Debian: https://bugs.debian.org/838960
+Applied-Upstream: 1.23.8
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/libmpg123/id3.c
 b/src/libmpg123/id3.c
+@@ -752,7 +752,7 @@ int parse_new_id3(mpg123_handle *fr, uns
+   unsigned long fflags; /* need 16 bits, 
actually */
+   id[4] = 0;
+   /* pos now advanced after ext head, now 
a frame has to follow */
+-  while(tagpos < length-10) /* I want to 
read at least a full header */
++  while(length >= 10 && tagpos < 
length-10) /* I want to read at least a full header */
+   {
+   int i = 0;
+   unsigned long pos = tagpos;
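Review bot: the added `length >= 10 &&` guard only prevents the underflow if `length` is an unsigned type, in which case `length-10` wraps to a huge value for short tags and the loop reads frame headers past the end of the tag data. The context shows `fflags` and `pos` as `unsigned long` but not the declaration of `length`, so confirm it is unsigned; if it were signed the original condition would simply be false for short tags and the crash would have another cause. The lines `unsigned long fflags; /* need 16 bits, ` / `actually */` and the `while` lines are wrapped by the mail transport, so check that the patch file in the upload is intact and applies cleanly.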
diff -Nru mpg123-1.20.1/debian/patches/series 
mpg123-1.20.1/debian/patches/series
--- mpg123-1.20.1/debian/patches/series 2014-08-30 20:39:33.0 +0100
+++ mpg123-1.20.1/debian/patches/series 2016-10-04 11:41:20.0 +0100
@@ -1 +1,2 @@
 0001-disable_not_public_funcs.patch
+0002-dos-crafted-id3v2-tags.patch




Re: fact++ is marked for autoremoval from testing

2016-08-29 Thread James Cowgill
Hi,

On 29/08/16 09:43, Jonas Smedegaard wrote:
> Hi,
> 
> [please cc me on replies: I am not subscribed]
> 
> I am puzzled about this one:
> 
> Quoting Debian testing autoremoval watch (2016-08-29 06:39:03)
>> fact++ 1.6.4~dfsg-1 is marked for autoremoval from testing on 2016-08-31
>>
>> It (build-)depends on packages with these RC bugs:
>> 806865: ppl: FTBFS when built with dpkg-buildpackage -A (No rule to make 
>> ppl_c.h)
>> 811825: ppl: FTBFS with GCC 6: no match for
> 
> As I understand it, packages ppl (mentioned above) and cloog-ppl 
> (build-dependency of fact++) are independent projects.
> 
> Could this be a flaw somewhere in the autoremoval scripts?

cloog-ppl depends on libppl-c4 and libppl13v5 from the ppl source
package, so fact++ is being autoremoved due to transitive dependencies.

James





Bug#835784: nmu: mpv_0.20.0-1

2016-08-28 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

As I wrote in #835645, some of the ffmpeg symbols in 7:3.1.2-1 do not
generate tight enough dependencies and if mpv is used with an old version
of ffmpeg, it segfaults.

This is fixed in ffmpeg 3.1.3-1 so please binNMU mpv against that version.

nmu mpv_0.20.0-1 . ANY . unstable . -m "Rebuild against ffmpeg 3.1.3-1 for correct dependencies"
dw mpv_0.20.0-1 . ANY . unstable . -m 'libavformat57 (>= 7:3.1.3-1)'

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)





Re: Porter roll call for Debian Stretch

2016-08-26 Thread James Cowgill
Hi,

On 17/08/16 21:05, ni...@thykier.net wrote:
> Like last release, we are doing a roll call for porters of all release
> architectures.  If you are an active porter behind one of the [release
> architectures] for the entire lifetime of Debian Stretch (est. end of
> 2020), please respond with a signed email containing the following
> before Friday, the 9th of September:
> 
>  * Which architectures are you committing to be an active porter for?

I'm an active porter for mips, mipsel and mips64el.

>  * Please describe recent relevant porter contributions.

Numerous mips64el related bugs and some assistance bootstrapping parts
of it. Lately I've been looking at some toolchain issues and bugs in
various other packages.

>  * Are you running/using Debian testing or sid on said port(s)?

Yes, we have a number of mips machines running testing. They are mostly
used for development (some quite heavily used). I test common packages
on them (I'd be surprised if anyone can claim they test *all* packages
on their arch).

>  * Are you testing/patching d-i for the port(s)?

I don't use d-i a huge amount with the port unfortunately. Having said
that I am about to set up another machine so I'll try it out on that :)

>  * If we were to enable -fPIE/-pie by default in GCC-6, should that change
>also apply to this port? [0]

I'm not aware of any issues with enabling -fPIC on mips arches so I
think you can go ahead with it. PIE is already enabled in a number of
packages and there don't seem to be any issues with them on mips.

I'm a DD

James





Bug#834105: transition: libsfml

2016-08-13 Thread James Cowgill
On 12/08/16 09:33, Emilio Pozuelo Monfort wrote:
> On 12/08/16 00:21, James Cowgill wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: transition
>>
>> Hi,
>>
>> The new upstream version of libsfml bumped the SONAME and therefore
>> requires a transition.
>>
>> These packages will need rebuilding:
>>  dolphin-emu
>>  extremetuxracer
>>  libcsfml
>>  marsshooter
>>  python-sfml
>>
>> I did a test rebuild of all of them and they all built fine with the new
>> SFML.
> 
> Go ahead.

Thanks! Uploaded and built on all arches.

James





Bug#834105: transition: libsfml

2016-08-11 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi,

The new upstream version of libsfml bumped the SONAME and therefore
requires a transition.

These packages will need rebuilding:
 dolphin-emu
 extremetuxracer
 libcsfml
 marsshooter
 python-sfml

I did a test rebuild of all of them and they all built fine with the new
SFML.

Thanks,
James

Ben file:

title = "libsfml";
is_affected = .depends ~ /libsfml-[a-z]*2\.3v5/ | .depends ~ /libsfml-[a-z]*2\.4/;
is_good = .depends ~ /libsfml-[a-z]*2\.4/;
is_bad = .depends ~ /libsfml-[a-z]*2\.3v5/;


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500,
'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips

Kernel: Linux 4.7.0-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)





Bug#827288: jessie-pu: package audiofile/0.3.6-2

2016-06-14 Thread James Cowgill
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This update fixes CVE-2015-7747 (#801102). The security bug is marked
no-DSA, so the security team asked me to submit it as a normal stable
update.

The patch is copied directly from this Ubuntu bug (and is already
applied in Ubuntu):
https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721

Thanks,
James

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog	2016-06-14 14:21:11.0 +0100
+++ audiofile-0.3.6/debian/changelog	2016-06-14 16:39:56.0 +0100
@@ -1,3 +1,11 @@
+audiofile (0.3.6-2+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Fix CVE-2015-7747: buffer overflow when changing both sample format and
+number of channels. (Closes: #801102)
+
+ -- James Cowgill <jcowg...@debian.org>  Tue, 14 Jun 2016 16:39:49 +0100
+
 audiofile (0.3.6-2) unstable; urgency=low
 
   * Upload to unstable.
diff -Nru audiofile-0.3.6/debian/patches/CVE-2015-7747.patch audiofile-0.3.6/debian/patches/CVE-2015-7747.patch
--- audiofile-0.3.6/debian/patches/CVE-2015-7747.patch	1970-01-01 01:00:00.0 +0100
+++ audiofile-0.3.6/debian/patches/CVE-2015-7747.patch	2016-06-14 16:19:51.0 +0100
@@ -0,0 +1,161 @@
+Description: fix buffer overflow when changing both sample format and
+ number of channels
+Origin: backport, https://github.com/mpruett/audiofile/pull/25
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801102
+
+Index: audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp
+===
+--- audiofile-0.3.6.orig/libaudiofile/modules/ModuleState.cpp	2015-10-20 08:00:58.036128202 -0400
 audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp	2015-10-20 08:00:58.036128202 -0400
+@@ -402,7 +402,7 @@
+ 		addModule(new Transform(outfc, in.pcm, out.pcm));
+ 
+ 	if (in.channelCount != out.channelCount)
+-		addModule(new ApplyChannelMatrix(infc, isReading,
++		addModule(new ApplyChannelMatrix(outfc, isReading,
+ 			in.channelCount, out.channelCount,
+ 			in.pcm.minClip, in.pcm.maxClip,
+ 			track->channelMatrix));
+Index: audiofile-0.3.6/test/Makefile.am
+===
+--- audiofile-0.3.6.orig/test/Makefile.am	2015-10-20 08:00:58.036128202 -0400
 audiofile-0.3.6/test/Makefile.am	2015-10-20 08:00:58.036128202 -0400
+@@ -26,6 +26,7 @@
+ 	VirtualFile \
+ 	floatto24 \
+ 	query2 \
++	sixteen-stereo-to-eight-mono \
+ 	sixteen-to-eight \
+ 	testchannelmatrix \
+ 	testdouble \
+@@ -139,6 +140,7 @@
+ printmarkers_LDADD = $(LIBAUDIOFILE) -lm
+ 
+ sixteen_to_eight_SOURCES = sixteen-to-eight.c TestUtilities.cpp TestUtilities.h
++sixteen_stereo_to_eight_mono_SOURCES = sixteen-stereo-to-eight-mono.c TestUtilities.cpp TestUtilities.h
+ 
+ testchannelmatrix_SOURCES = testchannelmatrix.c TestUtilities.cpp TestUtilities.h
+ 
+Index: audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c
+===
+--- /dev/null	1970-01-01 00:00:00.0 +
 audiofile-0.3.6/test/sixteen-stereo-to-eight-mono.c	2015-10-20 08:33:57.512286416 -0400
+@@ -0,0 +1,117 @@
++/*
++	Audio File Library
++
++	Copyright 2000, Silicon Graphics, Inc.
++
++	This program is free software; you can redistribute it and/or modify
++	it under the terms of the GNU General Public License as published by
++	the Free Software Foundation; either version 2 of the License, or
++	(at your option) any later version.
++
++	This program is distributed in the hope that it will be useful,
++	but WITHOUT ANY WARRANTY; without even the implied warranty of
++	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++	GNU General Public License for more details.
++
++	You should have received a copy of the GNU General Public License along
++	with this program; if not, write to the Free Software Foundation, Inc.,
++	51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++*/
++
++/*
++	sixteen-stereo-to-eight-mono.c
++
++	This program tests the conversion from 2-channel 16-bit integers to
++	1-channel 8-bit	integers.
++*/
++
++#ifdef HAVE_CONFIG_H
++#include 
++#endif
++
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++
++#include 
++
++#include "TestUtilities.h"
++
++int main (int argc, char **argv)
++{
++	AFfilehandle file;
+
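Review bot: the one-token change in ModuleState.cpp (`infc` to `outfc` in the `ApplyChannelMatrix` constructor) is consistent with the context shown: the preceding `addModule(new Transform(outfc, in.pcm, out.pcm))` has already converted samples to the output format, so a channel-matrix module sized for `infc` receives output-format data, which is the overflow when both sample format and channel count change. Two points to check: the clip limits passed on the next lines are still `in.pcm.minClip, in.pcm.maxClip` although the module now operates on output-format samples, so confirm that is intended; and the quoted copy of test/sixteen-stereo-to-eight-mono.c has empty `#include` lines and the nested file headers have lost their `+++` markers, so the test registered in test/Makefile.am cannot build from what is shown here; verify the patch file in the actual upload applies and compiles.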

Bug#650601: fixed in elastix 4.8-3

2016-01-07 Thread James Cowgill
Control: reopen -1

On Thu, 2016-01-07 at 15:50 +, Gert Wollny wrote:
> Source: elastix
> Source-Version: 4.8-3
> 
> We believe that the bug you reported is fixed in the latest version of
> elastix, which is due to be installed in the Debian FTP archive.
[...]
>    [ Gert Wollny ]
>    * Update dependency for libdcmtk-dev to unversioned package
>    * Rebuild against itk-4.8.2-3, Closes: #650601

Wrong bug number? Did you mean #809889 "elastix: FTBFS with libpng16"?
You just closed the global libpng1.6 transition tracking bug.

James



Bug#803997: transition: polarssl

2015-11-09 Thread James Cowgill
Hi,

On Mon, 2015-11-09 at 19:19 +0100, Emilio Pozuelo Monfort wrote:
> On 04/11/15 04:02, James Cowgill wrote:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > Severity: normal
> > Forwarded: https://release.debian.org/transitions/html/auto-polarssl.html
> > X-Debbugs-CC: polar...@packages.debian.org
> > 
> > Hi,
> > 
> > polarssl needs a library transition. The name of the upstream project
> > changed to 'mbedtls' so the SONAME has become 'libmbedtls9'. I've kept
> > the name of the dev package as 'libpolarssl-dev' for the 1.3 series so
> > every package doesn't need to be changed.
> 
> Shouldn't there be a new libmbedtls-dev package, with libpolarssl-dev 
> becoming a
> transitional one?
> 
> Shouldn't the source be renamed?

Earlier this year (in 1.3.10) upstream renamed the project mbedTLS. In
the 1.3 series they changed the soname, but not the API (i.e. all the
headers, functions, etc. are still called "polarssl").

A few months later they released 2.0 which completely changed the API
by renaming all the functions and doing various cleanups to the API
which would break many programs.

The new 2.0 series is in NEW right now and called 'mbedtls' and
contains a libmbedtls-dev package.

I didn't want to rename the dev package since it would end up
conflicting with the new 2.0 series and although the "brand" name is
mbedTLS, it still follows polarssl's API.

> > The new version of polarssl fixes a grave security bug (#801413). I
> > haven't got a response from the package maintainer at all in dealing
> > with this so I NMUed the version currently in experimental.
> 
> Doing this transition as a NMU seems a bit odd to me. Though hijacking the
> package seems a bit premature since that bug was opened only a month ago.
> If you renamed the source, then maybe you could get away with it :p

Okay sorry I didn't mean to hijack anyone's package, I was just trying
to fix this security bug affecting one of my packages and nothing
seemed to be happening on it. Although my upload of mbedtls 2 does now
feel like a bit of a hijack :/

Thinking about this, I could probably avoid this transition by waiting 
for mbedtls to pass NEW, porting all the rdeps, and then having
polarssl removed from the archive. This would be the "end" goal anyway.
This transition is effectively a temporary fix since I don't know how
long that will take, and in the mean time there will be a grave
security bug affecting polarssl.

If you're wondering why a transition has to happen to fix this bug at
all, upstream basically said "do not try to backport any of these
commits" when I asked them about the security bug (see some of the
links in #801413).

Thanks,
James



Bug#803997: transition: polarssl

2015-11-03 Thread James Cowgill
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: transition
Severity: normal
Forwarded: https://release.debian.org/transitions/html/auto-polarssl.html
X-Debbugs-CC: polar...@packages.debian.org

Hi,

polarssl needs a library transition. The name of the upstream project
changed to 'mbedtls' so the SONAME has become 'libmbedtls9'. I've kept
the name of the dev package as 'libpolarssl-dev' for the 1.3 series so
every package doesn't need to be changed.

The new version of polarssl fixes a grave security bug (#801413). I
haven't got a response from the package maintainer at all in dealing
with this so I NMUed the version currently in experimental.

There is a build failure on s390x, but the fix should be a 1 line
change which I'd like to make when I upload the package to unstable. If
you'd prefer I could make another NMU to experimental instead.

Thanks,
James

Ben file (the automatic one is fine):

title = "polarssl";
is_affected = .depends ~ "libpolarssl7" | .depends ~ "libmbedtls9";
is_good = .depends ~ "libmbedtls9";
is_bad = .depends ~ "libpolarssl7";



Bug#791166: libsfml: library transition may be needed when GCC 5 is the default

2015-08-06 Thread James Cowgill
Hi,

Can I upload this to unstable (it's in experimental)?

All the reverse dependencies build except python-sfml because cython is
currently uninstallable (See #793227, #794511).

https://release.debian.org/transitions/html/auto-libsfml.html

Thanks,
James



Bug#794486: release.debian.org: auto transition trackers incorrectly handle addition of suffixes (including GCC 5 related transitions)

2015-08-03 Thread James Cowgill
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: tools

Hi,

I don't think any of the automatic transition trackers for the
libstdcxx / GCC 5 packages are working correctly.

Currently cmake has been rebuilt against both the new versions of GCC 5
and libjsoncpp, and shows up good on this tracker:
https://release.debian.org/transitions/html/libstdc++6.html

but bad on this tracker:
https://release.debian.org/transitions/html/auto-libjsoncpp.html

The auto-libjsoncpp ben file contains this:
is_affected = .depends ~ /libjsoncpp0v5|libjsoncpp0v5\-dbg|libjsoncpp0|libjsoncpp0\-dbg/;
is_good = .depends ~ /libjsoncpp0v5|libjsoncpp0v5\-dbg/;
is_bad = .depends ~ /libjsoncpp0|libjsoncpp0\-dbg/;

Here, packages depending on libjsoncpp0v5 match both the is_good and
is_bad regexes so ben marks them as bad.

The regexes for is_good and is_bad should probably have ^ and $
inserted before and after each package name to fix this.

Thanks,
James



Bug#794486: release.debian.org: auto transition trackers incorrectly handle addition of suffixes (including GCC 5 related transitions)

2015-08-03 Thread James Cowgill
On Mon, 2015-08-03 at 18:09 +0200, Julien Cristau wrote:
> On Mon, Aug  3, 2015 at 16:44:32 +0100, James Cowgill wrote:
>> Package: release.debian.org
>> User: release.debian@packages.debian.org
>> Usertags: tools
>> 
>> Hi,
>> 
>> I don't think any of the automatic transition trackers for the
>> libstdcxx / GCC 5 packages are working correctly.
>> 
>> Currently cmake has been rebuilt against both the new versions of GCC 5
>> and libjsoncpp, and shows up good on this tracker:
>> https://release.debian.org/transitions/html/libstdc++6.html
>> 
>> but bad on this tracker:
>> https://release.debian.org/transitions/html/auto-libjsoncpp.html
>> 
>> The auto-libjsoncpp ben file contains this:
>> is_affected = .depends ~ /libjsoncpp0v5|libjsoncpp0v5\-dbg|libjsoncpp0|libjsoncpp0\-dbg/;
>> is_good = .depends ~ /libjsoncpp0v5|libjsoncpp0v5\-dbg/;
>> is_bad = .depends ~ /libjsoncpp0|libjsoncpp0\-dbg/;
>> 
>> Here, packages depending on libjsoncpp0v5 match both the is_good and
>> is_bad regexes so ben marks them as bad.
>> 
> I've made a manual tracker for libjsoncpp, see
> https://release.debian.org/transitions/html/libjsoncpp.html

That looks better. I tried one I suggested with ^ and $ and it didn't
work properly, so I guess ben applies the regex to the entire Depends
line? The automatic solution could be a little more complex than I
thought.

> Any other broken ones?

After a quick skim these trackers are probably broken:

ccfits
csound
geos
libconfig
libdap
libgig
libmusicbrainz5
libquvi-scripts (not gcc 5)
log4cxx
spatialindex
wxwidgets3.0

James
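
The matching problem both messages in this bug describe can be reproduced outside ben. The following Python model is an added example, not ben's code and not part of this thread: it takes the is_good / is_bad patterns quoted from the auto-libjsoncpp ben file and applies them to a package's Depends field in three ways. Searched as substrings over the whole field (what the first message reports and, as the second message guesses, apparently what ben does), libjsoncpp0 matches inside libjsoncpp0v5 and the package is reported bad; wrapping the same patterns in ^ and $ while still searching the whole field matches nothing at all, which is the "didn't work properly" result; splitting the field into dependency names and requiring a full match of each name gives the intended answer. The Depends strings and the rule that a package matching both patterns is reported bad are constructed assumptions for the example.

```python
import re

# Constructed sample Depends fields for illustration only; they are not
# real package metadata. "cmake-new" stands for a cmake rebuilt against
# libjsoncpp0v5, "cmake-old" for one still linked against libjsoncpp0.
SAMPLE_DEPENDS = {
    "cmake-new": "libc6 (>= 2.14), libjsoncpp0v5 (>= 0.6.0), libstdc++6 (>= 5.2)",
    "cmake-old": "libc6 (>= 2.14), libjsoncpp0 (>= 0.6.0), libstdc++6 (>= 4.9)",
    "unrelated": "libc6 (>= 2.14), zlib1g (>= 1:1.2.8)",
}

# The is_good / is_bad patterns exactly as quoted from the auto-libjsoncpp
# ben file in the bug report.
IS_GOOD = re.compile(r"libjsoncpp0v5|libjsoncpp0v5\-dbg")
IS_BAD = re.compile(r"libjsoncpp0|libjsoncpp0\-dbg")


def classify_whole_line(depends, is_good=IS_GOOD, is_bad=IS_BAD):
    """Model of the behaviour the bug report describes (an assumption
    about ben, not its real code): each regex is searched anywhere in the
    whole Depends field, and a package matching is_bad is reported bad
    even when it also matches is_good."""
    if is_bad.search(depends):
        return "bad"
    if is_good.search(depends):
        return "good"
    return "unaffected"


def classify_anchored_whole_line(depends, is_good=IS_GOOD, is_bad=IS_BAD):
    """What simply adding ^ and $ to the patterns does when they are still
    searched over the whole field: nothing matches, because the field also
    contains the other dependencies."""
    good = re.compile(r"^(?:%s)$" % is_good.pattern)
    bad = re.compile(r"^(?:%s)$" % is_bad.pattern)
    return classify_whole_line(depends, good, bad)


def depends_package_names(depends):
    """Split a Depends field into bare package names: expand alternatives
    ("a | b") and drop version constraints, architecture restrictions and
    ":any"-style qualifiers."""
    names = []
    for clause in depends.split(","):
        for alternative in clause.split("|"):
            tokens = alternative.split()
            if tokens:
                names.append(tokens[0].split(":")[0])
    return names


def classify_per_package(depends, is_good=IS_GOOD, is_bad=IS_BAD):
    """Corrected matching: test each dependency name on its own and require
    the regex to match the whole name, so libjsoncpp0 no longer matches
    inside libjsoncpp0v5 (fullmatch handles the alternation correctly)."""
    names = depends_package_names(depends)
    if any(is_bad.fullmatch(name) for name in names):
        return "bad"
    if any(is_good.fullmatch(name) for name in names):
        return "good"
    return "unaffected"


def tracker_table():
    """Classify every sample package under all three matching strategies."""
    return {
        name: (
            classify_whole_line(deps),
            classify_anchored_whole_line(deps),
            classify_per_package(deps),
        )
        for name, deps in SAMPLE_DEPENDS.items()
    }


if __name__ == "__main__":
    for name, (substring, anchored, per_pkg) in tracker_table().items():
        print(f"{name:10s} substring={substring:10s} "
              f"anchored={anchored:10s} per-package={per_pkg}")
```

Running it shows cmake-new reported bad by substring matching, unaffected by the anchored whole-field variant, and good only by per-name full matching; cmake-old is bad under both working strategies. The per-name split is the "more complex" automatic solution the second message anticipates: the anchors only help once the regex is applied to one package name at a time.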



Bug#736808: nmu: github-backup_1.20131203

2014-01-26 Thread James Cowgill
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

github-backup is still compiled against libicu48 on some architectures

  nmu github-backup_1.20131203 . amd64 i386 powerpc sparc . -m rebuild against libicu52

James

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1390771717.13046.1.camel@angel.local