Bug#780624: libmpeg2-4: introduces new symbols

2015-03-16 Thread Raphael Geissert
Package: libmpeg2-4
Version: 0.5.1-6
Severity: serious

Hi,

Between wheezy and jessie libmpeg2-4 introduced at least one new symbol, 
mpeg2_guess_aspect, without even including a shlibs or symbols file.
The result is that some applications using libmpeg2-4 that use the new 
symbols, perhaps directly, perhaps picked up?, do not have a proper 
versioned dependency on libmpeg2-4.

One such package is gstreamer1.0-plugins-ugly, though there might be others.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers


Bug#772223: bristol: bashism in /bin/sh script

2014-12-06 Thread Raphael Geissert
Package: bristol
Severity: minor
Version: 0.60.11-2
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole
archive and I found that your package has a /bin/sh script that uses a
bashism.

checkbashisms' output:
 possible bashism in ./usr/bin/startBristol line 464 (exit|return with
 negative status code):
 exit -1


Not using bash (or a Debian Policy compliant shell interpreter that doesn't
provide such an extra feature) as /bin/sh is likely to lead to errors or
unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine
what the proper severity of the bug is, and adjust it accordingly. If
it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert


Bug#772257: dvblast: bashism in /bin/sh script

2014-12-06 Thread Raphael Geissert
Package: dvblast
Severity: minor
Version: 2.2-1
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole
archive and I found that your package has a /bin/sh script that uses a
bashism.

checkbashisms' output:
 possible bashism in ./usr/bin/dvblast_mmi.sh line 24 ($_):
 BASE_DIR=`dirname $_`


Not using bash (or a Debian Policy compliant shell interpreter that doesn't
provide such an extra feature) as /bin/sh is likely to lead to errors or
unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine
what the proper severity of the bug is, and adjust it accordingly. If
it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert


Bug#772264: din: bashism in /bin/sh script

2014-12-06 Thread Raphael Geissert
Package: din
Severity: minor
Version: 5.2.1-3
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole
archive and I found that your package has a /bin/sh script that uses a
bashism.

checkbashisms' output:
 possible bashism in ./usr/share/din/m00 line 5 (unsafe echo with
 backslash):
 echo \033[1;30m mouse parameters:`xset q | grep accel`  \033[0m
 possible bashism in ./usr/share/din/m00 line 5 (<<< here string):
 echo \033[1;30m mouse parameters:`xset q | grep accel`  \033[0m


Not using bash (or a Debian Policy compliant shell interpreter that doesn't
provide such an extra feature) as /bin/sh is likely to lead to errors or
unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine
what the proper severity of the bug is, and adjust it accordingly. If
it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert


Bug#772354: mjpegtools: bashism in /bin/sh script

2014-12-06 Thread Raphael Geissert
Package: mjpegtools
Severity: normal
Version: 1:2.1.0+debian-2.1+b2
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole
archive and I found that your package has a /bin/sh script that uses a
bashism.

checkbashisms' output:
 possible bashism in ./usr/lib/mjpegtools/bin/lav2avi.sh line 75 (echo -e):
echo -e USAGE:\t`basename $0` filename.eli
 possible bashism in ./usr/lib/mjpegtools/bin/lav2avi.sh line 76 (echo -e):
echo -e \n\tfilename - MJPEG Tools lav editing file\n
 possible bashism in ./usr/lib/mjpegtools/bin/lav2avi.sh line 77 (echo -e):
echo -e EXAMPLE:\n\t`basename $0` SecondFilm.eli\n


Not using bash (or a Debian Policy compliant shell interpreter that doesn't
provide such an extra feature) as /bin/sh is likely to lead to errors or
unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine
what the proper severity of the bug is, and adjust it accordingly. If
it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert


Bug#772347: xbmc: bashism in /bin/sh script

2014-12-06 Thread Raphael Geissert
Package: xbmc
Severity: serious
Version: 2:13.2+dfsg1-4
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole
archive and I found that your package has a /bin/sh script that uses a
bashism.

checkbashisms' output:
 possible bashism in ./usr/bin/xbmc line 81 (should be >word 2>&1):
 if which systemd-coredumpctl &> /dev/null; then
 possible bashism in ./usr/bin/xbmc line 82 (should be >word 2>&1):
   systemd-coredumpctl dump -o core xbmc.bin &> /dev/null


Not using bash (or a Debian Policy compliant shell interpreter that doesn't
provide such an extra feature) as /bin/sh is likely to lead to errors or
unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine
what the proper severity of the bug is, and adjust it accordingly. If
it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert


Bug#772403: rotter: bashism in /bin/sh script

2014-12-06 Thread Raphael Geissert
Package: rotter
Severity: minor
Version: 0.9-3
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole
archive and I found that your package has a /bin/sh script that uses a
bashism.

checkbashisms' output:
 possible bashism in ./etc/init.d/rotter line 51 (sleep only takes one
 integer):
 sleep 0.1


Not using bash (or a Debian Policy compliant shell interpreter that doesn't
provide such an extra feature) as /bin/sh is likely to lead to errors or
unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine
what the proper severity of the bug is, and adjust it accordingly. If
it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert


Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian

2014-07-30 Thread Raphael Geissert
Andreas Cadhalpun wrote:
> Given the amount of software in Debian and thus the amount of security
> fixes necessary for a stable release, I think that the additional
> stable-security uploads for FFmpeg in the order of 10 per release will
> be hardly noticeable.

They are surely noticeable to the security team: the release process of a 
security update is more than just a throw and forget.
Tracking every single vulnerability for each copy of the code consumes time. 
Every single update also consumes the team's time, and that of many organisations 
external to Debian.

> What is particularly hard for me to understand is why e.g. MySQL and
> MariaDB can be in testing at the same time without much resistance from
> the security team, but FFmpeg and Libav can apparently not.

There is resistance - we only want one, not two, not three (percona).

IMH (and personal) O, if you want to see ffmpeg in Jessie or later, you should 
replace libav - i.e. no silly one binary + libraries that won't work for 
anything else.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian

2014-07-29 Thread Raphael Geissert
Andreas Cadhalpun wrote:
> According to the changelog[1], there have been 8 security updates for
> ffmpeg in squeeze.

There would have been more but the code has evolved too much for it to be 
feasible to backport the patches. Not to mention that some bugs that are being 
fixed are, for example, for incomplete checks - checks that don't exist in the 
0.5 branch.
Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



Re: Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian

2014-07-29 Thread Raphael Geissert
On Tuesday 29 July 2014 18:43:17 Andreas Cadhalpun wrote:
> On 29.07.2014 09:47, Raphael Geissert wrote:
> > Andreas Cadhalpun wrote:
> > > According to the changelog[1], there have been 8 security updates for
> > > ffmpeg in squeeze.
> >
> > There would have been more
>
> You're right, my calculation is slightly flawed.

That was my point, so please don't use it as an argument.

> > Not to mention that some bugs that are being
> > fixed are, for example, for incomplete checks - checks that don't exist
> > in the 0.5 branch.
>
> What do you mean here? If the affected code is not there, then that's
> nice, because a backport is not needed.

Let me rephrase it: the fix is for an incomplete check, but in 0.5 the check 
is missing - while the rest of the code is there. Which is kinda... worse.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


Bug#737534: vlc: unsafe use of libtar

2014-02-03 Thread Raphael Geissert
Package: vlc
Severity: important
Tags: security

Hi,

vlc uses libtar to unpack skins; however, its use on untrusted data
exposes it to CVE-2013-4420 (#731860).

Changing the behaviour of libtar appears to be problematic because
some applications have relied on the, lack of, path sanitation (cf.
https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
and the follow-ups).
What appears to be the safe way to handle this issue is making sure
that libtar is not used on untrusted data without file path validation
- that would mean that vlc would have to check for every file that is
about to be extracted that none contains a ../, and something similar
for symlinks.

Alternatively, vlc could just use tar(1) to unpack the tarballs, or
drop support for skins or skins in tarballs.

What do you think?

This should probably be forwarded to upstream.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
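A validation pass of the kind described above, applied to a skin tarball's member list before any extractor touches it: reject names that escape the destination through `../` or an absolute path, and apply the same rule to symlink targets. This is an added illustration, not vlc's or libtar's code; it reads a listing with one member per line, symlinks written `name -> target` as in the tail of `tar -tvf` output, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not vlc's or libtar's code: screen a tar member listing
# before extraction so nothing can land outside the destination directory.
# Input: one member per line; symlinks written "name -> target", as in the
# tail of `tar -tvf` output. Names that themselves contain " -> " are not
# handled, and hard links ("link to") are out of scope here.

# Return 0 if a slash-separated path stays inside the extraction root:
# not absolute and with no ".." component ("." components are harmless,
# and names like "foo..bar" are legitimate).
path_is_confined() {
    case "$1" in
        /*)                   return 1 ;;   # absolute path
        ..|../*|*/..|*/../*)  return 1 ;;   # parent-directory component
    esac
    return 0
}

# Read a listing on stdin, print each unsafe member with a reason, and
# return 1 if any was found, 0 otherwise. Symlink targets are checked with
# the same rule: deliberately conservative, since a relative target with
# ".." may be legitimate, but once a link points outside the tree every
# later member written through it escapes too.
check_tar_listing() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            *' -> '*)
                name=${line%%' -> '*}
                target=${line#*' -> '}
                if ! path_is_confined "$name"; then
                    printf 'UNSAFE symlink name: %s\n' "$name"; bad=1
                elif ! path_is_confined "$target"; then
                    printf 'UNSAFE symlink target: %s -> %s\n' "$name" "$target"; bad=1
                fi ;;
            *)
                if ! path_is_confined "$line"; then
                    printf 'UNSAFE path: %s\n' "$line"; bad=1
                fi ;;
        esac
    done
    return $bad
}

# Constructed listing of a hostile skin tarball (not a real sample).
sample_listing='skin/theme.xml
skin/images/bg.png
skin/icons -> images
skin/../../../home/user/.bashrc
/etc/ld.so.preload
skin/fonts -> ../../../../usr/share/fonts'

printf '%s\n' "$sample_listing" | check_tar_listing || printf 'refusing to extract\n'
```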


Bug#690617: mjpegtools: bashism in /bin/sh script

2012-10-15 Thread Raphael Geissert
Package: mjpegtools
Version: 2.0.0+debian-1
Severity: important
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hello maintainer,

While performing an archive-wide checkbashisms (from the 'devscripts' 
package) check I've found your package containing a /bin/sh script making 
use of a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/lav2mpeg line 255 (let ...):
let MOPTIND=OPTIND-LAVRC_COUNT
possible bashism in ./usr/bin/lav2mpeg line 545 ($SECONDS):
STARTALL=$SECONDS
possible bashism in ./usr/bin/lav2mpeg line 549 ($SECONDS):
   START=$SECONDS
possible bashism in ./usr/bin/lav2mpeg line 567 ($SECONDS):
  diff=$(getTimeDiff $START $SECONDS)
possible bashism in ./usr/bin/lav2mpeg line 568 ($SECONDS):
  elapsed=$(expr $SECONDS - $START)
possible bashism in ./usr/bin/lav2mpeg line 578 ($SECONDS):
END=$SECONDS
possible bashism in ./usr/bin/lav2mpeg line 579 ($SECONDS):
diff=$(getTimeDiff $STARTALL $SECONDS)
possible bashism in ./usr/bin/lav2mpeg line 580 ($SECONDS):
temp=$(expr $SECONDS - $STARTALL)

Not using bash (or a Debian Policy conformant shell interpreter which 
doesn't provide such an extra feature) as /bin/sh is likely to lead to 
errors or unexpected behaviours.

You can find hints about how to fix bashisms at:
https://wiki.ubuntu.com/DashAsBinSh

Thank you,
Raphael Geissert
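Every construct flagged across these checkbashisms reports (exit -1, echo -e and echo with escape sequences, $_, let, $SECONDS, sleep 0.1, &>) has a plain POSIX sh equivalent, and the script below collects them in one place. It is an added illustration, not code from startBristol, dvblast_mmi.sh, m00, lav2avi.sh, lav2mpeg, xbmc or the rotter init script; the function names are invented for the example, and it runs unchanged under dash and bash.

```shell
#!/bin/sh
# Added example, not taken from any of the packages above: POSIX sh
# equivalents for the constructs checkbashisms flagged in these reports.

# startBristol: `exit -1`. Exit statuses are 0-255; dash rejects -1 outright
# and bash silently wraps it to 255, so name the status you actually mean.
fail_with_status() {
    exit 255
}

# lav2avi.sh: `echo -e "USAGE:\t..."`; din's m00: `echo "\033[1;30m..."`.
# echo's handling of -e and of backslash escapes differs between shells;
# printf interprets \t and \033 in its format string everywhere.
usage_text() {
    printf 'USAGE:\t%s filename.eli\n' "$1"
}
dim_text() {
    printf '\033[1;30m%s\033[0m\n' "$1"
}

# dvblast_mmi.sh: `BASE_DIR=`dirname $_``. $_ is bash-specific; the running
# script's own path is $0 in every POSIX shell (callers pass "$0").
script_dir() {
    dirname "$1"
}

# lav2mpeg: `let MOPTIND=OPTIND-LAVRC_COUNT`. $(( )) is POSIX arithmetic.
remaining_optind() {
    printf '%s\n' "$(( $1 - $2 ))"
}

# lav2mpeg: `START=$SECONDS` ... `expr $SECONDS - $START`. $SECONDS exists
# only in bash; read the clock instead. `date +%s` is not in POSIX either,
# but GNU, BSD and busybox date all support it.
now_seconds() {
    date +%s
}
elapsed_since() {
    printf '%s\n' "$(( $(now_seconds) - $1 ))"
}

# rotter init script: `sleep 0.1`. POSIX sleep accepts whole seconds only.
short_pause() {
    sleep 1
}

# xbmc: `which cmd &> /dev/null`. &> is bash; redirect both streams
# explicitly, and prefer command -v, which is POSIX where which(1) is not.
has_command() {
    command -v "$1" > /dev/null 2>&1
}
```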


Bug#661197: CVE-2012-0270: buffer overflows

2012-02-24 Thread Raphael Geissert
Package: csound
Severity: grave
Tags: security

Hi,

Two vulnerabilities have been found in csound. Please refer to the
following page for more information:
http://secunia.com/secunia_research/2012-3/

Regards,
Raphael Geissert


Bug#598282: ardour-i686: CVE-2010-3349: insecure library loading

2010-09-27 Thread Raphael Geissert
Package: ardour-i686
Version: 1:2.8.11-1
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/ardour2 line 5:
export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH 

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3349. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3349
[1] http://security-tracker.debian.org/tracker/CVE-2010-3349

Sincerely,
Raphael Geissert


Bug#598285: bristol: CVE-2010-3351: insecure library loading

2010-09-27 Thread Raphael Geissert
Package: bristol
Version: 0.60.5-1+b1
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/startBristol line 350:
export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

Note that there's also a missing slash on the second entry (_usr_/lib.)

This vulnerability has been assigned the CVE id CVE-2010-3351. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3351
[1] http://security-tracker.debian.org/tracker/CVE-2010-3351

Sincerely,
Raphael Geissert


Bug#598283: ardour: CVE-2010-3349: insecure library loading

2010-09-27 Thread Raphael Geissert
Package: ardour
Version: 1:2.8.11-1
Severity: grave
Tags: security
User: t...@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/ardour2 line 5:
export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH 

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3349. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3349
[1] http://security-tracker.debian.org/tracker/CVE-2010-3349

Sincerely,
Raphael Geissert
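The three ldpath reports above (ardour-i686, bristol, ardour) share one root cause, so a single illustration serves all of them: a prepend that cannot produce an empty element when LD_LIBRARY_PATH is unset, and an audit that flags both the empty element and a relative entry like the `usr/lib` from startBristol. This is an added example, not the ardour2 or startBristol wrapper code; the values it checks are constructed.

```shell
#!/bin/sh
# Added example, not from the ardour or bristol wrapper scripts: build
# LD_LIBRARY_PATH without empty elements and audit a value for the two
# defects reported above.

# Prepend $1 to the list in $2. The ":$2" suffix is emitted only when $2 is
# non-empty, so an unset or empty LD_LIBRARY_PATH yields "dir", never "dir:".
prepend_lib_path() {
    printf '%s%s\n' "$1" "${2:+:$2}"
}

# Print one line per problematic element of a colon-separated list and
# return 1 if any was found, 0 otherwise. An empty element ("dir:", ":dir",
# "a::b") makes ld.so search the current directory; a relative element is
# resolved from the current directory as well. An entirely empty value is
# ignored by ld.so and therefore accepted.
audit_lib_path() {
    [ -n "$1" ] || return 0
    problems=0
    rest="$1:"          # sentinel colon so the last element is processed too
    while [ -n "$rest" ]; do
        elem=${rest%%:*}
        rest=${rest#*:}
        case "$elem" in
            '') printf 'empty element: ld.so would search the current directory\n'
                problems=1 ;;
            /*) ;;
            *)  printf 'relative element "%s": resolved from the current directory\n' "$elem"
                problems=1 ;;
        esac
    done
    return $problems
}

# Demo with constructed values, simulating the common case of LD_LIBRARY_PATH
# being unset (empty string) when the wrapper script runs.
inherited=''
printf -- '--- reported ardour2 form: /usr/lib/ardour2:$LD_LIBRARY_PATH\n'
audit_lib_path "/usr/lib/ardour2:$inherited" || printf 'rejected\n'
printf -- '--- reported startBristol form (note the relative usr/lib)\n'
audit_lib_path "/usr/local/lib:usr/lib:$inherited:/opt/bristol/lib" || printf 'rejected\n'
printf -- '--- corrected form\n'
audit_lib_path "$(prepend_lib_path /usr/lib/ardour2 "$inherited")" && printf 'accepted\n'
```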


Bug#567442: mediatomb: incorrect init scripts dependencies

2010-02-03 Thread Raphael Geissert
On 3 February 2010 15:43, Mehdi me...@dogguy.org wrote:
> On  0, Raphael Geissert geiss...@debian.org wrote:
> > Package: mediatomb
> > Version: 0.12.0~svn2018-4
> > Severity: important
> > User: initscripts-ng-de...@lists.alioth.debian.org
> > Usertags: incorrect-dependency
> >
> > [...]
> >
> > P.S. this is a release goal.
>
> Why is the severity only important then?

Because release goals aren't release critical (and the app doesn't
horribly break.)

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


Bug#567442: mediatomb: incorrect init scripts dependencies

2010-01-28 Thread Raphael Geissert
Package: mediatomb
Version: 0.12.0~svn2018-4
Severity: important
User: initscripts-ng-de...@lists.alioth.debian.org
Usertags: incorrect-dependency

Hi,

mediatomb has a dependency on $all which in 99% of the cases is incorrect.
By depending on $all, no other init script can depend on mediatomb, possibly 
preventing the other script from working properly.

Please fix the dependencies.

P.S. this is a release goal.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
