Bug#965154: maxima: insecure use of /tmp

Package: maxima Version: 5.43.2-3 Severity: grave Tags: security Maxima uses /tmp in an insecure way. In particular, when creating plots, files are written to maxima_tempdir (which defaults to /tmp) with predictable names, and there is no check that the files do not exist. An attacker could

Bug#964471: libreoffice-l10n-ru: error when configuring: cp: cannot create regular file '/etc/libreoffice/registry/Langpack-ru.xcd': No such file or directory

On 07.07.2020 22:40, Rene Engelhard wrote: Even that worked for me in said testing VM "upgraded" to unstable with your apt-get --with-new-pkgs upgrade. libreoffice-l10n-de, libreoffice-l10n-ru and other LO packages were kept back. After some testing, I found out that you also need to pass

Bug#964471: libreoffice-l10n-ru: error when configuring: cp: cannot create regular file '/etc/libreoffice/registry/Langpack-ru.xcd': No such file or directory

Package: libreoffice-l10n-ru Version: 1:7.0.0~rc1-3 Severity: serious When upgrading Libreoffice, the following errors occur: Setting up libreoffice-l10n-ru (1:7.0.0~rc1-3) ... Creating config file /etc/libreoffice/registry/Langpack-ru.xcd with new version cp: cannot create regular file

Bug#960709: unattended-upgrades: Exception: 'NoneType' object has no attribute 'dependencies'

Package: unattended-upgrades Version: 1.11.2 I'm using unattended-upgrades on a Debian Buster system. Some time ago, it stopped working. When run from terminal, it prints: Exception: 'NoneType' object has no attribute 'dependencies' This line doesn't appear in logs. After some manual

Bug#941700: [Pkg-javascript-devel] Bug#941700: Bug#941700: Update babel to version 7

[14:53:55] ReferenceError: [BABEL] /home/pravi/forge/debian/git/js-team/node-babel/packages/babel-parser/src/x.js: Unknown option: base.envName. Check out for more information about options. The reason for this error and other errors is that this version

Bug#941900: Update Warzone 2100 to version 3.3

Package: warzone2100 Version: 3.2.1-4 Warzone 2100 version 3.3 is available, and it includes fixes for various problems with version 3.2. The new version should be packaged in Debian.

Bug#929829: gulp 4 cannot build node-babel 7 - Cannot convert undefined or null to object

[15:37:17] Cannot convert undefined or null to object After checking the code, I found the root cause of this error. The error is caused by NPM package now-and-later, which is included in Debian package gulp version 4.0.2-2. The version included is 1.0.0. It should be upgraded to at least

Bug#941700: Update babel to version 7

Source: node-babel Version: 6.26.0+dfsg-3 Severity: important Babel 7 was released more than a year ago, so perhaps it's time to package the new version.

Bug#914153: Update to version 2.3.0-3 breaks Megaglest

Package: libftgl2 Version: 2.3.0-3 After updating libftgl2 from version 2.1.3~rc5-5 to version 2.3.0-3, text rendering in Megaglest is broken. Text is shown correctly in menus, but text displayed in the game itself is replaced by white rectangles.

Bug#913137: virtualbox: VirtualBox E1000 Guest-to-Host Escape

Control: severity -1 critical Raising severity because this bug can be used by any local user to elevate privileges. Also, before this bug is fixed upstream, it is possible to use this patch as a band-aid: --- a/src/VBox/Devices/Network/DevE1000.cpp +++

Bug#902897: virtualbox: fails to start vm (VERR_LDRELF_RELOCATION_NOT_SUPPORTED)

Control: fixed -1 5.2.14-dfsg-7 Seems to be fixed now.

Bug#902897: virtualbox: fails to start vm (VERR_LDRELF_RELOCATION_NOT_SUPPORTED)

Control: notfixed -1 5.2.14-dfsg-5 I also still see this bug with the latest version.

Bug#903580: aegisub can't be installed on unstable anymore

Package: aegisub Version: 3.2.2+dfsg-3+b6 Severity: grave For some time already, Aegisub can't be installed on Debian unstable due to broken dependencies.

Bug#902897: virtualbox: fails to start vm (VERR_LDRELF_RELOCATION_NOT_SUPPORTED)

To install old package versions, there is snapshot.d.o [1]. Basically, it has a copy of every state Debian repository was ever in. There is also a way to see every version of every package and to find the appropriate snapshot to install it from. [1] https://snapshot.debian.org/

Bug#902897: virtualbox: fails to start vm (VERR_LDRELF_RELOCATION_NOT_SUPPORTED)

On 08.07.2018 22:54, Steven R. Wright wrote: This is a critical enough bug to warrant removing 5.2.14-dfsg-1 from the repos.  I have to do selective upgrades now to avoid pulling it in. Unstable repo is called unstable for a reason. If you want a system that doesn't break, use stable (you

Bug#902897: virtualbox: fails to start vm (VERR_LDRELF_RELOCATION_NOT_SUPPORTED)

Control: severity -1 serious This bug affects me as well. I was not able to start any VMs because of this error. Raising the severity to prevent this from migrating to testing.

Bug#901409: Very low FPS in Nexuiz after Darkplaces upgrade

On 12.06.2018 22:28, Simon McVittie wrote: On Tue, 12 Jun 2018 at 21:27:06 +0300, Evgeny Kapun wrote: After I upgraded Darkplaces to version 0~20180412~beta1-2 (from 0~20140513+svn12208-7), Nexuiz slowed down to about 8 frames per second, which made it unplayable. With the previous version, I

Bug#901409: Very low FPS in Nexuiz after Darkplaces upgrade

Package: darkplaces Version: 0~20180412~beta1-2 Severity: important After I upgraded Darkplaces to version 0~20180412~beta1-2 (from 0~20140513+svn12208-7), Nexuiz slowed down to about 8 frames per second, which made it unplayable. With the previous version, I could get 30-40 FPS on most maps.

Bug#898660: Telegram can't connect to the servers

Package: telegram-desktop Version: 1.2.17-1 Severity: important Forwarded: https://github.com/telegramdesktop/tdesktop/issues/4652 Control: found -1 1.1.23-1~bpo9+1 There is an issue in Telegram Desktop which can make it impossible to connect to the servers [1]. This issue doesn't affect the

Bug#876644: Is this bug still reproducible?

Control: tags -1 - moreinfo On 15.03.2018 18:49, Lisandro Damián Nicanor Pérez Meyer wrote: OK. Do you have qt5ct installed? if not, can you try and install it? I want to be sure this is a bug somewhere and not just the lack of the proper QPA. The bug is still reproducible, even if I install

Bug#876644: Is this bug still reproducible?

Control: tags -1 - moreinfo Control: found -1 5.9.2+dfsg-12 On 14.03.2018 22:25, Lisandro Damián Nicanor Pérez Meyer wrote: Hi! Can you still reproduce this bug with current Debian testing? Hi! This bug is still reproducible with version 5.9.2+dfsg-12.

Bug#890999: VirtualBox modules built against headers version 4.14.17-1 cannot be loaded by kernel version 4.14.13-1: Unknown symbol __x86_indirect_thunk_r15 (err 0)

Package: linux-headers-4.14.0-3-amd64 Version: 4.14.17-1 When I build VirtualBox kernel modules using linux-headers-4.14.0-3-amd64 version 4.14.17-1, the resulting modules can't be loaded using linux-image-4.14.0-3-amd64 version 4.14.13-1. When I build the same modules using headers version

Bug#890479: pytz can't find any time zones

Package: python3-tz Version: 2018.3-1 Severity: grave After upgrade to version 2018.3-1: >>> import pytz >>> pytz.all_timezones [] This is caused by this line in /usr/lib/python3/dist-packages/pytz/__init__.py: filename = os.path.join('usr','share'

Bug#852146: Changing board size while game window is maximized results in clipped output

Control: tags -1 fixed-upstream This is fixed upstream: https://git.tartarus.org/?p=simon/puzzles.git;a=commit;h=f03e8d30a038f740ea0bfe21474de5df69093893

Bug#560029: "new game" can't be undone

Control: tags -1 fixed-upstream This is fixed upstream: https://git.tartarus.org/?p=simon/puzzles.git;a=commit;h=b9b73adb53b3ffb09a2e8c9682351bf892634470

Bug#878281: python3-numpy shouldn't depend on both Python 3.5 and Python 3.6

That's how transitions for languages like python (and ruby, and others) are handled: 1) add support for the new version, and rebuild stuff to be able to run on multiple versions 2) switch the default version 3) drop support for the old version. You filed this bug while we were in the middle of

Bug#878281: python3-numpy shouldn't depend on both Python 3.5 and Python 3.6

Package: python3-numpy Version: 1:1.13.1-1 Currently, package python3-numpy depends on packages python3.5 and python3.6. As a result, to install python3-numpy, it is necessary to install both Python 3.5 and Python 3.6. To use python3-numpy, just one version of Python is enough, and a

Bug#876644: System tray icons are shown without transparency

On 24.09.2017 16:58, Dmitry Shachnev wrote: Hi Evgeny! On Sun, Sep 24, 2017 at 01:22:56PM +0300, Evgeny Kapun wrote: When an application using Qt 5 has a system tray icon, areas of the icon that should be transparent are black instead. For me, this affects GoldenDict (after it was changed

Bug#876644: System tray icons are shown without transparency

Package: libqt5widgets5 Version: 5.9.1+dfsg-9 When an application using Qt 5 has a system tray icon, areas of the icon that should be transparent are black instead. For me, this affects GoldenDict (after it was changed to use Qt 5 instead of Qt 4) and VLC.

Bug#876565: ImageMagick crashes (assertion failure) when opening a malformed image file

Package: imagemagick-6.q16 Version: 8:6.9.7.4+dfsg-16 An image that causes the crash is attached. $ identify image.png identify: ../../magick/quantum.c:216: DestroyQuantumInfo: Assertion `quantum_info != (QuantumInfo *) NULL' failed. Aborted

Bug#876563: Some icons are broken

Package: keepassx Version: 2.0.3-1 Some icon files shipped with KeePassX are not valid image files, and therefore not displayed. I found these broken files: /usr/share/keepassx/icons/database/C08_Socket.png /usr/share/keepassx/icons/database/C39_History.png

Bug#876545: src.zip is placed in a wrong directory

Package: openjdk-9-source Version: 9~b181-4 The file src.zip is placed into the directory /usr/lib/jvm/openjdk-9/lib, but should be placed into the directory /usr/lib/jvm/openjdk-9. Or, the symlink /usr/lib/jvm/java-9-openjdk-amd64/src.zip should be changed to point to the correct file

Bug#873254: classes.jsa is not removed on package uninstall

Package: openjdk-9-jre-headless Version: 9~b181-4 File /usr/lib/jvm/java-9-openjdk-amd64/lib/server/classes.jsa is created by postinst script and not removed when the package is uninstalled.

Bug#862917: Warzone 2100 3.2 campaign is buggy and unplayable. Debian should package version 3.1 until this is resolved

Debian version is affected. Another possibility is to take script files from version 3.1 and use them with version 3.2, but that would require some patching. As to why the bugs are not reported here, it is possible that the users don't want to bother Debian maintainer with bugs that affect

Bug#862973: Package Warzone 2100 videos

Package: warzone2100 Version: 3.2.1-2 Severity: wishlist There are videos in Warzone 2100, which are not packaged in Debian. Currently, users who wish to have those videos need to download and install them manually, which is cumbersome. The purpose of Debian archive is to make it easy for

Bug#862917: Warzone 2100 3.2 campaign is buggy and unplayable. Debian should package version 3.1 until this is resolved

Package: warzone2100 Version: 3.2.1-2 Severity: important Starting from version 3.2, campaign scripts in Warzone 2100 are being rewritten in JavaScript [1]. As a result, they now have lots of bugs (some examples: [2], [3], [4]), making the campaign more or less unplayable. Because the

Bug#860420: Secrets of the Ancients campaign is not packaged

Source: wesnoth-1.13 Version: 1:1.13.7-1 Secrets of the Ancients is a new mainline campaign added to Wesnoth in version 1.13.7 [1]. It needs to be included in a Debian package. [1] https://raw.githubusercontent.com/wesnoth/wesnoth/1.13.7/players_changelog

Bug#857639: Generated README file is bad

Package: python3-afl Version: 0.5.5-1 Package python3-afl includes a README file (located at /usr/share/doc/python3-afl/README), which is generated from README.rst. Because of the way it is generated, it is missing important parts (specifically, snippets of source code) and is therefore

Bug#855228: icedove -> thunderbird transition: /etc/icedove is not removed

Package: thunderbird Version: 1:45.6.0-3 After upgrading from Icedove to Thunderbird, I found that /etc/icedove directory is not removed. Here is what is left there: $ ls -laR /etc/icedove /etc/icedove: total 20 drwxr-xr-x 3 root root 4096 Feb 15 18:09 . drwxr-xr-x 144 root root 12288 Feb

Bug#853877: golang-1.7-doc doesn't provide godoc command

Package: golang-1.7-doc Version: 1.7.4-1 The description of package golang-1.7-doc says: You can view the formatted documentation by running "godoc--http=:6060", and then visiting http://localhost:6060/doc/install.html. However, this package doesn't in fact provide "godoc" command.

Bug#845555: lxpanel: battery monitor no longer working

In version 0.9.3-1, the remaining time is shown correctly. There is still a minor glitch: if battery charge level is 100%, the remaining time is not shown. I think that this is due to this check [1]. I think that this check is wrong. I think the right check would be "lx_b->b->seconds >= 0"

Bug#852146: Changing board size while game window is maximized results in clipped output

Package: sgt-puzzles Version: 20161228.7cae89f-1 In many games (such as Loopy, Palisade, Slant), it is possible to select different sizes of the game board (using Type menu). However, if this is done while game window is maximized, the result won't look right (usually, only the top level

Bug#845555: Time left not shown

On 04.01.2017 22:37, Andriy Grytsenko wrote: Confirming, the fix is not complete. I wonder why it takes them so much time to implement such a simple calculation (they have the amount of energy remaining and the power consumption, dividing one by the other yields the remaining time).

Bug#845555: Time left not shown

Control: reopen -1 Confirming, the fix is not complete. I wonder why it takes them so much time to implement such a simple calculation (they have the amount of energy remaining and the power consumption, dividing one by the other yields the remaining time).

Bug#845926: Cannot install package openbox-lxde-session: trying to overwrite '/etc/xdg/lxsession/LXDE/autostart', which is also in package lxde-common 0.99.2-1

Control: reassign -1 lxde-common On 27.11.2016 03:52, Andriy Grytsenko wrote: I believe it's some dpkg error, just look at list of files in lxde-common package at https://packages.debian.org/sid/all/lxde-common/filelist: /etc/xdg/lxpanel/LXDE/config /etc/xdg/lxpanel/LXDE/panels/panel

Bug#845926: Cannot install package openbox-lxde-session: trying to overwrite '/etc/xdg/lxsession/LXDE/autostart', which is also in package lxde-common 0.99.2-1

Package: openbox-lxde-session Version: 0.99.2-1 Severity: grave When trying to install openbox-lxde-session package, dpkg fails with an error message: dpkg: error processing archive .../openbox-lxde-session_0.99.2-1_all.deb (--unpack): trying to overwrite

Bug#843492: add bash completion for apt-mark

Package: bash-completion Version: 1:2.1-4.3 Severity: wishlist There are already bash completions for apt-get and apt-cache commands. I propose adding completion for apt-mark command as well.

Bug#842292: libnss3: re-enable SSLKEYLOGFILE support

Package: libnss3 Version: 2:3.26-2 Severity: wishlist In previous versions of libnss, it was possible to use SSLKEYLOGFILE environment variable to save session keys to a file. Since version 3.24, this is disabled by default at compile time [1]. I think that SSLKEYLOGFILE support should be

Bug#827517: [Pkg-mozext-maintainers] Bug#827517: Bug#827517: xul-ext-ublock-origin: Missing icons in uBlock's popup UI

On 02.10.2016 07:41, Sean Whitton wrote: Thanks for this feedback. Unfortunately, installing an absolute symlink does not make the problem disappear for firefox-esr, contrary to various reports in this thread. That's because /usr/share/fonts-font-awesome/fonts/fontawesome-webfont.ttf is also

Bug#838787: libboost1.61-doc doesn't contain the actual documentation

Package: libboost1.61-doc Version: 1.61.0+dfsg-2.1 The package libboost1.61-doc is supposed to include Boost documentation. It doesn't. All I can see in /usr/share/doc/libboost1.61-doc/HTML is a symlink to /usr/include/boost. There are some HTML files in

Bug#827517: [Pkg-mozext-maintainers] Bug#827517: xul-ext-ublock-origin: Missing icons in uBlock's popup UI

This bug looks similar to bug #819900. That bug was caused by faulty handling of symlinks by Firefox, which Mozilla refuses to fix [1]. There is a simple workaround: use an absolute symlink instead of a relative one. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1286634

Bug#819900: Configuration page doesn't work on Firefox 45.0.1

Control: tags -1 - upstream Looks like the problem is caused by the file being not found. This file is located at /usr/share/xul-ext/requestpolicy/content/settings/jquery.min.js, and it is a symbolic link. The real location of this file is /usr/share/javascript/jquery/jquery.min.js.

Bug#828705: Linux kernel update creates redundant symlinks

On 27.06.2016 15:45, Ben Hutchings wrote: Control: tag -1 wontfix On Mon, 2016-06-27 at 15:20 +0300, Evgeny Kapun wrote: On 27.06.2016 15:03, Ben Hutchings wrote: Doesn't lilo fail if a file specified in its configuration is missing? Ben. LILO has an "optional" option which mak

Bug#828705: Linux kernel update creates redundant symlinks

On 27.06.2016 15:03, Ben Hutchings wrote: Doesn't lilo fail if a file specified in its configuration is missing? Ben. LILO has an "optional" option which makes it skip an entry if either the kernel or the initrd file is missing (or is a broken link).

Bug#828705: Linux kernel update creates redundant symlinks

On 27.06.2016 11:51, Ben Hutchings wrote: Control: reassign -1 linux-base 4.3 Control: tag -1 moreinfo On Mon, 2016-06-27 at 03:59 +0300, Evgeny Kapun wrote: Package: linux-image-4.6.0-1-amd64 Version: 4.6.2-2 When updating the package linux-image-4.6.0-1-amd64 from version 4.6.2-1 to version

Bug#828705: Linux kernel update creates redundant symlinks

Package: linux-image-4.6.0-1-amd64 Version: 4.6.2-2 When updating the package linux-image-4.6.0-1-amd64 from version 4.6.2-1 to version 4.6.2-2, post-install script printed this: I: /vmlinuz.old is now a symlink to boot/vmlinuz-4.6.0-1-amd64 I: /initrd.img.old is now a symlink to

Bug#826059: java may crash when loading a class named java

Package: openjdk-8-jre-headless Version: 8u91-b14-2 Tags: patch JVM may crash when trying to load a class named "java" in default package. How to reproduce: * Create a file named "java.java" with content "class java{}". * Compile it: `javac java.java'. * Try to run it: `java -cp "$PWD" java'.

Bug#825022: man pages for *xattr syscalls are missing from manpages-dev

Package: manpages-dev Version: 4.06-1 Linux man-pages project has pages about *xattr syscalls, like this [1]. However, they are not present in manpages-dev package for some reason. I think this is a bug. [1] http://man7.org/linux/man-pages/man2/getxattr.2.html

Bug#800581: goldendict: CPU usage is more than expected

From the official bug tracker [1], I found that such behavior can be caused by full-text search indexing. And what? As soon as I went to settings and disabled full-text search, CPU usage dropped to zero. Moreover, while dictionaries are being indexed for full-text search, there is a label at

Bug#819900: Configuration page doesn't work on Firefox 45.0.1

Package: xul-ext-requestpolicy Version: 1.0.0~beta11.1+dfsg-1 Severity: important On Firefox 45.0.1, the configuration page (about:requestpolicy) doesn't open. As a result, it is not possible to configure the extension.

Bug#791982: New upstream games

Any updates? Currently packaged version is more than 18 months old, which is probably old enough to update it.

Bug#812110: KeePassX 0.4 and KeePassX 2.0 should be in different packages

On 05.02.2016 00:13, Felix Geyer wrote: On 20.01.2016 19:53, Evgeny Kapun wrote: I think most tools support the .kdbx format by now so shipping just one version seems like the right choice to me. The problem is that if the same database is used on multiple machines, they must be all

Bug#812950: xul-ext-requestpolicy doesn't work in Iceweasel 44.0

Package: xul-ext-requestpolicy Version: 1.0.0~beta10+dfsg-1 Severity: grave After I updated Iceweasel to version 44.0, RequestPolicy stopped working. Requests are not blocked and there is no toolbar button. It is still listed as enabled on about:addons, but it behaves as if it were not

Bug#812143: Wide character in print at /usr/bin/ts line 126, <> line 1.

On 22.01.2016 09:01, Nicolas Schier wrote: Dear Evgeny, I can get rid of the 'Wide character...' warning by adding the line use open ':locale'; (cp. attached patch). Could you please check whether this is sufficient for you? Unfortunately, the 'ts -r' does not work for ru_RU.*...

Bug#812143: Wide character in print at /usr/bin/ts line 126, <> line 1.

could you please supply your locale settings (the output of 'locale') and an example of a 'ts' output line? $ locale LANG=ru_RU.UTF-8 LANGUAGE= LC_CTYPE="ru_RU.UTF-8" LC_NUMERIC="ru_RU.UTF-8" LC_TIME="ru_RU.UTF-8" LC_COLLATE="ru_RU.UTF-8" LC_MONETARY="ru_RU.UTF-8" LC_MESSAGES="ru_RU.UTF-8"

Bug#812110: KeePassX 0.4 and KeePassX 2.0 should be in different packages

Package: keepassx KeePassX 2.0, the new upstream version, stores password databases in a format incompatible with KeePassX 0.4. As a result, some users may prefer to keep the old version for interoperability. However, because Debian package for KeePassX 2.0 uses the same name as KeePassX 0.4,

Bug#812120: update-initramfs fails if busybox is not installed

Package: initramfs-tools-core Version: 0.121 If I try to run update-initramfs while busybox is not installed, I get an error message: E: busybox is required but not installed E: /usr/share/initramfs-tools/hooks/busybox failed with return 1. This happens irrespective of the BUSYBOX

Bug#812120: update-initramfs fails if busybox is not installed

On 20.01.2016 22:41, Ben Hutchings wrote: On Wed, 2016-01-20 at 22:21 +0300, Evgeny Kapun wrote: Package: initramfs-tools-core Version: 0.121 If I try to run update-initramfs while busybox is not installed, I get an error message: E: busybox is required but not installed E: /usr

Bug#812120: update-initramfs fails if busybox is not installed

On 21.01.2016 01:16, Ben Hutchings wrote: Control: reassign -1 cryptsetup Control: forcemerge 783297 -1 On Thu, 2016-01-21 at 00:56 +0300, Evgeny Kapun wrote: On 20.01.2016 22:41, Ben Hutchings wrote: On Wed, 2016-01-20 at 22:21 +0300, Evgeny Kapun wrote: Package: initramfs-tools-core

Bug#812143: Wide character in print at /usr/bin/ts line 126, <> line 1.

Package: moreutils Version: 0.57-1 After I upgraded Perl to version 5.22, ts started printing a warning before every line, like this: Wide character in print at /usr/bin/ts line 126, <> line 1. This is annoying.

Bug#807107: ssh: doesn't support SSH protocol version 1

Package: openssh-client Version: 1:7.1p1-1 After the last update, ssh can't use SSH protocol version 1. Moreover, if "Protocol 1" option appears anywhere in ssh_config file, ssh will not work at all. Unfortunately, there are still SSH servers which don't support protocol version 2.

Bug#804479: NumPy reference is broken

Package: python-numpy-doc Version: 1:1.9.2-5 Severity: important Many of the pages in NumPy reference are missing most of the content, like this [1]. Look how this page is supposed to look like [2]. [1]: /usr/share/doc/python-numpy-doc/html/reference/routines.set.html [2]:

Bug#799123: Debug::pkgAcquire::Worker output is percent-encoded incorrectly

The precent encoding is done on characters, not on bytes. That's not correct. On UTF-8 locales, each byte is encoded separately. I presume you are trying this on an amd64 machine, which has a signed char, so the valid range is from -128 (or -127) to 127 only. I am a bit at a lost here as I

Bug#802427: "async" and "await" keywords are not highlighted as such

Package: python3.5-doc Version: 3.5.0-3 Severity: minor In Python 3.5, two new keywords were added: async and await. However, in the code examples in the documentation, they are not highlighted as keywords.

Bug#800581: goldendict: CPU usage is more than expected

Same for me. Here is a backtrace from the thread which is doing it: #0 0x77bcd3e8 in inflate () at /lib/x86_64-linux-gnu/libz.so.1 #1 0x77bd11d5 in uncompress () at /lib/x86_64-linux-gnu/libz.so.1 #2 0x00512c38 in BtreeIndexing::BtreeIndex::readNode(unsigned int,

Bug#801326: embedded web browser used to display cards is insecure

Package: anki Version: 2.0.32+dfsg-1 Tags: security In Anki, cards [1] are formatted using HTML and displayed using a web browser control. That browser is not appropriately restricted, for example: * Script execution is permitted. * Arbitrary file: URLs can be accessed. * Arbitrary http: and

Bug#799124: apt should print details about ignored errors

Package: apt Version: 1.1~exp12 Severity: wishlist Sometimes, APT ignores errors. For example, if there is an error while downloading Packages.xz, APT may ignore it and try to download Packages.gz instead. Currently, it is not easy to obtain the error message for such errors, which makes

Bug#799123: Debug::pkgAcquire::Worker output is percent-encoded incorrectly

Package: apt Version: 1.1~exp12 Severity: minor Debug::pkgAcquire::Worker option causes APT to produce debug output, some of which is percent-encoded. Bytes with values greater than or equal to 128 are encoded incorrectly: for example, the value 128 should be encoded as %80, but is actually

Bug#799121: local repository in non-world-readable directory doesn't work

Package: apt Version: 1.1~exp12 I'm using APT with a local repository configured with a file: URI. Also, the directory containing the repository is not world-readable. This works fine with APT 1.0, but not with APT 1.1. I found that APT 1.1 runs some of its helper programs under a restricted

Bug#674671: [icedove] Subject and message use different languages with spell checking

This issue is not gone. Steps to reproduce: 1. Create a new message. 2. Click on subject line text box. 3. Open context menu and select some spell checker language. 4. Click on message text area. 5. Open context menu and select a different spell checker language. 6. Click on subject line again.

Bug#674671: [icedove] Subject and message use different languages with spell checking

On 20.07.2015 14:29, Carsten Schoenert wrote: On Mon, Jul 20, 2015 at 10:40:48AM +0300, Evgeny Kapun wrote: This issue is not gone. Steps to reproduce: 1. Create a new message. 2. Click on subject line text box. 3. Open context menu and select some spell checker language. 4. Click on message

Bug#789299: ImportError when trying to import gumbo

Package: python3-gumbo Version: 0.10.1+dfsg-1 Severity: grave When trying to import gumbo, I get ImportError: import gumbo Traceback (most recent call last): File stdin, line 1, in module File /usr/lib/python3/dist-packages/gumbo/__init__.py, line 33, in module from gumbo.gumboc import

Bug#769706: florence: Crashes on openbox, as any buuton s pressed by mouse.

I found that it crashes if at-spi-bus-launcher is not running. This may happen if package at-spi2-core is not installed. I think that florence should depend on at-spi2-core, as it doesn't seem to work without it. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a

Bug#776176: doc-rfc is outdated

Package: doc-rfc Severity: wishlist The latest version of doc-rfc package is dated February 2012. It's almost three years since then, and more than 900 more RFCs has been published during this period. I think that this package needs an update, and that it should be updated at least every few

Bug#762889: apt-get should ignore cached data in case of invalid signature or hash mismatch

Package: apt Version: 0.9.7.9+deb7u1 Tags: security When running `apt-get update`, I noticed that it couldn't update some of the lists because of invalid signatures (BADSIG). This happens most frequently when `Release` files don't correspond to `Release.gpg`. I thought that it might be some

Bug#762891: apt-get clean should also clean /var/lib/apt/lists/partial

Package: apt Version: 1.0.9.1 Severity: wishlist Currently, `apt-get clean` only cleans /var/cache/apt/archives and /var/cache/apt/archives/partial. I think that it should also clean /var/lib/apt/lists/partial. Files located there are unverified, and having wrong files there may prevent

Bug#762889: apt-get should ignore cached data in case of invalid signature or hash mismatch

We verify the data before moving it to the final directory. If it is there, it is either valid, or we have no key for it, or it is unsigned (the latter two will disappear / be disabled at some point I think). We had some issues where that validation succeeded where it should not (for

Bug#762650: LXPanel doesn't reserve space on screen anymore

Package: lxpanel Version: 0.7.1-1 LXPanel has an option to reserve space on screen for a panel, so that it is not used by maximized windows. After an update from version 0.7.0-1 to 0.7.1-1, this option stopped working. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org

Bug#760561: Output redirection lets local users overwrite any file writable by the caller

Package: tribler Version: 6.2.0+git20130731.149555fa-2 Tags: security The script /usr/bin/tribler redirects its output to /tmp/$USER-tribler.log. If an attacker creates a symlink with this name pointing to one of the user's files, this file would be overwritten. The safe way to create a file

Bug#760569: Virtualbox lets any user mess with system's network configuration

Package: virtualbox Version: 4.3.14-dfsg-1 Tags: security Virtualbox lets any local user create and configure network interfaces (vboxnet*), and also send and receive traffic through them. It also lets users bridge their VMs to other network interfaces. Normally, such operations are reserved

Bug#760574: Access to Virtualbox should be limited to a group of users

Package: virtualbox Version: 4.3.14-dfsg-1 Tags: security Virtualbox has a lot of code. Virtualbox has five setuid root binaries and four kernel modules. Virtualbox has a large attack surface. And yet any user can run Virtualbox. Not just real users, but also accounts used for running web

Bug#756334: Configure script downloads files from the Internet

Package: hoogle Version: 4.2.33-1+b1 Severity: critical Tags: security During configuration, hoogle postinst script attempts to download a file from the URL http://hackage.haskell.org/packages/hoogle.tar.gz and subsequently unpack it. Moreover, the integrity of this file is not verified. This

Bug#707006: [nik...@gmail.com: Live CD keys missing from key server]

06.04.2014 04:02, Jonathan McDowell wrote: You're making an assumption that the key on the filesystem at /usr/share/keyrings/debian-role-keys.gpg is the right one, which relies on a whole extra chain of trust which I referred to above. If the keys are in

Bug#707006: [nik...@gmail.com: Live CD keys missing from key server]

02.04.2014 07:45, Jonathan McDowell wrote: I don't actually think it's appropriate that this key lives in the debian-role-keys keyring (and in general I think that keyring needs to go away). The key should be present on the public keyserver network; keyring.debian.org does not attempt to

Bug#707006: [nik...@gmail.com: Live CD keys missing from key server]

03.04.2014 00:50, Jonathan McDowell wrote: Public keyservers aren't expected to provide verification of key authenticity. The signatures on the keys themselves do that. The Debian Live CD key is signed by Daniel, whose key is then signed by many other DDs (and present in the debian-keyring

Bug#741678: It is possible to use live user account to log in via SSH

Package: live-config Version: 4.0~alpha31-1 Severity: important Tags: security By default, live-config creates a user with known name (user) and password (live). In live images with included openssh-server, this means that anyone can log into a live system immediately once it connects to a

Bug#741678: It is possible to use live user account to log in via SSH

I think that it is wrong if anyone on the same network can log into a live system and get full access to it. If a user connects, say, to a Wi-Fi network to download something, he doesn't expect his computer to become open to everyone. Currently, it is necessary to change the password before

Bug#741678: It is possible to use live user account to log in via SSH

It is never mentioned in debian-live documentation that it is unsafe to connect to untrusted networks from a live system. If this is intended, it should be said clearly. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact

  1   2   >