Bug#1053296: RFS: kcollectd/0.12.1-1 -- simple collectd graphing front-end for KDE

2023-09-30 Thread Antonio Russo
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "kcollectd":

 * Package name : kcollectd
   Version  : 0.12.1-1
   Upstream contact : Antonio Russo 
 * URL  : https://www.antonioerusso.com/projects/kcollectd
 * License  : GFDL-1.3+, PUBLIC-DOMAIN, GPL-3+
 * Vcs  : https://salsa.debian.org/qt-kde-team/extras/kcollectd
   Section  : utils

The source builds the following binary packages:

  kcollectd - simple collectd graphing front-end for KDE

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/kcollectd/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/k/kcollectd/kcollectd_0.12.1-1.dsc

Changes since the last upload:

 kcollectd (0.12.1-1) unstable; urgency=medium
 .
   * New upstream release 0.12.1.
  - Align translations with source code (Closes: #1048793)
   * Bump Standards-Version to 4.6.2, no changes required.

Best,
Antonio Russo


Bug#1053295: golang-ginkgo: dropped transitional package golang-ginkgo-dev, which is still used

2023-09-30 Thread Paul Wise
Source: golang-ginkgo
Version: 1.16.5-4
Severity: serious

golang-ginkgo is failing to migrate to testing, because it dropped the
transitional package golang-ginkgo-dev, which makes a lot of golang
packages uninstallable, because they haven't migrated to the new
package golang-github-onsi-ginkgo-dev yet. The britney log indicates
the src/bin packages with newly uninstallable Depends/Build-Depends
and the ftp-master cruft report confirms the problems in more detail.

https://release.debian.org/britney/update_output.txt
https://release.debian.org/doc/britney/short-intro-to-migrations.html#debugging-failed-migration-attempts
https://ftp-master.debian.org/cruft-report-daily.txt

Probably the solution to this is for golang-github-onsi-ginkgo-dev to
add Provides: golang-ginkgo-dev so it doesn't have to go through NEW.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Bug#1051613: linux-image-6.1.0-12-amd64: 6.1.0-12 breaks loading DVB ddbridge module and others

2023-09-30 Thread s3phy

Hello,

On Tue, 26 Sep 2023 06:54:43 +0200 Salvatore Bonaccorso wrote:

> The next point release is scheduled on 7th October, meaning that the
> kernel needs to be uploaded to the stable-proposed-updates queue the
> weekend before (and testing from there would be very welcome).

I can confirm that updating my kernel to 
linux-image-6.1.0-13-amd64-unsigned from proposed-updates did fix the 
bug for me.


Thank you very much.



Bug#1053294: RFP: auto-cpufreq -- Automatic CPU speed & power optimizer

2023-09-30 Thread Antoine Beaupre
Package: wnpp
Severity: wishlist
X-Debbugs-Cc: Adnan Hodzic 

* Package name: auto-cpufreq
  Version : 2.0.0
  Upstream Contact: Adnan Hodzic 
* URL : https://github.com/AdnanHodzic/auto-cpufreq
* License : LGPL-3
  Programming Lang: Python
  Description : Automatic CPU speed & power optimizer

Automatic CPU speed & power optimizer for Linux, based on active
monitoring of a laptop's battery state, CPU usage, CPU temperature and
system load. Ultimately allowing you to improve battery life without
making any compromises.

Features:


 * Monitoring
   * Basic system information
   * CPU frequency (system total & per core)
   * CPU usage (system total & per core)
   * CPU temperature (total average & per core)
   * Battery state
   * System load
 * CPU frequency scaling, governor and turbo boost management based on
   * Battery state
   * CPU usage (total & per core)
   * CPU temperature in combination with CPU utilization/load (prevent overheating)
   * System load
 * Automatic CPU & power optimization (temporary and persistent)




I found this package through this post on Debian Planet:

https://foolcontrol.org/?p=4603

This is a tool similar to already existing tools in Debian,
specifically TLP. According to the auto-cpufreq author though:

> Using tools like TLP can help in this situation with extending
> battery life (which is something I used to do for numerous years),
> but it also might come with its own set of problems, like losing
> turbo boost.
>
> With that said, I needed a simple tool which would automatically
> make "cpufreq" related changes, save battery like TLP, but let Linux
> kernel do most of the heavy lifting. That's how auto-cpufreq was
> born.
>
> Please note: auto-cpufreq aims to replace TLP in terms of
> functionality and after you install auto-cpufreq it's recommended to
> remove TLP. If both are used for same functionality, i.e: to set CPU
> frequencies it'll lead to unwanted results like overheating. Hence,
> only use both tools in tandem if you know what you're doing.

So I'm not exactly clear on what the overlap between the two is, but I
do feel there's some room in this space for another option. TLP is
rather "heavy" in terms of the number of things it does, it's a rather
big pill to swallow, with all sorts of pitfalls...

I like the idea of having a simple, one-task-focused tool.

I do not currently have the cycles to evaluate this any further, but
would love to collaborate on further research when I have time.

Otherwise, if anyone is interested in pursuing this any further,
please go right ahead (but keep this bug in CC!).



Bug#1053292: bookworm-pu: package amd64-microcode/3.20230808.1.1~deb12u1

2023-09-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for AMD64 processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bookworm, a
separate one will be filed for Bullseye.

This fixes:
CVE-2023-20569 "AMD Inception" on AMD Zen4 processors

There are no relevant issues reported on this microcode update,
considering the version of amd64-microcode already available as security
updates for bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of some Zen4 processors will
depend on UEFI updates to be protected against CVE-2023-20569.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie, these
packages have been tested there since 2023-08-10 (sid), 2023-08-12
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other AMD microcode
updates.

Linux kernel updates related to these microcode update fixes are already
available in Bookworm and Bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 README |   15 +
 amd-ucode/README   |   13 +++
 amd-ucode/microcode_amd_fam19h.bin |binary
 amd-ucode/microcode_amd_fam19h.bin.asc |   16 +++---
 debian/NEWS|   15 +
 debian/changelog   |   37 +
 6 files changed, 88 insertions(+), 8 deletions(-)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next debian release.

-- 
  Henrique Holschuh

diff --git a/README b/README
index cd7c30b..798d2e7 100644
--- a/README
+++ b/README
@@ -8,6 +8,21 @@ the newest of either amd-ucode or amd-sev.
 
 latest commits in this release:
 
+commit f2eb058afc57348cde66852272d6bf11da1eef8f
+Author: John Allen 
+Date:   Tue Aug 8 19:02:39 2023 +
+
+linux-firmware: Update AMD cpu microcode
+
+* Update AMD cpu microcode for processor family 19h
+
+Key Name= AMD Microcode Signing Key (for signing microcode container files only)
+Key ID  = F328AE73
+Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+Signed-off-by: John Allen 
+Signed-off-by: Josh Boyer 
+
 commit 0bc3126c9cfa0b8c761483215c25382f831a7c6f
 Author: John Allen 
 Date:   Wed Jul 19 19:17:57 2023 +
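Review bot: the Key Fingerprint line added in this hunk documents the AMD Microcode Signing Key (F328AE73, fingerprint FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73), but nothing in the posted debdiff records that the replaced microcode_amd_fam19h.bin was actually verified against that key before import. For a stable update whose only functional change is a binary blob, please state the verification step (the gpg --verify result of microcode_amd_fam19h.bin.asc against this fingerprint, and the upstream commit f2eb058afc57 it was taken from) in debian/changelog, so that the blob can be traced back to the signed upstream release by anyone reviewing the upload.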
diff --git a/amd-ucode/README b/amd-ucode/README
index 1d39da3..fac1152 100644
--- a/amd-ucode/README
+++ b/amd-ucode/README
@@ -37,6 +37,19 @@ Microcode patches in microcode_amd_fam17h.bin:
   Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes
 
 Microcode patches in microcode_amd_fam19h.bin:
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
+
+NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
+either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
+required:
+a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too")
+
+When late loading the patches for Genoa or Bergamo, there may be one spurious
+NMI observed per physical core. These NMIs are benign and don't cause any
+functional issue but will result in kernel messages being logged.
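Review bot: the NOTE added at the end of this hunk makes late loading on Genoa (Model=0x11) and Bergamo (Model=0xa0) conditional on AGESA >= 1.0.0.8 or a kernel with a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too"), but the request body only says that "kernel updates related to these microcode update fixes are already available". Please name the bookworm kernel version that carries that commit in debian/changelog or debian/NEWS (the diffstat shows 15 lines added to NEWS, which are not in this excerpt), and make sure the spurious-NMI-per-physical-core warning from the last paragraph is in NEWS as well, since stable users will otherwise see unexplained kernel messages after the update. Minor: the four new Family=0x19 lines are inserted out of Model order (0x11 and 0xa0 before the existing 0x01 entries, with a second 0xa0 line at the end); sorting by Model/Stepping would keep future diffs readable.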
diff --git a/amd-ucode/microcode_amd_fam19h.bin b/amd-ucode/microcode_amd_fam19h.bin
index 50470c3..02a5d05 100644
Binary files a/amd-ucode/microcode_amd_fam19h.bin and b/amd-ucode/microcode_amd_fam19h.bin differ
diff --git a/amd-ucode/microcode_amd_fam19h.bin.asc b/amd-ucode/microcode_amd_fam19h.bin.asc
index a32b4d6..8cff901 100644
--- a/amd-ucode/microcode_amd_fam19h.bin.asc
+++ b/amd-ucode/microcode_amd_fam19h.bin.asc
@@ -1,11 +1,11 @@
 -BEGIN PGP SIGNATURE-
 
-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmS3F00ACgkQ5L5TOfMo
-rnNEhQgAizSV8IFpvaYNytaJKLA4uevrZneGPV4czjCXnnj1yHpfQmCTyZQnoLnx
-7gyzf7K5271zO51FBQ5z2Nm48a3XPUhMbQLNP4BZdekLiA3bRpMtSyHct6zD0ULm
-xaFaOQ7MR1tGADhlon1bDvtnOuixUhwrZhEIlR9MzQAzERKDMOAVTbxn9ZhMfYiT
-LhA791Blyyi+6Z9uh7BpaA8l8uvoxt+uuvlBTjQMR3ER/TEjgcsoy+XhhK4QKS0V
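Review bot: the hunk header announces 11 old and 11 new lines, but only four removed signature lines are visible and no "+" lines at all, so the debdiff as posted is truncated at the detached signature. Without the new .asc content the replacement signature cannot be checked against the key documented in README; please attach the complete debdiff, or quote the gpg --verify output for the new microcode_amd_fam19h.bin in the request.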

Bug#1053293: ghdl-llvm: Does not work, ghdl1-llvm not found

2023-09-30 Thread Andreas Bombe
Package: ghdl-llvm
Version: 3.0.0+dfsg-1
Severity: important

ghdl-llvm has become unusable with 3.0.0+dfsg-1. Running ghdl-llvm
immediately aborts with the message:

  /usr/bin/ghdl-llvm:error: installation problem: ghdl1-llvm not found

According to build logs, the testsuite for the LLVM build already fails
with the same message.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ghdl-llvm depends on:
ii  gcc          4:13.2.0-1
ii  ghdl-common  3.0.0+dfsg-1
ii  libc6        2.37-11
ii  libgcc-s1    13.2.0-4
ii  libgnat-12   12.3.0-9
ii  libllvm16    1:16.0.6-15
ii  libstdc++6   13.2.0-4
ii  zlib1g-dev   1:1.2.13.dfsg-3

ghdl-llvm recommends no packages.

ghdl-llvm suggests no packages.

-- no debconf information



Bug#1053291: libffi-platypus-perl: FTBFS on hppa - broken integer support

2023-09-30 Thread John David Anglin
Source: libffi-platypus-perl
Severity: normal
Tags: ftbfs

Dear Maintainer,

Various integer tests fail.  See build log:
https://buildd.debian.org/status/fetch.php?pkg=libffi-platypus-perl=hppa=2.08-1=1696034524=0

More details are available in this upstream issue:
https://github.com/PerlFFI/FFI-Platypus/issues/394

There is a partial fix but the t/type_sint64.t and t/type_uint64.t fail.
This might be due to incorrect casts.

Regards,
Dave Anglin

-- System Information:
Debian Release: trixie/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable')
Architecture: hppa (parisc64)

Kernel: Linux 6.1.55+ (SMP w/4 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)



Bug#1053290: bullseye-pu: package amd64-microcode/3.20230808.1.1~deb11u1

2023-09-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for AMD64 processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bullseye, a
separate one will be filed for Bookworm.

This fixes:
CVE-2023-20569 "AMD Inception" on AMD Zen4 processors

There are no relevant issues reported on this microcode update,
considering the version of amd64-microcode already available as security
updates for bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of some Zen4 processors will
depend on UEFI updates to be protected against CVE-2023-20569.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie, these
packages have been tested there since 2023-08-10 (sid), 2023-08-12
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other AMD microcode
updates.

Linux kernel updates related to these microcode update fixes are already
available in Bookworm and Bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 README |   15 +
 amd-ucode/README   |   13 +++
 amd-ucode/microcode_amd_fam19h.bin |binary
 amd-ucode/microcode_amd_fam19h.bin.asc |   16 ++---
 debian/NEWS|   15 +
 debian/changelog   |   38 +
 6 files changed, 89 insertions(+), 8 deletions(-)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next debian release.

-- 
  Henrique Holschuh
diff --git a/README b/README
index cd7c30b..798d2e7 100644
--- a/README
+++ b/README
@@ -8,6 +8,21 @@ the newest of either amd-ucode or amd-sev.
 
 latest commits in this release:
 
+commit f2eb058afc57348cde66852272d6bf11da1eef8f
+Author: John Allen 
+Date:   Tue Aug 8 19:02:39 2023 +
+
+linux-firmware: Update AMD cpu microcode
+
+* Update AMD cpu microcode for processor family 19h
+
+Key Name= AMD Microcode Signing Key (for signing microcode container files only)
+Key ID  = F328AE73
+Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+Signed-off-by: John Allen 
+Signed-off-by: Josh Boyer 
+
 commit 0bc3126c9cfa0b8c761483215c25382f831a7c6f
 Author: John Allen 
 Date:   Wed Jul 19 19:17:57 2023 +
diff --git a/amd-ucode/README b/amd-ucode/README
index 1d39da3..fac1152 100644
--- a/amd-ucode/README
+++ b/amd-ucode/README
@@ -37,6 +37,19 @@ Microcode patches in microcode_amd_fam17h.bin:
   Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes
 
 Microcode patches in microcode_amd_fam19h.bin:
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
+
+NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
+either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
+required:
+a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too")
+
+When late loading the patches for Genoa or Bergamo, there may be one spurious
+NMI observed per physical core. These NMIs are benign and don't cause any
+functional issue but will result in kernel messages being logged.
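Review bot: for this oldstable (bullseye) request the NOTE at the end of the hunk deserves an explicit statement: the bullseye kernel is older than bookworm's, so whether it contains a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too") decides whether late loading of the new Genoa/Bergamo patches is supported at all without an AGESA >= 1.0.0.8 firmware. Please record the bullseye kernel version that carries the commit in debian/changelog or debian/NEWS, together with the one-spurious-NMI-per-physical-core message from the final paragraph, so that bullseye users can tell an expected log line from a real fault.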
diff --git a/amd-ucode/microcode_amd_fam19h.bin b/amd-ucode/microcode_amd_fam19h.bin
index 50470c3..02a5d05 100644
Binary files a/amd-ucode/microcode_amd_fam19h.bin and b/amd-ucode/microcode_amd_fam19h.bin differ
diff --git a/amd-ucode/microcode_amd_fam19h.bin.asc b/amd-ucode/microcode_amd_fam19h.bin.asc
index a32b4d6..8cff901 100644
--- a/amd-ucode/microcode_amd_fam19h.bin.asc
+++ b/amd-ucode/microcode_amd_fam19h.bin.asc
@@ -1,11 +1,11 @@
 -BEGIN PGP SIGNATURE-
 
-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmS3F00ACgkQ5L5TOfMo
-rnNEhQgAizSV8IFpvaYNytaJKLA4uevrZneGPV4czjCXnnj1yHpfQmCTyZQnoLnx
-7gyzf7K5271zO51FBQ5z2Nm48a3XPUhMbQLNP4BZdekLiA3bRpMtSyHct6zD0ULm
-xaFaOQ7MR1tGADhlon1bDvtnOuixUhwrZhEIlR9MzQAzERKDMOAVTbxn9ZhMfYiT
-LhA791Blyyi+6Z9uh7BpaA8l8uvoxt+uuvlBTjQMR3ER/TEjgcsoy+XhhK4QKS0V
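Review bot: this .asc hunk is cut off after the removed lines (the header promises 11 old and 11 new lines, none of the "+" lines are shown), so the replacement detached signature for the bullseye upload cannot be reviewed from this message; please attach the complete debdiff, including the new signature block.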

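A defender-side check for the patch table that the two amd64-microcode requests above (bookworm and bullseye) document: an added Python example, not code from the amd64-microcode package or the Debian kernel team, that parses the Family/Model/Stepping lines from amd-ucode/README together with a /proc/cpuinfo dump, and reports whether the container carries a patch for that CPU, whether the running microcode level already matches the container's patch, and whether the Genoa/Bergamo late-load caveat from the README NOTE applies. The README excerpt and the cpuinfo dumps are constructed samples embedded inline.

```python
"""Compare a CPU's running microcode level against the amd-ucode/README table.

Added example, not part of amd64-microcode. The README_SAMPLE below is the
Family=0x19 table from the debdiff; the CPUINFO_* dumps are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PATCH_RE = re.compile(
    r"Family=(0x[0-9a-f]+)\s+Model=(0x[0-9a-f]+)\s+Stepping=(0x[0-9a-f]+):"
    r"\s+Patch=(0x[0-9a-f]+)\s+Length=(\d+) bytes", re.I)

# Models for which the README NOTE requires AGESA >= 1.0.0.8 or kernel commit
# a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too") for late loading.
LATE_LOAD_CAVEAT = {(0x19, 0x11): "Genoa", (0x19, 0xa0): "Bergamo"}

README_SAMPLE = """\
Microcode patches in microcode_amd_fam19h.bin:
  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes
  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes
  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes
  Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes
  Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes
  Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes
  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
"""

# Constructed /proc/cpuinfo excerpts (first processor block only).
CPUINFO_GENOA_OLD = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 17
model name\t: constructed sample, Family 19h Model 11h
stepping\t: 1
microcode\t: 0xa101111
"""
CPUINFO_MODEL01_CURRENT = """\
processor\t: 0
cpu family\t: 25
model\t\t: 1
stepping\t: 1
microcode\t: 0xa0011d1
"""
CPUINFO_UNLISTED = """\
processor\t: 0
cpu family\t: 25
model\t\t: 97
stepping\t: 2
microcode\t: 0xa601203
"""

Key = Tuple[int, int, int]


def parse_readme(text: str) -> Dict[Key, Tuple[int, int]]:
    """Map (family, model, stepping) -> (patch level, length) from README text."""
    table = {}
    for fam, model, step, patch, length in PATCH_RE.findall(text):
        table[(int(fam, 16), int(model, 16), int(step, 16))] = (int(patch, 16), int(length))
    return table


def parse_cpuinfo(text: str) -> Tuple[int, int, int, int]:
    """Return (family, model, stepping, running microcode level) of the first CPU."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break  # the first processor block is enough
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    # /proc/cpuinfo prints family/model/stepping in decimal and microcode in hex.
    return (int(fields["cpu family"]), int(fields["model"]),
            int(fields["stepping"]), int(fields["microcode"], 16))


@dataclass
class Verdict:
    covered: bool                 # container has a patch for this exact CPU
    container_patch: Optional[int]
    running_patch: int
    up_to_date: bool              # running level is at or above the container's
    late_load_note: Optional[str]


def check(table: Dict[Key, Tuple[int, int]], cpu: Tuple[int, int, int, int]) -> Verdict:
    fam, model, step, running = cpu
    entry = table.get((fam, model, step))
    if entry is None:
        return Verdict(False, None, running, False, None)
    patch = entry[0]
    note = None
    name = LATE_LOAD_CAVEAT.get((fam, model))
    if name:
        note = (f"{name}: late loading needs AGESA >= 1.0.0.8 or kernel commit "
                f"a32b0f0db3f3; expect one benign spurious NMI per physical core")
    # The kernel only applies a patch whose level exceeds the running one, so a
    # running level >= the container's means this update (or a newer BIOS one) is in effect.
    return Verdict(True, patch, running, running >= patch, note)


if __name__ == "__main__":
    table = parse_readme(README_SAMPLE)
    for name, dump in (("genoa-old", CPUINFO_GENOA_OLD),
                       ("model01-current", CPUINFO_MODEL01_CURRENT),
                       ("unlisted", CPUINFO_UNLISTED)):
        print(name, check(table, parse_cpuinfo(dump)))
```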
Bug#1053276: polyphone: update d/watch

2023-09-30 Thread Thorsten Glaser
Hello Patrice,

>Here is a suggested patch for this.

for this what? Is there a problem with the watch file,
other than the usual github changed their links one?

I’ve had a fix for the latter in another package of mine
for a long time already but hadn’t had uploaded polyphone
yet. I guess I should probably do that some time. I have
committed the fixed d/watch file now.

Is there anything you still think needs changing?

I don’t like these @magicstring@ thingies very much and
would prefer to not apply them.

Thanks,
//mirabilos
-- 
 you introduced a merge commit│ % g rebase -i HEAD^^
 sorry, no idea and rebasing just fscked │ Segmentation
 should have cloned into a clean repo  │  fault (core dumped)
 if I rebase that now, it's really ugh │ wuahh



Bug#1053289: libzypp FTBFS on slower buildds: 87 - EvDownloader_test (Failed)

2023-09-30 Thread Adrian Bunk
Source: libzypp
Version: 17.31.15-1
Severity: serious
Tags: ftbfs

https://buildd.debian.org/status/logs.php?pkg=libzypp=mips64el
https://buildd.debian.org/status/logs.php?pkg=libzypp=riscv64
https://buildd.debian.org/status/logs.php?pkg=libzypp=alpha

...
87: Test command: 
/<>/obj-riscv64-linux-gnu/tests/zyppng/media/EvDownloader_test 
"--catch_system_errors=no"
87: Working Directory: /<>/obj-riscv64-linux-gnu/tests/zyppng/media
87: Test timeout computed to be: 1000
87: Running 100 test cases...
87: ./tests/zyppng/media/EvDownloader_test.cc(465): fatal error: in 
"test1/_4": critical check startedDownloads == expectedDownloads has failed [11 
!= 10]
87: Failure occurred in a following context:
87: elem = MirrorSet{ All good mirrors }; withSSL = true; maxDLs = 10; 

87: ./tests/zyppng/media/EvDownloader_test.cc(465): fatal error: in 
"test1/_5": critical check startedDownloads == expectedDownloads has failed [11 
!= 10]
87: Failure occurred in a following context:
87: elem = MirrorSet{ All good mirrors }; withSSL = true; maxDLs = 15; 

87: 
87: *** 2 failures are detected in the test module "Master Test Suite"
87: 
87/91 Test #87: EvDownloader_test ***Failed  206.11 sec
...
The following tests FAILED:
 87 - EvDownloader_test (Failed)
Errors while running CTest
Output from these tests are in: 
/<>/obj-riscv64-linux-gnu/tests/Testing/Temporary/LastTest.log
Use "--rerun-failed --output-on-failure" to re-run the failed cases verbosely.
make[4]: *** [tests/CMakeFiles/ctest.dir/build.make:73: tests/CMakeFiles/ctest] 
Error 8


The pattern where it fails correlates strongly with buildd speed,
like a cutoff regarding minimum speed required.

The number of times this assert triggers, and the numbers in the assert,
differ in different builds.

This failure is also frequently seen in reproducible builds.

The error sounds like a race condition, like an assumption that everything that
had been started more than $time ago is already finished, which is only true
with a certain minimum speed of the buildd.



Bug#1053288: crontab -l became unreadable

2023-09-30 Thread Harald Dunkel

Package: cron
Version: 3.0pl1-175

I am using a dark desktop theme. Problem is, since #813614 the output
of crontab -l is unreadable due to lack of contrast, esp. the comment
lines. Apparently crontab -l changes the foreground color to dark blue,
but ignores the background color provided by the terminal application
using the dark theme. Doesn't seem reasonable to me. Either define
both foreground and background, or don't mess up the colors.

In Debian 12 crontab -l was fine.


Regards
Harri



Bug#967818: xboard: depends on deprecated GTK 2

2023-09-30 Thread Bastian Germann

I have fixed this in git by building the Xaw backend.
As I am not very familiar with xboard, can somebody please verify
that one can still use it in all the ways as the gtk version?



Bug#1052210: lxappearance: segfault after upgrade to lxappearance 0.6.3-3

2023-09-30 Thread 10dmar10
>@10dmar10
>Do you have lxappearance-obconf installed too? If yes, have you tried removing
>it?

lxappearance and lxappearance-obconf are installed on my system as a
required dependency of lxde.
Removing lxappearance-obconf would break lxde, I would prefer not to do that...

>And if possible, please open a new bug report there, with grave severity. The
>patch is already available, so it won't be much work of fixing the package.

Done: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053287



Bug#1053287: lxappearance-obconf: segfault in lxappearance since upgrade to gtk3(?)

2023-09-30 Thread 10dmar10
Package: lxappearance-obconf
Version: 0.2.3-2
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: 10dma...@gmail.com

Hi,

it seems since the last upgrade from 0.2.3-1 to 0.2.3-2 this package is
causing a segfault in lxappearance.

see also:
attached gdb backtrace text file
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052210


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.5-wwa (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxappearance-obconf depends on:
ii  libc6                2.37-10
ii  libcairo2            1.18.0-1
ii  libgdk-pixbuf-2.0-0  2.42.10+dfsg-1+b1
ii  libglib2.0-0         2.78.0-2
ii  libgtk-3-0           3.24.38-5
ii  libobrender32v5      3.6.1-11
ii  libobt2v5            3.6.1-11
ii  libx11-6             2:1.8.6-1
ii  libxml2              2.9.14+dfsg-1.3

lxappearance-obconf recommends no packages.

lxappearance-obconf suggests no packages.

-- no debconf information
Starting program: /usr/bin/lxappearance 

Thread 1 "lxappearance" received signal SIGSEGV, Segmentation fault.
0x76cf6564 in cairo_surface_get_content () from 
/lib/x86_64-linux-gnu/libcairo.so.2
#0  0x76cf6564 in cairo_surface_get_content () at 
/lib/x86_64-linux-gnu/libcairo.so.2
#1  0x77eede3f in gdk_pixbuf_get_from_surface () at 
/lib/x86_64-linux-gnu/libgdk-3.so.0
#2  0x7460806c in preview_menu (theme=0x555de8b0) at 
src/preview.c:152
title_text = 
dpy = 0x55577d40
title_h = 25
selected = 0x55ad0a40
surface = 0x555fa170
width = 77
x = 1
tw = 2
th = 18
bw = 
bh = 22
unused = 51
normal = 0x55ad0930
disabled = 0x55ad0b50
bullet = 0x55ad0d70
y = 1
title = 0x55ad0560
menu = 
background = 
pixbuf = 
height = 94
preview = 
menu = 
window = 
window_w = 
menu_w = 
w = 
h = 
theme = 0x555de8b0
#3  preview_theme (name=, titlelayout=0x55957800 "NLIMC", 
active_window_font=, inactive_window_font=, 
menu_title_font=, menu_item_font=, 
osd_active_font=0x559b3520, osd_inactive_font=0x55ab5920) at 
src/preview.c:835
preview = 
menu = 
window = 
window_w = 
menu_w = 
w = 
h = 
theme = 0x555de8b0
#4  0x746088e6 in preview_update_all () at src/preview_update.c:60
pix = 
preview = 
name = 0x55a901b0 "Clearlooks-Olive"
it = {
  stamp = 1769482829,
  user_data = 0x55a93d80,
  user_data2 = 0x0,
  user_data3 = 0x0
}
sel = 
#5  0x7460901d in theme_load_all () at src/theme.c:242
name = 0x55a8e600 "Clearlooks-Olive"
p = 
it = 
next = 
i = 
w = 0x55a49c70
#6  0x74606792 in plugin_load (app=, 
lxappearance_builder=) at src/main.c:231
exit_with_error = 0
wm_name = 
#7  0xdd6f in plugins_init (builder=0x555fdd40) at 
./src/plugin.c:62
load = 0x746064d0 
loaded = 0

Bug#1052759: qtremoteobjects-everywhere-src: FTBFS: qcontainerfwd.h:63:7: error: typedef redefinition with different types ('QList' vs 'QByteArrayList')

2023-09-30 Thread Dmitry Shachnev
Control: retitle -1 qtremoteobjects-everywhere-src: FTBFS: tst_usertypes::extraPropertyInQml2() fails
Control: severity -1 important
Control: tags -1 + unreproducible

Hi Lucas!

On Tue, Sep 26, 2023 at 02:38:35PM +0200, Lucas Nussbaum wrote:
> Source: qtremoteobjects-everywhere-src
> Version: 5.15.10-2
> Severity: serious
> Justification: FTBFS
> Tags: trixie sid ftbfs
> User: lu...@debian.org
> Usertags: ftbfs-20230925 ftbfs-trixie
> 
> Hi,
> 
> During a rebuild of all packages in sid, your package failed to build
> on amd64.

I have just built this package successfully two times in my sid chroot.
Also, it builds successfully in the reproducible builds environment [1].

[1]: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/qtremoteobjects-everywhere-src.html

> Relevant part (hopefully):
> > make[6]: Entering directory '/<>/src/remoteobjects'
> > /usr/lib/qt5/bin/qtattributionsscanner /<> --filter 
> > QDocModule=qtremoteobjects -o 
> > /<>/src/remoteobjects/codeattributions.qdoc
> > /<>/src/remoteobjects/qdoc_wrapper.sh -outputdir 
> > /<>/doc/qtremoteobjects -installdir /usr/share/qt5/doc 
> > /<>/src/remoteobjects/doc/qtremoteobjects.qdocconf -prepare 
> > -indexdir /usr/share/qt5/doc -no-link-errors -I. -I../../include 
> > -I../../include/QtRemoteObjects -I../../include/QtRemoteObjects/5.15.10 
> > -I../../include/QtRemoteObjects/5.15.10/QtRemoteObjects -I. 
> > -I/usr/include/x86_64-linux-gnu/qt5 
> > -I/usr/include/x86_64-linux-gnu/qt5/QtNetwork 
> > -I/usr/include/x86_64-linux-gnu/qt5/QtCore/5.15.10 
> > -I/usr/include/x86_64-linux-gnu/qt5/QtCore/5.15.10/QtCore 
> > -I/usr/include/x86_64-linux-gnu/qt5/QtCore -I.moc 
> > -I/usr/lib/x86_64-linux-gnu/qt5/mkspecs/linux-g++ -I/usr/include/c++/13 
> > -I/usr/include/x86_64-linux-gnu/c++/13 -I/usr/include/c++/13/backward 
> > -I/usr/lib/gcc/x86_64-linux-gnu/13/include -I/usr/local/include 
> > -I/usr/include/x86_64-linux-gnu -I/usr/include
> > qt.qdoc: Start qdoc for QtRemoteObjects in dual process mode: prepare phase.
> > /usr/include/x86_64-linux-gnu/qt5/QtCore/qcontainerfwd.h:63:7: error: 
> > typedef redefinition with different types ('QList' vs 
> > 'QByteArrayList')

No, this is an error when generating documentation, but it does not make the
build fail.

The really relevant part is this one:

> > * Start testing of tst_usertypes *
> > Config: Using QtTest library 5.15.10, Qt 5.15.10 (x86_64-little_endian-lp64 
> > shared (dynamic) release build; by GCC 13.1.0), debian unknown
> > PASS   : tst_usertypes::initTestCase()
> > PASS   : tst_usertypes::extraPropertyInQml()
> > QSYSTEM: tst_usertypes::extraPropertyInQml2() qt.remoteobjects:  Listen 
> > failed for URL: QUrl("local:test2")
> > QSYSTEM: tst_usertypes::extraPropertyInQml2() qt.remoteobjects:  
> > QAbstractSocket::AddressInUseError
> > FAIL!  : tst_usertypes::extraPropertyInQml2() Compared values are not the 
> > same
> >Actual   ((obj->property("hour").value())): 6
> >Expected (10)  : 10
> >Loc: [tst_usertypes.cpp(106)]

Maybe this test is flaky, but as I said, it works for me.

Can you reproduce this error? Maybe there is some difference between our
setups that makes it fail?

--
Dmitry Shachnev



Bug#1053286: tripwire segfaults during run

2023-09-30 Thread Ron Murray
Package: tripwire
Version: 2.4.3.7-4+b9
Severity: important


Dear Maintainer,

The latest version of tripwire segfaults during a run. I've taken an
strace, but it's over a Gb long, and still over 100 Mb when tarred and
feathered. I'll try and attach the last couple of hundred lines.

I do note that the last couple of files that it was checking before it
failed were symlinks to other files
(/lib/x86_64-linux-gnu/libbsd.so.0 and
/lib/x86_64-linux-gnu/libmd.so.0), but I don't know whether that's
relevant or not.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.5.khufu (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tripwire depends on:
ii  debconf [debconf-2.0]1.5.82
ii  sendmail-bin [mail-transport-agent]  8.17.2-1

tripwire recommends no packages.

tripwire suggests no packages.

-- Configuration Files:
/etc/tripwire/twpol.txt changed:
@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;
@@section FS
SEC_CRIT  = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_BIN   = $(ReadOnly) ;# Binaries that should not change
SEC_CONFIG= $(Dynamic) ; # Config files that are changed
# infrequently but accessed
# often
SEC_LOG   = $(Growing) ; # Files that grow, but that
 # should never change ownership
SEC_INVARIANT = +tpug ;  # Directories that should never
# change permission or ownership
SIG_LOW   = 33 ; # Non-critical files that are of
 # minimal security impact
SIG_MED   = 66 ; # Non-critical files that are of
 # significant security impact
SIG_HI= 100 ;# Critical files that are
 # significant points of
 # vulnerability
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire   -> $(SEC_BIN) ;
$(TWBIN)/twadmin-> $(SEC_BIN) ;
$(TWBIN)/twprint-> $(SEC_BIN) ;
}
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
$(TWVAR)/$(HOSTNAME).twd-> $(SEC_CONFIG) -i ;
$(TWETC)/tw.pol -> $(SEC_BIN) -i ;
$(TWETC)/tw.cfg -> $(SEC_BIN) -i ;
$(TWETC)/$(HOSTNAME)-local.key  -> $(SEC_BIN) ;
$(TWETC)/site.key   -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ;
}
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
/boot   -> $(SEC_CRIT) ;
/lib/modules-> $(SEC_CRIT) ;
}
(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
/etc/rcS.d  -> $(SEC_BIN) ;
/etc/rc0.d  -> $(SEC_BIN) ;
/etc/rc1.d  -> $(SEC_BIN) ;
/etc/rc2.d  -> $(SEC_BIN) ;
/etc/rc3.d  -> $(SEC_BIN) ;
/etc/rc4.d  -> $(SEC_BIN) ;
/etc/rc5.d  -> $(SEC_BIN) ;
/etc/rc6.d  -> $(SEC_BIN) ;
/etc/systemd-> $(SEC_BIN) ;
}
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI)
)
{
/bin-> $(SEC_BIN) ;
/sbin   -> $(SEC_BIN) ;
}
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI)
)
{
/lib-> $(SEC_BIN) ;
}
(
  rulename = "Security Control",
  severity = $(SIG_MED)
)
{
/etc/passwd -> $(SEC_CONFIG) ;
/etc/shadow -> $(SEC_CONFIG) ;
}
(
  rulename = "Root config files",
  severity = 100
)
{
/root   -> $(SEC_CRIT) ; # Catch all additions to /root
/root/.bashrc   -> $(SEC_CONFIG) ;
/root/.bash_profile -> $(SEC_CONFIG) ;
/root/.Xdefaults-> $(SEC_CONFIG) ;
/root/.Xauthority   -> $(SEC_CONFIG) -i ; # Changes Inode number on login
/root/.ICEauthority -> $(SEC_CONFIG) ;
}
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
/dev-> $(Device) ;
}
(
  rulename = "Things that change all the time",
  severity = 0
)
{
/etc/cups/printers.conf   
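
As an added example (mine, not tripwire's code and not the reporter's), here is a small parser for twpol.txt rule blocks like the ones quoted above: it expands $(VAR) references, applies the +/- property masks left to right, and lists the monitored paths whose final mask carries no hash property. The predefined masks (ReadOnly, Dynamic, Growing, Device, IgnoreNone) are the twpolicy(4) defaults as I recall them and should be checked against the manual page on the target system; the policy fragment it runs over is constructed, modelled on the quoted one. With those defaults $(Dynamic) keeps only p, i, n, u, g, t and d, so an entry such as `/etc/shadow -> $(SEC_CONFIG)` with SEC_CONFIG = $(Dynamic) would not notice a content change that leaves mode, owner, inode and type alone, which is worth knowing before relying on a "Security Control" rule written that way.

```python
import re
from typing import Dict, List, Set

# Assumed values: the property-mask defaults as I recall them from
# twpolicy(4); verify against the manual page on the target system.
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}
HASH_PROPS = set("CMSH")  # CRC-32, MD5, SHA, HAVAL

COMMENT_RE = re.compile(r"#.*$", re.M)
SECTION_RE = re.compile(r"^@@section.*$", re.M)
VARDEF_RE = re.compile(r"^\s*(\w+)\s*=\s*([^;\n]+?)\s*;", re.M)
VAR_RE = re.compile(r"\$\((\w+)\)")
RULE_RE = re.compile(r"\(\s*(?P<attrs>[^)]*)\)\s*\{(?P<body>[^}]*)\}", re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,\n]+)')
ENTRY_RE = re.compile(r"(?P<path>\S+)\s*->\s*(?P<mask>[^;(]*?)\s*(?:\((?P<eattrs>[^)]*)\))?\s*;")

def expand(text: str, variables: Dict[str, str]) -> str:
    """Substitute $(NAME) until nothing changes, since definitions nest."""
    def lookup(m) -> str:
        if m.group(1) not in variables:
            raise ValueError(f"undefined policy variable {m.group(1)}")
        return variables[m.group(1)]
    previous = None
    while previous != text:
        previous, text = text, VAR_RE.sub(lookup, text)
    return text

def property_set(mask: str) -> Set[str]:
    """Apply a mask such as '+pinugtd-srlbamcCMSH -i' left to right."""
    props: Set[str] = set()
    sign = "+"
    for ch in mask:
        if ch in "+-":
            sign = ch
        elif ch.isalpha():
            (props.add if sign == "+" else props.discard)(ch)
    return props

def parse_policy(text: str) -> List[Dict]:
    """Return one record per 'path -> mask' entry with its rule attributes."""
    text = SECTION_RE.sub("", COMMENT_RE.sub("", text))
    variables = dict(PREDEFINED)
    variables.update(VARDEF_RE.findall(text))  # rule attrs end with ',' not ';'
    text = expand(text, variables)
    rules = []
    for rule in RULE_RE.finditer(text):
        attrs = {k: v.strip().strip('"') for k, v in ATTR_RE.findall(rule.group("attrs"))}
        for entry in ENTRY_RE.finditer(rule.group("body")):
            eattrs = dict(ATTR_RE.findall(entry.group("eattrs") or ""))
            rules.append({
                "rulename": attrs.get("rulename", ""),
                "severity": int(attrs.get("severity", "0")),
                "path": entry.group("path"),
                "props": property_set(entry.group("mask")),
                "recurse": eattrs.get("recurse", "true").strip(),
            })
    return rules

def paths_not_hashed(rules: List[Dict]) -> List[str]:
    """Paths whose mask checks no hash; a content change there is only seen
    through whichever of size, mtime or inode the mask still includes."""
    return [r["path"] for r in rules if not (r["props"] & HASH_PROPS)]

# Constructed fragment modelled on the policy quoted in the report.
SAMPLE = """
@@section GLOBAL
TWBIN = /usr/sbin;
@@section FS
SEC_CRIT   = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_BIN    = $(ReadOnly) ;
SEC_CONFIG = $(Dynamic) ;
SIG_MED = 66 ;
SIG_HI  = 100 ;
( rulename = "Tripwire Binaries", severity = $(SIG_HI) )
{ $(TWBIN)/tripwire -> $(SEC_BIN) ; }
( rulename = "Security Control", severity = $(SIG_MED) )
{
  /etc/passwd -> $(SEC_CONFIG) ;
  /etc/shadow -> $(SEC_CONFIG) ;
}
( rulename = "Root config files", severity = $(SIG_HI), )
{
  /root                    -> $(SEC_CRIT) ;
  /root/.Xauthority        -> $(SEC_CONFIG) -i ;   # changes inode on login
  /var/lib/tripwire/report -> $(SEC_CONFIG) (recurse=0) ;
}
"""
```

Run `paths_not_hashed(parse_policy(open("/etc/tripwire/twpol.txt").read()))` on a real policy to get the same listing for your own rules; entries that rely on $(HOSTNAME) need that variable added to PREDEFINED first.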

Bug#1050329: sexpp FTBFS with nocheck profile

2023-09-30 Thread Karel van Gruiten
Hello!
Please excuse me for writing a mail about this bug as a non-Debian developer.
I had read, in a report about a problem with the GnuPG2 package (#1033155), that Daniel is on 
the LowThresholdNmu list.
If I understood it correctly, there is already a patch for this bug. So could 
such a non-maintainer upload be the solution here as well?
Again, sorry for this unasked-for post, but since 10/24 is approaching, I just 
wrote it as a simple Thunderbird user on Debian.
Kind regards
Karel



Bug#1050607: xcb: bookworm xcb won't paste from selected cut buffer

2023-09-30 Thread Dennis Filder
X-Debbugs-CC: Phil Chadwick 
Control: tag -1 moreinfo

I cannot reproduce this with 2.4-7 under xorg: xcb behaves as
expected.

You state that you use the "standard bookworm Gnome desktop" which
should be using Wayland.  Are you under Wayland?  Because if so then I
suspect the behaviour you observed might be due to Xwayland probably
not implementing Cut Buffers correctly (or at all) -- which would be
unsurprising as they have been a rather obscure/obsolete feature of X
for quite some time.  In that case it would be prudent to look for an
alternative clipboard because I have my doubts that the Xwayland
people would add this feature if one were to ask them to.

If you want to debug this further you should paste the output of

  xprop -root | grep CUT_BUFFER

For me it's:

  CUT_BUFFER0(UTF8_STRING) = "foo"
  CUT_BUFFER1(UTF8_STRING) = "bar"
  CUT_BUFFER2(STRING) =
  CUT_BUFFER3(STRING) =
  CUT_BUFFER4(STRING) =
  CUT_BUFFER5(STRING) =
  CUT_BUFFER6(STRING) =
  CUT_BUFFER7(STRING) =

Regards.



Bug#1053285: AttributeError: 'PlatformioCLI' object has no attribute 'resultcallback'

2023-09-30 Thread Gregor Riepl
Package: platformio
Version: 4.3.4-3
Severity: grave
Justification: renders package unusable
Forwarded: https://github.com/platformio/platformio-core/issues/4075
X-Debbugs-Cc: onit...@gmail.com

Dear Maintainer,

The current version of PlatformIO in Debian no longer works with python3-click
due to the following incompatibility:
AttributeError: 'PlatformioCLI' object has no attribute 'resultcallback'. Did
you mean: 'result_callback'?

This issue has been fixed in PlatformIO 5.2.1.
Preferably, update to the latest upstream version (6.1.11 currently).

Thanks!

Full stack trace:

Traceback (most recent call last):
  File "/usr/bin/platformio", line 33, in <module>
    sys.exit(load_entry_point('platformio==4.3.4', 'console_scripts', 'platformio')())
  File "/usr/bin/platformio", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 202, in load
    module = import_module(match.group('module'))
  File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/usr/lib/python3/dist-packages/platformio/__main__.py", line 66, in <module>
    @cli.resultcallback()
AttributeError: 'PlatformioCLI' object has no attribute 'resultcallback'. Did
you mean: 'result_callback'?


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages platformio depends on:
ii  python3   3.11.4-5+b1
ii  python3-bottle0.12.23-1.2
ii  python3-click 8.1.6-1
ii  python3-colorama  0.4.6-4
ii  python3-marshmallow   3.18.0-1
ii  python3-pyelftools0.30-1
ii  python3-requests  2.31.0+dfsg-1
ii  python3-semantic-version  2.9.0-2
ii  python3-serial3.5-1.1
ii  python3-tabulate  0.8.9-1

platformio recommends no packages.

Versions of packages platformio suggests:
pn  platformio-doc  

-- no debconf information



Bug#1053284: xrdp: CVE-2023-42822: Unchecked access to font glyph info

2023-09-30 Thread Salvatore Bonaccorso
Source: xrdp
Version: 0.9.21.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for xrdp.

CVE-2023-42822[0]:
| xrdp is an open source remote desktop protocol server. Access to the
| font glyphs in xrdp_painter.c is not bounds-checked . Since some of
| this data is controllable by the user, this can result in an out-of-
| bounds read within the xrdp executable. The vulnerability allows an
| out-of-bounds read within a potentially privileged process. On non-
| Debian platforms, xrdp tends to run as root. Potentially an out-of-
| bounds write can follow the out-of-bounds read. There is no denial-
| of-service impact, providing xrdp is running in forking mode. This
| issue has been addressed in release 0.9.23.1. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42822
https://www.cve.org/CVERecord?id=CVE-2023-42822
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw
[2] https://github.com/neutrinolabs/xrdp/commit/73acbe1f7957c65122b00de4d6f57a8d0d257c40

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1053283: matrix-synapse: CVE-2023-42453 CVE-2023-41335

2023-09-30 Thread Salvatore Bonaccorso
Source: matrix-synapse
Version: 1.92.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for matrix-synapse.

CVE-2023-42453[0]:
| Synapse is an open-source Matrix homeserver written and maintained
| by the Matrix.org Foundation. Users were able to forge read receipts
| for any event (if they knew the room ID and event ID). Note that the
| users were not able to view the events, but simply mark it as read.
| This could be confusing as clients will show the event as read by
| the user, even if they are not in the room. This issue has been
| patched in version 1.93.0. Users are advised to upgrade. There are
| no known workarounds for this issue.


CVE-2023-41335[1]:
| Synapse is an open-source Matrix homeserver written and maintained
| by the Matrix.org Foundation. When users update their passwords, the
| new credentials may be briefly held in the server database. While
| this doesn't grant the server any added capabilities—it already
| learns the users' passwords as part of the authentication process—it
| does disrupt the expectation that passwords won't be stored in the
| database. As a result, these passwords could inadvertently be
| captured in database backups for a longer duration. These
| temporarily stored passwords are automatically erased after a
| 48-hour window. This issue has been addressed in version 1.93.0.
| Users are advised to upgrade. There are no known workarounds for
| this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42453
https://www.cve.org/CVERecord?id=CVE-2023-42453

https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2x
[1] https://security-tracker.debian.org/tracker/CVE-2023-41335
https://www.cve.org/CVERecord?id=CVE-2023-41335

https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5

Regards,
Salvatore



-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
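
As an added example (mine, not Synapse's code), the two checks a read-receipt handler needs before it records m.read for a (room_id, event_id) pair on behalf of a user, modelled on the CVE-2023-42453 description above: without them, a user who merely knows a room ID and an event ID can mark that event as read. The store, its field names and the sample users and rooms are constructed stand-ins; "membership" is modelled as a current join, which is an assumption about what the check should require.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

class ReceiptRejected(Exception):
    pass

@dataclass
class Store:
    """Constructed in-memory stand-in for the homeserver's event and
    membership tables; the field names are this example's, not Synapse's."""
    event_room: Dict[str, str]                     # event_id -> room_id it belongs to
    joined: Dict[str, Set[str]]                    # room_id -> user_ids currently joined
    receipts: List[Tuple[str, str, str]] = field(default_factory=list)

def record_receipt_unchecked(store: Store, user_id: str, room_id: str, event_id: str) -> None:
    """Pre-fix shape: trusts the caller's (room_id, event_id) pair outright."""
    store.receipts.append((user_id, room_id, event_id))

def record_receipt_checked(store: Store, user_id: str, room_id: str, event_id: str) -> None:
    """Refuse unless the event really is in that room and the user is joined to it."""
    if store.event_room.get(event_id) != room_id:
        # Covers both an unknown event ID and an event ID taken from another room.
        raise ReceiptRejected("event is not in this room")
    if user_id not in store.joined.get(room_id, set()):
        raise ReceiptRejected("user is not joined to the room")
    store.receipts.append((user_id, room_id, event_id))

def receipt_accepted(store: Store, user_id: str, room_id: str, event_id: str) -> bool:
    """Convenience wrapper: True if the checked path recorded the receipt."""
    try:
        record_receipt_checked(store, user_id, room_id, event_id)
    except ReceiptRejected:
        return False
    return True

def sample_store() -> Store:
    # Constructed data: @alice is in both rooms, @mallory only in !public.
    return Store(
        event_room={"$e1": "!secret:example.org", "$e2": "!public:example.org"},
        joined={
            "!secret:example.org": {"@alice:example.org"},
            "!public:example.org": {"@alice:example.org", "@mallory:example.org"},
        },
    )
```

The unchecked path accepts @mallory's receipt for $e1 in !secret although she cannot see that room; the checked path rejects it, and also rejects a receipt that names a real event under the wrong room ID.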


Bug#1053282: node-postcss: CVE-2023-44270

2023-09-30 Thread Salvatore Bonaccorso
Source: node-postcss
Version: 8.4.20+~cs8.0.23-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-postcss.

CVE-2023-44270[0]:
| An issue was discovered in PostCSS before 8.4.31. It affects linters
| using PostCSS to parse external Cascading Style Sheets (CSS). There
| may be \r discrepancies, as demonstrated by @font-face{
| font:(\r/*);} in a rule.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44270
https://www.cve.org/CVERecord?id=CVE-2023-44270
[1] https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1053281: linux-image-6.5.0-1-amd64: Debian does not boot at cold start on kernel 6.5.0-1-amd64 on Intel NUC 12

2023-09-30 Thread Kazimierz Uromski
Package: src:linux
Version: 6.5.3-1
Severity: important
X-Debbugs-Cc: kurom...@stodwa.org

Dear Maintainer,



   * What is the issue?
When I cold boot my Intel NUC12SNKi72, the boot process of my Debian sid hangs at
Loading initial ramdisk
EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
EFI stub: Measured initrd data into PCR 9
The suspected problem source is firmware loading and/or the i915 driver, because
this machine has a dual Intel GPU (CPU-integrated and A770M) configuration, which
is not very popular.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?
Added the "nomodeset" kernel parameter -> it made the issue even worse. It hangs the
same way, but ctrl+alt+del does not reboot the OS.
Installed the bookworm-backports kernel linux-image-6.4.0-0.deb12.2-amd64
(6.4.4-3~bpo12+1) - it works properly with this version.

   * What was the outcome of this action?
The OS does not boot. I found two workarounds for kernel 6.5:
1. Boot Windows first, reboot and boot Debian.
2. Let Debian hang as described above, then press ctrl+alt+del to reboot. After that
Debian will boot properly.
It won't boot, though, if I reboot while in GRUB - it must attempt to load the initrd
for Debian to boot after the reboot.

The issue was reported on Ubuntu kernel 6.5 as well:
https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/2037176


-- Package-specific info:
** Version:
Linux version 6.5.0-1-amd64 (debian-ker...@lists.debian.org) (gcc-13 (Debian 13.2.0-4) 13.2.0, GNU ld (GNU Binutils for Debian) 2.41) #1 SMP PREEMPT_DYNAMIC Debian 6.5.3-1 (2023-09-13)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-6.5.0-1-amd64 root=UUID=bf0e1c3b-f21b-443d-a929-d450ea6a2f30 ro quiet

** Tainted: U (64)
 * taint requested by userspace application

** Kernel log:
[5.014518] usb 1-1.5: new high-speed USB device number 11 using xhci_hcd
[5.144618] usb 1-1.5: New USB device found, idVendor=0bda, idProduct=5418, 
bcdDevice= 1.01
[5.144622] usb 1-1.5: New USB device strings: Mfr=1, Product=2, 
SerialNumber=0
[5.144622] usb 1-1.5: Product: BillBoard Device
[5.144623] usb 1-1.5: Manufacturer: Realtek
[5.214504] usb 1-1.1.5: new high-speed USB device number 12 using xhci_hcd
[5.332226] usb 1-1.1.5: New USB device found, idVendor=0bda, 
idProduct=1100, bcdDevice= 1.01
[5.332230] usb 1-1.1.5: New USB device strings: Mfr=1, Product=2, 
SerialNumber=0
[5.332232] usb 1-1.1.5: Product: HID Device
[5.332233] usb 1-1.1.5: Manufacturer: Realtek
[5.402517] usb 1-1.1.2.3: new full-speed USB device number 13 using xhci_hcd
[5.424418] Bluetooth: hci0: Waiting for firmware download to complete
[5.425079] Bluetooth: hci0: Firmware loaded in 1538277 usecs
[5.425167] Bluetooth: hci0: Waiting for device to boot
[5.441106] Bluetooth: hci0: Device booted in 15611 usecs
[5.441472] bluetooth hci0: firmware: direct-loading firmware 
intel/ibt-0040-0041.ddc
[5.441500] Bluetooth: hci0: Found Intel DDC parameters: 
intel/ibt-0040-0041.ddc
[5.444292] Bluetooth: hci0: Applying Intel DDC parameters completed
[5.447239] Bluetooth: hci0: Firmware timestamp 2023.13 buildtype 1 build 
62562
[5.509488] usb 1-1.1.2.3: New USB device found, idVendor=413c, 
idProduct=2514, bcdDevice= 2.22
[5.509510] usb 1-1.1.2.3: New USB device strings: Mfr=1, Product=2, 
SerialNumber=0
[5.509512] usb 1-1.1.2.3: Product: Dell Universal Receiver
[5.509513] usb 1-1.1.2.3: Manufacturer: Dell Computer Corp
[5.516437] Bluetooth: MGMT ver 1.22
[5.521038] NET: Registered PF_ALG protocol family
[5.582555] usb 1-1.6: new high-speed USB device number 14 using xhci_hcd
[5.677319] pipewire[1235]: memfd_create() called without MFD_EXEC or 
MFD_NOEXEC_SEAL set
[5.700275] usb 1-1.6: New USB device found, idVendor=0bda, idProduct=1101, 
bcdDevice= 1.01
[5.700279] usb 1-1.6: New USB device strings: Mfr=1, Product=2, 
SerialNumber=0
[5.700280] usb 1-1.6: Product: HID Device
[5.700280] usb 1-1.6: Manufacturer: Realtek
[5.709487] mc: Linux media interface: v0.10
[5.710256] hid: raw HID events driver (C) Jiri Kosina
[5.722243] videodev: Linux video capture interface: v2.00
[5.731497] usbcore: registered new interface driver usbhid
[5.731499] usbhid: USB HID core driver
[5.734394] input: Dell C2422HE Consumer Control as 
/devices/pci:00/:00:14.0/usb1/1-1/1-1.3/1-1.3:1.3/0003:413C:C00B.0001/input/input17
[5.734823] usb 1-1.4: Found UVC 1.50 device Integrated_Webcam_5M_IR 
(413c:c00a)
[5.752288] usb 1-1.3: Warning! Unlikely big volume range (=18944), 
cval->res is probably wrong.
[5.752308] usb 1-1.3: [2] FU [Headset Playback Volume] ch = 2, val = 
-18944/0/1
[5.757326] usb 1-1.3: Warning! Unlikely big volume range (=18944), 
cval->res is probably wrong.
[5.757334] usb 1-1.3: [6] FU [Headset Capture Volume] ch = 2, val = 
-18944/0/1
[5.774563] usb 1-1.1.2.4: new high-speed USB device number 15 using xhci_hcd
[5.794553] input: Dell C2422HE as 

Bug#1053280: RFS: gsimplecal/2.5.1-1 -- lightweight GUI calendar application

2023-09-30 Thread Hugo Torres
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "gsimplecal":

 * Package name : gsimplecal
   Version  : 2.5.1-1
   Upstream contact : https://github.com/dmedvinsky/gsimplecal/issues
 * URL  : https://dmedvinsky.github.io/gsimplecal
 * License  : BSD-3-Clause
 * Vcs  : https://salsa.debian.org/debian/gsimplecal
   Section  : misc

The source builds the following binary packages:

  gsimplecal - lightweight GUI calendar application

To access further information about this package, please visit the following 
URL:

  https://mentors.debian.net/package/gsimplecal/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/g/gsimplecal/gsimplecal_2.5.1-1.dsc

Changes since the last upload:

 gsimplecal (2.5.1-1) unstable; urgency=medium
 .
   * New upstream version 2.5.1

Regards,
--
  Hugo Torres de Lima



Bug#1053199: liferea does not show feed item contents after 1.15.2-1->1.15.3-1 update

2023-09-30 Thread Paul Gevers

Hi,

Thanks for reporting issues you encounter.

On 29-09-2023 09:47, Paul Seyfert wrote:

I upgraded liferea and liferea-data 1.15.2-1 → 1.15.3-1, along with a
bunch of other updates (e.g. libwebkit2gtk 2.40.5-1 → 2.42.0-1)


Stupid question maybe: did you restart liferea since the upgrade?


The liferea window is divided into 3 parts:
  1) the list of all my feeds
  2) the list of all news items in the selected feed
  3) the content a news item

Usually, when selecting a news item in 2, it gets shown in 3.


Agreed (I use liferea myself).


Since the upgrade, window 3 remains gray and does not show.


It works for me. So, what could be different (non-default) in your 
environment?


Paul


OpenPGP_signature.asc
Description: OpenPGP digital signature


Bug#1053275: (no subject)

2023-09-30 Thread Alexey Kuznetsov

Recent patch:

* https://gitlab.com/axet/homebin/-/blob/debian/dbuild.d/bookworm/devscripts/mk-build-deps.patch


Also devscripts failed to build without:

* https://gitlab.com/axet/homebin/-/blob/debian/dbuild.d/bookworm/devscripts/build.patch


-- AK



Bug#999649: tagging 999649

2023-09-30 Thread Tobias Frost
tags 999649 + pending
thanks

Fixed with commit: https://salsa.debian.org/science-team/ckon/-/commit/45cf9dd5f



Bug#1053277: libcups2: typo in NEWS

2023-09-30 Thread Thorsten Alteholz

Hi Christian,

On 30.09.23 19:02, Christian T. Steigies wrote:

I did not find this file (because I don't have a full install), but I think
the filename should be cupsd.conf instead of cupds.conf.


Oops, thanks for telling me. You are right, the correct name would have 
been cupsd.conf.


  Thorsten



Bug#1053278: Acknowledgement (embeds fasttext LLM)

2023-09-30 Thread Joey Hess
Screenshot attached

-- 
see shy jo


signature.asc
Description: PGP signature


Bug#1053279: contains 100+kb minified .js file without corresponding source

2023-09-30 Thread Joey Hess
Package: firefox
Version: 118.0-1
Severity: normal

toolkit/components/translations/fasttext/fasttext_wasm.js is 100+ kb of
minified js. There is no other source code. AFAIK this is not acceptable
in a Debian package.

https://firefox-source-docs.mozilla.org/toolkit/components/translations/resources/02_contributing.html#building-fasttext
discusses this file and how it was generated, including minification.

-- Package-specific info:


-- Addons package information

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox depends on:
ii  debianutils  5.13
ii  fontconfig   2.14.2-6
ii  libasound2   1.2.10-1
ii  libatk1.0-0  2.50.0-1
ii  libc62.37-11
ii  libcairo-gobject21.18.0-1
ii  libcairo21.18.0-1
ii  libdbus-1-3  1.14.10-1
ii  libdbus-glib-1-2 0.112-3
ii  libevent-2.1-7   2.1.12-stable-8
ii  libffi8  3.4.4-1
ii  libfontconfig1   2.14.2-6
ii  libfreetype6 2.13.2+dfsg-1
ii  libgcc-s113.2.0-4
ii  libgdk-pixbuf-2.0-0  2.42.10+dfsg-1+b1
ii  libglib2.0-0 2.78.0-2
ii  libgtk-3-0   3.24.38-5
ii  libnspr4 2:4.35-1.1
ii  libnss3  2:3.93-1
ii  libpango-1.0-0   1.51.0+ds-2
ii  libstdc++6   13.2.0-4
ii  libvpx7  1.12.0-1
ii  libx11-6 2:1.8.6-1
ii  libx11-xcb1  2:1.8.6-1
ii  libxcb-shm0  1.15-1
ii  libxcb1  1.15-1
ii  libxcomposite1   1:0.4.5-1
ii  libxdamage1  1:1.1.6-1
ii  libxext6 2:1.3.4-1+b1
ii  libxfixes3   1:6.0.0-2
ii  libxrandr2   2:1.5.2-2+b1
ii  libxtst6 2:1.2.3-1.1
ii  procps   2:4.0.3-1
ii  zlib1g   1:1.2.13.dfsg-3

Versions of packages firefox recommends:
ii  libavcodec59  7:5.1.3-2
ii  libavcodec60  7:6.0-7

Versions of packages firefox suggests:
ii  fonts-lmodern  2.005-1
pn  fonts-stix | otf-stix  
ii  libcanberra0   0.30-10
ii  libgssapi-krb5-2   1.20.1-4
ii  pulseaudio 16.1+dfsg1-2+b1

-- no debconf information

-- 
see shy jo


signature.asc
Description: PGP signature


Bug#1053278: embeds fasttext LLM

2023-09-30 Thread Joey Hess
Package: firefox
Version: 118.0-1
Severity: normal

Firefox has a new offline translation capability in version 118. 
Step one of that is determining the language used in a web page.
It uses https://fasttext.cc/ to accomplish that.

I have experimentally verified that firefox is able to detect the
language of a Spanish language web page when used offline. So it is not
downloading the LLM from a server and using it, instead the LLM must be
baked into firefox. (The LLMs used for the actual translation are
downloaded on demand.)

See attached screenshot. This is the first run of firefox in a user
account, while offline. The localhost webserver does not send any
headers indicating the page's language.

This is arguably a DFSG violation. I have no firm opinion on that
matter, but I *do* have the opinion that the free software community
needs to come to a consensus about the question. Inclusion of LLMs
in packages like this risks a decision by default.

Note that the fasttext LLM uses wikipedia or the common crawl as its
corpus. The pre-trained vectors, which I think some would prefer to
consider as "source" rather than the training corpus, are 500+ mb so
it seems they are not included in the source package either. I think
what is included is a quantized model, as described here
https://fasttext.cc/docs/en/faqs.html

-- Package-specific info:


-- Addons package information

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox depends on:
ii  debianutils  5.13
ii  fontconfig   2.14.2-6
ii  libasound2   1.2.10-1
ii  libatk1.0-0  2.50.0-1
ii  libc62.37-11
ii  libcairo-gobject21.18.0-1
ii  libcairo21.18.0-1
ii  libdbus-1-3  1.14.10-1
ii  libdbus-glib-1-2 0.112-3
ii  libevent-2.1-7   2.1.12-stable-8
ii  libffi8  3.4.4-1
ii  libfontconfig1   2.14.2-6
ii  libfreetype6 2.13.2+dfsg-1
ii  libgcc-s113.2.0-4
ii  libgdk-pixbuf-2.0-0  2.42.10+dfsg-1+b1
ii  libglib2.0-0 2.78.0-2
ii  libgtk-3-0   3.24.38-5
ii  libnspr4 2:4.35-1.1
ii  libnss3  2:3.93-1
ii  libpango-1.0-0   1.51.0+ds-2
ii  libstdc++6   13.2.0-4
ii  libvpx7  1.12.0-1
ii  libx11-6 2:1.8.6-1
ii  libx11-xcb1  2:1.8.6-1
ii  libxcb-shm0  1.15-1
ii  libxcb1  1.15-1
ii  libxcomposite1   1:0.4.5-1
ii  libxdamage1  1:1.1.6-1
ii  libxext6 2:1.3.4-1+b1
ii  libxfixes3   1:6.0.0-2
ii  libxrandr2   2:1.5.2-2+b1
ii  libxtst6 2:1.2.3-1.1
ii  procps   2:4.0.3-1
ii  zlib1g   1:1.2.13.dfsg-3

Versions of packages firefox recommends:
ii  libavcodec59  7:5.1.3-2
ii  libavcodec60  7:6.0-7

Versions of packages firefox suggests:
ii  fonts-lmodern  2.005-1
pn  fonts-stix | otf-stix  
ii  libcanberra0   0.30-10
ii  libgssapi-krb5-2   1.20.1-4
ii  pulseaudio 16.1+dfsg1-2+b1

-- no debconf information

-- 
see shy jo


signature.asc
Description: PGP signature


Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-30 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-29 at 17:37 +0400, Yadd wrote:
> Two new vulnerabilities have been discovered and fixed in lemonldap-
> ng:
>  - an open redirection only when configuration is edited by hand and
>doesn't follow OIDC specifications
>  - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>A little-know feature of OIDC allows the OpenID Provider to fetch
> the
>Authorization request parameters itself by indicating a
> request_uri
>parameter. This feature is now restricted to a white list using
> this
>patch
> 

--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium
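
Review bot: the suite in the new NEWS header is bullseye, while the version is 2.16.1+ds-deb12u2 and this is a bookworm-pu request; the line should read `lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium`, matching the suite used in debian/changelog for the same version.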

As Salvatore pointed out, the suite is wrong in the header.

+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the
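
Review bot: "little-know" in the added paragraph is a typo for "little-known"; either correct it or drop the qualifier, since the entry only needs to say that the OpenID Provider fetches the authorization request parameters from a request_uri and that this is now restricted to an allowlist.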

s/little-know//

Please go ahead.

Regards,

Adam



Bug#1053189: bookworm-pu: package foot/1.13.1-2+deb12u1

2023-09-30 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-29 at 08:35 +0200, Birger Schacht wrote:
> The terminal emulator foot contains a vulnerability. The issue is
> that, if an XTGETTCAP escape sequence printed to the terminal
> contains newline characters, foot will echo the newline characters
> back into the PTY as part of the "invalid capability" response.
> (XTGETTCAP strings are supposed to be hex-encoded, so it's not valid
> for them to contain newline characters.) 
> 

Please go ahead.

Regards,

Adam
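
As an added example (mine, not foot's code), the shape of the bug the pu request describes and the fix for it, as a minimal XTGETTCAP responder. Per xterm's control-sequence documentation the request is DCS + q Pt ST, where Pt is a ';'-separated list of hex-encoded terminfo capability names, and the reply is DCS 1 + r name=value ST for a known name or DCS 0 + r Pt ST for an invalid one; the reply is written to the PTY, so the foreground process reads it as if the user had typed it, and a newline inside it is an Enter keypress. foot's real parser and capability table are not modelled here; the capability table is constructed.

```python
import binascii
from typing import Callable, Optional

DCS, ST = "\x1bP", "\x1b\\"
HEX = set("0123456789abcdefABCDEF")

# Constructed stand-in for the terminal's terminfo entries.
CAPS = {"TN": "xterm-256color", "Co": "256"}

def hexenc(s: str) -> str:
    return binascii.hexlify(s.encode()).decode()

def hexdec(h: str) -> Optional[str]:
    try:
        return binascii.unhexlify(h).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def respond_naive(pt: str) -> str:
    """Vulnerable shape, as the pu request describes it: the 'invalid
    capability' reply reuses the request item verbatim, so a newline sent in
    the request comes back out of the terminal as an Enter keypress."""
    out = []
    for item in pt.split(";"):
        name = hexdec(item)
        if name is not None and name in CAPS:
            out.append(f"{DCS}1+r{hexenc(name)}={hexenc(CAPS[name])}{ST}")
        else:
            out.append(f"{DCS}0+r{item}{ST}")
    return "".join(out)

def respond_hardened(pt: str) -> str:
    """Only hex digits ever travel back: an item that is not well-formed hex
    gets an empty '0+r' reply instead of an echo."""
    out = []
    for item in pt.split(";"):
        if not item or len(item) % 2 or any(c not in HEX for c in item):
            out.append(f"{DCS}0+r{ST}")
            continue
        name = hexdec(item)
        if name is not None and name in CAPS:
            out.append(f"{DCS}1+r{hexenc(name)}={hexenc(CAPS[name])}{ST}")
        else:
            out.append(f"{DCS}0+r{item}{ST}")  # item is pure hex, safe to echo
    return "".join(out)

def handle(seq: str, responder: Callable[[str], str]) -> Optional[str]:
    """Strip the DCS + q ... ST framing and hand Pt to a responder."""
    prefix = DCS + "+q"
    if not (seq.startswith(prefix) and seq.endswith(ST)):
        return None
    return responder(seq[len(prefix):-len(ST)])

def has_line_terminator(reply: str) -> bool:
    """The property a PTY-bound reply must never have."""
    return any(c in reply for c in "\r\n")
```

The same rule applies to every other query a terminal answers (DA, DSR, OSC colour queries, DECRQSS): the reply goes into the input stream of whatever is running, so it must be built only from bytes the terminal itself chooses.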



Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5

2023-09-30 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-29 at 17:45 +0400, Yadd wrote:
> Two new vulnerabilities have been discovered and fixed in lemonldap-
> ng:
>  - an open redirection due to incorrect escape handling
>  - an open redirection only when configuration is edited by hand and
>doesn't follow OIDC specifications
>  - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>A little-know feature of OIDC allows the OpenID Provider to fetch
> the
>Authorization request parameters itself by indicating a
> request_uri
>parameter. This feature is now restricted to a white list using
> this
>patch
> 

Please go ahead.

Regards,

Adam
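
As an added example (mine, not lemonldap-ng's code) for the CVE-2023-44469 item in both the bookworm-pu and bullseye-pu requests above: gating the OIDC request_uri fetch behind the values an RP pre-registered, instead of fetching whatever URL the authorization request names from the OP's own network position. The client registration, the target URLs and the fake fetcher are constructed; the exact-match policy is what the OIDC request_uris client-metadata field is for, and the extra scheme and userinfo checks are defence in depth of my own.

```python
from urllib.parse import urlsplit

class RequestUriRejected(Exception):
    pass

# Constructed registration: what an RP would supply as the OIDC
# 'request_uris' client-metadata field.
CLIENTS = {
    "rp-example": {
        "request_uris": [
            "https://rp.example/oidc/request/login.jwt",
            "https://rp.example/oidc/request/step-up.jwt",
        ],
    },
}

# Constructed 'network': what fetching each URL would return.
FAKE_NET = {
    "https://rp.example/oidc/request/login.jwt": "eyJ.constructed-request-object",
    "http://169.254.169.254/latest/meta-data/": "constructed cloud-metadata reply",
    "https://127.0.0.1:8443/admin/": "constructed OP admin page",
}

def fake_fetch(url: str) -> str:
    return FAKE_NET.get(url, "")

def fetch_request_object_unrestricted(client_id: str, request_uri: str, fetch=fake_fetch) -> str:
    """Pre-fix shape: the OP fetches whatever URL the request names (the SSRF)."""
    return fetch(request_uri)

def check_request_uri(client_id: str, request_uri: str) -> str:
    client = CLIENTS.get(client_id)
    if client is None:
        raise RequestUriRejected("unknown client_id")
    parts = urlsplit(request_uri)
    # Defence in depth in case a registered value is itself sloppy:
    # https only, a real host, no userinfo, no fragment.
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc or parts.fragment:
        raise RequestUriRejected("request_uri must be a plain https URL")
    # Exact string comparison: no prefix matching, so path traversal, an
    # added port or a look-alike host cannot widen the allowlist.
    if request_uri not in client["request_uris"]:
        raise RequestUriRejected("request_uri is not pre-registered for this client")
    return request_uri

def fetch_request_object_allowlisted(client_id: str, request_uri: str, fetch=fake_fetch) -> str:
    """Fixed shape: the fetch only ever sees a value that passed the allowlist."""
    return fetch(check_request_uri(client_id, request_uri))

def request_uri_allowed(client_id: str, request_uri: str) -> bool:
    try:
        check_request_uri(client_id, request_uri)
    except RequestUriRejected:
        return False
    return True
```

Even with the allowlist, the fetch itself should run with a short timeout, no redirect following and a response-size cap, since the RP still controls what sits behind a registered URL.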



Bug#1053277: libcups2: typo in NEWS

2023-09-30 Thread Christian T. Steigies
Package: libcups2
Version: 2.2.10-6+deb10u9
Severity: minor

Dear Maintainer,
I don't seem to have a full CUPS install on this old machine, but libcups2
got updated and displayed the NEWS file with this line:

 "Please double check your /etc/cups/cupds.conf file"

I did not find this file (because I don't have a full install), but I think
the filename should be cupsd.conf instead of cupds.conf.

thanks,
Christian

-- System Information:
Debian Release: 10.13
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-20-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libcups2 depends on:
ii  libavahi-client3  0.7-4+deb10u3
ii  libavahi-common3  0.7-4+deb10u3
ii  libc6 2.28-10+deb10u2
ii  libgnutls30   3.6.7-4+deb10u10
ii  libgssapi-krb5-2  1.17-3+deb10u5
ii  zlib1g1:1.2.11.dfsg-1+deb10u2

libcups2 recommends no packages.

Versions of packages libcups2 suggests:
pn  cups-common  

-- no debconf information



Bug#1053270: bullseye-pu: package curl/7.74.0-1.3+deb11u9

2023-09-30 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sat, 2023-09-30 at 20:46 +0800, Carlos Henrique Lima Melara wrote:
> Vulnerabilities were discovered and reported to Curl upstream [1][2]
> with the
> following CVE IDs:
> 
> - CVE-2023-28321
> - CVE-2023-28322
> 

Please go ahead.

Regards,

Adam



Bug#1053276: polyphone: update d/watch

2023-09-30 Thread Patrice Duroux
Package: polyphone
Version: 2.2.0.20210109+dfsg1-3
Severity: minor

Dear Maintainer,

Here is a suggested patch for this.

Thanks,
Patrice


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages polyphone depends on:
ii  libc6 2.37-11
ii  libflac12 1.4.3+ds-2
ii  libgcc-s1 13.2.0-4
ii  libjack-jackd2-0 [libjack-0.125]  1.9.21~dfsg-3
ii  libportaudio2 19.6.0-1.2
ii  libqcustomplot2.1 2.1.0+dfsg1-3.1
ii  libqt5core5a  5.15.10+dfsg-3
ii  libqt5gui55.15.10+dfsg-3
ii  libqt5network55.15.10+dfsg-3
ii  libqt5svg55.15.10-2
ii  libqt5widgets55.15.10+dfsg-3
ii  librtmidi65.0.0-3
ii  libsfark0 2.24-5
ii  libssl3   3.0.11-1
ii  libstdc++613.2.0-4
ii  libstk-4.6.2  4.6.2+dfsg-2
ii  zlib1g1:1.2.13.dfsg-3

polyphone recommends no packages.

polyphone suggests no packages.

-- no debconf information
diff --git a/debian/watch b/debian/watch
index ac23b1b..3543b8b 100644
--- a/debian/watch
+++ b/debian/watch
@@ -3,6 +3,6 @@ version=4
   repacksuffix=+dfsg1,\
   compression=xz,\
   dversionmangle=s/\+dfsg[0-9]+$// \
- https://github.com/mirabilos/polyphone/tags \
- .*/polyphone/archive/([0-9]+(?:\.[0-9]+)*)\.tar\.gz \
+ https://github.com/mirabilos/@PACKAGE@/tags \
+ (?:.*?/)?v?@ANY_VERSION@@ARCHIVE_EXT@ \
 debian
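
Review bot: the new pattern `(?:.*?/)?v?@ANY_VERSION@@ARCHIVE_EXT@` is far more permissive than the old `archive/([0-9]+(?:\.[0-9]+)*)\.tar\.gz`, and the package's current upstream version 2.2.0.20210109 is a date-suffixed snapshot, so run `uscan --no-download --verbose` against https://github.com/mirabilos/polyphone/tags to confirm that the tag names there actually match this version scheme and that no pre-release tags are picked up; the `repacksuffix` and `compression=xz` options above the hunk are unchanged, so the repacked orig tarball naming is unaffected.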


Bug#1038447: librsvg: FTBFS on big-endian architectures: multiple test regressions since September 2022

2023-09-30 Thread Simon McVittie
On Mon, 28 Aug 2023 at 06:05:57 +, Gayathri Berli wrote:
> Unfortunately, we are encountering an issue with the chroot as followed.
> [an attached screenshot of some text]

For reference, the attached image was a screenshot of a terminal with
approximately this text (might contain mistakes, I am transcribing it
by hand):

root@:~# schroot -n librsvg -c sid —begin
E: --session-name is not permitted for the specified action
I: Run “schroot --help” to list usage example for the specified action

When discussing a technical issue, particularly involving command-line
tools, please try to send text as copy/pasted text, rather than as
images of text. Images are not easily available in all contexts, and
some developers who rely on screen readers and other accessibility
technologies cannot see them at all.

> We
> tried our best to resolve it, but nothing helped us move forward. If anyone
> has faced the same issue or has a solution for it, please let us know. If any other steps
> might be needed to reproduce the same, please confirm.

Sorry, I have too many responsibilities other than librsvg, and I am not
able to provide you with a detailed tutorial on how to use schroot. The
instructions I provided assume basic familiarity with the schroot tool,
and a chroot template named "sid" already set up with Debian unstable.

As an alternative to using Debian-specific tools, you could try building
librsvg according to its normal upstream build procedure: you might
find that easier if you are unfamiliar with Debian tools. There is an
upstream development guide available:
https://gnome.pages.gitlab.gnome.org/librsvg/devel-docs/index.html

Or, if you have a preferred container or virtual machine technology, you
could use that instead of schroot, set up a Debian unstable environment,
and run something like this as root in that environment instead of
using schroot:

apt-get -y update
apt-get -y dist-upgrade
apt-get -y install ccache git quilt git-buildpackage
apt-get -y build-dep librsvg

and then do the build in that environment. If you would prefer to use
schroot, please consult schroot documentation or ask a colleague who
already knows how to use it.

In the text in your screenshot, you seem to be using "—begin" (starting
with U+2014 EM DASH) instead of the correct "--begin" (starting with two
copies of U+002D HYPHEN-MINUS) which is probably part of the problem that
you are having.

smcv



Bug#1038447: librsvg: FTBFS on big-endian architectures: multiple test regressions since September 2022

2023-09-30 Thread Simon McVittie
On Sun, 18 Jun 2023 at 15:58:10 +0200, John Paul Adrian Glaubitz wrote:
> TIL about debbisect. I can try to bisect this on big-endian PowerPC,
> I have root on multiple big-endian machines.

Were you able to do this?

Thanks,
smcv



Bug#1050388: canu: autopkgtest generates unreasonably large artifacts

2023-09-30 Thread Michael R. Crusoe
Hello, this has been fixed. Can you unblock canu from running on the CI
infrastructure?

Thanks,


Bug#1015702: view3dscene: ftbfs with LTO (link time optimization) enabled

2023-09-30 Thread Graham Inggs
I don't think disabling LTO is the correct solution here.
At least, view3dscene 4.2.0-2 still FTBFS in Ubuntu with:

/usr/bin/ld.bfd: -f may not be used without -shared

Please consider the patch that was applied in Ubuntu [1], which
filters out -ffat-lto-objects from LDFLAGS.

--- a/debian/rules
+++ b/debian/rules
@@ -22,7 +22,7 @@
 # Set default compilation options
 LDFLAGS=$(strip $(shell DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS) \
  dpkg-buildflags --get LDFLAGS | \
- sed -e 's/-Wl,//g' -e 's/,/ /g' -e 's1-specs=/usr/share/dpkg/.*\.specs11'))
+ sed -e 's/-Wl,//g' -e 's/,/ /g' -e
's1-specs=/usr/share/dpkg/.*\.specs11' -e 's/-ffat-lto-objects//'))
 BUILDOPTS=-k"${LDFLAGS}"\
  -dRELEASE \
  -Mobjfpc \
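Review bot: the new `-e 's/-ffat-lto-objects//'` is the right flag to target, and the reason is visible in the same sed: the earlier `s/-Wl,//g` strips every `-Wl,` prefix, so the whole LDFLAGS string reaches ld.bfd directly through `-k`; ld.bfd ignores `-flto…` for gcc-driver compatibility but parses `-ffat-lto-objects` as `-f fat-lto-objects` (its `--auxiliary` option), which is exactly the `-f may not be used without -shared` error quoted above. Two small points: anchor the pattern so it cannot eat a longer option in future (`-e 's/-ffat-lto-objects\b//'`), and note that the `sed` line in this copy of the hunk has been wrapped by the mailer onto two lines, so apply it from the Ubuntu upload in [1] rather than from this mail.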


[1] https://launchpad.net/ubuntu/+source/view3dscene/4.0.0-3ubuntu1



Bug#1053275: devscripts: mk-build-deps failed to build i386 packages on amd64 host

2023-09-30 Thread Alexey Kuznetsov

Package: devscripts
Version: 2.23.4
Severity: normal

Dear Maintainer,

the script copies Build-Depends into Depends. But those are not the same 
fields. Build-Depends is parsed differently by apt than Depends. For most 
cases it is the same. But when you specify a Build-Depends such as 
python3-mako, apt will install python3-mako:all. But when this build 
dependency is moved into Depends without an arch specification, apt will try 
to install python3-mako:i386, and since there is no python3-mako:i386 the 
install will fail.


The following should work on amd64:

apt build-dep mangohud
apt build-dep mangohud:i386
mk-build-deps mangohud
mk-build-deps -a i386 mangohud

This patch / hack fixes the behaviour:

diff --git a/scripts/mk-build-deps.pl b/scripts/mk-build-deps.pl
index 8b35e7e..f09ae9b 100755
--- a/scripts/mk-build-deps.pl
+++ b/scripts/mk-build-deps.pl
@@ -425,7 +425,7 @@ if ($opt_install) {
my (@pkg_names, @deb_files, @buildinfo_files, @changes_files, %uniq);
for my $package (@packages) {
if ($uniq{ $package->{deb_file} }++ == 0) {
- push @pkg_names, $package->{package};
+ push @pkg_names, $package->{package}.":".$package->{arch};
push @deb_files, $package->{deb_file};
push @buildinfo_files, $package->{buildinfo_file};
push @changes_files, $package->{changes_file};
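Review bot: `$package->{arch}` only exists once the last hunk of this patch adds `arch => $debarch` to the returned hash, and `$debarch` falls back to `$buildarch` for an "all" package, so this line now asks apt for `pkg:<arch>` in every run, not only with `-a i386`. That is valid for the `Multi-Arch: same` stanza introduced below, but it changes the install command line for the default native case too; consider appending the qualifier only when `$opt_hostarch` is set so existing behaviour is preserved.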
@@ -514,16 +514,6 @@ sub build_equiv {
$hostarch = $opt_hostarch;
}

- if ($packagearch eq "all") {
- if ($buildarch ne $hostarch) {
- die
-"build architecture \"$buildarch\" is unequal host architecture 
\"$hostarch\" in which case the package architecture must not be \"all\" 
(but \"$hostarch\" instead)\n";

- }
- } elsif ($packagearch ne $hostarch) {
- die
-"The package architecture must be equal to the host architecture except 
if the package architecture is \"all\"\n";

- }
-
my $build_profiles = [split /\s+/, ($ENV{'DEB_BUILD_PROFILES'} // "")];
if (defined $opt_buildprofiles) {
$build_profiles = [split /,/, $opt_buildprofiles];
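Review bot: removing both `die` branches drops the only validation of the `--host-arch` value against the package architecture. With the control stanza later switched to `Architecture: any` the "all" branch can no longer trigger, but the second check (package architecture must equal the host architecture) still catches a mismatched `-a` argument early; without it the mismatch surfaces later as a less clear equivs-build or apt failure. Keep that check or replace it with an equivalent message. Also, the quoted `die` strings in this copy of the hunk have been wrapped across lines by the mailer, so the hunk will not apply as pasted.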
@@ -560,6 +550,10 @@ sub build_equiv {
$dep->{archqual} = $buildarch;
}
}
+ my $str = `apt-cache showsrc "$dep" | grep-dctrl --show-field 
Package-List - | awk '\$1 == "$dep" && /arch=all/{print \$1}'`;

+ if ($str ne "") {
+ $dep->{archqual} = "all";
+ }
return 1;
};
deps_iterate($positive, $handle_native_archqual);
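Review bot: `"$dep"` inside the backticks interpolates the Dpkg::Deps::Simple object, not a bare package name, so whatever it stringifies to (its rendered form including the version relation and arch qualifier, or a `Dpkg::Deps::Simple=HASH(0x…)` reference) will match neither the `Package-List` lines from `apt-cache showsrc` nor the `awk '$1 == "$dep"'` comparison, and `$str` will always be empty. Use `$dep->{package}`, and run the pipeline via the list form of `open` or `IPC::Run` (`libipc-run-perl` is already a devscripts dependency, see the package list below) instead of building a shell string: a rendered dependency such as `python3-mako (>= 1.0)` contains shell metacharacters. Two more points: `grep-dctrl` comes from `dctrl-tools`, which devscripts only Recommends, so this introduces an undeclared hard dependency; and spawning `apt-cache showsrc` once per build-dependency is slow for packages with long Build-Depends lists, so cache the lookup per package name.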
@@ -574,6 +568,14 @@ sub build_equiv {
$buildess .= ", crossbuild-essential-$hostarch:$buildarch";
}

+ use File::Temp ();
+ my $temp = File::Temp->new();
+ print $temp
+"
+$pkgname ($opts->{version}) unstable; urgency=low
+
+ * First version
+";
my $readme = '/usr/share/devscripts/templates/README.mk-build-deps';
open EQUIVS, "| equivs-build $args-"
or die "$progname: Failed to execute equivs-build: $!\n";
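Review bot: the generated changelog entry ends after ` * First version` with no trailer line (` -- Name <email>  Date`), which the Debian changelog format requires to close an entry, so dpkg-parsechangelog, and through it equivs-build, will complain about or reject this `Changelog:` file; emit the trailer with the same name and e-mail the script already uses for `Maintainer:`. Minor: `use File::Temp ();` is a compile-time statement and belongs with the other imports at the top of the file, and since `$temp` is unlinked when it goes out of scope it must outlive the `equivs-build` pipe opened just below (it does, as it lives to the end of `build_equiv`, but that is worth a comment).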
@@ -581,7 +583,9 @@ sub build_equiv {
. "Priority: optional\n"
. "Standards-Version: 3.7.3\n\n"
. "Package: $pkgname\n"
- . "Architecture: $packagearch\n"
+ . "Architecture: any\n"
+ . "Multi-Arch: same\n"
+ . "Changelog: $temp\n"
. "Depends: $buildess, $positive\n";

print EQUIVS "Conflicts: $negative\n" if $negative;
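Review bot: `Architecture: any` and `Multi-Arch: same` are now emitted unconditionally, so every mk-build-deps invocation, not just `-a i386`, produces an arch-specific metapackage whose `.deb` filename, install command line and qualified `Depends:` all differ from what users get today; make this conditional on `$opt_hostarch`. `Multi-Arch: same` also requires co-installed instances to ship byte-identical files, which holds while the package only carries the README, so add a comment that nothing architecture-specific may ever be put into the metapackage.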
@@ -603,10 +607,17 @@ sub build_equiv {
my $v = Dpkg::Version->new($version);
# The version in the .deb filename will not contain the epoch
$version = $v->as_string(omit_epoch => 1);
- my $deb_file = "${pkgname}_${version}_${packagearch}.deb";
+ my $debarch;
+ if ($packagearch eq "all") {
+ $debarch = "$buildarch";
+ } else {
+ $debarch = "$packagearch";
+ }
+ my $deb_file = "${pkgname}_${version}_${debarch}.deb";
my $buildinfo_file = "${pkgname}_${version}_${hostarch}.buildinfo";
my $changes_file = "${pkgname}_${version}_${hostarch}.changes";
return {
+ arch => $debarch,
package => $pkgname,
deb_file => $deb_file,
buildinfo_file => $buildinfo_file,



-- Package-specific info:

--- /etc/devscripts.conf ---
Empty.

--- ~/.devscripts ---
DEBEMAIL=a...@me.com
DEBFULLNAME="Alexey Kuznetsov"

-- System Information:
Debian Release: 12.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-10-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en

Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages devscripts depends on:
ii dpkg-dev 1.21.22
ii fakeroot 1.31-1.2
ii file 1:5.44-3
ii gnupg 2.2.40-1.1
ii gpgv 2.2.40-1.1
ii libc6 2.36-9+deb12u1
ii libfile-dirlist-perl 0.05-3
ii libfile-homedir-perl 1.006-2
ii libfile-touch-perl 0.12-2
ii libfile-which-perl 1.27-2
ii libipc-run-perl 20220807.0-1
ii libmoo-perl 2.005005-1
ii libwww-perl 6.68-1
ii patchutils 0.4.2-1
ii perl 5.36.0-7
ii python3 3.11.2-1+b1
ii sensible-utils 0.0.17+nmu1
ii wdiff 1.2.2-5

Versions of packages devscripts recommends:
ii apt 2.6.1
ii curl 7.88.1-10
ii dctrl-tools 2.24-3+b1
ii debian-keyring 2022.12.24
ii dput 1.1.3
ii equivs 2.3.1
ii libdistro-info-perl 1.5
ii libdpkg-perl 1.21.22
ii libencode-locale-perl 1.05-3
ii libgit-wrapper-perl 0.048-2
ii libgitlab-api-v4-perl 0.26-3
ii liblist-compare-perl 0.55-2
ii 

Bug#1053274: ont-fast5-api: test_001_read_events fails with h5py 3.9.0: 'AstypeWrapper' object does not support the context manager protocol

2023-09-30 Thread Drew Parsons
Source: ont-fast5-api
Version: 4.1.1+dfsg-2
Severity: serious
Justification: debci

h5py 3.9.0 is triggering an error in the ont-fast5-api debci tests,
https://ci.debian.net/data/autopkgtest/testing/amd64/o/ont-fast5-api/38279479/log.gz


 33s ERROR: test_001_read_events 
(test.test_event_detection_tools.TestEventDetectionTools.test_001_read_events)
 33s --
 33s Traceback (most recent call last):
 33s   File 
"/tmp/autopkgtest-lxc.jqw02kin/downtmp/autopkgtest_tmp/test/test_event_detection_tools.py",
 line 26, in test_001_read_events
 33s data, attrs = fh.get_event_data(time_in_seconds=True)
 33s   ^^^
 33s   File 
"/usr/lib/python3/dist-packages/ont_fast5_api/analysis_tools/event_detection.py",
 line 84, in get_event_data
 33s with dataset.astype(np.dtype(descr)):
 33s TypeError: 'AstypeWrapper' object does not support the context manager 
protocol
 33s 
 33s --
 33s Ran 76 tests in 1.416s
 33s 
 33s FAILED (errors=1, skipped=5)



Bug#1053272: bookworm-pu: package rmlint/2.9.0-2.5~deb12u1

2023-09-30 Thread Adrian Bunk
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Julian Gilbey , Carlos Maddela 


This adds the #1040940 fix to the #1040939 upload for an unrelated
issue that is already included for the next point release.

#1040940 happens with python3.11/sid but not with python3.11/bookworm,
but it is unclear which python3.11 change caused it or whether this
might at some point get backported as part of a security fix to
python3.11/bookworm. The fix is an obvious off-by-one fix.

Regarding the versioning:

My debdiff is against the already approved #1040939,
but I am changing the versioning from 2.9.0-2.3+deb12u*
to 2.9.0-2.5~deb12u1 for two reasons:
1. it documents that this is a backport of a version, and
2. people won't see the same changes twice in apt-listchanges

These are not very strong reasons, I wouldn't have made such a change
had 2.9.0-2.3+deb12u1 already been released.
diffstat for rmlint-2.9.0 rmlint-2.9.0

 changelog   |   19 
++-
 patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch |   26 
++
 patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch  |9 
---
 patches/series  |1 
 4 files changed, 46 insertions(+), 9 deletions(-)

diff -Nru rmlint-2.9.0/debian/changelog rmlint-2.9.0/debian/changelog
--- rmlint-2.9.0/debian/changelog   2023-07-12 18:18:40.0 +0300
+++ rmlint-2.9.0/debian/changelog   2023-09-30 15:52:45.0 +0300
@@ -1,10 +1,25 @@
-rmlint (2.9.0-2.3+deb12u1) bookworm; urgency=medium
+rmlint (2.9.0-2.5~deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bookworm.
+
+ -- Adrian Bunk   Sat, 30 Sep 2023 15:52:45 +0300
+
+rmlint (2.9.0-2.5) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add upstream fix for GUI startup failure with recent python3.11.
+(Closes: #1040940)
+
+ -- Adrian Bunk   Sat, 05 Aug 2023 17:16:05 +0300
+
+rmlint (2.9.0-2.4) unstable; urgency=medium
 
   * Non-maintainer upload.
   * Fix error in other packages caused by invalid python package version
 number (cherry-picking upstream patch; closes: #1040179)
 
- -- Julian Gilbey   Wed, 12 Jul 2023 16:18:40 +0100
+ -- Julian Gilbey   Wed, 05 Jul 2023 09:31:46 +0100
 
 rmlint (2.9.0-2.3) unstable; urgency=medium
 
diff -Nru 
rmlint-2.9.0/debian/patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch
 
rmlint-2.9.0/debian/patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch
--- 
rmlint-2.9.0/debian/patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch
 1970-01-01 02:00:00.0 +0200
+++ 
rmlint-2.9.0/debian/patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch
 2023-08-05 17:13:47.0 +0300
@@ -0,0 +1,26 @@
+From e811a34bdf81f0f5366b07077432f8ab9c776ddd Mon Sep 17 00:00:00 2001
+From: Cebtenzzre 
+Date: Wed, 2 Aug 2023 21:29:15 -0400
+Subject: cmdline: do not write NUL byte to GUI bootstrap script
+
+Fixes #628
+---
+ lib/cmdline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/cmdline.c b/lib/cmdline.c
+index d5b1338c..07ba104a 100644
+--- a/lib/cmdline.c
 b/lib/cmdline.c
+@@ -176,7 +176,7 @@ static void rm_cmd_start_gui(int argc, const char **argv) {
+ return;
+ }
+ 
+-if(write(bootstrap_fd, RM_PY_BOOTSTRAP, sizeof(RM_PY_BOOTSTRAP)) < 0) {
++if(write(bootstrap_fd, RM_PY_BOOTSTRAP, strlen(RM_PY_BOOTSTRAP)) < 0) {
+ rm_log_warning_line("Could not bootstrap gui: Unable to write to 
tempfile: %s",
+ g_strerror(errno));
+ return;
+-- 
+2.30.2
+
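Review bot: the `sizeof` to `strlen` change is correct, since `sizeof(RM_PY_BOOTSTRAP)` counts the string literal's terminating NUL and so wrote one byte too many into the Python bootstrap script; the remaining weakness on the same line is that `write()` is only checked for `< 0`, so a short write would leave a truncated script yet be reported as success, which `if(write(bootstrap_fd, RM_PY_BOOTSTRAP, strlen(RM_PY_BOOTSTRAP)) != (ssize_t) strlen(RM_PY_BOOTSTRAP))` would catch. Also, in this copy of the patch the `++++ b/lib/cmdline.c` header line has been mangled to ` b/lib/cmdline.c`, so apply it from the debdiff attachment rather than from the mail text.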
diff -Nru 
rmlint-2.9.0/debian/patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch
 
rmlint-2.9.0/debian/patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch
--- 
rmlint-2.9.0/debian/patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch
  2023-07-12 18:18:40.0 +0300
+++ 
rmlint-2.9.0/debian/patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch
  2023-07-05 11:31:46.0 +0300
@@ -10,11 +10,9 @@
  lib/config.h.in | 62 ++---
  1 file changed, 33 insertions(+), 29 deletions(-)
 
-diff --git a/lib/config.h.in b/lib/config.h.in
-index 44d7e5d9..d9fdeabd 100644
 --- a/lib/config.h.in
 +++ b/lib/config.h.in
-@@ -121,9 +121,13 @@
+@@ -123,9 +123,13 @@
  #  define N_(String) gettext_noop (String)
  #endif
  
@@ -30,7 +28,7 @@
  
  typedef guint64 RmOff;
  
-@@ -150,33 +154,33 @@ typedef guint64 RmOff;
+@@ -152,33 +156,33 @@
  
  ///
  
@@ -91,6 +89,3 @@
  
  /* Domain for reporting errors. Needed by GOptions */
  #define RM_ERROR_QUARK (g_quark_from_static_string("rmlint"))
--- 
-2.20.1
-
diff -Nru rmlint-2.9.0/debian/patches/series rmlint-2.9.0/debian/patches/series
--- 

Bug#1053271: bullseye-pu: package cpio/2.13+dfsg-7.1~deb11u1

2023-09-30 Thread Adrian Bunk
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@security.debian.org, Anibal Monsalve Salazar 


This updates the cpio package in bullseye to the package
in bookworm/trixie/sid (same upstream version).

The first 3 post-bullseye uploads are CVE-2021-38185 plus
regression fixes for this change.

The 2.13+dfsg-7.1 changes are one documentation change and two
changes that look desirable (even though they alone might not have
warranted a stable update):
  * Suggest libarchive-dev (Closes: #662718).
  * d/copyright: Convert to machine-readable format.
  * Fix CRC with new ASCII format when file > 2GB (Closes: #962188).

There are no bugs in the BTS that any regressions have been caused
by any of these changes during the 1 year since they were uploaded
to bookworm/sid.
diffstat for cpio-2.13+dfsg cpio-2.13+dfsg

 changelog|   39 
 control  |2 
 copyright|   51 -
 patches/992045-CVE-2021-38185-rewrite-dynamic-string-support |  454 +++
 patches/992098-regression-of-orig-fix-for-CVE-2021-38185 |   36 
 patches/992192-Fix-dynamic-string-reallocations.patch|   80 +
 patches/Wrong-CRC-with-ASCII-CRC-for-large-files.patch   |   34 
 patches/series   |4 
 8 files changed, 685 insertions(+), 15 deletions(-)

diff -Nru cpio-2.13+dfsg/debian/changelog cpio-2.13+dfsg/debian/changelog
--- cpio-2.13+dfsg/debian/changelog 2020-09-17 14:16:18.0 +0300
+++ cpio-2.13+dfsg/debian/changelog 2023-09-30 15:18:55.0 +0300
@@ -1,3 +1,42 @@
+cpio (2.13+dfsg-7.1~deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bullseye.
+
+ -- Adrian Bunk   Sat, 30 Sep 2023 15:18:55 +0300
+
+cpio (2.13+dfsg-7.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Suggest libarchive-dev (Closes: #662718).
+  * d/copyright: Convert to machine-readable format.
+  * Fix CRC with new ASCII format when file > 2GB (Closes: #962188).
+
+ -- Bastian Germann   Wed, 14 Sep 2022 21:45:55 +0200
+
+cpio (2.13+dfsg-7) unstable; urgency=medium
+
+  [ Salvatore Bonaccorso ]
+  * Fix dynamic string reallocations (Closes: #992192)
+
+ -- Anibal Monsalve Salazar   Sun, 22 Aug 2021 15:21:53 
+1000
+
+cpio (2.13+dfsg-6) unstable; urgency=high
+
+  * Fix regression of original fix for CVE-2021-38185
+Add patch 992098-regression-of-orig-fix-for-CVE-2021-38185 
+Closes: #992098
+
+ -- Anibal Monsalve Salazar   Fri, 13 Aug 2021 13:06:27 
+1000
+
+cpio (2.13+dfsg-5) unstable; urgency=medium
+
+  * Fix CVE-2021-38185
+Add patch 992045-CVE-2021-38185-rewrite-dynamic-string-support
+Closes: #992045
+
+ -- Anibal Monsalve Salazar   Wed, 11 Aug 2021 01:18:33 
+1000
+
 cpio (2.13+dfsg-4) unstable; urgency=medium
 
   * Source only upload to enable migration.
diff -Nru cpio-2.13+dfsg/debian/control cpio-2.13+dfsg/debian/control
--- cpio-2.13+dfsg/debian/control   2020-02-01 15:11:00.0 +0200
+++ cpio-2.13+dfsg/debian/control   2022-09-14 22:45:55.0 +0300
@@ -17,7 +17,7 @@
 Replaces: cpio-mt
 Conflicts: mt-st (<< 0.6), cpio-mt
 Multi-Arch: foreign
-Suggests: libarchive1
+Suggests: libarchive-dev
 Description: GNU cpio -- a program to manage archives of files
  GNU cpio is a tool for creating and extracting archives, or copying
  files from one place to another.  It handles a number of cpio formats
diff -Nru cpio-2.13+dfsg/debian/copyright cpio-2.13+dfsg/debian/copyright
--- cpio-2.13+dfsg/debian/copyright 2020-02-01 15:11:00.0 +0200
+++ cpio-2.13+dfsg/debian/copyright 2022-09-14 22:45:55.0 +0300
@@ -1,16 +1,39 @@
-This is the Debian GNU/Linux prepackaged version of GNU cpio
-(including mt).
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This is the Debian GNU/Linux prepackaged version of GNU cpio
+ (including mt).
+ .
+ This package was put together by Clint Adams .
+Source: ftp://ftp.gnu.org/gnu/cpio
 
-This package was put together by Clint Adams ,
-from sources obtained from ftp://ftp.gnu.org:/gnu/cpio
+Files: *
+Copyright: (C) 1984-2019 Free Software Foundation, Inc.
+License: GPL-3+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3, or (at your option)
+ any later version.
+Comment:
+ The text of the GPL version 3 can be found on Debian systems in
+ /usr/share/common-licenses/GPL-3.
 
-GNU cpio is Copyright (C) 1990, 1991, 1992, 2001, 2003, 2004, 2005,
-2006, 2007 Free Software Foundation, Inc.
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; 

Bug#1053270: bullseye-pu: package curl/7.74.0-1.3+deb11u9

2023-09-30 Thread Carlos Henrique Lima Melara
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c...@packages.debian.org, charlesmel...@riseup.net
Control: affects -1 + src:curl

[ Reason ]
Vulnerabilities were discovered and reported to Curl upstream [1][2] with the
following CVE IDs:

- CVE-2023-28321
- CVE-2023-28322

The description of the CVE-2023-28321 is:

> An improper certificate validation vulnerability exists in curl
>  listed as "Subject Alternative Name" in TLS server certificates. curl
> can be built to use its own name matching function for TLS rather than
> one provided by a TLS library. This private wildcard matching function
> would match IDN (International Domain Name) hosts incorrectly and
> could as a result accept patterns that otherwise should mismatch. IDN
> hostnames are converted to puny code before used for certificate
> checks. Puny coded names always start with `xn--` and should not be
> allowed to pattern match, but the wildcard check in curl could still
> check for `x*`, which would match even though the IDN name most likely
> contained nothing even resembling an `x`.

And the description of the CVE-2023-28322 is:

> An information disclosure vulnerability exists in curl  doing HTTP(S) transfers, libcurl might erroneously use the read
> callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when
> the `CURLOPT_POSTFIELDS` option has been set, if the same handle
> previously was used to issue a `PUT` request which used that callback.
> This flaw may surprise the application and cause it to misbehave and
> either send off the wrong data or use memory after free or similar in
> the second transfer. The problem exists in the logic for a reused
> handle when it is (expected to be) changed from a PUT to a POST.

This proposed update is meant to fix those vulnerabilities.

[ Impact ]
As the vulnerabilities are present in bullseye's curl code, they can be
exploited by malicious actors.

[ Tests ]
Automatic tests were executed (from the curl test suite) during build
time. Everything passed after the changes were introduced.

I also conducted a test to see if the CVE-2023-28321 was fixed. In order
to do so, I've followed the report's reproduction steps [3] and tested in a
bullseye container. The default bullseye curl version is vulnerable, but
this new one is not. Unfortunately the PoC of CVE-2023-28322 was crafted
using a newer version of libcurl, so I wasn't able to validate the fix
of the backported patch.

Also, note the fix for CVE-2023-28321 comes from CentOS and is already
available there.

[ Risks ]
The changes weren't big because the delta between bullseye's version and
current upstream are not that large (true for CVE-2023-28322). Though
they exist so I did a backport of the patch (obviously there is a
chance of introducing bugs here, but we are using the tests to spot it).

Also, the fix for CVE-2023-28321 is new code based on the fix applied in curl
8.1.0 done by a Red Hat engineer. So, new bugs could have been
introduced.

I reviewed this fix and samueloph reviewed everything (both fixes and
packaging).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Here is a list of the commits applied to this pu release:

commit a1190a634dcca9a85f8217c71b1073825885a16e
Author: Carlos Henrique Lima Melara 
Date:   Sun Sep 10 15:29:53 2023 +0530

Finalize changelog for 7.74.0-1.3+deb11u9 bullseye upload

commit 39155aa17df39693c2f21ef5dbb0ddf11568256f
Author: Carlos Henrique Lima Melara 
Date:   Fri Sep 8 19:00:25 2023 +0530

d/p/CVE-2023-28322.patch: backport patch

commit 156409a45db1c739edece8fd3b3d4d78d09c82ae
Author: Carlos Henrique Lima Melara 
Date:   Sun Aug 13 11:01:11 2023 -0300

Import 2 new patches fixing CVES

One comes from upstream and another from CentOS.

CVE-2023-28321
CVE-2023-28322

[ Other info ]
Links:

[1] https://security-tracker.debian.org/tracker/CVE-2023-28321
[2] https://security-tracker.debian.org/tracker/CVE-2023-28322
[3] https://hackerone.com/reports/1950627

Cheers,
Charles
diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog2023-04-03 03:34:17.0 +0800
+++ curl-7.74.0/debian/changelog2023-09-10 17:49:20.0 +0800
@@ -1,3 +1,14 @@
+curl (7.74.0-1.3+deb11u9) bullseye; urgency=medium
+
+  * Team upload.
+  * Import 2 new patches to fix CVES:
+- CVE-2023-28321: IDN wildcard match may lead to Improper Cerificate
+  Validation.
+- CVE-2023-28322: more POST-after-PUT confusion.
+  * debian/patches/CVE-2023-28322.patch: backport patch.
+
+ -- Carlos Henrique Lima Melara   Sun, 10 Sep 2023 
15:19:20 +0530
+
 curl (7.74.0-1.3+deb11u8) bullseye; urgency=medium
 
   * Backport upstream patches to fix 5 CVEs:
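Review bot: "Cerificate" in the CVE-2023-28321 bullet should read "Certificate", and the separate `debian/patches/CVE-2023-28322.patch: backport patch` bullet duplicates the import bullet just above it; the entry reads better if it says once that the CVE-2023-28322 fix was backported to 7.74.0 and that the CVE-2023-28321 fix is taken from CentOS, as the cover letter already does.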
diff -Nru 

Bug#1053269: RFS: wifi-qr/0.3-1 -- WiFi password share via QR codes

2023-09-30 Thread Ko Ko Ye`
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "wifi-qr":

 * Package name : wifi-qr
   Version  : 0.3-1
   Upstream contact : kokoye2007 
 * URL  : https://github.com/kokoye2007/wifi-qr
 * License  : GPL-3.0+
 * Vcs  : https://github.com/kokoye2007/wifi-qr
   Section  : utils

The source builds the following binary packages:

  wifi-qr - WiFi password share via QR codes

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/wifi-qr/

Alternatively, you can download the package with 'dget' using this command:

  dget -x
https://mentors.debian.net/debian/pool/main/w/wifi-qr/wifi-qr_0.3-1.dsc

Changes since the last upload:

 wifi-qr (0.3-1) unstable; urgency=medium
 .
   * New upstream release (0.3).
   * #18 Xiaomi QR code is parsed incorrectly.
   * #17 QR issue when the name and SSID differ.
   * #16 QR issue when the password has special characters.
   * #15 QR issue when the SSID has special characters.
   * #12 Password with special characters needs to be unquoted.

More function with feedback and merge requests.


 Usage: ./wifi-qr [-g] [-c] [-t] [-s] [-z] [-f file] [-p] [-q] [-v] [-h]

 -g Launch GUI Main Menu
 -c Launch WiFi QR Create GUI
 -t Launch WiFi QR Create Terminal
 -z Launch WiFi QR Create Terminal Fuzzy Finder
 -s Launch QR Scan and Auto Connect WiFi
 -f file Terminal [file] QR Scan and Auto Connect WiFi from file
 -p Launch GUI [file] QR Scan and Auto Connect WiFi from file
 -q Launch QR Scan and Connect WiFi GUI
 -v Show WiFi-QR Version 0.3
 -h Show this help message

Regards,


Bug#1028722: prody: FTBFS: AssertionError: 3205 != 3211 : selection 'abs(x) == sqrt(sq(x))' for Selection 'all' failed, expected 3211, selected 3205

2023-09-30 Thread Drew Parsons
Source: prody
Followup-For: Bug #1028722

There seems to be ambiguity about the reproducibility of this bug.
That's possibly consistent with problems with rounding, though the bug
here seems to be more than an issue with floating point precision.

Upstream has made a new release.  I suggest packaging and uploading
the new version. That will give more fresh information on the state of
the build, whether the FTBFS is reliably reproducible.



Bug#1053188: darktable removed at each apt full-upgrade

2023-09-30 Thread David Bremner
David Bremner  writes:

> Control: tag -1 unreproducible
>

Thierry told me off list that the problem went away after an upgrade, so
I'll close the bug for now. Feel free to reopen (ideally with the apt
debugging info above) if the problem resurfaces.

d



Bug#1007700: but the configured service works

2023-09-30 Thread Diego Roversi
I had the same problem, but if you use the service configured by the debian 
packages it works fine (like: systemctl omnidb start). For more information you 
can see:

/usr/share/doc/omnidb-server/README.Debian

Regards

-- 
Diego Roversi 



Bug#1053268: RM: pgaudit-1.7 -- ROM; superseded by pgaudit-16

2023-09-30 Thread Christoph Berg
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: pgaudit-...@packages.debian.org
Control: affects -1 + src:pgaudit-1.7

Please remove pgaudit-1.7 from unstable, it supports PG15 only.
(pgaudit-16 in unstable supports PG16.)

Thanks,
Christoph



Bug#1053267: hickle: test_H5NodeFilterProxy fails with h5py 3.9.0: Unable to delete attribute (no write intent on file)

2023-09-30 Thread Drew Parsons
Source: hickle
Version: 5.0.2-5
Severity: serious
Justification: debci

h5py 3.9.0 is triggering an error in hickle tests, found by debci,
https://ci.debian.net/data/autopkgtest/testing/amd64/h/hickle/38279474/log.gz

 62s  test_H5NodeFilterProxy 

 62s 
 62s h5_data = 
 62s 
 62s def test_H5NodeFilterProxy(h5_data):
 62s """
 62s tests H5NodeFilterProxy class. This class allows to temporarily 
rewrite
 62s attributes of h5py.Group and h5py.Dataset nodes before being 
loaded by
 62s hickle._load method.
 62s """
 62s 
 62s # load data and try to directly modify 'type' and 'base_type' 
Attributes
 62s # which will fail cause hdf5 file is opened for read only
 62s h5_node = h5_data['somedata']
 62s with pytest.raises(OSError):
 62s try:
 62s >   h5_node.attrs['type'] = pickle.dumps(list)
 62s 
 62s 
/tmp/autopkgtest-lxc.kwo7jiul/downtmp/build.aWU/src/hickle/tests/test_01_hickle_helpers.py:126:
 
 62s _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ 
 62s h5py/_debian_h5py_serial/_objects.pyx:54: in 
h5py._debian_h5py_serial._objects.with_phil.wrapper
 62s ???
 62s h5py/_debian_h5py_serial/_objects.pyx:55: in 
h5py._debian_h5py_serial._objects.with_phil.wrapper
 62s ???
 62s /usr/lib/python3/dist-packages/h5py/_debian_h5py_serial/_hl/attrs.py:104: 
in __setitem__
 62s self.create(name, data=value)
 62s /usr/lib/python3/dist-packages/h5py/_debian_h5py_serial/_hl/attrs.py:200: 
in create
 62s h5a.delete(self._id, name)
 62s h5py/_debian_h5py_serial/_objects.pyx:54: in 
h5py._debian_h5py_serial._objects.with_phil.wrapper
 62s ???
 62s h5py/_debian_h5py_serial/_objects.pyx:55: in 
h5py._debian_h5py_serial._objects.with_phil.wrapper
 62s ???
 62s _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ 
 62s 
 62s >   ???
 62s E   KeyError: 'Unable to delete attribute (no write intent on file)'
 62s 
 62s h5py/_debian_h5py_serial/h5a.pyx:145: KeyError



Bug#1053266: python3-h5sparse incomplete Depends: python3-h5py-serial

2023-09-30 Thread Drew Parsons
Package: python3-h5sparse
Version: 0.1.0-6
Severity: serious
Justification: debci

Currently python3-h5sparse Depends: python3-h5py-serial, but h5sparse
tests access h5py, not h5py._debian_h5py_serial.

The python3-h5py-serial package only provides
h5py._debian_h5py_serial. If you need to use the generic h5py
namespace rather than the specific serial namespace, then you need

Depends: python3-h5py

python3-h5py depends on python3-h5py-serial by default but that might
alternatively be satisfied by python3-h5py-mpi.  If h5sparse strictly
needs python3-h5py-serial and not python3-h5py-mpi, then the
dependency should declare both

Depends: python3-h5py, python3-h5py-serial


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-h5sparse depends on:
ii  python3  3.11.4-5+b1
ii  python3-h5py-serial  3.9.0-2
ii  python3-numpy1:1.24.2-1
ii  python3-scipy1.10.1-2
ii  python3-six  1.16.0-4

python3-h5sparse recommends no packages.

python3-h5sparse suggests no packages.

-- no debconf information



Bug#1053265: dipy: test_icm_square test fails since exact equality used with floating point numbers

2023-09-30 Thread Drew Parsons
Source: dipy
Version: 1.7.0-2
Severity: serious
Justification: debci

h5py 3.9.0 is triggering an error in dipy debci tests,
https://ci.debian.net/data/autopkgtest/testing/amd64/d/dipy/38279462/log.gz

However from the error log, it's not clear that the problem is
directly related to h5py.  An exact [in]equality test is failing
between floating point numbers.

The error log is:

1967s ___ test_icm_square 

1967s 
1967s def test_icm_square():
1967s 
1967s com = ConstantObservationModel()
1967s icm = IteratedConditionalModes()
1967s 
1967s initial_segmentation = square
1967s 
1967s mu, sigma = com.seg_stats(square_1, initial_segmentation,
1967s   nclasses)
1967s sigmasq = sigma ** 2
1967s npt.assert_(mu[0] >= 0.0)
1967s npt.assert_(mu[1] >= 0.0)
1967s npt.assert_(mu[2] >= 0.0)
1967s npt.assert_(mu[3] >= 0.0)
1967s npt.assert_(sigmasq[0] >= 0.0)
1967s npt.assert_(sigmasq[1] >= 0.0)
1967s npt.assert_(sigmasq[2] >= 0.0)
1967s npt.assert_(sigmasq[3] >= 0.0)
1967s 
1967s negll = com.negloglikelihood(square_1, mu, sigmasq, nclasses)
1967s 
1967s final_segmentation_1 = np.empty_like(square_1)
1967s final_segmentation_2 = np.empty_like(square_1)
1967s 
1967s beta = 0.0
1967s 
1967s for i in range(max_iter):
1967s 
1967s print('\n')
1967s print('>> Iteration: ' + str(i))
1967s print('\n')
1967s 
1967s final_segmentation_1, energy_1 = icm.icm_ising(negll, beta,
1967s
initial_segmentation)
1967s initial_segmentation = final_segmentation_1
1967s 
1967s beta = 2
1967s initial_segmentation = square
1967s 
1967s for j in range(max_iter):
1967s 
1967s print('\n')
1967s print('>> Iteration: ' + str(j))
1967s print('\n')
1967s 
1967s final_segmentation_2, energy_2 = icm.icm_ising(negll, beta,
1967s
initial_segmentation)
1967s initial_segmentation = final_segmentation_2
1967s 
1967s difference_map = np.abs(final_segmentation_1 - 
final_segmentation_2)
1967s >   npt.assert_(np.abs(np.sum(difference_map)) != 0)
1967s E   AssertionError
1967s 
1967s dipy/segment/tests/test_mrf.py:370: AssertionError


I'm assuming final_segmentation is floating point, not integer.
Correct me if that's wrong. In general exact equality of floating
point numbers should always be expected to fail. The test should be
something like

   npt.assert_(not np.isclose(np.abs(np.sum(difference_map)), 0))


If final_segmentation is an integer then of course it's a different
problem.
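To make the exact-versus-tolerant comparison concrete, here is an added illustration that is not part of the bug report or of dipy. It uses plain Python lists and math.isclose instead of numpy (an assumption made so it runs without numpy installed), with three constructed "segmentations": two that hold the same labels but differ by rounding noise, and one that really differs in a single voxel. It also shows that for integer labels the exact comparison is fine, which is the other case the report mentions.

```python
import math

# Constructed data, not from the dipy test suite: three flat "segmentations"
# (label values per voxel).  SEG_A and SEG_B hold the same labels, but SEG_A's
# first entry was produced by a different sequence of float operations and so
# carries rounding noise.  SEG_C really differs from SEG_B in one voxel.
SEG_A = [0.1 + 0.2, 1.0, 2.0, 3.0]
SEG_B = [0.3, 1.0, 2.0, 3.0]
SEG_C = [0.3, 1.0, 3.0, 3.0]


def abs_difference_sum(seg_1, seg_2):
    """Plain-list equivalent of np.abs(np.sum(np.abs(seg_1 - seg_2)))."""
    if len(seg_1) != len(seg_2):
        raise ValueError("segmentations must have the same shape")
    return abs(math.fsum(abs(a - b) for a, b in zip(seg_1, seg_2)))


def differ_exact(seg_1, seg_2):
    """The check in the failing test: exact inequality with zero."""
    return abs_difference_sum(seg_1, seg_2) != 0


def differ_tolerant(seg_1, seg_2, atol=1e-8):
    """The suggested shape: 'not close to zero' rather than '!= 0'.

    math.isclose needs an absolute tolerance when comparing against 0,
    because a relative tolerance of zero can never be met; 1e-8 mirrors
    numpy.isclose's default atol."""
    return not math.isclose(abs_difference_sum(seg_1, seg_2), 0.0, abs_tol=atol)


if __name__ == "__main__":
    # Rounding noise alone makes the exact check report a difference.
    print("float noise, exact:   ", differ_exact(SEG_A, SEG_B))        # True
    print("float noise, tolerant:", differ_tolerant(SEG_A, SEG_B))     # False
    print("real change, tolerant:", differ_tolerant(SEG_B, SEG_C))     # True
    print("integer labels, exact:", differ_exact([1, 2, 3], [1, 2, 3]))  # False
```

The point of the first two lines of output is that with float labels the exact check can pass (or fail) for reasons that have nothing to do with the segmentation, while the tolerant check only reports a difference of at least the tolerance; with integer labels the exact check is unambiguous.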



Bug#1053264: wpasupplicant: config parser has problem with SSIDs/PSKs that contain double quotes followed by hash sign

2023-09-30 Thread Johannes Brallentin
Package: wpasupplicant
Version: 2.10

Dear Maintainer,

wpa_supplicant has problems loading configs that contain a network with an
SSID/PSK that contains double quotes followed by a hash sign.

Steps to reproduce:

1a. Create the config:

  ctrl_interface=/run/wpa_supplicant
  network={
  ssid="my"#SSID"
  psk="securePsk"
  }

1b. Start wpa_supplicant and do "wpa_cli list_networks":

> ~/wpa_supplicant-2.10/wpa_supplicant# wpa_cli list_networks
 Selected interface 'wlan0'
 network id / ssid / bssid / flags
 0 my any <--- wrong SSID

2a. Create the config:

  ctrl_interface=/run/wpa_supplicant
  network={
  ssid="my"awsome#SSID"
  psk="securePsk"
  }

2b. Starting wpa_supplicant gives the following errors in the log:

  1692607987.076948: Successfully initialized wpa_supplicant
  1692607987.077262: Line 3: failed to parse ssid '"my"awsome'. <-- wrong SSID
  1692607987.077302: Line 3: failed to parse ssid '"my"awsome'.
  1692607987.109757: Line 5: failed to parse network block.
  1692607987.109836: Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant.conf'.

3a. Create the config:

  ctrl_interface=/run/wpa_supplicant
  network={
  ssid="mySSID"
  psk="secure"awsome#Psk"
  }

3b. Starting wpa_supplicant gives the following errors in the log:

  1692608589.796979: Successfully initialized wpa_supplicant
  1692608589.797357: Line 4: Invalid passphrase length 6 (expected: 8..63) 'secure"awsome'. <-- wrong PSK
  1692608589.797399: Line 4: failed to parse psk '"secure"awsome'.
  1692608589.797439: Line 5: failed to parse network block.
  1692608589.797496: Failed to read or parse configuration '/etc/wpa_supplicant/wpa_supplicant.conf'.

The problem did not occur with wpa_supplicant v2.8-devel.

The problem does not occur if the hash sign is followed by double quotes.

I am using:

Linux Kali 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 
(2023-06-29) x86_64 GNU/Linux

Linux Raspberry-Pi-2 5.10.103-v7l+ #1529 SMP Tue Mar 8 12:24:00 GMT 2022 armv7l 
GNU/Linux
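The symptoms above are what you get when the two stages of a line parser disagree about quoting: a comment stripper that flips an "inside quotes" flag on every double quote cuts the line at the first '#' after an even number of quotes, while a value parser that takes everything between the opening and the closing quote would have kept it. The following is an added illustration in Python, not wpa_supplicant's code and not part of the bug report; the two strippers and the value parser are an assumed model of that mismatch, applied to the three lines quoted in the report plus two ordinary commented lines. From an operator's point of view the consequence is an interface configured with a truncated SSID (the 'my' shown by wpa_cli) or a network block that is rejected entirely.

```python
# Assumed model of the mismatch (illustration only, not wpa_supplicant code).

def strip_comment_toggle(line):
    """Comment stripper that flips quote state at each '"'.
    A '#' counts as a comment start whenever the flag is off."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == '#' and not quoted:
            return line[:i]
    return line


def strip_comment_last_quote(line):
    """Comment stripper consistent with a first-to-last-quote value parser:
    a '#' starts a comment only if it lies after the last '"' on the line
    (or the line has no quotes at all)."""
    last_quote = line.rfind('"')
    hash_pos = line.find('#', last_quote + 1)
    return line if hash_pos == -1 else line[:hash_pos]


def parse_quoted_value(raw):
    """Value parser: the text must start and end with '"'; everything in
    between, embedded quotes included, is the value.  Returns None if the
    closing quote is not the last character (trailing junk)."""
    raw = raw.strip()
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return None
    return raw[1:-1]


def parse_assignment(line, strip_comment):
    """key="value" line -> (key, value) after comment stripping, or None."""
    stripped = strip_comment(line).strip()
    if "=" not in stripped:
        return None
    key, _, raw = stripped.partition("=")
    value = parse_quoted_value(raw)
    return None if value is None else (key.strip(), value)


# The three lines from the report, reconstructed from the quoted configs,
# plus two constructed lines with real comments.
LINE_1 = 'ssid="my"#SSID"'
LINE_2 = 'ssid="my"awsome#SSID"'
LINE_3 = 'psk="secure"awsome#Psk"'
LINE_COMMENTED = 'ssid="mySSID"   # home network'
LINE_QUOTED_COMMENT = 'ssid="mySSID" # "quoted" comment'

if __name__ == "__main__":
    for line in (LINE_1, LINE_2, LINE_3, LINE_COMMENTED, LINE_QUOTED_COMMENT):
        print(repr(line))
        print("  toggle     :", parse_assignment(line, strip_comment_toggle))
        print("  last-quote :", parse_assignment(line, strip_comment_last_quote))
```

With the toggle stripper the first line yields the truncated SSID 'my' and the other two report lines fail to parse, matching the wpa_cli output and log messages above; with the last-quote stripper all three keep their full value. The last constructed line shows that neither rule is a complete fix on its own: once a comment may itself contain quotes, a grammar that allows unescaped quotes inside values is ambiguous, and the robust answer is an escaping rule shared by both stages rather than a cleverer heuristic in one of them.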

Bug#1052667: mptcpd FTBFS when systemd.pc changes systemdsystemunitdir

2023-09-30 Thread Matthieu Baerts
Hi Helmut,

Sorry for the delay, I was at a conference.

25 Sept 2023 23:33:15 Helmut Grohne :

> We want to change the value of systemdsystemunitdir in systemd.pc to
> point below /usr. mptcpd's upstream build system consumes this variable
> while its packaging hard codes the current value. Consequently, mptcpd
> FTBFS when changing it. Consider applying the attached patch to avoid
> that failure.

Thank you for the bug report and the patch, it looks good to me.

I'm sorry, it is the first time I'm getting such contributions and I'm not sure 
what I'm supposed to do: apply the patch in the Git repo, prepare a new release 
and send it? (I still need someone to sponsor my packages to have new versions 
accepted)
Or do you plan to send a new version with this patch?

Cheers,
Matt
--
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net



Bug#1053263: blaspp: please make the build reproducible

2023-09-30 Thread Chris Lamb
Source: blaspp
Version: 2023.08.25-1
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: hostname
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0], we noticed that
blaspp could not be built reproducibly.

This is because it embeds the build hostname into a defines.h file as
a comment. Patch attached that strips out this entry.

 [0] https://reproducible-builds.org/


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
--- a/debian/patches/reproducible-build.patch   1970-01-01 01:00:00.0 
+0100
--- b/debian/patches/reproducible-build.patch   2023-09-29 09:36:59.134774346 
+0100
@@ -0,0 +1,14 @@
+Description: Make the build reproducible
+Author: Chris Lamb 
+Last-Update: 2023-09-29
+
+--- blaspp-2023.08.25.orig/include/blas/defines.h.in
 blaspp-2023.08.25/include/blas/defines.h.in
+@@ -8,7 +8,6 @@
+ 
+ // auto-generated by: @argv@
+ // @CMAKE_COMMAND@ @CMAKE_VERSION@
+-// host: @HOSTNAME@
+ //
+ // Definitions for:
+ // CXX   = @CXX@
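Review bot: the nested `+++` header of the inner patch (the line right after `+--- blaspp-2023.08.25.orig/include/blas/defines.h.in`) appears here without its leading `+` and without the `+++` marker, so as quoted the inner patch would not apply under quilt; please check that the committed reproducible-build.patch carries `++++ blaspp-2023.08.25/include/blas/defines.h.in` (one `+` for the outer diff, `+++` for the inner header) and that the mangling is only in the mail. Two smaller points on the DEP-3 header: there is no `Forwarded:` field, and since `@HOSTNAME@` lives in upstream's defines.h.in this is worth forwarding upstream and recording the URL (or `Forwarded: not-needed` with a reason). Note also that `@argv@` and `@CMAKE_COMMAND@` remain in the generated header; if either expands to an absolute build path, the build will still differ between environments, so confirm with the diffoscope output after this change.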
--- a/debian/patches/series 2023-09-29 09:33:44.700072219 +0100
--- b/debian/patches/series 2023-09-29 09:36:58.190765429 +0100
@@ -0,0 +1 @@
+reproducible-build.patch
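Review bot: `@@ -0,0 +1 @@` creates debian/patches/series from scratch, so this is the package's first quilt patch; confirm that debian/source/format is `3.0 (quilt)` (or that debian/rules applies patches explicitly), otherwise the new series file is never consulted and the hostname line stays in the build.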


Bug#1041242: libheif1: 1.16.2-1+b1 breaks displaying any pictures

2023-09-30 Thread Jeremy Bícha
Christoph,

I tried cherry-picking the commit you mentioned. It needed to be
rebased slightly. It did not fix my test case: Use geeqie to open the
autumn image from upstream issue 933

I pushed my change to the wip/10421242 branch of
https://salsa.debian.org/multimedia-team/libheif if someone wants to
do a test build.

Thank you,
Jeremy Bícha



Bug#1053262: node-get-func-name: CVE-2023-43646

2023-09-30 Thread Salvatore Bonaccorso
Source: node-get-func-name
Version: 2.0.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-get-func-name.

CVE-2023-43646[0]:
| get-func-name is a module to retrieve a function's name securely and
| consistently both in NodeJS and the browser. Versions prior to 2.0.1
| are subject to a regular expression denial of service (redos)
| vulnerability which may lead to a denial of service when parsing
| malicious input. This vulnerability can be exploited when there is
| an imbalance in parentheses, which results in excessive backtracking
| and subsequently increases the CPU load and processing time
| significantly. This vulnerability can be triggered using the
| following input: '\t'.repeat(54773) + '\t/function/i'. This issue
| has been addressed in commit `f934b228b` which has been included in
| releases from 2.0.1. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43646
https://www.cve.org/CVERecord?id=CVE-2023-43646
[1] https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
[2] https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1053261: gst-plugins-bad1.0: CVE-2023-40474

2023-09-30 Thread Salvatore Bonaccorso
Source: gst-plugins-bad1.0
Version: 1.22.4-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for gst-plugins-bad1.0.

CVE-2023-40474[0]:
| Integer overflow leading to heap overwrite in MXF file handling with
| uncompressed video


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40474
https://www.cve.org/CVERecord?id=CVE-2023-40474
[1] https://gstreamer.freedesktop.org/security/sa-2023-0006.html
[2] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce17e968e4cf900d28ca5b46f6e095febc42b4f0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1053260: gst-plugins-bad1.0: CVE-2023-40475

2023-09-30 Thread Salvatore Bonaccorso
Source: gst-plugins-bad1.0
Version: 1.22.4-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for gst-plugins-bad1.0.

CVE-2023-40475[0]:
| Integer overflow leading to heap overwrite in MXF file handling with
| AES3 audio


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40475
https://www.cve.org/CVERecord?id=CVE-2023-40475
[1] https://gstreamer.freedesktop.org/security/sa-2023-0007.html
[2] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72742dee30cce7bf909639f82de119871566ce39

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1053259: gst-plugins-bad1.0: CVE-2023-40476

2023-09-30 Thread Salvatore Bonaccorso
Source: gst-plugins-bad1.0
Version: 1.22.4-1
Severity: grave
Tags: patch security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for gst-plugins-bad1.0.

CVE-2023-40476[0]:
| Integer overflow in H.265 video parser leading to stack overwrite


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40476
https://www.cve.org/CVERecord?id=CVE-2023-40476
[1] https://gstreamer.freedesktop.org/security/sa-2023-0008.html
[2] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#1053258: cdimage.debian.org: wine installation incomplete offline with only amd64 DVDs/BDs but without dropped i386 DVDs/BDs

2023-09-30 Thread dfrg
Package: cdimage.debian.org
Severity: normal

Dear Maintainer,

I am maintaining some offline computers in my organization. I choose Debian 
because it provides a set of DVDs/BDs of nearly complete Debian software 
repositories, and can be used with USB sticks to maintain these offline 
computers.

I noticed that amd64 DVDs/BDs do not contain a complete wine installation --
amd64 wine needs wine64 and wine32 to work, but wine32 is in the i386 DVDs/BDs. I
work around this by downloading both amd64 and i386 DVDs/BDs. However, I found
that Debian trixie has dropped i386 DVDs, so this workaround will not work with
trixie any more.

I know that I can download wine32 and its prereq packages manually, and copy 
these into offline computers using USB sticks. But it is frustrating as 
DVDs/BDs are no longer complete for offline usage.

So I wonder if Debian can keep wine packages complete in trixie amd64 DVDs/BDs. 
I think one of these methods can solve this:

1. let trixie amd64 DVDs/BDs contain wine32 and its prereqs.

2. build a small i386 DVD/BD which contains only wine32 and its prereqs.

3. completely drop wine in amd64 DVDs/BDs (disappointing).

4. write a wiki page about its workaround.

5. change wine packaging flavor from current multiarch to multilib again.

6. packaging wine using 'new wow64 mode', which does not need any i386 prereqs
(only mingw-w64-i686), introduced in most recent wine.

Regards,

-- dfrg



Bug#1052817: sarsen: FTBFS: dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.11 returned exit code 13

2023-09-30 Thread Antonio Valentino

This seems to be the same issue reported in #1050832.
The problem seems to be a regression in xarray v2023.08.
The update to xarray > 2023.08 should fix the issue.
See also https://github.com/bopen/sarsen/issues/54.

I will reassign to xarray.

[#1050832] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050832
--
Antonio Valentino



Bug#1053257: ITP: python-globus-sdk -- convenient Pythonic interface to Globus APIs

2023-09-30 Thread Étienne Mollier
Package: wnpp
Severity: wishlist
Owner: Étienne Mollier 
X-Debbugs-Cc: debian-de...@lists.debian.org
X-Debbugs-Cc: debian-pyt...@lists.debian.org
X-Debbugs-Cc: debian-...@lists.debian.org

* Package name: python-globus-sdk
  Version : 3.28.0
  Upstream Contact: Globus Team 
* URL : https://github.com/globus/globus-sdk-python
* License : Apache-2.0
  Programming Lang: Python
  Description : convenient Pythonic interface to Globus APIs

 The Globus SDK for Python provides a convenient Pythonic interface to Globus
 APIs.  Using this package, one can import Globus client classes and other
 helpers from the globus_sdk python module.


This package would be needed to finish the packaging of
python-parsl, which in turn would be required to finish the
qiime ecosystem upgrade to version 2023.7.

For the moment, I plan to put this package under the Debian
Python team umbrella, but I'm also open to put it under the
Debian HPC team, so the people behind the Globus ecosystem
packaging also have this component on their radar.  I have not
settled for a location for the repository yet, probably some
place like [1] if sticking to the Python team.

[1]: https://salsa.debian.org/python-team/packages/python-globus-sdk

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier 
 : :' :  gpg: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/3, please excuse my verbosity
   `-    on air: Final Conflict - A River Of Dreams


signature.asc
Description: PGP signature


Bug#1049872: armel and armhf excluded from asmjit architectures

2023-09-30 Thread Andrius Merkys

control: severity -1 normal

Hello,

In 0.0~git20230914.917f19d-1 I have excluded armel and armhf 
architectures from the list of architectures asmjit is built upon. Thus 
I think the severity should be normal now.


Andrius



Bug#1053256: ITP: bypass-paywalls-firefox-clean -- Firefox browser plugin to bypass various paywalls

2023-09-30 Thread Andres Salomon
Package: wnpp
Severity: wishlist
Owner: Andres Salomon 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: bypass-paywalls-firefox-clean
  Version : 3.3.5.0
  Upstream Contact: https://gitlab.com/magnolia1234
* URL : https://gitlab.com/magnolia1234/bypass-paywalls-firefox-clean
* License : MIT
  Programming Lang: Javascript 
  Description : Firefox browser plugin to bypass various paywalls

Add-on allows you to read articles from (supported) sites that implement a
paywall. You can also add a domain as custom site and try to bypass the
paywall.
.
Note: this plugin may leak information about your web browsing based on the
techniques used to bypass paywalls. For example, for some sites it will load
text from Google's webcache, thereby letting Google know that you read a
certain article. The plugin only operates on sites that you opt-into.


I use this package on both firefox and chromium, and would welcome this
to be co-maintained by Debian Mozilla Extension Maintainers if they're
interested. I've already got a working package, but I'm still trying to
figure out whether we really need separate source packages for the firefox
and chromium plugins.



Bug#1053255: mozilla-devscripts: dh_webext shouldn't look in .pc for manifest.json

2023-09-30 Thread Andres Salomon

Package: mozilla-devscripts
Version: 0.54.2+nmu1

While building a package using dh_webext, I noticed the following 
warning/error:


dh_webext: Found != 1 manifest.json, source PATH set to .

I was a bit confused because there's only one manifest.json file, but 
it turns out that the find command sees the following:


find . -name manifest.json -not -path './debian/*'
./manifest.json
./.pc/applications.patch/manifest.json

I have a quilt patch called debian/patches/applications.patch that 
modifies manifest.json. As such, when the package builds it creates 
that manifest.json file in the .pc directory. dh_webext shouldn't be 
picking that up; it should be ignoring everything in .pc.


I suggest the following command instead:
find . -name manifest.json -not -path './debian/*' -not -path './.pc/*'

In the script, that would look like this:
    candidates = subprocess.check_output(
        ["find", ".", "-name", "manifest.json",
         "-not", "-path", "./debian/*",
         "-not", "-path", "./.pc/*"])
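As an added illustration of the same exclusion, not code from mozilla-devscripts or from the report: the function below walks a source tree with os.walk and prunes the packaging and quilt directories before descending, so the backup copy that quilt writes under .pc/<patch>/ is never even visited (the find -not -path form still descends and filters afterwards). The helper builds a constructed temporary tree that mirrors the report: one real manifest.json, one under .pc/applications.patch/, one under debian/. Names and the .pc layout are assumptions for the example.

```python
import os
import tempfile

# Directories that hold copies of source files but are not the source tree
# proper: Debian packaging and quilt's backup area (assumed for this example).
EXCLUDED_DIRS = ("debian", ".pc")


def find_manifests(root, excluded=EXCLUDED_DIRS):
    """Return sorted paths (relative to root) of every manifest.json under
    root, never descending into the excluded top-level directories."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            # Prune in place so os.walk skips these subtrees entirely.
            dirnames[:] = [d for d in dirnames if d not in excluded]
        if "manifest.json" in filenames:
            full = os.path.join(dirpath, "manifest.json")
            found.append(os.path.relpath(full, root))
    return sorted(found)


def build_sample_tree():
    """Constructed source tree mimicking the report: the real manifest,
    quilt's backup copy under .pc/<patch>/, and one under debian/."""
    root = tempfile.mkdtemp(prefix="webext-")
    for rel in ("manifest.json",
                os.path.join(".pc", "applications.patch", "manifest.json"),
                os.path.join("debian", "manifest.json")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write('{"manifest_version": 2}\n')
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("no exclusions:   ", find_manifests(root, excluded=()))
    print("debian/ only:    ", find_manifests(root, excluded=("debian",)))
    print("debian/ and .pc/:", find_manifests(root))
```

Only the third call returns exactly one manifest; the second reproduces the "Found != 1 manifest.json" situation from the report, because the quilt backup copy is still counted.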





Bug#824499: GPX Route vs. Track

2023-09-30 Thread Paul Wise
On Fri, 2023-09-29 at 18:10 +, Stefan Kropp wrote:

> I looked into the code.

I wouldn't bother looking at the FoxtrotGPS codebase, since it is GTK2
and there aren't any volunteers to fix that, it is likely to be removed
from Debian within the trixie release cycle. There is a WIP branch to
port it to GTK3 (which is already obsolete) but no-one with the time,
skills and motivation to work on and finish the port. There are also
much better map apps now, so it would be best to switch to them.

https://bugs.debian.org/967347
https://code.launchpad.net/~pabs/foxtrotgps/gtk3

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


signature.asc
Description: This is a digitally signed message part