Bug#866890: pspp - cve-2017-10791 - cve-2017-10792

2017-07-03 Thread John Darrington 
On Mon, Jul 03, 2017 at 11:37:30PM +0200, Friedrich Beckmann wrote:
 Hi John,
 
 today I looked a little bit at the hash function. I think the problem is 
that compared to
 the referenced code the x parameter is type int instead of unsigned int. 
Googling around the
 overflow behavior of signed and the shift right of signed is not defined 
in the c standard
 although ???many?" implementations assume 2th complement signed 
implementation. Both is well
 defined for unsigned int operations.
 
Ahh.  Perhaps you're right.  But I cannot see that this would cause a crash, so 
I suspect that's
another problem.

 I changed the parameter type from int to unsigned int and I cannot see a 
problem in the regression.

What problems did you encounter before your change (if any)?

 But looking at the code I wondered if this hash function also works on 64 
Bit architectures. The
 reference only talks about uint32_t.

I cannot see that it wouldn't "work".  But it might not create such an 
efficient hash.

Anyway maybe Ben will be able to have a look soon.
 

J'
 
 
-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.



signature.asc
Description: Digital signature

Bug#866890: pspp - cve-2017-10791 - cve-2017-10792

2017-07-03 Thread John Darrington 
I suspect this report is mistaken.  But this bit is Ben's code, so I'll let him 
comment on
that.

J'

On Mon, Jul 03, 2017 at 07:22:57AM +0200, Friedrich Beckmann wrote:
 Dear owl337 team,
 
 thanks for looking at pspp and finding the security problems
 
 https://security-tracker.debian.org/tracker/CVE-2017-10791
 
 and
 
 https://security-tracker.debian.org/tracker/CVE-2017-10792
 
 in pspp! Your reports are quite detailed. Could you describe how you found 
the problems, i.e. do
 you have some information about collAFL?
 
 Regards
 
 Friedrich
 
 
 
 ___
 pspp-dev mailing list
 pspp-...@gnu.org
 https://lists.gnu.org/mailman/listinfo/pspp-dev

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.



signature.asc
Description: Digital signature

Bug#850457: pspp 0.10.2-1 FTBS randomly

2017-06-03 Thread John Darrington 
Hi Christoph,


On Sat, Jun 03, 2017 at 12:27:12PM +0200, Christoph Berg wrote:
 Re: John Darrington 2017-06-03 <20170603061903.GA30068@jocasta.intra>
 > If I'm reading that log file correctly, the issue is simply that initdb 
is dumping that
 > message on stderr. Our test considers that a failure.  
 > 
 > This would seem to suggest a problem with debian's postgres package.
 
 Hi,
 
 this is not a PostgreSQL problem. Make sure the locale settings are
 valid in the build environment. (This is either a problem with the
 build daemon, or a problem with pspp's testsuite or debian/rules
 file.)

Pspp's testsuite sets its environment to LC_ALL=C overriding anything which 
might have been
previously set.   This should ensure the locale is always valid shouldn't it?

I presume this error is one that has just recently arisen?  and so far as I'm 
aware, no uploads
of pspp have recently occured in Debian (am I right Frederich?)   If so, then I 
suggest that recent
changes to other entities are investigated. 

Or we can just ignore stderr by using the workaround  I suggested earlier.

J'


-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.



signature.asc
Description: Digital signature

Bug#850457: pspp 0.10.2-1 FTBS randomly

2017-06-03 Thread John Darrington 
If I'm reading that log file correctly, the issue is simply that initdb is 
dumping that
message on stderr. Our test considers that a failure.  

This would seem to suggest a problem with debian's postgres package.

However I think we can safely ignore it by changing

 AT_CHECK([initdb -A trust], [0], [ignore])

to

 AT_CHECK([initdb -A trust], [0], [ignore], [ignore])


J'


On Sat, Jun 03, 2017 at 07:34:53AM +0200, Friedrich Beckmann wrote:
 Dear Adrian, dear Lucas,
 
 thanks for your reports. Maybe you can help me with the analysis as I have 
problems to reproduce it
 here locally. 
 
 As already reported in the bug log
 
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863933
 
 I think the problem is due to locale settings in the environment. The
 critical message is:
 
 +locale: Cannot set LC_MESSAGES to default locale: No such file or 
directory
 
 in test 247 (which starts a PSQL server). The problem happens when the 
psql server starts.
 
 It seems strange to me that this happens randomly. 
 
 Regards
 
 Friedrich
 
 
 
 ___
 pspp-dev mailing list
 pspp-...@gnu.org
 https://lists.gnu.org/mailman/listinfo/pspp-dev

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.



signature.asc
Description: Digital signature

Bug#820743: [Pkg-postgresql-public] Bug#820743: [hurd-i386] postgresql-common / postgresql-9.5 fails to install during pspp build

2016-04-12 Thread John Darrington 
Just for clarification ...

As correctly mentioned, the PostgreSQL server cannot run on the Hurd.

However this does not mean that the PSPP postgres client option cannot or 
should not be enabled
on the Hurd.  It simply means that the regression test for that option cannot 
run.

My recollection was that in Debian the option was enabled, but the test 
specifically disabled.

J'


On Tue, Apr 12, 2016 at 06:16:40PM +0200, Friedrich Beckmann wrote:
 Hi Christoph,
 
 thanks for the info. We had disabled the optional postgresql on hurd-i386 
in the previous pspp release.
 
 Is it maybe an idea to include this test case in the regression in 
postgresql? That would stop the
 release of the non-functional postgresql on hurd-i386, no?
 
 Friedrich
 
 > Am 12.04.2016 um 17:39 schrieb Christoph Berg :
 > 
 > Re: Friedrich Beckmann 2016-04-12 
<3ad966ac-2984-4449-94ba-addfe00d9...@gmx.de>
 >> Package: postgresql-9.5
 >> Version: 9.5.2-1
 >> 
 >> During test installation on buildd for pspp, the pspp build fails on 
hurd-i386 during the setup
 >> of the postgresql. When I disable postgresql, then pspp builds and 
works. 
 >> 
 >> This is specific to the hurd-i386 architecture. The pspp package builds 
on other architectures.
 >> 
 >> Friedrich
 >> 
 >> The full log: 
https://buildd.debian.org/status/fetch.php?pkg=pspp=hurd-i386=0.10.1-2=1460387447
 > 
 > Hi Friedrich,
 > 
 > the problem is in the hurd kernel that doesn't implement semaphores.
 > The interesting initdb error is this:
 > 
 > creating template1 database in 
/?PKGBUILDDIR?/build/src/test/regress/./tmp_check/data/base/1 ... FATAL:  could 
not create semaphores: Function not implemented
 > DETAIL:  Failed system call was semget(1, 17, 03600).
 > 
 > We have the weird situation where the server compiles successfully
 > including semget(), but isn't able to get executed because the
 > the kernel doesn't implement the feature.
 > 
 > I've talked to the hurd people, and Richard Braun was confirming that
 > inter-process semaphores are not implemented yet.
 > 
 > What we can do from the PostgreSQL side is to replace the current sysv
 > semaphores (semget) by POSIX semaphores (sem_init) which don't work
 > either, but have a much greater chance of getting implemented in the
 > future. So some day, it will just work, but until then, PostgreSQL
 > will unfortunately not really be available on that platform.
 > 
 > Christoph
 
 
 ___
 pspp-dev mailing list
 pspp-...@gnu.org
 https://lists.gnu.org/mailman/listinfo/pspp-dev

-- 
Avoid eavesdropping.  Send strong encryted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.



signature.asc
Description: Digital signature

Bug#532737: /usr/bin/dig: dig crashes on recursive PTR lookups for classless addresses

2009-06-11 Thread John Darrington 
Package: dnsutils
Version: 1:9.5.1.dfsg.P1-1
Severity: normal
File: /usr/bin/dig


This query:

 dig -x 203.82.214.165 +trace

results in a Segmentation fault.

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages dnsutils depends on:
ii  bind9-host [host] 1:9.5.1.dfsg.P1-1  Version of 'host' bundled with BIN
ii  libbind9-40   1:9.5.1.dfsg.P1-1  BIND9 Shared Library used by BIND
ii  libc6 2.9-4  GNU C Library: Shared libraries
ii  libcap2   2.11-2 support for getting/setting POSIX.
ii  libdns45  1:9.5.1.dfsg.P1-1  DNS Shared Library used by BIND
ii  libisc45  1:9.5.1.dfsg.P1-1  ISC Shared Library used by BIND
ii  libisccfg40   1:9.5.1.dfsg.P1-1  Config File Handling Library used 
ii  libkrb53  1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries
ii  liblwres401:9.5.1.dfsg.P1-1  Lightweight Resolver Library used 
ii  libssl0.9.8   0.9.8g-15  SSL shared libraries
ii  libxml2   2.6.32.dfsg-5  GNOME XML library

dnsutils recommends no packages.

Versions of packages dnsutils suggests:
pn  rblcheck  none (no description available)

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#517624: amaya: Amaya crashes on start-up.

2009-02-28 Thread John Darrington 
Package: amaya
Version: wx-9.53-1
Severity: grave
Justification: renders package unusable


When starting amaya, it aborts with the following error message:

The program 'amaya-wx' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadMatch (invalid parameter attributes)'.
  (Details: serial 1094 error_code 8 request_code 146 minor_code 3)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)


-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages amaya depends on:
ii  libatk1.0-01.22.0-1  The ATK accessibility toolkit
ii  libc6  2.7-18GNU C Library: Shared libraries
ii  libexpat1  2.0.1-4   XML parsing C library - runtime li
ii  libfreetype6   2.3.7-2   FreeType 2 font engine, shared lib
ii  libgcc11:4.3.2-1.1   GCC support library
ii  libglib2.0-0   2.16.6-1  The GLib library of C routines
ii  libgtk2.0-02.12.11-4 The GTK+ graphical user interface 
ii  libpango1.0-0  1.20.5-3  Layout and rendering of internatio
ii  libstdc++5 1:3.3.6-18The GNU Standard C++ Library v3
ii  libx11-6   2:1.1.5-2 X11 client-side library
ii  libxext6   2:1.0.4-1 X11 miscellaneous extension librar
ii  zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

amaya recommends no packages.

amaya suggests no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#486777: pspp: New upstream release

2008-06-17 Thread John Darrington 
Package: pspp
Version: 0.3.0-7
Severity: normal


PSPP version 0.6.0 has been released. This version is 64bit safe, fixes
many bugs and introduces new features.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages pspp depends on:
ii  libc6  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libncurses55.5-5 Shared libraries for terminal hand
ii  libreadline4   4.3-11GNU readline and history libraries

pspp recommends no packages.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#480437: ncurses5-config reports incorrect information

2008-05-09 Thread John Darrington 
Package: ncurses-bin / libncurses5-dev
Version: 5.6+20080308-1
Severity: important

ncurses-bin ships the ncurses5-config binary.

Running ncurses5-bin --cflags reports -I/usr/include/ncurses  But
this is wrong.  The package does not provide /usr/include/ncurses.
Even if libncurses5-dev is installed, then it puts the header files in
/usr/include NOT /usr/include/ncurses Consequently any build
configurations which rely on ncurses5-config will break.


ncurses5-config should be shipped by libncurses5-dev and not
ncurses5-bin and it should give the correct information.

J'



-- 
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://pgp.mit.edu or any PGP keyserver for public key.




signature.asc
Description: Digital signature

Bug#390870: Xbiff cannot find its bitmaps

2007-04-12 Thread John Darrington 
No.  The problem seems to have been fixed in recent versions.

J'

On Tue, Apr 10, 2007 at 11:04:10PM +0200, Brice Goglin wrote:
 Hi,
 
 About 6 months ago, you reported a bug to the Debian BTS regarding xbiff
 not finding its bitmaps. I can't reproduce here. Did you reproduce this
 problem recently?
 
 Thanks,
 Brice

-- 
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://pgp.mit.edu or any PGP keyserver for public key.




signature.asc
Description: Digital signature

Bug#405622: initscripts: /etc/init.d/mountnfs.sh fails to detect mounted files.

2007-01-04 Thread John Darrington 
Package: initscripts
Version: 2.86.ds1-36
Severity: important


/etc/init.d/mountnfs.sh waits until all entries from /etc/fstab have been
succesfully mounted.  However, if one of these is a file, rather than a 
directory, 
then it fails to detect that it is in fact mounted.  Thus, there is an annoying
90 second delay on boot up, followed by an error message,  even though there is 
nothing wrong. 

There needs to be a more robust way to detect successfull mounts.



-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages initscripts depends on:
ii  debianut 2.17Miscellaneous utilities specific t
ii  e2fsprog 1.39+1.40-WIP-2006.11.14+dfsg-1 ext2 file system utilities and lib
ii  libc62.3.6.ds1-8 GNU C Library: Shared libraries
ii  lsb-base 3.1-22  Linux Standard Base 3.1 init scrip
ii  mount2.12r-15Tools for mounting and manipulatin
ii  sysvinit 2.86.ds1-36 System-V-like utilities

Versions of packages initscripts recommends:
ii  psmisc22.3-1 Utilities that use the proc filesy

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#400851: tzdata: Daylight saving rules for Western Australia have changed.

2006-11-28 Thread John Darrington 
Package: tzdata
Version: 2006l-1
Severity: important
Tags: l10n

The government of Western Australia have decided (contrary to recent
referendum) to introduce daylight saving. See  
http://www.mediastatements.wa.gov.au/media/media.nsf/0c079b992e7e607a48256a5a0016e16b/71c80789277dad4f4825722e000c0569?OpenDocument

Thus /usr/share/zoneinfo/Australia/Perth
/usr/share/zoneinfo/Australia/West etc need to be updated 


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#390870: Xbiff cannot find its bitmaps

2006-10-03 Thread John Darrington 
Package: xbase-clients
Version: 1:7.1.ds-3

When starting xbiff I get: 

Warning: Cannot convert string flagup to type Pixmap
Warning: Cannot convert string flagdown to type Pixmap

and xbiff displays a bunk bed instead of the mailbox.
I expected to see a mailbox.
strace indicates that it's looking for these files in 
/usr/X11R6/include/X11/bitmaps/ whereas, they are actually to be found
in /usr/include/X11/bitmaps/

$ uname -a
Linux marilyn 2.4.26-1-686 #1 Tue Aug 24 13:46:05 JST 2004 i686 GNU/Linux

-- 
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://pgp.mit.edu or any PGP keyserver for public key.




pgpvnf0HllSPn.pgp
Description: PGP signature

Bug#325993: fuse-utils: addgroup vs. groupadd

2006-04-12 Thread John Darrington 
Package: fuse-utils
Version: 2.5.2-4
Followup-For: Bug #325993


This seems to be because postinst says addgroup --system fuse
whereas it ought to say groupadd --system fuse.
Similarly postrm says delgroup --system fuse instead of groupdel
--system fuse.



-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages fuse-utils depends on:
ii  adduser   3.85   Add and remove users and groups
ii  libc6 2.3.5-8GNU C Library: Shared libraries an
ii  makedev   2.3.1-80   creates device files in /dev
ii  sed   4.1.2-8The GNU sed stream editor
ii  ucf   2.003  Update Configuration File: preserv

Versions of packages fuse-utils recommends:
pn  fuse-source   none (no description available)

-- no debconf information



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#300504: lam-runtime: Name clash with wipe package.

2005-03-21 Thread John Darrington 
On Mon, Mar 21, 2005 at 07:52:39PM +0100, Thomas Schoepf wrote:
 What does ls -l /usr/share/man/man1/wipe.1.gz show?
 

[EMAIL PROTECTED]:~$ ls -l /usr/share/man/man1/wipe.1.gz 
-rw-r--r--1 root root 4215 Jul 27  1999 
/usr/share/man/man1/wipe.1.gz

This one is the man page for the wipe packaage.

J'

-- 
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://wwwkeys.pgp.net or any PGP keyserver for public key.




pgp1UV4zADRy7.pgp
Description: PGP signature

Bug#300504: lam-runtime: Name clash with wipe package.

2005-03-19 Thread John Darrington 
Package: lam-runtime, wipe
Version: 6.5.8-2
Severity: normal

There are two manpages calles wipe(1).

I have lam-runtime installed at the same time as wipe.  When I type man wipe 
I expected to get the manpage for /usr/share/man/man1/wipe.1.gz

Instead I got /usr/share/man/man1/lam-wipe.1.gz



-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux freyja.cellform.com 2.2.17 #1 Sun Jun 25 09:24:41 EST 2000 i?86
Locale: LANG=en_AU, LC_CTYPE=en_AU

Versions of packages lam-runtime depends on:
ii  debconf1.2.23woody1  Debian configuration management sy
ii  dpkg   1.9.21Package maintenance system for Deb
ii  lam3   6.5.8-2   Shared libraries used by LAM paral
ii  libc6  2.3.1-16  GNU C Library: Shared libraries an
ii  ssh1:3.4p1-1.woody.3 Secure rlogin/rsh/rcp replacement 
ii  ssh [rsh-client]   1:3.4p1-1.woody.3 Secure rlogin/rsh/rcp replacement 
pn  ssh | rsh-client Not found.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]