Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
On Mon, Jul 03, 2017 at 11:37:30PM +0200, Friedrich Beckmann wrote: Hi John, today I looked a little bit at the hash function. I think the problem is that compared to the referenced code the x parameter is type int instead of unsigned int. Googling around the overflow behavior of signed and the shift right of signed is not defined in the c standard although ???many?" implementations assume 2th complement signed implementation. Both is well defined for unsigned int operations. Ahh. Perhaps you're right. But I cannot see that this would cause a crash, so I suspect that's another problem. I changed the parameter type from int to unsigned int and I cannot see a problem in the regression. What problems did you encounter before your change (if any)? But looking at the code I wondered if this hash function also works on 64 Bit architectures. The reference only talks about uint32_t. I cannot see that it wouldn't "work". But it might not create such an efficient hash. Anyway maybe Ben will be able to have a look soon. J' -- Avoid eavesdropping. Send strong encrypted email. PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://sks-keyservers.net or any PGP keyserver for public key. signature.asc Description: Digital signature
Bug#866890: pspp - cve-2017-10791 - cve-2017-10792
I suspect this report is mistaken. But this bit is Ben's code, so I'll let him comment on that. J' On Mon, Jul 03, 2017 at 07:22:57AM +0200, Friedrich Beckmann wrote: Dear owl337 team, thanks for looking at pspp and finding the security problems https://security-tracker.debian.org/tracker/CVE-2017-10791 and https://security-tracker.debian.org/tracker/CVE-2017-10792 in pspp! Your reports are quite detailed. Could you describe how you found the problems, i.e. do you have some information about collAFL? Regards Friedrich ___ pspp-dev mailing list pspp-...@gnu.org https://lists.gnu.org/mailman/listinfo/pspp-dev -- Avoid eavesdropping. Send strong encrypted email. PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://sks-keyservers.net or any PGP keyserver for public key. signature.asc Description: Digital signature
Bug#850457: pspp 0.10.2-1 FTBS randomly
Hi Christoph, On Sat, Jun 03, 2017 at 12:27:12PM +0200, Christoph Berg wrote: Re: John Darrington 2017-06-03 <20170603061903.GA30068@jocasta.intra> > If I'm reading that log file correctly, the issue is simply that initdb is dumping that > message on stderr. Our test considers that a failure. > > This would seem to suggest a problem with debian's postgres package. Hi, this is not a PostgreSQL problem. Make sure the locale settings are valid in the build environment. (This is either a problem with the build daemon, or a problem with pspp's testsuite or debian/rules file.) Pspp's testsuite sets its environment to LC_ALL=C overriding anything which might have been previously set. This should ensure the locale is always valid shouldn't it? I presume this error is one that has just recently arisen? and so far as I'm aware, no uploads of pspp have recently occured in Debian (am I right Frederich?) If so, then I suggest that recent changes to other entities are investigated. Or we can just ignore stderr by using the workaround I suggested earlier. J' -- Avoid eavesdropping. Send strong encrypted email. PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://sks-keyservers.net or any PGP keyserver for public key. signature.asc Description: Digital signature
Bug#850457: pspp 0.10.2-1 FTBS randomly
If I'm reading that log file correctly, the issue is simply that initdb is dumping that message on stderr. Our test considers that a failure. This would seem to suggest a problem with debian's postgres package. However I think we can safely ignore it by changing AT_CHECK([initdb -A trust], [0], [ignore]) to AT_CHECK([initdb -A trust], [0], [ignore], [ignore]) J' On Sat, Jun 03, 2017 at 07:34:53AM +0200, Friedrich Beckmann wrote: Dear Adrian, dear Lucas, thanks for your reports. Maybe you can help me with the analysis as I have problems to reproduce it here locally. As already reported in the bug log https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863933 I think the problem is due to locale settings in the environment. The critical message is: +locale: Cannot set LC_MESSAGES to default locale: No such file or directory in test 247 (which starts a PSQL server). The problem happens when the psql server starts. It seems strange to me that this happens randomly. Regards Friedrich ___ pspp-dev mailing list pspp-...@gnu.org https://lists.gnu.org/mailman/listinfo/pspp-dev -- Avoid eavesdropping. Send strong encrypted email. PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://sks-keyservers.net or any PGP keyserver for public key. signature.asc Description: Digital signature
Bug#820743: [Pkg-postgresql-public] Bug#820743: [hurd-i386] postgresql-common / postgresql-9.5 fails to install during pspp build
Just for clarification ... As correctly mentioned, the PostgreSQL server cannot run on the Hurd. However this does not mean that the PSPP postgres client option cannot or should not be enabled on the Hurd. It simply means that the regression test for that option cannot run. My recollection was that in Debian the option was enabled, but the test specifically disabled. J' On Tue, Apr 12, 2016 at 06:16:40PM +0200, Friedrich Beckmann wrote: Hi Christoph, thanks for the info. We had disabled the optional postgresql on hurd-i386 in the previous pspp release. Is it maybe an idea to include this test case in the regression in postgresql? That would stop the release of the non-functional postgresql on hurd-i386, no? Friedrich > Am 12.04.2016 um 17:39 schrieb Christoph Berg: > > Re: Friedrich Beckmann 2016-04-12 <3ad966ac-2984-4449-94ba-addfe00d9...@gmx.de> >> Package: postgresql-9.5 >> Version: 9.5.2-1 >> >> During test installation on buildd for pspp, the pspp build fails on hurd-i386 during the setup >> of the postgresql. When I disable postgresql, then pspp builds and works. >> >> This is specific to the hurd-i386 architecture. The pspp package builds on other architectures. >> >> Friedrich >> >> The full log: https://buildd.debian.org/status/fetch.php?pkg=pspp=hurd-i386=0.10.1-2=1460387447 > > Hi Friedrich, > > the problem is in the hurd kernel that doesn't implement semaphores. > The interesting initdb error is this: > > creating template1 database in /?PKGBUILDDIR?/build/src/test/regress/./tmp_check/data/base/1 ... FATAL: could not create semaphores: Function not implemented > DETAIL: Failed system call was semget(1, 17, 03600). > > We have the weird situation where the server compiles successfully > including semget(), but isn't able to get executed because the > the kernel doesn't implement the feature. > > I've talked to the hurd people, and Richard Braun was confirming that > inter-process semaphores are not implemented yet. > > What we can do from the PostgreSQL side is to replace the current sysv > semaphores (semget) by POSIX semaphores (sem_init) which don't work > either, but have a much greater chance of getting implemented in the > future. So some day, it will just work, but until then, PostgreSQL > will unfortunately not really be available on that platform. > > Christoph ___ pspp-dev mailing list pspp-...@gnu.org https://lists.gnu.org/mailman/listinfo/pspp-dev -- Avoid eavesdropping. Send strong encryted email. PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://sks-keyservers.net or any PGP keyserver for public key. signature.asc Description: Digital signature
Bug#532737: /usr/bin/dig: dig crashes on recursive PTR lookups for classless addresses
Package: dnsutils Version: 1:9.5.1.dfsg.P1-1 Severity: normal File: /usr/bin/dig This query: dig -x 203.82.214.165 +trace results in a Segmentation fault. -- System Information: Debian Release: 5.0 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages dnsutils depends on: ii bind9-host [host] 1:9.5.1.dfsg.P1-1 Version of 'host' bundled with BIN ii libbind9-40 1:9.5.1.dfsg.P1-1 BIND9 Shared Library used by BIND ii libc6 2.9-4 GNU C Library: Shared libraries ii libcap2 2.11-2 support for getting/setting POSIX. ii libdns45 1:9.5.1.dfsg.P1-1 DNS Shared Library used by BIND ii libisc45 1:9.5.1.dfsg.P1-1 ISC Shared Library used by BIND ii libisccfg40 1:9.5.1.dfsg.P1-1 Config File Handling Library used ii libkrb53 1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries ii liblwres401:9.5.1.dfsg.P1-1 Lightweight Resolver Library used ii libssl0.9.8 0.9.8g-15 SSL shared libraries ii libxml2 2.6.32.dfsg-5 GNOME XML library dnsutils recommends no packages. Versions of packages dnsutils suggests: pn rblcheck none (no description available) -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#517624: amaya: Amaya crashes on start-up.
Package: amaya Version: wx-9.53-1 Severity: grave Justification: renders package unusable When starting amaya, it aborts with the following error message: The program 'amaya-wx' received an X Window System error. This probably reflects a bug in the program. The error was 'BadMatch (invalid parameter attributes)'. (Details: serial 1094 error_code 8 request_code 146 minor_code 3) (Note to programmers: normally, X errors are reported asynchronously; that is, you will receive the error a while after causing it. To debug your program, run it with the --sync command line option to change this behavior. You can then get a meaningful backtrace from your debugger if you break on the gdk_x_error() function.) -- System Information: Debian Release: 5.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages amaya depends on: ii libatk1.0-01.22.0-1 The ATK accessibility toolkit ii libc6 2.7-18GNU C Library: Shared libraries ii libexpat1 2.0.1-4 XML parsing C library - runtime li ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib ii libgcc11:4.3.2-1.1 GCC support library ii libglib2.0-0 2.16.6-1 The GLib library of C routines ii libgtk2.0-02.12.11-4 The GTK+ graphical user interface ii libpango1.0-0 1.20.5-3 Layout and rendering of internatio ii libstdc++5 1:3.3.6-18The GNU Standard C++ Library v3 ii libx11-6 2:1.1.5-2 X11 client-side library ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime amaya recommends no packages. amaya suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#486777: pspp: New upstream release
Package: pspp Version: 0.3.0-7 Severity: normal PSPP version 0.6.0 has been released. This version is 64bit safe, fixes many bugs and introduces new features. -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.4.27-2-686 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages pspp depends on: ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries ii libncurses55.5-5 Shared libraries for terminal hand ii libreadline4 4.3-11GNU readline and history libraries pspp recommends no packages. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#480437: ncurses5-config reports incorrect information
Package: ncurses-bin / libncurses5-dev Version: 5.6+20080308-1 Severity: important ncurses-bin ships the ncurses5-config binary. Running ncurses5-bin --cflags reports -I/usr/include/ncurses But this is wrong. The package does not provide /usr/include/ncurses. Even if libncurses5-dev is installed, then it puts the header files in /usr/include NOT /usr/include/ncurses Consequently any build configurations which rely on ncurses5-config will break. ncurses5-config should be shipped by libncurses5-dev and not ncurses5-bin and it should give the correct information. J' -- PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://pgp.mit.edu or any PGP keyserver for public key. signature.asc Description: Digital signature
Bug#390870: Xbiff cannot find its bitmaps
No. The problem seems to have been fixed in recent versions. J' On Tue, Apr 10, 2007 at 11:04:10PM +0200, Brice Goglin wrote: Hi, About 6 months ago, you reported a bug to the Debian BTS regarding xbiff not finding its bitmaps. I can't reproduce here. Did you reproduce this problem recently? Thanks, Brice -- PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://pgp.mit.edu or any PGP keyserver for public key. signature.asc Description: Digital signature
Bug#405622: initscripts: /etc/init.d/mountnfs.sh fails to detect mounted files.
Package: initscripts Version: 2.86.ds1-36 Severity: important /etc/init.d/mountnfs.sh waits until all entries from /etc/fstab have been succesfully mounted. However, if one of these is a file, rather than a directory, then it fails to detect that it is in fact mounted. Thus, there is an annoying 90 second delay on boot up, followed by an error message, even though there is nothing wrong. There needs to be a more robust way to detect successfull mounts. -- System Information: Debian Release: 4.0 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-3-686 Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1) Versions of packages initscripts depends on: ii debianut 2.17Miscellaneous utilities specific t ii e2fsprog 1.39+1.40-WIP-2006.11.14+dfsg-1 ext2 file system utilities and lib ii libc62.3.6.ds1-8 GNU C Library: Shared libraries ii lsb-base 3.1-22 Linux Standard Base 3.1 init scrip ii mount2.12r-15Tools for mounting and manipulatin ii sysvinit 2.86.ds1-36 System-V-like utilities Versions of packages initscripts recommends: ii psmisc22.3-1 Utilities that use the proc filesy -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#400851: tzdata: Daylight saving rules for Western Australia have changed.
Package: tzdata Version: 2006l-1 Severity: important Tags: l10n The government of Western Australia have decided (contrary to recent referendum) to introduce daylight saving. See http://www.mediastatements.wa.gov.au/media/media.nsf/0c079b992e7e607a48256a5a0016e16b/71c80789277dad4f4825722e000c0569?OpenDocument Thus /usr/share/zoneinfo/Australia/Perth /usr/share/zoneinfo/Australia/West etc need to be updated -- System Information: Debian Release: 4.0 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.4.27-2-686 Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1) -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#390870: Xbiff cannot find its bitmaps
Package: xbase-clients Version: 1:7.1.ds-3 When starting xbiff I get: Warning: Cannot convert string flagup to type Pixmap Warning: Cannot convert string flagdown to type Pixmap and xbiff displays a bunk bed instead of the mailbox. I expected to see a mailbox. strace indicates that it's looking for these files in /usr/X11R6/include/X11/bitmaps/ whereas, they are actually to be found in /usr/include/X11/bitmaps/ $ uname -a Linux marilyn 2.4.26-1-686 #1 Tue Aug 24 13:46:05 JST 2004 i686 GNU/Linux -- PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://pgp.mit.edu or any PGP keyserver for public key. pgpvnf0HllSPn.pgp Description: PGP signature
Bug#325993: fuse-utils: addgroup vs. groupadd
Package: fuse-utils Version: 2.5.2-4 Followup-For: Bug #325993 This seems to be because postinst says addgroup --system fuse whereas it ought to say groupadd --system fuse. Similarly postrm says delgroup --system fuse instead of groupdel --system fuse. -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.8-2-686 Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1) Versions of packages fuse-utils depends on: ii adduser 3.85 Add and remove users and groups ii libc6 2.3.5-8GNU C Library: Shared libraries an ii makedev 2.3.1-80 creates device files in /dev ii sed 4.1.2-8The GNU sed stream editor ii ucf 2.003 Update Configuration File: preserv Versions of packages fuse-utils recommends: pn fuse-source none (no description available) -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#300504: lam-runtime: Name clash with wipe package.
On Mon, Mar 21, 2005 at 07:52:39PM +0100, Thomas Schoepf wrote: What does ls -l /usr/share/man/man1/wipe.1.gz show? [EMAIL PROTECTED]:~$ ls -l /usr/share/man/man1/wipe.1.gz -rw-r--r--1 root root 4215 Jul 27 1999 /usr/share/man/man1/wipe.1.gz This one is the man page for the wipe packaage. J' -- PGP Public key ID: 1024D/2DE827B3 fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3 See http://wwwkeys.pgp.net or any PGP keyserver for public key. pgp1UV4zADRy7.pgp Description: PGP signature
Bug#300504: lam-runtime: Name clash with wipe package.
Package: lam-runtime, wipe Version: 6.5.8-2 Severity: normal There are two manpages calles wipe(1). I have lam-runtime installed at the same time as wipe. When I type man wipe I expected to get the manpage for /usr/share/man/man1/wipe.1.gz Instead I got /usr/share/man/man1/lam-wipe.1.gz -- System Information Debian Release: 3.0 Architecture: i386 Kernel: Linux freyja.cellform.com 2.2.17 #1 Sun Jun 25 09:24:41 EST 2000 i?86 Locale: LANG=en_AU, LC_CTYPE=en_AU Versions of packages lam-runtime depends on: ii debconf1.2.23woody1 Debian configuration management sy ii dpkg 1.9.21Package maintenance system for Deb ii lam3 6.5.8-2 Shared libraries used by LAM paral ii libc6 2.3.1-16 GNU C Library: Shared libraries an ii ssh1:3.4p1-1.woody.3 Secure rlogin/rsh/rcp replacement ii ssh [rsh-client] 1:3.4p1-1.woody.3 Secure rlogin/rsh/rcp replacement pn ssh | rsh-client Not found. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]