Bug#932007: wabt: missing files needed by generated output from wasm2c

2019-07-14 Thread Markus Koschany
Hi,

Am 13.07.19 um 20:06 schrieb Martin Juhlin:
> Package: wabt
> Version: 1.0.8-1
> Severity: normal
>
> Dear Maintainer,
>
> I was running wasm2c on an example file and found that the generated
> output needs a wasm-rt.h file. The final output also needs
> wasm-rt-impl.c + wasm-rt-impl.h to be compilable.
>
> It would be very useful if everything in the wasm2c/ folder from the
> source package is included in the final binary package (including example).

In general those files in the wasm2c folder are not necessary to use
wasm2c. For instance running wasm2c on the example file fac.wasm

wasm2c fac.wasm -o test.c

works as expected. Of course I can include the wasm2c files as examples
though.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#931845: Cannot install solr-tomcat when building docker image

2019-07-11 Thread Markus Koschany
Hello,

this issue is caused by the command systemctl daemon-reload in
solr-tomcat's postinst file. You can try to remove it and see if it
works. However solr-tomcat is supposed to work in a systemd environment,
I doubt that anyone has tested it with another init system or without one.

Regards,

Markus





Bug#931640: webext-ublock-origin: no longer functional in firefox-esr

2019-07-08 Thread Markus Koschany
Hello,

Am 08.07.19 um 17:50 schrieb Sven Joachim:
> Package: webext-ublock-origin
> Version: 1.19.0+dfsg-2
> Severity: important
> 
> After upgrading from 1.18.4+dfsg-2 I found that uBlock Origin was no
> longer functional in firefox-esr.  Some observations so far:

[...]

Thanks for reporting. I believe in order to debug this issue it would be
most effective to add your customizations one by one to a new profile
and compare the results. There will be a new firefox-esr version at the
end of the year, so it could make sense to try the most recent Firefox
release in Debian too and to use this one for debugging. If we can
narrow the issue down, I can file an upstream bug report.

Regards,

Markus





Bug#910764: openjfx: segmentation fault in GtkNativeMainLoopThread with GTK 3

2019-06-30 Thread Markus Koschany
Am 30.06.19 um 12:42 schrieb Thomas Uhle:
> Hello Markus,
> 
> it seems that the bugfix has been backported upstream to OpenJFX 11.0.2
> as well. Please see https://bugs.openjdk.java.net/browse/JDK-8216292 for
> further reference.

Thanks for the information. I will remove the workaround in PDFsam after
the freeze and report back if it works.

Markus





Bug#931199: unblock: freeorion/0.4.8-3

2019-06-27 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package freeorion

Freeorion crashed when someone tried to load or save a game. We
believe this issue was resolved in version 0.4.8-3 and it would be
great if we could release Buster with this version.
This is Debian bug #930417.

Thanks,

Markus

unblock freeorion/0.4.8-3

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru freeorion-0.4.8/debian/changelog freeorion-0.4.8/debian/changelog
--- freeorion-0.4.8/debian/changelog2018-08-31 17:09:10.0 +0200
+++ freeorion-0.4.8/debian/changelog2019-06-23 01:52:26.0 +0200
@@ -1,3 +1,16 @@
+freeorion (0.4.8-3) unstable; urgency=medium
+
+  * Really fix save or load game crash. (Closes: #930417)
+
+ -- Markus Koschany   Sun, 23 Jun 2019 01:52:26 +0200
+
+freeorion (0.4.8-2) unstable; urgency=medium
+
+  * Fix save or load game crash. Thanks to Michal Mauser for the report and
+Bernhard Übelacker for the investigation. (Closes: #930417)
+
+ -- Markus Koschany   Sun, 16 Jun 2019 01:02:41 +0200
+
 freeorion (0.4.8-1) unstable; urgency=medium
 
   * New upstream version 0.4.8.
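Review bot: the 0.4.8-3 entry ("Really fix save or load game crash") closes #930417 a second time without saying what the -2 upload got wrong or how the patch changed between the two revisions. Both entries are new relative to the 0.4.8-1 baseline, so one sentence naming the difference would let the release team judge the unblock from the changelog alone.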
diff -Nru freeorion-0.4.8/debian/patches/debian-bug-930417.patch 
freeorion-0.4.8/debian/patches/debian-bug-930417.patch
--- freeorion-0.4.8/debian/patches/debian-bug-930417.patch  1970-01-01 
01:00:00.0 +0100
+++ freeorion-0.4.8/debian/patches/debian-bug-930417.patch  2019-06-23 
01:52:26.0 +0200
@@ -0,0 +1,147 @@
+From: Markus Koschany 
+Date: Sun, 16 Jun 2019 01:10:41 +0200
+Subject: debian-bug-930417
+
+Bug-Debian: https://bugs.debian.org/930417
+Origin: 
https://github.com/freeorion/freeorion/pull/2366/commits/1e94e406fa309c60c4b68ef08b424b65a7bd0e4d
+---
+ server/SaveLoad.cpp | 70 +
+ 1 file changed, 39 insertions(+), 31 deletions(-)
+
+diff --git a/server/SaveLoad.cpp b/server/SaveLoad.cpp
+index ecb73a3..37614d7 100644
+--- a/server/SaveLoad.cpp
 b/server/SaveLoad.cpp
+@@ -333,8 +333,13 @@ void LoadGame(const std::string& filename, 
ServerSaveGameData& server_save_game_
+ if (!ifs)
+ throw std::runtime_error(UNABLE_TO_OPEN_FILE);
+ 
+-try {
+-// first attempt binary deserialziation
++std::string signature(5, '\0');
++if (!ifs.read([0], 5))
++throw std::runtime_error(UNABLE_TO_OPEN_FILE);
++boost::iostreams::seek(ifs, 0, std::ios_base::beg);
++
++if (strncmp(signature.c_str(), "> BOOST_SERIALIZATION_NVP(ignored_save_preview_data);
+@@ -350,14 +355,10 @@ void LoadGame(const std::string& filename, 
ServerSaveGameData& server_save_game_
+ Deserialize(ia, universe);
+ 
+ DebugLogger() << "Done deserializing";
+-} catch (...) {
+-// if binary deserialization failed, try more-portable XML 
deserialization
+-
+-// reset to start of stream (attempted binary serialization will 
have consumed some input...)
+-boost::iostreams::seek(ifs, 0, std::ios_base::beg);
+-
++} else {
+ // create archive with (preallocated) buffer...
+ freeorion_xml_iarchive xia(ifs);
++DebugLogger() << "Reading XML iarchive";
+ // read from save file: uncompressed header serialized data, with 
compressed main archive string at end...
+ // deserialize uncompressed save header info
+ xia >> BOOST_SERIALIZATION_NVP(ignored_save_preview_data);
+@@ -458,18 +459,21 @@ void LoadGalaxySetupData(const std::string& filename, 
GalaxySetupData& galaxy_se
+ if (!ifs)
+ throw std::runtime_error(UNABLE_TO_OPEN_FILE);
+ 
+-try {
+-// first attempt binary deserialziation
++std::string signature(5, '\0');
++if (!ifs.read([0], 5))
++throw std::runtime_error(UNABLE_TO_OPEN_FILE);
++boost::iostreams::seek(ifs, 0, std::ios_base::beg);
++
++if (strncmp(signature.c_str(), "> BOOST_SERIALIZATION_NVP(ignored_save_preview_data);
+ ia >> BOOST_SERIALIZATION_NVP(galaxy_setup_data);
+ 
+-} catch(...) {
+-// if binary deserialization failed, try more-portable XML 
deserialization
+-
+-// reset to start of stream (attempted binary serialization will 
have consumed some input...)
+-boost::iostreams::seek(ifs, 0, std::ios_base::beg);
++} else {
++DebugLogger() << "Attempting XML deserialization...";
+ freeorion_xml_iarchive ia(ifs);
+
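Review bot: in both LoadGame and LoadGalaxySetupData the new 5-byte probe throws std::runtime_error(UNABLE_TO_OPEN_FILE) when ifs.read fails, so a save file shorter than five bytes is reported as an open failure rather than as a truncated or invalid save; a distinct error would make such reports easier to triage. The probe-and-seek block is copied verbatim into both functions and would be better as one helper that returns the detected format, and the result of boost::iostreams::seek after the probe is not checked. Replacing catch (...) with an explicit format check is the right direction, since a failure inside the binary path is no longer silently retried as XML.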

Bug#931198: unblock: warzone2100/3.2.1-4

2019-06-27 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package warzone2100

A segmentation fault was discovered in warzone2100 when someone tries
to host a new multiplayer game. It would be great if we still could get this
into Buster. This is Debian bug #930942.

Regards,

Markus

unblock warzone2100/3.2.1-4

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru warzone2100-3.2.1/debian/changelog warzone2100-3.2.1/debian/changelog
--- warzone2100-3.2.1/debian/changelog  2018-02-24 00:51:59.0 +0100
+++ warzone2100-3.2.1/debian/changelog  2019-06-26 06:49:41.0 +0200
@@ -1,3 +1,13 @@
+warzone2100 (3.2.1-4) unstable; urgency=medium
+
+  * Team upload.
+  * Move the package to salsa.debian.org.
+  * Fix segmentation fault upon multiplayer "Start Hosting Game"
+Thanks to Phil Morrell for the report and Bernhard Übelacker for the patch.
+(Closes: #930942)
+
+ -- Markus Koschany   Wed, 26 Jun 2019 06:49:41 +0200
+
 warzone2100 (3.2.1-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru warzone2100-3.2.1/debian/control warzone2100-3.2.1/debian/control
--- warzone2100-3.2.1/debian/control2018-02-24 00:51:59.0 +0100
+++ warzone2100-3.2.1/debian/control2019-06-26 06:49:41.0 +0200
@@ -41,8 +41,8 @@
  zip
 Standards-Version: 4.1.3
 Homepage: http://www.wz2100.net/
-Vcs-Svn: svn://anonscm.debian.org/pkg-games/packages/trunk/warzone2100/
-Vcs-Browser: 
https://anonscm.debian.org/viewvc/pkg-games/packages/trunk/warzone2100/
+Vcs-Git: https://salsa.debian.org/games-team/warzone2100.git
+Vcs-Browser: https://salsa.debian.org/games-team/warzone2100
 
 Package: warzone2100
 Architecture: any
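Review bot: the Vcs-Svn to Vcs-Git switch in this hunk is unrelated to the segmentation fault the unblock is requested for. It is metadata only, but stating that in the request, or holding it for the next regular upload, keeps the freeze diff limited to the targeted fix.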
diff -Nru 
warzone2100-3.2.1/debian/patches/0001-Avoid-calling-EC_KEY_dup-with-null-pointer.patch
 
warzone2100-3.2.1/debian/patches/0001-Avoid-calling-EC_KEY_dup-with-null-pointer.patch
--- 
warzone2100-3.2.1/debian/patches/0001-Avoid-calling-EC_KEY_dup-with-null-pointer.patch
  1970-01-01 01:00:00.0 +0100
+++ 
warzone2100-3.2.1/debian/patches/0001-Avoid-calling-EC_KEY_dup-with-null-pointer.patch
  2019-06-26 06:49:41.0 +0200
@@ -0,0 +1,30 @@
+Description: Avoid calling EC_KEY_dup with null pointer
+
+Author: Bernhard Übelacker 
+Bug-Debian: https://bugs.debian.org/930942
+Forwarded: no
+Last-Update: 2019-06-24
+
+--- warzone2100-3.2.1.orig/lib/framework/crc.cpp
 warzone2100-3.2.1/lib/framework/crc.cpp
+@@ -245,7 +245,9 @@ EcKey::EcKey()
+ 
+ EcKey::EcKey(EcKey const )
+ {
+-  vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);
++  vKey = nullptr;
++  if (!b.empty())
++  vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);
+ }
+ 
+ EcKey::EcKey(EcKey &)
+@@ -262,7 +264,8 @@ EcKey::~EcKey()
+ EcKey ::operator =(EcKey const )
+ {
+   clear();
+-  vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);
++  if (!b.empty())
++  vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);
+   return *this;
+ }
+ 
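Review bot: in operator= the new guard runs after clear(), so on a self-assignment b is the object that was just cleared; if clear() releases the key, the object ends up empty, and an early return for self-assignment would avoid that. The assignment path also depends on clear() leaving vKey null when b is empty, whereas the copy constructor sets vKey = nullptr explicitly, and the result of EC_KEY_dup is still stored unchecked in both places. The header says Forwarded: no; the same null guard is worth sending upstream.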
diff -Nru warzone2100-3.2.1/debian/patches/series 
warzone2100-3.2.1/debian/patches/series
--- warzone2100-3.2.1/debian/patches/series 2018-02-24 00:51:59.0 
+0100
+++ warzone2100-3.2.1/debian/patches/series 2019-06-26 06:49:41.0 
+0200
@@ -8,3 +8,4 @@
 quickstartguide.patch
 openssl-1.1.patch
 miniupnpc-api.patch
+0001-Avoid-calling-EC_KEY_dup-with-null-pointer.patch


Bug#931097: unattended-upgrades: InvalidURL(f"URL can't contain control characters. {url!r} "

2019-06-26 Thread Markus Koschany
Hello,

Am 26.06.19 um 09:59 schrieb duncanwebb:
> Package: unattended-upgrades
> Version: 0.83.3.2+deb8u1
> Severity: serious
> Justification: normal
> 
> Dear Maintainer,
> 
> Jessie uses python 3.4 and python 3.4 does not support f"" strings
> 
> So now unattended upgrades no longer performs security upgrades.

[...]

Thank you for reporting this issue. We have corrected this problem with
the upload of python3.4 version 3.4.2-1+deb8u4 yesterday. Unfortunately
a manual upgrade is required, afterwards unattended-upgrades will
continue to work again as intended.

Regards,

Markus





Bug#929772: ResidualVM should be built against SDL2 instead of SDL 1.2

2019-06-25 Thread Markus Koschany
Hello,

Am 30.05.19 um 20:55 schrieb Bastien Bouclet:
> Package: residualvm
> 
> Version: 0.3.1+dfsg-1
> 
> I'm an upstream maintainer of ResidualVM and just noticed the version
> packaged in Debian was build against SDL 1.2. At this point we recommend
> linking against SDL 2, as ResidualVM can take advantage of the new
> capabilities of that version. Our support of SDL 1.2 should be considered
> as deprecated.
> 
> Please switch the dependency to SDL 2, the configure script should detect
> it automatically.

Thanks for the report. We will update the package after Debian 10
"Buster" was released and switch to SDL 2.

Best,

Markus






Bug#930676: goplay: Should this package be removed?

2019-06-22 Thread Markus Koschany
Hello,

On Tue, 18 Jun 2019 12:46:30 +0200 Julian Andres Klode 
wrote:
> Package: goplay
> Severity: serious
> 
> Hi folks,
> 
> goplay has not received any updates since 2015, it uses libept,
> which we'd like to get rid of eventually I think, as it's also
> unmaintained, so I think it would be best to remove it.

I agree with you in general. However, IMHO, can we defer this decision
to buster +1 or is this really imminent? AFAIK the package works for Buster?

Regards,

Markus





Bug#930940: unblock: jackson-databind/2.9.8-3

2019-06-22 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package jackson-databind

It would be great if we could include the latest security fixes for
this package. #930750

Thanks,

Markus

unblock jackson-databind/2.9.8-3

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru jackson-databind-2.9.8/debian/changelog 
jackson-databind-2.9.8/debian/changelog
--- jackson-databind-2.9.8/debian/changelog 2019-05-18 20:31:28.0 
+0200
+++ jackson-databind-2.9.8/debian/changelog 2019-06-22 00:28:48.0 
+0200
@@ -1,3 +1,16 @@
+jackson-databind (2.9.8-3) unstable; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2019-12814 and CVE-2019-12384:
+More Polymorphic Typing issues were discovered in jackson-databind. When
+Default Typing is enabled (either globally or for a specific property) for
+an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
+logback-core jar in the classpath, an attacker can send a specifically
+crafted JSON message that allows them to read arbitrary local files on the
+server. (Closes: #930750)
+
+ -- Markus Koschany   Sat, 22 Jun 2019 00:28:48 +0200
+
 jackson-databind (2.9.8-2) unstable; urgency=medium
 
   * Team upload.
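Review bot: the 2.9.8-3 entry lists CVE-2019-12814 and CVE-2019-12384 together and names JDOM and logback-core together, so a reader cannot tell which identifier belongs to which gadget. The patch files in this debdiff show the split (logback-core in CVE-2019-12384.patch, jdom and jdom2 in CVE-2019-12814.patch), and the changelog should state it for anyone triaging only one of the two.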
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2019-12384.patch 
jackson-databind-2.9.8/debian/patches/CVE-2019-12384.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2019-12384.patch  1970-01-01 
01:00:00.0 +0100
+++ jackson-databind-2.9.8/debian/patches/CVE-2019-12384.patch  2019-06-22 
00:28:48.0 +0200
@@ -0,0 +1,24 @@
+From: Markus Koschany 
+Date: Sat, 22 Jun 2019 00:00:02 +0200
+Subject: CVE-2019-12384
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234
+---
+ .../com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git 
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index a17cdf5..3dbb16e 100644
+--- 
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -83,6 +83,9 @@ public class SubTypeValidator
+ // [databind#2326] (2.9.9): one more 3rd party gadget
+ s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+ 
++// [databind#2334] (2.9.9.1): logback-core
++s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+ 
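Review bot: the patch header carries Bug-Debian and Origin but no Bug-Upstream field, although the added comment cites databind#2334. The CVE-2019-12086 patch for the same file includes Bug-Upstream, and matching it here would keep the SubTypeValidator patches traceable in the same way.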
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2019-12814.patch 
jackson-databind-2.9.8/debian/patches/CVE-2019-12814.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2019-12814.patch  1970-01-01 
01:00:00.0 +0100
+++ jackson-databind-2.9.8/debian/patches/CVE-2019-12814.patch  2019-06-22 
00:28:48.0 +0200
@@ -0,0 +1,29 @@
+From: Markus Koschany 
+Date: Sat, 22 Jun 2019 00:26:32 +0200
+Subject: CVE-2019-12814
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5
+---
+ .../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java  | 6 +-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git 
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 3dbb16e..72db61d 100644
+--- 
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -83,9 +83,13 @@ public class SubTypeValidator
+ // [databind#2326] (2.9.9): one more 3rd party gadget
+ s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+ 
+-// [databind#2334] (2.9.9.1): logback-core
++// [databind#2334]: logback-core
+ s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+ 
++// [databind#2341]: jdom/jdom2
++s.add("org.jdom.transform.XSLTransformer");
++s.add("org.jdom2.transform.XSLTransformer");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+ 
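Review bot: the first changed line rewrites the comment that CVE-2019-12384.patch added in the same upload (dropping "(2.9.9.1)"), and the index line starts from 3dbb16e, so this patch applies only on top of the other one and the pair cannot be reordered or dropped independently in debian/patches/series. Adding the comment in its final form in the earlier patch would leave this one with only the two XSLTransformer entries. Both the org.jdom and org.jdom2 class names are covered, which matches the "JDOM 1.x or 2.x" wording in the changelog.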
diff -Nru jackson-databind-2.9.8/debian/patches/series 
jackson-databind-2.9.8/debian/patches/series
--- jackso

Bug#930417: freeorion: Crash on save/load button

2019-06-16 Thread Markus Koschany
Sorry, I mistyped your email address. Does the new version resolve your
issue?

Thanks

Markus

On Sun, 16 Jun 2019 02:19:44 +0200 Markus Koschany  wrote:
> Thanks for the report, and thanks to Bernhard for the investigation. I
> have just uploaded a new revision of freeorion with the proposed patch
> to unstable. Please tell me if it resolves your issue.
> 
> Regards,
> 
> Markus
> 





Bug#930417: freeorion: Crash on save/load button

2019-06-15 Thread Markus Koschany
Thanks for the report, and thanks to Bernhard for the investigation. I
have just uploaded a new revision of freeorion with the proposed patch
to unstable. Please tell me if it resolves your issue.

Regards,

Markus





Bug#929886: unblock: marsshooter/0.7.6-4

2019-06-02 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package marsshooter

A segmentation fault was discovered in marsshooter, that may crash the
game and make it unusable. This is Debian bug #929513. Bernhard
Übelacker provided a patch. Please find attached the debdiff.

Thanks,

Markus


unblock marsshooter/0.7.6-4

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru marsshooter-0.7.6/debian/changelog marsshooter-0.7.6/debian/changelog
--- marsshooter-0.7.6/debian/changelog  2018-07-29 02:33:04.0 +0200
+++ marsshooter-0.7.6/debian/changelog  2019-05-29 14:55:09.0 +0200
@@ -1,3 +1,11 @@
+marsshooter (0.7.6-4) unstable; urgency=medium
+
+  * Add avoid-crash-because-of-missing-return-statement.patch.
+Fix potential crash by adding proper return statements.
+Thanks to Bernhard Übelacker for the patch (Closes: #929513)
+
+ -- Markus Koschany   Wed, 29 May 2019 14:55:09 +0200
+
 marsshooter (0.7.6-3) unstable; urgency=medium
 
   * Switch to compat level 11.
diff -Nru 
marsshooter-0.7.6/debian/patches/avoid-crash-because-of-missing-return-statement.patch
 
marsshooter-0.7.6/debian/patches/avoid-crash-because-of-missing-return-statement.patch
--- 
marsshooter-0.7.6/debian/patches/avoid-crash-because-of-missing-return-statement.patch
  1970-01-01 01:00:00.0 +0100
+++ 
marsshooter-0.7.6/debian/patches/avoid-crash-because-of-missing-return-statement.patch
  2019-05-29 14:55:09.0 +0200
@@ -0,0 +1,72 @@
+From 61b2f879bf460645faf39b4729e355ea13ee6eec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= 
+Date: Tue, 28 May 2019 10:30:01 +0200
+Subject: Avoid crash because of missing return statement.
+
+warning: no return statement in function returning non-void [-Wreturn-type]
+warning: control reaches end of non-void function [-Wreturn-type]
+
+Debian-Bug: https://bugs.debian.org/929513
+---
+ include/Specials/NoSpecial.hpp | 2 +-
+ include/Weapons/NoWeapon.hpp   | 6 +++---
+ src/Interface/Tab.cpp  | 2 ++
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/include/Specials/NoSpecial.hpp b/include/Specials/NoSpecial.hpp
+index 4c1c8d3..67c3fa4 100644
+--- a/include/Specials/NoSpecial.hpp
 b/include/Specials/NoSpecial.hpp
+@@ -32,7 +32,7 @@ class NoSpecial: public Special {
+ /// Does nothing.
+ void activate() const {}
+ 
+-float radius() const {}
++float radius() const { return 0.; }
+ 
+ /// Draws the special.
+ void draw(float alpha) const;
+diff --git a/include/Weapons/NoWeapon.hpp b/include/Weapons/NoWeapon.hpp
+index e739851..38c8b2c 100644
+--- a/include/Weapons/NoWeapon.hpp
 b/include/Weapons/NoWeapon.hpp
+@@ -35,13 +35,13 @@ class NoWeapon: public Weapon {
+ void draw(float alpha) const {}
+ 
+ /// Returns the maximum distance from which this weapon should be 
used.
+-float maxDistance() const {}
++float maxDistance() const { return 0.; }
+ 
+ /// Returns the minimum distance from which this weapon should be 
used.
+-float minDistance() const {}
++float minDistance() const { return 0.; }
+ 
+ /// Returns the maximum angle from which this weapon should be used.
+-float maxAngle()   const {}
++float maxAngle()   const { return 0.; }
+ };
+ 
+ # endif // NOWEAPON_HPP_INCLUDED
+diff --git a/src/Interface/Tab.cpp b/src/Interface/Tab.cpp
+index 19a7e26..e0dd57e 100644
+--- a/src/Interface/Tab.cpp
 b/src/Interface/Tab.cpp
+@@ -110,6 +110,7 @@ bool Tab::tabNext() {
+ return true;
+ }
+ }
++return false;
+ }
+ 
+ bool Tab::tabPrevious() {
+@@ -140,6 +141,7 @@ bool Tab::tabPrevious() {
+ return true;
+ }
+ }
++return false;
+ }
+ 
+ 
+-- 
+2.20.1
+
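Review bot: NoSpecial::radius() and NoWeapon::maxDistance(), minDistance() and maxAngle() now all return 0., and nothing in the patch says whether zero is a value callers treat as "no weapon" or simply one that stops the undefined behaviour; a short comment on the choice would help. The header uses Debian-Bug: where DEP-3 names the field Bug-Debian:, and it has no Forwarded field. Since the commit message quotes the -Wreturn-type warnings, building with -Werror=return-type would keep this class of bug from coming back.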
diff -Nru marsshooter-0.7.6/debian/patches/series 
marsshooter-0.7.6/debian/patches/series
--- marsshooter-0.7.6/debian/patches/series 2018-07-29 02:33:04.0 
+0200
+++ marsshooter-0.7.6/debian/patches/series 2019-05-29 14:55:09.0 
+0200
@@ -1,2 +1,3 @@
 man-page.patch
 desktop-file.patch
+avoid-crash-because-of-missing-return-statement.patch


Bug#929513: marsshooter: Segfaults a few seconds after starting

2019-05-29 Thread Markus Koschany


Am 28.05.19 um 11:05 schrieb Bernhard Übelacker:
[...]
> I tried to have a look at this crash and I think I found something.

Hi Bernhard,

thanks for the patch! Although I still can't reproduce the crash, I
think the patch makes sense and I trust you with your assessment. I have
just uploaded a new revision and intend to request an unblock for Buster.

Regards,

Markus





Bug#929513: marsshooter: Segfaults a few seconds after starting

2019-05-27 Thread Markus Koschany
Hi,

Am 25.05.19 um 10:34 schrieb Jacob Nevins:
> Package: marsshooter
> Version: 0.7.6-3
> Severity: important
> 
> When I start marsshooter, either from the desktop menu or command line,
> it runs for a few seconds (13-18s in my tests), and then segfaults.

I can't reproduce the segfault at the moment. I can play the game just
fine. You could try to install the -dbgsym package which might help us
to get a proper backtrace.

https://wiki.debian.org/HowToGetABacktrace

Regards,

Markus





Bug#929483: robocode: Class not found program wont start

2019-05-24 Thread Markus Koschany
Control: severity -1 grave

On Fri, 24 May 2019 13:45:04 +0200 Bardot Jerome
 wrote:
[...]
> Can't find robocode.core-1.x.jar module near to robocode.jar
> Class path: /usr/share/java/robocode.jar

Thanks for reporting. This is another Java 11 issue. It seems we have to
explicitly add some jar files to the classpath now. This is also known
upstream as

https://sourceforge.net/p/robocode/bugs/407/

I will prepare an update for Buster soon.

Regards,

Markus





Bug#929266: axis: CVE-2019-0227

2019-05-23 Thread Markus Koschany
Hi,

On Mon, 20 May 2019 12:20:31 +0200 Sylvain Beucler  wrote:
> Package: axis
> X-Debbugs-CC: t...@security.debian.org
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for axis.
> 
> CVE-2019-0227[0]:
> | A Server Side Request Forgery (SSRF) vulnerability affected the Apache
> | Axis 1.4 distribution that was last released in 2006. Security and bug
> | commits commits continue in the projects Axis 1.x Subversion
> | repository, legacy users are encouraged to build from source. The
> | successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not
> | vulnerable to this issue.
> 
> The vulnerable 'StockQuoteService.jws' is not present in Debian binary
> packages, however a SSRF mitigation was also committed [1].

I believe the SSRF mitigation should be viewed in the context of the
vulnerable StockQuoteService.jws file. Since we don't ship this file in
our binary packages, I think it is correct to mark the issue as
unimportant. However I agree it is sensible to change
uconn.setInstanceFollowRedirects(true) to
uconn.setInstanceFollowRedirects(false).

I don't think it is likely that this issue is somehow exploited when
using our Debian package. We use axis mainly as a build-dependency for
other packages. We could change the default for
uconn.setInstanceFollowRedirects in Buster but keep it this way in
Jessie and Stretch.

It is nice to know that there is ongoing work on axis1. I think we could
update this package after the freeze and track the new upstream
development at

https://github.com/apache/axis1-java/

Regards,

Markus



signature.asc
Description: OpenPGP digital signature
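
The effect of the uconn.setInstanceFollowRedirects(true) versus (false) setting discussed in the message above, as an added example that is not part of the original thread or of the Axis source. The class name FollowRedirectsDemo, the two loopback servers and the /quote and /internal paths are constructed for the demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class FollowRedirectsDemo {

    // Starts a loopback HTTP server on a free port that answers `path` with a
    // fixed status, optional Location header and body (constructed fixture).
    static HttpServer serve(String path, int status, String location, String body)
            throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext(path, exchange -> {
            byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
            if (location != null) {
                exchange.getResponseHeaders().add("Location", location);
            }
            // A length of -1 tells the server that no response body follows.
            exchange.sendResponseHeaders(status, bytes.length == 0 ? -1 : bytes.length);
            if (bytes.length > 0) {
                try (OutputStream out = exchange.getResponseBody()) {
                    out.write(bytes);
                }
            }
            exchange.close();
        });
        server.start();
        return server;
    }

    // Fetches `url` with the given redirect policy and reports what the caller
    // actually received: either the final body or the unfollowed 3xx answer.
    static String fetch(URL url, boolean followRedirects) throws IOException {
        HttpURLConnection uconn = (HttpURLConnection) url.openConnection();
        uconn.setInstanceFollowRedirects(followRedirects);
        uconn.setConnectTimeout(2000);
        uconn.setReadTimeout(2000);
        try {
            int code = uconn.getResponseCode();
            if (code >= 300 && code < 400) {
                // With redirects disabled the Location header is visible to the
                // caller, who can validate it before deciding to connect.
                return "HTTP " + code + ", not followed, Location="
                        + uconn.getHeaderField("Location");
            }
            try (InputStream in = uconn.getInputStream()) {
                return "HTTP " + code + ", body="
                        + new String(in.readAllBytes(), StandardCharsets.UTF_8);
            }
        } finally {
            uconn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // "internal" stands for a service the caller never meant to reach.
        HttpServer internal = serve("/internal", 200, null, "internal-only data");
        String internalUrl =
                "http://127.0.0.1:" + internal.getAddress().getPort() + "/internal";
        // "front" is the URL the application was asked to fetch; it redirects.
        HttpServer front = serve("/quote", 302, internalUrl, "");
        URL requested = URI.create(
                "http://127.0.0.1:" + front.getAddress().getPort() + "/quote").toURL();
        try {
            System.out.println("follow=true : " + fetch(requested, true));
            System.out.println("follow=false: " + fetch(requested, false));
        } finally {
            front.stop(0);
            internal.stop(0);
        }
    }
}
```

With redirects followed, the body of the second server is returned for a request that named only the first; with them disabled, the caller sees the 302 and its Location header and can apply its own destination check.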


Bug#929457: unblock: jackson-databind/2.9.8-2

2019-05-23 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package jackson-databind

Hi,

I have fixed CVE-2019-12086 in jackson-databind. Please find attached
the debdiff.

Regards,

Markus


unblock jackson-databind/2.9.8-2

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru jackson-databind-2.9.8/debian/changelog 
jackson-databind-2.9.8/debian/changelog
--- jackson-databind-2.9.8/debian/changelog 2018-12-30 11:03:14.0 
+0100
+++ jackson-databind-2.9.8/debian/changelog 2019-05-18 20:31:28.0 
+0200
@@ -1,3 +1,18 @@
+jackson-databind (2.9.8-2) unstable; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2019-12086:
+A Polymorphic Typing issue was discovered in jackson-databind. When
+Default Typing is enabled (either globally or for a specific property) for
+an externally exposed JSON endpoint, the service has the
+mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
+attacker can host a crafted MySQL server reachable by the victim, an
+attacker can send a crafted JSON message that allows them to read arbitrary
+local files on the server. This occurs because of missing
+com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)
+
+ -- Markus Koschany   Sat, 18 May 2019 20:31:28 +0200
+
 jackson-databind (2.9.8-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch 
jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch  1970-01-01 
01:00:00.0 +0100
+++ jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch  2019-05-18 
20:31:28.0 +0200
@@ -0,0 +1,25 @@
+From: Markus Koschany 
+Date: Sat, 18 May 2019 20:29:23 +0200
+Subject: CVE-2019-12086
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929177
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/2326
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024
+---
+ .../com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git 
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 30adb94..a17cdf5 100644
+--- 
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -80,6 +80,9 @@ public class SubTypeValidator
+ s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
+ s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+ 
++// [databind#2326] (2.9.9): one more 3rd party gadget
++s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+ 
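Review bot: the fix is one more entry in DEFAULT_NO_DESER_CLASS_NAMES, added after the JNDIManagedRuntime and JMSOutTransportInfo entries, so it blocks com.mysql.cj.jdbc.admin.MiniAdmin and nothing else. The changelog would be more accurate if it said that services with Default Typing enabled are protected only against the class names on this list. The "(2.9.9)" in the added comment reads as an upstream release number; spell that out, since the package version stays 2.9.8.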
diff -Nru jackson-databind-2.9.8/debian/patches/series 
jackson-databind-2.9.8/debian/patches/series
--- jackson-databind-2.9.8/debian/patches/series1970-01-01 
01:00:00.0 +0100
+++ jackson-databind-2.9.8/debian/patches/series2019-05-18 
20:31:28.0 +0200
@@ -0,0 +1 @@
+CVE-2019-12086.patch


Bug#929402: unblock: debian-games/3

2019-05-22 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package debian-games

debian-games is a collection of metapackages. This update reflects the
latest changes in Buster. Three packages that were recommended by
debian-games will not be part of Debian 10. They are still present in
unstable, so I have changed the recommendations to Suggests.

unblock debian-games/3

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru debian-games-2.6/debian/changelog debian-games-3/debian/changelog
--- debian-games-2.6/debian/changelog   2019-02-10 14:13:56.0 +0100
+++ debian-games-3/debian/changelog 2019-05-20 00:01:59.0 +0200
@@ -1,3 +1,10 @@
+debian-games (3) unstable; urgency=medium
+
+  * Suggest Netbeans, cuyo and holdingnuts because they will not be part of
+Debian 10 "Buster".
+
+ -- Markus Koschany   Mon, 20 May 2019 00:01:59 +0200
+
 debian-games (2.6) unstable; urgency=medium
 
   * games-tasks: Depend on ${misc:Depends}
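Review bot: the version goes from 2.6 to 3 for an upload whose only listed change is moving Netbeans, cuyo and holdingnuts, and the entry says "Suggest" without stating what relationship the three had before. Naming the demotion and the reason for the major version step would make the freeze diff self-explanatory.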
diff -Nru debian-games-2.6/debian/control debian-games-3/debian/control
--- debian-games-2.6/debian/control 2019-02-10 14:13:56.0 +0100
+++ debian-games-3/debian/control   2019-05-20 00:01:59.0 +0200
@@ -387,7 +387,6 @@
 deal,
 dealer,
 gsalliere,
-holdingnuts,
 lmemory,
 openpref,
 pescetti,
@@ -401,6 +400,7 @@
 xsol
 Suggests: dds,
   gnome-games,
+  holdingnuts,
   kdegames,
   python-pydds,
   yahtzeesharp
@@ -734,9 +734,9 @@
 liblwjgl-java,
 libpixels-java,
 libsvgsalamander-java,
-libupnp-java,
-netbeans
+libupnp-java
 Suggests: freecol,
+  netbeans,
   triplea
 Description: development of games in Java
  This metapackage will install a selection of suitable tools and packages to
@@ -1247,7 +1247,6 @@
 bastet,
 blockout2,
 crack-attack,
-cuyo,
 flobopuyo,
 freealchemist,
 frozen-bubble,
@@ -1264,7 +1263,8 @@
 vitetris,
 xbubble,
 xwelltris
-Suggests: kblocks
+Suggests: cuyo,
+  kblocks
 Description: Debian's tetris-like games
  This metapackage will install tetris-like games.
 


Bug#929246: stretch-pu: package librecad/2.1.2-1+b1

2019-05-19 Thread Markus Koschany
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

I would like to fix CVE-2018-19105 in Stretch too. I have prepared an
update, please find attached the debdiff.

Regards,

Markus

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru librecad-2.1.2/debian/changelog librecad-2.1.2/debian/changelog
--- librecad-2.1.2/debian/changelog 2016-09-17 15:53:14.0 +0200
+++ librecad-2.1.2/debian/changelog 2019-05-19 23:17:22.0 +0200
@@ -1,3 +1,13 @@
+librecad (2.1.2-1+deb9u1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-19105:
+A vulnerability was found in LibreCAD, a computer-aided design system,
+which could be exploited to crash the application or cause other
+unspecified impact when opening a specially crafted file. (Closes: #928477)
+
+ -- Markus Koschany   Sun, 19 May 2019 23:17:22 +0200
+
 librecad (2.1.2-1) unstable; urgency=medium
 
   * New upstream release
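Review bot: the entry under "Fix CVE-2018-19105" describes the impact but not the change. Add a line saying the fix is confined to libraries/libdxfrw (drw_header.cpp and libdxfrw.cpp, per the diffstat of CVE-2018-19105.patch) so the scope of the stable update can be judged from the changelog alone.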
diff -Nru librecad-2.1.2/debian/patches/CVE-2018-19105.patch 
librecad-2.1.2/debian/patches/CVE-2018-19105.patch
--- librecad-2.1.2/debian/patches/CVE-2018-19105.patch  1970-01-01 
01:00:00.0 +0100
+++ librecad-2.1.2/debian/patches/CVE-2018-19105.patch  2019-05-19 
23:17:22.0 +0200
@@ -0,0 +1,92 @@
+From: Markus Koschany 
+Date: Thu, 16 May 2019 13:08:48 +0200
+Subject: CVE-2018-19105
+
+Bug-Upstream: https://github.com/LibreCAD/LibreCAD/issues/1038
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928477
+Origin: 
https://github.com/LibreCAD/LibreCAD/commit/6da7cc5f7f31afb008f03dbd11e07207ccd82085
+Origin: 
https://github.com/LibreCAD/LibreCAD/commit/8604f171ee380f294102da6154adf77ab754d403
+---
+ libraries/libdxfrw/src/drw_header.cpp |  8 
+ libraries/libdxfrw/src/libdxfrw.cpp   | 29 +++--
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libdxfrw/src/drw_header.cpp 
b/libraries/libdxfrw/src/drw_header.cpp
+index 1e0530d..6465669 100644
+--- a/libraries/libdxfrw/src/drw_header.cpp
 b/libraries/libdxfrw/src/drw_header.cpp
+@@ -20,6 +20,7 @@ DRW_Header::DRW_Header() {
+ linetypeCtrl = layerCtrl = styleCtrl = dimstyleCtrl = appidCtrl = 0;
+ blockCtrl = viewCtrl = ucsCtrl = vportCtrl = vpEntHeaderCtrl = 0;
+ version = DRW::AC1021;
++curr = NULL;
+ }
+ 
+ void DRW_Header::addComment(std::string c){
+@@ -29,6 +30,13 @@ void DRW_Header::addComment(std::string c){
+ }
+ 
+ void DRW_Header::parseCode(int code, dxfReader *reader){
++if (NULL == curr && 9 != code) {
++DRW_DBG("invalid header code: ");
++DRW_DBG(code);
++DRW_DBG("\n");
++return;
++}
++
+ switch (code) {
+ case 9:
+ curr = new DRW_Variant();
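Review bot: in DRW_Header::parseCode() the new guard for `NULL == curr && 9 != code` drops the malformed group with a bare `return;`, and because the function is `void` the caller cannot tell a rejected header from a parsed one. Consider giving parseCode() a bool result (or setting an error flag on the header object) so the reader can stop at the first invalid code instead of continuing through the file; as written, the DRW_DBG lines are the only trace that anything was rejected.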
+diff --git a/libraries/libdxfrw/src/libdxfrw.cpp 
b/libraries/libdxfrw/src/libdxfrw.cpp
+index 60d6b74..03da2a6 100644
+--- a/libraries/libdxfrw/src/libdxfrw.cpp
 b/libraries/libdxfrw/src/libdxfrw.cpp
+@@ -1839,17 +1839,27 @@ bool dxfRW::processDxf() {
+ DRW_DBG(sectionstr); DRW_DBG("  processDxf\n");
+ //found section, process it
+ if (sectionstr == "HEADER") {
+-processHeader();
++if (!processHeader()) {
++return false;
++}
+ } else if (sectionstr == "CLASSES") {
+ //processClasses();
+ } else if (sectionstr == "TABLES") {
+-processTables();
++if (!processTables()) {
++return false;
++}
+ } else if (sectionstr == "BLOCKS") {
+-processBlocks();
++if (!processBlocks()) {
++return false;
++}
+ } else if (sectionstr == "ENTITIES") {
+-processEntities(false);
++if (!processEntities(false)) {
++return false;
++}
+ } else if (sectionstr == "OBJECTS") {
+-processObjects();
++if (!processObjects()) {
++return false;
++}
+ }
+ }
+ }
+@@ -1875,7 +1885,14 @@ bool dxfRW::processHeader() {
+ iface->addHeader();
+ 

Bug#929177: jackson-databind: CVE-2019-12086

2019-05-18 Thread Markus Koschany
Package: jackson-databind
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

I will take care of this one myself.

The following vulnerability was published for jackson-databind.

CVE-2019-12086[0]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-
| databind 2.x before 2.9.9. When Default Typing is enabled (either
| globally or for a specific property) for an externally exposed JSON
| endpoint, the service has the mysql-connector-java jar (8.0.14 or
| earlier) in the classpath, and an attacker can host a crafted MySQL
| server reachable by the victim, an attacker can send a crafted JSON
| message that allows them to read arbitrary local files on the server.
| This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin
| validation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Please adjust the affected versions in the BTS as needed.






Bug#929174: unblock: neverball/1.6.0+git20180603-2

2019-05-18 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package neverball

Hi,

I would like to fix some graphical issues in Neverball. No code
changes are necessary, I just had to install some png files that were
previously not needed. This is Debian bug #871223.

Thanks

Markus

unblock neverball/1.6.0+git20180603-2

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru neverball-1.6.0+git20180603/debian/changelog 
neverball-1.6.0+git20180603/debian/changelog
--- neverball-1.6.0+git20180603/debian/changelog2019-01-04 
19:38:45.0 +0100
+++ neverball-1.6.0+git20180603/debian/changelog2019-05-18 
15:17:26.0 +0200
@@ -1,3 +1,10 @@
+neverball (1.6.0+git20180603-2) unstable; urgency=medium
+
+  * Install the png files from the geom directory to fix graphical glitches in
+Neverball. (Closes: #871223)
+
+ -- Markus Koschany   Sat, 18 May 2019 15:17:26 +0200
+
 neverball (1.6.0+git20180603-1) unstable; urgency=medium
 
   * New upstream snapshot 1.6.0+git20180603.
diff -Nru neverball-1.6.0+git20180603/debian/neverball-common.install 
neverball-1.6.0+git20180603/debian/neverball-common.install
--- neverball-1.6.0+git20180603/debian/neverball-common.install 2019-01-04 
19:38:45.0 +0100
+++ neverball-1.6.0+git20180603/debian/neverball-common.install 2019-05-18 
15:17:26.0 +0200
@@ -3,11 +3,16 @@
 data/bgm usr/share/games/neverball
 data/geom/back/*.sol usr/share/games/neverball/geom/back
 data/geom/beam/*.sol usr/share/games/neverball/geom/beam
+data/geom/beam/*.png usr/share/games/neverball/geom/beam
 data/geom/flag/*.sol usr/share/games/neverball/geom/flag
+data/geom/flag/*.png usr/share/games/neverball/geom/flag
 data/geom/goal/*.sol usr/share/games/neverball/geom/goal
+data/geom/goal/*.png usr/share/games/neverball/geom/goal
 data/geom/jump/*.sol usr/share/games/neverball/geom/jump
+data/geom/jump/*.png usr/share/games/neverball/geom/jump
 data/geom/mark/*.sol usr/share/games/neverball/geom/mark
 data/geom/vect/*.sol usr/share/games/neverball/geom/vect
+data/geom/vect/*.png usr/share/games/neverball/geom/vect
 data/gui usr/share/games/neverball
 data/iconusr/share/games/neverball
 data/itemusr/share/games/neverball
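Review bot: the added *.png lines cover beam, flag, goal, jump and vect, but data/geom/back and data/geom/mark still install only *.sol. If those two directories also carry textures, the glitches from #871223 would remain for them; confirm they contain no png files or add matching lines.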


Bug#929173: unblock: librecad/2.1.3-1.2

2019-05-18 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package librecad

Hello,

I have fixed CVE-2018-19105 in librecad and I think the new version should be
part of Buster. Please find attached the debdiff.

Regards,

Markus

unblock librecad/2.1.3-1.2

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru librecad-2.1.3/debian/changelog librecad-2.1.3/debian/changelog
--- librecad-2.1.3/debian/changelog 2018-09-17 19:23:30.0 +0200
+++ librecad-2.1.3/debian/changelog 2019-05-16 13:11:05.0 +0200
@@ -1,3 +1,13 @@
+librecad (2.1.3-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-19105:
+A vulnerability was found in LibreCAD, a computer-aided design system,
+which could be exploited to crash the application or cause other
+unspecified impact when opening a specially crafted file. (Closes: #928477)
+
+ -- Markus Koschany   Thu, 16 May 2019 13:11:05 +0200
+
 librecad (2.1.3-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru librecad-2.1.3/debian/patches/CVE-2018-19105.patch 
librecad-2.1.3/debian/patches/CVE-2018-19105.patch
--- librecad-2.1.3/debian/patches/CVE-2018-19105.patch  1970-01-01 
01:00:00.0 +0100
+++ librecad-2.1.3/debian/patches/CVE-2018-19105.patch  2019-05-16 
13:11:05.0 +0200
@@ -0,0 +1,92 @@
+From: Markus Koschany 
+Date: Thu, 16 May 2019 13:08:48 +0200
+Subject: CVE-2018-19105
+
+Bug-Upstream: https://github.com/LibreCAD/LibreCAD/issues/1038
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928477
+Origin: 
https://github.com/LibreCAD/LibreCAD/commit/6da7cc5f7f31afb008f03dbd11e07207ccd82085
+Origin: 
https://github.com/LibreCAD/LibreCAD/commit/8604f171ee380f294102da6154adf77ab754d403
+---
+ libraries/libdxfrw/src/drw_header.cpp |  8 
+ libraries/libdxfrw/src/libdxfrw.cpp   | 29 +++--
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libdxfrw/src/drw_header.cpp 
b/libraries/libdxfrw/src/drw_header.cpp
+index 1e0530d..6465669 100644
+--- a/libraries/libdxfrw/src/drw_header.cpp
 b/libraries/libdxfrw/src/drw_header.cpp
+@@ -20,6 +20,7 @@ DRW_Header::DRW_Header() {
+ linetypeCtrl = layerCtrl = styleCtrl = dimstyleCtrl = appidCtrl = 0;
+ blockCtrl = viewCtrl = ucsCtrl = vportCtrl = vpEntHeaderCtrl = 0;
+ version = DRW::AC1021;
++curr = NULL;
+ }
+ 
+ void DRW_Header::addComment(std::string c){
+@@ -29,6 +30,13 @@ void DRW_Header::addComment(std::string c){
+ }
+ 
+ void DRW_Header::parseCode(int code, dxfReader *reader){
++if (NULL == curr && 9 != code) {
++DRW_DBG("invalid header code: ");
++DRW_DBG(code);
++DRW_DBG("\n");
++return;
++}
++
+ switch (code) {
+ case 9:
+ curr = new DRW_Variant();
+diff --git a/libraries/libdxfrw/src/libdxfrw.cpp 
b/libraries/libdxfrw/src/libdxfrw.cpp
+index 60d6b74..03da2a6 100644
+--- a/libraries/libdxfrw/src/libdxfrw.cpp
 b/libraries/libdxfrw/src/libdxfrw.cpp
+@@ -1839,17 +1839,27 @@ bool dxfRW::processDxf() {
+ DRW_DBG(sectionstr); DRW_DBG("  processDxf\n");
+ //found section, process it
+ if (sectionstr == "HEADER") {
+-processHeader();
++if (!processHeader()) {
++return false;
++}
+ } else if (sectionstr == "CLASSES") {
+ //processClasses();
+ } else if (sectionstr == "TABLES") {
+-processTables();
++if (!processTables()) {
++return false;
++}
+ } else if (sectionstr == "BLOCKS") {
+-processBlocks();
++if (!processBlocks()) {
++return false;
++}
+ } else if (sectionstr == "ENTITIES") {
+-processEntities(false);
++if (!processEntities(false)) {
++return false;
++}
+ } else if (sectionstr == "OBJECTS") {
+-processObjects();
++if (!processObjects()) {
++return false;
++}
+ }
+ }
+ }
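Review bot: the new `if (!processHeader()) return false;` check in processDxf() can only fire if processHeader() itself reports failure, yet the guard this patch adds in DRW_Header::parseCode() returns from a void function, so an invalid header code is not signalled upward through that path. The processHeader() hunk is cut off on this page; check there that a rejected code makes it return false, and that the TABLES, BLOCKS, ENTITIES and OBJECTS readers likewise return false on malformed input.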
+@@ -1875,7 +1885,14 @@ bool dxfRW::processHeader(

Bug#929020: SFTP ProFTPD session terminating after 'mkdir /' after upgrade to 1.3.5e+r1.3.5-2+deb8u1

2019-05-16 Thread Markus Koschany
On Wed, 15 May 2019 13:36:31 +0200 Julian Schustereit
 wrote:
> Package: proftpd-basic
> Version: 1.3.5e+r1.3.5-2+deb8u1
> 
> After the upgrade from version '1.3.5e-0+deb8u1' to '1.3.5e+r1.3.5-2+deb8u1' 
> the sftp session is being terminated when using the command 'mkdir /'.
> 
> Before the upgrade following error message got displayed: 'Couldn't create 
> directory: Failure' and the session stayed active.
> 
> After the upgrade we get the following message from our syslogd displayed in 
> our terminal:
> MKDIR / type=unknown;UNIX.mode=0777;: symbol lookup error: 
> /usr/lib/proftpd/mod_sftp.so: undefined symbol: pr_gid2str

Hello,

thanks for the report. I believe the session is terminating because of
the symbol lookup error. The function pr_gid2str was not backported and
the compiler was happy to accept that. I have changed the log message to
not use this function. The message in general is correct though.

Could you try the new package uploaded to


https://people.debian.org/~apo/proftpd/

and report back if it fixes your problem?

Regards,

Markus





Bug#928477: librecad: denial-of-service CVE-2018-19105

2019-05-16 Thread Markus Koschany
Control: tags -1 pending patch

On Sun, 5 May 2019 16:55:54 +0200 Markus Koschany  wrote:
> Package: librecad
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for librecad.
> 
> CVE-2018-19105[0]:
> | LibreCAD 2.1.3 allows remote attackers to cause a denial of service
> | (0x89C04589 write access violation and application crash) or possibly
> | have unspecified other impact via a crafted file.

Dear maintainer,

I have uploaded a new revision of librecad to fix CVE-2018-19105. I
intend to file an unblock request as well.

Regards,

Markus
diff -Nru librecad-2.1.3/debian/changelog librecad-2.1.3/debian/changelog
--- librecad-2.1.3/debian/changelog 2018-09-17 19:23:30.0 +0200
+++ librecad-2.1.3/debian/changelog 2019-05-16 13:11:05.0 +0200
@@ -1,3 +1,13 @@
+librecad (2.1.3-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-19105:
+A vulnerability was found in LibreCAD, a computer-aided design system,
+which could be exploited to crash the application or cause other
+unspecified impact when opening a specially crafted file. (Closes: #928477)
+
+ -- Markus Koschany   Thu, 16 May 2019 13:11:05 +0200
+
 librecad (2.1.3-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
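Review bot: `urgency=medium` in the 2.1.3-1.2 header line is lower than the `urgency=high` used for the stretch upload of the same CVE-2018-19105 patch (2.1.2-1+deb9u1). If the fix is meant to reach Buster during the freeze, consider the same urgency here, or say in the unblock request why medium is enough.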
diff -Nru librecad-2.1.3/debian/patches/CVE-2018-19105.patch 
librecad-2.1.3/debian/patches/CVE-2018-19105.patch
--- librecad-2.1.3/debian/patches/CVE-2018-19105.patch  1970-01-01 
01:00:00.0 +0100
+++ librecad-2.1.3/debian/patches/CVE-2018-19105.patch  2019-05-16 
13:11:05.00000 +0200
@@ -0,0 +1,92 @@
+From: Markus Koschany 
+Date: Thu, 16 May 2019 13:08:48 +0200
+Subject: CVE-2018-19105
+
+Bug-Upstream: https://github.com/LibreCAD/LibreCAD/issues/1038
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928477
+Origin: 
https://github.com/LibreCAD/LibreCAD/commit/6da7cc5f7f31afb008f03dbd11e07207ccd82085
+Origin: 
https://github.com/LibreCAD/LibreCAD/commit/8604f171ee380f294102da6154adf77ab754d403
+---
+ libraries/libdxfrw/src/drw_header.cpp |  8 
+ libraries/libdxfrw/src/libdxfrw.cpp   | 29 +++--
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libdxfrw/src/drw_header.cpp 
b/libraries/libdxfrw/src/drw_header.cpp
+index 1e0530d..6465669 100644
+--- a/libraries/libdxfrw/src/drw_header.cpp
 b/libraries/libdxfrw/src/drw_header.cpp
+@@ -20,6 +20,7 @@ DRW_Header::DRW_Header() {
+ linetypeCtrl = layerCtrl = styleCtrl = dimstyleCtrl = appidCtrl = 0;
+ blockCtrl = viewCtrl = ucsCtrl = vportCtrl = vpEntHeaderCtrl = 0;
+ version = DRW::AC1021;
++curr = NULL;
+ }
+ 
+ void DRW_Header::addComment(std::string c){
+@@ -29,6 +30,13 @@ void DRW_Header::addComment(std::string c){
+ }
+ 
+ void DRW_Header::parseCode(int code, dxfReader *reader){
++if (NULL == curr && 9 != code) {
++DRW_DBG("invalid header code: ");
++DRW_DBG(code);
++DRW_DBG("\n");
++return;
++}
++
+ switch (code) {
+ case 9:
+ curr = new DRW_Variant();
+diff --git a/libraries/libdxfrw/src/libdxfrw.cpp 
b/libraries/libdxfrw/src/libdxfrw.cpp
+index 60d6b74..03da2a6 100644
+--- a/libraries/libdxfrw/src/libdxfrw.cpp
 b/libraries/libdxfrw/src/libdxfrw.cpp
+@@ -1839,17 +1839,27 @@ bool dxfRW::processDxf() {
+ DRW_DBG(sectionstr); DRW_DBG("  processDxf\n");
+ //found section, process it
+ if (sectionstr == "HEADER") {
+-processHeader();
++if (!processHeader()) {
++return false;
++}
+ } else if (sectionstr == "CLASSES") {
+ //processClasses();
+ } else if (sectionstr == "TABLES") {
+-processTables();
++if (!processTables()) {
++return false;
++}
+ } else if (sectionstr == "BLOCKS") {
+-processBlocks();
++if (!processBlocks()) {
++return false;
++}
+ } else if (sectionstr == "ENTITIES") {
+-processEntities(false);
++if (!processEntities(false)) {
++return false;
++}
+ } else if (sectionstr == "OBJECTS") {
+-processObjects();
++if (!processObjects()) {
++return false;
++}
+ }
+ }
+ }
+@@ -1875,7 +1885,14 @@ bool dxfRW::processH

Bug#928477: librecad: denial-of-service CVE-2018-19105

2019-05-05 Thread Markus Koschany
Package: librecad
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for librecad.

CVE-2018-19105[0]:
| LibreCAD 2.1.3 allows remote attackers to cause a denial of service
| (0x89C04589 write access violation and application crash) or possibly
| have unspecified other impact via a crafted file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19105

Please adjust the affected versions in the BTS as needed.

Regards,

Markus





Bug#925509: netbeans: Netbeans not usable with java in Buster

2019-05-03 Thread Markus Koschany
Hi Jochen,

Am 03.05.19 um 13:47 schrieb Jochen Sprickerhof:
[...]
> This is due to libnb-javaparser-java which is still on the jdk-9
> version. 

[...]

> So one way would be to get this packaged (maybe rename nb-javac-9-*.jar
> to nb-javac-11-*.jar) and convince the release team to include
> this into buster.

Normally we should upgrade libnb-javaparser-java to the JDK 11
compatible version. If I had known such a version existed, I would have
packaged this one in January.

> Another option may be to drop the nb-javac.patch and reopen #920707.
> According to:
> 
> https://cwiki.apache.org/confluence/display/NETBEANS/Java+Editor+Using+JDK+javac
> 
> https://cwiki.apache.org/confluence/display/NETBEANS/Overview%3A+nb-javac
> 
> Netbeans should work without nb-javac (but I really tried it). This
> would trade the #925509 rc bug against a normal bug and we would be able
> to release with buster.
> 
> What do you think?

If we drop the nb-javac.patch we will surely see new bug reports because
the warning confuses people. Your links also mention some caveats when
not using nb-javac, possible code completion errors and whatnot. So the
user is forced to live with those caveats or download nb-javac manually.
The latter solution might be preferable at the moment because of the
freeze, but the point of packaging Netbeans for Debian was that you can
install Netbeans with system libraries. Now you have to download
prebuilt binary files even for core features.

There is also bug #920706 that makes Git unusable. One cannot even work
around it by downloading the plugin from the internet.

So yes, we can do that but I wonder if we should keep Netbeans out of
Buster because it does not live up to the quality of the current version
in Stretch.

Regards,

Markus






Bug#925509: netbeans: Netbeans not usable with java in Buster

2019-05-02 Thread Markus Koschany
Hi,

Am 02.05.19 um 20:56 schrieb Jochen Sprickerhof:
[...]
> I had a look into this and was able to create new projects when I remove the
> nb-javac.patch. @Markus do we really need it?

The nb-javac patch is necessary, otherwise the nb-javac module is not
properly detected at runtime. You should see an error message when you
start Netbeans for the first time then. Did you remove ~/.netbeans and
~/.cache/netbeans before you installed the version without the patch? I
believe you are on the right track though.

Regards,

Markus





Bug#928240: etw: Segmentation fault at start

2019-05-01 Thread Markus Koschany
Thank you very much. I have uploaded a new revision with your patch a
few minutes ago. The game itself appears to work, the settings menu for
the controls is a bit hidden. ETW was originally developed for the
AMIGA, so that may explain some of the oddities.

Regards,

Markus





Bug#927270: proftpd-basic: jessie-security (1.3.5e) breaks directive with AuthAliasOnly

2019-05-01 Thread Markus Koschany
Control: tags -1 confirmed

Thanks for the report. I can confirm this issue is still present in
1.3.6-4. I have reverted to version 1.3.5 in Jessie again, so this
problem should not occur in Jessie anymore.

Regards,

Markus





Bug#928240: etw: Segmentation fault at start

2019-04-30 Thread Markus Koschany
Hi,

Am 01.05.19 um 00:31 schrieb Steinar H. Gunderson:
> On Tue, Apr 30, 2019 at 11:23:52PM +0100, Simon McVittie wrote:
>>> On a quick analysis: It appears that etw tries to find its own path by
>>> opening /proc/self/maps (code is in etw/prefix.c), looking for an executable
>>> mapping (r-xp) that contains the string "", and then looking at the path.
>> This seems unnecessarily complicated? /proc/self/maps is Linux-specific,
>> and if relying on Linux-specific things is acceptable, then
>> evaluating the symlink /proc/self/exe seems a lot easier. (See
>> e.g. Sys_FindExecutableName() in darkplaces.)
> 
> Yes; it seems to be written by someone whose primary experience was with
> Windows, given that it talks about LINUX and not Linux. :-)
> 
> However, given that we are in deep freeze, you probably want the smallest
> possible fix for buster.
> 
> /* Steinar */

Thanks for providing a solution and a way forward. Could you provide a
trivial fix/patch as well? I'm willing to test it and ask the release
team for an unblock. I currently don't understand the underlying issue
and why it was triggered in the first place but I gladly accept patches.

Regards,

Markus
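
The /proc/self/exe approach suggested in the quoted discussion above, as an added example that is not part of this thread and is neither etw's nor darkplaces' code. The names exe_path and exe_dir are hypothetical; the point shown is that readlink() neither NUL-terminates nor reports truncation, so both cases are handled explicitly.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for readlink() under strict -std= modes */
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Store the absolute path of the running executable in out (NUL-terminated).
 * Returns 0 on success, -1 with errno set on failure. Linux-specific.
 * Caveat: if the binary was unlinked while running, the kernel appends
 * " (deleted)" to the link target; this function returns it unchanged.
 */
int exe_path(char *out, size_t size)
{
    ssize_t n;

    if (out == NULL || size < 2) {
        errno = EINVAL;
        return -1;
    }
    n = readlink("/proc/self/exe", out, size);
    if (n < 0)
        return -1;                    /* errno set by readlink() */
    if ((size_t)n >= size) {          /* buffer filled: result may be cut off */
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    out[n] = '\0';                    /* readlink() does not terminate */
    if (out[0] != '/') {              /* expect an absolute path */
        out[0] = '\0';
        errno = ENOENT;
        return -1;
    }
    return 0;
}

/*
 * Store the directory containing the running executable in out.
 * Returns 0 on success, -1 with errno set on failure.
 */
int exe_dir(char *out, size_t size)
{
    char *slash;

    if (exe_path(out, size) != 0)
        return -1;
    slash = strrchr(out, '/');        /* never NULL: out[0] == '/' */
    if (slash == out)
        slash[1] = '\0';              /* executable sits directly in "/" */
    else
        *slash = '\0';
    return 0;
}

int main(void)
{
    char dir[4096];

    if (exe_dir(dir, sizeof dir) != 0) {
        perror("exe_dir");
        return 1;
    }
    printf("data files are looked up relative to: %s\n", dir);
    return 0;
}
```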





Bug#926719: Info received (Bug#926719: SFTP ProFTPD terminating (signal 11) after Update to 1.3.5e-0+deb8u1)

2019-04-30 Thread Markus Koschany
Control: tags -1 pending

Hi,

Am 29.04.19 um 08:29 schrieb Ghislain Adnet:
> hi,
> 
>> https://people.debian.org/~apo/proftpd/
>>
> 
> I was able to install it and connect in sftp like before! :)
> 
>  for the small test done:
> 
> 1/ get the old version and connect ok
> 2/ get the actual one and confirm I still can't log in with it
> 3/ install your version and test I can connect with it
> 
> 
> so your version is working for me.

Thank you for testing the package. I will go ahead now and upload the
new version to Jessie. Afterwards I will prepare a Stretch update too.

Best,

Markus





Bug#926719: Info received (Bug#926719: SFTP ProFTPD terminating (signal 11) after Update to 1.3.5e-0+deb8u1)

2019-04-28 Thread Markus Koschany
On Thu, 25 Apr 2019 13:53:06 +0200 Ghislain Adnet  wrote:
> hi,
> 
>   We are still using the old package not protected from the vulnerability, 
> any idea when sftp on jessie will work again?
>   Is there anything I can do to help it?
> 
> regards,
> Ghislain.

Hello and thanks for your offer. Since I haven't heard back from the
Debian maintainers of proftpd I decided to backport all memory leak and
DoS fixes to the old 1.3.5 version in Jessie. I think it makes no sense
to move forward to 1.3.6 because there is already another reported issue
in #927270 which affects 1.3.6 and 1.3.5e.

So in short even if I backport the latest upstream release to Jessie and
Stretch there will be new bugs and problems depending on your setup.

I have uploaded my new version for Jessie here:

https://people.debian.org/~apo/proftpd/

I would really appreciate it if you could give these packages a try and
report back if they work for you. To the best of my knowledge this
should fix all reported memory leaks but without the regressions
reported in this bug report.

Regards,

Markus





Bug#927901: unblock: lucene-solr/3.6.2+dfsg-19

2019-04-26 Thread Markus Koschany
Control: tags -1 - moreinfo

Am 24.04.19 um 23:08 schrieb Niels Thykier:
[...]
> Hi,
> 
> Thanks for working to improve buster.
> 
> I suspect this change is missing an "rm_conffile" for this misplaced
> configuration file (everything in /etc is by default tagged as a
> conffile for anything built with debhelper).  Could you please have a
> look at that and ensure this part is handled correctly?
> 
> (otherwise, I think the changes look good)
> 
> Thanks,
> ~Niels

Hi Niels,

thanks, you are right. I have uploaded a new revision, -20, that removes
the obsolete conf file with solr-tomcat.maintscript now.

Regards,

Markus
diff -Nru lucene-solr-3.6.2+dfsg/debian/changelog 
lucene-solr-3.6.2+dfsg/debian/changelog
--- lucene-solr-3.6.2+dfsg/debian/changelog 2019-04-19 00:39:36.0 
+0200
+++ lucene-solr-3.6.2+dfsg/debian/changelog 2019-04-25 16:39:14.0 
+0200
@@ -1,3 +1,10 @@
+lucene-solr (3.6.2+dfsg-20) unstable; urgency=medium
+
+  * Team upload.
+  * Remove now obsolete solr-permissions.conf in 
/etc/systemd/system/tomcat9.d/.
+
+ -- Markus Koschany   Thu, 25 Apr 2019 16:39:14 +0200
+
 lucene-solr (3.6.2+dfsg-19) unstable; urgency=medium
 
   * Team upload.
diff -Nru lucene-solr-3.6.2+dfsg/debian/solr-tomcat.maintscript 
lucene-solr-3.6.2+dfsg/debian/solr-tomcat.maintscript
--- lucene-solr-3.6.2+dfsg/debian/solr-tomcat.maintscript   1970-01-01 
01:00:00.0 +0100
+++ lucene-solr-3.6.2+dfsg/debian/solr-tomcat.maintscript   2019-04-25 
16:39:14.0 +0200
@@ -0,0 +1,2 @@
+rm_conffile /etc/systemd/system/tomcat9.d/solr-permissions.conf 3.6.2+dfsg-20~
+
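Review bot: the second line of the new solr-tomcat.maintscript is an empty line; drop it so the file holds only the rm_conffile entry. The prior-version argument 3.6.2+dfsg-20~ matches the version introduced in the changelog hunk, which is what rm_conffile needs in order to act on upgrades from -19 and earlier.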




Bug#927901: unblock: lucene-solr/3.6.2+dfsg-19

2019-04-24 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lucene-solr

I made a mistake when I installed solr-permissions.conf into the wrong
/etc/systemd/system/ directory. This makes solr unusable because
tomcat can't write to /var/lib/solr. A user spotted the error and reported
it here:

https://salsa.debian.org/java-team/lucene-solr/commit/ae53f09f37b18aa836640b256137a3a9e26e186f

The only change is installing this file to
/etc/systemd/system/tomcat9.service.d now which makes it work again.

Regards,

Markus


unblock lucene-solr/3.6.2+dfsg-19

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru lucene-solr-3.6.2+dfsg/debian/changelog 
lucene-solr-3.6.2+dfsg/debian/changelog
--- lucene-solr-3.6.2+dfsg/debian/changelog 2019-03-02 23:02:16.0 
+0100
+++ lucene-solr-3.6.2+dfsg/debian/changelog 2019-04-19 00:39:36.0 
+0200
@@ -1,3 +1,10 @@
+lucene-solr (3.6.2+dfsg-19) unstable; urgency=medium
+
+  * Team upload.
+  * Install solr-permissions.conf into the correct directory.
+
+ -- Markus Koschany   Fri, 19 Apr 2019 00:39:36 +0200
+
 lucene-solr (3.6.2+dfsg-18) unstable; urgency=medium
 
   * Team upload.
diff -Nru lucene-solr-3.6.2+dfsg/debian/solr-tomcat.install 
lucene-solr-3.6.2+dfsg/debian/solr-tomcat.install
--- lucene-solr-3.6.2+dfsg/debian/solr-tomcat.install   2019-03-02 
23:02:16.0 +0100
+++ lucene-solr-3.6.2+dfsg/debian/solr-tomcat.install   2019-04-19 
00:39:36.0 +0200
@@ -1,3 +1,3 @@
 debian/solr-tomcat.xml /etc/solr/
 debian/tomcat.policy /etc/solr/
-debian/solr-permissions.conf /etc/systemd/system/tomcat9.d/
+debian/solr-permissions.conf /etc/systemd/system/tomcat9.service.d/
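Review bot: changing the destination from /etc/systemd/system/tomcat9.d/ to /etc/systemd/system/tomcat9.service.d/ fixes new installs, but nothing in this diff removes the copy that earlier revisions installed under tomcat9.d, and files under /etc are treated as conffiles that stay on disk after an upgrade. Add an rm_conffile entry for the old path in a solr-tomcat.maintscript.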


Bug#927389: unblock: lucene4.10/4.10.4+dfsg-5

2019-04-18 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package lucene4.10

We would like to remove simple-xml from Buster (#888547) because the
package is unmaintained and affected by CVE-2017-1000190. In order to
achieve that the build-dependency on simple-xml in
carrotsearch-randomizedtesting had to be removed which makes
lucene4.10 FTBFS now.

Since carrotsearch-randomizedtesting is only a test dependency, I
have added a patch to fix this problem.

unblock lucene4.10/4.10.4+dfsg-5

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru lucene4.10-4.10.4+dfsg/debian/changelog 
lucene4.10-4.10.4+dfsg/debian/changelog
--- lucene4.10-4.10.4+dfsg/debian/changelog 2019-01-19 23:19:03.0 
+0100
+++ lucene4.10-4.10.4+dfsg/debian/changelog 2019-04-17 00:24:30.0 
+0200
@@ -1,3 +1,12 @@
+lucene4.10 (4.10.4+dfsg-5) unstable; urgency=medium
+
+  * Team upload.
+  * Add carrotsearch-juni4-ant.patch and do not require
+libcarrotsearch-randomizedtesting-java as a test dependency anymore.
+This allows us to remove libsimple-xml-java from Buster.
+
+ -- Markus Koschany   Wed, 17 Apr 2019 00:24:30 +0200
+
 lucene4.10 (4.10.4+dfsg-4) unstable; urgency=medium
 
   * Team upload.
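Review bot: the patch file name "carrotsearch-juni4-ant.patch" in this changelog entry looks like a typo for junit4-ant, the module name used in the carrotsearch-randomizedtesting changelog. The same spelling recurs in the patch Subject line and in debian/patches/series; rename it consistently in all three places.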
diff -Nru lucene4.10-4.10.4+dfsg/debian/patches/carrotsearch-juni4-ant.patch 
lucene4.10-4.10.4+dfsg/debian/patches/carrotsearch-juni4-ant.patch
--- lucene4.10-4.10.4+dfsg/debian/patches/carrotsearch-juni4-ant.patch  
1970-01-01 01:00:00.0 +0100
+++ lucene4.10-4.10.4+dfsg/debian/patches/carrotsearch-juni4-ant.patch  
2019-04-17 00:24:30.0 +0200
@@ -0,0 +1,22 @@
+From: Markus Koschany 
+Date: Sun, 14 Apr 2019 23:09:21 +0200
+Subject: carrotsearch juni4-ant
+
+Do not use com.carrotsearch.randomizedtesting, so that libsimple-xml-java can
+be removed from Buster.
+---
+ test-framework/ivy.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/test-framework/ivy.xml b/test-framework/ivy.xml
+index 7390a0a..ace6359 100644
+--- a/test-framework/ivy.xml
 b/test-framework/ivy.xml
+@@ -33,7 +33,6 @@
+ 
+ 
+ 
+-
+ 
+ 
+  
diff -Nru lucene4.10-4.10.4+dfsg/debian/patches/series 
lucene4.10-4.10.4+dfsg/debian/patches/series
--- lucene4.10-4.10.4+dfsg/debian/patches/series2016-08-03 
18:54:38.0 +0200
+++ lucene4.10-4.10.4+dfsg/debian/patches/series2019-04-17 
00:24:30.0 +0200
@@ -1,3 +1,4 @@
 0005-Revert-upstream-removal-of-deprecated-QueryParser-co.patch
 0006-use-local-artifacts.patch
 0007-missing-hamcrest-dependency.patch
+carrotsearch-juni4-ant.patch
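
Review bot: The new series entry has no numeric prefix, unlike the three existing entries (0005-, 0006-, 0007-). Suggest following the numbered naming so the apply order stays obvious from the file names.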


Bug#927388: unblock: carrotsearch-randomizedtesting/2.1.17-2

2019-04-18 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package carrotsearch-randomizedtesting

We would like to remove simple-xml from Buster (#888547) because the
package is unmaintained and affected by CVE-2017-1000190. In order to
achieve that the build-dependency on simple-xml in
carrotsearch-randomizedtesting had to be removed.

unblock carrotsearch-randomizedtesting/2.1.17-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru carrotsearch-randomizedtesting-2.1.17/debian/changelog 
carrotsearch-randomizedtesting-2.1.17/debian/changelog
--- carrotsearch-randomizedtesting-2.1.17/debian/changelog  2016-10-04 
14:12:44.0 +0200
+++ carrotsearch-randomizedtesting-2.1.17/debian/changelog  2019-04-17 
00:14:54.0 +0200
@@ -1,3 +1,18 @@
+carrotsearch-randomizedtesting (2.1.17-2) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Hilko Bengen ]
+  * Remove myself from Uploaders
+
+  [ Markus Koschany ]
+  * Remove libsimple-xml-java from B-D so this package can be removed from
+Testing.
+  * Ignore org.simpleframework:simple-xml
+  * Ignore junit4-ant module.
+
+ -- Markus Koschany   Wed, 17 Apr 2019 00:14:54 +0200
+
 carrotsearch-randomizedtesting (2.1.17-1) unstable; urgency=medium
 
   * Team upload.
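
Review bot: The bullets "Ignore org.simpleframework:simple-xml" and "Ignore junit4-ant module" do not say that junit4-ant stops being installed by the package, which is the change reverse build-dependencies will notice. Suggest stating that explicitly and referencing the bug that motivates removing libsimple-xml-java from Testing.
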
diff -Nru carrotsearch-randomizedtesting-2.1.17/debian/control 
carrotsearch-randomizedtesting-2.1.17/debian/control
--- carrotsearch-randomizedtesting-2.1.17/debian/control2016-10-04 
13:58:22.0 +0200
+++ carrotsearch-randomizedtesting-2.1.17/debian/control2019-04-17 
00:14:54.0 +0200
@@ -2,7 +2,6 @@
 Section: java
 Priority: optional
 Maintainer: Debian Java maintainers 

-Uploaders: Hilko Bengen 
 Build-Depends:
  debhelper (>= 9),
  default-jdk,
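
Review bot: Removing the Uploaders line leaves the package with only the team address in Maintainer and no named person. Worth confirming that this is intended, or adding a current uploader in the same upload.
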
@@ -20,7 +19,6 @@
  libmaven-dependency-plugin-java,
  libmaven-invoker-plugin-java,
  libmaven-plugin-tools-java (>= 3.2),
- libsimple-xml-java (>> 2.7.1),
  maven
 Standards-Version: 3.9.8
 Vcs-Git: 
https://anonscm.debian.org/git/pkg-java/carrotsearch-randomizedtesting.git
diff -Nru 
carrotsearch-randomizedtesting-2.1.17/debian/libcarrotsearch-randomizedtesting-java.poms
 
carrotsearch-randomizedtesting-2.1.17/debian/libcarrotsearch-randomizedtesting-java.poms
--- 
carrotsearch-randomizedtesting-2.1.17/debian/libcarrotsearch-randomizedtesting-java.poms
2016-10-04 14:09:15.0 +0200
+++ 
carrotsearch-randomizedtesting-2.1.17/debian/libcarrotsearch-randomizedtesting-java.poms
2019-04-17 00:14:54.0 +0200
@@ -27,7 +27,7 @@
 #
 pom.xml --no-parent --has-package-version
 randomized-runner/pom.xml --has-package-version
-junit4-ant/pom.xml --has-package-version
+junit4-ant/pom.xml --ignore
 junit4-maven-plugin/pom.xml --ignore
 junit4-maven-plugin-tests/pom.xml --ignore
 examples/maven/pom.xml --ignore
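
Review bot: Switching junit4-ant/pom.xml from --has-package-version to --ignore removes that artifact from what the package installs, so anything that resolves junit4-ant at build time will fail. Suggest test-building the reverse build-dependencies before upload and coordinating the matching change there.
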
diff -Nru carrotsearch-randomizedtesting-2.1.17/debian/maven.ignoreRules 
carrotsearch-randomizedtesting-2.1.17/debian/maven.ignoreRules
--- carrotsearch-randomizedtesting-2.1.17/debian/maven.ignoreRules  
2016-10-04 14:09:15.0 +0200
+++ carrotsearch-randomizedtesting-2.1.17/debian/maven.ignoreRules  
2019-04-17 00:14:54.0 +0200
@@ -6,3 +6,4 @@
 com.pyx4me proguard-maven-plugin * * * *
 net.sf.proguard proguard * * * *
 org.easytesting fest-assert-core * * * *
+org.simpleframework simple-xml * * * *
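
Review bot: The added rule ignores org.simpleframework simple-xml for every version, type and scope, so it also silences the dependency for any module that is still built. Since junit4-ant is already set to --ignore in the .poms file, suggest confirming that no remaining module declares simple-xml; otherwise the build passes while a dependency is silently missing.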


Bug#927152: teeworlds: CVE-2019-10877 CVE-2019-10878 CVE-2019-10879

2019-04-15 Thread Markus Koschany
Package: teeworlds
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for teeworlds.

CVE-2019-10877[0]:
| In Teeworlds 0.7.2, there is an integer overflow in CMap::Load() in
| engine/shared/map.cpp that can lead to a buffer overflow, because
| multiplication of width and height is mishandled.


CVE-2019-10878[1]:
| In Teeworlds 0.7.2, there is a failed bounds check in
| CDataFileReader::GetData() and CDataFileReader::ReplaceData() and
| related functions in engine/shared/datafile.cpp that can lead to an
| arbitrary free and out-of-bounds pointer write, possibly resulting in
| remote code execution.


CVE-2019-10879[2]:
| In Teeworlds 0.7.2, there is an integer overflow in
| CDataFileReader::Open() in engine/shared/datafile.cpp that can lead to
| a buffer overflow and possibly remote code execution, because size-
| related multiplications are mishandled.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10877
[1] https://security-tracker.debian.org/tracker/CVE-2019-10878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10878
[2] https://security-tracker.debian.org/tracker/CVE-2019-10879
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10879

Please adjust the affected versions in the BTS as needed.

Regards,

Markus
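
The size computation that CVE-2019-10877 and CVE-2019-10879 describe, as an added example that is not Teeworlds code and not part of the original report. The header struct, function names, tile size and dimension limit are assumptions made for illustration; the block contrasts a 32-bit product of attacker-controlled dimensions with a checked computation that is also bounded by the bytes actually present in the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical on-disk layer header; both fields come from the file. */
struct layer_hdr {
    int32_t width;
    int32_t height;
};

#define TILE_SIZE 4u   /* assumed bytes per tile */
#define MAX_DIM   8192 /* assumed sanity limit per axis */

/* Unchecked form: the product is computed in 32 bits and silently wraps,
 * so the allocation size no longer matches the number of tiles. */
static uint32_t tile_bytes_unchecked(const struct layer_hdr *h)
{
    return (uint32_t)h->width * (uint32_t)h->height * TILE_SIZE;
}

/* Checked form: returns 0 and stores the byte count on success, -1 when the
 * header is inconsistent. Every multiplication is guarded by a division
 * test, and the result must fit in the data the file really contains. */
static int tile_bytes_checked(const struct layer_hdr *h, size_t avail,
                              size_t *out)
{
    if (h->width <= 0 || h->height <= 0)
        return -1;
    if (h->width > MAX_DIM || h->height > MAX_DIM)
        return -1;

    size_t w = (size_t)h->width;
    size_t ht = (size_t)h->height;
    if (w > SIZE_MAX / ht)
        return -1;
    size_t tiles = w * ht;
    if (tiles > SIZE_MAX / TILE_SIZE)
        return -1;
    size_t bytes = tiles * TILE_SIZE;

    if (bytes > avail) /* header claims more data than the file holds */
        return -1;
    *out = bytes;
    return 0;
}

/* Copies the tile data out of the file buffer only after validation.
 * Returns a malloc'd buffer (caller frees) or NULL on rejection. */
static unsigned char *load_layer(const struct layer_hdr *h,
                                 const unsigned char *data, size_t avail,
                                 size_t *out_len)
{
    size_t n;
    if (tile_bytes_checked(h, avail, &n) != 0)
        return NULL;
    unsigned char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, n);
    *out_len = n;
    return buf;
}

int main(void)
{
    /* Constructed header: 32769 * 32768 * 4 exceeds 2^32 by 131072. */
    struct layer_hdr big = { 32769, 32768 };
    size_t n = 0;

    printf("unchecked size: %u bytes\n", (unsigned)tile_bytes_unchecked(&big));
    printf("checked result: %d\n", tile_bytes_checked(&big, 1u << 20, &n));
    return 0;
}
```
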





Bug#926719: SFTP ProFTPD terminating (signal 11) after Update to 1.3.5e-0+deb8u1

2019-04-15 Thread Markus Koschany
Hello,

Am 15.04.19 um 12:51 schrieb Timo Müller:
> Hello,
> 
> after testing with different working and not working configs of proftpd we 
> think we found a workaround.
> 
> The login is working with the following config:

I was also working on proftpd at the weekend and tried to gather more
information about this failure. Apparently it is not a general issue but
can only be triggered with certain configuration options. I found an
older Debian bug report that seems to describe a similar problem.

https://bugs.debian.org/839880

However the resolution was to upgrade to 1.3.6 and upstream did not
backport the fix to the 1.3.5 branch. I was under the impression 1.3.5
was a long-term supported branch but apparently I was wrong.

In #839880 one bug reporter mentioned that disabling PAM had no effect.
So in fact there could be more than one bug we are talking about now.

The changelog diff between 1.3.5e and 1.3.6 mentions a PAM related bug fix.

https://fossies.org/diffs/proftpd/1.3.5e_vs_1.3.6/ChangeLog-diff.html

At the moment I see two options to move forward.

I can either backport the current version of proftpd in Buster (1.3.6-4)
as I had initially intended which will most likely fix those issues or I
revert back to the previous version and try harder to fix the memory
leaks reported in

https://bugs.debian.org/923926

with targeted patches, the reason why we upgraded proftpd in the first
place. Unfortunately it is not clear what commit exactly addressed the
memory leaks, at one point someone just stated it works with 1.3.5d.

Maintainers of proftpd-dfsg, what is your preference?

Regards,

Markus






Bug#926586: ublock-origin: separate packages for Firefox and Chromium may be necessary

2019-04-15 Thread Markus Koschany
Hi,

Am 15.04.19 um 04:08 schrieb Paul Wise:
> On Sun, 07 Apr 2019 13:46:33 +0200 Markus Koschany wrote:
> 
>> Thoughts?
> 
> There is a better option for this:
> 
> Keep the one package but install a different manifest.json into the
> Firefox and Chrome extension directories. This should work since
> Firefox and Chrome look for their extensions in different directories.
> The only issue with this workaround is that it involves instead of just
> symlinking the directory, symlinking every file except manifest.json.
> The per-browser manifest.json should probably be created at build time.

True, that could work although we had some issues with Firefox, symlinks
and sandboxing in the past. For instance a symlink to font files doesn't
work. The advantage of two separate packages is that I can just use the
provided scripts in tools, tools/make-firefox.sh and
tools/make-chromium.sh to create the package. I presume upstream will
remove tools/make-webext.sh and the platform/webext directory. In
consequence I have to check every time whether there are other
differences between the Firefox or Chromium version of ublock-origin and
probably have to create my own webext.sh script. It's not just about the
manifest file, there is also some javascript code that can be different.

> PS: I think these incompatibilities should be communicated to the
> Chromium and Firefox developers so they can do something about it.

The Firefox developers are aware of the problem.

https://bugzilla.mozilla.org/show_bug.cgi?id=1380812

They simply don't support the complete webextension spec (yet?)

Regards,

Markus





Bug#888547: CVE-2017-1000190

2019-04-14 Thread Markus Koschany
Hi,

Am 13.04.19 um 11:31 schrieb Ivo De Decker:
[...]
> Is it possible to remove the test-dependency (probably by disabling the
> tests)? That way simple-xml could be removed from buster. Even if we don't do
> this for buster, it might be good to do this for bullseye anyway, if the
> package isn't really maintained.

Simple-xml is only required to build carrotsearch-randomizedtesting. It
is not a test-dependency though. However I have just disabled the only
module in carrotsearch-randomizedtesting that uses simple-xml, which is
junit4-ant.

If we do that then lucene4.10 will FTBFS but it requires only a simple
patch to tell the build system not to look for the now missing
junit4-ant dependency. Apparently the removal makes no difference for
lucene4.10. I can implement those changes in the coming days.

Regards,

Markus





Bug#927029: graphicsmagick: Multiple heap-based buffer over-reads

2019-04-13 Thread Markus Koschany
Package: graphicsmagick
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for graphicsmagick.

CVE-2019-11005[0]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based
| buffer overflow in the function SVGStartElement of coders/svg.c, which
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a quoted font
| family value.


CVE-2019-11006[1]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer over-read in the function ReadMIFFImage of coders/miff.c, which
| allows attackers to cause a denial of service or information
| disclosure via an RLE packet.


CVE-2019-11007[2]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer over-read in the ReadMNGImage function of coders/png.c, which
| allows attackers to cause a denial of service or information
| disclosure via an image colormap.


CVE-2019-11008[3]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer overflow in the function WriteXWDImage of coders/xwd.c, which
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a crafted image
| file.


CVE-2019-11009[4]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer over-read in the function ReadXWDImage of coders/xwd.c, which
| allows attackers to cause a denial of service or information
| disclosure via a crafted image file.


CVE-2019-11010[5]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory leak in
| the function ReadMPCImage of coders/mpc.c, which allows attackers to
| cause a denial of service via a crafted image file.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11005
[1] https://security-tracker.debian.org/tracker/CVE-2019-11006
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11006
[2] https://security-tracker.debian.org/tracker/CVE-2019-11007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11007
[3] https://security-tracker.debian.org/tracker/CVE-2019-11008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11008
[4] https://security-tracker.debian.org/tracker/CVE-2019-11009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11009
[5] https://security-tracker.debian.org/tracker/CVE-2019-11010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11010

Please adjust the affected versions in the BTS as needed.

Regards,

Markus





Bug#926719: SFTP ProFTPD terminating (signal 11) after Update to 1.3.5e-0+deb8u1

2019-04-11 Thread Markus Koschany
I just found this bug report which may be related:

https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1794605


Can someone confirm that using RSA keys instead of

SFTPHostKey /etc/ssh/ssh_host_ecdsa_key

works for you?





Bug#926719: SFTP ProFTPD terminating (signal 11) after Update to 1.3.5e-0+deb8u1

2019-04-11 Thread Markus Koschany
Hello,

Am 11.04.19 um 22:59 schrieb Hilmar Preuße:
[...]
> Your latest upload to Debian oldstable introduced a new bug: the proftp
> server now crashes, upon SSH connections. As I don't have an oldstable
> system at hand: are you able to reproduce the issue using the package
> you built?

I cannot reproduce this issue. The Proftpd sftp server works fine on my
local system and I can connect with a local user. Signal 11 means there
is a segfault but I did not make any extra modifications to the upstream
code.

Could you send me your sftp configuration snippet for proftpd and tell
me more about your setup? How can you connect via command-line sftp but
not via filezilla?

Best regards,

Markus





Bug#924291: closed by Markus Koschany (Bug#924291: fixed in netrek-client-cow 3.3.1-3)

2019-04-10 Thread Markus Koschany
Hello Helmut,

Am 10.04.19 um 06:33 schrieb Helmut Grohne:
> Control: reopen -1
> 
> Hi Markus,
> 
> On Sun, Mar 24, 2019 at 01:09:06PM +, Debian Bug Tracking System wrote:
>>* Fix infinite loop patch. Really (Closes: #924291)
> 
> As much as I hate to say this, it still loops. You can see failing
> (cross) builds at http://crossqa.debian.net/src/netrek-client-cow. All
> of them were terminated by manual intervention.
> 
> Remember: I'm not asking for netrek-client-cow to cross build. I'm
> asking for it to fail sanely.
> 
> The current version loops like this:
> 
> | /bin/sh: 1: ./mkkey: Exec format error
> | /bin/sh: 1: attempts: not found
> | /bin/sh: 1: test: -le: unexpected operator

I don't know why this happens now and on what system but I thought the
last update of the possible-infinite-loop.patch was correct.

> My initial report asked for what this key is being used for. It still
> seems strange to me to generate a key at build time and then distribute
> it to many users. Could you provide an initial answer on the purpose of
> this thing?

The answer is I'm not sure and I don't think it is important. I am not
the sole maintainer and just someone who didn't want to have the game
removed because of this bug. This game is more than 20 years old and the
package used to work in the past. The upstream servers are still online.
It can be reasonably rebuilt and modified and at the moment it even
builds on all Debian architectures.

Hence for me this is a very minor issue and not worth the time
exploring. I understand that you work on a part in Debian where such
issues are taken more seriously and I appreciate the work you're doing
in this field but I wished you guys would sometimes take a step back to
see the bigger picture and understand what is important for other
developers and users.

1. Can I rebuild the game and make modifications on my system? Yes.
2. Can it be rebuilt on official Debian infrastructure? Yes.

These are all factors worth considering before I raise the severity to
release-critical and route more developer time to this problem.

> It feels a little strange to invest a longer thread into something that
> should not be there (in my book). Would it be ok to pursue that question
> first?

If you come to the conclusion that the key is not important and not
really needed at all and the game keeps working as before, you always
can, especially as a member of the Games team, upload a new revision of
the package. It's not like we are against fixing bugs, when others lend
us a helping hand.

Regards,

Markus






Bug#926688: unblock: robocode/1.9.3.3-2

2019-04-08 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package robocode

Robocode in Buster is affected by CVE-2019-10648. The fix applied
cleanly and all tests pass. This is Debian bug 926088.

Thank you.

unblock robocode/1.9.3.3-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru robocode-1.9.3.3/debian/changelog robocode-1.9.3.3/debian/changelog
--- robocode-1.9.3.3/debian/changelog   2018-09-13 13:52:33.0 +0200
+++ robocode-1.9.3.3/debian/changelog   2019-04-08 00:13:19.0 +0200
@@ -1,3 +1,13 @@
+robocode (1.9.3.3-2) unstable; urgency=medium
+
+  * Fix CVE-2019-10648:
+Robocode allows remote attackers to cause external service interaction
+(DNS), as demonstrated by a query for a unique subdomain name within an
+attacker-controlled DNS zone, because of a .openStream call within
+java.net.URL. (Closes: #926088)
+
+ -- Markus Koschany   Mon, 08 Apr 2019 00:13:19 +0200
+
 robocode (1.9.3.3-1) unstable; urgency=medium
 
   * New upstream version 1.9.3.3.
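
Review bot: The new entry restates the CVE description but does not say what was changed to fix it. Suggest adding one line that names the changed class, RobocodeSecurityManager, so the changelog records the fix as well as the flaw.
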
diff -Nru robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch 
robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch
--- robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch1970-01-01 
01:00:00.0 +0100
+++ robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch2019-04-08 
00:13:19.0 +0200
@@ -0,0 +1,235 @@
+From: Markus Koschany 
+Date: Mon, 8 Apr 2019 00:11:33 +0200
+Subject: CVE-2019-10648
+
+Bug-Debian: https://bugs.debian.org/926088
+Origin: 
https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd
+---
+ .../host/security/RobocodeSecurityManager.java | 26 ++--
+ .../src/main/java/tested/robots/DnsAttack.java | 18 +
+ .../test/robots/TestConstructorHttpAttack.java | 11 +++---
+ .../sf/robocode/test/robots/TestHttpAttack.java| 11 +++---
+ .../robots/TestStaticConstructorDnsAttack.java | 46 ++
+ 5 files changed, 96 insertions(+), 16 deletions(-)
+ create mode 100644 
robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+ create mode 100644 
robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+
+diff --git 
a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
 
b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+index bc4c85a..ebd23e9 100644
+--- 
a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
 
b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+@@ -12,7 +12,9 @@ import net.sf.robocode.host.IHostedThread;
+ import net.sf.robocode.host.IThreadManager;
+ import net.sf.robocode.io.RobocodeProperties;
+ 
++import java.net.SocketPermission;
+ import java.security.AccessControlException;
++import java.security.Permission;
+ 
+ 
+ /**
+@@ -49,7 +51,6 @@ public class RobocodeSecurityManager extends SecurityManager 
{
+   }
+ 
+   Thread c = Thread.currentThread();
+-
+   if (isSafeThread(c)) {
+   return;
+   }
+@@ -84,7 +85,7 @@ public class RobocodeSecurityManager extends SecurityManager 
{
+   if (robotProxy != null) {
+   robotProxy.punishSecurityViolation(message);
+   }
+-  throw new AccessControlException(message);
++  throw new SecurityException(message);
+   }
+   }
+ 
+@@ -94,7 +95,6 @@ public class RobocodeSecurityManager extends SecurityManager 
{
+   return;
+   }
+   Thread c = Thread.currentThread();
+-
+   if (isSafeThread(c)) {
+   return;
+   }
+@@ -123,9 +123,27 @@ public class RobocodeSecurityManager extends 
SecurityManager {
+   String message = "Robots are only allowed to create up 
to 5 threads!";
+ 
+   robotProxy.punishSecurityViolation(message);
+-  throw new AccessControlException(message);
++  throw new SecurityException(message);
+   }
+   }
++  
++public void checkPermission(Permission perm) {
++  if (RobocodeProperties.isSecurityOff()) {
++  return;
++  }
++  Thread c = Thread.currentThread();
++  if (isSafeThread(c)) {
++  return;
++  }
++super.checkPermission(perm);
++
++if (perm instanceof Socket

Bug#916145: closure-compiler: Not working with recent JS code

2019-04-07 Thread Markus Koschany
Am 07.04.19 um 20:36 schrieb Adrian Bunk:
> On Sun, Apr 07, 2019 at 11:12:30AM -0700, tony mancill wrote:
>> ...
>> Somewhat related, given that closure-compiler upstream releases about
>> once a month on average, perhaps it is a candidate for doing Something
>> Different.
> 
> That's pretty normal for a package, and we aren't even close to the 
> point where this would matter:
> 
> It is by design that stretch ships 2016 versions of packages and
> buster ships 2018 versions of packages.
> 
> But stretch and buster shipping a 2013 version of a package with more 
> recent versions means that even the version in stretch is 3 years
> older than it could be.

What tony wanted to imply is that closure-compiler requires more
maintenance effort than other packages and releases more frequently
which means more changes, more often, more new build-dependencies and
more work. The day is only 24 hours long for all of us. The maintainer
who introduced this package left the team shortly afterwards and tony
just spent some of his time to keep this package in Debian (a real team
effort) because it seems useful for other packages. Those who contribute
nothing to the packaging work, which also means packaging new
build-dependencies and making sure that r-deps continue to work, have
absolutely no right to complain about how up-to-date a package is.

>> Maybe a closure-compiler-installer package or something like that?
>> ...
> 
> The main user of the version currently in buster/unstable are reverse 
> dependencies inside Debian. And some are already blocked by the outdated 
> version.

This is the only reason why this package is still in Debian and
apparently closure-compiler seems to work for those packages, otherwise
the maintainers would have noticed it, I guess? So it is still useful
for its main purpose, being a build-dependency for other packages,
although heavily outdated.

The only positive way forward is to update this package and its
reverse-dependencies. The less positive way is to remove the package
from Debian. Just to be clear, personally I don't mind but the timing is
bad. Maintainers of reverse-dependencies should have had a chance to
contribute a fix or ensure that their packages work without
closure-compiler but it looks to me it never happened. So as long as
those r-deps are useful and work correctly, bug #916145 is not RC.

> closure-compiler-installer would force such packages out of main.

We know that. At least it would give users "something", that's the quick
and dirty approach. IMO this would be the perfect fit for our "bikeshed"
or the currently discussed Debian User Repository idea. However it isn't
implemented yet.








Bug#926586: ublock-origin: separate packages for Firefox and Chromium may be necessary

2019-04-07 Thread Markus Koschany
Source: ublock-origin
Version: 1.18.4+dfsg-2
Severity: wishlist

adding Sean to CC, perhaps he has some ideas too as the previous
maintainer.

Hi,

I was asked by upstream if we could package uBo for Firefox and
Chromium in separate packages again. The reasoning is that we had
recently two severe bugs in ublock-origin that broke the addon for
Firefox users (#925337 and #920652).

There are sometimes subtle and bigger differences between these two web
browsers. A seemingly simple configuration option in the manifest file
(#925337) disabled the addon completely or some code had to be
rewritten so it could be used for both browsers (vapi-webrequest.js in
#920652).

Upstream maintains the webext version of uBo because we asked him to
do that. I assume it was to simplify the Debian packaging, creating
one package that works for both browsers. This is obviously extra work
for upstream. Now we have a situation where we can't work around the
problem. The Firefox web browser does not support the incognito:split
option while Chromium does. Upstream told me that the alternative
option which is supported by both browsers, incognito:spanning,
breaks Chromium for certain use cases.

What are we going to do?

1. Is there a way to load or disable certain manifest file options for
a specific browser? If yes, we could probably continue the current
approach.

2. Would it be better to create two packages again? How can we make
sure that users still can use both web browsers at the same time with
ublock-origin? We would have to install both packages into different
directories. How can we make sure they are properly detected?

3. We could keep the current installation paths but then we would have to use
Conflicts because it would not be possible to install both packages at the
same time anymore.

Thoughts?

Markus



Bug#871223: [871223] neverball: Strange squares instead of stars in the goals point

2019-04-05 Thread Markus Koschany
On Wed, 20 Mar 2019 17:50:39 + Qwerty Chouskie
 wrote:
> After much research at 
> https://github.com/Neverball/neverball/issues/170, it seems this issue 
> only affects the Debian package for some reason, likely a weird compiler 
> bug or such.  Anyways, the solution seems to be a rebuild of the 
> package.  No changes are needed, just re-compiling seems to fix the 
> issue.  If a maintainer can do this, the bug can be closed.

Just for the record: A rebuild doesn't change anything. I don't believe
that is a compiler bug. More likely it is related to libgl1-mesa-glx
[libgl1].







Bug#923926: proftpd has memory leaks, allows Denial-Of-Service attack

2019-04-05 Thread Markus Koschany
Am 05.04.19 um 13:56 schrieb Francesco P. Lovergine:
[...]
> That should be definitely the easiest solution. Of course 1.3.5e does
> not strictly fix only those three leaks, so that update could be non
> acceptable for a secteam upload.

The security team has marked this issue as no-dsa, so stretch-pu is the
only route for an update now. I also tried to backport the specific
fixes for those leaks first but the changes were quite invasive and time
consuming. In my opinion the update to 1.3.5e is the better solution and
I hope I can convince the release team.






Bug#923926: proftpd has memory leaks, allows Denial-Of-Service attack

2019-04-05 Thread Markus Koschany
Hi,

Am 29.03.19 um 16:44 schrieb Francesco P. Lovergine:
> On Thu, Mar 28, 2019 at 01:49:51PM +0100, Markus Koschany wrote:
>> Hello Francesco,
>>
>> I intend to upgrade proftpd in Jessie to fix the memory leaks and
>> another unrelated issue. I think it would be best to backport the
>> version in testing. If you agree, I could also update proftpd in stable.
>> Please let me know if I can proceed.
>>
> 
> A conservative approach would be using latest 1.3.5 version, instead of
> 1.3.6.

I have backported version 1.3.5e to Stretch. I don't have access to the
Git repository but I have uploaded the new package to people.debian.org.

https://people.debian.org/~apo/proftpd/

where you can grab the sources. There were at least three different
memory leak issues that were fixed. Two of them are related to the
mod_sftp module and this bug report, another one was in mod_facl. I
intend to contact the release team next week for a stretch-pu.

Regards,

Markus





Bug#926423: webext-https-everywhere: Possible issue with https-everywhere crashing Firefox-ESR tabs.

2019-04-04 Thread Markus Koschany
Hi,

Am 04.04.19 um 23:32 schrieb Damon Thomas:
> Package: webext-https-everywhere
> Version: 2019.1.31-2
> Severity: normal
> 
> Dear Maintainer,
> 
> I was having issues with frequent "Gah. Your Tab Just Crashed" Firefox-ESR 
> errors.  
> This persisted through the recent FF-ESR point upgrade.  After disabling 
> https-everywhere this issue has stopped.  I had no similar problems with 
> Chromium 
> using this package. 
> 
> Damon Thomas
> 

I think those issues are not Debian specific. We don't make any changes
to the upstream code. Could you please report a new issue here:

https://github.com/EFForg/https-everywhere/issues/

and then also include the information on which sites this occurred and
how it is reproducible. The developers of https-everywhere are more able
to track this down. Then just send us the link to the upstream bug
report, so that we can follow up if necessary.

Thanks

Markus





Bug#925509: netbeans: Netbeans not usable with java in Buster

2019-04-02 Thread Markus Koschany
Hello Jaroslav,

On Mon, 01 Apr 2019 09:03:31 +0200 Jaroslav Tulach
 wrote:
[...]
> Hello Markus,
> it would be better to have a whole NetBeans log file instead of just the 
> stack 
> trace. Then we could see classpath, list of enabled modules and maybe deduce 
> more.
> 
> Best regards.
> -jt

I think it's easy to reproduce. Just try to create a new Java project
with the Debian package. I believe this could be related to the removal
of langtools-9.zip in Debian. This is yet another file which is
downloaded at build-time. As far as I understand it, it is required to
build certain classes of Netbeans with the older OpenJDK 9 API. If I
include this file and remove the Debian specific langtools-9.patch I get
more compile errors later on. The build log is attached. It looks like
an error in src:libnb-platform18-java too. Netbeans depends on the
platform packages built by this source package.

Regards,

Markus


libnb-platform18-java_10.0+ds-1_amd64.build.gz
Description: application/gzip




Bug#923759: Update

2019-03-31 Thread Markus Koschany
Hi,

Am 31.03.19 um 20:59 schrieb Dominik Stadler:
> I think the current changes do not properly fix this, I created
> https://salsa.debian.org/java-team/netlib-java/merge_requests/2 with the
> set of changes based on previous patches that I think would make the
> classes be built again and also improve error handling slightly to make
> it easier to spot the actual error during building.

The latest revision of netlib-java does fix the class file generation
bug. It was already accepted by the release team. Your other changes can
be included in a future update of the package. I'm sure Andreas (CCed)
is interested in patches and will merge them.

Regards,

Markus





Bug#926122: nuget: CVE-2019-0757 tampering vulnerability

2019-03-31 Thread Markus Koschany
Package: nuget
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nuget.

CVE-2019-0757[0]:
A tampering vulnerability exists in NuGet software when executed in a
Linux or Mac environment. An attacker who successfully exploited the
vulnerability could run arbitrary code in the context of the current user.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0757
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0757

Please adjust the affected versions in the BTS as needed.

Regards,

Markus




signature.asc
Description: OpenPGP digital signature


Bug#925327: gpsd: CVE-2018-17937

2019-03-30 Thread Markus Koschany
Hi,

On Sat, 30 Mar 2019 08:32:34 +0100 Salvatore Bonaccorso
 wrote:
> Hi Bernd,
> 
> On Fri, Mar 29, 2019 at 10:54:50PM +0100, Bernd Zeimetz wrote:
> > Hi Salvatore,
> > 
> > > The following vulnerability was published for gpsd, not completely sure
> > > on severity and on if the referenced upstream commit is enough.
> > > Ideally though the fix seems ideal to go to buster.
> > 
> > I've tried to get more information out of Upstream, but did not get a
> > reply yet. So I'll prepare an upload with the mentioned commit. Looking
> > through the commit logs from gpsd it seems to be the only relevant one.
> 
> Ack thank you for investigating, I was neither more successful to
> determine if that's enough.
> 
> Cc'ing the security team alias, if anyone has more ideas.

I think I would also backport

http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=9b3724cb7bca7a0776bcb9b054cd1d8d736278a4

and

http://git.savannah.nongnu.org/cgit/gpsd.git/commit/json.c?id=317375877576b10fd5312a7b0dec4a192881eead

for good measure.

But I agree that the essential fix seems to be

http://git.savannah.nongnu.org/cgit/gpsd.git/commit/?id=7646cbd04055a50b157312ba6b376e88bd398c19

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#926014: bwa: CVE-2019-10269

2019-03-30 Thread Markus Koschany
Package: bwa
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bwa.

CVE-2019-10269[0]:
| BWA (aka Burrow-Wheeler Aligner) before 2019-01-23 has a stack-based
| buffer overflow in the bns_restore function in bntseq.c via a long
| sequence name in a .alt file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10269

Please adjust the affected versions in the BTS as needed. Only Stretch
and later versions are affected.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#925337: Upload to unstable?

2019-03-29 Thread Markus Koschany
Hi,

Am 29.03.19 um 18:22 schrieb Eugen Dedu:
> On 29/03/2019 17:55, Markus Koschany wrote:
>> Am 29.03.19 um 17:38 schrieb Eugen Dedu:
>>> Wouldn't it make sense to upload to unstable instead of experimental?
>>> Currently, firefox 66 is in unstable, and does not work with ublock
>>> origin from unstable.  People who track unstable have to figure out that
>>> they need to install ublock origin from experimental to make it work
>>> with firefox.
>>
>> I am sorry but Debian development is frozen. If someone discovers an
>> issue in ublock-origin that affects the Firefox ESR browser in testing,
>> I have to make an upload to unstable first which would replace the old
>> version in unstable. Also there is an easy workaround: just use Firefox
>> ESR for now, if you don't want to use the experimental version.
> 
> I am not sure that I have well understood the situation, so sorry if I
> am wrong.  I put myself in the place of debian users.
> 
> Currently in unstable we have two dependent packages which do not work
> together.  This is not what users expect: they expect debian to just
> work, not bothering with installing some package from experimental to
> make an unstable package work.

[...]

To be frank here: Debian unstable is called "unstable" for a reason.
Most of the time it works very well and you will always get the latest
software. But sometimes things don't work. In this case Firefox 66 is
incompatible with Debian's ublock-origin package because the key-value
"incognito: split" in the webext manifest file is no longer valid. Before
FF 66 there was only a warning, now it is fatal.

If I upload the package to unstable, chromium users will now be affected
by a regression because I removed this key-value which works perfectly
fine for Chromium users.

https://github.com/uBlockOrigin/uBlock-issues/issues/486

But what is more important is Debian testing, the next stable release.
Ublock-origin works fine with Firefox ESR and Chromium in testing. As I
said if a problem is discovered in testing then the fix must be minimal.
Before a package migrates to testing it must be in unstable. During a
freeze uploads that don't fix something in testing are discouraged hence
I uploaded ublock-origin to experimental. Unstable is for experienced
users who can deal with such situations.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#925337: Upload to unstable?

2019-03-29 Thread Markus Koschany
Am 29.03.19 um 17:38 schrieb Eugen Dedu:
> Wouldn't it make sense to upload to unstable instead of experimental?
> Currently, firefox 66 is in unstable, and does not work with ublock
> origin from unstable.  People who track unstable have to figure out that
> they need to install ublock origin from experimental to make it work
> with firefox.

I am sorry but Debian development is frozen. If someone discovers an
issue in ublock-origin that affects the Firefox ESR browser in testing,
I have to make an upload to unstable first which would replace the old
version in unstable. Also there is an easy workaround: just use Firefox
ESR for now, if you don't want to use the experimental version.






signature.asc
Description: OpenPGP digital signature


Bug#925964: activemq: CVE-2019-0222

2019-03-29 Thread Markus Koschany
Package: activemq
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for activemq.

CVE-2019-0222[0]:
| In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame
| can lead to broker Out of Memory exception making it unresponsive.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222

Please adjust the affected versions in the BTS as needed.

Regards,

Markus





signature.asc
Description: OpenPGP digital signature


Bug#923926: proftpd has memory leaks, allows Denial-Of-Service attack

2019-03-28 Thread Markus Koschany
Hello Francesco,

I intend to upgrade proftpd in Jessie to fix the memory leaks and
another unrelated issue. I think it would be best to backport the
version in testing. If you agree, I could also update proftpd in stable.
Please let me know if I can proceed.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#925509: netbeans: Netbeans not usable with java in Buster

2019-03-27 Thread Markus Koschany
Control: forcemerge 925509 925510
Control: severity -1 serious

Am 25.03.19 um 23:26 schrieb Wouter Wijsman:
[...]
> A java.lang.NoSuchMethodError exception has occurred.
> Please report this at 
> https://issues.apache.org/jira/projects/NETBEANS/issues,
> including a copy of your messages.log file as an attachment.
> The messages.log file is located in your
> /home/wouter/.netbeans/10.0/var/log folder.
> 
> The full log can be found here: https://pastebin.com/0wgJNt15
> 
> I hope that helps. I can provide more information if needed.

Hello and thanks for reporting!

java.lang.NoSuchMethodError:
com.sun.tools.javadoc.main.JavadocClassFinder: method
(Lcom/sun/tools/javac/util/Context;)V not found

This looks like an incompatibility with Java 11.

Jaroslav and Jan, might this be related to nb-javac again? Here is the
full log.

https://pastebin.com/0wgJNt15

and the link to the full bug report.

https://bugs.debian.org/925509

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#923759: One step ahead but compile errors (Was: netlib-java contains nealy empty jar)

2019-03-25 Thread Markus Koschany

Thinking about it, the patch could be much simpler. Actually all you
need is the list of URLs. They are hardcoded but those jar files and
your build directory probably will never change again. It looks like
netlib-java is unmaintained and changes are unlikely. Please find
attached the updated version.

Cheers,

Markus
From: Markus Koschany 
Date: Mon, 25 Mar 2019 14:44:22 +0100
Subject: URLClassLoader

---
 src/org/netlib/generate/JavaGenerator.java | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/org/netlib/generate/JavaGenerator.java b/src/org/netlib/generate/JavaGenerator.java
index fda8e9d..15815de 100644
--- a/src/org/netlib/generate/JavaGenerator.java
+++ b/src/org/netlib/generate/JavaGenerator.java
@@ -51,6 +51,8 @@ import org.netlib.util.doubleW;
 import org.netlib.util.floatW;
 import org.netlib.util.intW;
 
+import java.net.MalformedURLException;
+
 /**
  * Due to the depressing number of LAPACK routines, it is much more efficient to
  * auto-generate the Java code for the wrapper and corresponding Java and JNI
@@ -643,7 +645,8 @@ class JavaGenerator {
 	 * @return all classes in a given package
 	 * @see http://forum.java.sun.com/thread.jspa?threadID=757391=4326850
 	 */
-	private List> getClasses(String packageName, IClassFilter filter) {
+	private List> getClasses(String packageName, IClassFilter filter)
+		throws MalformedURLException{
 		String packagePath = packageName.replace('.', '/');
 //		ArrayList classpath = new ArrayList();
 //		String[] classpathString = System.getProperty("java.class.path").split(":");
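Review bot: the added "throws MalformedURLException" on getClasses() is a checked exception, but none of the three hunks in this patch touches a call site. Please confirm that every caller already declares or catches it; since the URLs in the next hunk are constants, catching it inside getClasses() and logging would keep the signature unchanged. A space before the opening brace would also match the surrounding style.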
@@ -658,7 +661,14 @@ class JavaGenerator {
 //	log(Level.SEVERE, classpathString[i] + " " + ex.getMessage());
 //			}
 //		}
-		URL [] classpath = ((URLClassLoader) ClassLoader.getSystemClassLoader()).getURLs();
+		URL url1 = new URL("file:///usr/share/java/junit-3.8.2.jar");
+		URL url2 = new URL("file:///usr/share/java/f2jutil-0.8.1.jar");
+		URL url3 = new URL("file:///usr/share/java/jlapack-blas-0.8.jar");
+		URL url4 = new URL("file:///usr/share/java/jlapack-lapack-0.8.jar");
+		URL url5 = new URL("file:///usr/share/java/jlapack-xerbla-0.8.jar");
+		URL url6 = new URL("file:///build/netlib-java-0.9.3/build/classes/");
+
+		URL [] classpath = { url1, url2, url3, url4, url5, url6 };
 		List> result = new ArrayList>();
 		System.out.println(Arrays.toString(classpath));
 		for (URL url : classpath) {
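Review bot: the six hard-coded file:// URLs in this hunk tie class discovery to exact jar versions under /usr/share/java and to the build path /build/netlib-java-0.9.3/build/classes/, and nothing in the visible lines checks that those entries exist. A build in another directory or against a renamed jar would then find fewer classes, which is the failure this bug is about. Consider building the array from the java.class.path property (the commented-out block just above already splits it) and failing the build when an entry is missing or the result list comes back empty.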


signature.asc
Description: OpenPGP digital signature


Bug#923759: One step ahead but compile errors (Was: netlib-java contains nealy empty jar)

2019-03-25 Thread Markus Koschany
Control: tags -1 patch

Hello Andreas,

I am attaching a patch that seems to fix the problem. This patch can be
applied on top of the current version in testing, no further changes are
required, but please double-check if the r-deps continue to work. At
least the classes are generated again.

The build should have horribly failed in my opinion because if you take
a look at the build log, there is a ClassCastException which makes it
impossible to generate the class files. This issue in turn is caused by
a change in Java 9 where you can no longer cast URLClassLoader due to
new restrictions, well explained here:

http://java9.wtf/class-loading/

(I love the homepage name)

I tried to follow the solution and hope it helps.

Regards,

Markus
From: Markus Koschany 
Date: Mon, 25 Mar 2019 14:44:22 +0100
Subject: URLClassLoader

---
 src/org/netlib/generate/JavaGenerator.java | 17 +++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/org/netlib/generate/JavaGenerator.java b/src/org/netlib/generate/JavaGenerator.java
index fda8e9d..88cb3f3 100644
--- a/src/org/netlib/generate/JavaGenerator.java
+++ b/src/org/netlib/generate/JavaGenerator.java
@@ -51,6 +51,8 @@ import org.netlib.util.doubleW;
 import org.netlib.util.floatW;
 import org.netlib.util.intW;
 
+import java.net.MalformedURLException;
+
 /**
  * Due to the depressing number of LAPACK routines, it is much more efficient to
  * auto-generate the Java code for the wrapper and corresponding Java and JNI
@@ -643,7 +645,8 @@ class JavaGenerator {
 	 * @return all classes in a given package
 	 * @see http://forum.java.sun.com/thread.jspa?threadID=757391=4326850
 	 */
-	private List> getClasses(String packageName, IClassFilter filter) {
+	private List> getClasses(String packageName, IClassFilter filter)
+		throws MalformedURLException{
 		String packagePath = packageName.replace('.', '/');
 //		ArrayList classpath = new ArrayList();
 //		String[] classpathString = System.getProperty("java.class.path").split(":");
@@ -658,7 +661,17 @@ class JavaGenerator {
 //	log(Level.SEVERE, classpathString[i] + " " + ex.getMessage());
 //			}
 //		}
-		URL [] classpath = ((URLClassLoader) ClassLoader.getSystemClassLoader()).getURLs();
+		URL url1 = new URL("file:///usr/share/java/junit-3.8.2.jar");
+		URL url2 = new URL("file:///usr/share/java/f2jutil-0.8.1.jar");
+		URL url3 = new URL("file:///usr/share/java/jlapack-blas-0.8.jar");
+		URL url4 = new URL("file:///usr/share/java/jlapack-lapack-0.8.jar");
+		URL url5 = new URL("file:///usr/share/java/jlapack-xerbla-0.8.jar");
+		URL url6 = new URL("file:///build/netlib-java-0.9.3/build/classes/");
+
+		URL [] path = { url1, url2, url3, url4, url5, url6 };
+		ClassLoader parent = ClassLoader.getPlatformClassLoader();
+		URLClassLoader loader = new URLClassLoader(path, parent);
+		URL classpath[] = loader.getURLs();
 		List> result = new ArrayList>();
 		System.out.println(Arrays.toString(classpath));
 		for (URL url : classpath) {
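Review bot: the URLClassLoader created in this hunk is used only for loader.getURLs(), which hands back the same six URLs that were just placed in path, and the loader is never closed. Unless it is meant to load the classes further down, drop parent and loader and iterate over the array directly; if it stays, close it, for example with try-with-resources. "URL classpath[]" also mixes array styles with the "URL [] path" two lines earlier.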


signature.asc
Description: OpenPGP digital signature


Bug#925337: webext-ublock-origin: deactivated with Firefox 66

2019-03-24 Thread Markus Koschany
Control: tags -1 pending

Hello!

Am 24.03.19 um 16:52 schrieb Olivier:
> Hello,
> 
> I just found out that the manifest.json in webext-ublock-origin contains an
> incorrect value. The value 'split' of 'incognito' is not supported in Firefox
> (https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/incognito).
> After removing it, the Ublock extension is back.
> 
> Regards
> Olivier

Thank you! Indeed that fixes the problem.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#923330: jajuk: Fails to start with Java Runtime Environment 1.7 minimum required. You use a JVM ext.JVM@23fc625e

2019-03-24 Thread Markus Koschany
Hi,

Am 24.03.19 um 20:41 schrieb Bertrand Florat:
> Hi,
> 
> FYI, the develop branch of jajuk works with the revival of substance
> (radiance), it works for instance with radiance-substance 2.0.1.
> 
> See https://github.com/kirill-grouchnikov/radiance

Thanks for the hint. Unfortunately development in Debian is frozen at
the moment. We can't package a new upstream version or even a new
upstream project for now. Ideally we need a targeted fix to resolve this
problem.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#923330: jajuk: Fails to start with Java Runtime Environment 1.7 minimum required. You use a JVM ext.JVM@23fc625e

2019-03-24 Thread Markus Koschany
Hi Andreas,

Am 24.03.19 um 18:09 schrieb Andreas Tille:
> Hi Markus,
> 
> you have set this bug pending but the fix seems not to be uploaded until
> now.  The package would have been removed from testing without my ping
> of the bug (which is the only thing I intend to do here).
> 
> Kind regards
> 
>   Andreas.

I removed the pending tag shortly after I discovered another problem
with jajuk. The reported error can be easily fixed but the underlying
issue is related to the substance library. If nobody can fix the null
pointer exception, then the removal from testing is correct.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#925404: unblock: sweethome3d/6.1.2+dfsg-2

2019-03-24 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package sweethome3d

The icedtea-netx-common package was removed from Debian. The
functionality is now provided by icedtea-netx. To fix #924594 I had to
replace the dependency.

Please find attached the debdiff.

Regards,

Markus


unblock sweethome3d/6.1.2+dfsg-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru sweethome3d-6.1.2+dfsg/debian/changelog 
sweethome3d-6.1.2+dfsg/debian/changelog
--- sweethome3d-6.1.2+dfsg/debian/changelog 2019-02-06 22:59:39.0 
+0100
+++ sweethome3d-6.1.2+dfsg/debian/changelog 2019-03-24 14:00:44.0 
+0100
@@ -1,3 +1,10 @@
+sweethome3d (6.1.2+dfsg-2) unstable; urgency=medium
+
+  * Replace dependency on icedtea-netx-common with icedtea-netx.
+(Closes: #924594)
+
+ -- Markus Koschany   Sun, 24 Mar 2019 14:00:44 +0100
+
 sweethome3d (6.1.2+dfsg-1) unstable; urgency=medium
 
   * New upstream version 6.1.2+dfsg.
diff -Nru sweethome3d-6.1.2+dfsg/debian/control 
sweethome3d-6.1.2+dfsg/debian/control
--- sweethome3d-6.1.2+dfsg/debian/control   2019-02-06 22:59:39.0 
+0100
+++ sweethome3d-6.1.2+dfsg/debian/control   2019-03-24 14:00:44.0 
+0100
@@ -8,7 +8,7 @@
  ant,
  debhelper (>= 11),
  default-jdk,
- icedtea-netx-common,
+ icedtea-netx,
  imagemagick,
  libbatik-java,
  libfreehep-graphicsio-svg-java,
@@ -24,7 +24,7 @@
 Architecture: all
 Depends:
  default-jre | java7-runtime,
- icedtea-netx-common | sun-java6-bin,
+ icedtea-netx | sun-java6-bin,
  java-wrappers,
  libbatik-java,
  libfreehep-graphicsio-svg-java,
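Review bot: in the Depends hunk only the first alternative changes and "| sun-java6-bin" stays as the fallback. If that package is no longer in the archive, the alternative is dead weight and could be dropped in a follow-up upload once the freeze is over.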


Bug#925402: unblock: netrek-client-cow/3.3.1-3

2019-03-24 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package netrek-client-cow

The fix for #924291, a possible infinite loop, was wrong. This update
corrects the problem. My apologies for any inconvenience this may
cause.

Please find attached the debdiff.

Regards,

Markus

unblock netrek-client-cow/3.3.1-3

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru netrek-client-cow-3.3.1/debian/changelog 
netrek-client-cow-3.3.1/debian/changelog
--- netrek-client-cow-3.3.1/debian/changelog2019-03-20 21:31:57.0 
+0100
+++ netrek-client-cow-3.3.1/debian/changelog2019-03-24 13:31:40.0 
+0100
@@ -1,3 +1,10 @@
+netrek-client-cow (3.3.1-3) unstable; urgency=medium
+
+  * Team upload.
+  * Fix infinite loop patch. Really (Closes: #924291)
+
+ -- Markus Koschany   Sun, 24 Mar 2019 13:31:40 +0100
+
 netrek-client-cow (3.3.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru netrek-client-cow-3.3.1/debian/patches/possible-infinite-loop.patch 
netrek-client-cow-3.3.1/debian/patches/possible-infinite-loop.patch
--- netrek-client-cow-3.3.1/debian/patches/possible-infinite-loop.patch 
2019-03-20 21:31:57.0 +0100
+++ netrek-client-cow-3.3.1/debian/patches/possible-infinite-loop.patch 
2019-03-24 13:31:40.0 +0100
@@ -16,7 +16,7 @@
  
  newkey: mkkey
 -  until ./mkkey $(KEYFILE) "Client Of Win" $(DESC) $(MAKER) $(COMMENT) 
"inl,standard2"; do sleep 1; done
-+  attempts=32; until ./mkkey $(KEYFILE) "Client Of Win" $(DESC) $(MAKER) 
$(COMMENT) "inl,standard2"; do attempts=$(attempts - 1); test $(attempts) -le 0 
&& exit 1; sleep 1; done
++  attempts=32; until ./mkkey $(KEYFILE) "Client Of Win" $(DESC) $(MAKER) 
$(COMMENT) "inl,standard2"; do attempts=$$((attempts - 1)); test $$(attempts) 
-le 0 && exit 1; sleep 1; done
  
  mkkey: system.mk
$(MAKE) -f system.mk KEYDEF=$(KEYDEF) mkkey
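Review bot: "test $$(attempts) -le 0" in the added recipe line still does not read the counter. make reduces $$(attempts) to $(attempts), which the shell treats as command substitution of a command named attempts, so the left operand is empty, test errors out and "exit 1" is never reached. The decrement attempts=$$((attempts - 1)) is fine; the comparison should be test $$attempts -le 0 (or $${attempts}).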


Bug#924291: closed by Markus Koschany (Bug#924291: fixed in netrek-client-cow 3.3.1-2)

2019-03-24 Thread Markus Koschany

Am 24.03.19 um 07:33 schrieb Helmut Grohne:
> Control: reopen -1
> 
> On Thu, Mar 21, 2019 at 12:54:04AM +, Debian Bug Tracking System wrote:
>>* Fix possible infinite loop. (Closes: #924291)
> 
> Thank you for the timely fix. Unfortunately, it doesn't work as the
> variables are improperly escaped. The build continues to loop.
> 
> The patch has:
> 
> + attempts=32; until ./mkkey $(KEYFILE) "Client Of Win" $(DESC) $(MAKER) 
> $(COMMENT) "inl,standard2"; do attempts=$(attempts - 1); test $(attempts) -le 
> 0 && exit 1; sleep 1; done
> 
> It tries to interpolate make variables named "attempts - 1" and
> "attempts". Those are empty so the test expression always fails. With
> proper escaping it looks like this:
> 
> + attempts=32; until ./mkkey $(KEYFILE) "Client Of Win" $(DESC) $(MAKER) 
> $(COMMENT) "inl,standard2"; do attempts=$$((attempts - 1)); test $$(attempts) 
> -le 0 && exit 1; sleep 1; done
> 
> The double $ is unescaped by make to a single $ and the double braces
> are required to perform arithmetic in shell.

I have just uploaded a corrected version. Please provide a patch next
time that can be applied right away. Your original proposed solution
didn't work either and even caused a FTBFS:


attempts=32; until ./mkkey ...; do attempts=$((attempts - 1)); test
$attempts -le 0 && exit 1; sleep 1; done

Unfortunately I didn't remember the double dollar sign in makefiles too.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#925337: webext-ublock-origin: deactivated with Firefox 66

2019-03-24 Thread Markus Koschany


Am 24.03.19 um 09:36 schrieb Martin Steigerwald:
[...]
> Would it make sense to reassign this issue to Firefox package so the 
> maintainers of it can have a look at?

I don't know yet. Since the official version works, it is probably not a
Firefox bug. It is likely related to a missing Firefox specific file or
some Firefox-specific code. I need to contact upstream about it.

Regards,

Markus




signature.asc
Description: OpenPGP digital signature


Bug#924594: Build-depend on icedtea-netx instead of icedtea-netx-common

2019-03-23 Thread Markus Koschany
On Thu, 14 Mar 2019 19:53:28 +0100 Matthias Klose  wrote:
> Package: src;sweethome3d
> Version: 6.1.2+dfsg-1
> Severity: serious
> Tags: sid buster
> 
> Build-depend on icedtea-netx instead of icedtea-netx-common (nbs).
> 
> Patch at
> http://launchpadlibrarian.net/415155485/sweethome3d_6.1.2+dfsg-1_6.1.2+dfsg-1ubuntu1.diff.gz

Hi tony,

thank you for fixing the other companion packages of sweethome3d.
Actually I wanted to downgrade the severity to normal because
icedtea-web provides icedtea-netx-common now, so this shouldn't be
release-critical anymore. I intended to fix it after the freeze. But I
guess since the other sweethome3d packages are fixed now, I can upload a
new revision of sweethome3d too to complete the work. Will do so after
some hours of sleep.

Cheers,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#925337: webext-ublock-origin: deactivated with Firefox 66

2019-03-23 Thread Markus Koschany

[...]
> I will update ublock-origin to version 1.18.10 and see if it fixes
> the problem. I couldn't find a hint in the recent release notes, so
> it could also be a Firefox bug. I will investigate. Since Debian is
> currently in a full freeze mode and prepares to release Debian 10
> "Buster" and the bug also doesn't seem to affect the release, I
> will upload the new version to experimental.

I have updated ublock-origin to 1.18.10 but the problem still remains.
However I can confirm that the addon works in chromium 72.x (1.18.4
and 1.18.10). The official version from the Mozilla store (currently
1.18.6) works also fine in Firefox. At the moment I don't know why
there is a regression in Firefox 66.

I have pushed the new version to the experimental branch.

https://salsa.debian.org/webext-team/ublock-origin/tree/experimental





Bug#925337: webext-ublock-origin: deactivated with Firefox 66

2019-03-23 Thread Markus Koschany
Control: tags -1 confirmed

Hello, and thank you both for the report.

Am 23.03.19 um 12:40 schrieb Martin Steigerwald:
> Package: webext-ublock-origin
> Version: 1.18.4+dfsg-2
> Severity: normal
> 
> Dear Markus,
> 
> uBlock Origin becomes deactivated with Firefox 66.0-1.
> 
> With Firefox ESR 60.6.0esr-1 it works okay.
> 
> With Firefox 65 it also worked.
> 
> Maybe the extension needs an update.
> 
> In Buster AFAIK there will only be Firefox ESR. So there does not seem
> to be a need to have an updated version in Buster. But for those users
> who use Debian Unstable an updated version in experimental would be nice.

I will update ublock-origin to version 1.18.10 and see if it fixes the
problem. I couldn't find a hint in the recent release notes, so it could
also be a Firefox bug. I will investigate. Since Debian is currently in
a full freeze mode and prepares to release Debian 10 "Buster" and the
bug also doesn't seem to affect the release, I will upload the new
version to experimental.

Cheers,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#925189: unblock: netrek-client-cow/3.3.1-2

2019-03-20 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package netrek-client-cow

There was a possible infinite loop in netrek-client-cow when
generating the mkkey at build-time. This potential issue was resolved
by limiting the execution to create the key to 32 attempts.

This is Debian bug #924291.

Please find attached the debdiff.

unblock netrek-client-cow/3.3.1-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru netrek-client-cow-3.3.1/debian/changelog 
netrek-client-cow-3.3.1/debian/changelog
--- netrek-client-cow-3.3.1/debian/changelog2016-09-16 00:08:44.0 
+0200
+++ netrek-client-cow-3.3.1/debian/changelog2019-03-20 21:31:57.0 
+0100
@@ -1,3 +1,11 @@
+netrek-client-cow (3.3.1-2) unstable; urgency=medium
+
+  * Team upload.
+  * Fix possible infinite loop. (Closes: #924291)
+  * Move the package to salsa.debian.org.
+
+ -- Markus Koschany   Wed, 20 Mar 2019 21:31:57 +0100
+
 netrek-client-cow (3.3.1-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru netrek-client-cow-3.3.1/debian/control 
netrek-client-cow-3.3.1/debian/control
--- netrek-client-cow-3.3.1/debian/control  2016-09-16 00:08:44.0 
+0200
+++ netrek-client-cow-3.3.1/debian/control  2019-03-20 21:31:57.0 
+0100
@@ -15,8 +15,8 @@
  libxxf86vm-dev
 Standards-Version: 3.9.8
 Homepage: http://www.netrek.org
-Vcs-Svn: svn://anonscm.debian.org/pkg-games/packages/trunk/netrek-client-cow/
-Vcs-Browser: 
https://anonscm.debian.org/viewvc/pkg-games/packages/trunk/netrek-client-cow/
+Vcs-Git: https://salsa.debian.org/games-team/netrek-client-cow.git
+Vcs-Browser: https://salsa.debian.org/games-team/netrek-client-cow
 
 Package: netrek-client-cow
 Architecture: any
diff -Nru netrek-client-cow-3.3.1/debian/patches/possible-infinite-loop.patch 
netrek-client-cow-3.3.1/debian/patches/possible-infinite-loop.patch
--- netrek-client-cow-3.3.1/debian/patches/possible-infinite-loop.patch 
1970-01-01 01:00:00.0 +0100
+++ netrek-client-cow-3.3.1/debian/patches/possible-infinite-loop.patch 
2019-03-20 21:31:57.0 +0100
@@ -0,0 +1,22 @@
+From: Markus Koschany 
+Date: Wed, 20 Mar 2019 21:29:25 +0100
+Subject: possible infinite loop
+
+Bug-Debian: https://bugs.debian.org/924291
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index efb02ba..131f5af 100644
+--- a/Makefile
 b/Makefile
+@@ -31,7 +31,7 @@ convert: mkkey $(KEYFILE) $(KEYSH)
+   $(DESC) $(MAKER) $(COMMENT)
+ 
+ newkey: mkkey
+-  until ./mkkey $(KEYFILE) "Client Of Win" $(DESC) $(MAKER) $(COMMENT) 
"inl,standard2"; do sleep 1; done
++  attempts=32; until ./mkkey $(KEYFILE) "Client Of Win" $(DESC) $(MAKER) 
$(COMMENT) "inl,standard2"; do attempts=$(attempts - 1); test $(attempts) -le 0 
&& exit 1; sleep 1; done
+ 
+ mkkey: system.mk
+   $(MAKE) -f system.mk KEYDEF=$(KEYDEF) mkkey
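Review bot: $(attempts - 1) and $(attempts) in the added recipe line are expanded by make, not by the shell. No make variables with those names exist, so both expand to nothing, the counter is never decremented and the test can never succeed, which leaves the loop unbounded. Shell expansions inside a recipe need a doubled dollar sign: attempts=$$((attempts - 1)); test $$attempts -le 0.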
diff -Nru netrek-client-cow-3.3.1/debian/patches/series 
netrek-client-cow-3.3.1/debian/patches/series
--- netrek-client-cow-3.3.1/debian/patches/series   2016-09-16 
00:08:44.0 +0200
+++ netrek-client-cow-3.3.1/debian/patches/series   2019-03-20 
21:31:57.0 +0100
@@ -1 +1,2 @@
 gcc5.patch
+possible-infinite-loop.patch


Bug#925177: webext-https-everywhere: wrong-timestamp-of-last-updated

2019-03-20 Thread Markus Koschany
Hello!

On Wed, 20 Mar 2019 20:33:10 +0100 Salman Mohammadi 
wrote:
> 
> Package: webext-https-everywhere
> Version: 2019.1.31-2
> Severity: minor
> 
> Dear Maintainer,
> 
> The timestamp which shows the last updated time is currently set to
> January 1, 1980 which is obviously not correct.
> 
> As I checked the changelog there was previously a patch called
> *use-newer-timestamp-date.patch* which is not in the debian/ directory
> anymore. Maybe it should be resurrected.

Thanks for reporting. Very interesting what people take notice of. :)
Indeed you are correct, the timestamp of the upstream files dates back
to January 1980. This appears to be wrong. This is clearly an upstream
bug. The use-newer-timestamp-date.patch can't be applied because the
create_xpi.py script does not exist anymore.

https://salsa.debian.org/webext-team/https-everywhere/blob/99fcc50e0bb5617c64e55457a7b3e502013e0dc8/debian/patches/use-newer-timestamp-date.patch

I have forwarded this bug report to

https://github.com/EFForg/https-everywhere/issues/17618

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible

2019-03-20 Thread Markus Koschany
Hi Mike,

On Fri, 08 Mar 2019 22:40:52 + Mike Gabriel 
wrote:
[...]
> The critical patch is CVE-2019-6111-2.patch. With that patch added I  
> get segfaults with scp. Without that patch scp works, but is  
> susceptible to the earlier mentioned exploit for CVE-2019-6111.
> 
> I am a bit lost here and would appreciate some ideas about what is  
> going wrong here.

[...]

I think I have found the root cause of the segfault. In order to fix
CVE-2019-6111 we have to backport two functions, reallocarray and
recallocarray. There are some conditionals which must be defined first,
otherwise those functions won't be compiled and are not available at
runtime.

For instance

#ifndef HAVE_REALLOCARRAY

So the solution is to define them in openbsd-compat/openbsd-compat.h

#ifndef HAVE_REALLOCARRAY
void *reallocarray(void *, size_t, size_t);
#endif

#ifndef HAVE_RECALLOCARRAY
void *recallocarray(void *, size_t, size_t, size_t);
#endif

and in config.h.in add

/* Define to 1 if you have the `reallocarray' function. */
#undef HAVE_REALLOCARRAY

/* Define to 1 if you have the `recallocarray' function. */
#undef HAVE_RECALLOCARRAY

After that all patches work as intended and I consider this issue to be
resolved for Wheezy. I'm going to upload a new revision now.

Regards,

Markus







signature.asc
Description: OpenPGP digital signature
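
An added illustration for the CVE-2019-6111 backport message above (not code from the OpenSSH patches or from the author): overflow-checked array allocation in the style of the two backported functions, behind the same `HAVE_*` guards. The `compat_` names and the demo helpers are hypothetical, chosen so the block does not clash with a libc that already ships `reallocarray`; the demos assume neither guard macro is defined.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* sqrt(SIZE_MAX + 1): two factors both below this cannot wrap when multiplied. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns nonzero when nmemb * size does not fit in size_t. */
static int mul_overflows(size_t nmemb, size_t size)
{
    return (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
           nmemb > 0 && SIZE_MAX / nmemb < size;
}

#ifndef HAVE_REALLOCARRAY   /* same guard style as in the message above */
/* Hypothetical name: realloc() that refuses a wrapping element count. */
void *compat_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}
#endif

#ifndef HAVE_RECALLOCARRAY
/* Zero a buffer through a volatile pointer so the stores are not elided. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical name: resize an array, zero any newly added space and wipe
 * the old buffer before freeing it. Simplified: it always allocates a new
 * buffer and copies, with no in-place shortcut for small shrinks. */
void *compat_recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb,
                           size_t size)
{
    size_t oldsize, newsize;
    void *newptr;

    if (ptr == NULL)
        return calloc(newnmemb, size);      /* calloc checks overflow itself */
    if (mul_overflows(newnmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    if (mul_overflows(oldnmemb, size)) {
        errno = EINVAL;                     /* caller's old count is bogus */
        return NULL;
    }
    oldsize = oldnmemb * size;
    newsize = newnmemb * size;

    newptr = malloc(newsize ? newsize : 1);
    if (newptr == NULL)
        return NULL;                        /* old buffer stays valid */
    if (newsize > oldsize) {
        memcpy(newptr, ptr, oldsize);
        memset((char *)newptr + oldsize, 0, newsize - oldsize);
    } else {
        memcpy(newptr, ptr, newsize);
    }
    wipe(ptr, oldsize);
    free(ptr);
    return newptr;
}
#endif

/* Demo: a count that would wrap size_t must fail with ENOMEM. */
int overflow_is_rejected(void)
{
    errno = 0;
    void *p = compat_reallocarray(NULL, SIZE_MAX / 2 + 1, 2);
    int ok = (p == NULL && errno == ENOMEM);
    free(p);
    return ok;
}

/* Demo: growing 4 -> 8 ints keeps the old values and zeroes the tail. */
int grow_keeps_data_and_zeroes_tail(void)
{
    int *a = compat_recallocarray(NULL, 0, 4, sizeof(*a));
    if (a == NULL)
        return 0;
    for (int i = 0; i < 4; i++)
        a[i] = i + 1;
    int *b = compat_recallocarray(a, 4, 8, sizeof(*b));
    if (b == NULL) {
        free(a);
        return 0;
    }
    int ok = 1;
    for (int i = 0; i < 8; i++)
        if (b[i] != (i < 4 ? i + 1 : 0))
            ok = 0;
    free(b);
    return ok;
}

int main(void)
{
    printf("overflow rejected: %d\n", overflow_is_rejected());
    printf("grow keeps data:   %d\n", grow_keeps_data_and_zeroes_tail());
    return 0;
}
```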


Bug#925123: unblock: retroarch-assets/1.3.6+git20160731+dfsg1-2

2019-03-19 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package retroarch-assets

I have removed the alternative dependency on fonts-roboto that depends
on fonts-roboto-unhinted now. I opted
for keeping the dependency on fonts-roboto-hinted for Buster, thus I
have not closed bug #922947 yet which we have to fix eventually but
the RC issue (broken symlinks) is resolved.

Please find attached the debdiff.

Regards,

Markus

unblock retroarch-assets/1.3.6+git20160731+dfsg1-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru retroarch-assets-1.3.6+git20160731+dfsg1/debian/changelog 
retroarch-assets-1.3.6+git20160731+dfsg1/debian/changelog
--- retroarch-assets-1.3.6+git20160731+dfsg1/debian/changelog   2016-08-18 
03:23:42.0 +0200
+++ retroarch-assets-1.3.6+git20160731+dfsg1/debian/changelog   2019-03-20 
01:02:15.0 +0100
@@ -1,3 +1,11 @@
+retroarch-assets (1.3.6+git20160731+dfsg1-2) unstable; urgency=medium
+
+  * Team upload.
+  * Remove alternative dependency on fonts-roboto because it provides the
+unhinted version now. This fixes broken symlinks. See also #922947.
+
+ -- Markus Koschany   Wed, 20 Mar 2019 01:02:15 +0100
+
 retroarch-assets (1.3.6+git20160731+dfsg1-1) unstable; urgency=low
 
   * Updated to latest git, c8f7c0b.
diff -Nru retroarch-assets-1.3.6+git20160731+dfsg1/debian/control 
retroarch-assets-1.3.6+git20160731+dfsg1/debian/control
--- retroarch-assets-1.3.6+git20160731+dfsg1/debian/control 2016-08-18 
03:14:52.0 +0200
+++ retroarch-assets-1.3.6+git20160731+dfsg1/debian/control 2019-03-20 
01:02:15.0 +0100
@@ -9,6 +9,6 @@
 
 Package: retroarch-assets
 Architecture: all
-Depends: fonts-roboto | fonts-roboto-hinted, ${shlibs:Depends}, ${misc:Depends}
+Depends: fonts-roboto-hinted, ${shlibs:Depends}, ${misc:Depends}
 Description: RetroArch assets for XMB, GLUI and Zarch
  This package installs RetroArch assets for XMB, GLUI and Zarch menu drivers.
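
Review bot: The new Depends line makes fonts-roboto-hinted the only font dependency, and nothing next to the field records that this is meant as a measure for Buster with #922947 still open; a comment line above Depends in debian/control would keep a later upload from reintroducing the alternative or forgetting the follow-up. Separately, ${shlibs:Depends} on an Architecture: all package expands to nothing and could be dropped in a later cleanup.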


Bug#922947: retroarch-assets: please don’t use hinted Roboto fonts

2019-03-19 Thread Markus Koschany

Control: severity -1 normal

The RC issue was fixed in version 1.3.6+git20160731+dfsg1-2. Let's
keep this bug open for Debian 11. For Buster we can still depend on
the hinted fonts thus there is no risk of breaking anything.



Bug#922947: retroarch-assets: please don’t use hinted Roboto fonts

2019-03-19 Thread Markus Koschany
Control: tags -1 confirmed pending

On Fri, 22 Feb 2019 09:18:51 +0100 Andrej Shadura 
wrote:
> Package: retroarch-assets
> Severity: normal
> 
> Dear Maintainer,
> 
> The Roboto upstream no longer provides hinted fonts, so
> fonts-roboto-hinted is now a transitional package providing symlinks to
> the unhinted fonts. Please modify your package to use the unhinted fonts
> instead.

Andrej, you should have also reverted fonts-roboto to depend on
fonts-roboto-hinted again when you fixed #922457. In case of
retroarch-assets which depends on fonts-roboto | fonts-roboto-hinted
this will pull in fonts-roboto-unhinted now when fonts-roboto-hinted is
not installed.

I'm going to fix this issue now in retroarch-assets by only depending on
fonts-roboto-hinted but such changes should not be made without proper
testing before a full freeze. :/

Markus



signature.asc
Description: OpenPGP digital signature


Bug#924339: javahelper regressed building -doc packages

2019-03-14 Thread Markus Koschany
Control: reassign 924328 javahelper
Control: forcemerge 924339 924328
Control: affects 924328 src:android-platform-build
Control: retitle 924328 javahelper: jh_build regressed for -doc packages

This issue is caused by the fix for #887666

https://bugs.debian.org/887666

It is not related to the fix for #923748.




signature.asc
Description: OpenPGP digital signature


Bug#923364: FTBS: Can't build against bouncy-castle build with newer jdk

2019-03-13 Thread Markus Koschany
Control: severity -1 important

On Sat, 2 Mar 2019 15:38:51 +0100 Markus Koschany  wrote:
[...]
> Could you elaborate on why this is a bug in libitext-java and how this
> is connected to bouncycastle?

Unfortunately you haven't responded to my last email. I can't reproduce
this behavior in libitext-java but I will gladly apply any patch that
fixes RC issues if further information is provided.

Regards,

Markus




signature.asc
Description: OpenPGP digital signature


Bug#912549: icedtea-web FTBFS with OpenJDK 11

2019-03-13 Thread Markus Koschany


Am 13.03.19 um 17:47 schrieb Matthias Klose:
> On 13.03.19 10:54, Andreas Tille wrote:
>> On Tue, Mar 12, 2019 at 11:41:22AM +0100, Andreas Tille wrote:
>>> Michael Crusoe has suggested a workaround[1].  What do you think about
>>> this?
>>
>> In case there is no answer to this question I assume it is OK to
>> upload the workaround.  Hope you agree with this.
> 
> please look at the new upstream 1.7.2 and 1.8 releases.
> 

In https://bugs.debian.org/855686 Emmanuel wrote that icedtea-web will
be removed. I don't have a strong opinion in this case. If Michael's
workaround works, why not. However I think it is too late now for new
upstream releases as doko seems to imply.

Please note there are several other RC issues that are marked as pending
but I believe the "fix" is to remove the package from Debian.

https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=icedtea-web

Markus



signature.asc
Description: OpenPGP digital signature


Bug#924060: Serious regression in systemd 215-17+deb8u10

2019-03-13 Thread Markus Koschany
Control: tags -1 pending

Hi,

Am 11.03.19 um 23:16 schrieb Michael Biebl:
[...]
> 
> Thanks, Markus.
> 
> Also big thanks to the debian-lts team in general for backporting those
> security fixes for the systemd package in old-stable.

I could reproduce the memory leak with valgrind following the steps
provided by Dan. Indeed this issue is also known as CVE-2019-3815. I am
going to upload a new revision of systemd in Jessie now. Thank you all
for your feedback.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#923180: Please sponsor my game bug=923180

2019-03-12 Thread Markus Koschany
Hi,

Am 11.03.19 um 21:05 schrieb Pedro Pena:
> Hello Markus,
> 
> Very exciting..
> 
> I applied the patches and made the other changes as well.
> However, there are lintian warnings because infinitetux.jar
> is now included in the source files.

[...]

I think I know the reason. You used source format 1.0. Better is to use
format 3.0 (quilt). The changelog version should be 1.1-1 because
infinitetux is a non-native package meaning we append a Debian revision
number to the upstream version. The changelog should also close the ITP
bug. I have already updated the package accordingly.

I forgot to mention that you can even remove the compat file nowadays if
you build-depend on debhelper-compat (= 12) instead of just debhelper.
Less is more. :)

I also added a watch file. See https://wiki.debian.org/debian/watch for
future projects.

Thanks for changing infinitetux-data to .infinitetux. Everything else
looks good, I've just uploaded the package to NEW and imported it to

https://salsa.debian.org/games-team/infinitetux

If you want to improve the package or package a new upstream version,
you can ask for sponsorship on debian-devel-games directly. You don't
have to take the mentors route again. I have granted you access to our
Git repository so you can prepare new updates there.

Thanks for your contribution!

Regards,

Markus








signature.asc
Description: OpenPGP digital signature


Bug#924364: unblock: owasp-java-html-sanitizer/0.1+r88-2

2019-03-11 Thread Markus Koschany
Please find attached the debdiff.

diff -Nru owasp-java-html-sanitizer-0.1+r88/debian/changelog 
owasp-java-html-sanitizer-0.1+r88/debian/changelog
--- owasp-java-html-sanitizer-0.1+r88/debian/changelog  2012-03-22 
04:54:45.0 +0100
+++ owasp-java-html-sanitizer-0.1+r88/debian/changelog  2019-03-12 
01:25:43.0 +0100
@@ -1,3 +1,12 @@
+owasp-java-html-sanitizer (0.1+r88-2) unstable; urgency=medium
+
+  * Team upload.
+  * Remove obsolete DM-uploads-allowed field.
+  * Do not build-depend on libjsr305-java-doc anymore because it is gone.
+(Closes: #923654)
+
+ -- Markus Koschany   Tue, 12 Mar 2019 01:25:43 +0100
+
 owasp-java-html-sanitizer (0.1+r88-1) unstable; urgency=low
 
   * Initial Debian release (Closes: #664055)
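
Review bot: The second changelog bullet names the field "DM-uploads-allowed", but the field removed from debian/control is spelled "DM-Upload-Allowed"; use the exact field name in the changelog so the entry can be found by searching for it.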
diff -Nru owasp-java-html-sanitizer-0.1+r88/debian/control 
owasp-java-html-sanitizer-0.1+r88/debian/control
--- owasp-java-html-sanitizer-0.1+r88/debian/control2012-03-22 
04:54:45.0 +0100
+++ owasp-java-html-sanitizer-0.1+r88/debian/control2019-03-12 
01:25:43.0 +0100
@@ -3,14 +3,12 @@
 Priority: optional
 Maintainer: Debian Java Maintainers 

 Uploaders: James Page 
-DM-Upload-Allowed: yes
 Build-Depends: cdbs, debhelper (>= 7), default-jdk, maven-debian-helper (>= 
1.5)
 Build-Depends-Indep:
  default-jdk-doc,
  libguava-java,
  libguava-java-doc,
  libjsr305-java,
- libjsr305-java-doc,
  libmaven-javadoc-plugin-java
 Standards-Version: 3.9.3
 Homepage: http://code.google.com/p/owasp-java-html-sanitizer
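
Review bot: With libjsr305-java-doc dropped from Build-Depends-Indep while default-jdk-doc and libguava-java-doc stay, check that nothing in the javadoc configuration (for example a link entry in the Maven javadoc setup) still points at the jsr305 API directory, otherwise the -doc build can fail in a different place. The build dependencies on cdbs and debhelper (>= 7) and Standards-Version 3.9.3 are dated, but leaving them untouched is right for an unblock request.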


signature.asc
Description: OpenPGP digital signature


Bug#924364: unblock: owasp-java-html-sanitizer/0.1+r88-2

2019-03-11 Thread Markus Koschany
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package owasp-java-html-sanitizer

The libjsr305-java-doc package was removed from Debian but it is not
really required to build owasp-java-html-sanitizer.

unblock owasp-java-html-sanitizer/0.1+r88-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect



Bug#924060: Serious regression in systemd 215-17+deb8u10

2019-03-11 Thread Markus Koschany

Am 11.03.19 um 15:51 schrieb Dan Poltawski:
> Thanks for your responses. One of my colleagues has been looking into this 
> trying to get the bottom of it and we do seem to have identified a memory 
> leak which isn't present on stretch. I note the report posted to the list 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924060.

[...]

Thank you for sharing your analysis with us. I will prepare a regression
update shortly. It appears the confusion stems from the fact that
CVE-2018-16864 was already addressed by version 215-17+deb8u9. Thus nobody
saw a connection between the memory leak and the recent upload which deals
with another issue.

Regards,

Markus




signature.asc
Description: OpenPGP digital signature


Bug#923748: marked as done (javahelper: javadoc: error - The code being documented uses packages in the unnamed module)

2019-03-10 Thread Markus Koschany
Control: reopen -1

Hello Andrej,

bug 923748 is about a different issue and unrelated to your recent upload.
We need to fix it too and I proposed a patch here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923756#30

Markus



signature.asc
Description: OpenPGP digital signature


Bug#924256: openjpeg2: FTBFS: Can't exec "jh_build": No such file or directory at /usr/bin/dh line 908.

2019-03-10 Thread Markus Koschany
Control: retitle -1 javahelper: javadoc: error - The code being documented uses packages in the unnamed module

Hi,

Am 10.03.19 um 18:15 schrieb Andreas Metzler:
> Control: reassign -1 javahelper 0.72.3
> Control: forcemerge 923748 924256
> Control: retitle -1 shebang line in jh_build "#!/use/bin/perl"
> 
> On 2019-03-10 Salvatore Bonaccorso  wrote:
>> Source: openjpeg2
>> Version: 2.3.0-1.1
>> Severity: serious
>> Justification: ftbfs
> 
>> Hi
> 
>> While trying to address several CVEs fixed in the recent openjpeg2 DSA
>> openjpeg2 it FTBFS with:
> [...]
>> Can't exec "jh_build": No such file or directory at /usr/bin/dh line 908.
> 
> This is breakage in javahelper, reassigning and merging with the other
> reports.

This is a different bug caused by the recent upload of javahelper. The
merged bugs are all about a javadoc error.




signature.asc
Description: OpenPGP digital signature


Bug#923180: Please sponsor my game bug=923180

2019-03-10 Thread Markus Koschany
Hello Pedro,

Am 08.03.19 um 02:49 schrieb Pedro Pena:
> Hello Markus,
> 
> I found an online appstream generator that helped me create the appstream 
> file.
> 
> I built the package without any errors. and just uploaded it.
> 
> I installed the package hoping to see the appstream data rendered in 
> the package manager but I guess it only displays info from the
> control file when it isn't an official debian package.
> 
> Please let me know if I'm  missing anything.

I think we are very close now to upload infinitetux. I have attached two
patches. The first one will change the installation directory to
/usr/share/games. The other one will use the --release flag instead of
-source and -target. This prevents an error when using OpenJDK 8 to run
the game.

Please remove the executable bit from all java and resource files. chmod
a-x. Currently the game creates an infinitetux-data directory in the
user's home directory where it saves tiles.dat. This directory should be
hidden and renamed to .infinitetux. You could also consider to follow
the XDG specification.

https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html

Last but not least, please add some VCS links to debian/control and
change the maintainer field to

Debian Games Team 

and add yourself as Uploader.

Uploaders: qbancoffee 

This way it is easier for others to make changes to the package and keep
it in good shape.

Otherwise the rest looks good to me. I will import the next revision
into our Git repository. You can ask for access here:

https://salsa.debian.org/games-team

Cheers,

Markus
From 691369953345d31a88636c2f0f2aabdf0bb126f3 Mon Sep 17 00:00:00 2001
From: Markus Koschany 
Date: Sun, 10 Mar 2019 15:22:56 +0100
Subject: [PATCH 1/2] Install infinitetux.jar into /usr/share/games.

---
 debian/infinitetux.links | 2 +-
 debian/install   | 2 +-
 debian/rules | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/debian/infinitetux.links b/debian/infinitetux.links
index 7c61489..6a78453 100644
--- a/debian/infinitetux.links
+++ b/debian/infinitetux.links
@@ -1 +1 @@
-/usr/share/infinitetux/infinitetux.jar /usr/games/infinitetux
+/usr/share/games/infinitetux/infinitetux.jar /usr/games/infinitetux
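
Review bot: The link on the + line points /usr/games/infinitetux straight at a jar, so the command only starts if the jar is installed executable and the system can run jars directly; confirm the package depends on jarwrapper, or ship a small launcher script in /usr/games instead of the symlink.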
diff --git a/debian/install b/debian/install
index b317498..2f17a48 100644
--- a/debian/install
+++ b/debian/install
@@ -1,4 +1,4 @@
-../infinitetux.jar usr/share/infinitetux
+infinitetux.jar usr/share/games/infinitetux
 infinitetux.appdata.xml usr/share/metainfo
 infinitetux.desktop usr/share/applications
 infinitetux.png usr/share/icons/hicolor/256x256/apps
diff --git a/debian/rules b/debian/rules
index 091190d..7a62756 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,8 +5,9 @@
 override_dh_auto_build:
 	JAVA_HOME=/usr/lib/jvm/default-java
 	jh_build --no-javadoc --javacopts="-source 1.8 -target 1.8" \
-	--main=com.mojang.mario.FullScreenFrameLauncher ../infinitetux.jar src
+	--main=com.mojang.mario.FullScreenFrameLauncher infinitetux.jar src
 
 override_dh_install:
-	jar uf ../infinitetux.jar -C src/main/resources .
+	jar uf infinitetux.jar -C src/main/resources .
 	dh_install
+
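
Review bot: With "../infinitetux.jar" changed to "infinitetux.jar" in both the jh_build and the jar uf lines, the build now writes the jar into the top of the source tree, and nothing in this hunk removes it again; list infinitetux.jar in debian/clean so a second build or a source-only upload does not pick up the binary. The last + line also adds an empty line at the end of debian/rules, which can be dropped.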
-- 
2.20.1

From 824bce75f919d57e0019e3e842074583caaeeecc Mon Sep 17 00:00:00 2001
From: Markus Koschany 
Date: Sun, 10 Mar 2019 15:29:58 +0100
Subject: [PATCH 2/2] Use -release 8 option.

---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 7a62756..90c82a9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -4,7 +4,7 @@
 
 override_dh_auto_build:
 	JAVA_HOME=/usr/lib/jvm/default-java
-	jh_build --no-javadoc --javacopts="-source 1.8 -target 1.8" \
+	jh_build --no-javadoc --javacopts="--release 8" \
 	--main=com.mojang.mario.FullScreenFrameLauncher infinitetux.jar src
 
 override_dh_install:
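
Review bot: The context line "JAVA_HOME=/usr/lib/jvm/default-java" sits on its own recipe line, so make runs it in a separate shell and the value never reaches the jh_build call that this hunk edits; either export JAVA_HOME at the top of debian/rules or put the assignment on the same logical line as jh_build. The subject line says "-release 8" while the option added is "--release 8"; worth matching the two.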
-- 
2.20.1



signature.asc
Description: OpenPGP digital signature


Bug#875358: Powermock RC #875358

2019-03-09 Thread Markus Koschany


Am 09.03.19 um 18:55 schrieb Adam D. Barratt:
> On Fri, 2019-03-01 at 23:34 +0100, Markus Koschany wrote:
>> I have removed powermock from all reverse-dependencies. This bug
>> should no longer be a blocker for Buster and powermock can be safely
>> removed from testing.
> 
> You didn't, however, ask for unblocks for the reverse-dependencies.

Right, because I assumed they would auto-migrate to testing since they
were uploaded more than ten days before the full freeze.


> I've now unblocked them, and added a removal hint for powermock. This
> will hopefully sort itself out early next week.
> 
> Regards,
> 
> Adam

Thanks for taking care of that.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#923180: Please sponsor my game bug=923180

2019-03-07 Thread Markus Koschany
Control: reopen 923180

Am 07.03.19 um 05:24 schrieb Pedro Pena:
[...]
> "Bug #923180 does not belong to this package"
> 
> Is this normal?

Sorry, I got confused. This is your ITP bug.


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922844

It must be closed in debian/changelog, then Lintian won't complain
anymore. You opened two RFS bugs. Let's close 923172 and continue our
discussion in 923180 now.

Markus



signature.asc
Description: OpenPGP digital signature


Bug#923180: Please sponsor my game bug=923180

2019-03-07 Thread Markus Koschany
Hi,

Am 07.03.19 um 05:24 schrieb Pedro Pena:
> Hello Markus,
> 
> The only thing I have left is figuring out how to create an appstream 
> file and how to integrate it.

There is a quick start guide which is quite helpful.

https://www.freedesktop.org/software/appstream/docs/chap-Quickstart.html#sect-Quickstart-DesktopApps

Here is an example file for another game in Debian.

https://sources.debian.org/src/cube2-data/1.2-1/cube2-data.appdata.xml/

In short appstream increases the visibility of software in Debian and
other distributions.


> All other things are done however,
> After uploading the source, lintian complains with the following
> error.
> 
> "Bug #923180 does not belong to this package"
> 
> Is this normal?
> 
> Does not having an appstream file pause this process?

This is unrelated. The error can be ignored. The ITP bug belongs to the
WNPP pseudo package and since infinitetux is not in Debian yet, there is
no possible way to reassign it.

Regards,

Markus




signature.asc
Description: OpenPGP digital signature


Bug#923180: Please sponsor my game bug=923180

2019-03-06 Thread Markus Koschany

Am 06.03.19 um 03:20 schrieb Pedro Pena:
> Hello Markus,
> Good to hear you finally able to play infinitetux!
> 
> I'll start working on applying your suggestions.
> 
> As far as the OGA -BY license goes,it appears that 
> OpenGameArt does indeed have a specific license.
> 
> I don't see any non commercial wording in it, so is it still o.k.
> to use?
> 
> OpenGameArt has the following in the FAQ page.
> 
> "OGA-BY 3.0 explicitly allows content to be relicensed under CC-BY 3.0.  
> Just change the license to CC-BY 3.0.  No need to get explicit permission
> to do this, as the license already allows it."
> 
> https://opengameart.org/content/oga-by-30-faq
> 
> 
> Should I just re-license the file then?
> 
> Thank you for your help!

Thanks for the link and clarification. Then OGA-BY-3.0 is just a
slightly modified version of CC-BY-3.0. I'm fine with that.

There is at least one -NC license though.

Files: src/main/resources/endscene.gif
Copyright: 2018, Pedro Pena 
License: CC-BY-NC-4.0
Comment: Modified by Pedro Pena link to source provided.
  http://pngimg.com/uploads/linux/linux_PNG43.png


If the source file was already licensed this way, then you can't change
the license to a non-NC one. In this case you have to find another image
or the author might be willing to relicense it to CC-BY-4.0.

Something I forgot to write yesterday. The icon must be renamed to
infinitetux.png if you install it into the hicolor directory. The
resulting jar file should be installed into /usr/share/games/infinitetux
and the link should be in /usr/games not /usr/bin. Debian makes a
distinction between games and normal applications, whether it is useful
is another question, but that's the current policy.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature


Bug#923180: Please sponsor my game bug=923180

2019-03-05 Thread Markus Koschany
Hello Pedro,

Am 05.03.19 um 15:14 schrieb Pedro Pena:
> Hello Markus,
> 
> I have been able to remove the majority of the warnings that appear.
> Unfortunately I can not seem to get lintian to show me the same errors
> locally. I have to upload to mentors.debian.net to see the warnings.
> 
> I thought that this might be due to a version difference with lintian
> in  Ubuntu 16.04 so I installed debian 9.8.0 on a virtual machine
> in the hopes that that might make things a little easier but the results 
> were the same.
> 
> I also have an issue with the deb helper version. When I change to a version
> higher than 10, debuild creates fatal errors.
> dpkg-checkbuilddeps: error: Unmet build dependencies: debhelper (>= 11)
> 
> Is it o.k. to leave it as 10 for now?

You can even use debhelper 12 in Debian unstable. It works for me just
fine. It is recommended to use an up-to-date Debian unstable/sid system
for development because older versions or derivatives like Ubuntu don't
provide all the features you need. Compat level 11 or 12 are not
available in Debian 9.

The package looks much better now and I could play the game for the
first time.

= copyright =

Please note that NC (= non commercial) licenses are not approved and you
must replace the content if you want to include infinitetux in Debian.

Is there really a specific OpenGameArt license? The OGA-BY-3.0 looks
similar to CC-BY-3.0.

= changelog =

The initial changelog should contain just one paragraph.

infinitetux (1.1) unstable; urgency=medium

  * Initial release. (Closes: #923180)

 -- qbancoffee   Thu, 27 Dec 2018 10:31:26 +


You can update the changelog timestamp by running dch -r.

= wrap-and-sort =

There is a nice tool called wrap-and-sort in the devscripts package. As
the name implies it tidies your debian directory.

wrap-and-sort -sa

will also remove trailing whitespace (which is currently present in
d/copyright).

= control =

The short description should be

Description: 2D platformer game inspired by Infinite Mario
 Here goes the long description.

Currently the long description is incomplete.

You duplicate the Homepage field.

Section should be games not X11.

desktop.file:

[Desktop Entry]
Comment=Infinite Tux.
Terminal=false
Name=Infinite Tux.
Exec=/usr/bin/infinitetux
Type=Application
Icon=/usr/share/doc/infinitetux/icon.png
NoDisplay=false
Categories=Game

The Comment should be different than the Name. I would change it to

[Desktop Entry]
Type=Application
Terminal=false
StartupNotify=false
Categories=Game;ArcadeGame;
Keywords=game;arcade;platform;
Icon=infinitetux
Exec=infinitetux
Name=Infinitetux
Comment=2D platformer game inspired by Infinite Mario

There is no need for absolute paths and you should install the icon into
the hicolor icon directory /usr/share/icons/hicolor/256x256/apps where
it will be detected automatically.

Bonus points if you create an appstream file as upstream too and install
it into /usr/share/metainfo

You can remove all maven.* files and infinitetux.poms because you don't
use Maven to build the package.

There is still one Lintian warning:

manpage-has-bad-whatis-entry

If you want to see all warnings including the experimental ones, then I
suggest to use

info=yes
display-info=yes
display-experimental=yes
pedantic=yes
show-overrides=yes
color=auto
verbose=yes

in ~/.config/lintian/lintianrc

We are getting closer!

Regards,

Markus




signature.asc
Description: OpenPGP digital signature


Bug#923756: libhac-java: FTBFS in buster/sid

2019-03-05 Thread Markus Koschany
Control: reassign -1 javahelper
Control: retitle -1 javahelper: javadoc: error - The code being documented uses packages in the unnamed module


Am 05.03.19 um 21:06 schrieb Andreas Tille:
[...]
> Considering that the problem can be solved by fixing javatools instead
> of libhac-java do you think it is appropriate to reassign the bug to
> javatools?
> 
> Otherwise I'd simply deactivate doc generation as Olivier proposed which
> would be a totally sufficient solution for this package which has very
> low chances to be used by developers who might read the doc but rather
> as a dependency for some (not even finished) package.

If you don't need the javadoc you can safely drop the package. We should
fix this bug in one place and the simplest way to achieve that is fixing
javahelper.



signature.asc
Description: OpenPGP digital signature


Bug#923756: libhac-java: FTBFS in buster/sid

2019-03-05 Thread Markus Koschany
Hello Andreas,

Am 05.03.19 um 06:11 schrieb Andreas Tille:
[...]
> Any idea how to fix this?

In my opinion this is a bug in OpenJDK and the new javadoc behavior is
too strict but it is probably useless to argue about it.

We currently work around this error in Maven by setting
detectJavaApiLinks to false by default. We could do a similar change in
javahelper.

jh_build, which is responsible for calling the javadoc command,
automatically tries to link against external classes with

-link /usr/share/doc/default-jdk-doc/api -link
/usr/share/doc/default-jre-headless/api

This way users can click on a link to an external class. If Debian's
corresponding -doc package is installed, the javadoc for this external
class would have been displayed in the past. This is why we recommend to
build-depend on -doc packages because jh_build scans the control file
for -doc packages and links against them. Now there is an
incompatibility between your documented code and the documented code in
default-jdk-doc. The workaround for javahelper could be to remove the
-link option and to not try to link against external classes by default.
The result would be that links to external classes would no longer be
displayed but at least your own package with its own classes would be
documented again.

Maybe we should change our javadoc policy too. Developers shall not
build-depend on other -doc packages by default and override jh_build if
they wish to link against external packages. This way they have more
fine-grained control over their -doc packages and we don't have to
worry about those errors anymore.

Here is my proposed patch for jh_build against src:javatools master.

Regards,

Markus
From e731cb503712fea1618b9b3bff041c89800bcf1d Mon Sep 17 00:00:00 2001
From: Markus Koschany 
Date: Tue, 5 Mar 2019 13:19:24 +0100
Subject: [PATCH] jh_build: Remove CLASSPATHDOCS variable and do not link to
 external classes

by default anymore.
---
 jh_build | 15 +++
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/jh_build b/jh_build
index 91ce0e2..3795096 100755
--- a/jh_build
+++ b/jh_build
@@ -116,7 +116,7 @@ my $CLASSPATH = $CLASSPATH_ORIG;
 my @JH_JAR_EXTRA;
 my $build_javadoc = 1;
 my (@javac_opts, @javadoc_opts, $main_class, $do_clean);
-my (@JAVAC, @JAVADOC, @JAR, @CLASSPATHDOCS, @builds);
+my (@JAVAC, @JAVADOC, @JAR, @builds);
 
 $CLASSPATH =~ tr/:/ / if defined($CLASSPATH_ORIG);
 @JH_JAR_EXTRA = split(' ', $ENV{'JH_JAR_EXTRA'}) if @JH_JAR_EXTRA;
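
Review bot: Dropping @CLASSPATHDOCS from the declaration is fine, but the last context line of this hunk looks wrong independently of the patch: "@JH_JAR_EXTRA = split(...) if @JH_JAR_EXTRA;" tests the array that was declared empty a few lines earlier, so the environment variable is never read. The condition should probably test $ENV{'JH_JAR_EXTRA'} instead; worth a separate fix.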
@@ -222,13 +222,13 @@ sub do_build {
 		my $files_escaped = escape_shell(@srcfiles);
 		complex_doit(qq{find $dirs_escaped -name '*.java' -and -type f -print0 | xargs -s 512000 -0 @JAVAC -g -cp ${CLASSPATH_ORIG}:debian/_jh_build.$ext -d debian/_jh_build.$ext @javac_opts $files_escaped});
 		if ($build_javadoc) {
-			complex_doit(qq{find $dirs_escaped -name '*.java' -and -type f -print0 | xargs -s 512000 -0 @JAVADOC @CLASSPATHDOCS -classpath ${CLASSPATH_ORIG}:debian/_jh_build.$ext -d debian/_jh_build.javadoc/api -quiet $JH_JAVADOC_OPTS $files_escaped});
+			complex_doit(qq{find $dirs_escaped -name '*.java' -and -type f -print0 | xargs -s 512000 -0 @JAVADOC -classpath ${CLASSPATH_ORIG}:debian/_jh_build.$ext -d debian/_jh_build.javadoc/api -quiet $JH_JAVADOC_OPTS $files_escaped});
 		}
 
 	} elsif (@srcfiles) {
 		doit(@JAVAC, '-g', '-cp', "${CLASSPATH_ORIG}:_jh_build.$ext", '-d', "debian/_jh_build.$ext", '-quiet', @javac_opts, @srcfiles);
 		if ($build_javadoc) {
-			doit(@JAVADOC, @CLASSPATHDOCS, '-classpath', "${CLASSPATH_ORIG}:_jh_build.$ext", '-d', "debian/_jh_build.javadoc/api", '-quiet', @javadoc_opts, @srcfiles);
+			doit(@JAVADOC, '-classpath', "${CLASSPATH_ORIG}:_jh_build.$ext", '-d', "debian/_jh_build.javadoc/api", '-quiet', @javadoc_opts, @srcfiles);
 		}
 	} else {
 		return;
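
Review bot: The two javadoc calls edited here are not equivalent: the find/xargs branch passes $JH_JAVADOC_OPTS and a classpath of "debian/_jh_build.$ext", while the doit branch passes @javadoc_opts and "_jh_build.$ext" without the debian/ prefix. Since both lines are being touched anyway, align them so that user-supplied javadoc options and the classpath behave the same in both branches, and document that a package wanting external links now has to pass -link itself.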
@@ -242,14 +242,6 @@ sub do_build {
 	return;
 }
 
-sub _classpath_docs {
-	my $source = sourcepackage();
-	return map {
-		chomp;
-		('-link', $_)
-	} `for i in \$(grep-dctrl --no-field-names --show-field Build-Depends,Build-Depends-Indep -F source "${source}" debian/control | tr , ' ' | sed 's/([^)]*)//g') ; do dpkg -L \$i 2>/dev/null | grep /usr/share/doc/.*/api\$; done`;
-}
-
 # By default, jh_build does nothing without a debian/javabuild file or explicit arguments.
 # PROMISE: DH NOOP WITHOUT pkgfile(javabuild)
 
@@ -269,7 +261,6 @@ if (@builds) {
 	@JAVAC = ("${JAVA_HOME}/bin/javac");
 	@JAVADOC = ("${JAVA_HOME}/bin/javadoc", '-locale', 'en_US');
 	@JAR = ("${JAVA_HOME}/bin/jar");
-	@CLASSPATHDOCS = _classpath_docs();
 	for my $build (@builds) {
 		do_build(@{$build});
 	}
-- 
2.20.1



signature.asc
Description: OpenPGP digital signature


Bug#919638: solr-tomcat: Permission problems after update to tomcat9

2019-03-03 Thread Markus Koschany
Control: severity -1 serious
Control: reassign -1 solr-tomcat


Am 01.03.19 um 19:58 schrieb Emmanuel Bourg:
> Le 01/03/2019 à 18:29, Markus Koschany a écrit :
> 
>> I have never extended security permissions of
>> another systemd service. How is this supposed to work?
> 
> I'm not used to this either, but I think we just have to install a
> /etc/systemd/system/tomcat9.d/solr-permissions.conf file with these lines:
> 
>   [Service]
>   ReadWritePaths=/var/lib/solr/
> 
> A call to 'systemctl daemon-reload' is probably needed in the postinst
> script (but maybe there is a trigger taking care of that already).

Thanks. I didn't know about those config files. Usually
/etc/systemd/system is for the local administrator who can completely
override specific service files, so it might be dangerous to install
something in those directories. However I haven't found anything in the
Debian Policy about that, I just install solr-permissions.conf and
execute systemctl daemon-reload in postinst and hope that it resolves
the problem.

Markus



signature.asc
Description: OpenPGP digital signature


Bug#923364: FTBS: Can't build against bouncy-castle build with newer jdk

2019-03-02 Thread Markus Koschany
Control: tags -1 moreinfo

On Tue, 26 Feb 2019 23:07:43 +0100 Sjoerd Simons  wrote:
> Package: libitext-java
> Version: 2.1.7-12
> Severity: serious
> Tags: patch
> 
> Hey,
> 
> When rebuilding bouncy-castle the jar doesn't seem to have the same classpath

Hello, I guess you meant libitext-java?

> built-in as older builds did; specifically comparing a rebuild with an old
> debian build the MANIFEST.MF has the following diff (among other bits):
>   -Class-Path: bcprov.jar bcpkix.jar javax.mail.jar
>   +Class-Path: /usr/share/java/javax.mail.jar

I have just successfully rebuilt libitext-java and installed it. The
MANIFEST file of itext.jar looks normal to me:

Class-Path: /usr/share/java/bcprov.jar /usr/share/java/bcmail.jar /usr/s
 hare/java/bcpkix.jar

The classpath is defined in debian/libitext-java.classpath

Could you elaborate on why this is a bug in libitext-java and how this
is connected to bouncycastle?



signature.asc
Description: OpenPGP digital signature

