Bug#759665: RFS: libtorrent-rasterbar/0.16.17-1~bpo70+1 [NMU]

[Martino Dell'Ambrogio]

Hello Vincent,

Thank you for the recommendation.
I was going to propose a wheezy update at first, but I opted for 
wheezy-backports exactly because of devref 5.5.1:


Extra care should be taken when uploading to stable. Basically, a 
package should only be uploaded to stable if one of the following happens:

 * a truly critical functionality problem
 * the package becomes uninstallable
 * a released architecture lacks the package

The mentioned bug shows itself in at least some Xeon CPUs as far as I 
can tell, but only impacts encrypted BitTorrent transfers.

The library remains perfectly usable for unencrypted tranfers.

I also informed the current maintainer so that he may decide whether 
this is a truly critical functionality problem.

In my humble opinion it's not. It may be average or important, not critical.

Martino Dell'Ambrogio
Security Auditor
Web: http://www.tillo.ch/
Email: ti...@tillo.ch

On 08/31/2014 12:57 AM, Vincent Cheng wrote:

Hi Martino,

On Fri, Aug 29, 2014 at 2:03 AM, Martino Dell'Ambrogio ti...@tillo.ch wrote:

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package libtorrent-rasterbar on
wheezy-backports.

This is a straightforward rebuild of the current testing package.
The reason for wanting libtorrent-rasterbar 0.16.x (libtorrent-rasterbar7,
python-libtorrent...) on the current stable is that it fixes a crash bug
involving OpenSSL and encrypted transfers for any bittorrent client
depending on the library.

If your intent for providing this backport is to fix a bug in stable,
I strongly recommend that you instead fix it in stable proper, i.e.
prepare a minimal diff against the package in wheezy and file a wheezy
proposed update request against the release.debian.org pseudo-package
with reportbug (see devref 5.5.1 [1] for more details). Once the
release team approves of the debdiff, you can then request a sponsor
here as well (or contact the maintainers/uploaders to see if they'd be
interested in fixing the bug in wheezy themselves).

Regards,
Vincent

[1] 
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable





smime.p7s
Description: S/MIME Cryptographic Signature

Bug#759665: RFS: libtorrent-rasterbar/0.16.17-1~bpo70+1 [NMU]

[Martino Dell'Ambrogio]

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package libtorrent-rasterbar on 
wheezy-backports.


This is a straightforward rebuild of the current testing package.
The reason for wanting libtorrent-rasterbar 0.16.x 
(libtorrent-rasterbar7, python-libtorrent...) on the current stable is 
that it fixes a crash bug involving OpenSSL and encrypted transfers for 
any bittorrent client depending on the library.
For more information about the bug: 
https://bugs.launchpad.net/ubuntu/+source/deluge/+bug/1232311


* Package name: libtorrent-rasterbar
* Version : 0.16.17-1~bpo70+1
* Upstream Author : Rasterbar Software cont...@rasterbar.com
* URL : http://www.rasterbar.com/products/libtorrent/index.html
* License : http://www.opensource.org/licenses/bsd-license.php
* Section : libs

It builds those binary packages:

libtorrent-rasterbar-dbg - Debug symbols for libtorrent-rasterbar
libtorrent-rasterbar-dev - Development files for libtorrent-rasterbar
libtorrent-rasterbar-doc - Documentation for libtorrent-rasterbar
libtorrent-rasterbar7 - C++ bittorrent library by Rasterbar Software
python-libtorrent - Python bindings for libtorrent-rasterbar
python-libtorrent-dbg - Python bindings for libtorrent-rasterbar (debug 
symbols)

python3-libtorrent - Python bindings for libtorrent-rasterbar (Python 3)
python3-libtorrent-dbg - Python bindings for libtorrent-rasterbar (debug 
symbols) (Python


To access further information about this package, please visit the 
following URL:


http://mentors.debian.net/package/libtorrent-rasterbar

Alternatively, one can download the package with dget using this command:

dget -x 
http://mentors.debian.net/debian/pool/main/libt/libtorrent-rasterbar/libtorrent-rasterbar_0.16.17-1~bpo70+1.dsc


Thank you,
tillo

--
Martino Dell'Ambrogio
Security Auditor
Web: http://www.tillo.ch/
Email: ti...@tillo.ch




smime.p7s
Description: S/MIME Cryptographic Signature

Bug#748020: ditaa: Java Exception with HTML input

[Martino Dell'Ambrogio]

Package: ditaa
Version: 0.9+ds1-3
Severity: normal
Tags: upstream patch

Dear Maintainer,

When I invoke ditaa with -h to import any HTML file, a Java Exception
appears.

Here is an example of this behavior:

---

$ ditaa -h test.html

ditaa version 0.9, Copyright (C) 2004--2009  Efstathios (Stathis) 
Sideris


Running with options:
html
Exception in thread main java.lang.NoClassDefFoundError:
net/htmlparser/jericho/Segment
at
org.stathissideris.ascii2image.core.CommandLineConverter.main(CommandLineConverter.java:182)
Caused by: java.lang.ClassNotFoundException: 
net.htmlparser.jericho.Segment

at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:323)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:268)
... 1 more

---

The JAR manifest is apparently missing a Class-Path reference to the 
Jericho HTML

Parser, which I fixed in my patch.

While testing, I came across a second problem, also fixed in my patch.
This is an upstream bug, though:

---

$ ditaa -h test.html

ditaa version 0.9, Copyright (C) 2004--2009  Efstathios (Stathis) 
Sideris


Running with options:
html
Convering HTML file (test.html - test_processed.html)... Exception in
thread main java.lang.ClassCastException: 
net.htmlparser.jericho.StartTag

cannot be cast to net.htmlparser.jericho.Element
at
org.stathissideris.ascii2image.core.HTMLConverter.convertHTMLFile(HTMLConverter.java:119)
at
org.stathissideris.ascii2image.core.CommandLineConverter.main(CommandLineConverter.java:182)

---

Seems like getAllStartTags() is used instead of getAllElements() at
HTMLConverter.java:116.

When my patch is applied, I am able to use an HTML file as input.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), 
(500, 'precise')

Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-31-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ditaa depends on:
ii  default-jdk [java6-sdk]1:1.6-43ubuntu2
ii  default-jre [java6-runtime]1:1.6-43ubuntu2
ii  jarwrapper 0.40ubuntu1.1
ii  junit4 4.8.2-2
ii  libbatik-java  1.7.ubuntu-8ubuntu1
ii  libcommons-cli-java1.2-3
ii  libjericho-html-java   3.1-2
ii  libxml-commons-external-java   1.4.01-2
ii  openjdk-6-jdk [java6-sdk]  6b31-1.13.3-1ubuntu1~0.12.04.2
ii  openjdk-6-jre [java6-runtime]  6b31-1.13.3-1ubuntu1~0.12.04.2

ditaa recommends no packages.

ditaa suggests no packages.

-- no debconf information

--
Martino Dell'Ambrogio
Security Auditor
Web: http://www.tillo.ch/
Email: ti...@tillo.ch

diff -ur ditaa-0.9+ds1.orig/debian/manifest ditaa-0.9+ds1/debian/manifest
--- ditaa-0.9+ds1.orig/debian/manifest  2010-04-15 20:23:24.0 +0200
+++ ditaa-0.9+ds1/debian/manifest   2014-05-13 11:47:26.242177598 +0200
@@ -1,5 +1,5 @@
 usr/share/ditaa/ditaa.jar:
  Main-Class: org.stathissideris.ascii2image.core.CommandLineConverter
  Debian-Java-Home: /usr/lib/jvm/default-java
- Class-Path: /usr/share/java/junit4.jar 
/usr/lib/jvm/java-6-openjdk/lib/tools.jar /usr/share/java/commons-cli.jar 
/usr/share/java/batik-bridge.jar /usr/share/java/batik-dom.jar 
/usr/share/java/batik-gvt.jar /usr/share/java/batik-svg-dom.jar 
/usr/share/java/batik-awt-util.jar /usr/share/java/xml-apis-ext.jar 
/usr/share/java/batik-libs.jar
+ Class-Path: /usr/share/java/jericho-html.jar /usr/share/java/junit4.jar 
/usr/lib/jvm/java-6-openjdk/lib/tools.jar /usr/share/java/commons-cli.jar 
/usr/share/java/batik-bridge.jar /usr/share/java/batik-dom.jar 
/usr/share/java/batik-gvt.jar /usr/share/java/batik-svg-dom.jar 
/usr/share/java/batik-awt-util.jar /usr/share/java/xml-apis-ext.jar 
/usr/share/java/batik-libs.jar
 
diff -ur 
ditaa-0.9+ds1.orig/src/org/stathissideris/ascii2image/core/HTMLConverter.java 
ditaa-0.9+ds1/src/org/stathissideris/ascii2image/core/HTMLConverter.java
--- 
ditaa-0.9+ds1.orig/src/org/stathissideris/ascii2image/core/HTMLConverter.java   
2014-05-13 11:28:48.0 +0200
+++ ditaa-0.9+ds1/src/org/stathissideris/ascii2image/core/HTMLConverter.java
2014-05-13 11:55:53.460347558 +0200
@@ -113,7 +113,7 @@
int index = 1;
HashMap diagramList = new HashMap();

-   List linkStartTags = source.getAllStartTags(pre);
+   List linkStartTags = source.getAllElements(pre);
Iterator it = linkStartTags.iterator();
while (it.hasNext()) {
Element element = (Element) it.next();