Bug#1082053: RUSTSEC-2023-0086

2024-09-17 Thread Moritz Muehlenhoff
Source: rust-lexical-core
Version: 0.7.6-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

https://rustsec.org/advisories/RUSTSEC-2023-0086.html

https://github.com/Alexhuszagh/rust-lexical/issues/102
https://github.com/Alexhuszagh/rust-lexical/issues/101
https://github.com/Alexhuszagh/rust-lexical/issues/104
https://github.com/Alexhuszagh/rust-lexical/issues/95
https://github.com/Alexhuszagh/rust-lexical/issues/126

Cheers,
Moritz




Bug#1080080: RM: aiorwlock -- RoQA; RC-buggy, unmaintained

2024-08-30 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: aiorwl...@packages.debian.org
Control: affects -1 + src:aiorwlock
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove aiorwlock. It FTBFSes since three years and the last
maintainer upload was in 2019.

Cheers,
Moritz



Bug#1079993: RM: evqueue-core -- RoQA; unmaintained, RC-buggy

2024-08-29 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: evqueue-c...@packages.debian.org
Control: affects -1 + src:evqueue-core
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove evqueue-core. It's RC-buggy since over five years
and the last maintainer upload was in 2018.

Cheers,
Moritz



Bug#1079992: RM: aiocoap -- RoQA; unmaintained, RC-buggy

2024-08-29 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: aioc...@packages.debian.org
Control: affects -1 + src:aiocoap
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove aiocoap. It FTBFSes since over two years and the last maintainer
upload was in 2019.

Cheers,
Moritz



Bug#1079991: RM: aws-shell -- RoQA; unmaintained, RC-buggy

2024-08-29 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: aws-sh...@packages.debian.org
Control: affects -1 + src:aws-shell
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove aws-shell. It's RC-buggy and dropped from testing since 4.5 years
and the last maintainer upload was in 2018.

Cheers,
Moritz



Bug#1079990: RM: fonts-alegreya-sans -- RoQA; unmaintained, RC-buggy

2024-08-29 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: fonts-alegreya-s...@packages.debian.org
Control: affects -1 + src:fonts-alegreya-sans
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove fonts-alegreya-sans. There was only ever a single upload
back in 2019 and the package is RC-buggy since 5.5 years. It missed the
last two stable releases.

Cheers,
Moritz



Bug#1079989: RM: python-arrayfire -- RoQA; blocks removal of arrayfire

2024-08-29 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: python-arrayf...@packages.debian.org
Control: affects -1 + src:python-arrayfire
User: ftp.debian@packages.debian.org
Usertags: remove

src:arrayfire is RC-buggy and has a pending RM bug. This package contains
the Python bindings and needs to be removed alongside.

Cheers,
Moritz



Bug#1079988: RM: arrayfire -- RoQA; unmaintained, RC-buggy

2024-08-29 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: arrayf...@packages.debian.org
Control: affects -1 + src:arrayfire
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove arrayfire. The last upload was in 2016 and it's dropped
from testing due to RC bugs since 2018 (e.g. FTBFSes since GCC 8 became
the default...)

The RM bug for python-arrayfire needs to be processed first.

Cheers,
Moritz



Bug#1079695: RM: xmms2-scrobbler -- RoQA; broken, unmaintained

2024-08-26 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: xmms2-scrobb...@packages.debian.org
Control: affects -1 + src:xmms2-scrobbler
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove xmms2-scrobbler. It's broken since last.fm changed their site
in 2015 (!) (#798099) and the last maintainer upload was in 2013.

Cheers,
Moritz



Bug#1079694: RM: jajuk -- RoQA; unmaintained, RC-buggy

2024-08-26 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ja...@packages.debian.org
Control: affects -1 + src:jajuk
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove jajuk. The last upload happened in 2017 and it's RC-buggy/removed
from testing for over five years now.

Cheers,
Moritz



Bug#1079690: RM: perl-doc-html -- RoQA; unmaintained, outdated

2024-08-26 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: perl-doc-h...@packages.debian.org
Control: affects -1 + src:perl-doc-html
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove perl-doc-html. It contains outdated docs, has been dropped
from testing since 2018 and is orphaned without an adopter since 2018.

Cheers,
Moritz



Bug#1079657: RM: fakeroot-ng -- RoQA; unmaintained, RC-buggy

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: fakeroot...@packages.debian.org
Control: affects -1 + src:fakeroot-ng
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove fakeroot-ng. It FTBFSes since over two years without
any reaction and the last maintainer upload (who's also upstream)
was over a decade ago.

Cheers,
Moritz



Bug#1079656: RM: haskell98-tutorial -- RoQA; unmaintained, RC-buggy

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: haskell98-tutor...@packages.debian.org
Control: affects -1 + src:haskell98-tutorial
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove haskell98-tutorial. It's RC-buggy since 2021
and up for adoption without any takers since 2014.

Cheers,
Moritz



Bug#1079647: RM: libneo4j-client -- RoQA; RC-buggy, unmaintained

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: libneo4j-cli...@packages.debian.org
Control: affects -1 + src:libneo4j-client
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove libneo4j-client. It's RC-buggy since 2021 when
GCC 11 became the default and the last maintainer upload was
in 2017.

Cheers,
Moritz



Bug#1079645: RM: ifscheme -- RoQA; RC-buggy, unmaintained

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ifsch...@packages.debian.org
Control: affects -1 + src:ifscheme
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove ifscheme. It's broken since at least 2021 (#981637)
and orphaned without an adopter since 2020.

Cheers,
Moritz



Bug#1079643: RM: tldjs -- RoQA; unmaintained, RC-buggy

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: tl...@packages.debian.org
Control: affects -1 + src:tldjs
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove tldjs. It's RC-buggy since 2021, missed the last
two stable releases and the last maintainer upload was in 2018.

Cheers,
Moritz



Bug#1079640: RM: binutils64 -- RoQA; unmaintained, RC-buggy

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove binutils64. It's RC-buggy since April 2021 (and thus never made it
into a stable release) without any maintainer reaction, and there were no further
uploads after the initial ones in 2020.

Cheers,
Moritz



Bug#1079639: RM: bdfproxy -- RoQA; unmaintained, RC-buggy

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: bdfpr...@packages.debian.org
Control: affects -1 + src:bdfproxy
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove bdfproxy. It's RC-buggy since 1.5 years and never
made it into any stable release. The last maintainer upload was
in 2018.

Cheers,
Moritz



Bug#1079638: RM: beanbag -- RoQA; unmaintained, RC-buggy

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: bean...@packages.debian.org
Control: affects -1 + src:beanbag
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove beanbag. It FTBFSes since 2020 and the last maintainer
upload happened in 2015.

Cheers,
Moritz



Bug#1079637: RM: qiskit-aer -- RoQA; RC-buggy, unmaintained

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: qiskit-...@packages.debian.org
Control: affects -1 + src:qiskit-aer
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove qiskit-aer. There are multiple RC bugs, the last maintainer upload
was in 2021 and it has been dropped from testing for 1.5 years now (and never made
it to a stable release).

Cheers,
Moritz



Bug#1079636: RM: myhdl -- RoQA; unmaintained, RC-buggy

2024-08-25 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: my...@packages.debian.org
Control: affects -1 + src:myhdl
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove myhdl. The last upload was in 2019 and it's RC-buggy and dropped
from testing for over three years (and missed the last two stable releases
for that).

Cheers,
Moritz



Bug#1079453: RM: itop -- RoQA; unmaintained, broken

2024-08-23 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: i...@packages.debian.org
Control: affects -1 + src:itop
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove itop. The last maintainer upload was in 2008 and the package
is broken since 2018 (and dropped from testing since 2021).

Cheers,
Moritz



Bug#1079452: RM: obs-ptz -- RoQA; unmaintained, RC-buggy

2024-08-23 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: obs-...@packages.debian.org
Control: affects -1 + src:obs-ptz
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove obs-ptz. There was only ever a single upload and the package
FTBFSes since October 2022 without any maintainer reaction.

Cheers,
Moritz



Bug#1079451: RM: pdfrw -- RoQA; unmaintained, RC-buggy

2024-08-23 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pd...@packages.debian.org
Control: affects -1 + src:pdfrw
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove pdfrw. The last maintainer upload was in 2018 and it's broken
since Python 3.7 became the default and thus dropped from testing since over
four years.

Cheers,
Moritz



Bug#1079449: RM: literki -- RoQA; unmaintained, RC-buggy

2024-08-23 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: lite...@packages.debian.org
Control: affects -1 + src:literki
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove literki. The last maintainer upload happened in 2010
and the package has multiple open RC bugs and hasn't been part of
testing for over six years.

Cheers,
Moritz



Bug#1079448: RM: lilyterm -- RoQA; unmaintained, RC-buggy

2024-08-23 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: lilyt...@packages.debian.org
Control: affects -1 + src:lilyterm
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove lilyterm. The last upload happened in 2017 and the package is
RC-buggy since 2020.

Cheers,
Moritz



Bug#1079447: RM: ricochet-im -- RoQA; unmaintained, RC-buggy

2024-08-23 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ricochet...@packages.debian.org
Control: affects -1 + src:ricochet-im
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove ricochet-im. The last upload happened 5.5 years
ago and the package is RC-buggy since 2021.

Cheers,
Moritz



Bug#1079445: RM: pstack -- RoQA; unmaintained, RC-buggy

2024-08-23 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pst...@packages.debian.org
Control: affects -1 + src:pstack
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove pstack. The last upload was in 2011 and it's RC-buggy since
4.5 years.

Cheers,
Moritz



Bug#1079444: RM: pxe-kexec -- RoQA; unmaintained, FTBFS

2024-08-23 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
Tags: ftbfs
X-Debbugs-Cc: pxe-ke...@packages.debian.org
Control: affects -1 + src:pxe-kexec
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove pxe-kexec. The last upload was in 2012
and it FTBFSes due to missing compat with GCC 11 since
2021.

Cheers,
Moritz



Bug#1079372: RM: watson -- RoQA; unmaintained, FTBFS

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
Tags: ftbfs
X-Debbugs-Cc: wat...@packages.debian.org
Control: affects -1 + src:watson
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove watson. The last maintainer upload was in 2019 and the
package FTBFSes since 2021.

Cheers,
Moritz



Bug#1079371: RM: drmips -- RoQA; RC-buggy, unmaintained

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: drm...@packages.debian.org
Control: affects -1 + src:drmips
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove drmips. The last maintainer upload was in 2016
and the package FTBFSes since four years.

Cheers,
Moritz



Bug#1079370: RM: effcee -- RoQA; RC-buggy, unmaintained

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: eff...@packages.debian.org
Control: affects -1 + src:effcee
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove effcee. There was only ever a single upload and the package
FTBFSes since three years.

Cheers,
Moritz



Bug#1079351: RM: rdup -- RoQA; RC-buggy, unmaintained

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: r...@packages.debian.org
Control: affects -1 + src:rdup
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove rdup. It's RC-buggy since 2019 and dropped from testing
since then. The last maintainer upload was in 2017.

Cheers,
Moritz



Bug#1079349: RM: pafy -- RoQA; Broken, unmaintained, alternatives exist

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: p...@packages.debian.org
Control: affects -1 + src:pafy
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove pafy. It's broken since two years and already missed
Bookworm for that. The last maintainer upload was in 2016.

Cheers,
Moritz



Bug#1079322: RM: origami -- RoQA; unmaintained, RC-buggy

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: orig...@packages.debian.org
Control: affects -1 + src:origami
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove origami. It's broken since 4.5 years (953144) and
thus missed the last two stable releases. The last maintainer
upload was in 2011.

Cheers,
Moritz



Bug#1079321: RM: privbind -- RoQA; unmaintained, RC-buggy

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: privb...@packages.debian.org
Control: affects -1 + src:privbind
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove privbind. The last maintainer upload was in 2010
and it is RC-buggy since 2021 (and thus missed Bookworm already).

Cheers,
Moritz



Bug#1079318: RM: mahimahi -- RoQA; unmaintained, RC-buggy

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: mahim...@packages.debian.org
Control: affects -1 + src:mahimahi
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove mahimahi. The last maintainer upload was in 2017
and it FTBFSes since 3.5 years (and thus missed Bookworm already).

Cheers,
Moritz



Bug#1079314: RM: ignore-me -- RoQA; RC-buggy, unmaintained

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ignore...@packages.debian.org
Control: affects -1 + src:ignore-me
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove ignore-me. There was only ever a single upload
in 2018 and the package FTBFSes since 6.5 years.

Cheers,
Moritz



Bug#1079315: RM: bwctl -- RoQA; unmaintained, RC-buggy

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: bw...@packages.debian.org
Control: affects -1 + src:bwctl
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove bwctl. The last maintainer upload was in 2015 and
it FTBFSes since 2021 (and thus missed Bookworm already).

Cheers,
Moritz



Bug#1079311: RM: gli -- RoQA; RC-buggy, unmaintained

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: g...@packages.debian.org
Control: affects -1 + src:gli
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove gli. The last upload was in 2017 and it FTBFSes since 6.5 years.
There are no reverse dependencies.

Cheers,
Moritz



Bug#1079309: RM: lsdb -- RoQA; RC-buggy, unmaintained

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: l...@packages.debian.org
Control: affects -1 + src:lsdb
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove lsdb. It's RC-buggy since 2020 and missed Bookworm
already. The last maintainer upload was in 2007 and it has been
put out for adoption without any reply in 2012 (#654945).

Cheers,
Moritz



Bug#1079308: RM: picprog -- RoQA; RC-buggy, unmaintained

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: picp...@packages.debian.org
Control: affects -1 + src:picprog
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove picprog. It's RC-buggy since 2019 and thus missed
the last two stable releases (since Linux 5.5 entered Debian).
It's orphaned without an adopter since 2017.

Cheers,
Moritz



Bug#1079306: RM: openmx -- RoQA; RC-buggy, unmaintained

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ope...@packages.debian.org
Control: affects -1 + src:openmx
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove openmx. It FTBFSes since GCC 10 was made the default
in 2020 and thus missed the last two stable releases and it's
orphaned without an adopter since 2019.

Cheers,
Moritz



Bug#1079303: RM: navi2ch -- RoQA; unmaintained, RC-buggy

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: navi...@packages.debian.org
Control: affects -1 + src:navi2ch
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove navi2ch. There was only ever a single upload in 2012
and the package is RC-buggy since 2020 and thus missed the two
last stable releases.

Cheers,
Moritz



Bug#1079304: RM: mxt-app -- RoQA; RC-buggy, unmaintained

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: mxt-...@packages.debian.org
Control: affects -1 + src:mxt-app
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove mxt-app. It FTBFSes without any maintainer
reaction since 4.5 years and thus missed the last two
stable releases.

Cheers,
Moritz



Bug#1079294: RM: termtris -- RoQA; unmaintained, RC-buggy, not in any stable release

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: termt...@packages.debian.org
Control: affects -1 + src:termtris
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove termtris. It's unmaintained (there was only ever a single upload
in 2019) and it's RC-buggy since 2020 (and thus never made it into any stable
release).

Cheers,
Moritz



Bug#1079290: RM: twofish -- RoQA; unmaintained, dead upstream, RC-buggy

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: twof...@packages.debian.org
Control: affects -1 + src:twofish
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove twofish. It's RC-buggy since 2021 and already missed
Bookworm due to that. Upstream is dead and there are no reverse deps.

Cheers,
Moritz



Bug#1079289: RM: xjig -- RoQA; Unmaintained, RC-buggy, dead upstream

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: x...@packages.debian.org
Control: affects -1 + src:xjig
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove xjig. It's dead upstream, unmaintained (last maintainer
upload in 2013) and RC-buggy due to netpbm changes. It already missed
Bookworm for that and is dropped from testing for over two years.

Cheers,
Moritz



Bug#1079287: RM: gems -- RoQA; unmaintained, RC-buggy, dead upstream

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: g...@packages.debian.org
Control: affects -1 + src:gems
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove gems. It's unmaintained (last upload 13 years ago),
it's RC-buggy since 2021 and missed the last stable release.

Cheers,
Moritz



Bug#1079286: RM: snort -- RoQA; unmaintained, RC-buggy

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: sn...@packages.debian.org
Control: affects -1 + src:snort
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove snort. It's unmaintained (last upload three years ago), it
missed two stable releases and there are plenty of open security issues.

In addition snort 2 is EOLed since three years (1019230) and thus incompatible
with rules updates.

There are also plenty of other open RC bugs (#1064328, #1068036, #56) and
it includes non-free code (#1067951).

Cheers,
Moritz



Bug#1079285: RM: enigmail -- RoQA; obsolete

2024-08-22 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: enigm...@packages.debian.org
Control: affects -1 + src:enigmail
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove enigmail. Thunderbird now has native GPG support and the package
was only needed in old releases to support migrations (which are now all
complete).

Cheers,
Moritz



Bug#1074275: Depends on gpac

2024-06-25 Thread Moritz Muehlenhoff
Source: ogmrip
Version: 1.0.1-4
Severity: serious

gpac is unsupportable and thus orphaned and not in stable.
It should be removed, but ogmrip depends on it. From a
quick glance ogmrip also supports mencoder, so possibly
that dependency could simply get removed?

Cheers,
Moritz



Bug#1074276: Depends on gpac

2024-06-25 Thread Moritz Muehlenhoff
Source: ccextractor
Version: 0.94+ds1-3
Severity: serious

gpac is unsupportable, thus orphaned and not in Bookworm. It should
be removed, but ccextractor build depends on it. From a quick glance
it also has some build flags for ffmpeg, so maybe that's an alternative?

Cheers,
Moritz



Bug#1074225: RM: watchcatd -- RoQA; dead upstream, obsolete

2024-06-24 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: watchc...@packages.debian.org
Control: affects -1 + src:watchcatd
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove watchcatd. It's dead upstream and generally obsolete,
such process supervision is built into systemd natively.



Bug#1073968: RM: sleepd -- RoQA; unmaintained, dead upstream

2024-06-20 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: sle...@packages.debian.org
Control: affects -1 + src:sleepd
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove sleepd. Upstream development has stopped a long time ago,
and it's orphaned for a decade without an adopter.

Cheers,
Moritz



Bug#1073235: bookworm-pu: package bluez/5.66-1+deb12u2

2024-06-18 Thread Moritz Muehlenhoff
On Mon, Jun 17, 2024 at 06:18:40PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2024-06-14 at 23:25 +0200, Moritz Muehlenhoff wrote:
> > Attached debdiff fixes three minor security issues. The update
> > has been tested on a Bookworm system. debdiff below.
> 
> Please go ahead.

Uploaded, thanks.

Cheers,
Moritz



Bug#1072366: libndp: CVE-2024-5564

2024-06-16 Thread Moritz Muehlenhoff
On Fri, Jun 14, 2024 at 07:30:46AM +0200, Florian Ernst wrote:
> On Thu, Jun 13, 2024 at 08:17:41PM +0200, Moritz Muehlenhoff wrote:
> > Thanks, these look good! Please upload to security-master, I'll take care
> > of the DSA over the weekend.
> 
> Thanks for verifying, thus just uploaded to security-master. And thanks
> in advance for taking care of the DSA.

DSA has been released, thanks!

Cheers,
Moritz



Bug#1073277: RM: ramond -- RoQA; unmaintained, dead upstream, unused

2024-06-15 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ram...@packages.debian.org
Control: affects -1 + src:ramond
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove ramond. It's dead upstream, the last maintainer upload
was in 2012 without a new adopter and it's basically non-existent
in popcon.

Cheers,
Moritz



Bug#1073235: bookworm-pu: package bluez/5.66-1+deb12u2

2024-06-14 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: bl...@packages.debian.org, iwama...@debian.org
Control: affects -1 + src:bluez
User: release.debian@packages.debian.org
Usertags: pu

Attached debdiff fixes three minor security issues. The update
has been tested on a Bookworm system. debdiff below.

Cheers,
Moritz

diff -Nru bluez-5.66/debian/changelog bluez-5.66/debian/changelog
--- bluez-5.66/debian/changelog 2023-12-10 17:57:24.0 +0100
+++ bluez-5.66/debian/changelog 2024-06-12 23:13:32.0 +0200
@@ -1,3 +1,10 @@
+bluez (5.66-1+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-27349
+  * CVE-2023-50229 / CVE-2023-50230
+
+ -- Moritz Mühlenhoff   Wed, 12 Jun 2024 23:13:32 +0200
+
 bluez (5.66-1+deb12u1) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
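Review bot: the two new changelog entries list only the CVE identifiers and say nothing about what was changed; Debian changelog convention is one line per change describing the fix, and the patch subjects further down give the wording, e.g. `* CVE-2023-27349: avrcp: fix crash while handling unsupported events` and `* CVE-2023-50229 / CVE-2023-50230: pbap: check Primary/Secondary Counter length`. That also makes the stable-update review easier than cross-referencing the patch files.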
diff -Nru bluez-5.66/debian/patches/CVE-2023-27349.patch 
bluez-5.66/debian/patches/CVE-2023-27349.patch
--- bluez-5.66/debian/patches/CVE-2023-27349.patch  1970-01-01 
01:00:00.0 +0100
+++ bluez-5.66/debian/patches/CVE-2023-27349.patch  2024-06-12 
16:27:04.0 +0200
@@ -0,0 +1,42 @@
+From f54299a850676d92c3dafd83e9174fcfe420ccc9 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz 
+Date: Wed, 22 Mar 2023 11:34:24 -0700
+Subject: avrcp: Fix crash while handling unsupported events
+
+The following crash can be observed if the remote peer send and
+unsupported event:
+
+ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
+ at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
+ WRITE of size 1 at 0x60b000148f11 thread T0
+ #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
+ #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
+ #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
+ #3 0x7fbcb3e51c43 in g_main_context_dispatch 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+ #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+ #5 0x7fbcb3e512b2 in g_main_loop_run 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+ #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
+ #7 0x559644755606 in mainloop_run_with_signal 
src/shared/mainloop-notify.c:188
+ #8 0x5596445bb963 in main src/main.c:1289
+ #9 0x7fbcb3bafd8f in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
+ #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
+ #11 0x5596444e8224 in _start 
(/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
+---
+ profiles/audio/avrcp.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+--- bluez-5.66.orig/profiles/audio/avrcp.c
 bluez-5.66/profiles/audio/avrcp.c
+@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struc
+   case AVRCP_EVENT_UIDS_CHANGED:
+   avrcp_uids_changed(session, pdu);
+   break;
++  default:
++  if (event > AVRCP_EVENT_LAST) {
++  warn("Unsupported event: %u", event);
++  return FALSE;
++  }
++  break;
+   }
+ 
+   session->registered_events |= (1 << event);
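Review bot: the embedded patch's `+++` file header looks damaged in this listing: the line just before `@@ -3901,6 +3901,12 @@` reads ` bluez-5.66/profiles/audio/avrcp.c` with no leading `+++`, so the patch as pasted here would not apply, and the file in the actual upload should be checked to be intact (this may just be the archive eating a line starting with `+++`). The change itself is straightforward: the added `default:` branch returns `FALSE` with a warning when `event > AVRCP_EVENT_LAST`, before the switch falls through to `session->registered_events |= (1 << event);`, so an unsupported event id no longer reaches that statement. Style point: the patch carries only git `From`/`Date`/`Subject` headers; a DEP-3 `Origin:` line pointing at upstream commit f54299a850676d92c3dafd83e9174fcfe420ccc9 would make the provenance explicit to quilt tooling.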
diff -Nru bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch 
bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch
--- bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch   
1970-01-01 01:00:00.0 +0100
+++ bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch   
2024-06-12 16:28:23.0 +0200
@@ -0,0 +1,61 @@
+From 5ab5352531a9cc7058cce569607f3a6831464443 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz 
+Date: Tue, 19 Sep 2023 12:14:01 -0700
+Subject: [PATCH] pbap: Fix not checking Primary/Secundary Counter length
+
+Primary/Secundary Counters are supposed to be 16 bytes values, if the
+server has implemented them incorrectly it may lead to the following
+crash:
+
+=
+==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
+0x60701878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
+
+ READ of size 48 at 0x60701878 thread T0
+ #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, 
void const*, unsigned long), void const*, void const*, unsigned long) 
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
+ #1 0x7f95a1575ba6 in __interceptor_memcmp 
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
+ #2 0x7f95a1575ba6 in __interceptor_memcmp 
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
+ #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
+ #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
+ #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
+ #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
+ #7 0x564df69d56b0 in get_xfer_progres
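Review bot: the patch text is cut off mid-backtrace at `#7 0x564df69d56b0 in get_xfer_progres`, while the hunk header announces 61 added lines, so the actual code change to obexd/client/pbap.c (the length check on the Primary/Secondary Counters before the `memcmp` in `read_version`, pbap.c:288 per the ASan trace) is not visible in this listing and cannot be reviewed from it; the complete patch file in the upload is what needs reading. As with the first patch, a DEP-3 `Origin:` line naming upstream commit 5ab5352531a9cc7058cce569607f3a6831464443 would help.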

Bug#1072366: libndp: CVE-2024-5564

2024-06-13 Thread Moritz Muehlenhoff
Hi Florian,

> Please give those packages an additional check, and feel free to just
> upload them when they indeed meet your requirements, or briefly ping me
> back for me to upload them / possibly apply further changes, whatever
> suits you best.

Thanks, these look good! Please upload to security-master, I'll take care
of the DSA over the weekend.

Cheers,
Moritz



Bug#1073012: Automatically rewrite incoming entries from some CNAs as NFUs

2024-06-11 Thread Moritz Muehlenhoff
Package: security-tracker
Severity: wishlist

These days the scopes of CNAs are usually narrow and scoped to a specific vendor.
We should leverage this for pre-processing incoming data and to reduce toil.

We can do this by extending the "automatic update" job to automatically annotate
CVEs assigned by a given CNA as NFU entries. As an example, all CVEs coming from
the "Wordfence" CNA should be automatically added as "NOT-FOR-US: WordPress
plugin". This avoids cumbersome manual triage (and review would still happen on
the committed entries).

Same for many commercial software vendors, e.g. a company like SAP, which has no
ties to FLOSS: everything coming from their CNA should automatically be added as
"NOT-FOR-US: SAP" without human interaction. We should only extend this on a
case-by-case basis. E.g. Oracle has a lot of proprietary software, but they also
maintain mysql, Java and virtualbox, so they need manual review still.

Cheers,
Moritz
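
The pre-sorting step proposed in this report, as an added example that is not
security-tracker code. It assumes the CVE JSON 5.x record layout
(`cveMetadata.cveId`, `cveMetadata.assignerShortName`,
`containers.cna.descriptions`), which is real; the CNA short names in the
allowlist, the sample records with their placeholder CVE ids, and the two-line
`data/CVE/list` entry layout it renders are assumptions made for the example.
Only allowlisted CNAs produce an NFU entry; anything else, including a CNA such
as Oracle that also covers FLOSS, is returned for manual triage.

```python
"""Pre-sort incoming CVE records by CNA: allowlisted CNAs become NOT-FOR-US
entries automatically, everything else is left for a human (added example,
not security-tracker code)."""
import re
from typing import Iterable, List, Optional, Tuple

# Hypothetical allowlist, extended case by case: CNA short name -> NFU text.
# Oracle is deliberately absent: it assigns CVEs for MySQL, Java and VirtualBox
# too, so its records must stay in manual review.
CNA_NFU_ANNOTATION = {
    "wordfence": "WordPress plugin",
    "sap": "SAP",
}


def assigner_of(record: dict) -> Optional[str]:
    """CNA short name from a CVE JSON 5.x record, lower-cased, or None."""
    name = record.get("cveMetadata", {}).get("assignerShortName")
    return name.lower() if isinstance(name, str) else None


def nfu_annotation_for(record: dict) -> Optional[str]:
    """NFU text for an allowlisted CNA; None means the CVE needs a human look."""
    cna = assigner_of(record)
    return CNA_NFU_ANNOTATION.get(cna) if cna else None


def first_english_description(record: dict) -> str:
    """First 'en' description, whitespace collapsed so the entry stays on one line."""
    for d in record.get("containers", {}).get("cna", {}).get("descriptions", []):
        if d.get("lang", "").lower().startswith("en") and d.get("value"):
            return re.sub(r"\s+", " ", d["value"]).strip()
    return "no description"


def format_nfu_entry(record: dict, annotation: str) -> str:
    """Render one entry in the assumed two-line tracker layout."""
    cve_id = record["cveMetadata"]["cveId"]
    return f"{cve_id} ({first_english_description(record)})\n\tNOT-FOR-US: {annotation}"


def presort(records: Iterable[dict]) -> Tuple[List[str], List[str]]:
    """Split records into auto-generated NFU entries and ids left for manual triage."""
    auto_entries, manual_ids = [], []
    for record in records:
        annotation = nfu_annotation_for(record)
        if annotation is None:
            manual_ids.append(record["cveMetadata"]["cveId"])
        else:
            auto_entries.append(format_nfu_entry(record, annotation))
    return auto_entries, manual_ids


def _record(cve_id: str, assigner: Optional[str], description: str) -> dict:
    """Build a minimal, constructed record shaped like CVE JSON 5.x."""
    meta = {"cveId": cve_id}
    if assigner is not None:
        meta["assignerShortName"] = assigner
    return {"cveMetadata": meta,
            "containers": {"cna": {"descriptions": [{"lang": "en", "value": description}]}}}


# Constructed sample input; the CVE ids are placeholders, not real assignments.
SAMPLE_RECORDS = [
    _record("CVE-0000-0001", "Wordfence",
            "The Example Forms plugin for WordPress\n is vulnerable to stored XSS."),
    _record("CVE-0000-0002", "sap", "SAP Example Server allows unauthenticated access."),
    _record("CVE-0000-0003", "oracle", "Vulnerability in MySQL Server (component: Optimizer)."),
    _record("CVE-0000-0004", None, "Record without an assignerShortName."),
]

if __name__ == "__main__":
    auto, manual = presort(SAMPLE_RECORDS)
    print("\n".join(auto))
    print("manual review:", ", ".join(manual))
```

Run against the constructed records, the Wordfence and SAP entries come back
fully formed while the Oracle record and the record without a CNA are listed for
manual review, which is the case-by-case gate the report asks for.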



Bug#1072366: libndp: CVE-2024-5564

2024-06-10 Thread Moritz Muehlenhoff
Hi Florian,

On Mon, Jun 10, 2024 at 08:41:27AM +0200, Florian Ernst wrote:
> Dear Security Team,
> 
> On Sat, Jun 01, 2024 at 04:57:53PM +0200, Salvatore Bonaccorso wrote:
> > [...]
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-5564
> > https://www.cve.org/CVERecord?id=CVE-2024-5564
> 
> An updated package containing upstream's fix has just been uploaded and
> is waiting to be processed for unstable.
> 
> Upstream's fix: 
> https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af
> (as referenced from https://github.com/jpirko/libndp/issues/26 and
> already seen by carnil)
> Debian change: 
> https://salsa.debian.org/debian/libndp/-/commit/a6136d60ef278c1aebee32f805ff473f0ee6ef99
> 
> The corresponding Debian change applies cleanly on bookworm / stable
> (naturally, as until today bookworm and sid both had libndp 1.8-1) and
> also on bullseye / oldstable and buster / oldoldstable (both having
> libndp 1.6-1).
> 
> I could prepare packages targeting (old)stable, if so desired. Or would
> it be easier for you if you just take over from here?

It would be great if you could prepare updates for bullseye-security and
bookworm-security [1]. Please use 1.6-1+deb11u1 and 1.8-1+deb12u1 as the
respective version numbers. security.debian.org also has autopkgtests set
up, so we should get some good coverage by reverse deps.

Cheers,
Moritz

[1] 
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security



Bug#1072720: libglib2.0-0: Following fix #1070745, typing `A keys doesn't type an À anymore

2024-06-09 Thread Moritz Muehlenhoff
On Sun, Jun 09, 2024 at 06:23:00PM +0100, Simon McVittie wrote:
> On Sun, 09 Jun 2024 at 17:23:27 +0200, gru...@laposte.net wrote:
> > Please note that ^e gives ê correctly but `A doesn't
> 
> Security team:
> 
> Based on this information, I don't think this is a regression caused by
> the GLib security update, or in fact anything to do with GLib: it seems
> that ibus is "mostly" working, and the GLib regression resulted in ibus
> not working at all.

Ack, thanks for the detailed followup.

Cheers,
Moritz



Bug#1072527: Mark libreswan as EOLed in Bullseye

2024-06-03 Thread Moritz Muehlenhoff
Source: debian-security-support
Version: 1:13+2024.05.15
Severity: wishlist
X-Debbugs-Cc: d...@fifthhorseman.net

Security support for libreswan in Bullseye is EOLed, the recent
security fixes for CVE-2023-38710 are too intrusive/risky to
backport (also see https://github.com/libreswan/libreswan/issues/1233)

Cheers,
Moritz



Bug#1072124: gnome-shell: CVE-2024-36472

2024-05-28 Thread Moritz Muehlenhoff
On Tue, May 28, 2024 at 05:33:32PM -0400, Jeremy Bícha wrote:
> Control: forwarded -1 https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
> 
> On Tue, May 28, 2024 at 5:24 PM Moritz Mühlenhoff  wrote:
> > CVE-2024-36472[0]:
> > | In GNOME Shell through 45.7, a portal helper can be launched
> > | automatically (without user confirmation) based on network responses
> > | provided by an adversary (e.g., an adversary who controls the local
> > | Wi-Fi network), and subsequently loads untrusted JavaScript code,
> > | which may lead to resource consumption or other impacts depending on
> > | the JavaScript code's behavior.
> 
> The initial GNOME issue was closed already (the CVE was requested by
> someone who is not a GNOME developer). But GNOME Shell may change the
> workflow for the captive portal helper so we can leave this bug open,
> pointing to the new issue that was opened upstream.

Yeah, they never filed a bug for the botched CVE assignment; this is the
bug reference explicitly for the followup actionable filed by Michael Catanzaro.

Cheers,
Moritz



Bug#1071628: python-pymysql: CVE-2024-36039

2024-05-28 Thread Moritz Muehlenhoff
On Tue, May 28, 2024 at 09:06:51AM +0200, Thomas Goirand wrote:
> On 5/22/24 17:08, Moritz Mühlenhoff wrote:
> > The following vulnerability was published for python-pymysql.
> > 
> > We should also fix this in a DSA, could you prepare debdiffs for
> > bookworm-security and bullseye-security?
> > 
> > CVE-2024-36039[0]:
> > | PyMySQL through 1.1.0 allows SQL injection if used with untrusted
> > | JSON input because keys are not escaped by escape_dict.
> > 
> > https://github.com/advisories/GHSA-v9hf-5j83-6xpp
> > https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
> >  (v1.1.1)
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-36039
> >  https://www.cve.org/CVERecord?id=CVE-2024-36039
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> Please find attached to this message, the fixes I would like to upload to
> bullseye and bookworm. Please allow these uploads.
> 
> Note that I have uploaded latest upstream version 1.1.1-1 to unstable, that
> includes the patch in these debdiffs.

Thanks! These look fine, please build both with -sa and upload to
security-master.

Cheers,
Moritz



Bug#1071746: clojure: CVE-2024-22871

2024-05-24 Thread Moritz Muehlenhoff
On Fri, May 24, 2024 at 11:42:38AM -0400, Louis-Philippe Véronneau wrote:
> On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff wrote:
> > Source: clojure
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for clojure.
> > 
> > CVE-2024-22871[0]:
> > | An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
> > | attacker to cause a denial of service (DoS) via the
> > | clojure.core$partial$fn__5920 function.
> > 
> > https://github.com/advisories/GHSA-vr64-r9qj-h27f
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-22871
> > https://www.cve.org/CVERecord?id=CVE-2024-22871
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> Thanks for the report. Maybe I'm reading this wrong, but the Debian archive
> has clojure 1.10 (oldstable) and 1.11 (stable and up).
> 
> The CVE seems to apply only from 1.12.0-alpha5 to 1.20. Can you confirm why
> we are affected by this CVE?

The CVE descriptions are often bogus, see the upstream advisory I listed:
| The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure
| 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

Cheers,
Moritz



Bug#1053004: CVE-2019-10784 and CVE-2023-40619

2024-05-22 Thread Moritz Muehlenhoff
On Wed, May 22, 2024 at 02:42:58PM -0300, Leandro Cunha wrote:
> Hi everyone,
> 
> On Wed, May 22, 2024 at 12:39 PM Moritz Mühlenhoff  wrote:
> >
> > Am Wed, Mar 06, 2024 at 06:39:01AM -0300 schrieb Leandro Cunha:
> > > Hi Christoph Berg,
> > >
> > > On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg  wrote:
> > > >
> > > > Re: Leandro Cunha
> > > > > The
> > > > > next job would be to make it available through backports and I would
> > > > > choose to remove this package from stable. But I would only leave
> > > > > bookworm backports due to other bugs found (this CVEs too) and fixed
> > > > > in 7.14.7.
> > > > > I have to search about the status of backports to oldstable. But I'm
> > > > > also studying the possibility of working with patches for these two
> > > > > versions.
> > > >
> > > > Why would you want to remove it from stable? In closed environments,
> > > > CVEs are often not a problem.
> > > >
> > > > Christoph
> > >
> > > In addition to the CVEs, phppgadmin which is present in stable does
> > > not connect to PostgreSQL 15 and 16 without a patch I inserted in
> > > 7.13.0+dfsg-3, but I can add the same patch by reopening bug #1029516
> > > or opening another important bug (I am aware that the bug must have a
> > > severity greater than important)[3] for the stable and submission of
> > > new bug to the release team for approval. That way it would be
> > > released in a future release a version with this issue fixed (if
> > > approved). But CVE-2023-40619 is treated with critical severity and
> > > CVE-2019-10784 is also critical according to the NVD[1][2]. The Debian
> > > LTS team handled this with DLA-3644-1 (CVE-2023-40619)[4] in buster
> > > (oldoldstable) and of OpenSUSE team also handled both CVEs in
> > > Leap[5][6].
> > > Removing this package in stable will not leave users without them and
> > > we can release it in backports.
> > > I can treat this as a job of ensuring the quality of what is
> > > distributed by Debian.
> >
> > Agreed, if the package is actually broken with the version of PostgreSQL
> > in stable and if there's no sensible backport for the open security issues,
> > then let's rather remove it by the next point release.
> >
> > Cheers,
> > Moritz
> 
> It's the best thing to do, the package with the necessary corrections
> is already present in bookworm-backports and the user just needs to
> run apt install -t bookworm-backports phppgadmin[1][2][3] with
> sponsorship of Christoph Berg (thank you for that) and thanks also to
> the Debian Security Team.

Ack, will you do the removal request? You can do that with
"reportbug release.debian.org" and then selecting the
"rm stable/testing removal requests" option.

Cheers,
Moritz



Bug#1071127: Mark slurm-wlm as EOLed in Bullseye

2024-05-14 Thread Moritz Muehlenhoff
Source: debian-security-support
Version: 1:13+2024.01.30
Severity: wishlist
X-Debbugs-Cc: gennaro.ol...@gmail.com

Security support for slurm-wlm in Bullseye is EOLed, the recent
changes were too intrusive to meaningfully backport.



Bug#1070175: RM: salt/3002.6+dfsg1-4+deb11u1

2024-05-01 Thread Moritz Muehlenhoff
On Wed, May 01, 2024 at 06:29:29PM +0100, Adam D. Barratt wrote:
> On Wed, 2024-05-01 at 13:02 +0200, Moritz Muehlenhoff wrote:
> > Please remove salt in the next Bullseye point release.
> > It was already removed from unstable for being unsupportable
> > and unmaintained (https://bugs.debian.org/1069654).
> > 
> > There are two related packages which need to be removed
> > alongside, since salt-common depends on them (but which
> > have no other dependencies outside of salt):
> > 
> > pytest-salt-factories 0.93.0-1
> > pytest-testinfra 6.1.0-1
> 
> I'm not doubting whether at least the former should be removed, but
> "salt-common depends on them" isn't a reason to remove things in
> itself. A relationship in the opposite direction certainly would be
> (i.e. "they depend on salt-common").

It's actually build dependencies, both pytest-salt-factories and
pytest-testinfra build depend on salt-common.

Cheers,
Moritz



Bug#1070176: Mark pdns-recursor as EOLed in Bullseye

2024-05-01 Thread Moritz Muehlenhoff
Source: debian-security-support
Version: 1:13+2024.01.30
Severity: wishlist
X-Debbugs-Cc: z...@debian.org

Please mark pdns-recursor as EOL/no longer covered by security support
in Bullseye. These packages can still be used for select use cases
(internal resolver within a company network), but 4.4 is lagging too
much behind to be supportable as a general purpose resolver.

Cheers,
Moritz



Bug#1070175: RM: salt/3002.6+dfsg1-4+deb11u1

2024-05-01 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:salt
User: release.debian@packages.debian.org
Usertags: rm

Please remove salt in the next Bullseye point release.
It was already removed from unstable for being unsupportable
and unmaintained (https://bugs.debian.org/1069654).

There are two related packages which need to be removed
alongside, since salt-common depends on them (but which
have no other dependencies outside of salt):

pytest-salt-factories 0.93.0-1
pytest-testinfra 6.1.0-1

Cheers,
Moritz



Bug#1069762: pdns-recursor: CVE-2024-25583 - 4.8.8 for stable

2024-04-24 Thread Moritz Muehlenhoff
On Thu, Apr 25, 2024 at 08:37:14AM +0200, Chris Hofstaedtler wrote:
> Hi Moritz,
> 
> could we once again use the upstream release for stable?
> debdiff 4.8.7-1 -> 4.8.8-1 is attached.

Ack. Following the 4.8 releases has served us well. debdiff looks fine,
please build with -sa and upload to security-master.

Cheers,
Moritz



Bug#1068818: sngrep: CVE-2024-3119 CVE-2024-3120

2024-04-21 Thread Moritz Muehlenhoff
On Sun, Apr 21, 2024 at 07:35:43PM +, Victor Seva wrote:
> Hi,
> 
> 
> I've just uploaded sngrep 1.8.1-1 to sid and prepared 1.6.0-1+deb12u1 for
> bookworm-security [0].
> 
> Attached debdiff file.
> 
> Waiting for your reply,
> Victor
> 
> [0] 
> https://salsa.debian.org/pkg-voip-team/sngrep/-/tags/debian%2F1.6.0-1+deb12u1

Hi Victor,
diff looks fine, but I don't believe this really needs a DSA; it's a rather
obscure attack vector. I think addressing this via the next Bookworm point
release is perfectly fine, what do you think?

Procedure is outlined at
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Cheers,
Moritz



Bug#1064183: libapache2-mod-auth-openidc: CVE-2024-24814

2024-04-18 Thread Moritz Muehlenhoff
On Thu, Apr 18, 2024 at 02:40:41PM +0200, Moritz Schlarb wrote:
> Dear Salvatore,
> 
> I've prepared, built, tested and uploaded fixed versions for bullseye
> (2.4.9.4-0+deb11u4), bookworm (2.4.12.3-2+deb12u1) and trixie (2.4.15.7-1).
> 
> Would you like to issue a DSA for them or is it enough that they are
> included in the next stable point release?

Hi Moritz,
I think it's sufficient if we only fix these via the next point release(s),
thanks!

Cheers,
Moritz



Bug#1068451: bookworm-pu: package libtommath/1.2.0-6+deb12u1

2024-04-05 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libtomm...@packages.debian.org
Control: affects -1 + src:libtommath

Addresses CVE-2023-36328, debdiff below. Acked by Dominique before.

Cheers,
Moritz

diff -Nru libtommath-1.2.0/debian/changelog libtommath-1.2.0/debian/changelog
--- libtommath-1.2.0/debian/changelog   2021-02-07 11:58:15.0 +0100
+++ libtommath-1.2.0/debian/changelog   2024-04-04 22:20:38.0 +0200
@@ -1,3 +1,9 @@
+libtommath (1.2.0-6+deb12u1) bookworm; urgency=medium
+
+  * CVE-2023-36328 (Closes: #1051100)
+
+ -- Moritz Mühlenhoff   Thu, 04 Apr 2024 22:20:38 +0200
+
 libtommath (1.2.0-6) unstable; urgency=medium
 
   [ Helmut Grohne ]
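Review bot: the changelog entry `* CVE-2023-36328 (Closes: #1051100)` only names the CVE and gives no hint of what the upload changes; please add a short description, e.g. `* CVE-2023-36328: reject negative sizes/exponents in mp_grow, mp_init_size, mp_2expt, mp_mul_2d and the s_mp_mul_*digs helpers to avoid integer overflow (Closes: #1051100)`, so readers of the stable changelog don't have to open the patch.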
diff -Nru libtommath-1.2.0/debian/patches/CVE-2023-36328.patch 
libtommath-1.2.0/debian/patches/CVE-2023-36328.patch
--- libtommath-1.2.0/debian/patches/CVE-2023-36328.patch1970-01-01 
01:00:00.0 +0100
+++ libtommath-1.2.0/debian/patches/CVE-2023-36328.patch2024-04-04 
22:20:38.0 +0200
@@ -0,0 +1,121 @@
+From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001
+From: czurnieden 
+Date: Tue, 9 May 2023 17:17:12 +0200
+Subject: [PATCH] Fix possible integer overflow
+
+---
+ bn_mp_2expt.c| 4 
+ bn_mp_grow.c | 4 
+ bn_mp_init_size.c| 5 +
+ bn_mp_mul_2d.c   | 4 
+ bn_s_mp_mul_digs.c   | 4 
+ bn_s_mp_mul_digs_fast.c  | 4 
+ bn_s_mp_mul_high_digs.c  | 4 
+ bn_s_mp_mul_high_digs_fast.c | 4 
+ 8 files changed, 33 insertions(+)
+
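Review bot: the patch header carries the upstream git metadata (`From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9`, `Subject: [PATCH] Fix possible integer overflow`), which DEP-3 accepts as-is, but an explicit `Origin: upstream` line naming that commit and a `Bug-Debian:` line for #1051100 would make the provenance visible to whoever next touches debian/patches without reading the git headers.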
+--- libtommath-1.2.0.orig/bn_mp_2expt.c
 libtommath-1.2.0/bn_mp_2expt.c
+@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
+ {
+mp_errerr;
+ 
++   if (b < 0) {
++  return MP_VAL;
++   }
++
+/* zero a as per default */
+mp_zero(a);
+ 
+--- libtommath-1.2.0.orig/bn_mp_grow.c
 libtommath-1.2.0/bn_mp_grow.c
+@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
+int i;
+mp_digit *tmp;
+ 
++   if (size < 0) {
++  return MP_VAL;
++   }
++
+/* if the alloc size is smaller alloc more ram */
+if (a->alloc < size) {
+   /* reallocate the array a->dp
+--- libtommath-1.2.0.orig/bn_mp_init_size.c
 libtommath-1.2.0/bn_mp_init_size.c
+@@ -6,6 +6,11 @@
+ /* init an mp_init for a given size */
+ mp_err mp_init_size(mp_int *a, int size)
+ {
++
++   if (size < 0) {
++  return MP_VAL;
++   }
++
+size = MP_MAX(MP_MIN_PREC, size);
+ 
+/* alloc mem */
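Review bot: style nit in the bn_mp_init_size.c part: the added `++` right after the opening brace leaves a stray blank line at the top of the function body that none of the other seven files get. The ordering itself is right: the `size < 0` check has to sit before `size = MP_MAX(MP_MIN_PREC, size);`, which would otherwise silently clamp a negative size to MP_MIN_PREC and hide the caller's bug instead of reporting MP_VAL.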
+--- libtommath-1.2.0.orig/bn_mp_mul_2d.c
 libtommath-1.2.0/bn_mp_mul_2d.c
+@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b,
+mp_digit d;
+mp_err   err;
+ 
++   if (b < 0) {
++  return MP_VAL;
++   }
++
+/* copy */
+if (a != c) {
+   if ((err = mp_copy(a, c)) != MP_OKAY) {
+--- libtommath-1.2.0.orig/bn_s_mp_mul_digs.c
 libtommath-1.2.0/bn_s_mp_mul_digs.c
+@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, co
+mp_word r;
+mp_digit tmpx, *tmpt, *tmpy;
+ 
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* can we use the fast multiplier? */
+if ((digs < MP_WARRAY) &&
+(MP_MIN(a->used, b->used) < MP_MAXFAST)) {
+--- libtommath-1.2.0.orig/bn_s_mp_mul_digs_fast.c
 libtommath-1.2.0/bn_s_mp_mul_digs_fast.c
+@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *
+mp_digit W[MP_WARRAY];
+mp_word  _W;
+ 
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* grow the destination as required */
+if (c->alloc < digs) {
+   if ((err = mp_grow(c, digs)) != MP_OKAY) {
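Review bot: the `digs < 0` check in bn_s_mp_mul_digs_fast.c is not made redundant by the new check in mp_grow(): for a negative `digs` the condition `c->alloc < digs` is false, so mp_grow() is never reached and the rest of the function would run with the negative count. A one-line comment above the check would stop it being removed later as duplicate validation.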
+--- libtommath-1.2.0.orig/bn_s_mp_mul_high_digs.c
 libtommath-1.2.0/bn_s_mp_mul_high_digs.c
+@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *
+mp_word  r;
+mp_digit tmpx, *tmpt, *tmpy;
+ 
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* can we use the fast multiplier? */
+if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
+&& ((a->used + b->used + 1) < MP_WARRAY)
+--- libtommath-1.2.0.orig/bn_s_mp_mul_high_digs_fast.c
 libtommath-1.2.0/bn_s_mp_mul_high_digs_fast.c
+@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_
+mp_digit W[MP_WARRAY];
+mp_word  _W;
+ 
++   if (digs < 0) {
++  return MP_VAL;
++   }
++
+/* grow the destination as required */
+pa = a->used + b->used;
+if (c->alloc < pa) {
diff -Nru libtommath-1.2.0/debian/patches/series 
libtommath-1.2.0/debian/patches/series
--- libtommath-1.2.0/debian/patches/series  2021-02-07 11:58:15.0 
+0100
+++ libtommath-1.2.0/debian/patches/series  2024-04-04 22:20:38.0 
+0200
@@ -2,3 +2,4 @@
 remove-undefined-macro
 fix-shift-count-overflow-on-x32
 use-utc-timezone
+CVE-2023-36328.patch
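Review bot: the existing entries in debian/patches/series carry no file extension (`remove-undefined-macro`, `fix-shift-count-overflow-on-x32`, `use-utc-timezone`) while the new one is `CVE-2023-36328.patch`; quilt accepts either, but please keep one naming convention within the package.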


Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

2024-04-05 Thread Moritz Muehlenhoff
On Fri, Apr 05, 2024 at 08:16:43AM +0400, Yadd wrote:
> On 4/4/24 22:51, Moritz Mühlenhoff wrote:
> > Source: apache2
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerabilities were published for apache2.
> > 
> > CVE-2024-27316[0]:
> > https://www.kb.cert.org/vuls/id/421644
> > https://www.openwall.com/lists/oss-security/2024/04/04/4
> > 
> > CVE-2024-24795[1]:
> > https://www.openwall.com/lists/oss-security/2024/04/04/5
> > 
> > CVE-2023-38709[2]:
> > https://www.openwall.com/lists/oss-security/2024/04/04/3
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-27316
> >  https://www.cve.org/CVERecord?id=CVE-2024-27316
> > [1] https://security-tracker.debian.org/tracker/CVE-2024-24795
> >  https://www.cve.org/CVERecord?id=CVE-2024-24795
> > [2] https://security-tracker.debian.org/tracker/CVE-2023-38709
> >  https://www.cve.org/CVERecord?id=CVE-2023-38709
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> I'm ready to push 2.4.59 into bookworm-security. Note that this includes a
> test-framework update

Target distribution needs to be bookworm-security, with that please upload.
Can you also prepare the equivalent change for bullseye-security?

The uploads can already happen, but let's keep the update unreleased until
next week, then we can look for regressions reported in unstable (and check
with Ondrej if we received reports based on his repo)

Cheers,
Moritz



Bug#1056156: varnish: CVE-2023-44487: VSV00013 Varnish HTTP/2 Rapid Reset Attack

2024-04-04 Thread Moritz Muehlenhoff
On Thu, Apr 04, 2024 at 05:54:51AM +0200, Salvatore Bonaccorso wrote:
> Hi Marco,
> 
> [CC'ing security team]
> 
> On Mon, Apr 01, 2024 at 04:25:05PM +0200, Marco d'Itri wrote:
> > Control: found -1 5.0.0-1
> > Control: fixed -1 7.4.2
> > 
> > On Nov 17, Salvatore Bonaccorso  wrote:
> > 
> > > CVE-2023-44487[0]:
> > > | The HTTP/2 protocol allows a denial of service (server resource
> > > | consumption) because request cancellation can reset many streams
> > > | quickly, as exploited in the wild in August through October 2023.
> > Fixing this issue would require backporting a significant amount of 
> > new features in varnish and I do not believe that it would be practical.
> > 
> > I am inclined to downgrade this bug because:
> > - this is just a DoS attack
> > - it only concerns people using hitch for TLS termination instead of 
> >   a full web server like nginx or haproxy
> > 
> > nginx in stable is also vulnerable, BTW.
> 
> While I do agree (and it was filed with this severity), the bug
> severity would not be RC, varnish currently seems to lack active
> maintainership.

Ok, fair enough.
We'll mark CVE-2023-44487 (and also
https://varnish-cache.org/security/VSV00014.html) as no-dsa for
bookworm/bullseye.

> As such an RC bug keeps it out of testing until someone steps up for a
> commitment maintaining varnish.

The reason here isn't really a commitment, but a lack of a suitable LTS
branch for stable/oldstable. We wouldn't be in this position if Debian
were following the official 6.0 LTS branch. That ship has now sailed
but when upstream announces a new 7.x LTS at some point we need to
use that for stable/oldstable, the current model isn't working.

Cheers,
Moritz



Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-04-03 Thread Moritz Muehlenhoff
Hi Adrian,
> >...
> > > debdiffs contain only changes to debian/
> > 
> > The bookworm/bullseye debdiffs look good, please upload to
> > security-master, thanks!
> 
> both are now uploaded.

DSA has been released, thanks!
 
> > Note that both need -sa, but dak needs some special attention when
> > uploading to security-master. You'll need to wait for the ACCEPTED mail
> > before you can upload the next one.
> 
> Done, but I am not sure this was necessary in this case since these are
> different upstream tarballs gtkwave_3.3.118.orig.tar.gz and
> gtkwave_3.3.104+really3.3.118.orig.tar.gz
> 
> (The contents also differ since as mentioned one is the GTK 2+3
>  upstream tarball and the other one is the GTK 1+2 upstream tarball.)

You're correct indeed.

Cheers,
Moritz



Bug#1032670: allegro4.4: CVE-2021-36489

2024-03-24 Thread Moritz Muehlenhoff
On Thu, Mar 21, 2024 at 09:33:51PM +0100, Andreas Rönnquist wrote:
> On Fri, 10 Mar 2023 18:04:23 +0100 Moritz Mühlenhoff wrote:
> > Source: allegro4.4
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for allegro4.4.
> > 
> > CVE-2021-36489[0]:
> > | Buffer Overflow vulnerability in Allegro through 5.2.6 allows
> > | attackers to cause a denial of service via crafted PCX/TGA/BMP files
> > | to allegro_image addon.
> > 
> > https://github.com/liballeg/allegro5/issues/1251
> > https://github.com/liballeg/allegro5/pull/1253
> > 
> > These fixes landed in Allegro 5.2.8.0:
> > https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a
> >  (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c
> >  (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7
> >  (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e
> >  (5.2.8.0)
> > 
> > In allegro 4.4, code is in src/[pcx|tga].c instead
> > 
> 
> Hey
> 
> I just tried to reproduce this now on the version of Allegro 4.4 in
> Debian, and using the crash file as mentioned in
> https://github.com/liballeg/allegro5/issues/1251
> 
> I cannot reproduce the crash on 4.4.
> 
> Can you still reproduce the crash on allegro4.4 from the debian package?
> 
> For me when running './ex_bitmap crash' I get a dialog "Error reading
> bitmap file 'crash'", but no crash of the program

I never tried to reproduce these, but a PoC made against a current version
not reproducing with an older version doesn't mean the old version isn't
affected. From a quick glance the equivalent of the checks added in 5 are
also needed in 4.4, e.g. rle_tga_read8() lacks a check for w overstepping c.

Given that all these image files are typically read from a trusted
location/source shipped by a given game it's not a big deal, but I'd suggest
to keep the bug open until 4.4 has been fully phased out or the fixes
backported.

Cheers,
Moritz



Bug#1064517: texlive-bin: CVE-2024-25262

2024-02-23 Thread Moritz Muehlenhoff
On Fri, Feb 23, 2024 at 10:13:53PM +0100, Hilmar Preuße wrote:
> On 23.02.24 16:31, Moritz Mühlenhoff wrote:
> 
> Hello Moritz,
> 
> > The following vulnerability was published for texlive-bin.
> > 
> > CVE-2024-25262[0]:
> > | texlive-bin commit c515e was discovered to contain heap buffer
> > | overflow via the function ttfLoadHDMX:ttfdump. This vulnerability
> > | allows attackers to cause a Denial of Service (DoS) via supplying a
> > | crafted TTF file.
> > 
> 
> I'll upload tl-bin -9 soon. Do we need a fix in Debian stable too?

It's rather harmless, I don't believe we need a DSA. If you make an
update for a forthcoming point release to fix other bugs it's worth
piggybacking this, though.

Cheers,
Moritz



Bug#1060016: packagekit: CVE-2024-0217

2024-02-21 Thread Moritz Muehlenhoff
On Wed, Feb 21, 2024 at 04:15:17PM +0100, Matthias Klumpp wrote:
> I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
> having the bug... But then again, on another page it said that the
> respective patch only lowered the impact...
> I remember merging that patch, and it was a pretty good robustness
> improvement, we didn't talk about any use-after-free issue there
> though (so it's not obvious why this changes anything either).
> 
> Let's see if we get a reply from the CVE reporter!

Sounds good. If there's no further information provided I'll mark the
entry as non actionable in the Debian security tracker and deassociate
it from https://security-tracker.debian.org/tracker/source-package/packagekit

Cheers,
Moritz



Bug#1060016: packagekit: CVE-2024-0217

2024-02-21 Thread Moritz Muehlenhoff
On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
> The CVE page lists that commit as "patch" now, and given that emitting
> a finished transaction as finished multiple times could indeed cause
> issues (and use-after-free issues potentially as well), I am inclined
> to think that that's indeed the issue here and that the patch fixes
> it.

Ok.

> That would mean though that all PK versions starting from and
> including 1.2.7 are not vulnerable... But the CVE tells otherwise.
> Very odd.

But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states
"unaffected at 1.2.7", which seems to be based on the git tag of
the referenced commit?

Cheers,
Moritz



Bug#1063736: snort removal from bullseye (Re: Bug#1063736: RM: snort -- RoQA; security issues, unmaintained)

2024-02-12 Thread Moritz Muehlenhoff
On Mon, Feb 12, 2024 at 06:16:48PM +, Jonathan Wiltshire wrote:
> On Mon, Feb 12, 2024 at 09:24:47AM +, Holger Levsen wrote:
> > hi,
> > 
> > On Sun, Feb 11, 2024 at 09:44:18PM +, Jonathan Wiltshire wrote:
> > > Requested by security team. Not in stable or testing.
> > 
> > once this has happened we should communicate this to our users via
> > debian-security-upload to bullseye.
> 
> Looping in security in case security support should be withdrawn earlier.
> (The removal won't happen until the next and final point release.)

That's fine, all current bugs are addressed in bullseye, except a
minor logrotate issue.

Cheers,
Moritz



Bug#1063534: [Debian-iot-maintainers] Bug#1063534: libjwt: CVE-2024-25189

2024-02-09 Thread Moritz Muehlenhoff
On Fri, Feb 09, 2024 at 04:40:31PM +0100, Thorsten Alteholz wrote:
> Hi Moritz,
> 
> thanks for the bug. Upstream knows about the issue and already fixed it [1]
> + [2].

Thanks. I think the real world impact is pretty negligible, it's enough to land
a fix for the next release, but not for released suites.

Cheers,
Moritz



Bug#1061543: indent: CVE-2024-0911

2024-01-28 Thread Moritz Muehlenhoff
On Fri, Jan 26, 2024 at 08:48:47PM +0100, Santiago Vila wrote:
> severity 1061543 important
> found 1061543 2.2.12-1
> found 1061543 2.2.12-4+deb12u2
> thanks
> 
> El 26/1/24 a las 8:52, Moritz Mühlenhoff escribió:
> > Source: indent
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: normal
> > Tags: security
> > 
> > Hi,
> > 
> > This was assigned CVE-2024-0911:
> > https://lists.gnu.org/archive/html/bug-indent/2024-01/msg1.html
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> [...]
> 
> Thanks for the report.
> 
> I've just applied the (code part of the) patch for unstable.
> 
> Can you confirm that proposed-updates is good enough to fix this in stable?
> (i.e. no DSA, like other recent previous indent CVEs).

Confirmed :-)

Cheers,
Moritz



Bug#1061572: bullseye-pu: package unadf/0.7.11a-4+deb11u1

2024-01-26 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: un...@packages.debian.org
Control: affects -1 + src:unadf

Addresses two no-dsa security issues, same fix already rolled out
for Bookworm. Debdiff below.

Cheers,
Moritz

diff -Nru unadf-0.7.11a/debian/changelog unadf-0.7.11a/debian/changelog
--- unadf-0.7.11a/debian/changelog  2016-09-24 17:43:06.0 +0200
+++ unadf-0.7.11a/debian/changelog  2023-11-24 16:39:48.0 +0100
@@ -1,3 +1,9 @@
+unadf (0.7.11a-4+deb11u1) bullseye; urgency=medium
+
+  * CVE-2016-1243 / CVE-2016-1244 (Closes: #838248)
+
+ -- Moritz Mühlenhoff   Fri, 24 Nov 2023 18:34:16 +0100
+
 unadf (0.7.11a-4) unstable; urgency=high
 
   * Orphan package with security issues.
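Review bot: the changelog line `* CVE-2016-1243 / CVE-2016-1244 (Closes: #838248)` says nothing about what changed; since this mirrors the fix already in bookworm, something like `* CVE-2016-1243 / CVE-2016-1244: replace the mkdir shell command with mkdir() and drop the fixed-size sysbuf buffer (Closes: #838248)` would let users of the stable changelog see the nature of the fix.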
diff -Nru unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244 
unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244
--- unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12441970-01-01 
01:00:00.0 +0100
+++ unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12442023-11-24 
16:38:37.0 +0100
@@ -0,0 +1,146 @@
+Description: Fix unsafe extraction by using mkdir() instead of shell command
+  This commit fixes following vulnerabilities:
+
+  - CVE-2016-1243: stack buffer overflow caused by blindly trusting on
+pathname lengths of archived files
+
+Stack allocated buffer sysbuf was filled with sprintf() without any
+bounds checking in extracTree() function.
+
+  - CVE-2016-1244: execution of unsanitized input
+
+Shell command used for creating directory paths was constructed by
+concatenating names of archived files to the end of the command
+string.
+
+  So, if the user was tricked to extract a specially crafted .adf file,
+  the attacker was able to execute arbitrary code with privileges of the
+  user.
+
+  This commit fixes both issues by
+
+1) replacing mkdir shell commands with mkdir() function calls
+2) removing redundant sysbuf buffer
+
+Author: Tuomas Räsänen 
+Last-Update: 2016-09-20
+--
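Review bot: the DEP-3 header has `Description:`, `Author:` and `Last-Update:` but no `Bug-Debian:` line for #838248 and no `Origin:`; the description reads like an upstream commit message by Tuomas Räsänen, so please record where it was taken from so the next uploader can check for upstream follow-ups.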
+--- a/Demo/unadf.c
 b/Demo/unadf.c
+@@ -24,6 +24,8 @@
+ 
+ #define UNADF_VERSION "1.0"
+ 
++#include 
++#include 
+ 
+ #include
+ #include
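Review bot: the two `#include` lines added in this hunk lost their header names in this copy of the debdiff, so they can't be checked here; mkdirOrLogErr() below uses mkdir() and the S_IRWX* flags (sys/stat.h, plus sys/types.h on older systems), strerror() (string.h) and errno (errno.h). Please confirm the final patch covers all of those, given that only two includes are added and the existing ones further down are likewise unreadable in this mail.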
+@@ -31,17 +33,15 @@
+ 
+ #include "adflib.h"
+ 
+-/* The portable way used to create a directory is to call the MKDIR command 
via the
+- * system() function.
+- * It is used to create the 'dir1' directory, like the 'dir1/dir11' directory
++/* The portable way used to create a directory is to call mkdir()
++ * which is defined by following standards: SVr4, BSD, POSIX.1-2001
++ * and POSIX.1-2008
+  */
+ 
+ /* the portable way to check if a directory 'dir1' already exists i'm using 
is to
+  * do fopen('dir1','rb'). NULL is returned if 'dir1' doesn't exists yet, an 
handle instead
+  */
+ 
+-#define MKDIR "mkdir"
+-
+ #ifdef WIN32
+ #define DIRSEP '\\'
+ #else
+@@ -51,6 +51,13 @@
+ #define EXTBUFL 1024*8
+ 
+ 
++static void mkdirOrLogErr(const char *const path)
++{
++  if (mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO))
++  fprintf(stderr, "mkdir: cannot create directory '%s': %s\n",
++  path, strerror(errno));
++}
++
+ void help()
+ {
+ puts("unadf [-lrcsp -v n] dumpname.adf [files-with-path] [-d 
extractdir]");
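Review bot: mkdirOrLogErr() calls the two-argument POSIX mkdir(path, mode), yet the file keeps its `#ifdef WIN32` branch for DIRSEP; on Windows the C runtime's mkdir takes only the path, so either guard the call the same way or say in the DEP-3 Description that Windows support goes away together with the system() call. Also, the helper logs to stderr and continues, which mirrors the old code ignoring system()'s return value, but a failed mkdir is then followed by extraction into a directory that does not exist; a non-zero exit status at the end would let callers notice.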
+@@ -152,7 +159,6 @@ void extractTree(struct Volume *vol, str
+ {
+   struct Entry* entry;
+ char *buf;
+-char sysbuf[200];
+ 
+ while(tree) {
+ entry = (struct Entry*)tree->content;
+@@ -162,16 +168,14 @@ void extractTree(struct Volume *vol, str
+ buf=(char*)malloc(strlen(path)+1+strlen(entry->name)+1);
+ if (!buf) return;
+ sprintf(buf,"%s%c%s",path,DIRSEP,entry->name);
+-sprintf(sysbuf,"%s %s",MKDIR,buf);
+ if (!qflag) printf("x - %s%c\n",buf,DIRSEP);
++if (!pflag) mkdirOrLogErr(buf);
+ }
+ else {
+-sprintf(sysbuf,"%s %s",MKDIR,entry->name);
+ if (!qflag) printf("x - %s%c\n",entry->name,DIRSEP);
++if (!pflag) mkdirOrLogErr(entry->name);
+ }
+ 
+-if (!pflag) system(sysbuf);
+-
+   if (tree->subdir!=NULL) {
+ if (adfChangeDir(vol,entry->name)==RC_OK) {
+ if (buf!=NULL)
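Review bot: `entry->name` is still formatted into `buf` and handed to `mkdir()` straight from the archive; moving from `system()` to `mkdir()` stops shell interpretation but not a name containing `DIRSEP` or equal to `..`, so consider rejecting such names before the two `if (!pflag)` calls (or where `path` is built). The bounds side is fine: `buf` is allocated as `strlen(path)+1+strlen(entry->name)+1`, exactly the `"%s%c%s"` output plus terminator, and with `sysbuf` gone there is no fixed-size target left in `extractTree()`.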
+@@ -301,21 +305,20 @@ void processFile(struct Volume *vol, cha
+ extractFile(vol, name, path, extbuf, pflag, qflag);
+ }
+ else {
+-/* the all-in-one string : to call system(), to find the filename, 
the convert dir sep char ... */
+-bigstr=(char*)malloc(strlen(MKDIR)+1+strlen(path)+1+strlen(name)+1);
++bigstr=(char*)malloc(strlen(path)+1+strlen(name)+1);
+ if (!bigstr) { fprintf(stderr,"processFile : malloc"); return; }
+ 
+ /* to build to extract path */
+ if (strlen(path)>0) {
+-sprintf(bigstr,"%s %s%c%s",MKDIR,path,DIRSEP,name);
+-cdstr = bigstr+strlen(MKDIR)+1+str
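Review bot: the hunk is cut off in this archive after `cdstr = bigstr+strlen(MKDIR)+1+str`, so the replacement for that offset cannot be reviewed here. With the `MKDIR` prefix gone from the new `bigstr` layout, `cdstr` should point at `bigstr` itself, and every remaining `strlen(MKDIR)` reference must go since `#define MKDIR` is removed earlier in this patch. The new allocation `strlen(path)+1+strlen(name)+1` matches a `"%s%c%s"` format, so the `sprintf()` in the `strlen(path)>0` branch needs to be rewritten to that format without the leading `MKDIR` and space, and the `strlen(path)==0` branch must be checked for the same change.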

Bug#1060861: RUSTSEC-2023-0078

2024-01-16 Thread Moritz Muehlenhoff
On Mon, Jan 15, 2024 at 09:10:57PM +0100, Salvatore Bonaccorso wrote:
> Hi Moritz,
> 
> On Mon, Jan 15, 2024 at 08:49:04PM +0100, Moritz Muehlenhoff wrote:
> > Source: rust-tracing
> > Version: 0.1.37-1
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team 
> > 
> > https://rustsec.org/advisories/RUSTSEC-2023-0078.html
> > https://github.com/tokio-rs/tracing/pull/2765
> > Fixed by: 
> > https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721
> >  (tracing-0.1.40)
> 
> Please double-check but I think no Debian released version was ever
> affected. The issue is fixed in 0.1.40 already upstream, with the
> above commit (backed by
> https://rustsec.org/advisories/RUSTSEC-2023-0078.html). The issue on
> the other hand is introduced in
> https://github.com/tokio-rs/tracing/commit/3a65354837a0f176178e15787fc700dd6fa11a92
> which is first in 0.1.38. 
> 
> In unstable we ever had only 0.1.37-1, then moved to 0.1.40-1.

That's in fact true! Still, let's update to the latest release anyway.

Cheers,
Moritz



Bug#1060861: RUSTSEC-2023-0078

2024-01-15 Thread Moritz Muehlenhoff
Source: rust-tracing
Version: 0.1.37-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

https://rustsec.org/advisories/RUSTSEC-2023-0078.html
https://github.com/tokio-rs/tracing/pull/2765
Fixed by: 
https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721
 (tracing-0.1.40)




Bug#1060407: Multiple security issues

2024-01-10 Thread Moritz Muehlenhoff
Source: gtkwave
Version: 3.3.116-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team 

A very thorough security audit of gtkwave unveiled a total of 82 security
issues in gtkwave, all fixed in 3.3.118:

CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004
CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703
CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957
CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961
CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969
CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994
CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746
CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915
CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417
CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442
CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446
CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575
CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921
CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618
CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622
CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650
CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657
CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271
CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275
CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414
CVE-2023-39443 CVE-2023-39444

Let's first fix unstable and then we can simply build 3.3.118
for stable-security and oldstable-security as well.

Full details in these advisories from TALOS:
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1777
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1783
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1785
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1786
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1789
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1790
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1791
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1792
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1793
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1797
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1798
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1803
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1804
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1805
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1806
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1807
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1810
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1811
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1812
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1813
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1814
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1815
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1816
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1817
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1819
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1820
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1821
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1822
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1823
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1824
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1826
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1827

Cheers,
Moritz



Bug#1059426: bookworm-pu: package haproxy/2.6.12-1+deb12u1

2023-12-25 Thread Moritz Muehlenhoff
On Mon, Dec 25, 2023 at 10:32:41AM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: hapr...@packages.debian.org
> X-Debbugs-Cc: t...@security.debian.org
> Control: affects -1 + src:haproxy
> 
> Hi,
> 
> For ELTS I was fixing haproxy's CVES CVE-2023-40225 and CVE-2023-45539,
> and I also like to fix those for stable and oldstable.

Please don't just go ahead and prepare updates for bullseye/bookworm
without prior coordination.

haproxy is listed in data/dsa-needed.txt with Salvatore as working on it
(and in fact updates are already uploaded/built on security-master).

Cheers,
Moritz



Bug#1039990: [Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

2023-12-22 Thread Moritz Muehlenhoff
On Fri, Dec 22, 2023 at 05:47:20PM +0100, Jérémy Lal wrote:
> On Thu, Dec 21, 2023 at 23:30, Jérémy Lal  wrote:
> 
> >
> >
> > On Thu, Dec 21, 2023 at 20:34, Moritz Mühlenhoff  wrote:
> >
> >> On Thu, Dec 21, 2023 at 11:29:12AM +0100, Jérémy Lal wrote:
> >> > On Thu, Dec 21, 2023 at 10:54, Moritz Muehlenhoff  wrote:
> >> >
> >> > > On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote:
> >> > > > Hi,
> >> > > >
> >> > > > [CC'ing node-undici uploader]
> >> > >
> >> >
> >> > [CC-ing the good email address for node-undici uploader]
> >> >
> >> > Attached is a debdiff for a node-undici update (which backports what has
> >> > been done in testing).
> >>
> >> Looks good to me, please build with -sa (since it's the first upload
> >> to bookworm-security) and upload to security-master.
> >>
> >
> > Note that nodejs 18.19.0 doesn't need this node-undici version to be built,
> > only typescript consumers need it (when rebuilding packages in bookworm,
> > or when simply using a typescript compiler in bookworm).

Ack!

> nodejs (18.19.0+dfsg-6~deb11u1) is ready and built with -sa.

The bookworm branch looks good, but the version is wrong: Bookworm was the
12th Debian release, so this should be 18.19.0+dfsg-6~deb12u1 instead.

With that change, please upload to security-master.

Cheers,
Moritz



Bug#1059259: lwip: CVE-2023-49287

2023-12-22 Thread Moritz Muehlenhoff
On Fri, Dec 22, 2023 at 10:28:42AM +0100, Samuel Thibault wrote:
> Control: severity -1 wishlist
> 
> Hello,
> 
> Moritz Mühlenhoff, on Fri, Dec 22, 2023 10:03:28 +0100, wrote:
> > CVE-2023-49287[0]:
> > | TinyDir is a lightweight C directory and file reader. Buffer
> > | overflows in the `tinydir_file_open()` function. This vulnerability
> > | has been patched in version 1.2.6.
> > 
> > https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
> > https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
> > https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt
> > 
> > falcosecurity-libs embeds a copy of tinydir, if it's not used to
> > open files from potentially untrusted paths, feel free to downgrade.
> 
> The tinydir_file_open function is not used at all indeed.
> (and we don't ship the only lwip app that includes tinydir.h anyway)

Thanks, I'll make a note in the Debian security, let's just close
the bug then, I'd say; no need to keep it open for a random change
not affecting the Debian build.

Cheers,
Moritz



Bug#1039990: [Pkg-javascript-devel] Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

2023-12-21 Thread Moritz Muehlenhoff
On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> [CC'ing node-undici uploader]
> > >> Ack, let's do that. Could you prepare bookworm-security updates
> > >> based on 18.17.0 (after it has landed in unstable)?
> > >
> > nodejs 18.19.0 has landed in testing.
> > It rebuilds fine in bookworm, and test-suite-during-build pass on amd64.
> > 
> > It also requires "node-undici", precisely for that change:
> > 
> > node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium
> > 
> >   * Build and publish undici-types, needed by new @types/node
> > 
> > Is there a way to deal with this ?
> 
> Then I guess we need this as pre-requisite upload to bookworm as well.
> 
> Maybe Moritz has a better idea, but one option is to propose this
> update regularly as bookworm-pu and once it's in proposed update ask
> DSA to make the security chroots pick as well updates from
> proposed-updates if we plan to release nodejs via a DSA (or otherwise
> via bookworm-pu as well).
> 
> One other alternative is to make a non-security upload for
> node-unidici containing that change to the security archive, which the
> nodejs update can pick.

I think we can handle it similar to what we recently did when OpenJDK bumped
its requirement for jtreg: When we have a suitable update for node-undici
we upload it to security-master and the security buildds will be able to
use it to build the new nodejs. And then it simply gets released along with
the nodejs update.

Cheers,
Moritz



Bug#1059054: nss: CVE-2023-6135

2023-12-20 Thread Moritz Muehlenhoff
On Wed, Dec 20, 2023 at 11:43:11AM +0900, Mike Hommey wrote:
> Version: 2:3.95-1
> 
> On Tue, Dec 19, 2023 at 10:21:27PM +0100, Moritz Mühlenhoff wrote:
> > Source: nss
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for nss.
> > 
> > CVE-2023-6135[0]:
> > | Multiple NSS NIST curves were susceptible to a side-channel attack
> > | known as "Minerva". This attack could potentially allow an attacker
> > | to recover the private key. This vulnerability affects Firefox <
> > | 121.
> > 
> > The bug linked from
> > https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6135
> > is restricted, do you happen to have a commit reference for NSS itself?
> 
> It was fixed via https://bugzilla.mozilla.org/show_bug.cgi?id=1861728
> and https://bugzilla.mozilla.org/show_bug.cgi?id=1863605, apparently, in
> a version that was released last month.

Thanks!

Cheers,
Moritz



Bug#1057755: Qt WebEngine Security Support In Stable

2023-12-15 Thread Moritz Muehlenhoff
On Fri, Dec 15, 2023 at 10:39:04AM +0200, Adrian Bunk wrote:
> > That is a good point. However, I consider full coverage of security support
> > for stable to be an improvement over the current situation. Explicitly
> > stating that security support is not shipped for oldstable does not do any
> > more harm to users than what we currently do by explicitly stating that
> > security support is not shipped for either stable or oldstable.
> 
> From a policy point of view, the duration of security support is a 
> Debian-wide policy and not a per-package policy.
> 
> From a user point of view, an organization/company running Debian on 
> their user/employee desktops would not schedule upgrades to a new 
> stable on release day - 1 year of migration time is really necessary.

We already set some tighter deadlines, Chromium security support will
also end six months after the release of the next stable release.

But I agree with the general sentiment that this is too much work to directly
commit to full security support. A first step would be to initially commit
to rebase to the latest LTS release in every point release. That would already
be an improvement.

Cheers,
Moritz



Bug#1058624: CVE-2023-5616: if sshd is enabled but socket-activated, control-center will say it's disabled

2023-12-15 Thread Moritz Muehlenhoff
Hi Simon,

> Unless the security team have reasons to want this to be treated as
> urgent, I would suggest that instead of rushing to apply Ubuntu's
> solution, we should see what happens upstream, and then follow that in
> Debian when the dust has settled.

Agreed, this isn't an issue we need to rush a fix for.

Cheers,
Moritz



Bug#1057418: Mark consul as EOLed in Bullseye

2023-12-04 Thread Moritz Muehlenhoff
Source: debian-security-support
Version: 1:13+2023.09.27
Severity: wishlist

Hashicorp changed the license of Consul and MPLed patches are only
provided until Dec 31. As such, it has been removed from unstable
and needs to be EOLed for bullseye (removal from bullseye isn't
simple, it would require source uploads to packages like Prometheus
currently building with Consul support).



Bug#1057343: Processed: Re: Bug#1057315: tiles: CVE-2023-49735

2023-12-04 Thread Moritz Muehlenhoff
On Mon, Dec 04, 2023 at 09:13:41AM +, Holger Levsen wrote:
> Hi Salvatore,
> 
> thanks for your continuous work on Debian security!
> 
> On Sun, Dec 03, 2023 at 08:03:05PM +, Debian Bug Tracking System wrote:
> > > clone -1 -2 -3
> > Bug #1057315 [src:tiles] tiles: CVE-2023-49735
> > Bug 1057315 cloned as bugs 1057342-1057343
> > > retitle -2 tiles: Add README.Debian.security to document support status
> > > reassign -3 src:debian-security-support
> > > retitle -3 Mark tiles as only supported for building applications shipped 
> > > in Debian
>  
> ack & this starts when? with 3.0.7-4 in buster? or 20231204? or?

The note to EOL libspring-java is only in Bookworm, so this is only needed for
Bookworm as well.

For Buster, Spring is marked as EOLed, so it should probably just use the same;
I'll let someone from Debian LTS chime in.

Cheers,
Moritz



Bug#1057315: tiles: CVE-2023-49735

2023-12-03 Thread Moritz Muehlenhoff
Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> The project is dead-upstream TTBOMK, so not sure if/what we can do at
> all for this issue. Removal seems not possible as per:
> 
> carnil@respighi:~$ dak rm --suite=unstable -n -R tiles
> Will remove the following packages from unstable:
> 
> libtiles-java |3.0.7-5 | all
> libtiles-java-doc |3.0.7-5 | all
>  tiles |3.0.7-5 | source
> 
> Maintainer: Debian Java Maintainers 
> 
> 
> --- Reason ---
> 
> --
> 
> Checking reverse dependencies...
> # Broken Build-Depends:
> libspring-java: libtiles-java (>= 3.0)
> 
> Dependency problem found.
> 
> carnil@respighi:~$
> 
> But maybe we can set it as "no-dsa", is it only used as build
> dependency for libspring-java and not sensible outside?

Spring is already marked as unsupported, so we can simply extend that.

Cheers,
Moritz


