Bug#1061552: crmsh broken with python3-parallax 1.0.6

[wferi]

Indeed, parallax.run was added only in version 1.0.7 by
https://github.com/krig/parallax/commit/38bac0eb3cb20e9df8cbbf585cf9353793ffdba2.
Thanks for the report!
--
Feri (only acknowledging it; I don't use crmsh, so no promises).

Bug#997016: RFS: swtpm/0.7.0-rc2-1 [ITA] -- Libtpms-based TPM emulator

[wferi]

Seunghun Han  writes:

>>>   swtpm - Libtpms-based TPM emulator
>>>   swtpm-dev - Include files for the TPM emulator's CUSE interface
>>>   swtpm-libs - Common libraries for TPM emulators
>>
>> Why do you deviate from the usual libswtpm-dev/libswtpm0 package names?
>> Including the SO version in the package name enables installing
>> incompatible versions side-by-side, which is useful.
>>
>> Also, shipping static libraries (like libswtpm_libtpms.a) is generally
>> recommended against in Debian.  Does this package warrant it?
>
> The upstream version already has some debian-related files, and I
> changed them to adopt the package. The author of it wants to name it
> like libswtpm0, so I used the name. The static libraries are also
> involved in upstream debian files. Should I change the name like
> libswtpm instead of libswtpm0 and remove static libraries from the
> package?

I questioned the package name, not the names of the shared object
within.  After a closer look, though, libswtpm_libtpms.so.0.0.0 looks
more like an internal convenience library than something which other
projects call into.  If this is so, the package name loses its
relevance, I wonder why it's packaged separately, even.  Or why it isn't
compiled straight into the single binary (swtpm) linked against it.

>>>   swtpm-tools - Tools for the TPM emulator
>>
>> Why do you put swtpm-create-tpmca, swtpm-create-user-config-files and
>> swtpm-localca into /usr/share/swtpm instead of /usr/bin?  (This emits
>> several Lintian information tags.)
>
> The author of the upstream project wanted to put them to
> /usr/share/swtpm. The files are just for the initialization and don't
> be used for TPM operations directly, so maybe he wanted to put
> /usr/share/swtpm instead of /usr/bin. Should I move them to /usr/bin?

That they have man pages suggests that they are meant for human use.
That their man pages are in section 8 suggests that they should live in
/usr/sbin.  But this is unreliable, since even the *.conf man pages are
in section 8, while those belong to section 5.  This actually depends on
whether the executables are generally used by the system administrator
or nonprivileged users (or only internally, in which case the scripts
would indeed belong into /usr/share/swtpm).  I started to suspect that
the current decision wasn't based on the expected usage pattern, but
rather on the implementation method (interpreted script or compiled
binary), which isn't very useful.  But I know too little about the swtpm
ecosystem to be sure about the best filesystem layout for the future.
-- 
Regards,
Feri

Bug#997016: RFS: swtpm/0.7.0-rc2-1 [ITA] -- Libtpms-based TPM emulator

[wferi]

Seunghun Han  writes:

>  * Package name: swtpm
>Version : 0.7.0-rc2-1

Hi,

The upstream version number should be 0.7.0~rc2 with a tilde instead of
a hyphen to ensure proper ordering (as Lintian warns about).  To do such
transformations automatically, put something like this in the watch file:

uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/

>   swtpm - Libtpms-based TPM emulator
>   swtpm-dev - Include files for the TPM emulator's CUSE interface
>   swtpm-libs - Common libraries for TPM emulators

Why do you deviate from the usual libswtpm-dev/libswtpm0 package names?
Including the SO version in the package name enables installing
incompatible versions side-by-side, which is useful.

Also, shipping static libraries (like libswtpm_libtpms.a) is generally
recommended against in Debian.  Does this package warrant it?

>   swtpm-tools - Tools for the TPM emulator

Why do you put swtpm-create-tpmca, swtpm-create-user-config-files and
swtpm-localca into /usr/share/swtpm instead of /usr/bin?  (This emits
several Lintian information tags.)
-- 
Thanks for you work!
Regards,
Feri

Bug#995569: debhelper: act on service files placed in usr/lib/systemd/system

[wferi]

Niels Thykier  writes:

> Unfortunately, I have no intention of acting on this request until the
> tech-ctte has resolved their advice on how they want the /usr-merge
> transition to be resolved (per #995569).
> [...]
> I wish I could provide you with something better, but I am personally
> not ready to invest in implementing this feature while there is a
> considerably risk that I would need to revert it again or it would be
> interpreted as "promoting dissent" against the upcoming /usr-merge
> transition[1].
> [...]
> [1] I have raised objections in public about some of the /usr-merge
> transition plans. I feel this is not an entirely theoretical concern
> that other project members would see it as a statement from me if I was
> to implement this feature without the explicit approval of the tech-ctte
> at this point in time.

Hi Niels,

Wow.  Ugh.  Thanks for your elaborate answer.  Don't worry, I can
certainly live without this feature, and I'm perfectly fine with this
aspect being handled as a minor bullet point in the eventual /usr-merge
transition plan.  The main point of my report was to avoid losing sight
of the issue.  And you've already ensured that. :)
-- 
Thanks again,
Feri

Bug#918137: marked as pending in lintian

[wferi]

Felix Lechner  writes:

> According to my research, the functionality was added in this commit [1] and
> released in this one [2] as part of init-system-helpers 1.52.

Hi Felix,

Thanks for the thorough research and the fix.  Does this mean that
Debhelper is too strict generating the init-system-helpers (>= 1.54~)
pre-dependency and it should use >= 1.52~ instead?
-- 
Thanks,
Feri

Bug#991423: xmltooling: autopkgtest regression since mid-July 2021

[wferi]

Control: forwarded -1 https://issues.shibboleth.net/jira/browse/CPPXT-151

Hi Graham,

Thanks for the report!
I think it's just some fallout from the upstream wiki migration.
Let's see if they can provide a quick fix.
-- 
Regards,
Feri.

Bug#991005: unblock: corosync/3.1.2-2

[wferi]

Adrian Bunk  writes:

> Please age package corosync
>
>   * [f641780] New patch: stats: fix crash when iterating over deleted keys.
> Cherry-picked from v3.1.4.
> (change by Ferenc Wágner)
>
> autopkgtest for corosync/3.1.2-2: amd64: Pass, arm64: Pass, armhf: Pass, 
> i386: Pass, ppc64el: Pass
> Too young, only 7 of 20 days old
>
> This would reach 20 days after the deadline July 17th.

Thanks for submitting the request, Adrian!  I second it as maintainer.
Upstream released 3.1.4 with this single crash fix, so I planned to
request an unblock anyway (since corosync is a key package, aging it is
not enough).
-- 
Thanks,
Feri

Bug#987941: buster-pu: package pacemaker/2.0.1-5+deb10u2

[wferi]

On Wed, 09 Jun 2021 09:17:26 +0200 wf...@niif.hu wrote:

> Andreas kindly provided further refinements for his patch in #985173.
> I'll update this stable update request with the new debdiff shortly.

Here it is:

$ debdiff pacemaker_2.0.1-5+deb10u1.dsc pacemaker_2.0.1-5+deb10u2.dsc
diff -Nru pacemaker-2.0.1/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1/debian/changelog2020-11-07 20:21:48.0 +0100
+++ pacemaker-2.0.1/debian/changelog2021-06-10 21:45:34.0 +0200
@@ -1,3 +1,19 @@
+pacemaker (2.0.1-5+deb10u2) buster; urgency=medium
+
+  [ Andreas Beckmann ]
+  * [1088b23] pacemaker-resource-agents: Bump Breaks+Replaces: pacemaker
+to (<< 2)
+A new upstream release instroduced as security update 1.1.24-0+deb9u1 in
+stretch added the new file /usr/lib/ocf/resource.d/pacemaker/ifspeed to
+pacemaker, while it resides in pacemaker-resource-agents in buster.
+(Closes: #985173)
+  * [4f1844b] libpe-status28/libpengine27: Add Breaks against libpe-
+status10/libpengine10 (>= 1.1.24)
+The version in stretch-security shipped libraries with SOVERSION 16
+instead of 10.  (See: #981088)
+
+ -- Ferenc Wágner   Thu, 10 Jun 2021 21:45:34 +0200
+
 pacemaker (2.0.1-5+deb10u1) buster-security; urgency=high
 
   * [bf23450] Apply patch series fixing CVE-2020-25654: ACL bypass.
diff -Nru pacemaker-2.0.1/debian/control pacemaker-2.0.1/debian/control
--- pacemaker-2.0.1/debian/control  2020-11-07 20:21:48.0 +0100
+++ pacemaker-2.0.1/debian/control  2021-06-10 21:44:36.0 +0200
@@ -84,9 +84,9 @@
  ${misc:Depends},
 # split out of pacemaker so that pacemaker-remote can also use them:
 Breaks:
- pacemaker (<< 1.1.14-2~),
+ pacemaker (<< 2),
 Replaces:
- pacemaker (<< 1.1.14-2~),
+ pacemaker (<< 2),
 Description: cluster resource manager general resource agents
  ${S:X-Common-Description}
  .
@@ -270,6 +270,10 @@
 Depends:
  ${misc:Depends},
  ${shlibs:Depends},
+Breaks:
+# The new upstream version in stretch-security shipped
+# SOVERSION 16 instead of 10 (see #981088), get it removed:
+ libpe-status10 (>= 1.1.24),
 Description: cluster resource manager Policy Engine status library
  ${S:X-Common-Description}
  .
@@ -282,6 +286,10 @@
 Depends:
  ${misc:Depends},
  ${shlibs:Depends},
+Breaks:
+# The new upstream version in stretch-security shipped
+# SOVERSION 16 instead of 10 (see #981088), get it removed:
+ libpengine10 (>= 1.1.24),
 Description: cluster resource manager Policy Engine library
  ${S:X-Common-Description}
  .

I'm ready to upload if you agree.
-- 
Thanks,
Feri

Bug#987941: Acknowledgement (buster-pu: package pacemaker/2.0.1-5+deb10u2)

[wferi]

Andreas kindly provided further refinements for his patch in #985173.
I'll update this stable update request with the new debdiff shortly.
-- 
Feri

Bug#959757: This is a regression

[wferi]

Peter Leipold  writes:

> On 5/2/21 2:54 PM, Salvatore Bonaccorso wrote:
>
>> On Sun, Jul 05, 2020 at 01:15:38PM +0200, wf...@niif.hu wrote:
>>
>>> I started to see this problem after upgrading from 5.4.0-0.bpo.4-amd64
>>> to 5.5.0-0.bpo.2-amd64.  It goes like:
>>
>> Do you still have the issue reproducible with a recent kernel from
>> unstable or buster-backports?
>
> Hi, I'm the original reporter. FYI, the problem was fixed with one of
> the kernel updates on last summer. It's stable since then.

Hi,

I certainly can't reproduce it with the current 5.10.24-1~bpo10+1.  Not
even with 5.10.13-1~bpo10+1, and I haven't got older logs anymore.
-- 
Feri

Bug#987662: unblock: shibboleth-sp/3.2.2+dfsg1-1

[wferi]

Sebastian Ramacher  writes:

> Since the new upstream release only fixes the security issue, let's take
> 3.2.2+dfsg1-1.

Thanks, uploaded.
-- 
Feri

Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer deference

[wferi]

Salvatore Bonaccorso  writes:

> MITRE has assigned CVE-2021-31826 for this issue.

Thanks.  I guess you don't want a new security upload for this, but I'll
certainly include it in the changelog of the unstable upload.  (And in
the changelog of the next security upload, whenever that happens.)
-- 
Feri

Bug#892058: Thanks for the reminder

[wferi]

Hi,

Thanks for the timely reminder with all the relevant dates included.
I find this service useful and I'm grateful for it.
-- 
Feri

Bug#981088: pacemaker: crm shell can't be executed due to a library error

[wferi]

Markus Koschany  writes:

> Am Freitag, den 26.03.2021, 16:37 +0100 schrieb wf...@niif.hu:
>
>> Thorsten Rehm  writes:
>> 
>>> In my opinion the crmsh package should be more strict with the
>>> pacemaker-cli-utils package
>> 
>> Sorry for not looking into this sooner.  What do you mean by being
>> "more strict"?  Does crmsh require a specific version of
>> pacemaker-cli-utils to function correctly?
>
> Yes, exactly. There should be a versioned dependency on
> pacemaker-cli-utils.

What kind of versioned dependency?  What's your source?  I don't
maintain crmsh, so I'm not familiar with its requirements.

>> While that's possible, I don't think it has anything to do with your
>> problem, which is that crm_mon requires the libpe_status.so.10 shared
>> library, but that is not provided by the 1.1.24-0+deb9u1 version of
>> libpe-status10.  Because it switched to providing libpe_status.so.16
>> instead.  The library changed SONAME, but the package name did not
>> change, which is forbidden.  The same applies to libpengine10.
>> 
>> Markus, I know introducing new packages through the security channel
>> is highly unusual, but is it entirely impossible?  Or can you
>> recommend some other solution?
>
> In my opinion this issue has been resolved in Stretch. It's up to you
> if you want to tighten the dependency on pacemaker-cli-utils in
> unstable releases but we don't need to change that in Stretch right
> now.

I wonder if pacemaker Recommending the same version of
pacemaker-cli-utils would have helped here...  probably not.
Switching to Depends isn't unreasonable, but not compelling either.

> Pacemaker works fine, there was just a corner case when some packages
> were put on hold hence my suggestion to tighten the dependency.

You needn't put anything on hold to reproduce this problem.  Just
install pacemaker-cli-utils from stretch, then upgrade libpe-status10
from stretch-security, and crm_mon can't start anymore.  Surely it isn't
a common scenario, and any affected users are probably past this by now,
but this is the gist of the problem.  We may leave it at there, though.

> We usually don't change package names in oldstable releases. In this
> case there were no other reverse-dependencies which had to be
> rebuilt. If there were any we would just rebuilt affected packages.

I see.  This still risks breaking software built by the user, because it
violates Policy 8.1: "The run-time shared library must be placed in a
package whose name changes whenever the SONAME of the shared library
changes."  Anyway, we have to find out if there's anything to do here.
-- 
Thanks,
Feri

Bug#985173: pacemaker-resource-agents: missing Breaks+Replaces: pacemaker (<< 2)

[wferi]

Hi Andreas,

Sorry for not responding sooner, some mail forwarding problem
intervened.  Looks like there's another serious problem with the
security upload breaking the buster upgrade path, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981088.  I haven't
asked the Security Team yet, but if that problem can be solved through
the security channel, then maybe this one could be as well?  I mean a
hypothetical 1.1.24-0+deb9u2 upload would (besides introducing the new
binary packages for the new SONAMEs to fix #981088) also move
/usr/lib/ocf/resource.d/pacemaker/ifspeed from pacemaker into
pacemaker-resource-agents, fixing the buster upgrade.  Do you think that
would work out well?  Or should we push this change regardless into
buster and unstable and bullseye?

(I understand that introducing libpe-status16 wouldn't fix the damage
already done by 1.1.24-0+deb9u2, and the workaround (upgrading
pacemaker-cli-utils) is easy and already happened anyway in most of the
cases.  So we could also follow the tactic of leaving stretch-security
alone, and tighten Breaks+Replaces in buster and beyond as you
implemented here.)
-- 
Thanks,
Feri

Bug#981088: pacemaker: crm shell can't be executed due to a library error

[wferi]

Control: reassign -1 libpe-status10 1.1.24-0+deb9u1
Control: severity -1 serious

Thorsten Rehm  writes:

> In my opinion the crmsh package should be more strict with the
> pacemaker-cli-utils package

Sorry for not looking into this sooner.  What do you mean by being "more
strict"?  Does crmsh require a specific version of pacemaker-cli-utils
to function correctly?

While that's possible, I don't think it has anything to do with your
problem, which is that crm_mon requires the libpe_status.so.10 shared
library, but that is not provided by the 1.1.24-0+deb9u1 version of
libpe-status10.  Because it switched to providing libpe_status.so.16
instead.  The library changed SONAME, but the package name did not
change, which is forbidden.  The same applies to libpengine10.

Markus, I know introducing new packages through the security channel is
highly unusual, but is it entirely impossible?  Or can you recommend
some other solution?
-- 
Thanks,
Feri

Bug#984888: pam-mysql: Newly added test with 323 hashed passwords fail on s390x

[wferi]

Balint Reczey  writes:

> On Sun, Mar 14, 2021 at 3:49 PM  wrote:
>
>> Debugging suggests that the internal SHA-1 implementation does not work
>> on big-endian architectures.  The easy way out is switching to the
>> libcrypto implementation (the package already depends on libssl1.1 and
>> the PAM module links against libcrypto.so.1).  The hard way is finding
>> the bug and fixing it for arbitrary endianness.  I wonder which one the
>> Release Team prefers...
>
> I'm sure the Release Team would prefer using a well known SHA
> implementation rather than an internal one especially when the
> internal one proved to be broken.

Actually the fix is already uploaded, though debci hasn't tested it yet.
The internal implementation had the necessary conditional compilation
directives, but the corresponding Autoconf test was missing.  So a
one-line patch (already merged upstream) sufficed.  In the past I tried
to persuade upstream into dropping the internal crypto routines, but
the idea didn't get traction.
-- 
Cheers,
Feri

Bug#983569: [Pkg-net-snmp-devel] Bug#983569: net-snmp: please enable systemd integration

[wferi]

wf...@debian.org writes:

> Turns out the upstream socket activation code does not include UDP.
> I addressed that in the merge request as well.

For what it's worth, net-snmp upstream merged the patch from
https://github.com/net-snmp/net-snmp/pull/274.
-- 
Regards,
Feri

Bug#985054: coturn: fails to purge: rmdir: failed to remove '/var/lib/turn': No such file or directory

[wferi]

Control: tag 985054 + pending

Andreas Beckmann  writes:

> That's something I haven't come across so far ;-) (Conditional usage
> of /usr/share/doc content in postinst, unconditional usage of the
> generated side effect in postrm purge.)
> Please move the bits needed by the package out of /usr/share/doc/$pkg
> to /usr/share/$pkg and use it from there.

The schema file is already present there as well, so it's a simple
matter of changing the path in the postinst.

> PS: for your reference, this is the template we use for packages
> failing to access /usr/share/doc content in nodocs tests: [...]

Thanks, that's abundantly clear.  Pity it wasn't triggered, but the
report was right anyway.
-- 
Feri

Bug#985054: coturn: fails to purge: rmdir: failed to remove '/var/lib/turn': No such file or directory

[wferi]

wf...@niif.hu writes:

> Andreas Beckmann  writes:
>
>> According to policy 7.2 you cannot rely on the depends being available
>> during purge, only the essential packages are available for sure.
>
> I can't see coturn rely on any of its dependencies during purge, do you?

Hi Andreas,

Have you got anything to add here?

>> (this was observed in a piuparts nodocs test)
>
> Could you please explain to me what a "nodocs" test is?

I read through the Salsa repo, I get it now.

> Since the postinst creates /var/lib/turn/turndb if it doesn't exist,
> I've got no idea how /var/lib/turn can be missing during purge.

Now I understand: it's created only if the needed schema file is
present.  Unfortunately it's used from under /usr/share/doc.  I'll
upload a fix shortly.
-- 
Thanks,
Feri

Bug#985405: src:shibboleth-sp: Error templates allow query-based override of variables

[wferi]

Moritz Muehlenhoff  writes:

> debdiff looks fine, please upload when you had a chance to test it

The updated packages work fine in our infrastructure.
I uploaded the full source package.
-- 
Thanks,
Feri

Bug#985405: src:shibboleth-sp: Error templates allow query-based override of variables

[wferi]

Dear Security Team,

Please review the debdiff below for a buster-security upload.
The advisory text changed a little meanwhile, adding credits to Toni
Huttunen, Fraktal Oy for discovering the problem, mentioning the style
sheet spoofing and adding some mitigation tips.

I haven't got a concrete exploit on hand, but I'll start testing the
updated package shortly.

diff -Nru shibboleth-sp-3.0.4+dfsg1/debian/changelog 
shibboleth-sp-3.0.4+dfsg1/debian/changelog
--- shibboleth-sp-3.0.4+dfsg1/debian/changelog  2019-03-16 20:51:16.0 
+0100
+++ shibboleth-sp-3.0.4+dfsg1/debian/changelog  2021-03-17 16:55:49.0 
+0100
@@ -1,3 +1,26 @@
+shibboleth-sp (3.0.4+dfsg1-1+deb10u1) buster-security; urgency=high
+
+  * [594074b] New patch: SSPCPP-922 - Add externalParameters option to Errors
+element.
+Fix a phishing vulnerability: Template generation allows external
+parameters to override placeholders
+The primitive template engine used to render error pages allows
+replacement via query parameters also, though this is not a typical
+need. Because of this feature, it's possible to cause the SP to
+display some templates containing values supplied externally by URL
+manipulation. Though the values are encoded to prevent script
+injection, the content nevertheless appears to come from the server
+and so would be interpreted as trustworthy, allowing email addresses,
+logos, or support URLs to be manipulated by an attacker.
+This update adds a new  setting to the configuration called
+externalParameters, which defaults to false. When false, support for
+this "feature" is disabled.
+https://shibboleth.net/community/advisories/secadv_20210317.txt
+https://issues.shibboleth.net/jira/browse/SSPCPP-922
+Thanks to Scott Cantor (Closes: #985405)
+
+ -- Ferenc Wágner   Wed, 17 Mar 2021 16:55:49 +0100
+
 shibboleth-sp (3.0.4+dfsg1-1) unstable; urgency=medium
 
   * [f284741] New upstream release: 3.0.4
diff -Nru shibboleth-sp-3.0.4+dfsg1/debian/gbp.conf 
shibboleth-sp-3.0.4+dfsg1/debian/gbp.conf
--- shibboleth-sp-3.0.4+dfsg1/debian/gbp.conf   2019-03-13 20:06:54.0 
+0100
+++ shibboleth-sp-3.0.4+dfsg1/debian/gbp.conf   2021-03-17 16:21:54.0 
+0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/latest
 pristine-tar = True
 
diff -Nru shibboleth-sp-3.0.4+dfsg1/debian/patches/series 
shibboleth-sp-3.0.4+dfsg1/debian/patches/series
--- shibboleth-sp-3.0.4+dfsg1/debian/patches/series 2019-03-16 
20:48:54.0 +0100
+++ shibboleth-sp-3.0.4+dfsg1/debian/patches/series 2021-03-17 
16:54:46.0 +0100
@@ -3,3 +3,4 @@
 Debianize-the-systemd-service-file-of-shibd.patch
 seckeygen-defaults-for-Debian.patch
 Use-runstatedir-from-future-Autoconf-2.70.patch
+SSPCPP-922-Add-externalParameters-option-to-Errors-elemen.patch
diff -Nru 
shibboleth-sp-3.0.4+dfsg1/debian/patches/SSPCPP-922-Add-externalParameters-option-to-Errors-elemen.patch
 
shibboleth-sp-3.0.4+dfsg1/debian/patches/SSPCPP-922-Add-externalParameters-option-to-Errors-elemen.patch
--- 
shibboleth-sp-3.0.4+dfsg1/debian/patches/SSPCPP-922-Add-externalParameters-option-to-Errors-elemen.patch
1970-01-01 01:00:00.0 +0100
+++ 
shibboleth-sp-3.0.4+dfsg1/debian/patches/SSPCPP-922-Add-externalParameters-option-to-Errors-elemen.patch
2021-03-17 16:54:46.0 +0100
@@ -0,0 +1,125 @@
+From: Scott Cantor 
+Date: Tue, 16 Mar 2021 10:56:22 -0400
+Subject: SSPCPP-922 - Add externalParameters option to Errors element
+
+https://issues.shibboleth.net/jira/browse/SSPCPP-922
+
+Closes: #985405
+---
+ schemas/shibboleth-3.0-native-sp-config.xsd |  1 +
+ shibsp/ServiceProvider.cpp  | 11 +--
+ shibsp/handler/impl/AttributeCheckerHandler.cpp | 12 ++--
+ shibsp/handler/impl/FormSessionInitiator.cpp| 12 +++-
+ shibsp/handler/impl/LogoutHandler.cpp   | 10 +-
+ 5 files changed, 40 insertions(+), 6 deletions(-)
+
+diff --git a/schemas/shibboleth-3.0-native-sp-config.xsd 
b/schemas/shibboleth-3.0-native-sp-config.xsd
+index 5bfa3a2..3b1a664 100644
+--- a/schemas/shibboleth-3.0-native-sp-config.xsd
 b/schemas/shibboleth-3.0-native-sp-config.xsd
+@@ -732,6 +732,7 @@
+ 
+ 
+ 
++
+ 
+   
+ 
+diff --git a/shibsp/ServiceProvider.cpp b/shibsp/ServiceProvider.cpp
+index aacbba1..b9f6e4c 100644
+--- a/shibsp/ServiceProvider.cpp
 b/shibsp/ServiceProvider.cpp
+@@ -71,9 +71,16 @@ namespace shibsp {
+ if (!app)
+ app = request.getServiceProvider().getApplication(nullptr);
+ 
+-const PropertySet* props=app->getPropertySet("Errors");
++const PropertySet* props = app->getPropertySet("Errors");
+ 
+-// First look for settings in the request map of the form pageError.
++// If the externalParameters option isn't set, clear out the request 
field.
++pair externalParameters =
++ 

Bug#983569: [Pkg-net-snmp-devel] Bug#983569: net-snmp: please enable systemd integration

[wferi]

wf...@debian.org writes:

> Craig Small  writes:
>
>> Also, how confident are you writing unit files? I can write them but must
>> admit I don't fully understand some of the more exotic features such as
>> socket activation.
>
> My on-hands experience with socket activation is rather limited, but the
> concept is not new, inetd did the trick in a more limited way.  The
> technology is widely used and there's even a short snmptrapd.socket
> upstream, albeit with a somewhat confusing comment about matching.
>
> Aside, I'd recommend using Type=exec everywhere instead of (the default)
> Type=simple for the sake of better error reporting.

I opened https://salsa.debian.org/debian/net-snmp/-/merge_requests/8
with all these changes and more.  And with a new autopkgtest. :)

>> The net-snmp upstream seems to think you only should do socket
>> activation for snmptrapd only, but I think you are only targeting that
>> one anyway.
>
> Yes.

Turns out the upstream socket activation code does not include UDP.
I addressed that in the merge request as well.  Unfortunately this makes
the change rather bigger than I expected originally.
-- 
Regards,
Feri

Bug#984888: pam-mysql: Newly added test with 323 hashed passwords fail on s390x

[wferi]

Balint Reczey  writes:

> Autopkgtests are failing in CI on s390x due to the following newly added 
> tests:
>
> ...
> OK: Y_MD5: correct password accepted
> OK: Y_MD5: incorrect password refused
> FAIL: mysql: correct password refused
> OK: mysql: incorrect password refused
> ...

(It isn't the 323 variant that fails, but anyway...)

Debugging suggests that the internal SHA-1 implementation does not work
on big-endian architectures.  The easy way out is switching to the
libcrypto implementation (the package already depends on libssl1.1 and
the PAM module links against libcrypto.so.1).  The hard way is finding
the bug and fixing it for arbitrary endianness.  I wonder which one the
Release Team prefers...
-- 
Feri

Bug#984888: pam-mysql: Newly added test with 323 hashed passwords fail on s390x

[wferi]

Balint Reczey  writes:

> Autopkgtests are failing in CI on s390x due to the following newly added 
> tests:
>
> debian/tests/auth:
> ...
> 'mysql': { 'crypt':  2, '323': 'false', 'hash':
> '*1A8A8D8A90F03E8A15D4FFB3FC91A4693F077A84' }, # select
> PASSWORD('foopwd')
> ...

Szia Bálint,

Could you plese show me what SELECT PASSWORD('foopwd') returns on the
server fired up by the autopkgtest on s390x?  I can't easily try this
myself, but I plan to add this to the test in the next upload.
-- 
Thanks,
Feri

Bug#985054: coturn: fails to purge: rmdir: failed to remove '/var/lib/turn': No such file or directory

[wferi]

Andreas Beckmann  writes:

> According to policy 7.2 you cannot rely on the depends being available
> during purge, only the essential packages are available for sure.

Hi Andreas,

I can't see coturn rely on any of its dependencies during purge, do you?

> (this was observed in a piuparts nodocs test)

Could you please explain to me what a "nodocs" test is?  Since the
postinst creates /var/lib/turn/turndb if it doesn't exist, I've got no
idea how /var/lib/turn can be missing during purge.  Was it removed by
the testing framework for being "unowned", for example?  (Anyway, I
agree that the postrm should be protected from such occurrences.)

> From the attached log (scroll to the bottom...):
>
>   Purging configuration files for coturn (4.5.2-2) ...
>   rmdir: failed to remove '/var/lib/turn': No such file or directory
>   dpkg: error processing package coturn (--purge):
>installed coturn package post-removal script subprocess returned error 
> exit status 1
>   Errors were encountered while processing:
>coturn
>
> Why don't you ship the (empty) directory in the package and let dpkg
> take care of creation and removal?

The postinst creates a database in /var/lib/turn, so dpkg --remove could
only emit a warning about not removing an empty directory in most cases.
So the database (and the containing /var/lib/turn directory) must be
removed by the postrm during purge.  Thus I don't see much point in
shipping an empty /var/lib/turn, but I may be overlooking something.
And I actually do, as this bug report proves; but what is it?

(BTW the current setup has another problem: /var/lib/turn must also be
writable by the server for the SQLite database within being writable.)
-- 
Thanks,
Feri

Bug#984501: unblock: libqb/2.0.3-1

[wferi]

Sebastian Ramacher  writes:

> The changes look ok. Under the assumption that the upload happens soon,
> please go ahead.

Thank you, uploaded.
-- 
Regards,
Feri

Bug#983569: [Pkg-net-snmp-devel] Bug#983569: net-snmp: please enable systemd integration

[wferi]

Craig Small  writes:

> On Fri, 26 Feb 2021 at 23:12, Ferenc Wágner  wrote:
>
>> file.  If you aren't comfortable with changing the unit files now,
>> shortly before hard freeze, at least enabling support in the daemons
>> would still be very useful and also very easy with the --with-systemd
>> configure flag.  That wouldn't change behavior, only enable taking
>> advantage of the support via local configuration.  If you're interested,
>> I'm willing to open a merge request for easier review.  The Salsa CI
>> passed on my fork with the trivial change.
>
> Do you know if anything is linked to a systemd library (therefore the
> dependencies change) is that is enabled?

Hi Craig,

No, the necessary systemd code is included in snmplib/sd-daemon.c and
appears in libnetsnmp.so, so the new binaries aren't linked against
libsystemd.

> Also, how confident are you writing unit files? I can write them but must
> admit I don't fully understand some of the more exotic features such as
> socket activation.

My on-hands experience with socket activation is rather limited, but the
concept is not new, inetd did the trick in a more limited way.  The
technology is widely used and there's even a short snmptrapd.socket
upstream, albeit with a somewhat confusing comment about matching.

Aside, I'd recommend using Type=exec everywhere instead of (the default)
Type=simple for the sake of better error reporting.

> The net-snmp upstream seems to think you only should do socket
> activation for snmptrapd only, but I think you are only targeting that
> one anyway.

Yes.

> A merge request on salsa seems the easiest way for me. If its not too big
> an impact then it might be able to get it in before the freeze.

I opened the simplest possible merge request based on the tree I did my
testing on.  It does not touch the unit files.  I'm afraid whatever we
do, we'll have to get a manual unblock from the release team, if they
keep to their schedule (and they'll probably do so).
-- 
Regards,
Feri

Bug#983598: lintian: package-installs-apt-sources emitted for packages whose names end in -archive-keyring

[wferi]

Felix Lechner  writes:

> On Fri, Feb 26, 2021 at 2:36 PM Ferenc Wágner  wrote:
>
>> only the first suffix is exempted
>
> Which package triggers the false positive, please? Thank you!

Hi Felix,

The one I created tonight based on the instructions at
https://wiki.debian.org/DebianRepository/UseThirdParty, called
elastic-archive-keyring.  It indeed ships a file under
/etc/apt/sources.list.d.  (And another under /etc/apt/preferences.d,
which Lintian also complains about, but that tag hasn't got
contradicting documentation.)
-- 
Regards,
Feri

Bug#981404: Fix seems incomplete

[wferi]

Hi,

The patch in this bug report very much shrinks the window of the
vulnerability, but doesn't close it completely: the file is still
created with default permissions, then chmodded as a separate step.
It's hard, but not impossible to still win the race and open the file
before the chmod, enabling the same attack.  I recommend something like

fd = open(dstFileName, O_WRONLY|O_CREAT|O_EXCL, 0600);
if (fd != -1)
f = fdopen( fd, "wb" );
if (fd == -1 || f == NULL)
DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
return f;

for example.
-- 
Regards,
Feri

Bug#981230: Unrecoverable split.

[wferi]

On Wed, 27 Jan 2021 23:21:08 + Maurizio Cimaschi  
wrote:

> it seems that in version 3.0.1 of corosync there's a bug which causes
> unrecoverable splits; it seems that it had been corrected in 3.0.3. Please
> see Github issue #506.
> 
>  -> https://github.com/corosync/corosync/issues/506
> 
> The issue is unclear if the bug is in corosync or in Kronosnet, and it
> seems to suggests to use at least library version 1.13. Besides in
> buster-backports there's already version 1.16.

To my best understanding this issue was actually in Kronosnet.  Can you
reproduce the problem with the backports version (1.16-2~bpo10+1)
installed?

> Please could the upgrade to newer version of corosync be considered ? It
> should also require a dependency on the same version of
> "libknet" in backports.

I'll certainly consider backporting Corosync if really needed.
-- 
Regards,
Feri

Bug#979450: booth: autopkgtest fails on ci-worker-ppc64el-01 (but apparently not on other ppc64el workers)

[wferi]

Paul Gevers  writes:

> On 27-01-2021 22:41, Valentin Vidic wrote:
>
>> On Wed, Jan 27, 2021 at 10:37:56PM +0100, Paul Gevers wrote:
>>
>>> debian@ci-worker-ppc64el-01:~$ sudo cat /etc/lxc/default.conf
>>> # MANAGED WITH CHEF; DON'T CHANGE BY HAND
>>> lxc.net.0.type = veth
>>> lxc.net.0.link = virbr0
>>> lxc.net.0.flags = up
>>> lxc.apparmor.profile = generated
>>> lxc.apparmor.allow_nesting = 1
>> 
>> I think this is only for new containers and for the existing ones these
>> options would be in /var/lib/lxc//config. Also apparmor
>> should log mount failures in kernel log or somewhere...
>
> We generate fresh containers on a daily basis.

Hi Paul,

These systemd messages are emitted during service setup, before the
service binary is even started, and are very much characteristic to the
Apparmor misconfiguration described in the LXC 3 NEWS file.  I can
readily reproduce them with another systemd-hardened package:

systemd[697]: coturn.service: Failed to set up mount namespacing: Permission 
denied
systemd[697]: coturn.service: Failed at step NAMESPACE spawning 
/usr/bin/turnserver: Permission denied

and such messages are neatly paired with these in the host syslog:

audit: type=1400 audit(1611830306.349:157): apparmor="DENIED" operation="mount" 
info="failed flags match" error=-13 profile="lxc-container-default-cgns" 
name="/" pid=27587 comm="(rnserver)" flags="rw, rslave"

Can you see such messages?  Are you sure that the failed runs had

lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1

in their LXC configuration?
-- 
Feri

Bug#979450: booth: autopkgtest fails on ci-worker-ppc64el-01 (but apparently not on other ppc64el workers)

[wferi]

On Wed, 6 Jan 2021 22:31:26 +0100 Paul Gevers  wrote:

> Do you have any idea why the test would only be failing on this host?

Hi Paul,

Not offhand.  It certainly failed to start the Corosync daemon (which
should automatically start after installation, but that's beside the
point).  So there's ample chance this is a Corosync peculiarity after
all; can't you see a similar pattern in the Corosync autopkgtest
results?  I often find myself wishing the logs were available when
debugging autopkgtest failures.  Before I'm starting to add journal
dumps everywhere: don't you think it would be sensible to automatically
add the created journal file (or something equivalent) to the test log
or artifacts?
-- 
Thanks,
Feri

Bug#979320: transition: xmltooling

[wferi]

Sebastian Ramacher  writes:

> On 2021-01-05 10:47:56 +0100, Ferenc Wágner wrote:
> 
>> I'd like to do successive sourceful uploads for these (the updated
>> packages are already in experimental).  The two other impacted
>> packages build fine without any change: shibboleth-resolver and
>> moonshot-gss-eap.
>
> Please go ahead

The sourceful uploads of xmltooling, opensaml and shibboleth-sp are done
and built or all release architectures, please trigger the binNMUs for
shibboleth-resolver and moonshot-gss-eap.
-- 
Thanks,
Feri

Bug#909267: library-not-linked-against-libc: downgrade from error

[wferi]

On Mon, 15 Jun 2020 15:23:28 -0700 Felix Lechner  
wrote:

> Hi Russ,
> 
>> I wonder if we would get all of the utility out of the tag if instead it
>> looked for shared libraries with no NEEDED metadata.

Doesn't shared-lib-without-dependency-information check for that?

>> I think it's only catching libraries that aren't linked with anything
>> else

Unfortunately library-not-linked-against-libc fires for thin wrapper
libraries and adaptor plugins as well (for example) since as-needed
linking is the default.

> This tag will be removed in the near future.

Sounds great!
-- 
Thanks,
Feri

Bug#978155: transition: libqb

[wferi]

Sebastian Ramacher  writes:

> On 2020-12-26 19:43:53 +0100, Ferenc Wágner wrote:
> 
>> I'd like to transition to libqb version 2.  The dependency list is
>> fairly short, and mostly contains packages under the HA Team umbrella.
>> The only breakage is caused by symbols file changes, which I'm ready to
>> fix by sourceful uploads of corosync and pacemaker.  The kronosnet
>> package will also receive a sourceful upload to use the new binary
>> package doxygen2man.  Altogether I rebuilt the following packages in
>> preparation:
>> 
>> kronosnet (with source changes)
>> corosync (with source changes)
>> corosync-qdevice
>> pacemaker (with source changes)
>> dlm
>> booth
>> fence-virt
>> sbd
>> ocfs2-tools
>> lvm2
>> usbguard
> 
> Please go ahead with the uploads to unstable.

Hi,

Thanks for triggering the sbd binNMU right after the pacemaker upload
finished buiding on all architectures!  The other packages mentioned
above are all transitive build dependencies, I think they are safe to be
left alone.

There's one last thing which may cause problems (or not): the libqb
testing migration is blocked with the excuse "missing build on all".
However, libqb-doc isn't built anymore, so libqb 2 doesn't ship any
arch-all packages.  If this needs manual intervention, please effect it.

Whoops, you already requested its removal in #979045.  I'm amazed by
your level of attention!  Much appreciated!
-- 
Thanks,
Feri

Bug#977331: Archive rebuild with Autconf 2.70

[wferi]

On Mon, 21 Dec 2020 09:45:24 +0100 Matthias Klose  wrote:

> will try to get an archive test rebuild done.

Hi,

Lucas did an archive rebuild with a beta release, see
https://lists.gnu.org/archive/html/autoconf/2020-09/msg00027.html
(Just in case you didn't notice.)
-- 
Regards,
Feri

Bug#977568: xml-security-c changes for xalan 1.12

[wferi]

Bill Blough  writes:

> I've uploaded xalan 1.12 to unstable.  If you would like me to NMU
> xml-security-c with the necessary changes (attached to 977568), I would
> be happy to do so.

Hi Bill,

Thanks for the patch, I included it in the xml-security-c 2.0.2-4
upload.
-- 
Regards,
Feri

Bug#974009: debhelper: please document that dh_installsystemd ignores unit failures in maintainer scripts

[wferi]

Michael Biebl  writes:

> On Mon, 09 Nov 2020 00:40:31 +0100 =?utf-8?q?Ferenc_W=C3=A1gner?= 
>  wrote:
>
>> I was surprised that a daemon start failure during install did not stop
>> dpkg from exiting with a successful exit status.  After much digging I
>> found https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766194#22, which
>> explains the asymmetry with dh_installinit.
>
> I'm not sure there is an asymmetry with sysvinit, on the contrary.

Hi Michael,

I actually took the wording from the linked comment, where Niels wrote:
"Note that debhelper's tooling for init scripts vs. systemd has the
asymmetry that the systemd tooling ignores all failures basically."
Since the maintainer script snippets generated for SysV init scripts
don't ignore the init script failures, the asymmetry is clearly present.

But let's not dwell on this.

>> While I'd find an option for this more appropriate than different
>> behavior, I also feel like the current state merits some much more
>> prominent documentation at least.  Please consider addig it to the
>> respective compat level as well.
>
> The "not-fail-on-failures" in dh-systemd (and later dh_installsystemd)
> was modelled after sysvinit where SysV init scripts typically have an
> "exit 0" at the end of the init script, thus basically ignoring any
> error in the init script.

Maybe, but that's at the clear discretion of the package maintainer.
(And I don't find it correct practice, but that's not my point now.)

> systemd/systemctl internally is more strict, that's why we picked the
> "|| true" approach to mimic the old sysvinit behaviour.

My problem is that this rather mimics badly written init scripts,
without even warning the maintainers (who supposedly want to take
advantage of the more correct/strict systemd behaviour) or letting them
opt out (without wholly ditching the debhelper maintscript snippets).

> Obviously, we could change that to be more picky and abort if a service
> fails to start. Question is: do we want that? And if so, why?

See above.  But I'm not sure that changing behaviour would be a good
idea, that's why I asked for documentation in this report.  I was bitten
by this in autopkgtest settings, so I'll be adding daemon status checks
to my autopakgtests.  It just took me too long to find out that this
behaviour is intended, because I didn't expect the above asymmetry and
the manual pages don't mention it either.
-- 
Thanks,
Feri

Bug#974563: corosync unable to communicate with pacemaker 1.1.16-1+deb9u1 which contains the fix for CVE-2020-25654

[wferi]

On Tue, 17 Nov 2020 09:16:48 +0100 Markus Koschany  wrote:

> This time I intend to upgrade pacemaker to the latest upstream release
> in the 1.1.x branch which is currently 1.1.24~rc1. This one also
> includes fixes for CVE-2018-16878 and CVE-2018-16877.

Hi Markus,

Please close #927714 if you fix those CVEs.  Unfortunately I forgot to
upload the prepared package after getting the blessing of the Security
Team, so it slept in my local packaging repo until I noticed it again
importing your 1.1.16-1+deb9u1 upload.  Tagged as wferi/1.1.16-1+deb9u1
and pushed to Salsa in case you want to have a look; lacking it might
even be the reason behind the current IPC problems, I don't know.
-- 
Cheers,
Feri

Bug#973254: pacemaker: CVE-2020-25654 upload prepared

[wferi]

Moritz Mühlenhoff  writes:

> On Sat, Nov 07, 2020 at 08:56:38PM +0100, wf...@niif.hu wrote:
> 
>> I propose a security upload with the debdiff below.  The patch series
>> posted by upstream against 2.0.3 applies cleanly to the buster source,
>> and is hereby included.  I'll try to do some testing while you review.
>
> Thanks, this looks. I also compared the upstream 2.0.3 patch set against
> the update Ubuntu released for their 20.4 release (which also ships
> 2.0.3) and which is identical (and without reported regressions so far)

Cool.  One can't possibly test all relevant use cases here.

> Please upload to security-master if your tests were fine as well

Done.  I managed to provoke some of the new denials with the updated
package, and basic cluster operation remained unperturbed.

I think the changelog entry will work well enough as the DSA text.
The LTS update used a shorter version, which is fine as well.

> (and remember to build with -sa since pacemaker is new in
> buster-security (ftp.debian.org and security.debian.org don't share
> tarballs)

The --source-only-changes switch of sbuild seems to counteract -sa, but
I tried to revert that with changestool.  Hope it's fine.  If only I
also remembered to remove the buildinfo file...  Or is that problem
fixed already?

Salvatore Bonaccorso  writes:

> Thanks for your upload to unstable!
>
> On Tue, Nov 10, 2020 at 10:34:18PM +, Debian FTP Masters wrote:
>>* [6956006] New upstream pre-release (2.0.5~rc2) (Closes: #973254)
>
> Bonus point: please do include the assigned CVE id references which
> makes it easier to cross-check and track fixes for security issues.

I'll add the CVE ID to the changelog in the next upload, sorry.

> Thanks for your work here and for the stable upload!

Rather: thanks for your (plural) tireless work archive wide!
-- 
Cheers,
Feri

Bug#973254: pacemaker: CVE-2020-25654 upload prepared

[wferi]

Control: tag 973254 + patch

Dear Security Team,

I propose a security upload with the debdiff below.  The patch series
posted by upstream against 2.0.3 applies cleanly to the buster source,
and is hereby included.  I'll try to do some testing while you review.

Regards,
Feri

diff -Nru pacemaker-2.0.1/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1/debian/changelog2019-06-02 14:01:06.0 +0200
+++ pacemaker-2.0.1/debian/changelog2020-11-07 20:21:48.0 +0100
@@ -1,3 +1,19 @@
+pacemaker (2.0.1-5+deb10u1) buster-security; urgency=high
+
+  * [bf23450] Apply patch series fixing CVE-2020-25654: ACL bypass.
+A vulnerability was found in Pacemaker allowing a user who is in the
+haclient group but restricted by ACLs to bypass those ACLs, providing
+cluster-wide arbitrary code execution with root privileges.  When the
+enable-acl cluster option isn't set to true, members of the haclient
+group (and root) can modify Pacemaker's CIB without restriction, which
+already gives them these capabilities, so there is no additional
+exposure in that case.
+More info: https://www.openwall.com/lists/oss-security/2020/10/27/1
+Patches: 
https://lists.clusterlabs.org/pipermail/developers/2020-October/002324.html
+Thanks to Ken Gaillot (Closes: #973254)
+
+ -- Ferenc Wágner   Sat, 07 Nov 2020 20:21:48 +0100
+
 pacemaker (2.0.1-5) unstable; urgency=medium
 
   * [17ae230] Backport three more patches from upstream fixing memory safety
diff -Nru pacemaker-2.0.1/debian/gbp.conf pacemaker-2.0.1/debian/gbp.conf
--- pacemaker-2.0.1/debian/gbp.conf 2019-06-02 13:44:18.0 +0200
+++ pacemaker-2.0.1/debian/gbp.conf 2020-11-07 19:23:46.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/latest
 
 [import-orig]
diff -Nru 
pacemaker-2.0.1/debian/patches/CVE-2020-25654/Fix-fencer-restrict-certain-IPC-requests-to-privileged-us.patch
 
pacemaker-2.0.1/debian/patches/CVE-2020-25654/Fix-fencer-restrict-certain-IPC-requests-to-privileged-us.patch
--- 
pacemaker-2.0.1/debian/patches/CVE-2020-25654/Fix-fencer-restrict-certain-IPC-requests-to-privileged-us.patch
   1970-01-01 01:00:00.0 +0100
+++ 
pacemaker-2.0.1/debian/patches/CVE-2020-25654/Fix-fencer-restrict-certain-IPC-requests-to-privileged-us.patch
   2020-11-07 19:43:41.0 +0100
@@ -0,0 +1,105 @@
+From: Ken Gaillot 
+Date: Fri, 9 Oct 2020 11:55:26 -0500
+Subject: Fix: fencer: restrict certain IPC requests to privileged users
+
+The fencer IPC API allows clients to register fence devices.
+
+If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs to
+configure fencing. If the user is able to install executables to the standard
+fencing agent locations, have arbitrary code executed as root (the standard
+locations generally require root for write access, so that is unlikely to be an
+issue).
+
+If ACLs are not enabled, users in the haclient group have full access to the
+CIB, which already gives them these capabilities, so there is no additional
+exposure in that case.
+
+This commit does not restrict unprivileged users from using other fencing API,
+such as requesting actual fencing.
+---
+ daemons/fenced/fenced_commands.c | 41 
+ 1 file changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/daemons/fenced/fenced_commands.c 
b/daemons/fenced/fenced_commands.c
+index b394fd6..1cc7d06 100644
+--- a/daemons/fenced/fenced_commands.c
 b/daemons/fenced/fenced_commands.c
+@@ -2474,6 +2474,18 @@ handle_request(crm_client_t * client, uint32_t id, 
uint32_t flags, xmlNode * req
+ const char *op = crm_element_value(request, F_STONITH_OPERATION);
+ const char *client_id = crm_element_value(request, F_STONITH_CLIENTID);
+ 
++bool allowed = true;
++
++#if ENABLE_ACL
++/* IPC commands related to fencing configuration may be done only by
++ * privileged users (i.e. root or hacluster) when ACLs are supported,
++ * because all other users should go through the CIB to have ACLs applied.
++ */
++if (client != NULL) {
++allowed = is_set(client->flags, crm_client_flag_ipc_privileged);
++}
++#endif
++
+ crm_element_value_int(request, F_STONITH_CALLOPTS, _options);
+ 
+ if (is_set(call_options, st_opt_sync_call)) {
+@@ -2623,27 +2635,43 @@ handle_request(crm_client_t * client, uint32_t id, 
uint32_t flags, xmlNode * req
+ } else if (crm_str_eq(op, STONITH_OP_DEVICE_ADD, TRUE)) {
+ const char *device_id = NULL;
+ 
+-rc = stonith_device_register(request, _id, FALSE);
++if (allowed) {
++rc = stonith_device_register(request, _id, FALSE);
++} else {
++rc = -EACCES;
++}
+ do_stonith_notify_device(call_options, op, rc, device_id);
+ 
+ } else if (crm_str_eq(op, STONITH_OP_DEVICE_DEL, TRUE)) {
+ xmlNode *dev = 

Bug#971427: lintian: false positive package-contains-documentation-outside-usr-share-doc for SNMP MIB files

[wferi]

Control: tags 971427 - moreinfo

"Chris Lamb"  writes:

>> SNMP MIB files are generally /usr/share/snmp/mibs/*.txt, though
>> these text files aren't documentation.  Please make them exempt
>> from package-contains-documentation-outside-usr-share-doc.
>
> Totally ACK that these are false-positives. However, I am not sure
> that this is a general or widespread issue which would warrant an
> exception being made in Lintian itself.
>
> As in, compared to adding a Lintian override in your specific
> package.

Hi Chris,

Based on main/Contents-amd64, the following packages are affected:

corosync-notifyd  1
keepalived3
pacemaker-common  1
pcs-snmp  2
libsnmp-base 13
cyrus-common  1
dnsdist   1
pdns-recursor 1

I'll certainly add overrides to my packages if Lintian doesn't make the
exception.
-- 
Regards,
Feri

Bug#968684: libqb: Please make autopkgtests cross-test-friendly

[wferi]

On Wed, 19 Aug 2020 14:04:15 -0700 Steve Langasek 
 wrote:

> In Ubuntu, we have moved the i386 architecture to a compatibility-only layer
> on amd64, and therefore we are also moving our autopkgtest infrastructure to
> test i386 binaries in a cross-environment.
> 
> This requires changes to some tests so that they are cross-aware and can do
> the right thing.

Hi,

Would the following change work for Ubuntu?  I find using a single code
path slightly cleaner.
(https://salsa.debian.org/ha-team/libqb/-/commit/21c2e77428fa0e2bba35b43523a7af028bc3e676)

commit 21c2e77428fa0e2bba35b43523a7af028bc3e676 (HEAD -> debian/crosstest, 
salsa/debian/crosstest)
Author: Ferenc Wágner 
Date:   Sat Aug 22 18:30:57 2020 +0200

Make our autopkgtest cross-test-friendly

diff --git a/debian/tests/control b/debian/tests/control
index 35c6ed9a..0354a969 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,3 +1,5 @@
-Depends: libqb-dev, gcc, libc6-dev, pkg-config
+Depends: libqb-dev,
+ build-essential,
+ pkg-config,
 Tests: ipc
 Restrictions: allow-stderr
diff --git a/debian/tests/ipc b/debian/tests/ipc
index e24cf411..baec3e8e 100755
--- a/debian/tests/ipc
+++ b/debian/tests/ipc
@@ -1,14 +1,18 @@
 #!/bin/sh -ex
 
+DEB_HOST_GNU_TYPE=$(dpkg-architecture -q DEB_HOST_GNU_TYPE)
+CC=$DEB_HOST_GNU_TYPE-gcc
+PKG_CONFIG=$DEB_HOST_GNU_TYPE-pkg-config
+
 cd examples
 # the os_base.h in-tree header includes inttypes.h for the examples
 ln -sf /usr/include/inttypes.h os_base.h # -f to enable repeated runs
-gcc $(pkg-config --cflags libqb) \
+$CC $($PKG_CONFIG --cflags libqb) \
 -o ipcserver ipcserver.c \
-$(pkg-config --libs libqb)
-gcc $(pkg-config --cflags libqb) \
+$($PKG_CONFIG --libs libqb)
+$CC $($PKG_CONFIG --cflags libqb) \
 -o ipcclient ipcclient.c \
-$(pkg-config --libs libqb)
+$($PKG_CONFIG --libs libqb)
 
 OUT="${AUTOPKGTEST_ARTIFACTS:-.}/out.txt"
 ERR="${AUTOPKGTEST_ARTIFACTS:-.}/err.txt"
-- 
Feri

Bug#680148: python-pam: Please include python3 support

[wferi]

Florian Best  writes:

> I would be interested in maintaining this package.

Great!  Do you happen to know the upstream project for this software?
The single upstream version ever uploaded to Debian is 0.4.2 from 1999.
It could be useful to know if upstream moved on, the project was
replaced by another, or whatever happened.  Just to make sure your work
isn't put into something abandoned if better alternatives are available.

> I am not yet a Debian Maintainer and don't yet know how to get
> one. But I'll read about it.

You become a Debian Maintainer by maintaining packages.  You can
contribute without having any official status, you just need somebody to
upload (sponsor) your work.  After establishing a track record, you can
apply for direct upload rights.

If you decide that you'd like to maintain this package, take a look at
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#package-salvaging
which is the definitive reference for package salvaging.  I suggest that
you open the ITS bug as explained therein, create a packaging
repository, import the previous dscs to incorporate the past history of
the package, then add further changes fixing this bug and doing other
changes you wish.  Finally, upload your package to mentors.debian.net
and also advertise it here to find sponsors.  Don't hesitate to ask for
help here or (better) on the mentors list if needed, you'll find some
starting points at https://wiki.debian.org/DebianMentorsFaq.

On the other hand, if you (or anybody) don't want to commit for longer
term maintainership, we'll have to migrate off this package or do
another NMU to fix this issue for the short term.
-- 
Regards,
Feri

Bug#950488: buster-pu: package kronosnet/1.8-2

[wferi]

wf...@niif.hu writes:

> We'd be immensely grateful for your input on this matter, since your
> position more or less determines how we can plan to support the HA users
> in Debian.  We'd still prefer a stable update (either to 1.13 as in the
> original request or to a more recent stable release), but if that isn't
> possible, we'll move forward with backports.  (Which isn't a particularly
> appealing option in itself, because the imminent libqb 2 transition will
> cause much churn across the stack.)

Dear Stable Release Team,

Although we've uploaded 1.16-2~bpo10+1 to backports, we'd still be
interested in doing a stable update (as above) if possible.  Is there
anything we can do to that end?
-- 
Thanks,
Feri

Bug#964244: stretch-pu: package xml-security-c/1.7.3-4+deb9u2

[wferi]

"Adam D. Barratt"  writes:

> Please go ahead, bearing in mind that the window for getting fixes into
> the final stretch point release closes this weekend.

Thanks, uploaded.
-- 
Feri

Bug#959757: This is a regression

[wferi]

Control: found -1 5.5.0-0.bpo.2-amd64

I started to see this problem after upgrading from 5.4.0-0.bpo.4-amd64
to 5.5.0-0.bpo.2-amd64.  It goes like:

[21825.096887] rtw_pci :04:00.0: start vif dc:f5:05:54:f6:0d on port 0
[21829.406272] wlo1: authenticate with 38:43:7d:8a:89:0e
[21829.914017] wlo1: send auth to 38:43:7d:8a:89:0e (try 1/3)
[21829.935816] wlo1: authenticated
[21829.941105] wlo1: associate with 38:43:7d:8a:89:0e (try 1/3)
[21829.984243] wlo1: RX AssocResp from 38:43:7d:8a:89:0e (capab=0x1511 status=0 
aid=3)
[21829.986178] rtw_pci :04:00.0: sta 38:43:7d:8a:89:0e joined with macid 0
[21830.045633] rtw_pci :04:00.0: wrong bfee role
[21830.048864] wlo1: associated
[21830.050828] [ cut here ]
[21830.051893] invalid ra report c2h length
[21830.052890] WARNING: CPU: 2 PID: 280 at 
drivers/net/wireless/realtek/rtw88/fw.c:117 rtw_fw_c2h_cmd_handle+0x11a/0x130 
[rtw88]
[21830.053924] Modules linked in: cmac bnep bbswitch(OE) snd_sof_pci 
snd_sof_intel_hda_common snd_sof_intel_hda snd_sof_intel_byt snd_sof_intel_ipc 
snd_sof snd_sof_xtensa_dsp nls_ascii snd_soc_skl nls_cp437 snd_soc_hdac_hda 
vfat btusb snd_hda_ext_core fat btrtl snd_soc_sst_ipc snd_hda_codec_hdmi btbcm 
snd_soc_sst_dsp btintel ext4 snd_soc_acpi_intel_match x86_pkg_temp_thermal 
snd_soc_acpi snd_hda_codec_realtek intel_powerclamp rtwpci mbcache coretemp 
snd_soc_core snd_hda_codec_generic bluetooth jbd2 rtw88 ledtrig_audio 
snd_compress kvm_intel snd_hda_intel mac80211 drbg kvm snd_intel_dspcfg 
uvcvideo videobuf2_vmalloc irqbypass snd_hda_codec joydev videobuf2_memops 
ansi_cprng videobuf2_v4l2 asus_nb_wmi snd_hda_core cfg80211 videobuf2_common 
ecdh_generic intel_cstate asus_wmi snd_hwdep ecc intel_rapl_msr efi_pstore 
sparse_keymap intel_uncore videodev snd_pcm serio_raw intel_rapl_perf pcspkr 
snd_timer mc iTCO_wdt efivars wmi_bmof snd mei_me processor_thermal_device 
rfkill iTCO_vendor_support
[21830.053944]  soundcore hid_multitouch watchdog crc16 libarc4 
intel_rapl_common mei int3403_thermal sg intel_soc_dts_iosf intel_pch_thermal 
ac int340x_thermal_zone tpm_crb tpm_tis tpm_tis_core tpm rng_core 
int3400_thermal evdev acpi_thermal_rel acpi_pad acpi_tad efivarfs ip_tables 
x_tables autofs4 btrfs blake2b_generic xor zstd_decompress zstd_compress 
raid6_pq libcrc32c crc32c_generic algif_skcipher af_alg dm_crypt dm_mod sd_mod 
hid_generic spi_pxa2xx_platform dw_dmac dw_dmac_core i2c_designware_platform 
i2c_designware_core i915 crct10dif_pclmul crc32_pclmul crc32c_intel 
ghash_clmulni_intel ahci libahci i2c_algo_bit mxm_wmi drm_kms_helper xhci_pci 
xhci_hcd aesni_intel libata drm usbcore crypto_simd cryptd glue_helper scsi_mod 
i2c_hid i2c_i801 intel_lpss_pci hid intel_lpss idma64 usb_common mfd_core 
battery wmi video button
[21830.063782] CPU: 2 PID: 280 Comm: kworker/u16:2 Tainted: G   OE 
5.5.0-0.bpo.2-amd64 #1 Debian 5.5.17-1~bpo10+1
[21830.064901] Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop 
X430FN_S430FN/X430FN, BIOS X430FN.308 05/28/2019
[21830.066026] Workqueue: phy0 rtw_c2h_work [rtw88]
[21830.067158] RIP: 0010:rtw_fw_c2h_cmd_handle+0x11a/0x130 [rtw88]
[21830.068241] Code: cc 35 00 00 e8 f7 33 0d 00 e9 77 ff ff ff 48 89 ee 4c 89 
f7 e8 07 70 ff ff e9 67 ff ff ff 48 c7 c7 c1 e4 2d c1 e8 a1 6c 80 de <0f> 0b e9 
54 ff ff ff e8 4a 6a 80 de 66 2e 0f 1f 84 00 00 00 00 00
[21830.069391] RSP: 0018:ac2d8073be30 EFLAGS: 00010286
[21830.070515] RAX:  RBX: 93e3a126bfd8 RCX: 
[21830.071635] RDX: 93e3a5ca9740 RSI: 93e3a5c99a48 RDI: 93e3a5c99a48
[21830.072694] RBP: 93e39b91b000 R08: 0426 R09: 00aa
[21830.073764] R10:  R11: ac2da09d8220 R12: 93e3a0a65b78
[21830.074835] R13: 0006 R14: 93e3a0a61e60 R15: 93e3a0a65c30
[21830.075842] FS:  () GS:93e3a5c8() 
knlGS:
[21830.076866] CS:  0010 DS:  ES:  CR0: 80050033
[21830.077827] CR2: 558372174ed8 CR3: 00015540a004 CR4: 003606e0
[21830.078780] Call Trace:
[21830.079736]  ? skb_dequeue+0x52/0x60
[21830.080674]  rtw_c2h_work+0x40/0x60 [rtw88]
[21830.081602]  process_one_work+0x1a7/0x360
[21830.082532]  worker_thread+0x30/0x390
[21830.083458]  ? create_worker+0x1a0/0x1a0
[21830.084385]  kthread+0x112/0x130
[21830.085353]  ? kthread_park+0x80/0x80
[21830.086276]  ret_from_fork+0x35/0x40
[21830.087246] ---[ end trace defb67375a180861 ]---
[21831.010482] wlo1: deauthenticated from 38:43:7d:8a:89:0e (Reason: 
2=PREV_AUTH_NOT_VALID)
[21831.045061] rtw_pci :04:00.0: sta 38:43:7d:8a:89:0e with macid 0 left
[21831.722504] wlo1: authenticate with 38:43:7d:8a:89:41
[21832.230266] wlo1: send auth to 38:43:7d:8a:89:41 (try 1/3)
[21832.236978] wlo1: authenticated
[21832.242505] wlo1: associating with AP with corrupt probe response
[21832.247217] wlo1: associate with 38:43:7d:8a:89:41 (try 1/3)
[21832.274448] wlo1: RX AssocResp from 

Bug#922984: stretch update requested

[wferi]

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964244

Bug#962454: Link failures after upgrade to +deb10u1

[wferi]

Alberto Gonzalez Iniesta  writes:

> Hi, again. After some days with libknet1=1.16-2, I'm still getting
> errors from time to time (less than with buster's libknet1):
> Jun 22 01:16:54 selma corosync[28610]:   [KNET  ] link: host: 1 link: 0 is 
> down
> Jun 22 01:16:54 selma corosync[28610]:   [KNET  ] host: host: 1 (passive) 
> best link: 1 (pri: 1)
> Jun 22 01:16:55 selma corosync[28610]:   [KNET  ] rx: host: 1 link: 0 is up
> Jun 22 01:16:55 selma corosync[28610]:   [KNET  ] host: host: 1 (passive) 
> best link: 0 (pri: 1)
> Jun 24 06:50:30 selma corosync[28610]:   [KNET  ] link: host: 1 link: 0 is 
> down
> Jun 24 06:50:30 selma corosync[28610]:   [KNET  ] host: host: 1 (passive) 
> best link: 1 (pri: 1)
> Jun 24 06:50:31 selma corosync[28610]:   [KNET  ] rx: host: 1 link: 0 is up
> Jun 24 06:50:31 selma corosync[28610]:   [KNET  ] host: host: 1 (passive) 
> best link: 0 (pri: 1)

Hi,

Is this with corosync 3.0.1-2+deb10u1?
Please enable debug logging and collect full info for a link flap.
Do these correlate with some cluster or host activity?
Does your network link transfer big packets (up to 65536 bytes) reliably?
Can you capture the Kronosnet network traffic (preferably on both nodes)
around the time of a link flap?

I won't be able to interpret such detailed information, but I suggest
you open an issue at https://github.com/kronosnet/kronosnet/issues
complete with it.
-- 
Regards,
Feri

Bug#963081: src:camera.app: Please switch to using pkg-config for libgphoto2

[wferi]

Yavor Doganov  writes:

> wf...@niif.hu wrote:
>
>> Yavor Doganov  writes:
>> 
>>> Thanks; I'll fix this shortly -- the upload will depend on my sponsor
>>> though.  Meanwhile, feel free to upload libgphoto2 whenever you like
>>> and raise the severity of this bug to serious.
>> 
>> Did so, thanks.  I'm willing to sponsor your upload fixing this issue if
>> needed.
>
> It has a bunch of other changes so I'm not sure you'll be comfortable
> reviewing them.  And I've already contacted my sponsor...  Anyway, the
> updated package is available at mentors.d.n and also on Salsa.

Some of those changes are indeed out of my zone. :)

> P.S. I noticed that libgphoto2/2.5.25-1 FTBFS almost everywhere, you
> might want to take a look.

Yes, stupid overlook.  Thanks for the heads-up, fixed!
-- 
Feri

Bug#963081: src:camera.app: Please switch to using pkg-config for libgphoto2

[wferi]

Control: severity -1 serious

Yavor Doganov  writes:

> Thanks; I'll fix this shortly -- the upload will depend on my sponsor
> though.  Meanwhile, feel free to upload libgphoto2 whenever you like
> and raise the severity of this bug to serious.

Did so, thanks.  I'm willing to sponsor your upload fixing this issue if
needed.
-- 
Regards,
Feri

Bug#950488: buster-pu: package kronosnet/1.8-2

[wferi]

Dear Stable Release Team,

We'd be immensely grateful for your input on this matter, since your
position more or less determines how we can plan to support the HA users
in Debian.  We'd still prefer a stable update (either to 1.13 as in the
original request or to a more recent stable release), but if that isn't
possible, we'll move forward with backports.  (Which isn't a particularly
appealing option in itself, because the imminent libqb 2 transition will
cause much churn across the stack.)
-- 
Thanks,
Feri

Bug#347650: Buster links with --as-needed by default

[wferi]

Hi,

Just noting that according to #956146 "the bullseye toolchain defaults
to linking with --as-needed", so this won't hurt us so bad in the
future.
-- 
Feri

Bug#950488: buster-pu: package kronosnet/1.8-2

[wferi]

Control: tags -1 - moreinfo

"Adam D. Barratt"  writes:

> Apologies for not replying sooner.

No problem.  I was starting to accept that my request was so outlandish
that it didn't even warrant a reply. :)

> On Sun, 2020-02-02 at 14:47 +0100, Ferenc Wágner wrote:
>> I'v got a bold request: please let me update Kronosnet in buster from
>> 1.8-2 to 1.13-something to fix #946222.  During the buster freeze
>> period, upstream released 1.9 and 1.10, but those didn't bring
>> important
>> fixes, so I didn't request freeze exceptions for them.  However, when
>> Proxmox VE 6.0 got released (based on Debian buster), their users
>> reported lots of intertwined bugs, and the developers iterated
>> through
>> 1.11, 1.12 and 1.13 in quick succession to fix them, see the linked
>> https://forum.proxmox.com/threads/pve-5-4-11-corosync-3-x-major-issues.56124.
>
> Do upstream have a stable or LTS tree? I see that unstable currently
> contains 1.15, so 1.X is presumably not it.

Actually it is.  Even 1.16 was released on Thursday from the stable1
branch, I just haven't got around uploading it yet.  The master branch
contains bigger changes targeting a future Kronosnet 2.

> Usually when considering a larger update, we'd be looking for
> information such as:
>
> - What sort of changes get included in upstream releases? Are they just
> bug fixes, or are there new features included, or other changes?

The bulk is bug fixes, but there are occasional feature changes as well.
Besides man page improvements and improved error reporting, ACL and zstd
support was added in 1.10, for example.  I didn't deem those worth a
freeze exception, though.  1.11 to 1.13 focused on fixing PMTU
discovery, and this is the main reason for this stable update request,
but meanwhile added a new API and musl support (the ABI remained
stable).  I linked to the above release announcements in the message
opening this bug, but here are the later ones, too:

1.14 https://lists.kronosnet.org/pipermail/users/2020-January/25.html
All fixes.  Sounds useful, even though the most serious part does not
affect the stock buster kernels.

1.15 https://lists.kronosnet.org/pipermail/users/2020-March/26.html
All fixes.  Nice to have, but not critical unless your application
gathers statistics.

1.16 https://lists.kronosnet.org/pipermail/users/2020-April/27.html
Fixes a special SCTP case.  But also contains some code reorganization,
to fix build issues under GCC 10.  Otherwise, it's meant to be a no-op, as
https://github.com/kronosnet/kronosnet/pull/301#issuecomment-620515274
explains in detail.

> - What sort of testing do the new releases get? Is the testing
> automated?

Yes, https://ci.kronosnet.org/ runs across the full Kronosnet - Corosync
- Pacemaker stack, so correct operation is ensured on a basic level.
The maintainers also run more complicated tests on large clusters on a
regular basis (it's an official RedHat project with dedicated staff).
HA cluster setups are very diverse, though, and the failures they are
designed to mitigate are even more so.  This is why the past releases
had to concentrate on fixing various connectivity recovery scenarios.

> - What sort of regressions are reported against new releases? How
> quickly are they resolved?

There aren't many.  The developer team is active and responsive, see
https://github.com/kronosnet/kronosnet/issues/218 for example.  The
cooperation with Corosync (only known user of Kronosnet) is fluid, they
are managed under the same umbrella.  The above report came from
Proxmox, a company specializing in HA virtualization (based on Debian).
They were the main driving force behind the 1.11-1.13 updates, seeking
to provide support for their customers.  Since they upgraded to 1.13,
things calmed down; they're sitting at 1.14 since February as far as I
can see (https://git.proxmox.com/?p=kronosnet.git).

Hope it answers your questions, just flip back the moreinfo tag if not.
Meanwhile I'll upload 1.16 to unstable.
-- 
Feri

Bug#955206: freeradius: Daemon has write privilege to configuration

[wferi]

"Debian Bug Tracking System"  writes:

> - set ReadOnlyDirectories to the configuration (Closes: #955206)

Well, not very transparent or general, but certainly address my main
concern.  However, the file ownerships still send the wrong message to
me.  Could you please explain why the configuration files are owned by
the freerad user?
-- 
Thanks,
Feri

Bug#953189: src:libgphoto2: fails to migrate to testing for too long

[wferi]

Hi,

I'd like to upload the new versions of gphoto2 and libgphoto2 to fix
this migration bug (and to make use of them in qstopmotion).  If you
agree, please accept my membership request on Salsa and I'll go ahead.
-- 
Thanks,
Feri

Bug#896463: autopkgtest-build-lxc times out waiting for network-online.target

[wferi]

On Mon, 2 Jul 2018 12:10:34 +0200 Paul Gevers  wrote:

> On Sat, 21 Apr 2018 12:15:28 +0200 =?utf-8?q?Ferenc_W=C3=A1gner?= 
>  wrote:
>
>> --- /usr/bin/autopkgtest-build-lxc   2018-04-18 10:44:36.0 +0200
>> +++ /home/wferi/autopkgtest-build-lxc2018-04-19 18:36:05.937432180 
>> +0200
>> @@ -123,7 +123,7 @@
>>  }
>>  
>>  # wait until a systemd based container has networking
>> -if ! echo '[ ! -d /run/systemd/system ] || systemctl start 
>> network-online.target' | timeout 60 lxc-attach --name=$1 -- sh -e; then
>> +if ! echo '[ ! -d /run/systemd/system ] || systemctl start 
>> network-online.target' | lxc-attach --name=$1 -- sh -e; then
>>  echo "Timed out waiting for container to start 
>> network-online.target" >&2
>>  exit 1
>>  fi
>> 
>> That is, simply removing "timeout 60".
> 
> I fear that this may work for you, but isn't robust. I think we want
> some form of timeout there to prevent infinite hang-ups.
> 
>> Maybe an alternate solution could be designed by installing a systemd
>> service in the guest to run the setup-testbed and customize scripts
>> without requiring these lxc-attach commands.  Just an idea, I'll be
>> happy with any fix you prefer.
> 
> I think this isn't a great solution either, as that means we depend on
> systemd in the guest. I don't think we should (yet?).

Hi Paul,

What about forgetting about network-online.target and similar hacks
(https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
doesn't think about it highly) altogether, and instead configuring
apt-get for a dozen or so retries (that seems to be the first command in
setup-testbed requiring network access).  The build process is rather
noisy already, so this could be a simple init-system-agnostic solution.
-- 
Regards,
Feri

Bug#950478: buster-pu: package corosync/3.0.1-2

[wferi]

"Adam D. Barratt"  writes:

> On Sun, 2020-02-02 at 12:46 +0100, Ferenc Wágner wrote:
>
>> +corosync (3.0.1-2+deb10u1) buster; urgency=medium
>> +
>> +  * [f826af9] This branch is for buster updates
>
> That doesn't really belong in the package changelog.

Agreed.

>> +  * [bfbfd3e] New patch: totemsrp: Reduce MTU to left room second
>> mcast.
>> +Thanks to Jan Friesse (Closes: #950476)
>> 
>
> Please go ahead.

Uploaded with pruned changelog.
-- 
Thanks,
Feri

Bug#680148: python-pam: Please include python3 support

[wferi]

Hi,

Sadly, it looks like Dima Barksy, the maintainer, isn't around any more.
Is anybody interested in salvaging this package?  (Both in the sense of
keeping it around after the Python 2 removal in bullseye and in that of
https://wiki.debian.org/PackageSalvaging.)
-- 
Regards,
Feri

Bug#950139: buster-pu: package xmltooling/3.0.4-1

[wferi]

"Adam D. Barratt"  writes:

> On Fri, 2020-01-31 at 23:30 +0100, wf...@niif.hu wrote:
>
>> +xmltooling (3.0.4-1+deb10u1) buster; urgency=medium
>> +
>> +  * [7c6eb12] This branch is for buster updates
>> +  * [97e580e] New patch: CPPXT-145 - DataSealer is sharing non-
>> thread safe keys.
>
> Please go ahead; thanks.

Uploaded.
-- 
Thanks,
Feri

Bug#950139: buster-pu: package xmltooling/3.0.4-1

[wferi]

On Wed, 29 Jan 2020 12:24:36 +0100 =?utf-8?q?Ferenc_W=C3=A1gner?= 
 wrote:

> I'm looking for guidance first: I'd like to fix #950135 (libxmltooling8:
> Race condition bug in new session cookie feature leads to SP crash) in
> buster.
> [...]
> Upstream cut a new release (3.0.5) for this fix specifically, but the
> full diff between 3.0.4 and 3.0.5 is much longer due to changes in the
> version number in several files, VC project files, generated Autotools
> files, RPM spec file and Windows resource file.  Still not huge, and
> most of that is entirely irrelevant for Debian.  But in the 3.0.5-1
> upload I included some packaging changes (mainly autopkgtest and Salsa
> CI, but also a no-effect upgrade to debhelper compat 12).  I guess you'd
> rather not review all this in a stable update, right?  Then I'll add a
> quilt patch and submit that, as you prefer.

Here's the minimal debdiff containing only a quilt patch:

$ debdiff xmltooling_3.0.4-1.dsc xmltooling_3.0.4-1+deb10u1.dsc 
diff -Nru xmltooling-3.0.4/debian/changelog xmltooling-3.0.4/debian/changelog
--- xmltooling-3.0.4/debian/changelog   2019-03-14 14:58:36.0 +0100
+++ xmltooling-3.0.4/debian/changelog   2020-01-31 23:06:07.0 +0100
@@ -1,3 +1,11 @@
+xmltooling (3.0.4-1+deb10u1) buster; urgency=medium
+
+  * [7c6eb12] This branch is for buster updates
+  * [97e580e] New patch: CPPXT-145 - DataSealer is sharing non-thread safe 
keys.
+Thanks to Scott Cantor (Closes: #950135)
+
+ -- Ferenc Wágner   Fri, 31 Jan 2020 23:06:07 +0100
+
 xmltooling (3.0.4-1) unstable; urgency=high
 
   * [f185b26] New upstream security release: 3.0.4
diff -Nru xmltooling-3.0.4/debian/gbp.conf xmltooling-3.0.4/debian/gbp.conf
--- xmltooling-3.0.4/debian/gbp.conf2019-03-14 14:34:19.0 +0100
+++ xmltooling-3.0.4/debian/gbp.conf2020-01-31 22:59:40.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/latest
 pristine-tar = True
 
diff -Nru 
xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch
 
xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch
--- 
xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch
  1970-01-01 01:00:00.0 +0100
+++ 
xmltooling-3.0.4/debian/patches/CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch
  2020-01-31 23:04:41.0 +0100
@@ -0,0 +1,42 @@
+From: Scott Cantor 
+Date: Tue, 1 Oct 2019 19:16:19 -0400
+Subject: CPPXT-145 - DataSealer is sharing non-thread safe keys
+
+Xmltooling versions 3.0.0 to 3.0.4 suffer from a race condition bug that
+leads to a crash under load.
+
+https://issues.shibboleth.net/jira/browse/CPPXT-145
+
+Closes: #950135
+---
+ xmltooling/security/impl/DataSealer.cpp | 8 ++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/xmltooling/security/impl/DataSealer.cpp 
b/xmltooling/security/impl/DataSealer.cpp
+index c7ec7f9..aef85b7 100644
+--- a/xmltooling/security/impl/DataSealer.cpp
 b/xmltooling/security/impl/DataSealer.cpp
+@@ -156,8 +156,10 @@ string DataSealer::wrap(const char* s, time_t exp) const
+ 
+ safeBuffer ciphertext;
+ try {
++// Keys are not threadsafe, use a clone to encrypt.
++scoped_ptr clonedKey(defaultKey.second->clone());
+ scoped_ptr 
method(XENCEncryptionMethod::create(env.get(), algorithm));
+-if (!handler->encryptToSafeBuffer(, method.get(), 
defaultKey.second, dummydoc, ciphertext)) {
++if (!handler->encryptToSafeBuffer(, method.get(), clonedKey.get(), 
dummydoc, ciphertext)) {
+ throw XMLSecurityException("Data encryption failed.");
+ }
+ }
+@@ -235,8 +237,10 @@ string DataSealer::unwrap(const char* s) const
+ unsigned int len = 0;
+ safeBuffer plaintext;
+ try {
++// Keys are not threadsafe, use a clone to decrypt.
++scoped_ptr clonedKey(requiredKey.second->clone());
+ scoped_ptr 
method(XENCEncryptionMethod::create(env.get(), algorithm));
+-len = handler->decryptToSafeBuffer(, method.get(), 
requiredKey.second, dummydoc, plaintext);
++len = handler->decryptToSafeBuffer(, method.get(), 
clonedKey.get(), dummydoc, plaintext);
+ }
+ catch (const XSECException& ex) {
+ auto_ptr_char msg(ex.getMsg());
diff -Nru xmltooling-3.0.4/debian/patches/series 
xmltooling-3.0.4/debian/patches/series
--- xmltooling-3.0.4/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ xmltooling-3.0.4/debian/patches/series  2020-01-31 23:04:41.0 
+0100
@@ -0,0 +1 @@
+CPPXT-145-DataSealer-is-sharing-non-thread-safe-keys.patch

I'm ready to upload this if you feel like going straight to 3.0.5-1 (in
unstable) would be too much.
-- 
Thanks,
Feri

Bug#948715: stretch-pu: package xml-security-c/1.7.3-4+deb9u1

[wferi]

On Tue, 28 Jan 2020 08:42:50 + "Adam D. Barratt"  
wrote:
 
> On 2020-01-12 14:39, Ferenc Wágner wrote:
>
>> +xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium
>> +
>> +  * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
>> +combinations of key content.
>> +Particular KeyInfo combinations result in incomplete DSA key structures
>> +that OpenSSL can't handle without crashing.  In the case of Shibboleth
>> +SP software this manifests as a crash in the shibd daemon.  Exploitation
>> +is believed to be possible only in deployments employing the PKIX trust
>> +engine, which is generally recommended against.
>> +The upstream patches backported from 2.0.2 apply analogous safeguards to
>> +the RSA and ECDSA key handling as well.
> 
> Please go ahead.

Uploaded.
-- 
Thanks,
Feri

Bug#947936: chrony: Does (still) not start properly on boot on buster

[wferi]

Hi,

Don't you think #873057 is actually the same issue discovered with ntp?
Please consider merging it in if you agree.
-- 
Thanks,
Feri

Bug#945741: tcvt: Python2 removal in sid/bullseye

[wferi]

wf...@niif.hu writes:

> Helmut Grohne  writes:
>
>> On Wed, Nov 27, 2019 at 11:58:53PM +, Sandro Tosi wrote:
>>
>>> - Convert your Package to Python3. This is the preferred option.
>>
>> Upstream here. While tcvt started on Python2, much of its development
>> actually happend on Python3, so just changing the #! should work.
>
> And I wanted to package it for Python3 in the first place.  I'm puzzled
> that it uses Python2 despite dh --with python3 and the python3 build
> dependency.  I'd be grateful for an explanation or some suggestions.

Maybe I expected too much of dh_python3.  Patching the interpreter name
to /usr/bin/python3 works of course, I'm just not sure it's best
practice.
-- 
Regards,
Feri

Bug#945741: tcvt: Python2 removal in sid/bullseye

[wferi]

Helmut Grohne  writes:

> On Wed, Nov 27, 2019 at 11:58:53PM +, Sandro Tosi wrote:
>
>> - Convert your Package to Python3. This is the preferred option.
>
> Upstream here. While tcvt started on Python2, much of its development
> actually happend on Python3, so just changing the #! should work.

And I wanted to package it for Python3 in the first place.  I'm puzzled
that it uses Python2 despite dh --with python3 and the python3 build
dependency.  I'd be grateful for an explanation or some suggestions.
-- 
Thanks,
Feri

Bug#895450: slapd: segfault in back_mdb

[wferi]

Ryan Tandy  writes:

> With your coredump, could you dig a little further into the two
> "sml_mod" structures and show their sm_desc/sm_values/sm_nvalues?

Sure:

(gdb) p *modlist->sml_mod.sm_desc
$8 = {ad_next = 0x0, ad_type = 0x5652a198da20, ad_cname = {bv_len = 3, bv_val = 
0x5652a198d900 "uid"}, ad_tags = {bv_len = 0, bv_val = 0x0}, ad_flags = 0, 
  ad_index = 47}
(gdb) p *modlist->sml_mod.sm_values
$9 = {bv_len = 12, bv_val = 0x7ff46c11d940 "jeszenszkyan"}
(gdb) p *modlist->sml_mod.sm_nvalues
$10 = {bv_len = 12, bv_val = 0x7ff46c11d990 "jeszenszkyan"}

and

(gdb) p *modlist->sml_next->sml_mod.sm_desc
$11 = {ad_next = 0x0, ad_type = 0x5652a198da20, ad_cname = {bv_len = 3, bv_val 
= 0x5652a198d900 "uid"}, ad_tags = {bv_len = 0, bv_val = 0x0}, 
  ad_flags = 0, ad_index = 47}
(gdb) p *modlist->sml_next->sml_mod.sm_values
$12 = {bv_len = 11, bv_val = 0x7ff46c11d860 "jeszenszkya"}
(gdb) p *modlist->sml_next->sml_mod.sm_nvalues
$13 = {bv_len = 11, bv_val = 0x7ff46c11d8b0 "jeszenszkya"}


> (For the "sm_op" values, 1 is LDAP_MOD_DELETE and 4096 is
> SLAP_MOD_SOFTADD.)

Makes sense, I guess...

> Also, if the frame is still valid, the contents of "dni" in
> syncrepl_entry (frame #4) would be useful too.

(gdb) up
#4  0x5652a06c29df in syncrepl_entry (syncCSN=0x7ff46c115400, 
syncUUID=0x7ff47a6ca070, syncstate=, modlist=0x7ff47a6c9d30, 
entry=0x5652a19a8f38, op=0x7ff47a6ca760, si=0x5652a1a39600) at 
../../../../servers/slapd/syncrepl.c:3273
3273rc = op->o_bd->be_modrdn( op, _modify );
(gdb) p dni
$14 = {new_entry = 0x5652a19a8f38, dn = {bv_len = 45, bv_val = 0x7ff46c000ff0 
"uid=jeszenszkyan,ou=users,o=niifi,o=niif,c=hu"}, ndn = {bv_len = 45, 
bv_val = 0x7ff46c001028 "uid=jeszenszkyan,ou=users,o=niifi,o=niif,c=hu"}, 
nnewSup = {bv_len = 0, bv_val = 0x0}, renamed = 1, delOldRDN = 1, 
  modlist = 0x7ff47a6c9d30, mods = 0x0, oldNcount = 1, oldDesc = 
0x5652a198dc00, newDesc = 0x5652a198dc00}
(gdb) p *dni.new_entry
$16 = {e_id = 0, e_name = {bv_len = 44, bv_val = 0x7ff46c115430 
"uid=jeszenszkya,ou=users,o=niifi,o=niif,c=hu"}, e_nname = {bv_len = 44, 
bv_val = 0x7ff46c1191c0 "uid=jeszenszkya,ou=users,o=niifi,o=niif,c=hu"}, 
e_attrs = 0x5652a19bed90, e_ocflags = 0, e_bv = {bv_len = 0, bv_val = 0x0}, 
  e_private = 0x0}

(gdb) p dni.modlist->sml_mod
$18 = {sm_desc = 0x5652a198d870, sm_values = 0x7ff46c119200, sm_nvalues = 
0x7ff46c8bd960, sm_numvals = 1, sm_op = 2, sm_flags = 0, sm_type = {bv_len = 2, 
bv_val = 0x7ff46c114aed "cn"}}
(gdb) p dni.modlist->sml_mod.sm_desc
$19 = (AttributeDescription *) 0x5652a198d870
(gdb) p *dni.modlist->sml_mod.sm_desc
$20 = {ad_next = 0x5652a1bfcf80, ad_type = 0x5652a198d650, ad_cname = {bv_len = 
2, bv_val = 0x5652a198d590 "cn"}, ad_tags = {bv_len = 0, bv_val = 0x0}, 
  ad_flags = 0, ad_index = 46}
(gdb) p *dni.modlist->sml_mod.sm_values
$21 = {bv_len = 16, bv_val = 0x7ff46c10d5c0 "Jeszenszky Andor"}
(gdb) p *dni.modlist->sml_mod.sm_nvalues
$22 = {bv_len = 16, bv_val = 0x7ff46c8bd990 "jeszenszky andor"}
[...]
(gdb) p 
dni.modlist->sml_next->sml_next->sml_next->sml_next->sml_next->sml_next->sml_next->sml_next
$32 = (Modifications *) 0x0

(gdb) p *dni.oldDesc
$34 = {ad_next = 0x0, ad_type = 0x5652a198da20, ad_cname = {bv_len = 3, bv_val 
= 0x5652a198d900 "uid"}, ad_tags = {bv_len = 0, bv_val = 0x0}, 
  ad_flags = 0, ad_index = 47}

Hope this helps.
-- 
Regards,
Feri

Bug#895450: slapd: segfault in back_mdb

[wferi]

Control: tag -1 - moreinfo

On Wed, 11 Apr 2018 10:08:25 -0700 Ryan Tandy  wrote:

> On Wed, Apr 11, 2018 at 06:41:08PM +0200, Ferenc Wágner wrote:
>
>> slapd[4515]: segfault at 4c ip 7f71abdbfc9b sp 7f716f184780 error 4 
>> in back_mdb-2.4.so.2.10.7[7f71abdb+39000]
>
> Not familiar to me, nor to upstream based on the information provided. 
> Feel free to remove the 'moreinfo' tag if it happens again and you're 
> able to capture a core or stacktrace.

Hi Ryan,

One and a half year later, and I've got a core dump!  Stretch system,
slapd 2.4.44+dfsg-5+deb9u3, segmentation fault at the same point, but
with a different value:

Dec 19 10:31:40 birch slapd[19274]: do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE 
- NEW_COOKIE
Dec 19 10:31:40 birch slapd[19274]: do_syncrep2: rid=001 NEW_COOKIE: 
rid=001,csn=20191219093138.816310Z#00#000#00
Dec 19 10:31:40 birch slapd[19274]: slap_queue_csn: queueing 0x7ff460102d90 
20191219093138.816310Z#00#000#00
Dec 19 10:31:40 birch slapd[19274]: slap_graduate_commit_csn: removing 
0x7ff460102d90 20191219093138.816310Z#00#000#00
Dec 19 10:31:59 birch slapd[19274]: do_syncrep2: rid=001 
cookie=rid=001,csn=20191219093159.802851Z#00#000#00
Dec 19 10:31:59 birch slapd[19274]: syncrepl_message_to_entry: rid=001 DN: 
uid=jeszenszkya,ou=users,o=niifi,o=niif,c=hu, UUID: 
6eb0ba40-14b1-1039-9559-11af45fdb739
Dec 19 10:31:59 birch slapd[19274]: syncrepl_entry: rid=001 
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
Dec 19 10:31:59 birch slapd[19274]: syncrepl_entry: rid=001 be_search (0)
Dec 19 10:31:59 birch slapd[19274]: syncrepl_entry: rid=001 
uid=jeszenszkya,ou=users,o=niifi,o=niif,c=hu
Dec 19 10:31:59 birch slapd[19274]: slap_queue_csn: queueing 0x7ff46c11d760 
20191219093159.802851Z#00#000#00
Dec 19 10:31:59 birch kernel: [3068983.104734] slapd[19276]: segfault at 
80b9542009 ip 7ff4b7304c9b sp 7ff47a6c9700 error 4 in 
back_mdb-2.4.so.2.10.7[7ff4b72f5000+39000]

Some random info that looked useful at first sight:

(gdb) bt
#0  mdb_modify_internal (op=op@entry=0x7ff47a6ca760, 
tid=tid@entry=0x5652a1c04f50, 
modlist=0x7ff46c11d8d0, e=e@entry=0x7ff47a6c9850, 
text=text@entry=0x7ff47a6ca020, 
textbuf=textbuf@entry=0x7ff47a6c98d0 "\024", textlen=256)
at ../../../../../servers/slapd/back-mdb/modify.c:99
#1  0x7ff4b7307f8e in mdb_modrdn (op=0x7ff47a6ca760, rs=0x7ff47a6ca000)
at ../../../../../servers/slapd/back-mdb/modrdn.c:509
#2  0x5652a06cb040 in overlay_op_walk (op=op@entry=0x7ff47a6ca760, 
rs=0x7ff47a6ca000, 
which=op_modrdn, oi=0x5652a1a2a850, on=)
at ../../../../servers/slapd/backover.c:677
#3  0x5652a06cb19d in over_op_func (op=0x7ff47a6ca760, rs=, 
which=)
at ../../../../servers/slapd/backover.c:730
#4  0x5652a06c29df in syncrepl_entry (syncCSN=0x7ff46c115400, 
syncUUID=0x7ff47a6ca070, 
syncstate=, modlist=0x7ff47a6c9d30, entry=0x5652a19a8f38, 
op=0x7ff47a6ca760, 
si=0x5652a1a39600) at ../../../../servers/slapd/syncrepl.c:3273
#5  do_syncrep2 (op=op@entry=0x7ff47a6ca760, si=si@entry=0x5652a1a39600)
at ../../../../servers/slapd/syncrepl.c:1040
#6  0x5652a06c4134 in do_syncrepl (ctx=ctx@entry=0x7ff47a6cac10, 
arg=arg@entry=0x5652a1a21e90)
at ../../../../servers/slapd/syncrepl.c:1564
#7  0x5652a065deed in connection_read_thread (ctx=0x7ff47a6cac10, argv=0xb)
at ../../../../servers/slapd/connection.c:1296
#8  0x7ff4bbe3efda in ?? () from 
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#9  0x7ff4ba3a74a4 in start_thread (arg=0x7ff47a6cb700) at 
pthread_create.c:456
#10 0x7ff4ba0e9d0f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:97

(gdb) p *modlist
$9 = {sml_mod = {sm_desc = 0x5652a198dc00, sm_values = 0x7ff46c11d910, 
sm_nvalues = 0x7ff46c11d960, 
sm_numvals = 1, sm_op = 1, sm_flags = 0, sm_type = {bv_len = 0, bv_val = 
0x0}}, 
  sml_next = 0x7ff46c11d7f0}
(gdb) p *modlist->sml_next
$10 = {sml_mod = {sm_desc = 0x5652a198dc00, sm_values = 0x7ff46c11d830, 
sm_nvalues = 0x7ff46c11d880, 
sm_numvals = 1, sm_op = 4096, sm_flags = 0, sm_type = {bv_len = 0, bv_val = 
0x0}}, 
  sml_next = 0x80b9541fed}
(gdb) p mod
$12 = (Modification *) 0x80b9541fed
(gdb) p >sm_op
$13 = (short *) 0x80b9542009

The end of the console output:

$ /usr/sbin/slapd -h ldapi:/// -F /etc/ldap/slapd.d -d Stats,Stats2
[...]
5dfb4079 conn=1001 op=4783 SRCH base="o=niifi,o=niif,c=hu" scope=2 deref=0 
filter="(&(objectClass=posixAccount)(uid=jsj))"
5dfb4079 conn=1001 op=4783 SRCH attr=uidNumber cn gecos uid objectClass 
homeDirectory gidNumber loginShell
5dfb4079 conn=1001 op=4783 SEARCH RESULT tag=101 err=0 nentries=0 text=
Segmentation fault

I'm ready to extract more info from the core dump or provide the
configuration if needed.  In short, it's a partial replica (constrained
by ACLs) from a wheezy slapd (2.4.40-4~bpo70+2).
-- 
Thanks,
Feri

Bug#886974: note to self

[wferi]

A random observation: the segmentation fault happens after outputting
4096 bytes to the test log.  It may be related to stdio buffering and
thus it may never appear with line buffered output.

Bug#873057: ntpd startup broke after buster upgrade

[wferi]

Hi,

I agree that in theory this should work, but apparently it isn't
reliable.  During the first two startups after the buster upgrade ntpd
was started, but during the third startup it was skipped:

$ systemctl status ntp.service systemd-timesyncd.service 
● ntp.service - Network Time Service
   Loaded: loaded (/lib/systemd/system/ntp.service; enabled; vendor preset: 
enabled)
   Active: inactive (dead)
 Docs: man:ntpd(8)

● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; 
vendor preset: enabled)
  Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
   └─disable-with-time-daemon.conf
   Active: inactive (dead)
Condition: start condition failed at Tue 2019-09-17 19:21:35 CEST; 1 day 16h ago
   └─ ConditionFileIsExecutable=!/usr/sbin/ntpd was not met
 Docs: man:systemd-timesyncd.service(8)

While man systemd.unit says that "the unit that conflicts will be
started and the unit that is conflicted is stopped", this doesn't always
work out as expected.  From the syslog of the last two reboots:

wferi@noc7:~$ zegrep "Network Time|Reached target" /var/log/syslog.2.gz 
Sep 17 18:16:02 noc7 systemd[1]: Reached target Local File Systems (Pre).
Sep 17 18:16:02 noc7 systemd[1]: Reached target Swap.
Sep 17 18:16:02 noc7 systemd[1]: Reached target Network (Pre).
Sep 17 18:16:02 noc7 systemd[1]: Reached target Local File Systems.
Sep 17 18:16:02 noc7 systemd[1]: Reached target RPC Port Mapper.
Sep 17 18:16:02 noc7 systemd[1]: Reached target Remote File Systems (Pre).
Sep 17 18:16:02 noc7 systemd[1]: Reached target Remote File Systems.
Sep 17 18:16:02 noc7 systemd[1]: Reached target System Initialization.
Sep 17 18:16:02 noc7 systemd[1]: Reached target Paths.
Sep 17 18:16:02 noc7 systemd[1]: Reached target Sockets.
Sep 17 18:16:02 noc7 systemd[1]: Reached target Basic System.
Sep 17 18:16:02 noc7 systemd[1]: Reached target Timers.
Sep 17 18:16:46 noc7 systemd[1]: Reached target Network.
Sep 17 18:16:46 noc7 systemd[1]: Starting Network Time Service...
Sep 17 18:16:46 noc7 systemd[1]: Reached target Network is Online.
Sep 17 18:16:47 noc7 systemd[1]: Started Network Time Service.
Sep 17 18:16:47 noc7 systemd[1]: Reached target Login Prompts.
Sep 17 18:16:59 noc7 systemd[1]: Reached target Multi-User System.
Sep 17 18:16:59 noc7 systemd[1]: Reached target Graphical Interface.

Sep 17 19:21:38 noc7 systemd[1]: Reached target Local File Systems (Pre).
Sep 17 19:21:38 noc7 systemd[1]: Reached target Network (Pre).
Sep 17 19:21:38 noc7 systemd[1]: Reached target Swap.
Sep 17 19:21:38 noc7 systemd[1]: Reached target Local File Systems.
Sep 17 19:21:38 noc7 systemd[1]: Condition check resulted in Network Time 
Synchronization being skipped.
Sep 17 19:21:38 noc7 systemd[1]: Reached target RPC Port Mapper.
Sep 17 19:21:38 noc7 systemd[1]: Reached target Remote File Systems (Pre).
Sep 17 19:21:38 noc7 systemd[1]: Reached target Remote File Systems.
Sep 17 19:21:38 noc7 systemd[1]: Reached target System Initialization.
Sep 17 19:21:38 noc7 systemd[1]: Reached target Sockets.
Sep 17 19:21:38 noc7 systemd[1]: Reached target Timers.
Sep 17 19:21:38 noc7 systemd[1]: Reached target Paths.
Sep 17 19:21:38 noc7 systemd[1]: Reached target Basic System.
Sep 17 19:21:41 noc7 systemd[1]: Reached target Network.
Sep 17 19:21:42 noc7 systemd[1]: Reached target Network is Online.
Sep 17 19:21:42 noc7 systemd[1]: Reached target Login Prompts.
Sep 17 19:21:54 noc7 systemd[1]: Reached target Multi-User System.
Sep 17 19:21:54 noc7 systemd[1]: Reached target Graphical Interface.

Some more details (hopefully defaults):

$ systemctl show -p 
After,Before,Wants,WantedBy,Requres,RequiredBy,Conflicts,ConflictedBy 
ntp.service systemd-timesyncd.service
Wants=
RequiredBy=
WantedBy=multi-user.target
Conflicts=shutdown.target systemd-timesyncd.service
ConflictedBy=
Before=multi-user.target shutdown.target
After=-.mount systemd-tmpfiles-setup.service sysinit.target system.slice 
tmp.mount var.mount systemd-journald.socket network.target basic.target

Wants=time-sync.target
RequiredBy=
WantedBy=sysinit.target
Conflicts=shutdown.target
ConflictedBy=ntp.service
Before=time-sync.target sysinit.target shutdown.target
After=var.mount systemd-journald.socket systemd-tmpfiles-setup.service 
system.slice -.mount tmp.mount systemd-sysusers.service 
systemd-remount-fs.service

I failed to identify the problem, your help would be much welcome.
-- 
Thanks,
Feri

Bug#928605: No irq handler for vector

[wferi]

Hi,

I'm also getting such messages since the buster upgrade:

Message from syslogd@lant at Aug 26 20:05:12 ...
 kernel:[686221.093605] do_IRQ: 1.52 No irq handler for vector

Message from syslogd@lant at Aug 27 01:03:12 ...
 kernel:[704101.075251] do_IRQ: 1.43 No irq handler for vector
-- 
Regards,
Feri

Bug#843640: bluez: Unable to transfer files over bluetooth - no file transfer settings shown

[wferi]

I can transfer files to my computer only if "Accept files from trusted
devices" in "Transfer Settings" in the "Local Services" dialog is
*unchecked*.  Otherwise the accept dialog does not appear on incoming
transfers, and in 40 seconds the transfer eventually times out with
FORBIDDEN(0x43).  The sending device is trusted.
-- 
Regards,
Feri

Bug#933398: resource-agents: ZFS resource agent contains a bashism and fails

[wferi]

Valentin Vidić  writes:

> The updated for stable is a bit more tricky because:
>
> https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable
> "Basically, a package should only be uploaded to stable if one of the 
> following
> happens:
>
> * a truly critical functionality problem

As I understand it, the resource agent does not work at all currently.
I'd consider this "truly critical", but we'll have to ask the stable
release team.
-- 
Feri

Bug#930887: [Debian-ha-maintainers] Bug#930887: CVE-2019-10153

[wferi]

Valentin Vidić  writes:

> On Mon, Jun 24, 2019 at 02:03:11PM +0200, wf...@niif.hu wrote:
>
>> According to https://security-tracker.debian.org/tracker/CVE-2019-10153,
>> the vulnerable code is not present in stretch.  However, I don't
>> understand why this does not count:
>> 
>> https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124
>> 
>> Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the
>> URL conversion to ASCII can fail even when it's implicit, though that
>> probably isn't user controllable, thus may not count.
>
> I suppose the upstream marked it for 4.3.3

https://bugzilla.redhat.com/show_bug.cgi?id=1716286 is more general,
mentioning "fence-agents prior to version 4.3.4"

> but we can make a fix for stretch to be on the safe side?

I think so, but I may overlook something.  Also, I find the switch to
UTF-8 decoding a somewhat unsatisfactory fix: is it wise to depend on
the result being correctly UTF-8 encoded?  If anything goes wrong, an
exception is thrown all the same, it depends on the server.  It may be
desirable, though, I don't know a thing about rhevm.
-- 
Feri

Bug#930887: [Debian-ha-maintainers] Bug#930887: CVE-2019-10153

[wferi]

Moritz Muehlenhoff  writes:

> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1716286

Hi Moritz,

According to https://security-tracker.debian.org/tracker/CVE-2019-10153,
the vulnerable code is not present in stretch.  However, I don't
understand why this does not count:

https://salsa.debian.org/ha-team/fence-agents/blob/debian/4.0.25-1/fence/agents/rhevm/fence_rhevm.py#L124

Also, according to http://pycurl.io/docs/latest/unicode.html#unicode the
URL conversion to ASCII can fail even when it's implicit, though that
probably isn't user controllable, thus may not count.
-- 
Thanks,
Feri

Bug#930671: libauthen-radius-perl: most basic usage stopped working

[wferi]

gregor herrmann  writes:

> Upstream has now closed the CPAN RT ticket and released a 0.31
> version which fixes the issue (differently).
>
> I've "backported" the fix (i.e. took most of the 0.31 diff and added
> it as a quilt patch) and pushed it to git. For convenience I'm also
> attaching the patch here.
>
> Feri, could you try this patch as well so that we can be sure that it
> works before we proceed with an upload and unblock request?

I built 0.29-2 from Salsa and installed it.  It works fine for my (very
limited) purposes.
-- 
Thanks,
Feri

Bug#930671: libauthen-radius-perl: most basic usage stopped working

[wferi]

Niko Tyni  writes:

> I've reported this upstream with the attached proposed patch.

Hi Niko,

I tried to apply the Radius.pm part to the installed package, but it
failed at first due to a whitespace error: the installed file is
indented with TAB characters, not spaces like your patch.  After
adjusting that the patched code works fine for me.

> Will wait a bit before applying the patch for Debian in case upstream
> has comments.

Great, thanks a lot!
-- 
Regards,
Feri

Bug#930671: additional info

[wferi]

Commenting out the offending conditional die() in
/usr/share/perl5/Authen/Radius.pm:865 restores the expected behavior.

On the other hand, loading dictionary.rfc2865 does not make any difference.
-- 
Regards,
Feri

Bug#927159: libqb: CVE-2019-12779: Insecure Temporary Files

[wferi]

Dear Security Team,

I'm ready to upload libqb-1.0.1-1+deb9u1 with the following debdiff:

diff -Nru libqb-1.0.1/debian/changelog libqb-1.0.1/debian/changelog
--- libqb-1.0.1/debian/changelog2016-12-07 14:55:45.0 +0100
+++ libqb-1.0.1/debian/changelog2019-06-16 23:41:50.0 +0200
@@ -1,3 +1,21 @@
+libqb (1.0.1-1+deb9u1) stretch-security; urgency=high
+
+  * [38e0e13] Backport upstream security fixes for CVE-2019-12779.
+Libqb creates files in world-writable directories (/dev/shm, /tmp) with
+rather predictable file names (for example in case of USBGuard with names
+like /dev/shm/qb-usbguard-request-7096-835-12-data). Also O_EXCL flag is
+not used when opening the files. This could be exploited by a local
+attacker to overwrite privileged system files (if not restricted by
+sandboxing, MAC or symlinking policies).
+Original report:  https://github.com/ClusterLabs/libqb/issues/338
+Add O_EXCL:   https://github.com/ClusterLabs/libqb/pull/339
+Use mkdtemp():https://github.com/ClusterLabs/libqb/pull/345
+Regression fixes: https://github.com/ClusterLabs/libqb/pull/349
+(Closes: #927159)
+  * [79734d7] Acknowledge new internal symbol
+
+ -- Ferenc Wágner   Sun, 16 Jun 2019 23:41:50 +0200
+
 libqb (1.0.1-1) unstable; urgency=medium
 
   [ Christoph Berg ]
diff -Nru libqb-1.0.1/debian/gbp.conf libqb-1.0.1/debian/gbp.conf
--- libqb-1.0.1/debian/gbp.conf 2016-12-07 14:47:16.0 +0100
+++ libqb-1.0.1/debian/gbp.conf 2019-06-16 22:48:22.0 +0200
@@ -1,14 +1,12 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/stretch
 upstream-branch = upstream/latest
-debian-tag-msg = Debian release %(version)s
-
-[import-orig]
 pristine-tar = True
 
-[gbp-pq]
-patch-numbers = False
-
-[gbp-dch]
+[dch]
+full = True
 multimaint-merge = True
 id-length = 7
+
+[pq]
+patch-numbers = False
diff -Nru libqb-1.0.1/debian/libqb0.symbols libqb-1.0.1/debian/libqb0.symbols
--- libqb-1.0.1/debian/libqb0.symbols   2016-12-07 14:47:16.0 +0100
+++ libqb-1.0.1/debian/libqb0.symbols   2019-06-16 23:41:22.0 +0200
@@ -236,5 +236,6 @@
  qb_util_timespec_from_epoch_get@Base 0.11.1
  qb_vsnprintf_deserialize@Base 0.11.1
  qb_vsnprintf_serialize@Base 0.14.2
+ remove_tempdir@Base 1.0.1-1+deb9u1~
  strlcat@Base 0.11.1
  strlcpy@Base 0.11.1
diff -Nru 
libqb-1.0.1/debian/patches/CVE-2019-12779/Allow-group-access-to-the-IPC-directory.patch
 
libqb-1.0.1/debian/patches/CVE-2019-12779/Allow-group-access-to-the-IPC-directory.patch
--- 
libqb-1.0.1/debian/patches/CVE-2019-12779/Allow-group-access-to-the-IPC-directory.patch
 1970-01-01 01:00:00.0 +0100
+++ 
libqb-1.0.1/debian/patches/CVE-2019-12779/Allow-group-access-to-the-IPC-directory.patch
 2019-06-16 23:10:03.0 +0200
@@ -0,0 +1,29 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?= 
+Date: Thu, 18 Apr 2019 13:20:38 +0200
+Subject: Allow group access to the IPC directory
+
+And don't abort if we aren't permitted to chown() it.  The client might
+still have the privileges to enter it.
+---
+ lib/ipc_setup.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ipc_setup.c b/lib/ipc_setup.c
+index f6f1d7d..6183001 100644
+--- a/lib/ipc_setup.c
 b/lib/ipc_setup.c
+@@ -640,11 +640,12 @@ handle_new_connection(struct qb_ipcs_service *s,
+   res = -errno;
+   goto send_response;
+   }
+-  res = chown(c->description, c->auth.uid, c->auth.gid);
+-  if (res != 0) {
++  if (chmod(c->description, 0770)) {
+   res = -errno;
+   goto send_response;
+   }
++  /* chown can fail because we might not be root */
++  (void)chown(c->description, c->auth.uid, c->auth.gid);
+ 
+   /* We can't pass just a directory spec to the clients */
+   strncat(c->description,"/qb", CONNECTION_DESCRIPTION);
diff -Nru 
libqb-1.0.1/debian/patches/CVE-2019-12779/Errors-are-represented-as-negative-values.patch
 
libqb-1.0.1/debian/patches/CVE-2019-12779/Errors-are-represented-as-negative-values.patch
--- 
libqb-1.0.1/debian/patches/CVE-2019-12779/Errors-are-represented-as-negative-values.patch
   1970-01-01 01:00:00.0 +0100
+++ 
libqb-1.0.1/debian/patches/CVE-2019-12779/Errors-are-represented-as-negative-values.patch
   2019-06-16 23:10:03.0 +0200
@@ -0,0 +1,27 @@
+From: =?utf-8?q?Ferenc_W=C3=A1gner?= 
+Date: Wed, 17 Apr 2019 15:09:42 +0200
+Subject: Errors are represented as negative values
+
+---
+ lib/ipc_setup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ipc_setup.c b/lib/ipc_setup.c
+index a66004d..f6f1d7d 100644
+--- a/lib/ipc_setup.c
 b/lib/ipc_setup.c
+@@ -637,12 +637,12 @@ handle_new_connection(struct qb_ipcs_service *s,
+   snprintf(c->description, CONNECTION_DESCRIPTION,
+"/dev/shm/qb-%d-%d-%d-XX", s->pid, ugp->pid, 
c->setup.u.us.sock);
+   if (mkdtemp(c->description) == NULL) {
+-  res = 

Bug#929467: RFS: tfortune-1.0.0 [ITP]

[wferi]

Andre Noll  writes:

> I also had to override dh_autoreconf for reasons explained in the
> commit message.

It isn't a packaging issue, I just wonder: why do you wrap configure?
The usual approach to making it available is distributing it (and not
requiring Autoconf to build the software from the distribution tarball,
only to build it from the VCS checkout).
-- 
Regards,
Feri

Bug#927714: CVE-2019-3885 CVE-2018-16877 CVE-2018-16878

[wferi]

On Wed, 24 Apr 2019 17:50:02 +0200 wf...@niif.hu wrote:

> On Mon, 22 Apr 2019 09:07:04 +0200 Salvatore Bonaccorso  
> wrote:
> 
>>> Please see https://www.openwall.com/lists/oss-security/2019/04/17/1
>> 
>> Please note that when fixing the issues, in the original patchsets
>> there were some behaviour regressions, I think they should be adressed
>> in the followups as noted in
>> https://www.openwall.com/lists/oss-security/2019/04/18/2
> 
> After several readings of the followup you linked to I think those
> "prior behavioral changes" are the fixes themselves, that is, the more
> thorough authorization checks.  Don't you agree?

According to
https://github.com/ClusterLabs/pacemaker/pull/1750#issuecomment-494765240,
those behavioral changes are already addressed in the pull request.

> I proceeded to apply the patches in the pull request to the pacemaker
> quilt queue.  Unfortunately they introduce new symbols in libcrmcommon:
> crm_ipc_is_authentic_process and pcmk__ipc_is_authentic_process_active.
> Am I expected to update the libtool version info in light of this?

I left those internal symbols unaccounted for now, just tell if it needs
adjustment.

As per the previous comment CVE-2019-3885 does not affect 1.1.16 (the
version in stretch), so that patch was left out (you may want to
indicate this in the security tracker).  On the other hand three
followup patches fixing two bugs in the security fixes are included
based on
https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html.

Here is the full glorious debdiff:

diff -Nru pacemaker-1.1.16/debian/changelog pacemaker-1.1.16/debian/changelog
--- pacemaker-1.1.16/debian/changelog   2016-12-01 14:15:23.0 +0100
+++ pacemaker-1.1.16/debian/changelog   2019-06-02 08:08:12.0 +0200
@@ -1,3 +1,35 @@
+pacemaker (1.1.16-1+deb9u1) stretch-security; urgency=high
+
+  [ Christoph Berg ]
+  * [d3d1561] Remove myself from Uploaders.
+
+  [ Ferenc Wágner ]
+  * [53a63fc] Backport upstream security fixes from pull request #1749.
+1. CVE-2018-16877: Insufficient local IPC client-server authentication
+   on the client's side can lead to local privesc.  A local attacker
+   could use this flaw, and combine it with other IPC weaknesses, to
+   achieve local privilege escalation.
+2. CVE-2018-16878: Insufficient verification inflicted preference of
+   uncontrolled processes can lead to DoS.
+The backported patch bundles were taken from
+
https://src.fedoraproject.org/rpms/pacemaker/c/f48a85ec68e299dfc53655b121e661b7c488ed71?branch=f28:
+- High-pacemakerd-vs.-IPC-procfs-confused-deputy-authentic.patch
+  (fixes CVE-2018-16877 and CVE-2018-16878)
+- Med-controld-fix-possible-NULL-pointer-dereference.patch
+  (fixes an additional problem which is more likely triggerable now that
+  the problems related to CVE-2018-16878 are avoided)
+CVE-2019-3885 does not affect Pacemaker 1.1.16, so
+High-libservices-fix-use-after-free-wrt.-alert-handl.patch is not
+included in this backport.
+Thanks to Jan Pokorný  (Closes: #927714)
+  * [fcbaaae] Acknowledge the new symbols
+  * [babde58] Backport three more patches from upstream fixing memory safety
+bugs.
+Clearing up fallout from the preceding security fixes.
+Thanks to Ken Gaillot 
+
+ -- Ferenc Wágner   Sun, 02 Jun 2019 08:08:12 +0200
+
 pacemaker (1.1.16-1) unstable; urgency=medium
 
   * [d90daf5] Refresh our patches
diff -Nru pacemaker-1.1.16/debian/control pacemaker-1.1.16/debian/control
--- pacemaker-1.1.16/debian/control 2016-12-01 14:14:42.0 +0100
+++ pacemaker-1.1.16/debian/control 2019-05-18 16:41:29.0 +0200
@@ -5,7 +5,6 @@
 Uploaders:
  Richard B Winters ,
  Ferenc Wágner ,
- Christoph Berg ,
  Adrian Vondendriesch ,
 Build-Depends:
  cluster-glue-dev,
diff -Nru pacemaker-1.1.16/debian/gbp.conf pacemaker-1.1.16/debian/gbp.conf
--- pacemaker-1.1.16/debian/gbp.conf2016-12-01 14:07:08.0 +0100
+++ pacemaker-1.1.16/debian/gbp.conf2019-05-22 11:01:26.0 +0200
@@ -1,15 +1,12 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/stretch
 upstream-branch = upstream/latest
-debian-tag-msg = Debian release %(version)s
-
-[import-orig]
 pristine-tar = True
 
-[gbp-pq]
+[pq]
 patch-numbers = False
 
-[gbp-dch]
+[dch]
 full = True
 multimaint-merge = True
 id-length = 7
diff -Nru pacemaker-1.1.16/debian/libcrmcommon3.symbols 
pacemaker-1.1.16/debian/libcrmcommon3.symbols
--- pacemaker-1.1.16/debian/libcrmcommon3.symbols   2016-12-01 
14:14:42.0 +0100
+++ pacemaker-1.1.16/debian/libcrmcommon3.symbols   2019-05-22 
11:56:47.0 +0200
@@ -94,6 +94,7 @@
  crm_ipc_default_buffer_size@Base 1.1.11
  crm_ipc_destroy@Base 1.1.9
  crm_ipc_get_fd@Base 1.1.9
+ crm_ipc_is_authentic_process@Base 1.1.16-1+deb9u1~
  crm_ipc_name@Base 1.1.9
  crm_ipc_new@Base 1.1.9
  crm_ipc_prepare@Base 1.1.9
@@ -292,6 +293,7 @@
  parse_date@Base 1.1.9
  parse_op_key@Base 1.1.9
  

Bug#927714: CVE-2019-3885 CVE-2018-16877 CVE-2018-16878

[wferi]

On Mon, 22 Apr 2019 09:07:04 +0200 Salvatore Bonaccorso  
wrote:

>> Please see https://www.openwall.com/lists/oss-security/2019/04/17/1
> 
> Please note that when fixing the issues, in the original patchsets
> there were some behaviour regressions, I think they should be adressed
> in the followups as noted in
> https://www.openwall.com/lists/oss-security/2019/04/18/2

Hi Salvatore,

After several readings of the followup you linked to I think those
"prior behavioral changes" are the fixes themselves, that is, the more
thorough authorization checks.  Don't you agree?

I proceeded to apply the patches in the pull request to the pacemaker
quilt queue.  Unfortunately they introduce new symbols in libcrmcommon:
crm_ipc_is_authentic_process and pcmk__ipc_is_authentic_process_active.
Am I expected to update the libtool version info in light of this?
-- 
Thanks,
Feri

Bug#926162: unblock: opensaml/3.0.1-1

[wferi]

Control: tags -1 - moreinfo

Niels Thykier  writes:

> Please go ahead with the upload and remove the moreinfo tag when it is
> ready for unblocking.

Hi, opensaml 3.0.1-1 is already in unstable, ready for unblocking.
-- 
Thanks,
Feri

Bug#925978: shibboleth-sp2-common: fills up the /var/cache directory with incommon-metadata.xml.XXXX

[wferi]

Control: reassign 925978 src:shibboleth-sp
Control: forwarded 925978 https://issues.shibboleth.net/jira/browse/SSPCPP-731
Control: tags 925978 + upstream
Control: fixed 925978 3.0.2+dfsg1-1

Matt Weatherford  writes:

> This continues to happen, but is easy to manually clear up so low
> priority...  I wanted to report it out of respect for the work you
> guys do & in hopes its already fixed in the 3.0 release

"Cantor, Scott"  writes:

> Those are discovery feed cache files, and yes, it's fixed in V3, it
> was a regression that got fixed and rebroken a couple of times. It's
> an easy fix to backport if need be.

Thanks for the report, Matt, and thanks for the fix, Scott.  As we're
currently working on backporting V3 to stretch, I've got no immediate
plans to do a stable update for this.  However, I'm somewhat confused
about the fix: [1] says it's a "one character fix", but d2e6d712 is a
little more elaborate.  How do these fit together?

[1] 
https://issues.shibboleth.net/jira/browse/SSPCPP-731?focusedCommentId=27304=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-27304
  
-- 
Thanks,
Feri

Bug#925524: init-system-helpers: Please provide a stretch backport for debhelper 12~

[wferi]

Michael Biebl  writes:

> Personally I prefer to revert the compat bumps when doing backports for
> stretch (like in [1]) as I like to to keep the impact on the stable
> system as minimal as possible. Pulling in a newer i-s-h is a rather
> significant change.

 I see.  Dropping back to compat 10 is certainly an option, now that I
 know that only compat 11 is affected.  Thing is, this package never
 used compat 10, so this requires careful review.

> Thankfully not as significant as we had between jessie → stretch. So a
> backport of i-s-h might indeed be feasible on a cursory glance.

Given that it would potentially help several maintainers, could you
please give this some more serious consideration?  Strictly on the
theoretical level, of course. :)
-- 
Thanks,
Feri

Bug#925524: init-system-helpers: Please provide a stretch backport for debhelper 12~

[wferi]

Felipe Sateler  writes:

> I'm not opposed to a backport, and I don't think there are many
> problems with attempting it. However, I do not have time to prepare
> and test such a backport. Help welcome.

I can do the busy-work of backporting, but I lack the perspective to
tell whether it's feasible now or in the long run.  Looking at the
changelog it feels safe to install 1.56 on a stretch system, and this
close to the release I wouldn't expect anything to come up before
stretch-backports closes, though...
-- 
Regards,
Feri

Bug#925524: init-system-helpers: Please provide a stretch backport for debhelper 12~

[wferi]

Niels Thykier  writes:

> I don't think I have much to add to it really beyond what is covered in
> https://nthykier.wordpress.com/2019/01/04/debhelper-compat-12-is-now-released/

Thanks for the good writeup, I missed it.

> Sure it would be great to have one less caveat for upgrating to compat
> 12.  But mostly release compat 12 before buster was to ensure people
> could assume compat 12 was present in buster (and less about stretch).

I see.  I was forced to compat 12 by #887904 for shibboleth-sp back in
August, and now we try to backport it to stretch.  Working around
#887904 on compat 11 does not seem a simple exercise for me, that's why
I decided to pursue an init-system-helpers backport.  Please correct me
if I overlook something.

> Related note (with my RT hat on): Please defer debhelper compat bumps
> for anything targeting buster as it is not considered a "minimal change".

I didn't even think of such things. :)  However, now that you reminded
me, I've got a tricky minimal change for your RT hat, let me put that
forward as well...
-- 
Thanks,
Feri

Bug#925524: init-system-helpers: Please provide a stretch backport for debhelper 12~

[wferi]

On Tue, 26 Mar 2019 11:29:29 +0100 =?utf-8?q?Ferenc_W=C3=A1gner?= 
 wrote:
 
> Debhelper compat level 12 is stable and available in stretch-backports,
> but uses the --skip-systemd-native option of invoke-rc.d, thus adds
> init-system-helpers (>= 1.54~) to misc:Pre-Depends.  This is necessary
> to fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887904.
> However, the resulting pre-dependency can't be satisfied in stretch,
> making the resulting binaries of compat 12 packages uninstallable in
> stretch.  Could you please provide a stretch backport of a suitable
> init-system-helpers version to accompany debhelper 12~, or do you
> recommend some other solution to this problem?  (I suppose installing a
> newer version of init-system-helpers manually to a stretch system
> wouldn't break it, but it's rather inconvenient even if you confirm it.)

Hi Niels,

I'm not sure you noticed this report.  In any case, I'd be much
interested to hear your opinion concerning this issue.
-- 
Thanks,
Feri

Bug#925354: [Debian-ha-maintainers]: Bug#925354: pacemaker-dev: missing Breaks+Replaces: libcrmcluster1-dev

[wferi]

Valentin Vidic  writes:

> On Mon, Mar 25, 2019 at 03:45:58PM +0100, Andreas Beckmann wrote:
>
>> In that case you should probably add Breaks+Replaces against all of the
>> old -dev packages that were merged, just to be on the safe side.
>
> Yes, that is the plan. I think wferi will take care of it if he
> has time?

Yes, I'm on it.  It's somewhat bizarre: libcrmcluster1-dev wasn't part
of jessie or stretch.  Similarly, pacemaker-dev was present in wheezy
only, until I reintroduced it recently, and looks like its ghost came
back to haunt us.  I didn't anticipate piuparts to start with wheezy
when testing buster upgrades.
-- 
Thanks,
Feri

Bug#924962: unblock: coturn/4.5.1.1-1

[wferi]

Dear Release Team,

I sponsored the late upload of 4.5.1.1-1, please let me try to make up
for that by providing some more information (hopefully) in favor of the
unblock.

First of all, the Docker changes, which are the biggest part of the src
debdiff, do not affect the binary package at all, please just ignore
them.

On Tue, 19 Mar 2019 09:25:13 +0100 =?utf-8?b?TcOpc3rDoXJvcyBNaWjDoWx5?= 
 wrote:

> In 4.5.1.0 we droped root privilege but we didn't considered that in
> the defualt file logging it will cause an issue.

The issue is the logs being put into (after several fallback steps due
to lack of privileges) the private tmpfs created by systemd.  This makes
them ephemeral, and uses memory for doing so.  Also, the package does
not provide any logrotate config, so syslog is a better choice for this
reason as well.  This change is implemented by shipping the conffile
/etc/turnserver.conf again (it was inadvertently dropped from 4.5.1.0-1)
and patching it to use syslog.

The TTL query always returns 0 on Sparc64, so the relay code has use the
default 64 on that architecture to work at all.  This is a workaround
for some bug, possibly in libc.

The "pwd check" part fixes a NULL pointer dereference, which was an
oversight, a regression introduced in 4.5.1.0.

All the remaining changes fix #916919, the alignment problem.
-- 
Thanks for your consideration,
Feri

Bug#924748: unblock: shibboleth-sp/3.0.4+dfsg1-1

[wferi]

Control: tag -1 - moreinfo

Jonathan Wiltshire  writes:

> Please go ahead and remove the moreinfo tag when it is ready to unblock.

Thanks, uploaded.  Looks like Niels has already unblocked it, but I'm
removing the moreinfo tag nevertheless.
-- 
Regards,
Feri

Bug#924577: unblock: xmltooling/3.0.4-1

[wferi]

Emilio Pozuelo Monfort  writes:

> The diff looks fine, please go ahead with 3.0.4-1.

Uploaded, thanks!
-- 
Feri

Bug#924346: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

[wferi]

Moritz Muehlenhoff  writes:

> On Tue, Mar 12, 2019 at 10:19:00AM +0100, wf...@niif.hu wrote:
>
>> The resulting packages works fine in my setup.  However, I failed to
>> reproduce the original issue under stretch.  After consulting upstream,
>> it turns out that the old Xerces library actually helps somewhat in this
>> case, please see Scott Cantor's reply below.  So the known exploit
>> (using an invalid XML declaration) does not work on stable, but if
>> somebody finds a way to trigger a DOMException in Xerces 3.1, any
>> xmltooling users will crash all the same.  See also his comment on
>> https://issues.apache.org/jira/browse/XERCESC-2016.
>
> I think we can still fix this via stretch-security

OK, uploaded.

> it's better to fix the root cause nonetheless.

Even though the Xerces change is suspicious, the documentation allows
the parser to throw DOMExceptions, so they must be handled by the
callers, which this fix achieves.
-- 
Regards,
Feri

Bug#924346: xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration

[wferi]

Salvatore Bonaccorso  writes:

> On Sat, Mar 09, 2019 at 07:25:52PM +0100, wf...@niif.hu wrote:
>
>> I reserved a CVE from Mitre, backported the probable patch to
>> xmltooling 1.6.0-4+deb9u1 in stable and prepared a tentative package
>> with it, please see the debdiff below.  I plan to add more
>> substantive info to the changelog as I get hold of any, but I expect
>> no other changes.
>
> Thanks for preparing the update, the issue is now public, so filled a
> respective Debian bug for it. 

Thanks, Salvatore!

> Were you able to test the resulting package in some extend under
> stretch?

The resulting packages works fine in my setup.  However, I failed to
reproduce the original issue under stretch.  After consulting upstream,
it turns out that the old Xerces library actually helps somewhat in this
case, please see Scott Cantor's reply below.  So the known exploit
(using an invalid XML declaration) does not work on stable, but if
somebody finds a way to trigger a DOMException in Xerces 3.1, any
xmltooling users will crash all the same.  See also his comment on
https://issues.apache.org/jira/browse/XERCESC-2016.

JFYI: we plan to upload the Shibboleth 3 stack to stretch-backports,
which will use the xerces-c 3.2 stretch backport.  These will be fixed
packages, though, in whatever form the Release Team gives its blessing
for.

> I think it sounds sensible to release a DSA for it, so in case yes
> please do upload to security-master (you might add the Debian bug
> closer as well if you need to rebuild and want to add additional
> information).

It will add the closer and the extra information, but won't upload to
security-master unless you tell me so again after reassessing the
situation based on the new information here.

"Cantor, Scott"  writes:

> Yeah, it's a Xerces change. I didn't make it, but it was applied to
> the trunk as part of XERCES-2016 and there's a very odd change that
> causes the XMLScanner to leak through versions that start with "1." It
> doesn't look correct to me, but it's not for me to say.
>
> Anything up to Xerces 3.1.x catches that and raises the old
> XMLException type that was already caught. Xerces 3.2 ends up with a
> DOMException, which is what caused the crash.
>
> Now: the bug is still a bug. I have no idea under what conditions
> other DOMExceptions could be triggered, and if it happens, you have a
> crash. And the DOMLSParser::parse method is absolutely allowed to
> throw that type of exception, that's in the docs and in the DOM
> standard. But this specific case is only exploitable under Xerces 3.2.
>
> Personally, I would just push the fix and be done with it, it's not a
> hard change, but it's certainly your call. I had to because I require
> Xerces 3.2 at this point in all my packages.
>
> I may update the advisory, but I'm not enthused about overcomplicating
> the message I'm sending with more caveats and conditions.
>
> Good catch though.
>
> -- Scott
-- 
Regards,
Feri

Bug#923740: unblock: pacemaker/2.0.1-1

[wferi]

Control: tags -1 - moreinfo

Jonathan Wiltshire  writes:

> On Tue, Mar 05, 2019 at 09:45:26AM +0100, Paul Gevers wrote:
>
>> I propose you let 2.0.1~rc5-1 migrate to testing, upload 2.0.1-1 to
>> unstable after that, provide us with a debdiff between 2.0.1~rc5-1 and
>> 2.0.1-1 in this bug report and we'll look at that diff. That way, the
>> review is much more trivial for us. Please remove the moreinfo tag once
>> we are there.
>
> ~rc5-1 just migrated.

Indeed, thanks for the note!  Accordingly, 2.0.1-1 is uploaded, and the
debdiff has already been posted earlier.  So, dear Release Team, please
unblock pacemaker 2.0.1-1.
-- 
Thanks,
Feri

Bug#923740: unblock: pacemaker/2.0.1-1

[wferi]

Paul Gevers  writes:

> I propose you let 2.0.1~rc5-1 migrate to testing

Hi Paul,

OK, this is what Niels suggested as well (I think).

> upload 2.0.1-1 to unstable after that

Without a definite ACK from you?

> provide us with a debdiff between 2.0.1~rc5-1 and 2.0.1-1 in this bug
> report

That's what I submitted in the first place, so already done.

> Please remove the moreinfo tag once we are there.

I'll do so once 2.0.1~rc5-1 migrated to testing.

> By the way, you would have probably missed it by more than one day.

I'm tragic at simulating archive maintenance in my head. :)  Upload time
of day certainly is a factor in such computations, and I don't know the
timing of the cron jobs.  If you happen to know offhand: which was the
last second for uploads targeting buster to not need a manual unblock?
-- 
Thanks,
Feri

Bug#843419: init-d-script: please provide a way to not use the --name option of start-stop-daemon

[wferi]

Dmitry Bogatov  writes:

> What about this patch? Would it satisfy your need?

Perfectly.  The extra braces (${COMMAND_NAME}, ${NAME}) look somewhat
alien, but as you prefer.

> Can you please review wording -- I am very bad at writing manpages.

I'm no native speaker either, but inserted a couple of
articles/alternatives below.

> +Argument to

The argument of the

> +.I --name
> +option of

option of the

> +.B start-stop-daemon
> +program is  COMMAND_NAME variable, if it is set, or NAME otherwise.

program is the value of the COMMAND_NAME variable if set, otherwise the
value of the NAME variable.

> +.P
>  If the daemon support reloading, implement the do_reload function to

If the daemon supports...

I hope this makes sense.  Do you think it can reach buster?  It isn't
critical, though.  Thanks for your work!
-- 
Cheers,
Feri

Bug#922984: xml-security-c: ECDSA XML signature generation segmentation fault

[wferi]

Alejandro Claro  writes:

> We found a bug in Apache Santuario C, related to ECDSA signature
> generation, few years ego. We provide the fix to the Apache team, and
> Scott Cantor kindly accepted the fix in the project. How ever the fix
> was introduced in series 2.x of the the library.

Dear Alejandro,

I can propose your fix for the next stable update, but I don't know when
that will be released.  On the other hand, if this buffer overflow leads
to an exploitable vulnerability, the Security Team could fast-track the
fix.  Have you got such a scenario?
-- 
Thanks,
Feri

Bug#843419: init-d-script: please provide a way to not use the --name option of start-stop-daemon

[wferi]

control: tags -1 -moreinfo

Dmitry Bogatov  writes:

> Sorry, I do not understand. You, as init script writer, choose value of
> argument to $NAME. Why can't you limit it to required length?

Sorry, I indeed left out important context, thus even I had difficulty
recalling the reason for my report now.  So:

I use /lib/init/init-d-script to provide an init script for the
corosync-qdevice daemon.  I have to set NAME="corosync-qdevice", because
the NAME variable is used in several informational messages as well
besides as the --name value for start-stop-daemon.  But then I have to
override the do_start_cmd() and do_stop_cmd() shell functions to use the
correct --name value (or not use one at all).  The other choice would be
letting the informational messages use the truncated name, which is
suboptimal in a different (and visible) way.

I imagine that having an optional COMM_NAME (pick any name) variable
would solve this nicely, if it was used in preference to NAME for the
--name option of start-stop-daemon if it was set, like

start-stop-daemon --name "${COMM_NAME:-$NAME}"

or maybe even (just an untested idea):

if [ -n "${COMM_NAME:=$NAME}" ]; then
   NAME_ARG="--name=$COMM_NAME"
else
   NAME_ARG=""
fi
[...]
start-stop-daemon [...] "$NAME_ARG" [...]
-- 
Thanks,
Feri

Bug#923050: RFS: pk2/1.2.1-1 [ITP] -- 2D Oldschool platform game where you control a rooster

[wferi]

Hi,

Is the g++ dependency of the main game binary intentional?

I built the game for stretch, it went OK (after reducing the debhelper
compatibility level to 11, but that isn't a problem).  The game starts,
but I'm unable to select a map: the presented list is empty, though
strace shows it finds the /usr/share/games/pk2/data/episodes directory.

Also, it tries to create the config directory in
/usr/share/games/pk2/data, which fails with permission denied.
-- 
Regards,
Feri