Bug#912977: iptables: nftables layer breaks ipsec/policy keyword

2018-11-06 Thread Pierre Chifflier
On Tue, Nov 06, 2018 at 02:02:06PM +0100, Arturo Borrero Gonzalez wrote:
> Control: forwarded -1 https://bugzilla.netfilter.org/show_bug.cgi?id=1290
> 
> Hopefully next upstream release will contain a fix.

Hi,

Thanks Arturo.

After some more testing, it seems the bug would be less severe than it
looks:

- the (iptables) rules seem to work; the nft dump just cannot show
  them (which is a bug, but a less important one).
  This was tested for the policy module, for OUTPUT.

- the iptables rules can be saved and reloaded as usual

- the produced nft ruleset should not be used (for ex to switch to
  nftables), as it will load without error but without the nft_compat
  keywords. This would also be a different bug.

I'm still running some more tests, but I think the severity can be
lowered.

Regards,
Pierre



Bug#912977: iptables: nftables layer breaks ipsec/policy keyword

2018-11-05 Thread Pierre Chifflier
Package: iptables
Version: 1.8.1-2
Severity: grave
Tags: security
Justification: breaks rules, inserts pass-all rules
X-Debbugs-Cc: t...@security.debian.org, 
secure-testing-t...@lists.alioth.debian.org

Hi,

The Debian package for iptables now transparently converts inserted
rules to nftables, which is great.

However, some keywords are not supported (like the 'policy' keyword for
IPsec transforms). The bad part is, these rules are inserted
*without* the matches, which in some cases makes your firewall useless.

For ex:
# iptables -F
# iptables -A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel -o eth0 -j ACCEPT
# echo $?
0
# nft list ruleset

chain OUTPUT {
type filter hook output priority 0; policy accept;
oifname "eth0"  counter packets 90 bytes 26085 accept
}
}

As you can see, the inserted rule allows everything, while the expected
behavior would be 'only if going through an IPsec tunnel'.
Even worse: inserting the rule did not fail.

Until the 'ipsec' (or 'secpath') keyword works properly (and supports
all options), an acceptable behavior would be to reject the rule if one
or more keywords are not supported by nftables.

Regards,
Pierre
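The silent loss of the policy match described in this report is the kind of thing worth checking mechanically after rules are loaded. The script below is an added example written for this page (it is not part of the bug report, of iptables or of nftables): it compares `iptables-save` text against an `nft list ruleset` dump and reports every chain in which a `-m <module>` rule has no nft rule carrying the keyword nftables would use for that match. The sample data is constructed from the dump above plus an assumed INPUT rule whose translation kept a `meta secpath` check; the `ipsec`/`secpath` keywords come from the report, the other entries in the keyword table are assumptions.

```python
"""Check that iptables rules loaded through the nftables compatibility
layer kept their match extensions.  Added example for this bug report;
it is not part of iptables or nftables.  The sample data below is
constructed (the OUTPUT chain mirrors the report's dump); on a live
system feed it the text of `iptables-save` and `nft list ruleset`."""
import re

# nft keywords expected when an iptables rule used "-m <module>".  The
# 'ipsec'/'secpath' keywords are the ones named in the report; the other
# entries are assumptions added to show the table is extensible.
EXPECTED_NFT_TOKENS = {
    "policy": ("ipsec", "secpath"),
    "conntrack": ("ct ",),
    "mark": ("meta mark", "mark "),
}

# Constructed iptables-save input.  The OUTPUT rule is the one from the
# report; the INPUT rule is an added counterpart whose translation (below)
# is assumed to have kept an IPsec policy check.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --strict --mode tunnel -j ACCEPT
COMMIT
"""

# Constructed `nft list ruleset` output: OUTPUT is the rule as dumped in the
# report (the policy match is gone); INPUT is an assumed good translation.
NFT_RULESET = """\
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
                iifname "eth0" meta secpath exists accept
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
                oifname "eth0"  counter packets 90 bytes 26085 accept
        }
}
"""

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
MODULE_RE = re.compile(r"(?:^|\s)-m\s+(\S+)")
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")


def parse_iptables_rules(text):
    """Return [(chain, rule_body, [module, ...])] for every -A line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, body = m.groups()
            rules.append((chain, body, MODULE_RE.findall(body)))
    return rules


def parse_nft_chains(text):
    """Return {chain_name: [rule_line, ...]} from `nft list ruleset` text.
    The 'type ... hook ...' line describes the chain, not a rule, so it is
    skipped; a bare '}' closes the current chain."""
    chains, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif stripped == "}":
            current = None
        elif current is not None and stripped and not stripped.startswith("type "):
            chains[current].append(stripped)
    return chains


def find_missing_matches(iptables_text, nft_text):
    """Return [(chain, module), ...] for every iptables match extension whose
    expected nft keyword appears in no rule of that chain.  A hit means the
    translated rule is wider than the one the administrator wrote.  Modules
    not listed in EXPECTED_NFT_TOKENS are not judged."""
    chains = parse_nft_chains(nft_text)
    missing = []
    for chain, _body, modules in parse_iptables_rules(iptables_text):
        nft_rules = chains.get(chain, [])
        for module in modules:
            tokens = EXPECTED_NFT_TOKENS.get(module)
            if tokens is None:
                continue
            if not any(tok in rule for rule in nft_rules for tok in tokens):
                missing.append((chain, module))
    return missing


if __name__ == "__main__":
    for chain, module in find_missing_matches(IPTABLES_SAVE, NFT_RULESET):
        print(f"chain {chain}: '-m {module}' has no nft counterpart, "
              f"the loaded rule is wider than intended")
```

The comparison is per chain rather than per rule, which is enough to catch the dropped match in this report; a chain that mixes rules with and without the same match would need the check narrowed to the rule's other selectors (here the `oifname`), and a clean run only says the keyword is present somewhere in the chain, not that the translated semantics are identical.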



Bug#897465: sagan: FTBFS: ./conftest.c:120: undefined reference to `strlcat'

2018-05-03 Thread Pierre Chifflier
tags 897465 - moreinfo unreproducible
severity 897465 normal
thanks

Hi Lucas,

I cannot reproduce this FTBFS here (in pbuilder), nor in a porter box.
However, I just uploaded sagan-1.1.8-2, where a build-dep was missing.

These issues may be related (though I don't see how). Can you test again
and confirm whether it is fixed?

Thanks,
Pierre


On Wed, May 02, 2018 at 10:05:20PM +0200, Lucas Nussbaum wrote:
> Source: sagan
> Version: 1.1.8-1
> Severity: serious
> Tags: buster sid
> User: debian...@lists.debian.org
> Usertags: qa-ftbfs-20180502 qa-ftbfs
> Justification: FTBFS on amd64
> 
> Hi,
> 
> During a rebuild of all packages in sid, your package failed to build on
> amd64.
> 
> Relevant part (hopefully):
> > gcc: fatal error: no input files
> > compilation terminated.
> > configure:5639: $? = 1
> > configure:5643: checking whether we are using the GNU C compiler
> > configure:5671: result: yes
> > configure:5680: checking whether gcc accepts -g
> > configure:5741: result: yes
> > configure:5758: checking for gcc option to accept ISO C89
> > configure:5834: result: none needed
> > configure:5859: checking whether gcc understands -c and -o together
> > configure:5896: result: yes
> > configure:5920: checking whether make sets $(MAKE)
> > configure:5942: result: yes
> > configure:6008: checking for pkg-config
> > configure:6026: found /usr/bin/pkg-config
> > configure:6038: result: /usr/bin/pkg-config
> > configure:6063: checking pkg-config is at least version 0.9.0
> > configure:6066: result: yes
> > configure:6076: checking for ANSI C header files
> > configure:6180: result: yes
> > configure:6188: checking for sys/wait.h that is POSIX.1 compatible
> > configure:6214: gcc -c -g -O2 -fdebug-prefix-map=/<>=. 
> > -fstack-protector-strong -Wformat -Werror=format-security -D__Linux__ 
> > -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c >&5
> > configure:6214: $? = 0
> > configure:6221: result: yes
> > configure:6233: checking stdio.h usability
> > configure:6233: gcc -c -g -O2 -fdebug-prefix-map=/<>=. 
> > -fstack-protector-strong -Wformat -Werror=format-security -D__Linux__ 
> > -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c >&5
> > configure:6233: $? = 0
> > configure:6233: result: yes
> > configure:6233: checking stdio.h presence
> > configure:6233: gcc -E -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c
> > configure:6233: $? = 0
> > configure:6233: result: yes
> > configure:6233: checking for stdio.h
> > configure:6233: result: yes
> > configure:6233: checking for stdlib.h
> > configure:6233: result: yes
> > configure:6233: checking for sys/types.h
> > configure:6233: result: yes
> > configure:6233: checking for unistd.h
> > configure:6233: result: yes
> > configure:6233: checking for stdint.h
> > configure:6233: result: yes
> > configure:6233: checking for inttypes.h
> > configure:6233: result: yes
> > configure:6233: checking ctype.h usability
> > configure:6233: gcc -c -g -O2 -fdebug-prefix-map=/<>=. 
> > -fstack-protector-strong -Wformat -Werror=format-security -D__Linux__ 
> > -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c >&5
> > configure:6233: $? = 0
> > configure:6233: result: yes
> > configure:6233: checking ctype.h presence
> > configure:6233: gcc -E -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c
> > configure:6233: $? = 0
> > configure:6233: result: yes
> > configure:6233: checking for ctype.h
> > configure:6233: result: yes
> > configure:6233: checking errno.h usability
> > configure:6233: gcc -c -g -O2 -fdebug-prefix-map=/<>=. 
> > -fstack-protector-strong -Wformat -Werror=format-security -D__Linux__ 
> > -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c >&5
> > configure:6233: $? = 0
> > configure:6233: result: yes
> > configure:6233: checking errno.h presence
> > configure:6233: gcc -E -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c
> > configure:6233: $? = 0
> > configure:6233: result: yes
> > configure:6233: checking for errno.h
> > configure:6233: result: yes
> > configure:6233: checking fcntl.h usability
> > configure:6233: gcc -c -g -O2 -fdebug-prefix-map=/<>=. 
> > -fstack-protector-strong -Wformat -Werror=format-security -D__Linux__ 
> > -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c >&5
> > configure:6233: $? = 0
> > configure:6233: result: yes
> > configure:6233: checking fcntl.h presence
> > configure:6233: gcc -E -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c
> > configure:6233: $? = 0
> > configure:6233: result: yes
> > configure:6233: checking for fcntl.h
> > configure:6233: result: yes
> > configure:6233: checking for sys/stat.h
> > configure:6233: result: yes
> > configure:6233: checking for string.h
> > configure:6233: result: yes
> > configure:6233: checking getopt.h usability
> > configure:6233: gcc -c -g -O2 -fdebug-prefix-map=/<>=. 
> > -fstack-protector-strong -Wformat -Werror=format-security -D__Linux__ 
> > -Wdate-time -D_FORTIFY_SOURCE=2 conftest.c >&5
> > configure:6233: $? = 0
> > configure:6233: result: yes
> > configure:6233: checking getopt.h presence
> > configure:6233: gcc -E -Wdate-time 

Bug#828577: The patch is upstream

2016-11-20 Thread Pierre Chifflier
On Thu, Nov 17, 2016 at 07:47:56PM -0500, Hon Ching(Vicky) Lo wrote:
> On Thu, 2016-11-17 at 16:29 -0500, Hon Ching(Vicky) Lo wrote:
> > Hi
> > 
> > The patch is upstream:
> > https://sourceforge.net/p/trousers/tpm-tools/ci/6fb8a3c5ad3bc6e62f6895a4fcf3540faa29b4f2/
> > 
> > 
> > Thanks,
> > Vicky
> 
> The patch above is based off the latest code in tpm-tools 1.3.9.  Please
> rebase to tpm-tools 1.3.9 to pick up the patch instead.  Thanks!
> 

Hi,

Version 1.3.9 does not fix the build with OpenSSL 1.1. It still fails
with the following error:

gcc -DHAVE_CONFIG_H -I. -I../..  -I../../include -D_LINUX -Wdate-time 
-D_FORTIFY_SOURCE=2  -g -O2 
-fdebug-prefix-map=/home/pollux/DEBIAN/TPM-TOOLS/tpm-tools=. 
-fstack-protector-strong -Wformat -Werror=format-security -m64 -Wall 
-Wno-unused -Wno-implicit-function-declaration -Wreturn-type -Wsign-compare -c 
-o data_import.o data_import.c
data_import.c: In function ‘readX509Cert’:
data_import.c:375:26: error: dereferencing pointer to incomplete type ‘EVP_PKEY 
{aka struct evp_pkey_st}’
  if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) {
  ^~
In file included from /usr/include/openssl/asn1.h:24:0,
 from /usr/include/openssl/rsa.h:16,
 from data_import.c:34:
data_import.c: In function ‘createRsaPubKeyObject’:
data_import.c:694:34: error: dereferencing pointer to incomplete type ‘RSA {aka 
struct rsa_st}’
  int  nLen = BN_num_bytes( a_pRsa->n );
  ^
Makefile:524: recipe for target 'data_import.o' failed

OpenSSL decided not to allow access to these fields anymore. At this
point, I have no idea on how to fix this.

Best regards,
Pierre



Bug#828579: The patch is upstream

2016-11-20 Thread Pierre Chifflier
On 11/18/2016 01:46 AM, Hon Ching(Vicky) Lo wrote:
> On Thu, 2016-11-17 at 14:18 -0500, Hon Ching(Vicky) Lo wrote:
>> The patch that supports OpenSSL 1.1 (backward-compatible) is upstream:
>> https://sourceforge.net/p/trousers/trousers/ci/05411ea68746acbaf4e69295be50b9a47cddb2fd/
>>
>>
>> Vicky
> 
> The patch above is based off the latest code in Trousers-0.3.14.  Please
> rebase to Trousers-0.3.14 to pick up the patch instead.  Thanks!
> 

Hi,

I am currently trying to rebase on 0.3.14, however the upstream tarball
is completely broken:
- does not include the package name + version
- contains .o files
- has /home/lo1 hardcoded everywhere in makefiles
- has wrong version in files (0.3.13 in headers)

The only good news is that it seems to build with openssl 1.1.0.

I'm doing my best to fix all of this, but I can't say when the upload
will be done.

Best regards,
Pierre



Bug#819050: Please leave the severity at serious, this bug is a security issue.

2016-03-25 Thread Pierre Chifflier
On 03/24/2016 09:38 AM, Yves-Alexis Perez wrote:
> control: affects -1 suricata
> On jeu., 2016-03-24 at 07:20 +0100, Florian Weimer wrote:
>> * Hilko Bengen:
>>
>>>
>>> the original report may not have been 100% clear on this, but the bug is
>>> the main cause of a vulnerability in Suricata (a network IDS/IPS) that
>>> allows for remote denial of service, possibly remote code execution by
>>> simply passing crafted packets by a Suricata installation.
>> Without the complete test case, that's hard to tell.
>>
>> If we cannot reproduce this, perhaps Suricata (at least in stable)
>> should not explicitly enable the PCRE JIT compiler?
> 
> Adding Pierre (Suricata maintainer) to the loop then.
> 

Hi,

Is it the same bug in PCRE that was reported last year? If so, I have
confirmed that it is reproducible in a mail to security@
(<564c6de1.9000...@debian.org>).
The bug is in libpcre, see
https://lists.exim.org/lurker/message/20140425.115921.793bec64.en.html
for details, and
http://vcs.pcre.org/pcre?view=revision=1475
for the upstream fix.

It indeed affects programs using the JIT feature, that includes suricata.

Cheers,
Pierre



Bug#810084: RM: websvn (RoQA; unmaintained, rc-buggy, inactive upstream, alternatives exist)

2016-01-06 Thread Pierre Chifflier
On 01/06/2016 11:49 AM, Thijs Kinkhorst wrote:
> Package: websvn
> Severity: serious
> 
> I propose to remove websvn from Debian.
> 
> The package is unmaintained with last maintainer upload in 2011. There was 
> also
> no response to a security issues which I fixed in an NMU one year ago. I then
> noticed and reported several packaging issues which have gone unaddressed.
> 
> A bug was upgraded to RC over 200 days ago with no response to date.
> 
> Last upstream release was in 2011. There are several alternatives to this
> package.
> 
> I will reassign this bug to ftp-master when no objections arrive 'soon'.
> 
> Cheers,
> Thijs
> 

Hi Thijs,

websvn is not developed anymore (and I do not use it, which does not
help for testing/resolving bugs) since 2011, so I also think the removal
is the best option.

Cheers,
Pierre



Bug#772551: Suricata: missing library libhtp-0.5.12.so.1

2015-02-10 Thread Pierre Chifflier
On Mon, Feb 09, 2015 at 10:42:26PM +0100, Arturo Borrero Gonzalez wrote:
> On 9 February 2015 at 15:05, Pierre Chifflier pol...@debian.org wrote:
> > This bug is solved by the next (pending) uploading, to be validated by
> > the release team.
> 
> I have some questions:
> 
> * How could this happen? Aren't these errors supposed to show up on build 
> logs?
> * Why doesn't this seem to affect the version in wheezy-backports?
> 
> I would give suricata a basic autopkgtest support.


Hi,

This has nothing to do with the override - it is caused by the fact that
a newer libhtp was uploaded *after* suricata. I think a triggered
rebuild of suricata could be enough, but since we are going to upload
suricata to close the other bugs, this will also resolve the problem.

That mostly means that libhtp must always be uploaded before suricata
(and wait for all the buildds to finish building it).

Cheers,
Pierre


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#772551: Suricata: missing library libhtp-0.5.12.so.1

2015-02-09 Thread Pierre Chifflier
tags 772551 + pending
block 772551 by 777042
thanks

Hi,

This bug is solved by the next (pending) upload, to be validated by
the release team.

The two bug reports for the unblock requests are:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777040 (libhtp)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777042 (suricata)

Best regards,
Pierre





Bug#772685: sagan: abandoned package/no longer works

2014-12-10 Thread Pierre Chifflier
severity 772685 normal
thanks

Hi,

While it's true the packaging is late (mainly due to the fact that
upstream completely changed the relation with libee/liblogorm, and that
the released versions did not compile because the autotools files were
broken), the severity of this bug is absolutely not critical.

Thanks,
Pierre


On Tue, Dec 09, 2014 at 08:30:15PM -0500, westlake wrote:
> Package: sagan
> Version: 0.2.1.r1-1
> Severity: critical
> 
> The upstream of this package is edition 1.0 while this package
> edition on debian is actually quite 2 years out of date.
> 
> bug 681794 here on Jessie/testing appears to be the same as filed
> back in 2012 (
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681794  )
> 
> It would be great if this package got updated as this software is
> still being actively developed.
> 
> thanks





Bug#767690: trousers: fails to install: subprocess installed post-installation script returned error exit status 2

2014-11-03 Thread Pierre Chifflier
severity 767690 normal
tags 767690 + unreproducible moreinfo
thanks

Hi,

I tried for a few days to reproduce the bug on different hosts, without
any luck. I'm therefore lowering the severity to normal until more
information is available.

Preparing to unpack .../trousers_0.3.13-2_amd64.deb ...
Unpacking trousers (0.3.13-2) ...
Processing triggers for man-db (2.7.0.1-1) ...
Setting up trousers (0.3.13-2) ...
root:~# ls -al /dev/tpm0 
crw--- 1 tss tss 10, 224 Nov  3 21:28 /dev/tpm0
root:~# ps ax |grep tcs
10173 ?Ss 0:00 /usr/sbin/tcsd

The attached log is also useless, it does not provide any info on the
failure. Maybe adding set -x to the postinst script could help
determine whether adduser failed (?), or whether the udev commands failed.

Regards,
Pierre

On Sat, Nov 01, 2014 at 10:06:32PM +0100, Andreas Beckmann wrote:
> Package: trousers
> Version: 0.3.13-2
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts
> 
> Hi,
> 
> during a test with piuparts I noticed your package failed to install. As
> per definition of the release team this makes the package too buggy for
> a release, thus the severity.
> 
> From the attached log (scroll to the bottom...):
> 
>   Selecting previously unselected package trousers.
>   (Reading database ... 7406 files and directories currently installed.)
>   Preparing to unpack .../trousers_0.3.13-2_amd64.deb ...
>   Unpacking trousers (0.3.13-2) ...
>   Setting up trousers (0.3.13-2) ...
>   dpkg: error processing package trousers (--configure):
>    subprocess installed post-installation script returned error exit status 2
>   Errors were encountered while processing:
>    trousers
> 
> 
> cheers,
> 
> Andreas





Bug#736309: libnetfilter-queue serious bug, #736309

2014-04-11 Thread Pierre Chifflier
Hi Alexandr,

Bug #736309:
libnetfilter-queue-{dev, dbg}: unhandled symlink to directory conversion: 
/usr/share/doc/PACKAGE

is marked as serious, and is causing several packages (in my case,
suricata and nfqueue-bindings) to be scheduled for autoremoval.

Do you plan to upload a fixed version?

Thanks,
Pierre





Bug#693892: Still applies to unstable

2013-08-20 Thread Pierre Chifflier
On Tue, Aug 20, 2013 at 03:23:33PM +0200, gregor herrmann wrote:
> On Mon, 12 Aug 2013 16:46:41 +0200, Dominic Hargreaves wrote:
> 
> > This bug still appears to exist in unstable, and since glibc  2.16 is
> > now in unstable, should probably be upgraded. It also blocks the perl
> > 5.18 transition which will start soon.
> > 
> > Please could the fix be uploaded to unstable?
> 
> Some investigation:
> 1) This seems to be a duplicate of #701412 which claims to be fixed
>    in 1.0.1-5.
> 2) 1.0.1-5 from unstable builds fine for me in a sid and in a
>    exp+perl5.18 amd64 chroot.
> 3) I'd close the bug with this version but would like to check if you
>    still get the build failure yourself?
> 

Hi,

I just uploaded a few minutes ago libprelude 1.0.0-11, built for
unstable, with an additional fix for some missing libs in the
prelude-admin link phase.

Regards,
Pierre




Bug#692649: trousers: CVE-2012-0698

2012-12-28 Thread Pierre Chifflier
 
> Sorry for the late reply. This seems to have fallen through the cracks
> and I'm currently catching up with old mail.
> 
> I think this doesn't warrant a DSA, but could you fix this through
> a stable point update?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
> 
> (Adding Jonathan, the stable point update security coordinator to CC)
> 

Hi Moritz,

This CVE (CVE-2012-0698) has already been closed by an upload on
November 27th, acked by Yves-Alexis Perez (see [1] for history), so
trousers is now fixed for all versions in Debian.

Cheers,
Pierre

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692649





Bug#692649: [Fwd: Bug#692649: trousers: CVE-2012-0698]

2012-11-18 Thread Pierre Chifflier
On Sat, Nov 17, 2012 at 03:00:04PM +0100, Yves-Alexis Perez wrote:
> On sam., 2012-11-17 at 11:30 +0100, Pierre Chifflier wrote:
> > Hi Security Team,
> > 
> > I'm forwarding this email to ask for review on the correction for
> > CVE-2012-0698 in stable (other versions are not affected).
> > 
> Hey,
> 
> is the fixed package robust against the python script and did you test
> if it didn't break anything?

Hi,

I've basically tested the package (running tpm_info), so far it seems
ok.
The server does not crash anymore on the python script.

 
> This comment (https://bugzilla.redhat.com/show_bug.cgi?id=781648#c12)
> from the redhat bug is a bit concerning, although I'm not sure to what
> it's referring to.
 

That is the upstream fix I have included. I think the comment is
related to the fact that, while it does fix the crash from the python
script, there may be concerns about other possible functions affected by
the same problem. None seems to have happened since this fix, so I think
it's ok to include it in stable, and testing/sid have newer versions.

Regards,
Pierre




Bug#692649: trousers: CVE-2012-0698

2012-11-08 Thread Pierre Chifflier
On Thu, Nov 08, 2012 at 08:03:35AM +0100, Moritz Muehlenhoff wrote:
> Package: trousers
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see here for details:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0698
> 
> Cheers,
> Moritz
> 

Hi Moritz,

I have tested with the python script referenced in the sourceforge
ticket [1], and the testing/unstable version is not affected.

The version in squeeze seems affected, so I have prepared an upload with the
fix from upstream [2]. I am attaching the diff to this email; can you
confirm whether it is fine, and whether I can upload it?

Regards,
Pierre


[1] 
http://sourceforge.net/tracker/index.php?func=detailaid=3473554group_id=126012atid=704358
[2] 
http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786
diff -Nru trousers-0.3.5/debian/changelog trousers-0.3.5/debian/changelog
--- trousers-0.3.5/debian/changelog	2010-07-12 10:46:22.0 +0200
+++ trousers-0.3.5/debian/changelog	2012-11-08 22:17:25.0 +0100
@@ -1,3 +1,10 @@
+trousers (0.3.5-2+squeeze1) stable-security; urgency=high
+
+  * Fix crash when malformed packet is received (CVE-2012-0698)
+Closes: #692649
+
+ -- Pierre Chifflier pol...@debian.org  Thu, 08 Nov 2012 22:08:58 +0100
+
 trousers (0.3.5-2) unstable; urgency=low
 
   * QA upload.
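Review bot: the changelog bullet does not name the upstream commit the patch is taken from, so a reader of the stable package cannot tell whether this is the full upstream fix or a partial backport; adding the commit id from [2] to the bullet, for instance `* Fix crash when malformed packet is received (CVE-2012-0698), backport of upstream commit ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786`, keeps that traceable. `Closes: #692649` on its own continuation line is accepted by dpkg, but the usual form is `(Closes: #692649)` at the end of the bullet.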
diff -Nru trousers-0.3.5/debian/patches/04-security-cve-2012-0698.patch trousers-0.3.5/debian/patches/04-security-cve-2012-0698.patch
--- trousers-0.3.5/debian/patches/04-security-cve-2012-0698.patch	1970-01-01 01:00:00.0 +0100
+++ trousers-0.3.5/debian/patches/04-security-cve-2012-0698.patch	2012-11-08 22:17:16.0 +0100
@@ -0,0 +1,252 @@
+From ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786 Mon Sep 17 00:00:00 2001
+From: Rajiv Andrade sra...@linux.vnet.ibm.com
+Date: Tue, 17 Jan 2012 15:32:42 -0200
+Subject: [PATCH 1/1] TCSD robustness
+
+Included a set of boundary checks to increase TCSD robustness.
+
+Signed-off-by: Rajiv Andrade sra...@linux.vnet.ibm.com
+---
+ src/include/rpc_tcstp.h |2 +-
+ src/include/rpc_tcstp_tcs.h |4 ++--
+ src/include/tcs_tsp.h   |5 +
+ src/include/tcs_utils.h |5 -
+ src/tcs/rpc/tcstp/rpc.c |   15 ++-
+ src/tcs/tcs_pbg.c   |9 +
+ src/tcs/tcs_utils.c |4 ++--
+ src/tcsd/tcsd_threads.c |2 +-
+ src/tspi/rpc/tcstp/rpc.c|   12 ++--
+ 9 files changed, 36 insertions(+), 22 deletions(-)
+
+diff --git a/src/include/rpc_tcstp.h b/src/include/rpc_tcstp.h
+index ed79911..50859e2 100644
+--- a/src/include/rpc_tcstp.h
 b/src/include/rpc_tcstp.h
+@@ -31,7 +31,7 @@ struct tcsd_packet_hdr {
+ 
+ struct tcsd_comm_data {
+ 	BYTE *buf;
+-	int buf_size;
++	UINT32 buf_size;
+ 	struct tcsd_packet_hdr hdr;
+ } STRUCTURE_PACKING_ATTRIBUTE;
+ 
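Review bot: `buf_size` becomes `UINT32` here, but the functions that handle the same buffer in the rpc_tcstp_tcs.h part of this patch (`initData(struct tcsd_comm_data *, int)`, `recv_from_socket(int, void *, int)`, `send_to_socket(int, void *, int)`) keep `int` lengths, so every comparison between `buf_size` and one of those values is now a signed/unsigned comparison in which a negative length is promoted to a large unsigned value; either widen those parameters in the same patch or make sure each caller rejects negative values before the comparison (building with -Wsign-compare will point at the sites).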
+diff --git a/src/include/rpc_tcstp_tcs.h b/src/include/rpc_tcstp_tcs.h
+index 9f32814..57eab27 100644
+--- a/src/include/rpc_tcstp_tcs.h
 b/src/include/rpc_tcstp_tcs.h
+@@ -392,8 +392,8 @@ void LoadBlob_LOADKEY_INFO(UINT64 *, BYTE *, TCS_LOADKEY_INFO *);
+ void UnloadBlob_LOADKEY_INFO(UINT64 *, BYTE *, TCS_LOADKEY_INFO *);
+ void LoadBlob_PCR_EVENT(UINT64 *, BYTE *, TSS_PCR_EVENT *);
+ TSS_RESULT UnloadBlob_PCR_EVENT(UINT64 *, BYTE *, TSS_PCR_EVENT *);
+-int setData(TCSD_PACKET_TYPE, int, void *, int, struct tcsd_comm_data *);
+-UINT32 getData(TCSD_PACKET_TYPE, int, void *, int, struct tcsd_comm_data *);
++int setData(TCSD_PACKET_TYPE, unsigned int, void *, int, struct tcsd_comm_data *);
++UINT32 getData(TCSD_PACKET_TYPE, unsigned int, void *, int, struct tcsd_comm_data *);
+ void initData(struct tcsd_comm_data *, int);
+ int recv_from_socket(int, void *, int);
+ int send_to_socket(int, void *, int);
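Review bot: only the second parameter of `setData`/`getData` is widened to `unsigned int`; the `int` that follows the `void *` argument is left alone, and `initData` still takes its size as `int` although the field it initialises is now `UINT32`. If the new boundary checks compare that `int` against `buf_size`, a negative value passes after promotion; suggest `unsigned int`/`UINT32` for those parameters too, or an explicit `< 0` rejection at the top of each function.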
+diff --git a/src/include/tcs_tsp.h b/src/include/tcs_tsp.h
+index bba3258..fdca21e 100644
+--- a/src/include/tcs_tsp.h
 b/src/include/tcs_tsp.h
+@@ -90,4 +90,9 @@ struct key_disk_cache
+ /* needed by execute transport in the TSP */
+ #define TSS_TPM_TXBLOB_HDR_LEN		(sizeof(UINT16) + (2 * sizeof(UINT32)))
+ 
++#define TSS_TPM_TXBLOB_SIZE		(4096)
++#define TSS_TXBLOB_WRAPPEDCMD_OFFSET	(TSS_TPM_TXBLOB_HDR_LEN + sizeof(UINT32))
++#define TSS_MAX_AUTHS_CAP		(1024)
++#define TSS_REQ_MGR_MAX_RETRIES		(5)
++
+ #endif
+diff --git a/src/include/tcs_utils.h b/src/include/tcs_utils.h
+index 71cf3f7..0f0f4ce 100644
+--- a/src/include/tcs_utils.h
 b/src/include/tcs_utils.h
+@@ -92,11 +92,6 @@ TSS_RESULT owner_evict_init();
+ #define EVENT_LOG_final()
+ #endif
+ 
+-#define TSS_TPM_TXBLOB_SIZE		(4096)
+-#define TSS_TXBLOB_WRAPPEDCMD_OFFSET	(TSS_TPM_TXBLOB_HDR_LEN + sizeof(UINT32))
+-#define TSS_MAX_AUTHS_CAP		(1024)
+-#define TSS_REQ_MGR_MAX_RETRIES		(5)
+-
+ #define next( x ) x = x-next
+ 
+ TSS_RESULT key_mgr_dec_ref_count(TCS_KEY_HANDLE);
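Review bot: the four `TSS_*` limits are moved from tcs_utils.h to tcs_tsp.h unchanged, which is fine for `TSS_TXBLOB_WRAPPEDCMD_OFFSET` because `TSS_TPM_TXBLOB_HDR_LEN` is defined a few lines above its new home, but any translation unit that got these macros through tcs_utils.h without also including tcs_tsp.h now fails to compile; the diffstat lists tcs_pbg.c and tcs_utils.c as touched, and the part of the patch cut off in this mail should be checked for the matching include changes.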
+diff --git a/src/tcs/rpc/tcstp/rpc.c b/src/tcs/rpc/tcstp/rpc.c
+index ca1a4df..849f652 100644
+--- a/src/tcs/rpc/tcstp/rpc.c
 b/src/tcs/rpc/tcstp/rpc.c
+@@ -181,7 +181,7
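Review bot: the quoted patch stops at the `@@ -181,7 +181,7` header of src/tcs/rpc/tcstp/rpc.c, so the boundary checks the subject line promises (rpc.c, tcs_pbg.c, tcs_utils.c, tcsd_threads.c and the tspi rpc.c in the diffstat) cannot be reviewed from this mail; the header hunks shown only change types and move macros. The review should be done against the full upstream commit at [2], and the cover text says the python script was run against testing/unstable, not that it was run against the patched squeeze package, which is the result that matters for this upload.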

Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455

2012-10-31 Thread Pierre Chifflier
On Tue, Oct 30, 2012 at 06:21:07PM +0100, Moritz Muehlenhoff wrote:
> On Sun, Oct 21, 2012 at 10:57:38PM +0200, Arthur de Jong wrote:
> > On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
> > > Please see the thread starting at
> > > http://www.openwall.com/lists/oss-security/2012/09/07/2
> > > for details.
> > 
> > I've had a quick look at this bug to see if it can be fixed in Debian.
> > There are four patches referenced in the thread (I haven't verified if
> > there are more patches required):
> > 
> > - 
> > http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
> >   32 files changed, 182 insertions(+), 1166 deletions(-)
> >   This change is huge and mainly seems to be equivalent to setting
> >   SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
> >   other changes in there which may be due to the removal of the
> >   compatibility code.
> >   This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
> >   to manually fix it (attached is a version if anyone is interested).
> > - 
> > http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
> >   31 files changed, 2975 insertions(+), 280 deletions(-)
> >   Lots of changes in the tests but it also seems to contain some
> >   cleanups related to the previous change, a change from lock_shm() to
> >   XProcLock(), some moving of locks to /var/lock and a few other
> >   changes.
> > - 
> > http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
> >   23 files changed, 449 insertions(+), 99 deletions(-)
> >   Includes a FAQ typo fix and the introduction of a lot of new code.
> > - 
> > http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
> >   1 files changed, 3 insertions(+), 3 deletions(-)
> >   Very small change in the Makefile which creates the lock directory.
> >   Should not be relevant for Debian because subdirectories of /var/lock
> >   should be created on the fly.
> > 
> > The changes are huge and can probably not be easily backported to
> > Debian's 2.3.1. A few other options come to mind:
> > - see if upstream can provide patches for 2.3.1
> > - see if the necessary fixes can be made some other way
> > - upgrade to upstream 2.4.2
> > - remove from wheezy
> > (the only reverse dependency for opencryptoki seems to be tpm-tools)
> > 
> > Anyway, I don't think I can do much more for this bug because I'm afraid
> > it will take a little more time than I have available at the moment. I
> > was having a look and I thought I would just add my notes to the bug log.
> > 
> > Good luck with this bug! ;)
> 
> Removing opencryptoki from Wheezy seems best to me. We shouldn't keep
> outdated crypto toolkits without an active maintainer in the archive.
> 
> CCing Pierre, the tpm-tools maintainer, to see whether tpm-tools
> is usable without opencryptoki or whether he's interested in adopting
> it himself.
> 

Hi,

IMHO the best solution would be to upgrade opencryptoki, including in
Wheezy. Trying to backport many patches will be complex to maintain and
will create a version that could be very different from upstream,
leading to bugs (in functionality, and in security).
tpm-tools can be compiled without opencryptoki, but this would disable
the pkcs#11 support and so lose some functionality. Apart from the
dependency in debian/control, there should not be any other changes to
be made.

Cheers,
Pierre





Bug#631807: segfault in libcap-ng0 is back on armel - filecap , bluetoothd etc

2012-06-16 Thread Pierre Chifflier
Hi,

I have merged the patch from Alban Browaeys (thanks to him for writing
it) in version 0.6.6-2, just uploaded a few moments ago.

Thanks,
Pierre






Bug#666330: suricata: FTBFS: cp: cannot stat `debian/tmp/suricata-debian.yaml': No such file or directory

2012-04-10 Thread Pierre Chifflier
tags 666330 + moreinfo unreproducible
severity 666330 normal
thanks

On Fri, Mar 30, 2012 at 11:21:15AM +0200, Lucas Nussbaum wrote:
> Source: suricata
> Version: 1.2.1-1
> Severity: serious
> Tags: wheezy sid
> User: debian...@lists.debian.org
> Usertags: qa-ftbfs-20120330 qa-ftbfs qa-ftbfs-buildarch
> Justification: FTBFS on amd64
> 
> Hi,
> 
> During a rebuild of all packages in sid, your package failed to build on
> amd64.
> 
> This rebuild was done by building only architecture:any binary packages
> (binary-arch target of debian/rules), and using a recent dpkg that uses the
> build-arch target if available.
> Also, only the Build-Depends were installed, not the Build-Depends-Indep.

Hi Lucas,

I tried for some time to reproduce the problem, without success - I may
be missing something here.
apt-get source suricata + apt-get build-dep suricata = works

The only difference I have in the build logs is that the dh_install line
does not mention the same directory (you have
debian/tmp/suricata-debian.yaml, while I get ./suricata-debian.yaml).

Any idea?

 
> Relevant part:
> > make[3]: Entering directory `/«PKGBUILDDIR»'
> > make[3]: Nothing to be done for `install-exec-am'.
> > make[3]: Nothing to be done for `install-data-am'.
> > make[3]: Leaving directory `/«PKGBUILDDIR»'
> > make[2]: Leaving directory `/«PKGBUILDDIR»'
> > make[1]: Leaving directory `/«PKGBUILDDIR»'
> > dh_install -a
> > cp -a debian/tmp/suricata-debian.yaml debian/suricata//etc/suricata/
> > cp: cannot stat `debian/tmp/suricata-debian.yaml': No such file or directory
> > dh_install: cp -a debian/tmp/suricata-debian.yaml 
> > debian/suricata//etc/suricata/ returned exit code 1
> > make: *** [binary-arch] Error 2
> 
> The full build log is available from:
> http://people.debian.org/~lucas/logs/2012/03/30/suricata_1.2.1-1_unstable.log
> 
> A list of current common problems and possible solutions is available at 
> http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!
> 
> About the archive rebuild: The rebuild was done on about 50 AMD64 nodes
> of the Grid'5000 platform, using a clean chroot.  Internet was not
> accessible from the build systems.
 
 
 






Bug#652756: sslsniff: FTBFS: SSLConnectionManager.cpp:47:74: error: 'boost::asio::ip::tcp::acceptor' has no member named 'io_service'

2011-12-27 Thread Pierre Chifflier
retitle 652756 sslsniff: does not build with boost 1.48
severity 652756 normal
thanks

Hi,

This was caused by the temporary upload of boost-dev defaulting to 1.48,
which was reverted to 1.46 (so not affecting the current version anymore).
I'm keeping the bug open to track the compatibility with boost 1.48.

Pierre


On Tue, Dec 20, 2011 at 03:50:49PM +0100, Lucas Nussbaum wrote:
 Source: sslsniff
 Version: 0.8-2
 Severity: serious
 Tags: wheezy sid
 User: debian...@lists.debian.org
 Usertags: qa-ftbfs-20111220 qa-ftbfs
 Justification: FTBFS on amd64
 
 Hi,
 
 During a rebuild of all packages in sid, your package failed to build on
 amd64.
 
 Relevant part:
  g++ -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" 
  -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" 
  -DPACKAGE=\"sslsniff\" -DVERSION=\"0.8\" -DSTDC_HEADERS=1 
  -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 
  -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 
  -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -I. -ggdb -g -O2 -MT 
  SSLConnectionManager.o -MD -MP -MF .deps/SSLConnectionManager.Tpo -c -o 
  SSLConnectionManager.o SSLConnectionManager.cpp
  In file included from SSLBridge.hpp:41:0,
   from HTTPSBridge.hpp:24,
   from FirefoxUpdater.hpp:23,
   from FirefoxAddonUpdater.hpp:26,
   from SSLConnectionManager.cpp:20:
  certificate/Certificate.hpp: In member function 'std::string 
  Certificate::parseNameFromOCSPUrl(std::string)':
  certificate/Certificate.hpp:60:52: warning: overflow in implicit constant 
  conversion [-Woverflow]
  SSLConnectionManager.cpp: In member function 'void 
  SSLConnectionManager::acceptIncomingConnection()':
  SSLConnectionManager.cpp:47:74: error: 'boost::asio::ip::tcp::acceptor' has 
  no member named 'io_service'
  SSLConnectionManager.cpp: In member function 'void 
  SSLConnectionManager::shuttleConnection(boost::shared_ptr<boost::asio::basic_stream_socket<boost::asio::ip::tcp> >
  , boost::asio::ip::tcp::endpoint)':
  SSLConnectionManager.cpp:79:78: error: 'boost::asio::ip::tcp::acceptor' has 
  no member named 'io_service'
  SSLConnectionManager.cpp: In member function 'void 
  SSLConnectionManager::interceptSSL(boost::shared_ptr<boost::asio::basic_stream_socket<boost::asio::ip::tcp> >
  , boost::asio::ip::tcp::endpoint, bool)':
  SSLConnectionManager.cpp:137:41: error: 'boost::asio::ip::tcp::acceptor' 
  has no member named 'io_service'
  make[1]: *** [SSLConnectionManager.o] Error 1
 
 The full build log is available from:

 http://people.debian.org/~lucas/logs/2011/12/20/sslsniff_0.8-2_lsid64.buildlog
 
 A list of current common problems and possible solutions is available at 
 http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!
 
 About the archive rebuild: The rebuild was done on about 50 AMD64 nodes
 of the Grid'5000 platform, using a clean chroot.  Internet was not
 accessible from the build systems.
 
 
 




Bug#645612: libopenscap1 and libopenscap0: error when trying to install together

2011-10-17 Thread Pierre Chifflier
On Mon, Oct 17, 2011 at 01:20:53PM +0200, Ralf Treinen wrote:
 Package: libopenscap0,libopenscap1
 Version: libopenscap0/0.7.3-1
 Version: libopenscap1/0.8.0-1
 Severity: serious
 User: trei...@debian.org
 Usertags: edos-file-overwrite
 
 Date: 2011-10-17
 Architecture: amd64
 Distribution: sid
 
 Hi,
 
 automatic installation tests of packages that share a file and at the
 same time do not conflict by their package dependency relationships has
 detected the following problem:

Arg, I forgot to add the Conflict/Replace lines for the transition.
I'll upload a fixed version ASAP. In the meantime you can safely remove
libopenscap0 (both versions are not meant to be installed at the same
time).

BR,
Pierre

 
 
 WARNING: The following packages cannot be authenticated!
   libsasl2-2 libldap-2.4-2 libpcre3 libnl1 libcap2 libxml2 libxslt1.1
   libopenscap0 libopenscap1
 Authentication warning overridden.
 Can not write log, openpty() failed (/dev/pts not mounted?)
 Selecting previously unselected package libsasl2-2.
 (Reading database ... 10586 files and directories currently installed.)
 Unpacking libsasl2-2 (from .../libsasl2-2_2.1.25.dfsg1-2_amd64.deb) ...
 Selecting previously unselected package libldap-2.4-2.
 Unpacking libldap-2.4-2 (from .../libldap-2.4-2_2.4.25-3_amd64.deb) ...
 Selecting previously unselected package libpcre3.
 Unpacking libpcre3 (from .../libpcre3_8.12-4_amd64.deb) ...
 Selecting previously unselected package libnl1.
 Unpacking libnl1 (from .../libnl1_1.1-7_amd64.deb) ...
 Selecting previously unselected package libcap2.
 Unpacking libcap2 (from .../libcap2_1%3a2.22-1_amd64.deb) ...
 Selecting previously unselected package libxml2.
 Unpacking libxml2 (from .../libxml2_2.7.8.dfsg-5_amd64.deb) ...
 Selecting previously unselected package libxslt1.1.
 Unpacking libxslt1.1 (from .../libxslt1.1_1.1.26-8_amd64.deb) ...
 Selecting previously unselected package libopenscap0.
 Unpacking libopenscap0 (from .../libopenscap0_0.7.3-1_amd64.deb) ...
 Selecting previously unselected package libopenscap1.
 Unpacking libopenscap1 (from .../libopenscap1_0.8.0-1_amd64.deb) ...
 dpkg: error processing /var/cache/apt/archives/libopenscap1_0.8.0-1_amd64.deb 
 (--unpack):
  trying to overwrite '/usr/bin/oscap', which is also in package libopenscap0 
 0.7.3-1
 configured to not write apport reports
 dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
 Processing triggers for man-db ...
 Errors were encountered while processing:
  /var/cache/apt/archives/libopenscap1_0.8.0-1_amd64.deb
 E: Sub-process /usr/bin/dpkg returned an error code (1)
 
 
 This is a serious bug as it makes installation fail, and violates
 sections 7.6.1 and 10.1 of the policy. An optimal solution would
 consist in only one of the packages installing that file, and renaming
 or removing the file in the other package. Depending on the
 circumstances you might also consider Replace relations or file
 diversions. If the conflicting situation cannot be resolved then, as a
 last resort, the two packages have to declare a mutual
 Conflict. Please take into account that Replaces, Conflicts and
 diversions should only be used when packages provide different
 implementations for the same functionality.
 
 Here is a list of files that are known to be shared by both packages
 (according to the Contents file for sid/amd64, which may be
 slightly out of sync):
 
   /usr/bin/oscap
   /usr/lib/openscap/probe_dnscache
   /usr/lib/openscap/probe_dpkginfo
   /usr/lib/openscap/probe_family
   /usr/lib/openscap/probe_file
   /usr/lib/openscap/probe_filehash
   /usr/lib/openscap/probe_inetlisteningservers
   /usr/lib/openscap/probe_interface
   /usr/lib/openscap/probe_ldap57
   /usr/lib/openscap/probe_partition
   /usr/lib/openscap/probe_password
   /usr/lib/openscap/probe_process
   /usr/lib/openscap/probe_runlevel
   /usr/lib/openscap/probe_shadow
   /usr/lib/openscap/probe_sysctl
   /usr/lib/openscap/probe_system_info
   /usr/lib/openscap/probe_textfilecontent
   /usr/lib/openscap/probe_textfilecontent54
   /usr/lib/openscap/probe_uname
   /usr/lib/openscap/probe_xinetd
   /usr/lib/openscap/probe_xmlfilecontent
   /usr/share/man/man8/oscap.8.gz
   /usr/share/openscap/scap-fedora14-oval.xml
   /usr/share/openscap/scap-fedora14-xccdf.xml
   /usr/share/openscap/scap-rhel6-oval.xml
   /usr/share/openscap/scap-rhel6-xccdf.xml
   /usr/share/openscap/schemas/oval/5.8/aix-definitions-schema.xsd
   /usr/share/openscap/schemas/oval/5.8/aix-system-characteristics-schema.xsd
   /usr/share/openscap/schemas/oval/5.8/apache-definitions-schema.xsd
   /usr/share/openscap/schemas/oval/5.8/apache-system-characteristics-schema.xsd
   /usr/share/openscap/schemas/oval/5.8/catos-definitions-schema.xsd
   /usr/share/openscap/schemas/oval/5.8/catos-system-characteristics-schema.xsd
   /usr/share/openscap/schemas/oval/5.8/debian-definitions-schema.xsd
   /usr/share/openscap/schemas/oval/5.8/debian-system-characteristics-schema.xsd
   

Bug#645612: libopenscap1 and libopenscap0: error when trying to install together

2011-10-17 Thread Pierre Chifflier
On Mon, Oct 17, 2011 at 02:39:52PM +0200, Julien Cristau wrote:
 On Mon, Oct 17, 2011 at 14:13:03 +0200, Pierre Chifflier wrote:
 
  On Mon, Oct 17, 2011 at 01:20:53PM +0200, Ralf Treinen wrote:
   Package: libopenscap0,libopenscap1
   Version: libopenscap0/0.7.3-1
   Version: libopenscap1/0.8.0-1
   Severity: serious
   User: trei...@debian.org
   Usertags: edos-file-overwrite
   
   Date: 2011-10-17
   Architecture: amd64
   Distribution: sid
   
   Hi,
   
   automatic installation tests of packages that share a file and at the
   same time do not conflict by their package dependency relationships has
   detected the following problem:
  
  Arg, I forgot to add the Conflict/Replace lines for the transition.
  I'll upload a fixed version ASAP. In the meantime you can safely remove
  libopenscap0 (both versions are not meant to be installed at the same
  time).
  
 Note that that'd still be buggy.  Shared library packages must not
 contain non-versioned files, see policy 8.2.  Please fix this properly
 instead.
 

Yep, according to policy 8.2 the probe files (required by the lib at
runtime, and cannot be run by user directly)  should go to
/usr/lib/openscap1 instead of /usr/lib/openscap/ and the only binary to
another package.

I'll take care of that after this upload.

Pierre






Bug#641350: patch for #641350

2011-10-04 Thread Pierre Chifflier
tags 641350 + patch
thanks

Hi,

The attached patch fixes the build error for bash with
-Werror=format-security

BR,
Pierre

diff -ruN bash-4.1.orig/debian/patches/harden-formatstring.dpatch bash-4.1/debian/patches/harden-formatstring.dpatch
--- bash-4.1.orig/debian/patches/harden-formatstring.dpatch	1970-01-01 01:00:00.0 +0100
+++ bash-4.1/debian/patches/harden-formatstring.dpatch	2011-10-04 20:49:52.532989904 +0200
@@ -0,0 +1,34 @@
+#! /bin/sh -e
+
+if [ $# -eq 3 -a $2 = '-d' ]; then
+pdir=-d $3
+elif [ $# -ne 1 ]; then
+echo 2 `basename $0`: script expects -patch|-unpatch as argument
+exit 1
+fi
+case $1 in
+-patch) patch $pdir -f --no-backup-if-mismatch -p1  $0;;
+-unpatch) patch $pdir -f --no-backup-if-mismatch -R -p1  $0;;
+*)
+	echo 2 `basename $0`: script expects -patch|-unpatch as argument
+	exit 1
+esac
+exit 0
+
+# DP: your description
+
+Author: Pierre Chifflier
+Description: Fix build error with -Werror=format-security hardening flag.
+
+diff -ruN bash-4.1.orig/print_cmd.c bash-4.1/print_cmd.c
+--- bash-4.1.orig/print_cmd.c	2009-09-16 21:32:26.0 +0200
 bash-4.1/print_cmd.c	2011-09-16 11:38:40.0 +0200
+@@ -1374,7 +1374,7 @@
+   for (i = 0; amount  0; amount--)
+ indentation_string[i++] = ' ';
+   indentation_string[i] = '\0';
+-  cprintf (indentation_string);
++  cprintf (%s, indentation_string);
+ }
+ 
+ static void
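Review bot: the `# DP: your description` line in the new dpatch is still the template placeholder; dpatch reads the `# DP:` line as the patch's one-line description, so the text of the `Description:` line below it belongs there (e.g. `# DP: Fix build error with -Werror=format-security hardening flag.`). The substantive change, `cprintf (%s, indentation_string)` replacing `cprintf (indentation_string)`, is the right fix: the buffer only ever holds spaces, so this call is not exploitable, but a non-literal format string with no arguments is exactly what `-Werror=format-security` rejects. Note also that the archive rendering has dropped characters in the quoted script (`echo 2` for `echo >&2`, `-p1  $0` for `-p1 < $0`, `amount  0` for `amount > 0`), so the attached file, not this quoted copy, is what should be applied.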
diff -ruN bash-4.1.orig/debian/rules bash-4.1/debian/rules
--- bash-4.1.orig/debian/rules	2011-10-04 20:47:34.0 +0200
+++ bash-4.1/debian/rules	2011-10-04 20:48:20.636991913 +0200
@@ -523,6 +526,7 @@
 	exec-redirections-man \
 	bash-aliases-repeat \
 	builtins-declare-fix \
+	harden-formatstring \
 
 ifeq ($(with_gfdl),yes)
   debian_patches += \
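Review bot: the hunk header `@@ -523,6 +526,7 @@` shows the new-file side already three lines ahead before this single-line addition, so the diff was taken against a debian/rules carrying other local changes; check that inserting `harden-formatstring \` after `builtins-declare-fix \` still applies without fuzz to the package's current debian/rules. The list continuation itself is intact (the preceding line keeps its trailing backslash).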

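Why the dpatch turns `cprintf (indentation_string)` into `cprintf ("%s", indentation_string)`, as an added C example constructed for this page (not bash code, and not part of the patch): when the buffer is itself the format string every `%` in it is interpreted, and `-Wformat-security` (an error under `-Werror=`) flags exactly that call. The helper names `render_as_format`, `render_as_argument` and `print_indent` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Pattern the dpatch removes: the text itself is the format string, so
 * every '%' in it is interpreted by snprintf. The pragma silences
 * -Wformat-security (Ubuntu's gcc makes it -Werror by default) purely so
 * the unsafe variant can be compiled for comparison. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int render_as_format(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, text);
}
#pragma GCC diagnostic pop

/* Pattern the dpatch introduces: a literal "%s" format with the text as
 * its argument, copied verbatim whatever it contains. */
static int render_as_argument(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, "%s", text);
}

/* Mirror of the bash loop in the hunk: build `amount` spaces and emit
 * them through the hardened call. Returns the number of characters
 * written. */
static int print_indent(char *out, size_t outsz, int amount)
{
    char indentation_string[100];
    int i = 0;

    if (amount > (int)sizeof indentation_string - 1)
        amount = (int)sizeof indentation_string - 1;
    for (; amount > 0; amount--)
        indentation_string[i++] = ' ';
    indentation_string[i] = '\0';
    return render_as_argument(out, outsz, indentation_string);
}

int main(void)
{
    /* Constructed input containing a conversion directive. "%%" is the
     * only directive that is safe to pass through the unsafe helper,
     * because it consumes no argument; anything else is undefined
     * behaviour there. */
    const char *text = "progress: 100%% done";
    char buf[64];

    render_as_format(buf, sizeof buf, text);
    printf("as format  : %s\n", buf);   /* progress: 100% done  (altered) */
    render_as_argument(buf, sizeof buf, text);
    printf("as argument: %s\n", buf);   /* progress: 100%% done (verbatim) */
    print_indent(buf, sizeof buf, 4);
    printf("indent     : [%s]\n", buf);
    return 0;
}
```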

Bug#629280: python-nfqueue: Does not work with the default Python 2.6 version

2011-06-05 Thread Pierre Chifflier
On Sun, Jun 05, 2011 at 02:49:30PM +0200, Jakub Wilk wrote:
 severity 629280 serious
 tags 629280 + patch
 unarchive 580503
 found 580503 2.8.4-1
 thanks
 
 * Vangelis Koukis <vkou...@cslab.ece.ntua.gr>, 2011-06-05, 13:22:
 python-nfqueue only provides packages for Python v2.7, so one
 cannot import nfqueue when using Python v2.6, which is the default
 Python version on Sid.
 
 This is because cmake helpfully chooses the highest possible
 version of Python rather than the default one (bug #580503).
 
 The attached patch fixes the bug in nfqueue-bindings, but I'd love
 to see it fixed in cmake, too.
 
 (Please note that Python packaging of python-nfqueue is a bit odd:
 one one hand the package uses XS-Python-Version: current and
 debian/rules builds extension modules only for a single version, on
 the other hand it build-depends on python-all-dev, which suggests
 that it should support all of them.)

Hi Jakub,

Thanks for the explanation and patch. In fact, I was already working on
a different kind of patch, which build against all (current) versions of
python.
Package should be ready today.

BR,
Pierre





Bug#620646: pgdesigner: uninstallable in sid

2011-04-28 Thread Pierre Chifflier

On 04/26/2011 11:33 PM, Michael Biebl wrote:

Hi Pierre,

I've prepared an NMU and uploaded it to DELAYED/7. The changelog reads:

pgdesigner (1.2.17-2.1) unstable; urgency=low

   * Non-maintainer upload.
   * Drop dependency on gambas2-gb-qt-kde and gambas2-gb-qt-kde-html.
 See http://wiki.debian.org/kdelibs4c2aRemoval. (Closes: #620646)

  -- Michael Biebl <bi...@debian.org>  Tue, 26 Apr 2011 23:24:24 +0200

Cheers,
Michael



Hi,

I have tested the packages here. Unfortunately, it does not solve the 
problem since these dependencies are required at runtime:

$ pgdesigner
ERROR: #27: Cannot load component 'gb.qt.kde': cannot find library file

After discussing with the Gambas maintainer and upstream, it seems that 
upstream does not want to port gambas to Qt4, meaning that 
gambas2-gb-qt-kde will probably not be available anymore in Debian.
Most probable solution is that I'll have to ask the removal of the 
package from Debian until its dependencies can be packaged.

In the meantime, I'll ask you to cancel your upload and keep the bug open.

Thanks,
Pierre




Bug#620646: RM: pgdesigner -- ROM; uninstallable, blocks kdelibs removal

2011-04-28 Thread Pierre Chifflier
Hi,

pgdesigner is actually uninstallable due to the removal of
gambas2-gb-qt-kde and gambas2-gb-qt-kde-html (See #620646).

After some discussions with the gambas maintainer (#620646) and
upstream, it seems there is no solution since upstream is not really
willing to port gambas to Qt4 [1]

Without any better solution, I request the removal of pgdesigner.

Cheers,
Pierre

[1] 
http://sourceforge.net/mailarchive/forum.php?thread_name=4D77ED70.9060804%40csolve.net&forum_name=gambas-devel




Bug#609336: [pgdesigner] pgdesigner crashes with a CApp.MenuProjectUpdate.1435: #29: Invalid object error on new project.

2011-01-11 Thread Pierre Chifflier
On 01/10/2011 12:06 PM, Julien Cristau wrote:
 user release.debian@packages.debian.org
 usertag 609336 squeeze-will-remove
 kthxbye
 
 On Sun, Jan  9, 2011 at 01:13:56 +0800, Paolo Scarabelli wrote:
 
 Package: pgdesigner
 Version: 1.2.17-1
 Severity: grave

 --- Please enter the report below this line. ---

 I just installed pgdesigner but it's unusable in my system. It keeps
 crashing whenever I try to open a project, create a new project or
 import from db (I didn't try other menu items/buttons).

 Confirmed; I'll remove the package from testing in a few days if this is
 not fixed.

Hi,

I'm currently trying to backport the fix from the svn repository.
Please wait a few days before removing the package

BR,
Pierre




Bug#598389: Unblock request for suricata 1.0.2

2010-12-01 Thread Pierre Chifflier
On 12/01/2010 10:48 PM, Adam D. Barratt wrote:
 I've just had a quick look at your t-p-u upload for suricata.  Without
 getting too far in to checking the patches themselves, one thing that I
 noticed is that the diff adds nine new patches to debian/patches but
 debian/patches/series is only eight lines long.
 
 0012-moving-http_client_body-logic-to-use-it-per-transact.patch is
 mentioned neither in debian/patches/series, nor the changelog; was it
 intended to be included in the package, or is it simply cruft which
 {sh,c}ould be ignored when reviewing the diff?
 

Hi Adam,

Good catch: this patch was a candidate for inclusion, but was not
included because it is not a bugfix (and causes a conflict). I forgot to
remove it from disk (and it is pretty big: 57k) so it should be ignored
for the review. If you think the size is a problem, just tell me I'll
resend a package without this patch.

Pierre




Bug#598389: Unblock request for suricata 1.0.2

2010-11-09 Thread Pierre Chifflier
Hi,

Suricata 1.0.2 was released after the freeze, and it fixes several
bugs (exactly, half a dozen TCP evasions).
See http://www.packetstan.com/2010/09/suricata-tcp-evasions.html

The git commits are more or less exactly the fixes, so I am proposing to unblock
suricata 1.0.2 since porting the fixes would be equivalent to the
entire release ..

Can you unblock suricata 1.0.2-1 ?

Thanks,
Pierre

2010/11/9 Nico Golde <n...@debian.org>:
 Hi,
 * Paul Wise <p...@debian.org> [2010-11-09 07:10]:
 # Automatically generated email from bts, devscripts version 2.10.35lenny7
 tags 598389 + security
 severity 598389 serious

 Pierre, can you ask for an unblock of this version so this fix can make it
 into squeeze?

 Thanks
 Nico

 --
 Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
 For security reasons, all text in this mail is double-rot13 encrypted.





Bug#582024: eh

2010-08-19 Thread Pierre Chifflier
On Tue, Aug 17, 2010 at 09:51:13PM +0200, Luca Bruno wrote:
 Adam D. Barratt scrisse:
 
  This has been tagged pending for a few weeks; are you planning on
  uploading the fix in the near future?
 
 I marked this as pending, as I was ready to NMU.
 Original maintainer said he would have taken care of this, so I didn't
 proceed on this. Pierre, can you please upload it?
 Otherwise I'll proceed with a delayed NMU soon.
 

Hi,

Sorry for the delay, I've been quite busy these weeks.
I'll work on the bugs and upload a new version ASAP.

Regards,
Pierre



Bug#582024: #582024 inguma: scapext.py doesn't work with Python2.6

2010-06-15 Thread Pierre Chifflier
On Tue, Jun 15, 2010 at 08:19:39PM +0200, Luca Bruno wrote:
 Hi,
 attached a patch for this. If Pierre doesn't step up in the meantime,
 I'll do a deferred NMU in a couple of days.
 
 No high priority, as the internal copy of scapy shouldn't be currently
 in use.
 

Hi Luca,

Thanks for the patch.
I've checked, and indeed the internal copy of scapy is removed during
installation, so this shouldn't change anything.

I'll upload a new version with the patch.

Regards,
Pierre




Bug#581779: xtables-addons: FTBFS: /lib/modules/2.6.32.12-dsa-ia32/build: No such file or directory.

2010-05-16 Thread Pierre Chifflier
On Sat, May 15, 2010 at 10:02:09PM +0200, Kurt Roeckx wrote:
 Source: xtables-addons
 Version: 1.26-1
 Severity: serious
 
 [...]
 
  /usr/bin/make -C extensions clean
  make[1]: Entering directory 
  `/build/buildd-xtables-addons_1.26-1-i386-Fgk0n0/xtables-addons-1.26/extensions'
  rm -rf .libs _libs
  if [ -n /lib/modules/2.6.32.12-dsa-ia32/build ]; then /usr/bin/make -C 
  /lib/modules/2.6.32.12-dsa-ia32/build 
  M=/build/buildd-xtables-addons_1.26-1-i386-Fgk0n0/xtables-addons-1.26/extensions
   clean; fi;
  make: Entering an unknown directory
  make: *** /lib/modules/2.6.32.12-dsa-ia32/build: No such file or directory. 
   Stop.


Hi Kurt,

It seems your build environment is not complete: you must have the
kernel headers installed for your current (running) kernel.
This creates a link /lib/modules/`uname -r`/build pointing to where the
sources are installed.

This link is created either by installing the proper
linux-headers-$version package, or by running make install in the kernel
sources if you are using a custom kernel.

Cheers,
Pierre


  make: Leaving an unknown directory
  make[1]: *** [clean_modules] Error 2
  make[1]: Leaving directory 
  `/build/buildd-xtables-addons_1.26-1-i386-Fgk0n0/xtables-addons-1.26/extensions'
  make: *** [install] Error 2
  dpkg-buildpackage: error: /usr/bin/fakeroot debian/rules binary-arch gave 
  error exit status 2
 
 A full build log can be found at:
 http://buildd.debian.org/build.php?arch=i386&pkg=xtables-addons&ver=1.26-1
 
 
 Kurt
 
 
 




Bug#581779: xtables-addons: FTBFS: /lib/modules/2.6.32.12-dsa-ia32/build: No such file or directory.

2010-05-16 Thread Pierre Chifflier
On Sun, May 16, 2010 at 11:40:52AM +0200, Kurt Roeckx wrote:
 On Sun, May 16, 2010 at 09:31:56AM +0200, Pierre Chifflier wrote:
  On Sat, May 15, 2010 at 10:02:09PM +0200, Kurt Roeckx wrote:
   Source: xtables-addons
   Version: 1.26-1
   Severity: serious
   
   [...]
   
/usr/bin/make -C extensions clean
make[1]: Entering directory 
`/build/buildd-xtables-addons_1.26-1-i386-Fgk0n0/xtables-addons-1.26/extensions'
rm -rf .libs _libs
if [ -n /lib/modules/2.6.32.12-dsa-ia32/build ]; then /usr/bin/make 
-C /lib/modules/2.6.32.12-dsa-ia32/build 
M=/build/buildd-xtables-addons_1.26-1-i386-Fgk0n0/xtables-addons-1.26/extensions
 clean; fi;
make: Entering an unknown directory
make: *** /lib/modules/2.6.32.12-dsa-ia32/build: No such file or 
directory.  Stop.
  
  
  Hi Kurt,
  
  It seems your build environment is not complete: you must have the
  kernel headers installed for your current (running) kernel.
  This creates a link /lib/modules/`uname -r`/build pointing to where the
  sources are installed.
  
  This link is created either by installing the proper
  linux-headers-$version package, or by running make install in the kernel
  sources if you are using a custom kernel.
 
 If you need linux-headers-$version to build, you should
 build-depend on that in your package.
 

Sure - would a dependency on 'linux-headers' be enough to keep the
possibility of using custom kernels (created using make-kpkg) ?
I think the linux-headers-$customversion also provides linux-headers,
but I wasn't sure.
Note that this won't fix this problem: we need to depend on the exact
headers of the running version, not any linux-headers package (and I
don't know how to represent that in a dependency).

That said, module-assistant should take care of this using the 'm-a
prepare' command. Did you use something like:
module-assistant prepare
module-assistant auto-install xtables-addons
?

 Note that your package is targeting unstable, so you should
 probably build for that version and not what random version
 the buildd is currently running.
 

I'd prefer not to - restricting a source package to only one version
would render it pretty useless imho. Having pre-built packages could be
a good thing though.

Cheers,
Pierre







Bug#571748: NMU

2010-03-11 Thread Pierre Chifflier
 Hi.
 
 I've just done an NMU for the DELAYED-2 queue of this fix.
 
 Pierre, are you still interested in this package?  I ask this because there's
 another patch in other bug report.  I'd be happy to be the (a)
 (Co-)Maintainer if it's ok to you.
 

Hi Marco,

Thanks for the upload (and patch).
I'm still interested in gromit, it's just that I haven't much time these
days ..

I'd be happy to co-maintain the package with you. If you want, I can
wait for the NMU to be accepted, then re-upload a version adding you to
the Uploaders field (I think it's the way to co-maintain packages
according to [0]) ?

Regards,
Pierre

[0] http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Uploaders



Bug#570277: Let's be cool to each other, huh?!

2010-02-28 Thread Pierre Chifflier
On Sun, Feb 28, 2010 at 06:48:27PM -0300, Gustavo Franco wrote:
 Hi Pierre,
 
 I understand you may be busy, but Jakub wrote a patch for this bug.
 You've submitted without acknowledging the work. Thank you both for
 contributing to Debian!
 

Oh, that was not my intention.
Sorry, and thank you Jakub for your contribution.

Pierre




Bug#571365: FTBFS

2010-02-25 Thread Pierre Chifflier
Hi Lucas,

It seems the problem is on your buildd:

[~] uname -a
Linux piche2 2.6.32-trunk-amd64 #1 SMP Sun Jan 10 22:40:40 UTC 2010 x86_64 
GNU/Linux
[~] apt-cache policy libpreludedb0
libpreludedb0:
  Installed: 1.0.0~rc1-1
  Candidate: 1.0.0~rc1-1
  Version table:
 *** 1.0.0~rc1-1 0
500 http://ftp2.fr.debian.org sid/main Packages
100 /var/lib/dpkg/status

Can you try a rebuild ?

Thanks,
Pierre




Bug#568106: programs belong in /usr/bin/

2010-02-21 Thread Pierre Chifflier
On Sun, Feb 21, 2010 at 11:57:52AM +0100, Stefano Zacchiroli wrote:
 On Sun, Feb 21, 2010 at 11:39:43AM +0100, Martin Pitt wrote:
  It's not a question of how many versions are supported in a current
  release, since on upgrades people will have more than one major
  version installed. But since this package only depends on libpq5
  (client side), I suspect that it will work with any major version, so
  /usr/bin/ seems appropriate.
  
  I just wanted to make sure that it isn't server specific and forgot a
  dependency. However, then a -server-dev-8.4 build dependency seems
  wrong. What does it need that for?
 
 I didn't do the packaging :-), so I really don't know. Copying back the
 bug log so that the maintainer get notified. If he does not reply, I'll
 investigate why it is there and if it is really needed.
 

Stefano,

I am the maintainer for pgtap, and I already replied to this thread :)

The -server-dev-8.4 dependency is there because the package Makefile is
using pg_config --pgxs, which includes file
/usr/lib/postgresql/8.4/lib/pgxs/src/makefiles/pgxs.mk

This file belongs to postgresql-server-dev-8.4

I'm just a bit lost on what actions to take .. Should I
- change the name to a versioned name?
- move everything to /usr/bin ?
- if move binary files, should I also move
  ./usr/share/postgresql/8.4/contrib/pgtap.sql and
  ./usr/share/postgresql/8.4/contrib/uninstall_pgtap.sql
  to /usr/share/something ?

Regards,
Pierre




Bug#568106: programs belong in /usr/bin/

2010-02-19 Thread Pierre Chifflier
Hi all,

I'm adding David (pgTAP author) in CC: of this discussion.

David: this is about finding if binaries (pg_prove and pg_tapgen) should
be stored in /usr/bin (if it is common to all postgresql versions) or in
/usr/lib/postgresql/*/bin if it is version-specific.
The complete discussion can be found here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568106

If it's version specific, I think I should add the version to the name
of the binary package.

BR,
Pierre

On Fri, Feb 19, 2010 at 10:48:25PM +0100, Martin Pitt wrote:
 Hello all,
 
 Stefano Zacchiroli [2010-02-19 18:59 +0100]:
  On Tue, Feb 09, 2010 at 10:08:50PM +1100, Ben Finney wrote:
   The attached patch addresses this bug, by declaring the ‘/usr/bin/’
   directory and installing the programs into the correct location.
  
  Actually, I'm not sure the patch is the right one. My doubts come from
  the fact that postgresql binaries are usually installed under
  /usr/lib/postgresql/*/bin/ and then have symlinks under /usr/bin/ which
  pass through /usr/share/postgresql-common/pg_wrapper . Are you sure that
  pg_prove and pg_tagpen should not have the same fate? Can please the
  maintainer comment on that?
 
 I'm a bit confused by pgtap on first sight. It builds against a
 particular server version (8.4), but does not itself have a versioned
 package name, and only links/depends on libpq5, no server. 
 
  * Is pgtap client side only, in other words, does it work with
several server versions? In that case, binaries should go to
/usr/bin, as Peter and Ben suggested. 
 
  * If this is a server-side extension, i. e. is linked against a
particular server version and won't work with any other, then the
binary should have a versioned name, and we need to manage the
binaries through pg_wrapper.
 
 Please see /usr/share/doc/postgresql-common/architecture.html for some
 more details about how this is designed.
 
 Thanks, and have a good weekend,
 
 Martin

 P.S. Just don't let you confuse with Use appropriate ‘debian/dirs’
 file for single-package source. Using an explicit package name, such
 as debian/pgtap.dirs is just fine, and causes less confusion if you
 ever add a second binary package.
 
 -- 
 Martin Pitt| http://www.piware.de
 Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)






Bug#563646: xtables-addons-source: package unusable

2010-01-04 Thread Pierre Chifflier
On Mon, Jan 04, 2010 at 11:12:16AM +0100, Modesto Alexandre wrote:
 Package: xtables-addons-source
 Version: 1.19-3
 Severity: grave
 Justification: renders package unusable
 
 
 After apt-get upgrade on my debian testing, I have this message :
 
 iptables: match ipp2p has version libxtables.so.2, but libxtables.so.4 
 is required.
 

Hi,

You have probably upgraded xtables-addons-source and
xtables-addons-common without rebuilding the package (using
module-assistant).
Can you confirm that ? I could add a Conflict: line, yet I'm not sure
this will make transitions easier.

Regards,
Pierre




Bug#552301: xtables-addons-source: package ships /lib/modules/$(uname -r)/modules.dep.bin

2009-10-25 Thread Pierre Chifflier
On Sun, Oct 25, 2009 at 12:05:46PM +0100, Michael Prokop wrote:
 Package: xtables-addons-source
 Version: 1.19-1
 Severity: grave
 Justification: renders package unusable
 
 
 Note: choosing severity grave as I think it renders the package
 unusable, please feel free to downgrade if you think that it won't
 affect all users.

Hi Michael,

I can't reproduce this behavior:

# m-a -k /usr/src/linux-headers-2.6.30-2-686 -l 2.6.30-2-686 build 
xtables-addons
# dpkg -c /usr/src/xtables-addons-modules-2.6.30-2-686_1.19-1+2.6.30-8_i386.deb 
|grep 'modules\.'
#

(up to date sid)

So maybe something has changed in the 2.6.31 build system ?

Could you check that this also happens after removing 
/usr/src/modules/xtables-addons
and retrying ? This could be caused by the previous (pre-1.19) build
system of xtables-addons

Anyway, I think I'll add commands to ensure these files are removed from
the binary module.

Regards,
Pierre

 
 Problem:
 
 # apt-get install xtables-addons-modules-2.6.31-grml
 [...]
 Unpacking xtables-addons-modules-2.6.31-grml (from 
 .../xtables-addons-modules-2.6.31-grml_1.19-1+grml.03_i386.deb) ...
 dpkg: error processing 
 /var/cache/apt/archives/xtables-addons-modules-2.6.31-grml_1.19-1+grml.03_i386.deb
  (--unpack):
  trying to overwrite '/lib/modules/2.6.31-grml/modules.dep.bin', which is 
 also in package linux-image-2.6.31-grml 0:grml.03
 dpkg-deb: subprocess paste killed by signal (Broken pipe)
 Errors were encountered while processing:
  
 /var/cache/apt/archives/xtables-addons-modules-2.6.31-grml_1.19-1+grml.03_i386.deb
 [...]
 
 Reason:
 
 # dpkg -c xtables-addons-modules-2.6.31-grml_1.19-1+grml.03_i386.deb
 [...]
 -rw-r--r-- root/root  3778 2009-10-23 12:31 
 ./lib/modules/2.6.31-grml/modules.dep.bin
 -rw-r--r-- root/root  2049 2009-10-23 12:31 
 ./lib/modules/2.6.31-grml/modules.alias.bin
 -rw-r--r-- root/root  2230 2009-10-23 12:31 
 ./lib/modules/2.6.31-grml/modules.dep
 -rw-r--r-- root/root   949 2009-10-23 12:31 
 ./lib/modules/2.6.31-grml/modules.symbols.bin
 -rw-r--r-- root/root   846 2009-10-23 12:31 
 ./lib/modules/2.6.31-grml/modules.symbols
 -rw-r--r-- root/root  1104 2009-10-23 12:31 
 ./lib/modules/2.6.31-grml/modules.alias
 
 The xtables-addons-modules-2.6.31-grml package was built running:
 
 # m-a -k /path/to/linux-2.6.31.5 -k 2.6.31-grml build xtables-addons
 
 Solution:
 
 Do not ship any modules.* files through the main
 /lib/modules/$(uname -r)/ directory.
 
 regards,
 -mika-
 
 






Bug#548752: 0.72.2 reorder search.constant Error during the database updateDuplicate entry

2009-09-28 Thread Pierre Chifflier
severity 548752 important
thanks

On Mon, Sep 28, 2009 at 11:50:22AM -0400, David Gibson wrote:
 Package: glpi
 Version: 0.72.2-1
 Severity: grave
 Justification: renders package unusable
 
 When upgrading from 0.72-1 to 0.72.2-1, I'm prompted to let
 dbconfig-common update the database.  If I let it, the next time I access
 glpi, it prompts to update the database.  The result is an
 error:
 0.72.2 reorder search.constant Error during the database updateDuplicate
 entry '11-34-0' for key 'display'
 
 If I say no to the dbconfig-common, I get the same prompt from glpi to
 update the database.  This time it is successful.
 

Hi,

This seems related to some changes in GLPI configuration after the first
installation (before the upgrade), since an install + upgrade on a fresh
install succeeds:

dell1:~# dpkg -i glpi_0.72-1_all.deb
Selecting previously deselected package glpi.
(Reading database ... 161232 files and directories currently installed.)
Unpacking glpi (from glpi_0.72-1_all.deb) ...
Setting up glpi (0.72-1) ...
dbconfig-common: writing config to /etc/dbconfig-common/glpi.conf

Creating config file /etc/dbconfig-common/glpi.conf with new version

Creating config file /etc/glpi/config/config_db.php with new version
granting access to database glpi for g...@localhost: success.
verifying access for g...@localhost: success.
creating database glpi: success.
verifying database glpi exists: success.
populating database via sql...  done.
dbconfig-common: flushing administrative password
Reloading web server config: apache2
dell1:~# dpkg -i glpi_0.72.2-1_all.deb
(Reading database ... 162669 files and directories currently installed.)
Preparing to replace glpi 0.72-1 (using glpi_0.72.2-1_all.deb) ...
Unpacking replacement glpi ...
Setting up glpi (0.72.2-1) ...
Installing new version of config file /etc/glpi/config/define.php ...
dbconfig-common: writing config to /etc/dbconfig-common/glpi.conf
creating database backup in
/var/cache/dbconfig-common/backups/glpi_0.72-1.mysql.
applying upgrade sql for 0.72-1 - 0.72.1.
applying upgrade sql for 0.72-1 - 0.72.2.
dbconfig-common: flushing administrative password
Reloading web server config: apache2.

I'll contact GLPI to see if the upgrade script is wrong and find a fix.

In the meantime, I'm downgrading the severity to important as the
upgrade is still possible using the interface.

Regards,
Pierre

 
 -- System Information:
 Debian Release: 5.0.3
   APT prefers stable
   APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable')
 Architecture: i386 (i686)
 
 Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/bash
 
 Versions of packages glpi depends on:
 ii  apache22.2.13-2  Apache HTTP Server metapackage
 ii  apache2-mpm-prefork [h 2.2.13-2  Apache HTTP Server -
 traditional n
 ii  dbconfig-common1.8.41common framework for packaging
 dat
 ii  debconf [debconf-2.0]  1.5.24Debian configuration management
 sy
 ii  libapache2-mod-php55.2.10.dfsg.1-2.2 server-side, HTML-embedded
 scripti
 ii  php5   5.2.10.dfsg.1-2.2 server-side, HTML-embedded
 scripti
 ii  php5-mysql 5.2.10.dfsg.1-2.2 MySQL module for php5
 
 glpi recommends no packages.
 
 glpi suggests no packages.
 
 -- debconf information:
   glpi/mysql/admin-pass: (password omitted)
   glpi/app-password-confirm: (password omitted)
   glpi/password-confirm: (password omitted)
   glpi/mysql/app-pass: (password omitted)
   glpi/remote/newhost:
   glpi/dbconfig-remove:
   glpi/internal/reconfiguring: false
   glpi/remove-error: abort
 * glpi/dbconfig-upgrade: true
   glpi/webserver: apache, apache-ssl, apache-perl, apache2
   glpi/db/app-user: glpi
   glpi/db/dbname: glpi
   glpi/dbconfig-reinstall: false
   glpi/mysql/method: unix socket
   glpi/upgrade-backup: true
 * glpi/configuration:
   glpi/database-type: mysql
   glpi/remote/port:
   glpi/internal/skip-preseed: false
   glpi/passwords-do-not-match:
   glpi/install-error: abort
   glpi/missing-db-package-error: abort
   glpi/remote/host:
 * glpi/dbconfig-install: true
   glpi/purge: false
   glpi/upgrade-error: abort
   glpi/mysql/admin-user: root






Bug#529841: nufw: FTBFS against gnutls26 = 2.7.x

2009-08-15 Thread Pierre Chifflier
On Fri, Aug 14, 2009 at 11:01:53PM +0100, peter green wrote:
 tags 529841 +patch
 thanks
 
 Patch is attached (gzipped because of size) , the changes are
 
 * fixed mysql build-depends
 * fixed gnutls detection in configure.ac (the existing detection
 system seemed to rely on a autotools template that didn't exist so I
 replaced it with a simple call to pkg-config)
 * regenerated autotools stuff using supplied autogen.sh (this
 accounts for the bulk of the patch :( )
 * some minor tweaks to debian/rules to fix a couple of libtool
 related build issues I ran into (one unrepresentable changes to
 source and one file not found error)
 

Hi,

Thanks for your patch. In fact, I should have added the 'pending' tag
since some time: the bug is fixed in the upstream git, I was just
waiting for a new release.

I'll backport the correct fix (using the PKG_CHECK_MODULES macro) and
merge your changes on debian/rules etc :)

Thanks,
Pierre








Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability

2009-06-17 Thread Pierre Chifflier
On Wednesday 17 June 2009 05:27:49 James Andrewartha wrote:
 Pierre,

 The bug in download.php is still there in lenny, why did you close
 the bug?

Hi James,

I closed the bug because the advisory [1] stated 1.02 while the Lenny
version is 1.01.
Additionally, this injection does not work here:
http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1&dl=2&o=3&v=4%27union+all+select+concat(id,%27:%27,passwd)+from+operators%23

and returns an empty file. However, I agree this needs further
investigation to check if 1.01 is vulnerable too. Do you have a
working example? I'll check on my side if the code is similar in 1.01
and 1.02.

Cheers,
Pierre

[1] http://archives.neohapsis.com/archives/bugtraq/2009-06/0009.html






Bug#531735: SA35311: OCS Inventory NG systemid SQL Injection Vulnerability

2009-06-17 Thread Pierre Chifflier
On Wednesday 17 June 2009 15:25:57 Giuseppe Iuculano wrote:
 Hi Pierre,

 Pierre Chifflier wrote:
  I closed the bug because the advisory [1] stated 1.02 while Lenny
  version is 1.01.

 This doesn't imply that 1.01 isn't affected.


I fully agree, but you should quote correctly:

--8-
Additionally, this injection does not work here:
http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1&dl=2&o=3&v=4%27union+all+select+concat(id,%27:%27,passwd)+from+operators%23
--8-

Apparently, the default Lenny install is not vulnerable (due to 
magic_quotes on or something like that). I'm looking to backport the fix 
in 1.01 anyway.

BR,
Pierre
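To make concrete what the two messages above turn on (the UNION probe against download.php, and why a default Lenny install with magic_quotes shrugged it off), here is an added PHP example. It is not OCS Inventory's code. It assumes PDO with the SQLite driver as a stand-in for MySQL, so the MySQL-only concat() and # of the probe become || and --, and MySQL's backslash escaping becomes SQLite's quote doubling; the tables, rows, query and the function names by_version_* are constructed for the demo. It also goes one step beyond the thread: the same probe without its leading quote, sent to an unquoted numeric parameter, is not stopped by magic quotes at all, which is the reason to backport the real fix rather than rely on the PHP setting.

```php
<?php
// Added example for Debian bug #531735 (OCS Inventory NG download.php); this
// is not OCS's code. It shows why the UNION probe quoted in the thread fails
// when magic_quotes_gpc escapes its quote, why that is not a fix, and how a
// bound parameter closes both holes. PDO's SQLite driver stands in for MySQL
// (assumed available); tables, rows and the query are constructed for the demo.

function make_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE operators (id TEXT, passwd TEXT)');
    $db->exec("INSERT INTO operators VALUES ('admin', 's3cret')");
    $db->exec('CREATE TABLE files (version INTEGER, data TEXT)');
    $db->exec("INSERT INTO files VALUES (4, 'package bytes')");
    return $db;
}

// What magic_quotes_gpc did on Lenny: addslashes() on every request value.
// MySQL reads \' as an escaped quote; SQLite does not, so the equivalent
// transformation here is quote doubling.
function escape_like_magic_quotes($v)
{
    return str_replace("'", "''", $v);
}

// VULNERABLE, quoted context: the request value is pasted inside '...'.
function by_version_unsafe(PDO $db, $v)
{
    return $db->query("SELECT data FROM files WHERE version = '$v'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// VULNERABLE, numeric context: no quotes around the value, so escaping
// quotes changes nothing.
function by_version_numeric_unsafe(PDO $db, $v)
{
    return $db->query("SELECT data FROM files WHERE version = $v")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED: the value is bound, so the SQL parser never sees it as SQL.
function by_version_safe(PDO $db, $v)
{
    $st = $db->prepare('SELECT data FROM files WHERE version = ?');
    $st->execute(array($v));
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();

// The probe from the bug report, URL-decoded and in SQLite spelling:
// concat(id,':',passwd) becomes id || ':' || passwd and # becomes --.
$probe = "4' union all select id || ':' || passwd from operators --";

// Raw: the operators row comes back next to the file row.
print_r(by_version_unsafe($db, $probe));

// With the quote escaped, the whole probe is compared as one string and
// matches nothing: this is what the default Lenny install was doing.
print_r(by_version_unsafe($db, escape_like_magic_quotes($probe)));

// Same idea without any quote, against an unquoted numeric parameter:
// magic quotes has nothing to escape and the operators row leaks again.
$probe_num = '4 union all select passwd from operators --';
print_r(by_version_numeric_unsafe($db, escape_like_magic_quotes($probe_num)));

// Bound parameter: neither probe returns anything.
print_r(by_version_safe($db, $probe));
print_r(by_version_safe($db, $probe_num));
```

Run it with the PHP CLI (php example.php). The middle call is the only one the escaping helps with; the numeric-context call leaks exactly like the raw one, and only the prepared statement is unaffected by either probe.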






Bug#523059: pyqt4-dev-tools: version 4.4.4-5 breaks pyuic4

2009-04-08 Thread Pierre Chifflier
Package: pyqt4-dev-tools
Version: 4.4.4-5
Severity: grave

Justification: pyuic4 does not work anymore

Hi,

After upgrading pyqt4-dev-tools (and python-qt4 etc.) from
4.4.4-4 to 4.4.4-5 (which should be a minor upgrade),
pyuic4 stopped working.

Error:

pyuic4 -o auth_ui.py auth.ui   
An unexpected error occurred.
Check that you are using the latest version of PyQt and send an error report to
supp...@riverbankcomputing.com, including the following information:

  * your version of PyQt (4.4.4)
  * the UI file that caused this error
  * the debug output of pyuic4 (use the -d flag when calling pyuic4)


Here is the complete traceback:


pyuic4 -d -o auth_ui.py auth.ui
Traceback (most recent call last):
  File "/usr/bin/pyuic4", line 73, in <module>
    options.indent, options.pyqt3_wrapper)
  File "/usr/bin/pyuic4", line 28, in generateUi
    uic.compileUi(uifname, pyfile, execute, indent, pyqt3_wrapper)
  File "/usr/lib/pymodules/python2.5/PyQt4/uic/__init__.py", line 66, in compileUi
    winfo = compiler.UICompiler().compileUi(uifile, pyfile)
  File "/usr/lib/pymodules/python2.5/PyQt4/uic/Compiler/compiler.py", line 15, in __init__
    CompilerCreatorPolicy())
  File "/usr/lib/pymodules/python2.5/PyQt4/uic/uiparser.py", line 88, in __init__
    self.factory = QObjectCreator(creatorPolicy)
  File "/usr/lib/pymodules/python2.5/PyQt4/uic/objcreator.py", line 57, in __init__
    raise WidgetPluginError, "%s: %s" % (e.__class__, str(e))
WidgetPluginError: <type 'exceptions.KeyError'>: 'pluginType'

Cheers,
Pierre



-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pyqt4-dev-tools depends on:
ii  libc6 2.9-7  GNU C Library: Shared libraries
ii  libgcc1   1:4.3.3-5  GCC support library
ii  libqt4-xml4.4.3-2Qt 4 XML module
ii  libqtcore44.4.3-2Qt 4 core module
ii  libqtgui4 4.4.3-2Qt 4 GUI module
ii  libstdc++64.3.3-5The GNU Standard C++ Library v3
ii  python2.5.4-2An interactive high-level object-o
ii  python-qt44.4.4-5Python bindings for Qt4

pyqt4-dev-tools recommends no packages.

pyqt4-dev-tools suggests no packages.

-- no debconf information






Bug#349003: wzdftpd pidfile issues and more...

2009-01-29 Thread Pierre Chifflier
On Wed, Jan 28, 2009 at 08:04:20PM +0100, Andreas Henriksson wrote:
 Hello!
 
 I had a really quick look and there seems to be several issues.
 
 Next after parsing the command line options, the server forks and kills
 off the parent (in wzdftpd/wzd_main.c line 402). This leaves no room for
 returning a proper error/exit code if something in the startup process
 fails.

Hi,

This is right, the first process forks and exits (so it does not get the
return code). Suggestions accepted for a better way.

 
 The server doesn't seem to have any support for writing a pidfile on
 its own. Instead the start-stop-daemon feature is used in the init.d

This is wrong

grep pid_file /etc/wzdftpd/wzd.cfg
pid_file = /var/run/wzdftpd/wzdftpd.pid

wzdftpd can manage the pid file itself.

 script. There seems to be several issues here:
 
 First the path to the pidfile is not consistently used
 (/var/run/$NAME.pid v. /var/run/$NAME/$NAME.pid).

ok, this is a bug.

 
 The second issue being, can start-stop-daemon really write a useful
 pidfile when the process it starts will terminate right away? The
 pidfile should contain the child pid, not the parent pid, since the
 child is the actual server here.

Yes. I'll see if using the internal pid_file feature fixes all these
problems, and upload a new version.

 
 The third issue is that this setup relies on Debian's default
 configuration of a /var/run on persistent storage, since
 the /var/run/wzdftpd/ directory is (only) created in the postinst
 instead of the init.d script. Ubuntu has switched the default and as
 suspected that bug has been fixed there. You can get the patch from
 http://patches.ubuntu.com/w/wzdftpd/wzdftpd_0.8.3-5.1ubuntu1.patch which
 will also fix up a dependency issue (postgresql vs postgresql-client).

ok, I will fix this as well

 
 Popcon tells me there are only 28 people with this package installed and
 3 recently using it. Maybe we should consider removal?

I'd prefer not.

Cheers,
Pierre






Bug#512660: ocsinventory-server cannot work 'cause many files are missing

2009-01-22 Thread Pierre Chifflier
severity 512660 normal
tags 512660 +wontfix
thanks


On Thu, Jan 22, 2009 at 05:33:59PM +0100, root wrote:
 Package: ocsinventory-server
 Version: 1.01-6
 Severity: grave
 Justification: renders package unusable
 
 After installing ocsinventory-server, it doesn't work, because while the 
 database has been created, there is no tables inside it.
 The indications given in /usr/share/doc/ocsinventory-server/README.Debian are 
 mainly wrong :
 

[...]

 
 Post-installation notes
 ---
 
 Please note that after first installation, or after an upgrade, it's 
 recommended
 to call http://localhost/ocsreports/install.php ; please also note that this
 particular page is restricted to localhost in 
 /etc/ocsinventory/ocsreports.conf.
 
 For security reasons, this script is protected by an apache authentication, 
 using
 /etc/ocsinventory/htpasswd.setup
 
 install.php isn't a part of the package,
 /etc/ocsinventory/dbconfig.inc.php isn't a part of the package
 

It seems you have missed the way OCS Inventory works:
 - ocsinventory-server is the *Communication Server* only
 - ocsinventory-reports is the web interface

Basically, both are required. They are separate packages because they
can be installed on different hosts.

install.php is part of ocsinventory-reports

 there isn't any ocsreports location or directory created by the package, the 
 only configured are the locations
 ocsinventory and ocsinterface so it's impossible to call 
 http://localhost/ocsreports/install.php after installation
 ocsreports/install.php
 
 It seems that those file are parts of ocsinventory-reports, but there is no 
 dependency

# apt-cache show ocsinventory-server | grep reports
Recommends: ocsinventory-reports

 
 -- System Information:
 Debian Release: 4.0

 Versions of packages ocsinventory-server recommends:
 pn  ocsinventory-reports  none (no description available)

... which you have willingly not installed. As said above, it is not a
strict dependency because it is not required to be on the same host.

I have therefore downgraded the bug report severity to normal. I'll wait
for your confirmation that installing all packages makes OCS work, and
close the bug.

Cheers,
Pierre






Bug#503330: please allow websvn updates into stable and testing

2008-11-12 Thread Pierre Chifflier
Hi,

These two updates occur after a discussion with websvn upstream, to
validate the corrections. The security problem is described at:
http://www.gulftech.org/?node=research&article_id=00132-10202008
(I haven't found any related CVE, but there is a Secunia advisory:
http://secunia.com/advisories/32338/
)

The first upload is for stable:
Please allow websvn 1.61-21 into stable, it contains a security fix:

   * Security: fix potential PHP code execution due to unsafe use of
 preg_replace (Closes: #503330)

The fix is to remove the offending code (which was useless) with quilt
patch 40_unsafe_preg_replace.diff (attached).
Other parts of the advisory (directory traversal and XSS) were not
found in this version.


The second upload is for both unstable and testing:
Please allow websvn 2.0-4 to enter testing, it contains fixes for the
same security advisory, but for different problems:

   * Security: fix potential Cross Site Scripting and Directory
 traversal issues (Closes: #503330)

Problems are fixed in quilt patches 10_security_dir_transversal.patch
and 11_security_css.patch (attached). preg_replace affected code was removed in
2.x branch.

Cheers,
Pierre
Index: websvn-1.61/include/utils.inc
===
--- websvn-1.61.orig/include/utils.inc	2008-11-12 13:04:16.0 +0100
+++ websvn-1.61/include/utils.inc	2008-11-12 13:04:23.0 +0100
@@ -87,11 +87,6 @@
 	a href=\mailto:[EMAIL PROTECTED][EMAIL PROTECTED]/a,
 	$ret);

-   // Replace any usernames
-	$ret = preg_replace(#\[:nom:([^\]]*)\]#e,
-	username(0, trim(\\\1\)),
-	$ret);
-   
 	return ($ret);
 }
 
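Review bot: dropping the whole `[:nom:...]` block is the right call for the code-execution issue, since with the `e` modifier the replacement `username(0, trim("\1"))` is evaluated as PHP with the captured log-message text pasted into it, but the hunk also removes a user-visible feature without saying so; either note it in the changelog, or keep the substitution with preg_replace_callback(), which hands the capture to username() as a plain string and evaluates nothing. The mailto anchor replacement whose tail is visible just above the deleted lines is a second preg_replace() over the same untrusted text; confirm its pattern line, which this hunk does not show, carries no `e` modifier either.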
@@ -185,4 +180,4 @@
// Stick them together
return $spaces.$s;
 }
-?
\ No newline at end of file
+?
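Review bot: this hunk only adds the newline that was missing after the closing `?>` tag (`\ No newline at end of file`) and changes no behaviour; for a minimal stable security update either drop it, or mention it as whitespace-only in the changelog so nobody hunts for a functional change here.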
Index: websvn-2.0/rss.php
===
--- websvn-2.0.orig/rss.php	2008-11-12 13:10:56.0 +0100
+++ websvn-2.0/rss.php	2008-11-12 13:11:20.0 +0100
@@ -67,7 +67,7 @@
 
 // Cachename reflecting full path to and rev for rssfeed. Must end with xml to work
 $cachename = strtr(getFullURL($listurl), :/\\?, );
-$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR.cache[EMAIL PROTECTED]rev]._rssfeed.xml;
+$cachename = $locwebsvnreal.DIRECTORY_SEPARATOR.'cache'.DIRECTORY_SEPARATOR.$cachename.$rev.'_rssfeed.xml';
 
 $rss = new UniversalFeedCreator();
 $rss-useCached(RSS2.0, $cachename);
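Review bot: `$rev` is still concatenated into the cache path without validation on the new line (`.$cachename.$rev.'_rssfeed.xml'`); the `strtr()` two lines up is meant to neutralise `:`, `/`, `\` and `?` in the URL-derived part only, so a rev parameter containing `..` or a separator can still place the file outside the cache directory the comment says it belongs in. Cast `$rev` to int (or reject anything that fails ctype_digit()) before building the name, and double-check the third strtr() argument: when it is shorter than the second, strtr() ignores the surplus characters, and with an empty string it replaces nothing at all.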
Index: websvn-2.0/include/setup.php
===
--- websvn-2.0.orig/include/setup.php	2008-11-12 13:12:10.0 +0100
+++ websvn-2.0/include/setup.php	2008-11-12 13:12:26.0 +0100
@@ -314,7 +314,7 @@
 
 $vars['lang_code'] = $userLang;
 
-$url = getParameterisedSelfUrl(true);
+$url = '?'.buildQuery($_GET + $_POST);
 $vars[lang_form] = form action=\$url\ method=\post\ id=\langform\;
 $vars[lang_select] = select name=\langchoice\ onchange=\javascript:this.form.submit();\;
 
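Review bot: building the form action as `'?'.buildQuery($_GET + $_POST)` removes PHP_SELF, which was the reflected-XSS vector, but `$url` is still inserted raw into `form action=\"$url\"` on the following line; unless buildQuery() HTML-escapes its result (the `&` separators included), wrap it in htmlspecialchars($url, ENT_QUOTES) at that point, otherwise a parameter value containing a double quote still closes the attribute. The relative `?query` form also drops the script name, so test that the language form still posts to the right place under multiViews, which the deleted helper in utils.php used to special-case.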
Index: websvn-2.0/include/utils.php
===
--- websvn-2.0.orig/include/utils.php	2008-11-12 13:12:14.0 +0100
+++ websvn-2.0/include/utils.php	2008-11-12 13:12:26.0 +0100
@@ -304,43 +304,6 @@
 
 // }}}
 
-// {{{ getParameterisedSelfUrl
-//
-// Get the relative URL (PHP_SELF) with GET and POST data
-
-function getParameterisedSelfUrl($params = true)
-{
-   global $config;
-
-   $url = null;
-
-   if ($config-multiViews)
-   {
-  // Get rid of the file's name
-  $url = preg_replace('/\.php/', '', $_SERVER['PHP_SELF'], 1);
-   }
-   else
-   {
-  $url = basename($_SERVER['PHP_SELF']);
-
-  // Sometimes the .php isn't on the end.  Damn strange...
-  if (strchr($url, '.') === false)
- $url .= '.php';   
-   }
-
-   if ($params)
-   {
-  $arr = $_GET + $_POST;
-  # XXX: the point of HTTP POST is that URIs have a set size limit, so POST
-  #  data is typically too large to bother with; why include it?
-  $url .= '?'.buildQuery($arr);
-   }
-
-   return $url;
-}
-
-// }}}
-
 // {{{ getUserLanguage
 
 function getUserLanguage($languages, $default, $userchoice)
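Review bot: deleting getParameterisedSelfUrl() outright is cleaner than sanitising PHP_SELF inside it, but it is a global function, so grep the templates and the other include/*.php files for remaining callers before upload; any left-over call now becomes a fatal undefined-function error on that page instead of an XSS. The deleted body also carried the multiViews branch (`preg_replace('/\.php/', '', $_SERVER['PHP_SELF'], 1)`), so the new relative action in setup.php is now the only place that case is handled; worth one run with multiViews on and one with it off.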




Bug#496071: Please allow glpi updates (etch, testing)

2008-11-10 Thread Pierre Chifflier
On Sun, Nov 09, 2008 at 12:39:10AM +0100, Philipp Kern wrote:
 On Fri, Nov 07, 2008 at 11:13:57AM +0100, Pierre Chifflier wrote:
  Please allow glpi 0.68.2-1etch0.2 (etch) and 0.70.2-2 (testing) updates,
  They close an RC bug by updating a file to a version covered by a
  DFSG-free license (CC-SA 2.0 = LGPLv3).
  The author of the file has agreed to change the license after a
  discussion, which is very good news :)
 
 A licence switch to LGPL with an additional paragraph with Rights
 and obligations identical to the CC-SA 2.0 version (including
 a pointer to French law), well...

Well, the problem is that the license change occurred after some
releases, so there are many additional functions and bug fixes between
the 2 versions.
I had to update the file, since downgrading the LGPL one is fairly
difficult (and not really useful).

So I'd advise to update the file.

 
  Changelog:
 * Replace domxml-php5-php5.php by a LGPL version (Closes: #496071)
 * Urgency high because of RC bug
 
 Should be ok for Lenny but I'd want a functional diff (i.e. without
 the indentation changes) for Etch from the file in stable.  Are there changes
 to the API?  (Shouldn't be the case as it's a PHP4 emulation layer but
 well...)

Files with the CC-SA 2.0 were the same in the 3 versions (etch, lenny,
sid).
As said before, a plain diff is not easy to extract - and not really
relevant.
If updating the file is not possible (due to the changes), it is
possible to remove the lib/phpcas directory without affecting too much
the application (the only lost feature would be SSO login using CAS),
but removing a feature is not really something we want between 2 stable
upgrades, I guess...

Cheers,
Pierre







Bug#504374: pgdesigner: Does not save the Dimentions of the Columns

2008-11-03 Thread Pierre Chifflier
severity 504374 normal
tag 504374 +upstream
thanks

Hi,

I'm downgrading bug severity according to
http://www.debian.org/Bugs/Developer#severities

The bug, even if annoying, does not introduce security problems or
render the application unusable. Please, do not raise severity without
reasons, it won't help treating the problem faster (remember a grave
bug makes the package unsuitable for release).

Cheers,
Pierre

On Mon, Nov 03, 2008 at 02:17:59AM -0600, Josue Abarca wrote:
 
 Package: pgdesigner
 Version: 1.2.8-1
 Severity: grave
 Justification: causes non-serious data loss
 
 Pgdesigner doesn't save the dimensions (Dim) of the columns.
 In fact it saves the dimensions in the .ini file, but when you
 open the file, they are set to 0, always.
 
 Cheers,
 
 -- System Information:
 Debian Release: lenny/sid
   APT prefers unstable
   APT policy: (500, 'unstable')
 Architecture: i386 (i686)
 
 Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
 Locale: LANG=es_GT.UTF-8, LC_CTYPE=es_GT.UTF-8 (charmap=UTF-8)
 Shell: /bin/sh linked to /bin/bash
 
 Versions of packages pgdesigner depends on:
 ii  gambas2-gb-compress   2.8.2-1The Gambas compression component
 ii  gambas2-gb-compress-bzlib22.8.2-1The Gambas bzlib2 component
 ii  gambas2-gb-compress-zlib  2.8.2-1The Gambas zlib compression 
 compon
 ii  gambas2-gb-db 2.8.2-1Gambas database access common 
 libr
 ii  gambas2-gb-db-postgresql  2.8.2-1The PostgreSQL driver for the 
 Gamb
 ii  gambas2-gb-form   2.8.2-1A gambas native form component
 ii  gambas2-gb-pdf2.8.2-1The Gambas pdf component
 ii  gambas2-gb-qt 2.8.2-1The Gambas Qt GUI component
 ii  gambas2-gb-qt-ext 2.8.2-1The Gambas extended Qt GUI 
 compone
 ii  gambas2-gb-qt-kde 2.8.2-1The Gambas KDE component
 ii  gambas2-gb-qt-kde-html2.8.2-1The Gambas KHTML component
 ii  gambas2-gb-settings   2.8.2-1Gambas utilities class
 ii  gambas2-gb-xml2.8.2-1Gambas XML component
 ii  gambas2-runtime   2.8.2-1The Gambas runtime
 
 pgdesigner recommends no packages.
 
 pgdesigner suggests no packages.
 
 -- no debconf information
 
 
 -- 
 Josué M. Abarca S.
 
 






Bug#503330: upstream patch

2008-11-03 Thread Pierre Chifflier
On Mon, Nov 03, 2008 at 12:40:26PM +0100, Thijs Kinkhorst wrote:
 Hi,
 
 It seems that the following are upstream's handling of the issue. I
 haven't checked them out in detail yet so can't vouch for their
 completeness.
 

Thanks for the links. It seems indeed that there is some activity on the
commits list.

I'll look at the patches and merge that ASAP.

Cheers,
Pierre






Bug#503330: Multiple Vulnerabilities (xss, insecure file handling and code execution)

2008-10-26 Thread Pierre Chifflier
On Fri, Oct 24, 2008 at 10:27:09PM +0200, Florian Weimer wrote:
 * Luca Bruno:
 
  A full disclosure bulletin has been posted today, reporting various 
  security vulnerabilities in websvn.
 
 Thanks, I'm not sure if the source is in our public monitoring.
 
  The remote code execution should only affect etch version, while at a 
  first glance the others are also still open in lenny/sid.
 
 I think the code execution can only be exploited if you can commit to
 the repository, so this vulnerability is not critical.
 
 

Hi,

That looks serious indeed, and it affects versions from both testing and
unstable.

There are 3 different kinds of problems:
- Cross Site Scripting (unsafe usage of the PHP_SELF server variable
  within the getParameterisedSelfUrl() function)
- File handling issues in the RSS functionality
- PHP Code Execution (only in 1.x branch): unsafe use of preg_replace
  evaluation when parsing anchor tags and the like

Unfortunately, upstream is not responsive :/ I have tried to contact Tim
Armes, and the developer list.

The problems are affecting several parts of the code, and I am not sure
what the correct solution could be.

Help on the subject would be very appreciated !

Pierre
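The following PHP is an added example, not websvn's code and not part of the Debian patch quoted earlier in this thread. It reproduces the shape of the preg_replace() call that include/utils.inc used to run over Subversion log messages (the third item in the list above, and the code the 1.61-21 patch deletes), shows why the `e` modifier turns a log message into executable PHP, and gives the preg_replace_callback() form that keeps the `[:nom:name]` expansion without evaluating anything. username() is an assumed stand-in for websvn's helper, the expand_names_* names are mine, and the log message is constructed for the demo; the vulnerable variant only runs on PHP 5, since PHP 7 removed the `e` modifier.

```php
<?php
// Added example for Debian bug #503330; this is not websvn's code and not the
// Debian patch. It reproduces the shape of the preg_replace() call that
// include/utils.inc used to run on Subversion log messages, shows why the "e"
// modifier turns a log message into executable PHP, and gives the
// preg_replace_callback() form that keeps the [:nom:name] feature safely.
// username() is an assumed stand-in for websvn's helper, and the log message
// is constructed for the demo.

// Stand-in for websvn's username() lookup: renders the captured name as HTML.
function username($repo, $name)
{
    return '<b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</b>';
}

// VULNERABLE. With the "e" modifier the replacement string is PHP source that
// is eval()'d once per match, with the \1 capture pasted in as text. PHP
// backslash-escapes quotes in the capture, but the capture lands inside a
// double-quoted literal, where {${ expr }} interpolation is still evaluated,
// so a log message such as "[:nom:{${phpinfo()}}]" runs phpinfo() on the
// server. PHP 5 only: PHP 7 and later reject "e" and return NULL.
function expand_names_unsafe($msg)
{
    return preg_replace('#\[:nom:([^\]]*)\]#e',
                        'username(0, trim("\\1"))',
                        $msg);
}

// FIXED. The callback receives the capture as a plain string; nothing is
// evaluated, the text is simply handed to username(). A named function is
// used so this also runs on PHP 5.2, which has no closures.
function expand_name_cb($m)
{
    return username(0, trim($m[1]));
}

function expand_names_safe($msg)
{
    return preg_replace_callback('#\[:nom:([^\]]*)\]#', 'expand_name_cb', $msg);
}

// Constructed log message carrying the interpolation payload.
$log = 'Fix login handling, reviewed by [:nom:{${phpinfo()}}]';

// Safe path: the payload comes back as inert, escaped text inside <b>...</b>.
echo expand_names_safe($log), "\n";

// Unsafe path, only attempted where the "e" modifier still exists: on PHP 5
// the output is the phpinfo() page, i.e. attacker-supplied text was executed.
if (PHP_MAJOR_VERSION < 7) {
    echo expand_names_unsafe($log), "\n";
}
```

The point for the backport is that the dangerous part is not the regex but the replacement being source code; the Debian patch removes the feature entirely, and the callback form is the alternative if anyone wants to keep it.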







Bug#501882: bug #501882

2008-10-13 Thread Pierre Chifflier
severity 501882 normal
retitle 501882 pgsnap: relative path does not work
thanks

Indeed, pgsnap does not actually work with relative paths. I'm
contacting upstream about that.

I consider this more as a lack of documentation (which I will fix
shortly) than a critical bug, so I'm setting the priority to normal.

Regards,
Pierre






Bug#502134: bug 502134

2008-10-13 Thread Pierre Chifflier
reassign 502134 python-matplotlib
retitle 502134 matplotlib: undefined symbol: __gxx_personality_v0
thanks

Reassigning bug, since it is not related to NuLog, and easily reproduced
on a clean Lenny install:

# aptitude install python-matplotlib
$ python
Python 2.5.2 (r252:60911, Sep 29 2008, 21:15:13) 
[GCC 4.3.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from matplotlib.figure import Figure
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.5/site-packages/matplotlib/figure.py", line 22, in <module>
    from axes import Axes, SubplotBase, subplot_class_factory
  File "/usr/lib/python2.5/site-packages/matplotlib/axes.py", line 11, in <module>
    import matplotlib.axis as maxis
  File "/usr/lib/python2.5/site-packages/matplotlib/axis.py", line 13, in <module>
    import matplotlib.text as mtext
  File "/usr/lib/python2.5/site-packages/matplotlib/text.py", line 19, in <module>
    import matplotlib.nxutils as nxutils
ImportError: /usr/lib/python2.5/site-packages/matplotlib/nxutils.so: undefined symbol: __gxx_personality_v0

This problem seems to happen when C and C++ files are linked using gcc
(instead of g++, or gcc -lstdc++).

Cheers,
Pierre






Bug#417142: NMU for websvn

2008-08-27 Thread Pierre Chifflier
On Wed, Aug 27, 2008 at 04:10:06PM +0200, Thijs Kinkhorst wrote:
 Hi Pierre,
 
 This RC bug has now been open for two weeks. I'm uploading an NMU to the 
 delayed-5 queue according to the attached patch. I hope this helps to keep 
 websvn in good shape in lenny.
 
 

Hi Thijs,

I'm merging your patch and asking for a freeze exception so it can reach lenny
in time.

Thanks !

Pierre






Bug#487212: import python-sepolgen fails (dash is forbidden in a python module name)

2008-06-20 Thread Pierre Chifflier
Package: python-sepolgen
Version: 1.0.11-3
Severity: grave
Justification: renders package unusable


Hi,

Package python-sepolgen should create a module named differently, since
the dash (-) is forbidden in Python modules names.

[~] python
Python 2.5.2 (r252:60911, May 28 2008, 19:19:25) 
[GCC 4.2.4 (Debian 4.2.4-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import python-sepolgen
  File "<stdin>", line 1
    import python-sepolgen
                 ^
SyntaxError: invalid syntax


See this mail:
http://mail.python.org/pipermail/python-bugs-list/2004-March/022272.html

And the Python documentation:
http://docs.python.org/ref/import.html
http://docs.python.org/ref/identifiers.html
A module name is an identifier, which contains no dash.

BTW, this also breaks the audit2why and audit2allow tools 

Regards,
Pierre



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-sepolgen depends on:
ii  python2.5.2-1An interactive high-level object-o
ii  python-support0.8.1  automated rebuilding support for P

python-sepolgen recommends no packages.

-- no debconf information






Bug#477020: 477020

2008-04-27 Thread Pierre Chifflier
On Sat, Apr 26, 2008 at 02:23:08AM +0200, Lucas Nussbaum wrote:
 severity 477020 serious
 thanks
 

At first, I thought the build failure was caused by gcc 4.3, so I
downgraded the severity. The real cause was a missing build dependency
on pkg-config.

I'm uploading a fixed package.

Regards,
Pierre






Bug#476173: Cloning for the unresolved part

2008-04-15 Thread Pierre Chifflier
On Tue, Apr 15, 2008 at 12:06:57PM +0200, Adeodato Simó wrote:
 clone 476173 -1
 retitle -1 nuauth-utils: needs rebuid on each python transition
 severity -1 important
 thanks
 

Can you explain to me why you reopened this bug, while the package has
been re-uploaded? The new package _is_ linked to python 2.5.

BTW, I would appreciate some more useful information than just an RC bug
+ a reopen.

Pierre




Bug#465085: reassign bug

2008-02-13 Thread Pierre Chifflier
reassign 465085 libprelude
tags 465085 +pending
thanks

The problem is caused by the libgnutls transition: libprelude is built
against libgnutls13 (2.0.4), while the new prelude-manager is built
against libgnutls26 (2.2.1).

I'll upload a new libprelude package to trigger the rebuild (it fixes
the problem here).

Thanks for reporting,
Pierre






Bug#449197: nuapplet - FTBFS: cmake: command not found

2007-11-06 Thread Pierre Chifflier
tag 449197 +pending
thanks

Package is ready for upload, just waiting for ftp-master to be repaired.

Regards,
Pierre

On Sun, Nov 04, 2007 at 01:02:20AM +0100, Bastian Blank wrote:
> Package: nuapplet
> Version: 2.0-1
> Severity: serious
>
> There was an error while trying to autobuild your package:
>
> > Automatic build of nuapplet_2.0-1 on debian-31.osdl.marist.edu by
> > sbuild/s390 98
> [...]
> > [ -d release ] || mkdir release; \
> > cd release && cmake -DCMAKE_BUILD_TYPE=Release
> > -DCMAKE_VERBOSE_MAKEFILE=0 -DCMAKE_INSTALL_PREFIX=/usr .. && make
> > /bin/sh: line 1: cmake: command not found
> > make[1]: *** [release] Error 127
> > make[1]: Leaving directory `/build/buildd/nuapplet-2.0'
> > make: *** [build-stamp] Error 2
> > dpkg-buildpackage: failure: debian/rules build gave error exit status 2
> > **
> > Build finished at 20071103-1921
> > FAILED [dpkg-buildpackage died]
>






Bug#446192: CVE-2007-5300 possible arbitrary code execution

2007-10-12 Thread Pierre Chifflier
On Thu, Oct 11, 2007 at 01:27:17AM +0200, Nico Golde wrote:
> Package: wzdftpd
> Version: 0.5.2-1.1sarge2
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for wzdftpd.
>
> CVE-2007-5300[0]:
> | Off-by-one error in the do_login_loop function in
> | libwzd-core/wzd_login.c in wzdftpd 0.8.2 and earlier allows remote
> | attackers to cause a denial of service (daemon crash) via a long USER
> | command that triggers a stack-based buffer overflow.  NOTE: some of
> | these details are obtained from third party information.
>
> If you fix this vulnerability please also include the CVE id
> in your changelog entry.
>
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5300
>

Hi,

The login system has changed a lot since 0.5.2. At first look, I
believe the exploit will not work for 0.5.2, or not the same way.
The real problem was caused by a memset with a wrong length, which was
introduced in recent versions (which means etch, testing and unstable
are impacted). The sarge version does not have this problem.

The only fixable thing is a possible off-by-one in do_login_loop (patch
attached).

I'm also working on patches for the other versions (feel free to NMU
if you want).

Regards,
Pierre
--- src/wzd_ClientThread.c.orig	2007-10-12 09:58:25.0 +0200
+++ src/wzd_ClientThread.c	2007-10-12 10:02:37.0 +0200
@@ -3267,7 +3267,7 @@
 
   while (1) {
 /* wait response */
-ret = (context-read_fct)(context-controlfd,buffer,BUFFER_LEN,0,HARD_XFER_TIMEOUT,context);
+ret = (context-read_fct)(context-controlfd,buffer,BUFFER_LEN-1,0,HARD_XFER_TIMEOUT,context);
 
 if (ret == 0) {
   out_err(LEVEL_FLOOD,Connection closed or timeout (socket %d)\n,context-controlfd);
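Review bot: the change to BUFFER_LEN-1 only removes the overflow if the byte it frees is actually used for the terminator, and nothing in this hunk writes it; the fix holds only if the caller stores buffer[ret] = '\0' after every successful read, so that store (or a comment pointing at where it happens) belongs beside this line. The cover mail also names a memset with a wrong length as the real problem in recent versions, and that is not touched here, so either a second hunk should carry that fix or the mail should state that this patch addresses only the off-by-one in do_login_loop.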

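The off-by-one discussed in this thread, as an added example written for this page and not taken from wzdftpd: a routine that fills a fixed-size command buffer from a socket must request at most one byte less than the buffer, so that the NUL terminator written afterwards stays in bounds. Everything here is constructed for the illustration: the small BUFFER_LEN, the fake_socket stand-in for the control connection, the read_command and terminator_fits helpers, and the over-long USER command used as peer input.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not wzdftpd code). A fixed-size command buffer is filled
 * by a read routine that must leave one byte free for the NUL terminator.
 * Requesting the full buffer size, as the unpatched line did, lets a
 * BUFFER_LEN-byte USER command fill the buffer completely, so the
 * terminator written afterwards lands one byte past the end. */

#define BUFFER_LEN 16  /* constructed small size; the real value is not on the page */

/* Constructed stand-in for the control socket: a byte stream with a cursor. */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} fake_socket;

/* Copies up to maxlen bytes into out, like a blocking read; returns bytes copied. */
static size_t fake_read(fake_socket *s, char *out, size_t maxlen)
{
    size_t avail = s->len - s->pos;
    size_t n = avail < maxlen ? avail : maxlen;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Returns 1 when a read of `requested` bytes into a buffer of `buflen`
 * bytes still leaves room for the terminator, 0 when it does not.
 * This is the arithmetic behind the patch: requested <= buflen - 1. */
int terminator_fits(size_t requested, size_t buflen)
{
    return buflen > 0 && requested <= buflen - 1;
}

/* Hardened reader: caps the request at buflen - 1 and always terminates.
 * Returns the number of payload bytes stored (excluding the NUL). */
size_t read_command(fake_socket *s, char *buf, size_t buflen)
{
    if (buflen == 0)
        return 0;
    size_t n = fake_read(s, buf, buflen - 1);
    buf[n] = '\0';  /* always in bounds: n <= buflen - 1 */
    return n;
}

/* Feeds a constructed over-long USER command through the hardened reader
 * and returns how many bytes the first read stored; the buffer is a valid
 * C string whatever the peer sent. */
size_t demo_long_user(void)
{
    static const char cmd[] =
        "USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n";
    fake_socket s = { cmd, sizeof(cmd) - 1, 0 };
    char buf[BUFFER_LEN];
    size_t n = read_command(&s, buf, sizeof buf);
    return strlen(buf) == n ? n : (size_t)-1;
}

/* Same reader on a short, well-formed command: the whole line is stored. */
size_t demo_short_user(void)
{
    static const char cmd[] = "USER bob\r\n";
    fake_socket s = { cmd, sizeof(cmd) - 1, 0 };
    char buf[BUFFER_LEN];
    size_t n = read_command(&s, buf, sizeof buf);
    return strlen(buf) == n ? n : (size_t)-1;
}
```

With a 16-byte buffer the long command is truncated to 15 bytes and terminated, whereas a reader that requested all 16 bytes would have to place the terminator at index 16. Truncation is the safe failure here; how the protocol layer then rejects or drains the over-long line is a separate design decision.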

Bug#438183: no action?

2007-09-09 Thread Pierre Chifflier
On Sun, Sep 09, 2007 at 10:39:34PM +0300, Nick Shaforostoff wrote:
> is it so hard to upload a fixed version of a package?
>

Bug is currently under resolution.
Sorry for the delay.

Pierre






Bug#427973: still conflicting files ...

2007-08-10 Thread Pierre Chifflier
On Fri, Aug 10, 2007 at 10:50:29AM +0200, Michael Ablassmeier wrote:
> found 427973 2.2.3-1
> thanks
>
> hi,
>
> nuauth and nuauth-extra *still* have conflicting files:
>
> Unpacking nuauth-extra (from .../nuauth-extra_2.2.3-1_amd64.deb) ...
> dpkg: error processing /var/cache/apt/archives/nuauth-extra_2.2.3-1_amd64.deb (--unpack):
>  trying to overwrite `/usr/lib/nuauth/modules/libsystem.a', which is also in package nuauth
> Errors were encountered while processing:
>  /var/cache/apt/archives/nuauth-extra_2.2.3-1_amd64.deb
> E: Sub-process /usr/bin/dpkg returned an error code (1)
>
> reopening this bug.
>

Hum, I think I have found the problem: the files in upstream svn were
not fixed, while the Debian package was; thus, every new release was
reintroducing the bug.

It will be fixed soon.

Regards,
Pierre





Bug#429344: severity 429344 wishlist

2007-06-20 Thread Pierre Chifflier
severity 429344 wishlist
tags 429344 +upstream
thanks

GLPI does not actually use PHPMailer, it only includes a patched copy
(so the bug is not RC). As explained in the previous mail, a change is
in progress in the upstream release.

Regards,
Pierre





Bug#429192: pending upload

2007-06-19 Thread Pierre Chifflier
tag 429192 +pending
tag 429344 +pending
thanks

The problem has been discussed with upstream. Actually, the library is
not used, so GLPI is not really vulnerable.
A new version has been released including the fix, and has been uploaded
to my sponsor (it will be uploaded ASAP).

A discussion is in progress with the upstream authors to remove the copy
of PHPMailer.

Regards,
Pierre





Bug#416402: wzdftpd-mod-avahi: unusable

2007-03-28 Thread Pierre Chifflier
On Tue, Mar 27, 2007 at 07:09:42PM +0200, Marc Dequènes wrote:
 
> Package: wzdftpd-mod-avahi
> Version: 0.8.1-1
> Severity: serious
>
>
> Coin,
>
> wzdftpd starts, then crashes 2s later with the following message:
> wzdftpd: libwzd_avahi.c:182: publish_reply: Assertion `g == ctx-group'
> failed.
>

Pan,

You did not specify which version of the avahi libs, which environment,
configuration or whatever. After installation and configuration, the
module works here:

Mar 28 13:53:25 Assigning default service name.
Mar 28 13:53:25 Module zeroconf loaded
Mar 28 13:53:25 Process 2304 ok
Mar 28 13:53:25 wzdftpd x86_64-linux-gnu mt 0.8.1 started (build 20061215)
Mar 28 13:53:25 Waiting for connections (main)
Mar 28 13:53:25 Successfully started avahi loop.

Debian unstable, amd64:
ii  libavahi-client3   0.6.16-5 Avahi client library
ii  libavahi-common-data   0.6.16-5 Avahi common data files


Can you please give more details about your installation, and logs if
relevant?

Regards,
Pierre




Bug#403080: wzdftpd: Crashes right after start with *** glibc detected *** free(): invalid pointer

2006-12-14 Thread Pierre Chifflier
On Thu, Dec 14, 2006 at 03:45:27PM +0100, Frederik Reiß wrote:
> It looks like /var/run/wzdftpd/ is not created, or is deleted, during or
> after the package installation. After creating /var/run/wzdftpd/ manually
> everything works fine.
>

Thanks for your help. I'll fix this in the next upload, along with the
new upstream version.

Regards,
Pierre



Bug#372531: Update of wzdftpd 0.5.2-1.1sarge1 for 3.1r3

2006-07-04 Thread Pierre Chifflier
On Tue, Jul 04, 2006 at 02:30:10PM +0200, Julien Danjou wrote:
> Hello,
>
> The fix for DSA-1006-1 on wzdftpd broke dependencies as explained in bug
> report #372531.
> We would like to see this bug fixed in the next stable point-release.
>
> Would it be possible for the security team to fix this package, or maybe for the
> maintainer to upload a new and fixed version of the package?
>
> Please, keep us in touch, since we plan to point-release ASAP.
>

Hi,

Since the debian/control file uses only depends like:
wzdftpd (= ${Source-Version})
a simple rebuild should fix the problem.

Q: Should I build the package myself, or maybe the security team can do
it?

Regards,
Pierre




Bug#372531: found 372531 in 0.5.2-1.1sarge1, notfound 372531 in 0.7.2-2

2006-06-12 Thread Pierre Chifflier
tags 372531 sarge
found 372531 0.5.2-1.1sarge1
notfound 372531 0.7.2-2

