Bug#868609: le FTBFS with latest ncurses
On 23 August 2017 at 14:56, Alexander V. Lukyanov <l...@netis.ru> wrote:
> On Fri, Aug 18, 2017 at 12:39:00PM +0200, Raphael Geissert wrote:
>> Do you plan to make a new release with the fixes? or should I grab the
>> patches from github?
>
> 1.16.5 has been released.

Awesome, thanks. I'll take care of the upload.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#868609: le FTBFS with latest ncurses
Alexander,

Do you plan to make a new release with the fixes? Or should I grab the patches from github?
I'd like to fix this some time soon to get le back in testing.

Thanks in advance.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#849382: [apt] Every package on the system gets silently upgraded to backports. The result is severe system breakage, malfunctioning and data loss.
Hi,

As discussed via IRC, this could be a case of https://bugs.debian.org/838920 in unattended-upgrades.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#802811: libqt5x11extras5: causes konsole to segfault in libX11 on startup
Hi Lisandro!

On Tue, 27 Oct 2015 15:30:42 -0300 Lisandro Damián Nicanor Pérez Meyer <perezme...@gmail.com> wrote:
> Hi everyone! We possibly have two issues here.
>
> The first one is the reported one, which should be fixed.
>
> Now the second one might most probably be because qtx11extras migrated to
> testing when it shouldn't have. This is the first time it happens for us.

Doesn't that sound like there's a missing dependency, somewhere? It sounds like a person using a testing-unstable mix would also be affected.

/me who also got hit by it

--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#796495: yubiserver: multiple vulnerabilities, affecting old/stable?
Package: yubiserver
Severity: grave
Version: 0.5-2
Tags: security

Hi,

the following vulnerabilities were published for yubiserver.

CVE-2015-0843[0]: Buffer overflows due to misuse of sprintf
CVE-2015-0842[1]: SQL injection issues (potential auth bypass)

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0843
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0843
[1] https://security-tracker.debian.org/tracker/CVE-2015-0842
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0842

N.b. this bug is meant to track the fixing of the vulnerabilities in stable (and oldstable, if it applies). Please refer to the following page to learn how to prepare a stable security update:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#780624: libmpeg2-4: introduces new symbols
Package: libmpeg2-4
Version: 0.5.1-6
Severity: serious

Hi,

Between wheezy and jessie libmpeg2-4 introduced at least one new symbol, mpeg2_guess_aspect, without even including a shlibs or symbols file. The result being that some applications using libmpeg2-4 that use the new symbols (perhaps directly, perhaps picked up?) do not have a proper versioned dependency on libmpeg2-4. One such package is gstreamer1.0-plugins-ugly, though there might be others.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#775673: texlive-bin: CVE-2015-0973: overflow in the embedded libpng
Source: texlive-bin
Version: 2014.20140926.35254-5
Severity: grave
Tags: security

Hi,

The embedded copy of libpng is vulnerable to CVE-2015-0973[1], a different bug than the one you fixed for #773824.
When fixing this bug please mention the CVE id so that it is easier to do some cross-referencing.

Thanks in advance.

[1] http://article.gmane.org/gmane.comp.security.oss.general/15382

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#772221: byobu: bashism in /bin/sh script
Control: severity -1 minor

Hi,

Please ignore the "sourced script with arguments" part, as it is a false positive in this case. Apologies.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#772233: bashism in /bin/sh script
Control: tag -1 patch Attached patch should do it. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.netIndex: gnunet-0.10.1-2/src/gns/gnunet-gns-proxy-setup-ca === --- gnunet-0.10.1-2/src/gns/gnunet-gns-proxy-setup-ca +++ gnunet-0.10.1-2/src/gns/gnunet-gns-proxy-setup-ca @@ -7,9 +7,9 @@ options='' while getopts c: opt; do case $opt in c) + options=$options -c $OPTARG - options+=-c $OPTARG ;; \?) echo Invalid option: -$OPTARG 2 exit 1 @@ -38,16 +38,16 @@ for f in ~/.mozilla/firefox/*.default do if [ -d $f ]; then echo Importing CA info Firefox $f +certutil -D -n GNS Proxy CA -d ~/.mozilla/firefox/*.default /dev/null 21 -certutil -D -n GNS Proxy CA -d ~/.mozilla/firefox/*.default /dev/null 21 certutil -A -n GNS Proxy CA -t CT,, -d ~/.mozilla/firefox/*.default $GNSCERT fi done if [ -d ~/.pki/nssdb ]; then echo Importing CA into Chrome + certutil -D -n GNS Proxy CA -d ~/.pki/nssdb /dev/null 21 - certutil -D -n GNS Proxy CA -d ~/.pki/nssdb /dev/null 21 certutil -A -n GNS Proxy CA -t CT,, -d ~/.pki/nssdb $GNSCERT fi Index: gnunet-0.10.1-2/contrib/gnunet-gns-import.sh === --- gnunet-0.10.1-2/contrib/gnunet-gns-import.sh +++ gnunet-0.10.1-2/contrib/gnunet-gns-import.sh @@ -25,9 +25,9 @@ while getopts c: opt; do case $opt in c) + options=$options -c $OPTARG - options+=-c $OPTARG ;; \?) echo Invalid option: -$OPTARG 2 exit 1
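Review bot: in the `c)` branch of the first hunk (gnunet-gns-proxy-setup-ca, `@@ -7,9 +7,9 @@`), the replacement line `options=$options -c $OPTARG` needs its right-hand side quoted, i.e. `options="$options -c $OPTARG"`; unquoted, the shell treats `options=$options` as a prefix assignment and tries to run `-c` as a command. The quotes may simply have been lost when this page was extracted, so please confirm them in the actual patch file. Note also that the `+` line precedes the `-` line here, the reverse of normal unified-diff order, which suggests the hunk text was reshuffled in extraction.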
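Review bot: in the second hunk (`@@ -38,16 +38,16 @@`) the removed and added `certutil -D` lines read identically on this page (`... /dev/null 21`), so the redirection change itself cannot be verified from the text; the intended rewrite of the form checkbashisms flagged is `>/dev/null 2>&1`, and the same applies to the `~/.pki/nssdb` line further down the hunk. Independently of the bashism, the Firefox loop iterates `for f in ~/.mozilla/firefox/*.default` and tests `[ -d $f ]`, yet both `certutil` calls pass the glob `~/.mozilla/firefox/*.default` to `-d` instead of `$f`; with more than one profile directory the glob expands to several words and `-d` gets the wrong argument. Suggest `-d "$f"` for both calls while this file is being touched.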
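Review bot: the third hunk (gnunet-gns-import.sh, `@@ -25,9 +25,9 @@`) has the same quoting concern as the first: `options=$options -c $OPTARG` should read `options="$options -c $OPTARG"`. The two scripts carry an identical getopts block, so it is worth applying exactly the same fix to both. The context line `echo Invalid option: -$OPTARG 2` presumably ends in `>&2` in the real file (the `>&` was lost in extraction) and needs no change.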
Bug#772217: cmtk: bashism in /bin/sh script
Package: cmtk
Severity: serious
Version: 3.2.2-1
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/lib/cmtk/bin/groupwise_reformat line 48 (alternative test command ([[ foo ]] should be [ foo ])):
while [[ $1 =~ ^- ]]; do
possible bashism in ./usr/lib/cmtk/bin/groupwise_reformat line 49 (should be VAR=${VAR}foo):
reformatOptions+=$1
possible bashism in ./usr/lib/cmtk/bin/groupwise_reformat line 92 ('((' should be '$(('):
((++idx))
possible bashism in ./usr/lib/cmtk/bin/groupwise_reformat line 106 (alternative test command ([[ foo ]] should be [ foo ])):
if [[ ${line} =~ ^\} ]]; then
possible bashism in ./usr/lib/cmtk/bin/groupwise_reformat line 126 (alternative test command ([[ foo ]] should be [ foo ])):
if [[ ${line} =~ target ]]; then
possible bashism in ./usr/lib/cmtk/bin/cmtk_functions.sh line 35 (should be '.', not 'source'):
source ${CMTK_BINARY_DIR}/cmtk_locking_procmail.sh
possible bashism in ./usr/lib/cmtk/bin/cmtk_functions.sh line 37 (should be '.', not 'source'):
source ${CMTK_BINARY_DIR}/cmtk_locking.sh
possible bashism in ./usr/lib/cmtk/bin/correct_dwi_distortion_and_motion line 124 (should be 'b = a'):
if [ ${bX} == ${b0FwdCorr} ]; then

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772219: cluster-glue: bashism in /bin/sh script
Package: cluster-glue
Severity: serious
Version: 1.0.12~rc1+hg2777-1.2
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/sbin/hb_report line 1219 ($BASH_SOMETHING):
[ ${BASH_VERSINFO[0]} = 4 ]; then
possible bashism in ./usr/sbin/hb_report line 1219 (bash arrays, ${name[0|*|@]}):
[ ${BASH_VERSINFO[0]} = 4 ]; then
possible bashism in ./usr/sbin/hb_report line 1221 (BASH(_SOMETHING)=):
BASH_XTRACEFD=3
possible bashism in ./usr/lib/stonith/plugins/external/ippower9258 line 72 (<<< here string):
$LOG_ERROR Received Challenge = $challenge.
possible bashism in ./usr/lib/stonith/plugins/external/ippower9258 line 73 (<<< here string):
$LOG_ERROR Sent postdata = $postdata.

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772221: byobu: bashism in /bin/sh script
Package: byobu
Severity: serious
Version: 5.87-1
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/byobu-launch line 66 (sleep only takes one integer):
sleep 0.1
possible bashism in ./usr/bin/byobu-janitor line 122 (sourced script with arguments):
printf [ -r $BYOBU_CONFIG_DIR/prompt ] . $BYOBU_CONFIG_DIR/prompt #byobu-prompt#\n $HOME/.bashrc
possible bashism in ./usr/bin/byobu-janitor line 126 (sourced script with arguments):
printf [ -r $BYOBU_CONFIG_DIR/prompt ] . $BYOBU_CONFIG_DIR/prompt #byobu-prompt#\n $HOME/.bashrc
possible bashism in ./usr/bin/byobu-janitor line 130 (sourced script with arguments):
[ -r $BYOBU_CONFIG_DIR/prompt ] || printf [ -r ${BYOBU_PREFIX}/share/${PKG}/profiles/bashrc ] . ${BYOBU_PREFIX}/share/${PKG}/profiles/bashrc #byobu-prompt#\n $BYOBU_CONFIG_DIR/prompt
possible bashism in ./usr/bin/byobu-enable-prompt line 31 (sourced script with arguments):
printf [ -r $prompt ] . $prompt #byobu-prompt#\n $HOME/.bashrc
possible bashism in ./usr/lib/byobu/hostname line 32 (sleep only takes one integer):
sleep 0.02
possible bashism in ./usr/lib/byobu/include/toggle-utf8 line 42 (sourced script with arguments):
tmux send-keys export BYOBU_CHARMAP=$BYOBU_CHARMAP ; . ~/.bashrc \; send-keys Enter
possible bashism in ./usr/lib/byobu/include/shutil line 222 (sleep only takes one integer):
sleep 0.02
possible bashism in ./usr/lib/byobu/ip_address line 46 (sleep only takes one integer):
sleep 0.02
possible bashism in ./usr/lib/byobu/ip_address line 65 (sleep only takes one integer):
sleep 0.02
possible bashism in ./usr/lib/byobu/ip_address line 70 (sleep only takes one integer):
sleep 0.02
possible bashism in ./usr/lib/byobu/ec2_cost line 41 (sleep only takes one integer):
sleep 0.02
possible bashism in ./usr/lib/byobu/ec2_cost line 45 (sleep only takes one integer):
sleep 0.02

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772225: couchdb: bashism in /bin/sh script
Package: couchdb
Severity: serious
Version: 1.4.0-3+b1
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/couchdb line 301 ('$[' should be '$(('):
count=$[count+1]

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772239: git-remote-gcrypt: bashism in /bin/sh script
Package: git-remote-gcrypt
Severity: serious
Version: 0.20130908-7
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/git-remote-gcrypt line 102 (setvar 'foo' 'bar' should be eval 'foo="$bar"'):
setvar $1 $f_append_tmp_$2
possible bashism in ./usr/bin/git-remote-gcrypt line 117 (setvar 'foo' 'bar' should be eval 'foo="$bar"'):
setvar $1 ${f_ret#$Newline}
possible bashism in ./usr/bin/git-remote-gcrypt line 135 (setvar 'foo' 'bar' should be eval 'foo="$bar"'):
setvar $1 ${f_ret%$Newline}
possible bashism in ./usr/bin/git-remote-gcrypt line 418 (setvar 'foo' 'bar' should be eval 'foo="$bar"'):
setvar $1 $good_sig
possible bashism in ./usr/bin/git-remote-gcrypt line 419 (setvar 'foo' 'bar' should be eval 'foo="$bar"'):
setvar $2 $signers_
possible bashism in ./usr/bin/git-remote-gcrypt line 462 (setvar 'foo' 'bar' should be eval 'foo="$bar"'):
setvar $1 $good_sig
possible bashism in ./usr/bin/git-remote-gcrypt line 463 (setvar 'foo' 'bar' should be eval 'foo="$bar"'):
setvar $2 $signers_
possible bashism in ./usr/bin/git-remote-gcrypt line 636 (setvar 'foo' 'bar' should be eval 'foo="$bar"'):
setvar $1 $r_del_list

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772233: gnunet: bashism in /bin/sh script
Package: gnunet
Severity: serious
Version: 0.10.1-2
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/gnunet-gns-import line 29 (should be VAR=${VAR}foo):
options+=-c $OPTARG
possible bashism in ./usr/bin/gnunet-gns-proxy-setup-ca line 11 (should be VAR=${VAR}foo):
options+=-c $OPTARG
possible bashism in ./usr/bin/gnunet-gns-proxy-setup-ca line 42 (should be >word 2>&1):
certutil -D -n GNS Proxy CA -d ~/.mozilla/firefox/*.default /dev/null 21
possible bashism in ./usr/bin/gnunet-gns-proxy-setup-ca line 49 (should be >word 2>&1):
certutil -D -n GNS Proxy CA -d ~/.pki/nssdb /dev/null 21

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772250: fbb: bashism in /bin/sh script
Package: fbb
Severity: serious
Version: 7.05f-2
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/sbin/fbb line 244 (bash arrays, ${name[0|*|@]}):
printf %-2s %-2s 1 %-6s 250 2 1 10 00/15 XUWYL %s\n\ $NB ${NB_CH[$NB]} ${PORT_NAME[$NB]} ${PORT_FREQ[$NB]}
possible bashism in ./usr/sbin/fbb line 280 (bash arrays, ${name[0|*|@]}):
echo Port $NB on axport ${PORT_NAME[$NB]} (${NB_CH[$NB]} channels) Freq=${PORT_FREQ[$NB]}

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772256: ferret-vis: bashism in /bin/sh script
Package: ferret-vis
Severity: serious
Version: 6.9-1
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/Fgo line 59 (should be 'b = a'):
if [ -z ${option} ] || [ ${option} == -d ]; then
possible bashism in ./usr/bin/Fgo line 64 (should be 'b = a'):
elif [ ${option} == -l ]; then
possible bashism in ./usr/bin/Fgo line 66 (should be 'b = a'):
elif [ ${option} == -m ] || [ ${option} == -more ]; then
possible bashism in ./usr/bin/Finstall line 24 (read with option other than -r):
read -p Is that correct and acceptable (y/n) [y] ans
possible bashism in ./usr/bin/Finstall line 36 (read with option other than -r):
read -p FER_DIR -- fer_dir
possible bashism in ./usr/bin/Finstall line 65 (read with option other than -r):
read -p Is that correct and acceptable (y/n) [y] ans
possible bashism in ./usr/bin/Finstall line 76 (read with option other than -r):
read -p FER_DSETS -- fer_dsets
possible bashism in ./usr/bin/Finstall line 103 (read with option other than -r):
read -p desired ferret_paths location -- ferpaths_dir
possible bashism in ./usr/bin/Finstall line 119 (read with option other than -r):
read -p Rename and create new? (n/y) [n] ans
possible bashism in ./usr/bin/Finstall line 123 (read with option other than -r):
read -p Select a different directory? (y/n) [y] ans
possible bashism in ./usr/bin/Finstall line 153 (read with option other than -r):
read -p ferret_paths link to create? (c/s/n) [n] -- ans
possible bashism in ./usr/bin/Finstall line 280 (read with option other than -r):
read -p 'fer_executables.tar.gz' location -- ferexec_dir
possible bashism in ./usr/bin/Finstall line 384 (read with option other than -r):
read -p (1, 2, 3, q, x) -- choice
possible bashism in ./usr/share/ferret-vis/bin/install_ferret_links line 11 (read with option other than -r):
read -p Install (i), remove (r), or quit (q)? activity

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772262: dnssec-trigger: bashism in /bin/sh script
Package: dnssec-trigger
Severity: serious
Version: 0.13~svn685-2
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 73 (should be >word 2>&1):
dnssec-trigger-control submit $global_nameservers /dev/null
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 86 (should be >word 2>&1):
unbound-control forward_remove +i $domain /dev/null
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 88 (should be >word 2>&1):
unbound-control forward_remove $domain /dev/null
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 90 (should be >word 2>&1):
unbound-control flush_zone $domain /dev/null
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 91 (should be >word 2>&1):
unbound-control flush_requestlist /dev/null
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 97 (should be >word 2>&1):
rm -f $conn_zones_file /dev/null
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 105 (should be >word 2>&1):
unbound-control forward_add +i $domain $nameservers /dev/null
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 107 (should be >word 2>&1):
unbound-control forward_add $domain $nameservers /dev/null
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 109 (should be >word 2>&1):
unbound-control flush_zone $domain /dev/null
possible bashism in ./etc/NetworkManager/dispatcher.d/01-dnssec-trigger line 110 (should be >word 2>&1):
unbound-control flush_requestlist /dev/null

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772325: libmbim-utils: bashism in /bin/sh script
Package: libmbim-utils
Severity: serious
Version: 1.10.0-2
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/mbim-network line 53 (should be 'b = a'):
if [ $1 == --help ]; then
possible bashism in ./usr/bin/mbim-network line 56 (should be 'b = a'):
elif [ $1 == --version ]; then

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772347: xbmc: bashism in /bin/sh script
Package: xbmc
Severity: serious
Version: 2:13.2+dfsg1-4
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/xbmc line 81 (should be >word 2>&1):
if which systemd-coredumpctl /dev/null; then
possible bashism in ./usr/bin/xbmc line 82 (should be >word 2>&1):
systemd-coredumpctl dump -o core xbmc.bin /dev/null

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772365: simpleburn: bashism in /bin/sh script
be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772376: tau: bashism in /bin/sh script
that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772410: scilab: bashism in /bin/sh script
Package: scilab
Severity: serious
Version: 5.5.1-4
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/scinotes line 53 (exit|return with negative status code):
exit -1
possible bashism in ./usr/bin/scinotes line 817 (should be 'b = a'):
if test $(pwd) == /; then
possible bashism in ./usr/bin/xcos line 53 (exit|return with negative status code):
exit -1
possible bashism in ./usr/bin/xcos line 817 (should be 'b = a'):
if test $(pwd) == /; then
possible bashism in ./usr/bin/scilab line 53 (exit|return with negative status code):
exit -1
possible bashism in ./usr/bin/scilab line 817 (should be 'b = a'):
if test $(pwd) == /; then
possible bashism in ./usr/bin/scilab-adv-cli line 53 (exit|return with negative status code):
exit -1
possible bashism in ./usr/bin/scilab-adv-cli line 817 (should be 'b = a'):
if test $(pwd) == /; then

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772188: avis: bashism in /bin/sh script
Package: avis
Severity: serious
Version: 1.2.2-3
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/sbin/avisd line 24 ($'...' should be $(printf '...')):
local NL=$'\x0a'

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772195: 389-ds-base: bashism in /bin/sh script
/monitor line 140 (should be 'b = a'):
if [ $ldapi == on ] [ $openldap == yes ]; then
possible bashism in ./usr/sbin/monitor line 141 (should be 'b = a'):
if [ $protocol == LDAPI ] || [ $protocol == ]; then
possible bashism in ./usr/sbin/monitor line 142 (should be 'b = a'):
if [ $(id -u) == 0 ] [ $autobind == on ]; then
possible bashism in ./usr/sbin/monitor line 143 (should be 'b = a'):
if [ $error == yes ]; then
possible bashism in ./usr/sbin/monitor line 148 (should be 'b = a'):
if [ $error == yes ]; then
possible bashism in ./usr/sbin/monitor line 160 (should be 'b = a'):
if [ $protocol == LDAP ] || [ $protocol == ]; then
possible bashism in ./usr/sbin/monitor line 161 (should be 'b = a'):
if [ $error == yes ]; then
possible bashism in ./usr/sbin/monitor line 164 (should be 'b = a'):
if [ $openldap == yes ]; then
possible bashism in ./usr/sbin/start-dirsrv line 67 (should be 'b = a'):
if [ -d /lib/systemd/system ] [ $(id -u) == 0 ];then
possible bashism in ./etc/init.d/dirsrv line 121 (sleep only takes one integer):
sleep 0.5

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#772191: armagetronad-dedicated: bashism in /bin/sh script
Package: armagetronad-dedicated
Severity: serious
Version: 0.2.8.3.2-2
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a bashism.

checkbashisms' output:
possible bashism in ./usr/games/armagetronad-dedicated line 33 (bash arrays, ${name[0|*|@]}): OLDESTSTART=${STARTDATE_LOG[1]}
possible bashism in ./usr/games/armagetronad-dedicated line 47 (bash arrays, ${name[0|*|@]}): STARTDATE_LOG[$f]=${STARTDATE_LOG[$next]}
possible bashism in ./usr/games/armagetronad-dedicated line 49 (bash arrays, H[0]): STARTDATE_LOG[10]=${STARTDATE}

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at: https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert
Bug#763148: Re: Bug#763148: Prevent migration to jessie
On Sunday 05 October 2014 22:48:17 Andreas Cadhalpun wrote:
> When and how was this decision made, if apparently not even all release team members were aware of that?

I refrained from making this comment on the previous debian-devel thread, but now I consider it necessary to be said: given your apparent lack of understanding of the situation and your way of communicating it, it only makes me wonder about the ability to work with you as the maintainer of such a security-sensitive package as ffmpeg is. I truly hope you understand the implications of such an impediment.

Regards,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#694143: php5-ffmpeg: FTBFS because of deprecated functions
Hi,

On 29 April 2014 12:44, Andreas Cadhalpun andreas.cadhal...@googlemail.com wrote:
> On 28.04.2014 23:37, Mikael Nordfeldth wrote:
> [...]
> I'm wondering if this package should be back in jessie, because upstream seems to be dead since 2009 and even with these patches it fails to build with FFmpeg2.2/libav10, that are coming to Debian now [3][4]:
> [...]
> I think what this package needs is a new upstream.

Yes, on second thought I think I'd better just ask for its removal. If either of you (or anyone else fwiw) is willing to actively maintain it, I could offer some time every now and then to sponsor the package.

Will be filing the removal request later today.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#745836: wget: certificate revocation is not checked
Control: severity -1 wishlist
Control: tags -1 security

On 25 April 2014 19:46, Vincent Lefevre vinc...@vinc17.net wrote:
> Package: wget
> Version: 1.15-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Certificate revocation is not checked: wget downloads
> [...]

It is not a bug, it is a missing feature.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#694143: php5-ffmpeg: FTBFS because of deprecated functions
Hi,

On Monday 28 April 2014 23:37:52 Mikael Nordfeldth wrote:
> Hello, I would like to present a patch which will help build 'php5-ffmpeg' against libav-0.9, after passing a hurdle which is not handled by the patch. The hurdle is that 'libavutil-dev' has the header file 'time.h':
>
> $ apt-file search libavutil/time.h
> libavutil-dev: /usr/include/libavutil/time.h
> [...]
> The include path /usr/include/libavutil is added when the build scripts configure ffmpeg-php, so the time.h references in various system libraries get pointed to the _wrong_ time.h.

Ah! That explains it! The missing declaration of time_t was puzzling me.

Thanks, I will take a look at the other bugs to get the package back in shape.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#743883: Is it realy fixed?
On 11 April 2014 08:40, Jerzy Sobczyk j.sobc...@elka.pw.edu.pl wrote:
> [...]
> After a while I have discovered that upgrading the openssl package is not enough! It is also necessary to upgrade packages (maybe too many):

All users are urged to upgrade their openssl packages (*especially libssl1.0.0*) and restart applications as soon as possible. [emphasis is mine]

We did mention it.

-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#734238: Patch for CVE-2013-6045
Salut Mathieu,

On 7 April 2014 10:16, Mathieu Malaterre ma...@debian.org wrote:
> Here is the dpatch version (thanks to http://matrixhasu.altervista.org/?view=use_dpatch).
> Raphaël, do you have the time to produce a 1.3+dfsg-4.8?

I can find some time to do it and release a revision to the DSA to fix the regression. I assume that the patch also works as-is in squeeze.

If you have a few minutes and you can prepare the packages yourself it'd be of great help. Just make sure you target squeeze-security and wheezy-security, follow the versioning schema, set urgency=high, make no other change and upload to security-master.d.o. Can you do that?

Thanks.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#741561: No longer ship cacert certificates
Control: severity -1 important
Control: tag -1 moreinfo

Hi,

On Thursday 13 March 2014 22:16:29 Klaus Ethgen wrote:
> [...]
> Moreover, it opens security holes in such systems as it is not possible anymore to be sure that a certificate is valid.

Any tool that doesn't ask for confirmation, or that doesn't require a special parameter, to connect to a server for which it cannot verify the validity of the certificate should be fixed. Don't hesitate to file a bug report against those tools.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#741299: freetype: CVE-2014-2240, CVE-2014-2241: stack OOB read/write, DoS
Source: freetype
Version: 2.5.1-1
Severity: grave
Tags: patch

Hi,

Two vulnerabilities have been identified in freetype in the recently contributed CFF rasterizer code. Please refer to the references for the details.

From what I understood from the bug report, CVE-2014-2240 is the stack OOB read/write, while CVE-2014-2241 is the DoS caused by the assert.

References:
http://openwall.com/lists/oss-security/2014/03/10/2
http://sourceforge.net/projects/freetype/files/freetype2/2.5.3/
https://savannah.nongnu.org/bugs/?41697
https://bugzilla.redhat.com/show_bug.cgi?id=1074646

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#731860: libtar: CVE-2013-4420: directory traversal when extracting archives
On 13 February 2014 19:23, Magnus Holmgren holmg...@debian.org wrote:
> On Tuesday 11 February 2014 11:26:15 you wrote:
> > On 9 February 2014 22:08, Magnus Holmgren mag...@kibibyte.se wrote:
> > > The first if should be a while, shouldn't it? Otherwise we'll only skip over the first ../ if file_name starts with ../../, if I'm not mistaken.
> >
> > That's handled by the while loop right after the if. Attached test case contains an entry called ../../../empty-file
> >
> > tar tf should print a warning message and list the full path, while libtar should simply print it as 'empty-file'.
>
> Yes, an odd number of .. will yield the desired result, but the even ..s will be missed.

Ah, yes, indeed. Nice catch.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#731860: libtar: CVE-2013-4420: directory traversal when extracting archives
Hi,

On 9 February 2014 22:08, Magnus Holmgren mag...@kibibyte.se wrote:
> The first if should be a while, shouldn't it? Otherwise we'll only skip over the first ../ if file_name starts with ../../, if I'm not mistaken.

That's handled by the while loop right after the if. Attached test case contains an entry called ../../../empty-file

tar tf should print a warning message and list the full path, while libtar should simply print it as 'empty-file'.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net

triple-double-dot.tar Description: Unix tar archive
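The odd/even behaviour discussed in this thread (here and in the follow-up above), as an added example that is neither libtar's code nor the attached patch: `strip_dotdot_once` reproduces the if-then-skip loop shape, `safer_name_suffix` is the while-based version, and `build_safe_path` sanitises the joined ustar prefix/name rather than the name alone. The `.` fallback, the static buffer and dropping leading slashes (which GNU tar does by default) are choices of this example.

```c
#include <stdio.h>
#include <string.h>

/* Loop shape under discussion: one `if` for "../", then a skip to the next
 * slash.  A matched "../" advances p by three AND the skip loop then eats
 * the following component, so an even number of leading "../" leaves one
 * behind ("../../x" comes back as "../x"). */
const char *strip_dotdot_once(const char *name)
{
    const char *p = name, *t = name;

    while (*p) {
        if (p[0] == '.' && p[1] == '.' && p[2] == '/') {
            p += 3;
            t = p;
        }
        /* advance pointer past the next slash */
        while (*p && *p++ != '/')
            ;
    }
    return *t ? t : ".";
}

/* Corrected version: `while` instead of `if`, so every run of "../" is
 * consumed before the skip loop runs.  Leading slashes are dropped as well,
 * which is what GNU tar does by default for member names. */
const char *safer_name_suffix(const char *name)
{
    const char *p = name, *t = name;

    while (*p) {
        while (p[0] == '.' && p[1] == '.' && p[2] == '/') {
            p += 3;
            t = p;
        }
        while (*p && *p++ != '/')
            ;
    }
    while (*t == '/')
        t++;
    return *t ? t : ".";
}

/* A ustar header carries the path split into prefix and name.  Sanitising
 * only the name lets a "../" hidden in the prefix through, so join first,
 * then strip.  The static buffer keeps the example self-contained. */
const char *build_safe_path(const char *prefix, const char *name)
{
    static char joined[512];

    if (prefix && *prefix)
        snprintf(joined, sizeof joined, "%s/%s", prefix, name);
    else
        snprintf(joined, sizeof joined, "%s", name);
    return safer_name_suffix(joined);
}

int main(void)
{
    /* Constructed entries: the thread's odd-count case and an even-count one */
    const char *entries[] = { "../../../empty-file", "../../empty-file",
                              "/etc/passwd", "a/../../b", "../" };
    size_t i;

    for (i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-20s  once: %-18s  while: %s\n", entries[i],
               strip_dotdot_once(entries[i]), safer_name_suffix(entries[i]));
    printf("prefix \"../..\" + name \"etc/passwd\" -> %s\n",
           build_safe_path("../..", "etc/passwd"));
    return 0;
}
```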
Bug#734238: Fix for CVE-2013-6045 breaks decoding of chroma-subsampled images
Hi,

For further reference, this is the change made with segfault1.dpatch

I'm not sure how it is that openjpeg even works with that image, as there are some parts of the code that really assume that all components have at least the number of blocks of the first component. Possibly making it write to memory outside the allocated buffer.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#732963: ssh fails with OpenSSL version mismatch. Built against 1000105f, you have 10001060
forcemerge 732940 732963
affects 732940 libssl1.0.0
thanks

On 23 December 2013 09:54, Evgeni Golov evg...@debian.org wrote:
> [...]
> with the recent libssl upgrade, my openssh client stopped working. e.g.:
> % ssh pinky.die-welt.net
> OpenSSL version mismatch. Built against 1000105f, you have 10001060

Known bug in openssh. Merging.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#732966: [openssl] Update to openssl 1.0.1e-5 renders X unusable
reassign 732966 openssh
forcemerge 732940 732966
thanks

On 23 December 2013 10:04, Ferdinand Thommes de...@siduction.org wrote:
> [...]
> Starting OpenBSD Secure Shell server: sshdOpenSSL version mismatch. Built against 1000105f, you have 10001060
> same in X-session errors:
> OpenSSL version mismatch. Built against 1000105f, you have 10001060

That's openssh. If there's anything else that's breaking your DM or something else then it might be another bug in a different package, but not in openssl.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#732144: Bug#731357: opu: package librsvg/2.26.3-2
Hi again, Found another case where it didn't work as expected. Updated, attached, patch should do it. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net Index: librsvg-2.26.3/rsvg-image.c === --- librsvg-2.26.3.orig/rsvg-image.c 2013-12-20 14:28:57.731991069 +0100 +++ librsvg-2.26.3/rsvg-image.c 2013-12-20 14:38:59.384692376 +0100 @@ -325,22 +325,7 @@ rsvg_acquire_vfs_resource (const char *f file = g_file_new_for_uri (filename); -if (!(res = g_file_load_contents (file, NULL, data, size, NULL, error))) { -if (base_uri != NULL) { -GFile *base; - -rsvg_free_error (error); - -g_object_unref (file); - -base = g_file_new_for_uri (base_uri); -file = g_file_resolve_relative_path (base, filename); -g_object_unref (base); - -res = g_file_load_contents (file, NULL, data, size, NULL, error); -} -} - +res = g_file_load_contents (file, NULL, data, size, NULL, error); g_object_unref (file); if (res) { 
@@ -356,23 +341,136 @@ rsvg_acquire_vfs_resource (const char *f } #endif +/* Partial origin-based policy, based on the one implemented in f01aded72c38f0e1 */ +gboolean +_rsvg_acquire_xlink_allow_load (const char *href, const char *base_uri, GError ** err) +{ +char *base_scheme = NULL, *href_scheme = NULL; + +if (base_uri) +base_scheme = g_uri_parse_scheme (base_uri); +if (href) +href_scheme = g_uri_parse_scheme (href); + +/* Not a valid URI */ +if (href_scheme == NULL) +goto deny; + +/* Allow loads of data: from any location */ +if (g_str_equal (href_scheme, data)) +goto allow; + +/* no valid base URI */ +if (base_scheme == NULL) +goto deny; + +/* Deny loads from differing URI schemes */ +if (href_scheme == NULL || !g_str_equal (href_scheme, base_scheme)) +goto deny; + +/* resource: is allowed to load anything from other resources */ +if (g_str_equal (href_scheme, resource)) +goto allow; + +/* Non-file: isn't allowed to load anything */ +if (!g_str_equal (href_scheme, file)) +goto deny; + +/* no local-file policy is applied here */ + +allow: +free(base_scheme); +free(href_scheme); +return TRUE; + +deny: +free(base_scheme); +free(href_scheme); +g_set_error (err, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED, + File may not link to URI \%s\, href); +return FALSE; +} + GByteArray * _rsvg_acquire_xlink_href_resource (const char *href, const char *base_uri, GError ** err) { GByteArray *arr = NULL; +char *base_scheme = NULL, *href_scheme = NULL; +char *href_uri = NULL; +#ifndef HAVE_GIO +/* to be used ONLY for the policy check */ +GString *href_uri_str = NULL; +#endif if (!(href *href)) return NULL; -if (!strncmp (href, data:, 5)) +if (base_uri) +base_scheme = g_uri_parse_scheme (base_uri); +if (href) +href_scheme = g_uri_parse_scheme (href); + +if (href_scheme g_str_equal (href_scheme, data)) arr = rsvg_acquire_base64_resource (href, NULL); +if (arr) +goto done; -if (!arr) +#ifdef HAVE_GIO +/* if href is not a URI already, turn it into one based on base_uri */ +if 
(href_scheme == NULL) { +GFile *file, *base, *parentless_base; +base = g_file_new_for_uri (base_uri); +/* now strip the file name: */ +parentless_base = g_file_get_parent (base); +file = g_file_resolve_relative_path (parentless_base, href); + +g_object_unref (base); +g_object_unref (parentless_base); +href_uri = g_file_get_uri(file); +g_object_unref (file); +} else { +href_uri = strdup (href); +if (!href_uri) /* FIXME: better handling failure */ +goto done; +} +#else +if (href_scheme == NULL) { +href_uri_str = g_string_new(href); +if (base_scheme) { +/* try to turn href into a uri */ +g_string_prepend (href_uri_str, ://); +g_string_prepend (href_uri_str, base_scheme); +/* no need to free, as href_scheme is NULL, remember? */ +href_scheme = strdup (base_scheme); +if (!href_scheme) /* FIXME: better handling failure */ +goto done; +} else +goto done; +} else { +href_uri_str = g_string_new(href); +} +href_uri = href_uri_str-str; +#endif + +if (!_rsvg_acquire_xlink_allow_load(href_uri, base_uri, err)) +goto done; + +#ifdef HAVE_GIO +arr = rsvg_acquire_vfs_resource (href_uri, base_uri, NULL); +#else +/* href must be a path for fopen() to work */ +if (g_str_equal (href_scheme, file)) arr = rsvg_acquire_file_resource (href, base_uri, NULL); +#endif + +done: +free(href_scheme); +free
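Review bot: in the HAVE_GIO branch of _rsvg_acquire_xlink_href_resource, the `href_scheme == NULL` path calls `g_file_new_for_uri (base_uri)` without first checking that base_uri is non-NULL, whereas the #else branch guards on base_scheme and goes to done; a relative href with no base URI should take the same bail-out here. Two smaller points: strings returned by g_uri_parse_scheme should be released with g_free rather than free (and the duplicate made with g_strdup rather than strdup), and in _rsvg_acquire_xlink_allow_load the `href_scheme == NULL ||` half of the scheme comparison is dead code, since that case already went to deny a few lines earlier.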
Bug#732144: Bug#731357: opu: package librsvg/2.26.3-2
Control: tag 732144 patch Attached patch should correctly handle URIs and non-URIs. I've tested it with a few applications using relative and absolute paths, and URIs. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net Index: librsvg-2.26.3/rsvg-image.c === --- librsvg-2.26.3.orig/rsvg-image.c 2013-12-19 11:47:57.499003067 +0100 +++ librsvg-2.26.3/rsvg-image.c 2013-12-19 12:20:32.046140515 +0100 @@ -325,22 +325,7 @@ rsvg_acquire_vfs_resource (const char *f file = g_file_new_for_uri (filename); -if (!(res = g_file_load_contents (file, NULL, data, size, NULL, error))) { -if (base_uri != NULL) { -GFile *base; - -rsvg_free_error (error); - -g_object_unref (file); - -base = g_file_new_for_uri (base_uri); -file = g_file_resolve_relative_path (base, filename); -g_object_unref (base); - -res = g_file_load_contents (file, NULL, data, size, NULL, error); -} -} - +res = g_file_load_contents (file, NULL, data, size, NULL, error); g_object_unref (file); if (res) { 
@@ -356,23 +341,137 @@ rsvg_acquire_vfs_resource (const char *f } #endif +/* Partial origin-based policy, based on the one implemented in f01aded72c38f0e1 */ +gboolean +_rsvg_acquire_xlink_allow_load (const char *href, const char *base_uri, GError ** err) +{ +char *base_scheme = NULL, *href_scheme = NULL; + +if (base_uri) +base_scheme = g_uri_parse_scheme (base_uri); +if (href) +href_scheme = g_uri_parse_scheme (href); + +/* Not a valid URI */ +if (href_scheme == NULL) +goto deny; + +/* Allow loads of data: from any location */ +if (g_str_equal (href_scheme, data)) +goto allow; + +/* no valid base URI */ +if (base_scheme == NULL) +goto deny; + +/* Deny loads from differing URI schemes */ +if (href_scheme == NULL || !g_str_equal (href_scheme, base_scheme)) +goto deny; + +/* resource: is allowed to load anything from other resources */ +if (g_str_equal (href_scheme, resource)) +goto allow; + +/* Non-file: isn't allowed to load anything */ +if (!g_str_equal (href_scheme, file)) +goto deny; + +/* no local-file policy is applied here */ + +allow: +free(base_scheme); +free(href_scheme); +return TRUE; + +deny: +free(base_scheme); +free(href_scheme); +g_set_error (err, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED, + File may not link to URI \%s\, href); +return FALSE; +} + GByteArray * _rsvg_acquire_xlink_href_resource (const char *href, const char *base_uri, GError ** err) { GByteArray *arr = NULL; +char *base_scheme = NULL, *href_scheme = NULL; +char *href_uri = NULL; +#ifndef HAVE_GIO +/* to be used ONLY for the policy check */ +GString *href_uri_str = NULL; +#endif if (!(href *href)) return NULL; -if (!strncmp (href, data:, 5)) +if (base_uri) +base_scheme = g_uri_parse_scheme (base_uri); +if (href) +href_scheme = g_uri_parse_scheme (href); + +if (href_scheme g_str_equal (href_scheme, data)) arr = rsvg_acquire_base64_resource (href, NULL); +if (arr) +goto done; -if (!arr) +#ifdef HAVE_GIO +/* if href is not a URI already, turn it into one based on base_uri */ +if 
(href_scheme == NULL) { +GFile *file, *base, *parentless_base; +base = g_file_new_for_uri (base_uri); +/* now strip the file name: */ +parentless_base = g_file_get_parent (base); +base = g_file_new_for_uri (base_uri); +file = g_file_resolve_relative_path (parentless_base, href); + +g_object_unref (base); +g_object_unref (parentless_base); +href_uri = g_file_get_uri(file); +g_object_unref (file); +} else { +href_uri = strdup (href); +if (!href_uri) /* FIXME: better handling failure */ +goto done; +} +#else +if (href_scheme == NULL) { +href_uri_str = g_string_new(href); +if (base_scheme) { +/* try to turn href into a uri */ +g_string_prepend (href_uri_str, ://); +g_string_prepend (href_uri_str, base_scheme); +/* no need to free, as href_scheme is NULL, remember? */ +href_scheme = strdup (base_scheme); +if (!href_scheme) /* FIXME: better handling failure */ +goto done; +} else +goto done; +} else { +href_uri_str = g_string_new(href); +} +href_uri = href_uri_str-str; +#endif + +if (!_rsvg_acquire_xlink_allow_load(href_uri, base_uri, err)) +goto done; + +#ifdef HAVE_GIO +arr = rsvg_acquire_vfs_resource (href_uri, base_uri, NULL); +#else +/* href must be a path for fopen() to work */ +if (g_str_equal (href_scheme, file
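Review bot: in the HAVE_GIO branch, `base = g_file_new_for_uri (base_uri);` appears twice: the second call overwrites the GFile that `g_file_get_parent (base)` was just called on, so the first reference is never released. Drop the second call; the `g_object_unref (base);` that follows then releases the right object. The same branch also calls g_file_new_for_uri with base_uri unchecked for NULL, while the #else branch tests base_scheme before building a URI.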
Bug#731860: libtar: CVE-2013-4420: directory traversal when extracting archives
Source: libtar Severity: grave Tags: security Hi, the following vulnerability was published for libtar. CVE-2013-4420[0]: tar_extract_glob and tar_extract_all path prefix directory traversal If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420 http://security-tracker.debian.org/tracker/CVE-2013-4420 Attached is a proposed patch that makes libtar work similarly to tar. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net Index: libtar-1.2.16/lib/decode.c === --- libtar-1.2.16.orig/lib/decode.c 2013-12-09 14:11:03.212344872 +0100 +++ libtar-1.2.16/lib/decode.c 2013-12-09 14:49:19.865470471 +0100 
@@ -21,24 +21,54 @@ # include string.h #endif +char * +safer_name_suffix (char const *file_name) +{ + char const *p, *t; + p = t = file_name; + while (*p) + { + if (p[0] == '.' p[0] == p[1] p[2] == '/') + { + p += 3; + t = p; + } + /* advance pointer past the next slash */ + while (*p (p++)[0] != '/'); + } + + if (!*t) + { + t = .; + } + + if (t != file_name) + { + /* TODO: warn somehow that the path was modified */ + } + return (char*)t; +} /* determine full path name */ char * th_get_pathname(TAR *t) { static char filename[MAXPATHLEN]; + char *safer_name; if (t-th_buf.gnu_longname) - return t-th_buf.gnu_longname; + return safer_name_suffix(t-th_buf.gnu_longname); + + safer_name = safer_name_suffix(t-th_buf.name); if (t-th_buf.prefix[0] != '\0') { snprintf(filename, sizeof(filename), %.155s/%.100s, - t-th_buf.prefix, t-th_buf.name); + t-th_buf.prefix, safer_name); return filename; } - snprintf(filename, sizeof(filename), %.100s, t-th_buf.name); + snprintf(filename, sizeof(filename), %.100s, safer_name); return filename; } Index: libtar-1.2.16/lib/extract.c === --- libtar-1.2.16.orig/lib/extract.c 2013-12-09 14:11:03.212344872 +0100 +++ libtar-1.2.16/lib/extract.c 2013-12-09 14:39:22.248955358 +0100 @@ -305,7 +305,7 @@ tar_extract_hardlink(TAR * t, char *real linktgt = lnp[strlen(lnp) + 1]; } else - linktgt = th_get_linkname(t); + linktgt = safer_name_suffix(th_get_linkname(t)); #ifdef DEBUG printf( == extracting: %s (link to %s)\n, filename, linktgt); 
@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna #ifdef DEBUG printf( == extracting: %s (symlink to %s)\n, - filename, th_get_linkname(t)); + filename, safer_name_suffix(th_get_linkname(t))); #endif - if (symlink(th_get_linkname(t), filename) == -1) + if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1) { #ifdef DEBUG perror(symlink()); Index: libtar-1.2.16/lib/internal.h === --- libtar-1.2.16.orig/lib/internal.h 2012-05-17 09:34:32.0 +0200 +++ libtar-1.2.16/lib/internal.h 2013-12-09 14:36:57.503866114 +0100 @@ -15,3 +15,4 @@ #include libtar.h +char* safer_name_suffix(char const*);
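Review bot: in safer_name_suffix, the `if` on "../" followed by the skip-to-next-slash loop consumes two components per iteration, so an even number of leading "../" leaves one behind ("../../x" comes back as "../x"); make the test a `while` so that every leading "../" is removed before the skip loop runs. Also, th_get_pathname sanitises th_buf.name but then concatenates the unsanitised th_buf.prefix in front of it, so the stripping should be applied to the joined prefix/name path rather than to name alone.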
Bug#731237: openjpeg: CVE-2013-1447 CVE-2013-6045 CVE-2013-6052 CVE-2013-6054
Hi,

There are also some other issues that are specific to 1.5.1 (or at least they do not affect 1.3):
CVE-2013-6053: information leaks
CVE-2013-6887: DoS

All the patches will be available as soon as I forward to oss-sec the messages I sent to the distros list.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#730637: gtk+3.0: FTBFS when building with -j8
Source: gtk+3.0
Version: 3.4.2-6
Severity: serious

Hi,

Building gtk+3.0 from wheezy with -j8 makes it FTBFS:

Making all in gtk
make[5]: Entering directory `/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk'
DOC Preparing build
DOC Scanning header files
DOC Introspecting gobjects
.libs/gtk3-scan.o: In function `get_object_types':
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:249: undefined reference to `g_action_muxer_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:250: undefined reference to `g_action_observable_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:251: undefined reference to `g_action_observer_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:252: undefined reference to `g_simple_action_observer_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:303: undefined reference to `gtk_color_editor_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:304: undefined reference to `gtk_color_plane_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:305: undefined reference to `gtk_color_scale_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:308: undefined reference to `gtk_color_swatch_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:371: undefined reference to `gtk_model_menu_item_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:383: undefined reference to `gtk_press_and_hold_get_type'
/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk/gtk3-scan.c:458: undefined reference to `gtk_tree_model_ref_count_get_type'
collect2: error: ld returned 1 exit status
Linking of scanner failed:
make[5]: *** [scan-build.stamp] Error 1
make[5]: Leaving directory `/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference/gtk'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs/reference'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared/docs'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/tmp/buildd/gtk+3.0-3.4.2/debian/build/shared'
make: *** [debian/stamp-makefile-build/shared] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

I haven't tried with the version in sid.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#692606: Marking as done in recent versions
Hi,

On 28 October 2013 08:53, Yves-Alexis Perez cor...@debian.org wrote:
> Hi, it seems we never actually received the mail for the reassign, please always copy the destination package people so they're actually aware of it.

Gah, right.

> I'm closing the bug with version information so it's correctly tracked as fixed in later versions. I'll coordinate with SRM for uploading a fix to stable. Are you available to test a tentatively fixed package before upload?

The change is trivial, but sure.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#726578: pwgen: Multiple vulnerabilities in passwords generation
Hi,

On 16 October 2013 22:03, Yves-Alexis Perez cor...@debian.org wrote:
> I'm not too sure how to handle that, especially for stable releases, since it seems major refactoring might be needed to get rid of the weaknesses and bias.

I think it's best to write a script that uses makepasswd and is command-line and output-compatible with pwgen. Basically changing everything under the hood without letting others know.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#723716: hplip: CVE-2013-4325
Control: tag -1 patch
Control: found -1 3.10.6-2

Hi,

Could you also please prepare fixed packages targeting old/stable for a DSA? Once prepared please send the debdiff to team@security.d.o to coordinate their upload and release.

Thanks in advance,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#722536: eglibc: CVE-2013-4332
Control: tags -1 + patch

Hi,

Attached patch applies to eglibc 2.11 and 2.13 (squeeze and wheezy). It is the same as upstream, but with a fixed context. Tested on both releases.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net

CVE-2013-4332.patch Description: Binary data
Bug#723103: dieharder: non-free due to $beverage clause?
Package: dieharder
Severity: grave
Version: 3.31.1-3
X-Debbugs-cc: ftpmas...@debian.org

Hi,

As per the copyright file[1]:

> License is granted to build or use the accompanying software: dieharder according to the following standard Gnu General Public License or any later versions, with the one minor Beverage modification listed below. Note that this modification is probably not legally defensible and can be followed really pretty much according to the honor rule.
>
> As to my personal preferences in beverages, red wine is great, beer is delightful, and Coca Cola or coffee or tea or even milk acceptable to those who for religious or personal reasons wish to avoid stressing my liver.
>
> The Beverage Modification to the GPL
>
> Any user of this software shall, upon meeting the primary author(s) of this software for the first time under the appropriate circumstances, offer to buy him or her or them a beverage. This beverage may or may not be alcoholic, depending on the personal ethical and moral views of the offerer. The beverage cost need not exceed one U.S. dollar (although it certainly may at the whim of the offerer:-) and may be accepted or declined with no further obligation on the part of the offerer. It is not necessary to repeat the offer after the first meeting, but it can't hurt...

This looks non-free; it turns the program into beerware. CC'ing ftpmasters so that they can comment and act if necessary.

[1] http://ftp-master.metadata.debian.org/changelogs/main/d/dieharder/unstable_copyright

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#694143: [php-maint] Bug#694143: FTBFS against libav 9
Hi,

On 9 September 2013 16:43, Moritz Mühlenhoff j...@inutil.org wrote:
> On Sat, Nov 24, 2012 at 11:46:02AM +0100, Ondřej Surý wrote:
> > severity 694143 wishlist
> > thank you
> >
> > We are in freeze, and libav9 is not even in unstable, it's by no means an important bug. You might raise the severity once we have released and the transition is planned with the release team.
>
> In the meantime libav9 was uploaded, could you please look into a fix?

I had completely forgotten about this bug *sigh*

Will try to give it a shot this week unless somebody beats me to it.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#719462: should this package be removed?
Hi,

On 29 August 2013 19:23, Zed Pobre z...@resonant.org wrote:
> On Thu, Aug 29, 2013 at 04:59:09PM +0200, Moritz Muehlenhoff wrote:
> > I think we should rather update to the current libmodplug in stable/oldstable.
> [...]
> Given that all of the changes since Squeeze appear to be bugfixes, I think that there's really very little risk in pushing 0.8.8.4+patches back to both Squeeze and Wheezy (other than that there are likely still undiscovered bugs), but note that there hasn't actually been an official new versioned release with the new fixes yet.

I think this would just delay the inevitable, and that players should really split support for non-common formats into packages that are not installed by default. Anyway, since removing support for libmodplug in some players only works around the problem, let's do it this way for now. Note, however, that a few changes are needed to the packaging given that it now uses dpkg-buildflags.

> I would be building out of Git (which does contain as of yesterday Raphael's patch).

Yes, please. For old/stable please also prepare the packages (taking care of the version number so that upgrades from squeeze to wheezy to jessie are possible), targeting the $codename-security archives with a symbolic urgency of high, and send the debdiffs to team@security.d.o prior to their upload to the security archive.

Thanks in advance.

Cheers,
-- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Bug#719462: should this package be removed?
Hi Zed,

Looking at the big picture here it seems like the best way to go with libmodplug is to remove it from old/stable and then re-consider its inclusion in jessie and future releases.

MOD and other formats are rarely used yet they are readily available in mainstream audio/video players through gstreamer, vlc, and xine. These players/frameworks expose a lot of code that was most likely not written with security in mind, putting users at risk.

What I propose then is to:
* modify rdepends so that they no longer use libmodplug
* drop the modplug package entirely if no longer used

Let me know what you think.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#719462: libmodplug: CVE-2013-4233 CVE-2013-4234
Hi,

On 14 August 2013 16:17, Raphael Geissert geiss...@debian.org wrote:
> Looking at your fix in c4d4e0478, I'd look into fixing it in a way that doesn't imply that integers overflow, as that's undefined behavior and can be optimised away by compilers. None of the instructions can actually decrease j, so j + 1 can never be = 0 if integers don't overflow.
>
> Wouldn't it be better to just set a limit to j that is checked while calculating the amount of memory that is needed, and that is lower enough than INT_MAX that performing one more iteration won't overflow it?

Attached patch does something like the above and performs a check on the value of i, which I believe can be made to point past the end of the buffer.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

0001-Don-t-rely-on-the-behaviour-of-signed-integer-overfl.patch
Bug#712745: Re: [Pkg-puppet-devel] Bug#712745: Bug#7712745: puppet: CVE-2013-3567
Hi again,

On 31 July 2013 17:43, Chris Boot c...@tiger-computing.co.uk wrote:
> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've had to roll our own update internally that includes the patch in order to correctly process reports from other servers.

Are you sure that this issue wasn't already present before the security update? After reviewing all the fields I don't see any extra being added or deleted.

There is one issue, however, where the report format wasn't bumped to version 3 but this comes from upstream: http://projects.puppetlabs.com/issues/15739

You could check if that is the issue by modifying transaction/report.rb's initialize to @report_format = 3.

Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#712745: [Pkg-puppet-devel] Bug#712745: Bug#712745: puppet: CVE-2013-3567
Hi Chris,

On 20 August 2013 11:22, Chris Boot c...@tiger-computing.co.uk wrote:
> The issue was causing reports from squeeze machines (running 2.6.2-5+squeeze6/7/8) to be misparsed by the security-patched wheezy version of Puppet, causing invalid reports to be stored to disk and sent to Dashboard.
>
> Applying CVE-2013-3567.fixup-for-v3.patch on our Puppet master causes valid reports to be stored on disk and sent to Dashboard with no changes to the slave nodes.

Er, that's a weird combination of versions, but in any case with the patch you sent you are downgrading puppet 2.7's report format from version 2 (3 actually) to version 1.

I personally don't think this has anything to do with the security update and I'd rather look into the consumer of the reports (puppet dashboard in this case). Temporarily downgrading to the version prior to the DSA could allow you to confirm whether this is in fact a regression.

--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#719462: libmodplug: CVE-2013-4233 CVE-2013-4234
Hi Konstanty,

Looking at your fix in c4d4e0478, I'd look into fixing it in a way that doesn't imply that integers overflow, as that's undefined behavior and can be optimised away by compilers. None of the instructions can actually decrease j, so j + 1 can never be = 0 if integers don't overflow.

Wouldn't it be better to just set a limit to j that is checked while calculating the amount of memory that is needed, and that is lower enough than INT_MAX that performing one more iteration won't overflow it?

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
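The pattern Raphael asks for in this message and in the one above it (an explicit limit on the counter j that is tested before the increment and sits well below INT_MAX, plus a bounds check on the index i before it is used) as an added example. This is not libmodplug code and not the attached patch: the one-length-byte-per-record stream format, the functions count_records/parse_records and the MAX_RECORDS constant are all hypothetical, chosen only to show the two checks in working C.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical record stream: each record is one length byte followed by
 * that many payload bytes. Nothing here is libmodplug's format or code. */

/* Explicit limit on the record count. INT_MAX / 2 leaves plenty of room:
 * j + 1 can never wrap, and j * sizeof(struct record) fits in size_t on
 * any platform where sizeof(size_t) >= sizeof(int). */
#define MAX_RECORDS (INT_MAX / 2)

struct record {
    uint32_t offset;   /* byte offset of the payload within the stream */
    uint32_t length;   /* payload length in bytes */
};

/* First pass: count records and validate the stream.
 * Returns the count, or -1 if a length byte promises more payload than
 * remains (a truncated or hostile stream) or the count would exceed
 * MAX_RECORDS. Never reads outside buf[0..len). */
int count_records(const unsigned char *buf, size_t len)
{
    int j = 0;
    size_t i = 0;

    while (i < len) {
        size_t payload = buf[i];

        /* Bounds check on i before it is advanced: the payload has to fit
         * in what is left after the length byte. The subtraction is on the
         * side already known to be valid (i < len), so it cannot wrap. */
        if (payload > len - i - 1)
            return -1;

        /* Limit tested before the increment. Writing `if (j + 1 <= 0)`
         * after the fact would rely on signed overflow, which is undefined
         * behaviour; since nothing ever decreases j, a compiler may treat
         * that test as always false and delete it. */
        if (j >= MAX_RECORDS)
            return -1;
        j++;

        i += 1 + payload;
    }
    return j;
}

/* Second pass: allocate from the validated count and fill the table.
 * The multiplication cannot overflow once j is bounded, but the explicit
 * test documents the invariant and survives later changes to the limit or
 * the struct. Returns NULL on a malformed stream or allocation failure. */
struct record *parse_records(const unsigned char *buf, size_t len, int *out_count)
{
    int n = count_records(buf, len);
    if (n < 0 || (size_t)n > SIZE_MAX / sizeof(struct record))
        return NULL;

    /* calloc(0, ...) may legitimately return NULL; ask for at least one. */
    struct record *recs = calloc(n > 0 ? (size_t)n : 1, sizeof *recs);
    if (recs == NULL)
        return NULL;

    size_t i = 0;
    for (int k = 0; k < n; k++) {
        recs[k].length = buf[i];
        recs[k].offset = (uint32_t)(i + 1);
        i += 1 + recs[k].length;
    }
    *out_count = n;
    return recs;
}

/* Constructed sample streams. */
static const unsigned char good_stream[] = { 2, 'a', 'b', 0, 1, 'c' }; /* 3 records */
static const unsigned char truncated_stream[] = { 5, 'a', 'b' };       /* promises 5, has 2 */

int count_good(void)      { return count_records(good_stream, sizeof good_stream); }
int count_truncated(void) { return count_records(truncated_stream, sizeof truncated_stream); }

/* Parses good_stream and returns its record count, or -1 if the parsed
 * offsets/lengths disagree with what the stream encodes. */
int parse_good(void)
{
    int n = 0;
    struct record *r = parse_records(good_stream, sizeof good_stream, &n);
    if (r == NULL)
        return -1;
    int ok = n == 3
          && r[0].offset == 1 && r[0].length == 2
          && r[1].offset == 4 && r[1].length == 0
          && r[2].offset == 5 && r[2].length == 1;
    free(r);
    return ok ? n : -1;
}

/* parse_records() must refuse the truncated stream; returns 1 if it did. */
int parse_truncated_refused(void)
{
    int n = 0;
    return parse_records(truncated_stream, sizeof truncated_stream, &n) == NULL;
}
```

The limit is deliberately far below the arithmetic ceiling: the aim is not to detect the exact moment j would wrap, but to make the wrap unreachable, so that the later size computation needs no overflow-detecting trick at all.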
Bug#712745: Re: [Pkg-puppet-devel] Bug#712745: Bug#7712745: puppet: CVE-2013-3567
Hi Stig, Chris,

Stig: Have you been able to check the report? I haven't taken a proper look at it, but I think there's at least one extra field that doesn't correspond to the format version.

On 31 July 2013 17:43, Chris Boot c...@tiger-computing.co.uk wrote:
> On 25/06/13 17:36, Raphael Geissert wrote:
>> On 21 June 2013 17:07, Raphael Geissert geiss...@debian.org wrote:
>>> As promised via IRC, attached patch is a version that actually works.
>>
>> And now a patch to be applied on top of it to restore the compatibility of the reports.
>
> This patch isn't part of 2.7.18-5, which is currently in wheezy. We've had to roll our own update internally that includes the patch in order to correctly process reports from other servers.
>
> Are there any plans to push out a 2.7.18-6 update that includes CVE-2013-3567.fixup-for-v3.patch? Would a source debdiff to do this be welcome?

Yes, that would be great and help speed things up.

Thanks,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#692606: network-manager-strongswan: charon dump on vpn start
On 2 August 2013 12:29, Raphael Geissert geiss...@debian.org wrote:
> I strongly believe this to be the problem with the plugin initialisation, fixed with c140757221.

Oh, and if that's the cause then, this is a bug in the strongswan package, so:

reassign 692606 strongswan-nm
affects 692606 network-manager-strongswan

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#714409: libgtk-3-0: triggers ci file contains unknown directive `interest-noawait' on install (needs newer dpkg)
Control: severity -1 important

Hi,

On Sunday 14 July 2013 00:26:09 Michael Biebl wrote:
> I don't agree with the severity, given that already wheezy (stable) has dpkg 1.16.10
>
> Did you really try to install gtk 3.8 on squeeze?

Hmm, no. By looking at the logs it seems it was a machine that had wheezy installed when it was still testing (hence it had dpkg 1.15.something) and hadn't been updated in a while. Strangely enough, apt didn't even propose to upgrade dpkg. So when upgrading dpkg aborted the upgrade due to the interest-noawait and left some bits of perl half broken.

Anyway, reverting the severity. Sorry about that.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#714264: CVE-2013-2190: screen unlocked after resuming due to crash
Package: gnome-shell
Severity: grave

Hi,

It was discovered that sometimes, when resuming, gnome-shell crashes and the screen lock is no longer active.

For further information see:
http://mid.gmane.org/51c01cc5.9070...@redhat.com
https://bugzilla.gnome.org/show_bug.cgi?id=701974
https://bugzilla.redhat.com/show_bug.cgi?id=954054

Please adjust the affected versions in the BTS as needed.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#712745: [Pkg-puppet-devel] Bug#712745: Bug#7712745: puppet: CVE-2013-3567
On 21 June 2013 17:07, Raphael Geissert geiss...@debian.org wrote:
> As promised via IRC, attached patch is a version that actually works.

And now a patch to be applied on top of it to restore the compatibility of the reports.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

CVE-2013-3567.fixup-for-v3.patch
Bug#712745: Bug#7712745: puppet: CVE-2013-3567
Hi,

Upstream provided me with the following gist against 2.6.18 that fixes this vulnerability:
https://gist.github.com/stahnma/d7598b49a4abc07845b9

Haven't checked how much backporting is needed.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#711316: [Pkg-phototools-devel] Bug#711316: Bug#711316: darktable: CVE-2013-2126: double free
Hi,

On 10 June 2013 13:52, David Bremner brem...@debian.org wrote:
> It seems like this might be the backported fix (suggesting there was indeed a problem to fix).
>
> https://github.com/LibRaw/LibRaw/commit/c14ae36d28e80139b2f31b5d9d7623db3b597a3a

Yes, it is. It was in the references I provided when submitting the bug report.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#711317: libkdcraw: CVE-2013-2126: double free
Source: libkdcraw
Severity: grave
Tags: security patch

Hi,

There's a double free in the embedded copy of libraw included in your package. If possible, please use the system copy instead.

For more info:
http://www.openwall.com/lists/oss-security/2013/05/29/7
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710353#17

Could you please prepare fixed packages for oldstable and stable, to be included in point releases?

Thanks.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#711316: darktable: CVE-2013-2126: double free
Package: darktable
Severity: grave
Tags: security patch

Hi,

There's a double free in the embedded copy of libraw included in your package. If possible, please use the system copy instead.

For more info:
http://www.openwall.com/lists/oss-security/2013/05/29/7
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710353#17

Could you please prepare fixed packages for stable, to be included in point releases?

Thanks.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#702775: [Pkg-monitoring-maintainers] Bug#702775: ganglia: limiting security support
Hi Daniel,

Although limiting security support is not something that the team usually does, Ganglia is not the first package for which this decision has been made. It is done after a review of the package and its intended use.

If you would like to help change the status, please consider reviewing the code, implementing standard web security measures and making sure the expected use and its requirements are considered also by upstream and continued during the following releases.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#702775: [Pkg-monitoring-maintainers] Bug#702775: ganglia: limiting security support
Hi,

On 28 May 2013 10:12, Daniel Pocock dan...@pocock.com.au wrote:
> Instead of adding the README.Debian.security file proposed in the earlier patch, I could add a README.security file upstream - the security issue is not Debian-specific. However, I will mention in that file that the Debian security team were involved in analyzing the code and a reference to this bug.

Feel free to add a security notice upstream, but the README.Debian.security file is to state that the Debian security team is going to provide limited support. As such, it should be kept in Debian.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#702775: ganglia: limiting security support
Package: ganglia
Version: 3.3.8-1
Severity: grave
Tags: security
Control: clone -1 -2
Control: reassign -2 src:ganglia-web 3.5.2-1
X-Debbugs-cc: t...@security.debian.org

Hi again,

Given the recent issues in Ganglia's web frontend and a review of some portions of the code we, as in the security team, have decided to limit ganglia's security support to installations behind a trusted HTTP zone. Any vulnerability that is only relevant when exposing ganglia's web frontend to a non-secure zone will therefore be treated as a non-issue by the security team. They could still be fixed via a SPU, however.

As such, please add a README.Debian.security file briefly mentioning the limited security support, effective for the version in wheezy and newer.

Thanks in advance.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#702736: [pkg-firebird-general] Bug#693210: server crash on preparing an empty query with tracing enabled
Hi,

On 10 March 2013 10:38, Salvatore Bonaccorso car...@debian.org wrote:
> [...]
> I checked the security-tracker about this[1]. It is marked 'no-dsa' for Squeeze, so I assume this should go through a stable-proposed-updates upload.
>
> [1]: https://security-tracker.debian.org/CVE-2012-5529

Since there's also another issue affecting firebird, this less severe issue could be fixed in the same DSA.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#687334: Please add security queues for armhf and s390x
Hi,

Am I missing something, or with the recent changes this bug can be closed now? (i.e. security build queues and buildds are all setup.)

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#701897: CVE-2012-5667: buffer overflow with overly long input lines
Hi,

The issue can easily be reproduced on an x86_64 system running squeeze with the public reproducer. Valgrind also shows the issue (but beware of the time and memory it takes).

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#701897: CVE-2012-5667: buffer overflow with overly long input lines
Package: grep
Severity: grave
Version: 2.6.3-3
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

Hi,

the following vulnerability was published for grep.

CVE-2012-5667[0]:
| Multiple integer overflows in GNU Grep before 2.11 might allow
| context-dependent attackers to execute arbitrary code via vectors
| involving a long input line that triggers a heap-based buffer
| overflow.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5667
    http://security-tracker.debian.org/tracker/CVE-2012-5667

Please adjust the affected versions in the BTS as needed.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#701549: refdb-clients: bashism in /bin/sh script
Package: refdb-clients
Version: 0.9.9-3
Severity: serious
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hello maintainer,

While performing an archive wide checkbashisms (from the 'devscripts' package) check I've found your package containing a /bin/sh script making use of a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/refdb-backup line 158 (should be >word 2>&1):
${refdba} -C listdb &>/dev/null || \ endScript Error: Unable to access RefDB using client 'refdba'. failed
possible bashism in ./usr/bin/refdb-backup line 160 (should be >word 2>&1):
${refdbc} -C listdb &>/dev/null || \ endScript Error: Unable to access RefDB using client 'refdbc'. failed
possible bashism in ./usr/bin/refdb-backup line 187 (should be >word 2>&1):
mkdir ${dirname} &>/dev/null
possible bashism in ./usr/bin/refdb-backup line 193 (should be >word 2>&1):
${refdbc} -C getref -d ${db} -t ${format} -o ${reffile} :ID:0 \ &>/dev/null
possible bashism in ./usr/bin/refdb-backup line 199 (should be >word 2>&1):
${refdbc} -C getnote -d ${db} -t xnote -o ${notefile} :NID:0 \ &>/dev/null
possible bashism in ./usr/bin/refdb-backup line 206 (should be >word 2>&1):
mkdir ${styles_directory} &>/dev/null
possible bashism in ./usr/bin/refdb-backup line 217 (should be >word 2>&1):
${refdba} -C getstyle -o ${stylefile} ${style} &>/dev/null
possible bashism in ./usr/bin/refdb-backup line 235 (should be >word 2>&1):
mv -f ${archive} ${backup_dir} &>/dev/null
possible bashism in ./usr/bin/refdb-restore line 133 (should be >word 2>&1):
tar -tzf ${archive} &>/dev/null || \ endScript '${archive}' is not a valid archive. failed
possible bashism in ./usr/bin/refdb-restore line 137 (should be >word 2>&1):
${refdba} -C listdb &>/dev/null || \ endScript Error: Unable to access RefDB using client 'refdba'. failed
possible bashism in ./usr/bin/refdb-restore line 139 (should be >word 2>&1):
${refdbc} -C listdb &>/dev/null || \ endScript Error: Unable to access RefDB using client 'refdbc'. failed
possible bashism in ./usr/bin/refdb-restore line 167 (should be >word 2>&1):
tar -xzf ${archive} ${reffile} &>/dev/null
possible bashism in ./usr/bin/refdb-restore line 171 (should be >word 2>&1):
refdba -C createdb ${db} &>/dev/null
possible bashism in ./usr/bin/refdb-restore line 176 (should be >word 2>&1):
refdbc -C addref -d ${db} -t ${format} ${reffile} &>/dev/null
possible bashism in ./usr/bin/refdb-restore line 183 (should be >word 2>&1):
tar -xzf ${archive} ${notefile} &>/dev/null
possible bashism in ./usr/bin/refdb-restore line 187 (should be >word 2>&1):
refdbc -C addnote -d ${db} ${notefile} &>/dev/null
possible bashism in ./usr/bin/refdb-restore line 197 (should be >word 2>&1):
tar -xzf ${archive} ${stylefile} &>/dev/null
possible bashism in ./usr/bin/refdb-restore line 206 (should be >word 2>&1):
refdba -C addstyle ${stylefile} &>/dev/null

Not using bash (or a Debian Policy conformant shell interpreter which doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours.

You can find hints about how to fix bashisms at:
https://wiki.ubuntu.com/DashAsBinSh

Thank you,
Raphael Geissert
Bug#701555: lcmaps-plugins-jobrep-admin: bashism in /bin/sh script
Package: lcmaps-plugins-jobrep-admin
Version: 1.5.0-2
Severity: serious
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hello maintainer,

While performing an archive wide checkbashisms (from the 'devscripts' package) check I've found your package containing a /bin/sh script making use of a bashism.

checkbashisms' output:
possible bashism in ./usr/sbin/jobrep-admin line 43 (read with option other than -r):
read -s -p "Enter database password (root): " dbapwd;
possible bashism in ./usr/sbin/jobrep-admin line 47 (read with option other than -r):
read -s -p "Enter database password (root): " dbapwd;

Not using bash (or a Debian Policy conformant shell interpreter which doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours.

You can find hints about how to fix bashisms at:
https://wiki.ubuntu.com/DashAsBinSh

Thank you,
Raphael Geissert
Bug#701558: fcitx-bin: bashism in /bin/sh script
Package: fcitx-bin
Version: 4.2.7-1
Severity: serious
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hello maintainer,

While performing an archive wide checkbashisms (from the 'devscripts' package) check I've found your package containing a /bin/sh script making use of a bashism.

checkbashisms' output:
possible bashism in ./usr/bin/fcitx-configtool line 72 (should be >word 2>&1):
if (kcmshell4 --list 2>/dev/null | grep ^kcm_fcitx &>/dev/null); then
possible bashism in ./usr/bin/fcitx-configtool line 82 (should be >word 2>&1):
if which fcitx-config-gtk &>/dev/null; then
possible bashism in ./usr/bin/fcitx-configtool line 88 (should be >word 2>&1):
if which fcitx-config-gtk3 &>/dev/null; then

Not using bash (or a Debian Policy conformant shell interpreter which doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours.

You can find hints about how to fix bashisms at:
https://wiki.ubuntu.com/DashAsBinSh

Thank you,
Raphael Geissert
Bug#687334: Please add security queues for armhf and s390x
On Thursday 13 September 2012 04:17:03 Philipp Kern wrote:
> On Tue, Sep 11, 2012 at 03:24:32PM -0500, Raphael Geissert wrote:
>> This is just to keep a record of things that need to be done before the release:
>> * Add security queues for armhf
>> * Add security queues for s390x
>>
>> Of course the sec archive first needs to know about them, so I'm going to file a similar bug against ftp-master.d.o for that.
>
> Please ping us when that's done on the security side, because we cannot do anything until that's done.

The archive part is done[1], so it's a matter of adding the queues and giving the buildds access to the sec's archive incoming.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687335#12

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#660488: miredo: diff for NMU version 1.2.3-1.1
tags 660488 + patch thanks Dear maintainer, I've prepared an NMU for miredo (versioned as 1.2.3-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards. Raphael Geissert diff -Nru miredo-1.2.3/debian/changelog miredo-1.2.3/debian/changelog --- miredo-1.2.3/debian/changelog 2010-04-10 04:38:03.0 -0500 +++ miredo-1.2.3/debian/changelog 2012-10-18 18:24:32.0 -0500 @@ -1,3 +1,12 @@ +miredo (1.2.3-1.1) unstable; urgency=low + + * Non-maintainer upload. ++ Based entirely on work by the maintainer. + * Fix build failure with newer automakes (Closes: #660488) + * use_pkglibexec.patch: Use pkglibexec instead of pkglib for PROGRAMS + + -- Raphael Geissert geiss...@debian.org Thu, 18 Oct 2012 18:20:19 -0500 + miredo (1.2.3-1) unstable; urgency=low * New upstream version: diff -Nru miredo-1.2.3/debian/patches/series miredo-1.2.3/debian/patches/series --- miredo-1.2.3/debian/patches/series 1969-12-31 18:00:00.0 -0600 +++ miredo-1.2.3/debian/patches/series 2012-10-18 18:17:15.0 -0500 @@ -0,0 +1 @@ +use_pkglibexec.patch diff -Nru miredo-1.2.3/debian/patches/use_pkglibexec.patch miredo-1.2.3/debian/patches/use_pkglibexec.patch --- miredo-1.2.3/debian/patches/use_pkglibexec.patch 1969-12-31 18:00:00.0 -0600 +++ miredo-1.2.3/debian/patches/use_pkglibexec.patch 2012-10-18 18:18:27.0 -0500 
@@ -0,0 +1,40 @@ +From: Rémi Denis-Courmont r...@remlab.net +Date: Fri, 2 Mar 2012 19:17:22 +0200 +http://git.remlab.net/gitweb/?p=miredo-debian.git;a=commit;h=06a57f3c804b78048d13d53dc06a78377f88454b +diff -urpN miredo-1.2.3-1.orig/src/Makefile.am miredo-1.2.3-1/src/Makefile.am +--- miredo-1.2.3-1.orig/src/Makefile.am 2009-07-06 10:56:14.0 -0500 miredo-1.2.3-1/src/Makefile.am 2012-10-18 18:16:31.0 -0500 +@@ -29,10 +29,10 @@ LIBCAP = @LIBCAP@ + AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir) -D_REENTRANT \ + -DLOCALEDIR=\$(localedir)\ -DSYSCONFDIR=\$(sysconfdir)\ \ + -DLOCALSTATEDIR=\$(localstatedir)\ \ +- -DPKGLIBDIR=\$(pkglibdir)\ ++ -DPKGLIBEXECDIR=\$(pkglibexecdir)\ + + sbin_PROGRAMS = miredo miredo-server miredo-checkconf +-pkglib_PROGRAMS = ++pkglibexec_PROGRAMS = + EXTRA_PROGRAMS = privproc + noinst_LTLIBRARIES = libmiredo.la + TESTS = +@@ -59,7 +59,7 @@ miredo_LDADD = ../libtun6/libtun6.la ../ + miredo_privproc_SOURCES = privproc.c privproc.h + miredo_privproc_LDADD = ../libteredo/libteredo.la $(LIBCAP) + if TEREDO_CLIENT +-pkglib_PROGRAMS += miredo-privproc ++pkglibexec_PROGRAMS += miredo-privproc + TESTS += miredo-checkconf + endif + +diff -urpN miredo-1.2.3-1.orig/src/relayd.c miredo-1.2.3-1/src/relayd.c +--- miredo-1.2.3-1.orig/src/relayd.c 2010-04-10 04:19:10.0 -0500 miredo-1.2.3-1/src/relayd.c 2012-10-18 18:16:31.0 -0500 +@@ -217,7 +217,7 @@ create_dynamic_tunnel (const char *ifnam + char ifindex[2 * sizeof (unsigned) + 1]; + snprintf (ifindex, sizeof (ifindex), %X, tun6_getId (tunnel)); + +- static const char path[] = PKGLIBDIR/miredo-privproc; ++ static const char path[] = PKGLIBEXECDIR/miredo-privproc; + switch (fork ()) + { + case -1: diff -Nru miredo-1.2.3/debian/rules miredo-1.2.3/debian/rules --- miredo-1.2.3/debian/rules 2009-12-05 07:04:23.0 -0600 +++ miredo-1.2.3/debian/rules 2012-10-18 18:20:08.0 -0500 
@@ -14,6 +14,9 @@ DEB_CONFIGURE_EXTRA_FLAGS += --disable-assert endif +# Work around Debian bug #661983 +DEB_CONFIGURE_LIBEXECDIR = \$${prefix}/lib + # Uho, problem on hppa and m68k pbuilder #ifeq (,$(filter $(DEB_HOST_ARCH_CPU),hppa m68k)) # testsuite is native, would fail if cross-compiling
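Review bot: the header of the new debian/patches/use_pkglibexec.patch carries only From, Date and a gitweb URL; DEP-3 `Description:` and `Bug-Debian: http://bugs.debian.org/660488` fields would record why `pkglib_PROGRAMS` had to become `pkglibexec_PROGRAMS` (the changelog hunk only says "build failure with newer automakes", and automake is the one rejecting programs installed under pkglibdir) and tie the patch to this bug for whoever rebases it next.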
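Review bot: the intent behind `DEB_CONFIGURE_LIBEXECDIR = \$${prefix}/lib` in the debian/rules hunk is worth stating in its comment rather than only citing #661983: with libexecdir forced to ${prefix}/lib, automake's pkglibexecdir resolves to the same ${prefix}/lib/miredo directory the old pkglibdir gave (assuming the default libdir), so the PKGLIBEXECDIR path compiled into relayd.c still points at the installed miredo-privproc and the binary does not move between 1.2.3-1 and this NMU. A one-line "keeps miredo-privproc under /usr/lib/miredo" note, here or in the changelog, saves the next reader a trip through the automake directory variables.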
Bug#690594: tasksel: execution aborted due to compilation errors
Package: tasksel
Version: 3.13
Severity: serious

Hi,

After upgrading from tasksel 2.89, I get the following error:

$ tasksel --help
Type of arg 1 to each must be hash (not subroutine entry) at /usr/bin/tasksel line 223, near ))
Execution of /usr/bin/tasksel aborted due to compilation errors.

Seems like you should 'use 5.014' and/or have a versioned Depends on perl-base.

Cheers,
Raphael Geissert

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
Architecture: i386 (i686)

Shell: /bin/sh linked to /bin/dash

Versions of packages tasksel depends on:
ii  apt                     0.8.15.10
ii  debconf [debconf-2.0]   1.5.38
ii  liblocale-gettext-perl  1.05-6
ii  tasksel-data            3.13

tasksel recommends no packages.

tasksel suggests no packages.

-- debconf information:
  tasksel/title:
  tasksel/desktop: gnome
  tasksel/first: Laptop, Standard system
  tasksel/tasks:
Bug#690632: solarpowerlog: bashism in /bin/sh script
Package: solarpowerlog
Version: 0.23a-1
Severity: serious
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hello maintainer,

While performing an archive wide checkbashisms (from the 'devscripts' package) check I've found your package containing a /bin/sh script making use of a bashism.

checkbashisms' output:
possible bashism in ./etc/init.d/solarpowerlog line 59 (alternative test command ([[ foo ]] should be [ foo ])):
[[ ! -e $PIDDIR ]] && mkdir -p $PIDDIR && chown $USER $PIDDIR
possible bashism in ./etc/init.d/solarpowerlog line 63 (alternative test command ([[ foo ]] should be [ foo ])):
[[ ! -e $LOGDIR ]] && mkdir -p $LOGDIR && chown $USER $LOGDIR

Not using bash (or a Debian Policy conformant shell interpreter which doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours.

You can find hints about how to fix bashisms at:
https://wiki.ubuntu.com/DashAsBinSh

Thank you,
Raphael Geissert
Bug#689763: jsxgraph: includes non-free jsmin code
Package: jsxgraph
Version: 0.83+svn1872~dfsg-3
Severity: serious

Hi,

tools/jsmin.py includes the following license clause that makes it non-free:
The Software shall be used for Good, not Evil.

Cheers,
Raphael Geissert
Bug#689764: icinga-web: includes non-free jsmin
Source: icinga-web
Version: 1.7.1-4
Severity: serious

Hi,

lib/phing/classes/phing/tasks/ext/jsmin/JsMin.php includes the following license clause that makes it non-free:
The Software shall be used for Good, not Evil.

Cheers,
Raphael Geissert
Bug#686174: Your isc-dhcp 4.2.2.dfsg.1-5+wheezy1 upload
Hi again,

On Friday 14 September 2012 18:46:48 Raphael Geissert wrote:
> * Uploads must be coordinated and ACKed by the security team. Unless I'm missing something, it didn't happen this way.

I've been pointed out that you talked to Nico about it. Please accept my apologies.

Kind regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#686174: Your isc-dhcp 4.2.2.dfsg.1-5+wheezy1 upload
Hi,

I'm rejecting your isc-dhcp upload to the security archive for the following reasons:
* Uploads must be coordinated and ACKed by the security team. Unless I'm missing something, it didn't happen this way.
* Incorrect version numbering. For Wheezy the +debNuX schema will be used.
* The testing-security queue is not functional. Any security update for wheezy, during its freeze, must go through testing-proposed-updates if it can't go through sid.

Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#687334: Please add security queues for armhf and s390x
Package: buildd.debian.org
Severity: serious
Control: affects -1 security.debian.org

Hi,

This is just to keep a record of things that need to be done before the release:
* Add security queues for armhf
* Add security queues for s390x

Of course the sec archive first needs to know about them, so I'm going to file a similar bug against ftp-master.d.o for that.

Cheers,
Raphael Geissert
Bug#687335: Support armhf and s390x in the security archive
Package: ftp-master.debian.org
Severity: serious
Control: affects -1 security.debian.org

Hi,

This is just to keep a record of things that need to be done before the release:
* Add support for the armhf architecture to the security archive
* Add support for the s390x architecture to the security archive
* Work with the buildd people to give them access to sec's incoming

Thanks.

Cheers,
Raphael Geissert
Bug#686961: CVE-2012-3549: kfreebsd SCTP DoS
Package: kfreebsd-8
Severity: grave
Tags: security
Control: clone -1 -2 -3
Control: reassign -2 src:kfreebsd-9
Control: reassign -3 src:kfreebsd-10

Hi,

CVE-2012-3549 has been assigned to a remote DoS (via a NULL pointer dereference in the kernel) vulnerability in FreeBSD's SCTP implementation[1].

[1] http://www.exploit-db.com/exploits/20226/

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3549
    http://security-tracker.debian.org/tracker/CVE-2012-3549

Please adjust the affected versions in the BTS as needed.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#686454: CVE-2011-5129: xchat buffer overflow
Package: xchat
Severity: grave
Tags: security

Hi,

the following vulnerability was published for xchat.

CVE-2011-5129[0]:
| Heap-based buffer overflow in XChat 2.8.9 and earlier allows remote
| attackers to cause a denial of service (crash) and possibly execute
| arbitrary code via a long response string.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities Exposures) id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5129
    http://security-tracker.debian.org/tracker/CVE-2011-5129

Please adjust the affected versions in the BTS as needed.

-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#685192: apt: redirection handling changes in 0.9.4 may break aptitude
One day later than expected...

On Tuesday 21 August 2012 10:56:06 Raphael Geissert wrote:
> If you do consider those cases, then Breaks should probably be used instead.
> Recommends is not enough even for the scenario where this bug was
> reproduced: grml - recommends are disabled by default.
> I haven't tested a squeeze-wheezy upgrade with Breaks, though. Will try to
> get around it today so that I can report back...

It went fine. APT of course had to be deconfigured due to the Breaks, but it was handled just fine. I used a Breaks: apt (<< 0.9.4~).

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#685192: apt: redirection handling changes in 0.9.4 may break aptitude
Hi David,

On Tuesday 21 August 2012 08:50:34 David Kalnischkies wrote:
> For clarity: This partial upgrade thing affects not only aptitude, but APT
> itself and just by extension all front-ends even if the message just talks
> about how aptitude is unable to handle the internal change in libapt and
> how it talks to its own http-method shipped in 'apt'.

As far as I tested, it doesn't affect APT as long as it isn't a partial upgrade from the experimental version that had a separate libapt-pkg4.10. Upgrading apt will also pull in libapt-pkg4.12, and at the time the new packages are unpacked no new http method is started. The next call to APT would already use the new versions of apt and the http method. Am I missing something?

> And I doubt that a bug containing the words partial upgrade and unofficial
> sources (which http.debian.net still is, even as a well-received mirror of
> official content) fits very well in the severity grave bucket, but I let it
> slide for the moment.

Just one fact: I have seen more than one mirror, part of the Debian mirrors network, redirect from /debian/ to /pub/linux/debian/ and stuff like that. At the moment there should be none of those in the mirrors list, but users who had picked one of those mirrors before the path was changed would be affected. That said, if you disagree with the severity, feel free to change it.

> Not sure how common Michael Prokop's scenario is with FAI.

He was using a minimal debootstrapped chroot and then upgrading it.

> I think Depends are a bit hard in that case. It's not only a loop, but
> libapt-pkg can be used without the method-binaries in a lot of cases, so a
> Recommends: apt (= ${binary:Version}) feels more appropriate and should
> trigger an upgrade of 'apt' in this partial upgrade situation as well (as
> long as the installation of Recommends is not disabled) without negative
> consequences on the installation order.
>
> The only thing not covered by this Recommends is that you can still remove
> apt from your system and possibly break aptitude (and other packages using
> the acquire-system from libapt) - for any libapt user this will be equal to
> the removal of an essential package though, however the specific front-end
> handles this (apt-get is e.g. very vocal about that).

If you do consider those cases, then Breaks should probably be used instead. Recommends is not enough even for the scenario where this bug was reproduced: grml - recommends are disabled by default. I haven't tested a squeeze-wheezy upgrade with Breaks, though. Will try to get around it today so that I can report back...

> Same case if s/he prefers to disable installation of recommends.
>
> And with this back to the initial topic: Adding a recommends, okay?

... because I don't think Recommends is appropriate.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#685192: apt: redirection handling changes in 0.9.4 may break aptitude
Package: apt
Version: 0.9.4
Severity: grave
Control: affects -1 aptitude
X-Debbugs-CC: m...@debian.org, debian-rele...@lists.debian.org

Hi,

Michael Prokop noticed that in some cases an aptitude update would fail with a "E: Method gave invalid 200 URI Start message" when using http.debian.net. After a lot of confusion and attempts to debug the problem, in a chroot where the issue could be reproduced, I eventually noticed that the versions of apt and libapt-pkg4.12 didn't match:

apt: 0.8.15.9 (old version)
libapt-pkg4.12: 0.9.7.2 (wheezy)
aptitude: 0.6.8-1 (wheezy)

The problem:

When aptitude uses libapt-pkg to download a file, it starts an instance of the http method that doesn't include the changes made in #668111. This means that it sends the 103 redirection message as usual, but it handles it internally. Given that aptitude uses libapt-pkg4.12, it handles the 103 message in the new fashion and starts a new http process to handle the redirection. Since the first http process is handling the request internally, it eventually sends a 200 URI Start message with the original URI (the one of http.debian.net). By then, libapt-pkg4.12 has already marked such URI as done, removed it from the http:http.debian.net queue, and more importantly: changed the URI of the Itm (pkgAcquire::Queue::QItem). So, when it receives the 200 message it can't even match the URI of the message to a QItem, therefore aborting with the "E: Method gave invalid 200 URI Start message" error.

Why APT still works:

The old apt version works just fine because it uses libapt-pkg4.10, which means it handles the redirection internally. According to dpkg -S the libapt-pkg4.10 used by apt is provided by the apt package itself. I.e. it is not a separate package.

Note: if it is not obvious enough, this isn't restricted to http.debian.net. Any mirror that sends a redirection could trigger this bug.

Now, the easiest way to prevent this kind of conflict would be by adding a Depends: apt >= 0.9.4 to libapt-pkg4.12. Not sure how much trouble it would cause to a squeeze-wheezy upgrade, as it would force apt to also be upgraded when upgrading aptitude (upgrading apt already requires upgrading aptitude.) It also introduces a soft dependency loop, but it seems harmless.

The alternative way to express it would be by adding a Breaks: apt (<< 0.9.4) to libapt-pkg4.12. I think this last form would cause more noise during the upgrade.

Introducing a new redirection code (104?) would probably cause more trouble at this point than handling the problem via the dependencies system.

Thoughts?

Sorry for not noticing it before. Somehow I knew I should have bumped the redirection code :-/

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems
On Thursday 31 May 2012 11:33:19 Christoph Anton Mitterer wrote:
> I therefore propose the following changes, which should be also ok for the
> apache folks:
> a) Add these type definitions back to mime.types

No, they don't even describe .php files correctly. There should really be no application/x-httpd-* entry in mime.types. Perhaps .php and others should be added back as text/x-php and a NEWS entry added.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#580540: softgun: FTBFS in non-linux architectures: config.mk:24: *** Unknown architecture. Stop.
On Sunday 13 May 2012 11:26:19 Steve McIntyre wrote:
> On Thu, May 06, 2010 at 12:06:03PM -0500, Raphael Geissert wrote:
>> Please remember that kfreebsd-i386 and kfreebsd-amd64 are now release
>> architectures and failure to build on those is considered release critical.
>
> Not if they've never built there, only if there's a regression. Downgrading
> to important instead.

Er,

$ rmadison -a kfreebsd-i386,kfreebsd-amd64 softgun
softgun | 0.16-2.1 | squeeze | kfreebsd-amd64, kfreebsd-i386
softgun | 0.16-2.1 | wheezy  | kfreebsd-amd64, kfreebsd-i386

...

-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#667226: kgb: diff for NMU version 1.0b4+ds-13.2
Hi,

Thanks for the patch and the NMU. As a minor nitpick you should probably consider giving the patch file a more descriptive name, like missing-unistdh.patch :)

Anyway, it's not worth another upload just to change that.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#663206: vpnc: does not install anymore - shebang missing from install scripts
reopen 663206
thanks

Hi,

Upgrading dpkg does work around the bug, but it is an unintentional side effect. Maintainer scripts must have a shebang as per section 6.1 of policy. (thanks to James McCoy for finding the proper reference :)

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#663382: cupt: missing depends on apt?
Package: cupt
Version: 2.4.0
Severity: serious

Hi,

After removing apt with cupt, cupt is useless:

# cupt install apt
Building the package cache...
E: unable to open file '//var/lib/apt/extended_states': No such file or directory
E: error while parsing extended states
E: error while creating package cache
E: error performing command 'install'

# cupt update
E: unable to open file '//var/lib/apt/extended_states': No such file or directory
E: error while parsing extended states
E: error while creating package cache
E: error performing command 'update'

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#663382: cupt: missing depends on apt?
Hi,

On Saturday 10 March 2012 15:23:52 Eugene V. Lyubimkin wrote:
> Cupt does not need apt for the work, but it needs an extended states file
> (for reading and writing). In unusual setups where apt is not installed at
> all, you can easily override the path of the file. For example, putting
>
> dir::state::extendedstates /var/lib/cupt/extended_states;
>
> to /etc/cupt/cupt.conf and then 'touch /var/lib/cupt/extended_states'
> should make cupt happy.
>
> I thus downgraded severity a bit.

TBH, I disagree with downgrading the severity. Like with many kinds of bugs, you can work around them, but that doesn't mean the impact is lower. In my case I had to download apt by hand to re-install it with dpkg because cupt couldn't help me at all.

I also wonder if you shouldn't be at least recommending one of the download methods...

> Regardless of the Cupt-side fixes, I would say it's an error for apt to
> delete these kinds of files even on purge, and a serious error if it's
> deleted by a simple removal (you didn't specify the command so I can't
> guess whether your case was 'remove' or 'purge'). You may want to file a
> bug on apt about this.

I purged apt. APT's postrm runs rm -rf on /var/cache/apt and /var/lib/apt.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#661197: CVE-2012-0270: buffer overflows
Package: csound
Severity: grave
Tags: security

Hi,

Two vulnerabilities have been found in csound. Please refer to the following page for more information:

http://secunia.com/secunia_research/2012-3/

Regards,
Raphael Geissert
Bug#651705: le: FTBFS in unstable configure: error: cannot make curses work
Hi,

On Sunday 11 December 2011 08:08:25 peter green wrote:
> le FTBFS in current testing and unstable, this was initially seen on the
> armhf and s390x buildds but I have reproduced it locally on amd64

Thanks for your report and work. Although I haven't confirmed the build failure (haven't tried at all) the reasoning looks correct.

For the next version I've already had to fiddle with auto* and run autoreconf, so I'll see how that plays with multiarch.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug#647849: ca-certificates: removal of signet.pl's CAs
Package: ca-certificates
Severity: grave
Version: 20080809

Hi,

During a review of signet.pl's CAs in ca-certificates, I've found several issues that prompt me to remove them from all the current releases of ca-certificates.

* signet_ca1_pem.crt
  notAfter=Sep 23 13:18:17 2011 GMT [EXPIRED]
  NO CRL
  NO OCSP
  Bits=1024

* signet_ca2_pem.crt
  notAfter=Apr 18 12:53:07 2017 GMT
  NO OCSP
  CRL=http://www.signet.pl/repozytorium/crl/pca2.crl
    Last Update: Jan 4 11:39:13 2007 GMT
    Next Update: Jan 4 11:44:13 2008 GMT [EXPIRED]
  Bits=2048

* signet_ca3_pem.crt
  notAfter=Apr 28 10:50:55 2008 GMT [EXPIRED]
  NO CRL
  NO OCSP
  Bits=2048

* signet_ocspklasa2_pem.crt
  notAfter=Apr 18 12:53:07 2017 GMT
  CRL=http://www.signet.pl/repozytorium/crl/klasa2.crl
    Last Update: Jan 4 10:36:58 2007 GMT
    Next Update: Jan 5 10:36:58 2007 GMT [EXPIRED]
  NO OCSP
  Bits=1024

* signet_ocspklasa3_pem.crt
  notAfter=Apr 28 10:50:55 2008 GMT [EXPIRED]
  CRL=http://www.signet.pl/kwalifikowane/repozytorium/crl/klasa3.crl
    Last Update: Jun 30 10:56:24 2006 GMT
    Next Update: Jul 1 10:56:24 2006 GMT [EXPIRED]
  NO OCSP
  Bits=1024

* signet_pca2_pem.crt
  notAfter=Sep 21 15:42:19 2026 GMT
  CRL=http://www.signet.pl/repozytorium/rootca/rootca.crl
    Last Update: Jan 4 12:27:13 2007 GMT
    Next Update: Jan 5 12:32:13 2008 GMT [EXPIRED]
  NO OCSP
  Bits=2048

* signet_pca3_pem.crt
  notAfter=Sep 21 15:42:19 2026 GMT
  CRL=http://www.signet.pl/repozytorium/rootca/rootca.crl
    Last Update: Jan 4 12:27:13 2007 GMT
    Next Update: Jan 5 12:32:13 2008 GMT [EXPIRED]
  NO OCSP
  Bits=2048

* signet_rootca_pem.crt
  notAfter=Sep 21 15:42:19 2026 GMT
  NO CRL
  NO OCSP
  Bits=2048

* signet_tsa1_pem.crt
  notAfter=Sep 23 11:18:17 2011 GMT [EXPIRED]
  CRL=http://www.signet.pl/repozytorium/crl/klasa1.crl
    Last Update: Aug 1 09:38:22 2006 GMT
    Next Update: Aug 3 09:38:22 2006 GMT [EXPIRED]
  NO OCSP
  Bits=1024

Additionally, I have found no trace of them after a quick search. signet.pl's website only contains one root CA, which was never included in Debian.

Unless there's a well-founded argument against their removal, I plan to remove them from lenny, squeeze, and sid.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
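The review above applies four checks to each trust anchor: is the certificate itself expired, does it publish any revocation channel at all (CRL or OCSP), is the published CRL past its Next Update, and is the key shorter than 2048 bits. The following script is an added example, not part of the bug report or of the ca-certificates package; it reproduces those checks over records transcribed from the report (constructed data, not read from the .crt files), using openssl's date format. The review date (2011-11-06) and the 2048-bit threshold are assumptions.

```python
"""Trust-store review of CA certificates: expiry, revocation channel,
CRL freshness and key size.  Added example; the records below are
transcribed from the bug report, not read from the real .crt files."""
from datetime import datetime, timezone

# Timestamp format printed by `openssl x509 -noout -enddate` / `openssl crl
# -noout -nextupdate`, e.g. "Jan  4 11:39:13 2007 GMT".
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"
MIN_RSA_BITS = 2048  # assumed minimum for a trust anchor (not from the report)


def parse_openssl_date(text):
    """Parse an openssl date; collapses the double space openssl emits
    before single-digit days so strptime sees a single token."""
    normalised = " ".join(text.split())
    return datetime.strptime(normalised, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def ca(name, not_after, bits, crl_next=None, crl_url=None, ocsp=False):
    """Build one CA record; crl_next=None means the cert carries no CRL URL."""
    crl = None if crl_next is None else {"url": crl_url, "nextUpdate": crl_next}
    return {"name": name, "notAfter": not_after, "bits": bits, "ocsp": ocsp, "crl": crl}


def review_ca(rec, now):
    """Return the list of findings for one CA record; [] means clean."""
    findings = []
    if parse_openssl_date(rec["notAfter"]) < now:
        findings.append("expired")
    if rec["crl"] is None and not rec["ocsp"]:
        # No way to learn about revocation of anything this CA signed.
        findings.append("no-revocation-info")
    elif rec["crl"] is not None and parse_openssl_date(rec["crl"]["nextUpdate"]) < now:
        # A CRL past its Next Update tells relying parties nothing current.
        findings.append("crl-stale")
    if rec["bits"] < MIN_RSA_BITS:
        findings.append("weak-key")
    return findings


def review(records, now):
    """Map each CA name to its findings."""
    return {rec["name"]: review_ca(rec, now) for rec in records}


# Constructed from the values listed in the bug report above.
SIGNET_CAS = [
    ca("signet_ca1_pem.crt", "Sep 23 13:18:17 2011 GMT", 1024),
    ca("signet_ca2_pem.crt", "Apr 18 12:53:07 2017 GMT", 2048,
       "Jan  4 11:44:13 2008 GMT", "http://www.signet.pl/repozytorium/crl/pca2.crl"),
    ca("signet_ca3_pem.crt", "Apr 28 10:50:55 2008 GMT", 2048),
    ca("signet_ocspklasa2_pem.crt", "Apr 18 12:53:07 2017 GMT", 1024,
       "Jan  5 10:36:58 2007 GMT", "http://www.signet.pl/repozytorium/crl/klasa2.crl"),
    ca("signet_ocspklasa3_pem.crt", "Apr 28 10:50:55 2008 GMT", 1024,
       "Jul  1 10:56:24 2006 GMT",
       "http://www.signet.pl/kwalifikowane/repozytorium/crl/klasa3.crl"),
    ca("signet_pca2_pem.crt", "Sep 21 15:42:19 2026 GMT", 2048,
       "Jan  5 12:32:13 2008 GMT", "http://www.signet.pl/repozytorium/rootca/rootca.crl"),
    ca("signet_pca3_pem.crt", "Sep 21 15:42:19 2026 GMT", 2048,
       "Jan  5 12:32:13 2008 GMT", "http://www.signet.pl/repozytorium/rootca/rootca.crl"),
    ca("signet_rootca_pem.crt", "Sep 21 15:42:19 2026 GMT", 2048),
    ca("signet_tsa1_pem.crt", "Sep 23 11:18:17 2011 GMT", 1024,
       "Aug  3 09:38:22 2006 GMT", "http://www.signet.pl/repozytorium/crl/klasa1.crl"),
]

# Assumed review date; the report itself does not state one.
REVIEW_DATE = datetime(2011, 11, 6, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, findings in review(SIGNET_CAS, REVIEW_DATE).items():
        print(f"{name:28} {'OK' if not findings else ', '.join(findings)}")
```

Every one of the nine certificates comes out with at least one finding, which is the point of the report: even the anchors that have not expired (the two pca and the root) either publish a CRL that has been stale for years or publish no revocation information at all. To run the same checks against real files, feed `parse_openssl_date` the output of `openssl x509 -noout -enddate` and `openssl crl -noout -nextupdate` instead of the transcribed strings.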
Bug#637057: [php-maint] Bug#637057: Installing php5-idn makes apache2 segfault (if using the php5 module)
severity 637057 normal
thanks

On Monday 08 August 2011 02:09:26 Raphaël Hertzog wrote:
> Further inspection seems to indicate that it must not be loaded at the same
> time as php5-intl... since loading it without loading php5-intl works.

Yes, intl is meant to replace idn and to make it backwards-compatible a couple of functions are exported under the same name, causing the conflict.

> This package has been removed from unstable, but maybe we should do in
> stable what we did in unstable:
> - update the libphp-simplepie dependency to php5-intl

That's up to whoever is behind libphp-simplepie. -idn also provided a few other functions which -intl doesn't.

> - make php5-intl conflict with php5-idn

No. It's a runtime conflict and therefore policy's "don't add a Breaks/Conflict" recommendation applies. However, the conflict was meant to be handled by the extensions manager, but that's another story...

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net