Processed: Add fdroidcl to the affects

2017-07-25 Thread Debian Bug Tracking System 
Processing commands for cont...@bugs.debian.org:

> affects 867358 src:fdroidcl
Bug #867358 [src:linux] mips/mipsel: mips-linux-gnu-gccgo-7: waitid: bad address
Added indication that 867358 affects src:fdroidcl
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
867358: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867358
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

CONFIG_CGROUPS_BPF in kernel 4.9

2017-07-25 Thread Joe.Ghalam 
Hi Ben,
Would you please share your thoughts on the possibility of back-porting support 
for CGROUPS_BPF and related code from kernel 4.10 to kernel 4.9 for Debian 
Stretch?
Thanks,
Joe

Bug#869681: firmware-linux: again missing i915 firmware for Thinkpad X61

2017-07-25 Thread Thorsten Glaser 
Package: firmware-linux
Version: 20161130-3
Severity: normal

Processing triggers for initramfs-tools (0.130) ...
update-initramfs: Generating /boot/initrd.img-4.11.0-2-amd64
W: Possible missing firmware /lib/firmware/i915/kbl_huc_ver02_00_1810.bin for 
module i915
W: Possible missing firmware /lib/firmware/i915/bxt_huc_ver01_07_1398.bin for 
module i915
W: Possible missing firmware /lib/firmware/i915/skl_huc_ver01_07_1398.bin for 
module i915


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages firmware-linux depends on:
ii  firmware-linux-free 3.4
ii  firmware-linux-nonfree  20161130-3

Versions of packages firmware-linux recommends:
pn  amd64-microcode  
ii  intel-microcode  3.20170707.1

firmware-linux suggests no packages.

-- no debconf information

Bug#869670: Depends: linux-headers-4.11.0-2-common ... but it is not going to be installed

2017-07-25 Thread 積丹尼 Dan Jacobson 
Package: linux-headers-4.11.0-2-amd64
Version: 4.11.11-1

The following packages have unmet dependencies:
 linux-headers-4.11.0-2-amd64 : Depends: linux-headers-4.11.0-2-common (= 
4.11.11-1+b1) but it is not going to be installed

Bug#869613: libreoffice write crashes (Debian 9)

2017-07-25 Thread Aaron Valdes 
Thanks Rene,

I installed Debian 9 AMD64 on my Asus Laptop the other day.  libreoffice writer 
(lowriter) did not crash on that system.

Aaron

On Tue, 25 Jul 2017 07:10:45 +0200 Rene Engelhard  wrote:
> severity 869613 grave
> reassign 869613 src:linux
> forcemerge 865866 869613 
> affects 869613 libreoffice-writer
> thanks
> 
> Hi,
> 
> On Mon, Jul 24, 2017 at 11:23:33PM -0400, Aaron Valdes wrote:
> > Thread 1 "soffice.bin" received signal SIGSEGV, Segmentation fault.
> > 0xa72a8975 in _expand_stack_to(unsigned char*) () from 
> > /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
> > #0  0xa72a8975 in _expand_stack_to(unsigned char*) () at 
> > /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
> > #1  0xa72ab184 in os::Linux::manually_expand_stack(JavaThread*, unsigned 
> > char*) () at /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
> > #2  0xa72b56c8 in os::create_main_thread(JavaThread*) () at 
> > /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
> > #3  0xa73f7ede in Threads::create_vm(JavaVMInitArgs*, bool*) () at 
> > /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
> > #4  0xa70a4645 in JNI_CreateJavaVM () at 
> > /usr/lib/jvm/java-8-openjdk-i386/jre/lib/i386/server/libjvm.so
> > #5  0xb232f9a1 in  () at /usr/lib/libreoffice/program/libjvmfwklo.so
> > #6  0xb2341bf4 in jfw_startVM(JavaInfo const*, JavaVMOption*, long, 
> > JavaVM_**, JNIEnv_**) () at /usr/lib/libreoffice/program/libjvmfwklo.so
> 
> Aha. So it's the known regression in the kernel breaking Java. I guessed that 
> at first,
> though you claiming it works without -gtk2 was puzzling me...
> 
> Wouldn't have happened on amd64...
> 
> Regards,
> 
> Rene
> 
>

Processed: retitle 869639 to firmware-brcm80211: BroadPwn vulnerability CVE-2017-9417

2017-07-25 Thread Debian Bug Tracking System 
Processing commands for cont...@bugs.debian.org:

> # correct CVE in subject
> retitle 869639 firmware-brcm80211: BroadPwn vulnerability CVE-2017-9417
Bug #869639 [firmware-brcm80211] firmware-brcm80211: BroadPwn vulnerability 
CVE-2017-8386
Changed Bug title to 'firmware-brcm80211: BroadPwn vulnerability CVE-2017-9417' 
from 'firmware-brcm80211: BroadPwn vulnerability CVE-2017-8386'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
869639: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869639
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#869640: starting rpc-svcgssd.service fails

2017-07-25 Thread Andreas Schindler 

Package: nfs-common 1:1.3.4-2.1, nfs-kernel-server 1:1.3.4-2.1
Debian-Version: 9.1, Kernel 4.9.0-3-amd64
Hardware: Dell PowerEdge R630, 2 Sockets, 2x8Cores, 265 GByte Memory

Symptom: starting rpc-svcgssd.service fails with non-standard Kerberos 
principal


Involved packages:
libnfs8:amd641.11.0-2amd64
libnfsidmap2:amd64   0.25-5.1amd64
nfs-common   1:1.3.4-2.1 amd64
nfs-kernel-server1:1.3.4-2.1 amd64
libgssrpc4:amd64 1.15-1  amd64
libtirpc1:amd64  0.2.5-1.2   amd64
rpcbind  0.2.3-0.6   amd64

Bug Log:
Jul 20 13:37:42 hiyo rpc.svcgssd[10625]: ERROR: GSS-API: error in 
gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code 
may provide more information) -
Jul 20 13:37:42 hiyo rpc.svcgssd[10625]: unable to obtain root (machine) 
credentials
Jul 20 13:37:42 hiyo rpc.svcgssd[10625]: do you have a keytab entry for 
nfs/@ in /etc/krb5.keytab?
Jul 20 13:37:42 hiyo systemd[1]: rpc-svcgssd.service: Control process 
exited, code=exited status=1
Jul 20 13:37:42 hiyo systemd[1]: Failed to start RPC security service 
for NFS server.

-- Subject: Unit rpc-svcgssd.service has failed

This is perfectly correct, due to /etc/krb5.keytab has no principal 
nfs/hiyo.zit.biophys.mpg...@bpcental.biophy.mpg.de


A Solution would be to use the -p or -n options for the rpc.svcgssd daemon.

These are the constraints:

1.) If nfs-kernel-server is not installed, rpc.svcgssd should not be 
started - it's used by the nfs server only, not by nfs clients


2.) However: rpc.svcgssd is part of packet nfs-common (incl. nfs 
client). Why? shouldn't is be part of nfs-kernel-server?


3.) If everything is intended as currently distributed, why place
 the configuration parameter RPCSVCGSSDOPTS in
 /etc/default/nfs-kernel-server?

4.) Under these circumstances it should be placed in
 /etc/default/nfs-common.

5.) The contents of the 2 /etc/default/nfs-* files are evaluated by the 
service nfs-config.service into /run/sysconfig/nfs-utils, which result 
the looks like:


 PIPEFS_MOUNTPOINT=/run/rpc_pipefs
 RPCNFSDARGS=" 8"
 RPCMOUNTDARGS="--manage-gids"
 STATDARGS=""
 RPCSVCGSSDARGS="-n"

6.) However, the systemd unit file in 
/lib/systemd/system/rpc-svcgssd.service imports a variable SVCGSSDARGS, 
where /run/sysconfig/nfs-utils defines RPCSVCGSSDARGS (with RPC prefix).

This renders the config parameter useless because it never draws.

 [Unit]
 Description=RPC security service for NFS server
 DefaultDependencies=no
 Requires=run-rpc_pipefs.mount
 After=run-rpc_pipefs.mount local-fs.target
 PartOf=nfs-server.service
 PartOf=nfs-utils.service

 After=gssproxy.service
 ConditionPathExists=|!/run/gssproxy.pid
 ConditionPathExists=|!/proc/net/rpc/use-gss-proxy
 ConditionPathExists=/etc/krb5.keytab

 Wants=nfs-config.service
 After=nfs-config.service

 [Service]
 EnvironmentFile=-/run/sysconfig/nfs-utils
 Type=forking
 ExecStart=/usr/sbin/rpc.svcgssd $SVCGSSDARGS

My suggestion for these issues:

- Move rpc.svcgssd service  to the nfs-kernel-server package,
   so it doesn't get started if the nfs server isn't installed
- Make sure /lib/systemd/system/rpc-svcgssd.service imports/uses
   the correct variables from /run/sysconfig/nfs-utils

Best
Andreas Schindler
--
Dr.-Ing. Andreas Schindler
Leiter Zentrale IT
Max-Planck-Institut für Biophysik
andreas.schind...@biophys.mpg.de
Max-von-Laue-Str. 3, 60438 Frankfurt, Tel: +49 69 6303 4555



smime.p7s
Description: S/MIME Cryptographic Signature

Bug#869639: correct to CVE-2017-9417, and link

2017-07-25 Thread Mark Robinson 

https://nvd.nist.gov/vuln/detail/CVE-2017-9417

Bug#869639: firmware-brcm80211: BroadPwn vulnerability CVE-2017-8386

2017-07-25 Thread Mark Robinson 
Package: firmware-brcm80211
Version: 0.43
Severity: critical
Tags: security upstream
Justification: root security hole

Dear Maintainer,

CVE-2017-8386 "BroadPwn" has been around for a while.

It seems Debian ships the relevant firmware in this package.

Could I impose on you to ensure that all is as it should be?

Many thanks.
Mark

https://nvd.nist.gov/vuln/detail/CVE-2017-8386
https://security-tracker.debian.org/tracker/CVE-2017-9417
https://packages.debian.org/search?keywords=firmware-brcm80211
http://boosterok.com/blog/broadpwn/

-- System Information:
Debian Release: 8.9
  APT prefers testing
  APT policy: (1000, 'testing'), (1000, 'stable'), (1000, 'oldstable'), (500, 
'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)