Re: matrixssl

2016-09-20 Thread Chris Lamb
Brian May wrote:

> Ok, so looks like I should be able to add the following line:
> 
> matrixssl   1.8.8-1 2016-09-08  Not supported in 
> Debian LTS (https://lists.debian.org/debian-lts/2016/09/msg00030.html)
> 
> To security-support-ended.deb7 and push to
> ssh://git.debian.org/git/collab-maint/debian-security-support.git

Yes :)

> Do I need to ask anybody before doing so?

No. With my FD hat on, I went ahead and did this. :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: graphicsmagick packaging

2016-09-20 Thread Chris Lamb
[Not sure why I am being CC'd here?]

> Is this just me? Or has graphicsmagick really been packaged without
> debian/patches/*?

Very likely; wheezy is old and the source/format wasn't universally adopted
overnight. :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



graphicsmagick packaging

2016-09-20 Thread Brian May
Hello,

Is this just me? Or has graphicsmagick really been packaged without
debian/patches/*?

⌁ [brian:~/tree/debian/debian-lts/wheezy/graphicsmagick] % dget 
http://security.debian.org/debian-security/pool/updates/main/g/graphicsmagick/graphicsmagick_1.3.16-1.1+deb7u3.dsc
dget: retrieving 
http://security.debian.org/debian-security/pool/updates/main/g/graphicsmagick/graphicsmagick_1.3.16-1.1+deb7u3.dsc
  % Total% Received % Xferd  Average Speed   TimeTime Time  Current
 Dload  Upload   Total   SpentLeft  Speed
100  2642  100  26420 0   1385  0  0:00:01  0:00:01 --:--:--  1385
dget: retrieving 
http://security.debian.org/debian-security/pool/updates/main/g/graphicsmagick/graphicsmagick_1.3.16.orig.tar.gz
  % Total% Received % Xferd  Average Speed   TimeTime Time  Current
 Dload  Upload   Total   SpentLeft  Speed
100 8531k  100 8531k0 0   190k  0  0:00:44  0:00:44 --:--:--  379k
dget: retrieving 
http://security.debian.org/debian-security/pool/updates/main/g/graphicsmagick/graphicsmagick_1.3.16-1.1+deb7u3.diff.gz
  % Total% Received % Xferd  Average Speed   TimeTime Time  Current
 Dload  Upload   Total   SpentLeft  Speed
100  228k  100  228k0 0   270k  0 --:--:-- --:--:-- --:--:--  270k
graphicsmagick_1.3.16-1.1+deb7u3.dsc:
  Good signature found
   validating graphicsmagick_1.3.16.orig.tar.gz
   validating graphicsmagick_1.3.16-1.1+deb7u3.diff.gz
All files validated successfully.
dpkg-source: info: extracting graphicsmagick in graphicsmagick-1.3.16
dpkg-source: info: unpacking graphicsmagick_1.3.16.orig.tar.gz
dpkg-source: info: applying graphicsmagick_1.3.16-1.1+deb7u3.diff.gz
dpkg-source: info: upstream files that have been modified: 
 graphicsmagick-1.3.16/.pc/.quilt_patches
 graphicsmagick-1.3.16/.pc/.quilt_series
 graphicsmagick-1.3.16/.pc/.version
 graphicsmagick-1.3.16/.pc/CVE-2016-5240.patch/magick/render.c
 graphicsmagick-1.3.16/.pc/CVE-2016-5241.patch/magick/render.c
 graphicsmagick-1.3.16/.pc/applied-patches
 graphicsmagick-1.3.16/PerlMagick/Makefile.PL
 graphicsmagick-1.3.16/coders/gif.c
 graphicsmagick-1.3.16/coders/locale.c
 graphicsmagick-1.3.16/coders/mvg.c
 graphicsmagick-1.3.16/coders/png.c
 graphicsmagick-1.3.16/coders/svg.c
 graphicsmagick-1.3.16/config/delegates.mgk.in
 graphicsmagick-1.3.16/magick/GraphicsMagick-config.1
 graphicsmagick-1.3.16/magick/GraphicsMagick-config.in
 graphicsmagick-1.3.16/magick/blob.c
 graphicsmagick-1.3.16/magick/color_lookup.c
 graphicsmagick-1.3.16/magick/command.c
 graphicsmagick-1.3.16/magick/delegate.c
 graphicsmagick-1.3.16/magick/effect.c
 graphicsmagick-1.3.16/magick/image.c
 graphicsmagick-1.3.16/magick/locale_c.h
 graphicsmagick-1.3.16/magick/log.c
 graphicsmagick-1.3.16/magick/module.c
 graphicsmagick-1.3.16/magick/nt_feature.c
 graphicsmagick-1.3.16/magick/render.c
 graphicsmagick-1.3.16/magick/static.c
 graphicsmagick-1.3.16/magick/type.c
 graphicsmagick-1.3.16/magick/utility.c
 graphicsmagick-1.3.16/magick/utility.h
⌁ [brian:~/tree/debian/debian-lts/wheezy/graphicsmagick] % cd 
graphicsmagick-1.3.16 
⌁ [brian:~/tree … ezy/graphicsmagick/graphicsmagick-1.3.16] % quilt pop
Patch CVE-2016-5241.patch does not remove cleanly (refresh it or enforce with 
-f)


Just trying to see if I can fix this now using the files under .pc as a
reference. I notice that the package doesn't have the
debian/source/format file; however, I don't think this explains the
missing debian/patches directory. I've currently got to the stage where quilt
is happy, but dpkg-source isn't: dpkg-source reports fuzz in the patch,
and quilt refresh says there are no changes to the patch.

⌁ [brian:~/tree … ezy/graphicsmagick/graphicsmagick-1.3.16] 2 % quilt pop -a
Removing patch CVE-2016-5241.patch
Restoring magick/render.c

Removing patch CVE-2016-5240.patch
Restoring magick/render.c

No patches applied
⌁ [brian:~/tree … ezy/graphicsmagick/graphicsmagick-1.3.16] % quilt push ; 
quilt refresh
Applying patch CVE-2016-5240.patch
patching file magick/render.c

Now at patch CVE-2016-5240.patch
Patch CVE-2016-5240.patch is unchanged
⌁ [brian:~/tree … ezy/graphicsmagick/graphicsmagick-1.3.16] % quilt push ; 
quilt refresh
Applying patch CVE-2016-5241.patch
patching file magick/render.c

Now at patch CVE-2016-5241.patch
Patch CVE-2016-5241.patch is unchanged

[...]

dpkg-source: info: using source format '3.0 (quilt)'
diff: standard output: Broken pipe
diff: standard output: Broken pipe
diff: standard output: Broken pipe
diff: standard output: Broken pipe
diff: standard output: Broken pipe
dpkg-source: info: building graphicsmagick using existing 
./graphicsmagick_1.3.16.orig.tar.gz
patching file magick/render.c
Hunk #1 succeeded at 1484 (offset -35 lines).
Hunk #2 succeeded at 1496 (offset -35 lines).
Hunk #3 succeeded at 2388 (offset -86 lines).
Hunk #4 FAILED at 2504.
1 out of 4 hunks FAILED
dpkg-source: info: 

wireshark security update for Wheezy LTS

2016-09-20 Thread Bálint Réczey
Hi,

I have prepared an update for wireshark in Wheezy.

Please see the diff to the previous version attached. A practically
identical changeset has already been accepted into jessie-security.

Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium
 .
   * security fixes from Wireshark 2.0.6:
 - The H.225 dissector could crash (CVE-2016-7176)
 - The Catapult DCT2000 dissector could crash (CVE-2016-7177)
 - The UMTS FP dissector could crash (CVE-2016-7178)
 - The Catapult DCT2000 dissector could crash (CVE-2016-7179)
 - The IPMI trace dissector could crash (CVE-2016-7180)

I plan to upload the package tomorrow around noon UTC.

Cheers,
Balint


diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog
--- wireshark-1.12.1+g01b65bf/debian/changelog	2016-08-14 16:20:37.0 +0200
+++ wireshark-1.12.1+g01b65bf/debian/changelog	2016-09-20 18:05:25.0 +0200
@@ -1,3 +1,14 @@
+wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium
+
+  * security fixes from Wireshark 2.0.6:
+- The H.225 dissector could crash (CVE-2016-7176)
+- The Catapult DCT2000 dissector could crash (CVE-2016-7177)
+- The UMTS FP dissector could crash (CVE-2016-7178)
+- The Catapult DCT2000  dissector could crash (CVE-2016-7179)
+- The IPMI trace dissector could crash (CVE-2016-7180)
+
+ -- Balint Reczey   Tue, 20 Sep 2016 18:05:16 +0200
+
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium
 
   * security fixes from Wireshark 1.12.13:
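Review bot: the CVE-2016-7177 and CVE-2016-7179 entries both read "The Catapult DCT2000 dissector could crash" (the 7179 line also carries a stray double space before "dissector"), so a reader of the changelog cannot tell the two fixes apart; consider distinguishing them, for example by naming the upstream patch each one corresponds to, and drop the extra space. Since this is a 1.12.1 package, "security fixes from Wireshark 2.0.6" would be clearer as "security fixes backported from Wireshark 2.0.6", matching how the previous entry refers to 1.12.13.
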
diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch
--- wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch	1970-01-01 01:00:00.0 +0100
+++ wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch	2016-09-20 18:04:38.0 +0200
@@ -0,0 +1,695 @@
+From 8b20fac0cdcbeb0266caf5307600e1e1f4912b99 Mon Sep 17 00:00:00 2001
+From: Guy Harris 
+Date: Tue, 2 Aug 2016 20:39:34 -0700
+Subject: [PATCH 127/131] Don't snprintf() into a string with one of the
+ arguments being the same string.
+
+That doesn't work - you could be writing into the string from which
+you're reading.
+
+Conflicts:
+	asn1/h225/h225.cnf
+	epan/dissectors/packet-h225.c
+
+Bug: 12700
+
+Change-Id: I2fc6416e0613791dcd37ef70dbf00aae159008de
+Reviewed-on: https://code.wireshark.org/review/16852
+Reviewed-by: Guy Harris 
+Reviewed-on: https://code.wireshark.org/review/17800
+Reviewed-by: Balint Reczey 
+---
+ asn1/h225/h225.cnf|  58 +--
+ epan/dissectors/packet-h225.c | 168 +++---
+ 2 files changed, 127 insertions(+), 99 deletions(-)
+
+diff --git a/asn1/h225/h225.cnf b/asn1/h225/h225.cnf
+index 2bece14..a6ad36b 100644
+--- a/asn1/h225/h225.cnf
 b/asn1/h225/h225.cnf
+@@ -274,8 +274,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber
+ 		dissect_h245_FastStart_OLC(value_tvb, %(ACTX)s->pinfo, tree, codec_str);
+ 	}
+ 
+-/* Add to packet info */
+-g_snprintf(h225_pi->frame_label, 50, "%%s %%s", h225_pi->frame_label, codec_str);
++  /* Add to packet info */
++  {
++char temp[50];
++g_snprintf(temp, 50, "%%s %%s", h225_pi->frame_label, codec_str);
++g_strlcpy(h225_pi->frame_label, temp, 50);
++  }
+ 
+ 	contains_faststart = TRUE;
+ 	h225_pi->is_faststart = TRUE;
+@@ -362,10 +366,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber
+ #.FN_FTR Progress-UUIE
+   /* Add to packet info */
+   h225_pi->cs_type = H225_PROGRESS;
+-  if (contains_faststart == TRUE )
+-g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""), h225_pi->frame_label);
+-  else
+-g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""));
++  if (contains_faststart) {
++char temp[50];
++g_snprintf(temp, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""), h225_pi->frame_label);
++g_strlcpy(h225_pi->frame_label, temp, 50);
++  } else
++g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""));
+ #.END
+ #
+ #.FN_FTR SetupAcknowledge-UUIE
+@@ -389,28 +395,34 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber
+ #.FN_FTR Setup-UUIE
+   /* Add to packet info */
+   h225_pi->cs_type = H225_SETUP;
+-  if (contains_faststart == TRUE )
+-  g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, 
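Review bot: in the new FastStart and Progress-UUIE blocks the buffer size is hard-coded as the literal 50 three times (`char temp[50];`, the g_snprintf() bound and the g_strlcpy() bound), so it has to be kept in sync by hand with the declared size of h225_pi->frame_label; using `sizeof temp` for the g_snprintf() bound and `sizeof h225_pi->frame_label` for the g_strlcpy() bound would keep the fix correct if that field is ever resized. The copy-through-temp approach itself is the right cure for the aliasing the commit message describes, and the remaining else branches that g_snprintf() a single val_to_str() result straight into frame_label are fine because no argument aliases the destination. Two smaller points: the patch header keeps git's "Conflicts:" list for asn1/h225/h225.cnf and epan/dissectors/packet-h225.c but records nothing about how they were resolved against the 1.12 tree, which the next backporter will want; and `if (contains_faststart) { ... } else` braces one branch but not the other. The hunk as quoted in this mail stops mid-line in the Setup-UUIE block, so the generated epan/dissectors/packet-h225.c half of the change cannot be reviewed from the message itself.
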

Wheezy update of firefox-esr?

2016-09-20 Thread Chris Lamb
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of firefox-esr:
https://security-tracker.debian.org/tracker/source-package/firefox-esr

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out of receiving future similar emails in your
answer, and then the LTS Team will take care of firefox-esr updates
for the LTS releases. (In case we don't get any answer for months,
we may take it as an opt-out, too.)

Thank you very much.

Chris Lamb,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Accepted unadf 0.7.11a-3+deb7u1 (source amd64) into oldstable

2016-09-20 Thread Chris Lamb
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 21 Sep 2016 03:27:21 +0100
Source: unadf
Binary: unadf
Architecture: source amd64
Version: 0.7.11a-3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian QA Group 
Changed-By: Chris Lamb 
Description: 
 unadf  - Extract files from an Amiga Disk File dump (.adf)
Closes: 838248
Changes: 
 unadf (0.7.11a-3+deb7u1) wheezy-security; urgency=high
 .
   * CVE-2016-1243: Fix stack buffer overflow caused by blindly trusting
 pathname lengths of archived files. Stack allocated buffer sysbuf was
 filled with sprintf() without any bounds checking in extracTree() function.
 (Closes: #838248)
 .
   * CVE-2016-1244: Correct execution of unsanitized input. Shell command used
 for creating directory paths was constructed by concatenating names of
 archived files to the end of the command string. (Closes: #838248)
