Re: matrixssl
Brian May wrote:

> Ok, so looks like I should be able to add the following line:
>
> matrixssl 1.8.8-1 2016-09-08 Not supported in Debian LTS (https://lists.debian.org/debian-lts/2016/09/msg00030.html)
>
> To security-support-ended.deb7 and push to
> ssh://git.debian.org/git/collab-maint/debian-security-support.git

Yes :)

> Do I need to ask anybody before doing so?

No. With my FD hat on, I went ahead and did this. :)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: graphicsmagick packaging
[Not sure why I am being CC'd here?]

> Is this just me? Or has graphicsmagick really been packaged without
> debian/patches/*?

Very likely; wheezy is old and the source/format wasn't universally adopted overnight. :)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
graphicsmagick packaging
Hello,

Is this just me? Or has graphicsmagick really been packaged without
debian/patches/*?

⌁ [brian:~/tree/debian/debian-lts/wheezy/graphicsmagick] % dget http://security.debian.org/debian-security/pool/updates/main/g/graphicsmagick/graphicsmagick_1.3.16-1.1+deb7u3.dsc
dget: retrieving http://security.debian.org/debian-security/pool/updates/main/g/graphicsmagick/graphicsmagick_1.3.16-1.1+deb7u3.dsc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2642  100  2642    0     0   1385      0  0:00:01  0:00:01 --:--:--  1385
dget: retrieving http://security.debian.org/debian-security/pool/updates/main/g/graphicsmagick/graphicsmagick_1.3.16.orig.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8531k  100 8531k    0     0   190k       0  0:00:44  0:00:44 --:--:--  379k
dget: retrieving http://security.debian.org/debian-security/pool/updates/main/g/graphicsmagick/graphicsmagick_1.3.16-1.1+deb7u3.diff.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  228k  100  228k    0     0   270k       0 --:--:-- --:--:-- --:--:--  270k
graphicsmagick_1.3.16-1.1+deb7u3.dsc:
      Good signature found
   validating graphicsmagick_1.3.16.orig.tar.gz
   validating graphicsmagick_1.3.16-1.1+deb7u3.diff.gz
All files validated successfully.
dpkg-source: info: extracting graphicsmagick in graphicsmagick-1.3.16
dpkg-source: info: unpacking graphicsmagick_1.3.16.orig.tar.gz
dpkg-source: info: applying graphicsmagick_1.3.16-1.1+deb7u3.diff.gz
dpkg-source: info: upstream files that have been modified:
 graphicsmagick-1.3.16/.pc/.quilt_patches
 graphicsmagick-1.3.16/.pc/.quilt_series
 graphicsmagick-1.3.16/.pc/.version
 graphicsmagick-1.3.16/.pc/CVE-2016-5240.patch/magick/render.c
 graphicsmagick-1.3.16/.pc/CVE-2016-5241.patch/magick/render.c
 graphicsmagick-1.3.16/.pc/applied-patches
 graphicsmagick-1.3.16/PerlMagick/Makefile.PL
 graphicsmagick-1.3.16/coders/gif.c
 graphicsmagick-1.3.16/coders/locale.c
 graphicsmagick-1.3.16/coders/mvg.c
 graphicsmagick-1.3.16/coders/png.c
 graphicsmagick-1.3.16/coders/svg.c
 graphicsmagick-1.3.16/config/delegates.mgk.in
 graphicsmagick-1.3.16/magick/GraphicsMagick-config.1
 graphicsmagick-1.3.16/magick/GraphicsMagick-config.in
 graphicsmagick-1.3.16/magick/blob.c
 graphicsmagick-1.3.16/magick/color_lookup.c
 graphicsmagick-1.3.16/magick/command.c
 graphicsmagick-1.3.16/magick/delegate.c
 graphicsmagick-1.3.16/magick/effect.c
 graphicsmagick-1.3.16/magick/image.c
 graphicsmagick-1.3.16/magick/locale_c.h
 graphicsmagick-1.3.16/magick/log.c
 graphicsmagick-1.3.16/magick/module.c
 graphicsmagick-1.3.16/magick/nt_feature.c
 graphicsmagick-1.3.16/magick/render.c
 graphicsmagick-1.3.16/magick/static.c
 graphicsmagick-1.3.16/magick/type.c
 graphicsmagick-1.3.16/magick/utility.c
 graphicsmagick-1.3.16/magick/utility.h
⌁ [brian:~/tree/debian/debian-lts/wheezy/graphicsmagick] % cd graphicsmagick-1.3.16
⌁ [brian:~/tree … ezy/graphicsmagick/graphicsmagick-1.3.16] % quilt pop
Patch CVE-2016-5241.patch does not remove cleanly (refresh it or enforce with -f)

Just trying to see if I can fix this now using the files under .pc as a reference.

I notice that the package doesn't have the debian/source/format file; however, I don't think this explains the missing debian/patches directory.

Currently got to the stage where quilt is happy, but dpkg-source isn't. dpkg-source reports fuzz in the patch, and quilt refresh says there are no changes to the patch.

⌁ [brian:~/tree … ezy/graphicsmagick/graphicsmagick-1.3.16] 2 % quilt pop -a
Removing patch CVE-2016-5241.patch
Restoring magick/render.c

Removing patch CVE-2016-5240.patch
Restoring magick/render.c

No patches applied
⌁ [brian:~/tree … ezy/graphicsmagick/graphicsmagick-1.3.16] % quilt push ; quilt refresh
Applying patch CVE-2016-5240.patch
patching file magick/render.c

Now at patch CVE-2016-5240.patch
Patch CVE-2016-5240.patch is unchanged
⌁ [brian:~/tree … ezy/graphicsmagick/graphicsmagick-1.3.16] % quilt push ; quilt refresh
Applying patch CVE-2016-5241.patch
patching file magick/render.c

Now at patch CVE-2016-5241.patch
Patch CVE-2016-5241.patch is unchanged

[...]

dpkg-source: info: using source format '3.0 (quilt)'
diff: standard output: Broken pipe
diff: standard output: Broken pipe
diff: standard output: Broken pipe
diff: standard output: Broken pipe
diff: standard output: Broken pipe
dpkg-source: info: building graphicsmagick using existing ./graphicsmagick_1.3.16.orig.tar.gz
patching file magick/render.c
Hunk #1 succeeded at 1484 (offset -35 lines).
Hunk #2 succeeded at 1496 (offset -35 lines).
Hunk #3 succeeded at 2388 (offset -86 lines).
Hunk #4 FAILED at 2504.
1 out of 4 hunks FAILED
dpkg-source: info:
wireshark security update for Wheezy LTS
Hi,

I have prepared an update for wireshark in Wheezy. Please see the diff to the previous version attached. A practically identical changeset has already been accepted to jessie-security.

Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium
 .
   * security fixes from Wireshark 2.0.6:
     - The H.225 dissector could crash (CVE-2016-7176)
     - The Catapult DCT2000 dissector could crash (CVE-2016-7177)
     - The UMTS FP dissector could crash (CVE-2016-7178)
     - The Catapult DCT2000 dissector could crash (CVE-2016-7179)
     - The IPMI trace dissector could crash (CVE-2016-7180)

I plan to upload the package tomorrow around noon UTC.

Cheers,
Balint

diff -Nru wireshark-1.12.1+g01b65bf/debian/changelog wireshark-1.12.1+g01b65bf/debian/changelog
--- wireshark-1.12.1+g01b65bf/debian/changelog 2016-08-14 16:20:37.0 +0200
+++ wireshark-1.12.1+g01b65bf/debian/changelog 2016-09-20 18:05:25.0 +0200
@@ -1,3 +1,14 @@ +wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium + + * security fixes from Wireshark 2.0.6: +- The H.225 dissector could crash (CVE-2016-7176) +- The Catapult DCT2000 dissector could crash (CVE-2016-7177) +- The UMTS FP dissector could crash (CVE-2016-7178) +- The Catapult DCT2000 dissector could crash (CVE-2016-7179) +- The IPMI trace dissector could crash (CVE-2016-7180) + + -- Balint ReczeyTue, 20 Sep 2016 18:05:16 +0200 + wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u3) wheezy-security; urgency=medium * security fixes from Wireshark 1.12.13: diff -Nru wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch --- wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch 1970-01-01 01:00:00.0 +0100 +++ wireshark-1.12.1+g01b65bf/debian/patches/127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch 2016-09-20 18:04:38.0 +0200 
@@ -0,0 +1,695 @@ +From 8b20fac0cdcbeb0266caf5307600e1e1f4912b99 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 2 Aug 2016 20:39:34 -0700 +Subject: [PATCH 127/131] Don't snprintf() into a string with one of the + arguments being the same string. + +That doesn't work - you could be writing into the string from which +you're reading. + +Conflicts: + asn1/h225/h225.cnf + epan/dissectors/packet-h225.c + +Bug: 12700 + +Change-Id: I2fc6416e0613791dcd37ef70dbf00aae159008de +Reviewed-on: https://code.wireshark.org/review/16852 +Reviewed-by: Guy Harris +Reviewed-on: https://code.wireshark.org/review/17800 +Reviewed-by: Balint Reczey +--- + asn1/h225/h225.cnf| 58 +-- + epan/dissectors/packet-h225.c | 168 +++--- + 2 files changed, 127 insertions(+), 99 deletions(-) + +diff --git a/asn1/h225/h225.cnf b/asn1/h225/h225.cnf +index 2bece14..a6ad36b 100644 +--- a/asn1/h225/h225.cnf b/asn1/h225/h225.cnf +@@ -274,8 +274,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + dissect_h245_FastStart_OLC(value_tvb, %(ACTX)s->pinfo, tree, codec_str); + } + +-/* Add to packet info */ +-g_snprintf(h225_pi->frame_label, 50, "%%s %%s", h225_pi->frame_label, codec_str); ++ /* Add to packet info */ ++ { ++char temp[50]; ++g_snprintf(temp, 50, "%%s %%s", h225_pi->frame_label, codec_str); ++g_strlcpy(h225_pi->frame_label, temp, 50); ++ } + + contains_faststart = TRUE; + h225_pi->is_faststart = TRUE; +@@ -362,10 +366,12 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + #.FN_FTR Progress-UUIE + /* Add to packet info */ + h225_pi->cs_type = H225_PROGRESS; +- if (contains_faststart == TRUE ) +-g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""), h225_pi->frame_label); +- else +-g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "")); ++ if (contains_faststart) { ++char temp[50]; ++g_snprintf(temp, 50, "%s OLC (%s)", 
val_to_str(h225_pi->cs_type, T_h323_message_body_vals, ""), h225_pi->frame_label); ++g_strlcpy(h225_pi->frame_label, temp, 50); ++ } else ++g_snprintf(h225_pi->frame_label, 50, "%s", val_to_str(h225_pi->cs_type, T_h323_message_body_vals, "")); + #.END + # + #.FN_FTR SetupAcknowledge-UUIE +@@ -389,28 +395,34 @@ IsupNumber/nationalStandardPartyNumber isupNationalStandardPartyNumber + #.FN_FTR Setup-UUIE + /* Add to packet info */ + h225_pi->cs_type = H225_SETUP; +- if (contains_faststart == TRUE ) +- g_snprintf(h225_pi->frame_label, 50, "%s OLC (%s)", val_to_str(h225_pi->cs_type,
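Review bot: The first hunk in asn1/h225/h225.cnf (around line 274) is the right fix for the overlap: `g_snprintf(h225_pi->frame_label, 50, "%%s %%s", h225_pi->frame_label, codec_str)` reads from the buffer it is writing into, which snprintf() does not permit, and formatting into a local `temp[50]` then copying back with `g_strlcpy()` keeps the existing 50-byte truncation without the aliasing. Two things to check at the Progress-UUIE and Setup-UUIE sites that repeat the same pattern: the literal 50 is now written three times per site (the temp array, its g_snprintf() length and the g_strlcpy() length), so `sizeof temp` would keep those from drifting apart if frame_label's size ever changes; and the patch header lists epan/dissectors/packet-h225.c with 168 lines changed while the diff quoted here stops in the middle of the Setup-UUIE hunk of the .cnf, so please confirm that the generated-dissector half of the change is actually present in 127_2.0.6_Don-t-snprintf-into-a-string-with-one-of-the-argumen.patch, since packet-h225.c is the file that gets compiled.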
Wheezy update of firefox-esr?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of firefox-esr:
https://security-tracker.debian.org/tracker/source-package/firefox-esr

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of firefox-esr updates
for the LTS releases.

(In case we don't get any answer for months, we may also take it as an
opt-out.)

Thank you very much.

Chris Lamb,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Accepted unadf 0.7.11a-3+deb7u1 (source amd64) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 21 Sep 2016 03:27:21 +0100
Source: unadf
Binary: unadf
Architecture: source amd64
Version: 0.7.11a-3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian QA Group
Changed-By: Chris Lamb
Description:
 unadf      - Extract files from an Amiga Disk File dump (.adf)
Closes: 838248
Changes:
 unadf (0.7.11a-3+deb7u1) wheezy-security; urgency=high
 .
   * CVE-2016-1243: Fix stack buffer overflow caused by blindly trusting the
     pathname lengths of archived files. Stack allocated buffer sysbuf was
     filled with sprintf() without any bounds checking in extracTree()
     function. (Closes: #838248)
 .
   * CVE-2016-1244: Correct execution of unsanitized input. Shell command
     used for creating directory paths was constructed by concatenating
     names of archived files to the end of the command string.
     (Closes: #838248)
Checksums-Sha1:
 615aee980f21ef85ed80098407ab76a0a8036a85 1700 unadf_0.7.11a-3+deb7u1.dsc
 63c05f97302ff67f5d7ff2d9e33f9a66196f9578 209458 unadf_0.7.11a.orig.tar.gz
 040ce52a550612474ac0d8e3af5169429e6b48ad 21762 unadf_0.7.11a-3+deb7u1.debian.tar.gz
 4bd6b2041f4d1c7431ae20503b2a335168f1ace0 119676 unadf_0.7.11a-3+deb7u1_amd64.deb
Checksums-Sha256:
 db4a5a7defcec018da390d90f58710ba0d5f59f33b16450e0407f3d2866c1576 1700 unadf_0.7.11a-3+deb7u1.dsc
 fa9e0e34b1b0f4f4287905a3d485e3bba498451af98d6c12be87ab3a2b436471 209458 unadf_0.7.11a.orig.tar.gz
 ed723ed04624b6337d42e47ce40217bc218c7be64098fe0ba316b5d01a91a841 21762 unadf_0.7.11a-3+deb7u1.debian.tar.gz
 7f415e272a7105734f7102bd8ceb42c2700672d41803a2aadf213490edcd5336 119676 unadf_0.7.11a-3+deb7u1_amd64.deb
Files:
 613e73c52d252e3e0fd426c8c8f320bd 1700 utils optional unadf_0.7.11a-3+deb7u1.dsc
 63c21eeb61e1473d8dd214e0b39cb819 209458 utils optional unadf_0.7.11a.orig.tar.gz
 32c3c4f104526bbea523dfbbd942dd9b 21762 utils optional unadf_0.7.11a-3+deb7u1.debian.tar.gz
 a601b5f46efde3fe46553db1372646a6 119676 utils optional unadf_0.7.11a-3+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJX4fzCAAoJEB6VPifUMR5Yi3sP/2KLZIcRXBxGEcl9gQqWPtqo
v8goh1o4qGXTkPyxuLEt4CHCadEFUa5xlMFlvXu8HYklFqXAxlNHJqEWwDqNvTmH
6Vvsy4/CsCKVEVhjbbhw1uIulJ1NqKmZ2weHrEJLmQnbFs98heqWktqKuCU5qu5z
eAes9BJzE644Ag6PxNrp4s8LB/ZPUHQCzKdeXQT0vbV30s5OiB5PXH7OUc+3gQfC
vZJtTQ/5qE7JYkI0oyffe6G2hLDbzy4tWyUuKaATXyMwGgB2Y90W8wQHcYX+0AFJ
p/Nm1cL46cwzl0xpg0A0gRDoS9VKwy4yVkTWGLRChw8wbSWn7Qze/DET82/fyuco
d53/9HydBtgAEwrOHCcdxafGJ90Hv1uUXWAPcysnJMif43XC1JcfzrAJu86IaIW0
BkHH3MKj1EcH0WqC3O7MQ96iTi6z0LAcThSN8J7+yxEPqrU/iLQXMhQciMgsrgJd
+VO4plwn1ETD7MYWLWuRGLoiTGv6lRVrj3XTTobtDhbr3ZTGrOwVX7XPwhf57HQ2
7YgE5UKH2veKmU9btWBmPPsdevNCSQe9cDEg6Ief8OalfjqDNDqqc+YfShZPQZVP
WgrhWMunGMzG6rF8umICNJ2KbwW6g0TflY+LqM0SevBi/ZK8wTE+Elvmns9iW3T+
T0y4cq4UOuVTm1qfdHHW
=NX4b
-----END PGP SIGNATURE-----
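The two unadf changelog entries above describe two classic extractor bugs: a stack buffer (sysbuf) filled by sprintf() from an archive entry name with no length check (CVE-2016-1243), and a "mkdir" shell command built by appending the entry name to a command string (CVE-2016-1244). The following C is an added example written for this page, not unadf's own code and not the Debian patch; it shows the hardened shape a practitioner would want for both: a bounded path builder that treats truncation as an error, an allow-list check on entry names, and directory creation through mkdir(2) so archive content never reaches a shell. `SYSBUF_LEN`, `build_path`, `name_is_safe` and `make_dirs` are hypothetical names chosen for the example; the sample entry names in main() are constructed.

```c
/* Hardened path handling for an archive extractor, in the spirit of the two
 * unadf fixes described in the changelog above. Constructed example; none of
 * this is unadf's code. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical fixed-size buffer, standing in for the stack buffer `sysbuf`
 * that CVE-2016-1243 overflowed. */
#define SYSBUF_LEN 256

/* CVE-2016-1243 class: the original filled a stack buffer with sprintf() from
 * an attacker-controlled entry name. This version passes the real buffer size
 * to snprintf() and treats truncation as an error rather than silently using
 * a mangled path. Returns 0 on success, -1 if "<dest>/<name>" does not fit. */
int build_path(char *out, size_t outlen, const char *dest, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", dest, name);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Allow-list check on an archive entry name before it is used to build a
 * path: no absolute paths, no empty, "." or ".." components, and only a
 * conservative character set (so shell metacharacters are rejected even
 * though nothing below ever invokes a shell). Returns 1 if acceptable. */
int name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;

    const char *seg = name;                 /* start of the current component */
    for (const char *p = name; ; p++) {
        if (*p == '/' || *p == '\0') {
            size_t len = (size_t)(p - seg);
            if (len == 0)                                     /* "a//b", "a/" */
                return 0;
            if (seg[0] == '.' && (len == 1 || (len == 2 && seg[1] == '.')))
                return 0;                                     /* "." or ".." */
            if (*p == '\0')
                return 1;
            seg = p + 1;
        } else if (!isalnum((unsigned char)*p) && strchr("._- ", *p) == NULL) {
            return 0;                          /* ';', '$', '`', '\n', ... */
        }
    }
}

/* CVE-2016-1244 class: the original appended the entry name to a "mkdir ..."
 * command string and ran it through a shell, so any metacharacter in the
 * archive became code. This version creates each component with mkdir(2)
 * directly; the name is only ever a path argument. Returns 0 on success,
 * -1 on a rejected name or a filesystem error. */
int make_dirs(const char *dest, const char *name)
{
    char path[SYSBUF_LEN];

    if (!name_is_safe(name) || build_path(path, sizeof path, dest, name) != 0)
        return -1;

    /* Create intermediate components below dest one at a time. */
    for (char *p = path + strlen(dest) + 1; *p != '\0'; p++) {
        if (*p == '/') {
            *p = '\0';
            if (mkdir(path, 0755) != 0 && errno != EEXIST)
                return -1;
            *p = '/';
        }
    }
    if (mkdir(path, 0755) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample entry names as they might appear in an archive. */
    const char *samples[] = { "docs/readme.txt", "../etc/passwd", "a;b",
                              "/abs", "x/./y" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               name_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The ordering matters: `make_dirs` validates the name before building the path, and `build_path` refuses rather than truncates, so an over-long or hostile entry is rejected at the boundary instead of producing a partially written path that the mkdir loop would then act on.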