Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 29/11/2022 11:14, Yadd wrote:

On 29/11/2022 10:56, Yadd wrote:

On 28/11/2022 22:11, Paul Gevers wrote:

Hi Yadd,

On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote:

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: node-minimatch
Version: 3.0.4+~3.0.3-1+deb11u1
Explanation: improve protection against regular expression-based denial of service [CVE-2022-3517]

The upload breaks [1] the autopkgtest of node-glob. Can you have a look?

Paul

[...]

Hi,

the problem is in this part of minimatch.js patch:

@@ -280,7 +306,7 @@ if (pattern === '') return '' var re = '' - var hasMagic = !!options.nocase + var hasMagic = false var escaping = false // ? => one single character var patternListStack = []

We should apply this patch: https://github.com/isaacs/minimatch/commit/e4cd4346

I'm going to prepare a new upload

Here is a new debdiff:
 * this cleans CVE-2022-3517 patch (package*.json changes not needed)
 * this includes regressions fixes from 3.0.6 and 3.0.7

To help, I built a cumulative debdiff (u1 + u2), easier to read.

Do I have to open a new BTS ?

Cheers,
Yadd

Of course, verified with node-glob, all is OK now
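Review bot: initialising hasMagic to false in the `- var hasMagic = !!options.nocase` / `+ var hasMagic = false` pair discards the nocase special case: with options.nocase set, a pattern containing no glob characters must still be compiled to a regexp (carrying the 'i' flag) instead of being returned as a literal string, otherwise a caller such as node-glob treats it as an exact path and the differently-cased matches vanish, which is exactly what the node-glob autopkgtest failure reports. Keep the original initialisation, as the referenced upstream follow-up commit e4cd4346 does, and carry node-glob's nocase test in the package's own autopkgtest so a later ReDoS hardening cannot regress it silently.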
Bug#1023731: BioC Packages are now clean (one exception with RC bug filed) (Was: Bug#1023731: Any idea why debci picks old versions)
Hi again,

On Mon, Nov 28, 2022 at 09:32:13PM +0100, Andreas Tille wrote:
> So you want to say, the fact that the current debci results that are
> listed on the r-bioc-biocgenerics page are based on packages that are
> replaced in unstable and the current packages that are fixed are not
> listed with recent debci results, is due to a bug in britney?
>
> Thanks for the manual triggers, hope this will help here

This has definitely helped to clean up the debci-related excuses from false positives. Now there is only one remaining one which is a real problem which I have reported upstream (see bug #1025045). If r-bioc-structuralvariantannotation were removed from testing I do not see any blocker for the transition any more.

The good news is that ftpmaster accepted all preconditions right in time, so I was able to upload all the missing ones this morning. IMHO this is a good sign for me, that the current strategy "do the transition right in unstable and see what new preconditions are needed when doing so" is not really a blocker in the current case. Please let me know if you think this is not the case.

Kind regards

Andreas.

--
http://fam-tille.de
Processed: Re: Bug#1024876: transition: coq 8.16.1
Processing control commands:

> tags -1 confirmed
Bug #1024876 [release.debian.org] transition: coq 8.16.1
Added tag(s) confirmed.

--
1024876: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024876
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1024876: transition: coq 8.16.1
Control: tags -1 confirmed

Hi Julien

On 2022-11-27 12:06:07 +0100, julien.pu...@gmail.com wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> X-Debbugs-Cc: jpu...@debian.org
> X-Debbugs-Cc: Debian OCaml Maintainers
>
> A new upstream version of Coq is out ; it requires rebuilding all
> depending packages (see below).
>
> I'm waiting for the "go!" signal to upload coq 8.16.1-1.

Please go ahead

Cheers

> Cheers,
>
> J.Puydt
>
> PS: the upgrade path:
>
> nmu aac-tactics_8.16.0-1+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw aac-tactics_8.16.0-1+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-bignums_8.16.0-1+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-bignums_8.16.0-1+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-dpdgraph_1.0+8.16-1+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-dpdgraph_1.0+8.16-1+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-elpi_1.16.0-1+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-elpi_1.16.0-1+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-ext-lib_0.11.7-1+b2 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-ext-lib_0.11.7-1+b2 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-hammer_1.3.2+8.16-1+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-hammer_1.3.2+8.16-1+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-hott_8.16-1+b2 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-hott_8.16-1+b2 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-libhyps_2.0.6-1+b2 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-libhyps_2.0.6-1+b2 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-menhirlib_20220210+ds-3+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-menhirlib_20220210+ds-3+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-record-update_0.3.1-1+b3 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-record-update_0.3.1-1+b3 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-reduction-effects_0.1.4-2+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-reduction-effects_0.1.4-2+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-stdpp_1.8.0-2+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-stdpp_1.8.0-2+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-unicoq_1.6-8.16-1+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-unicoq_1.6-8.16-1+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-unimath_20220816-1+b3 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw coq-unimath_20220816-1+b3 . ANY . -m 'coq >= 8.16.1-1'
> nmu flocq_4.1.0-2+b2 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw flocq_4.1.0-2+b2 . ANY . -m 'coq >= 8.16.1-1'
> nmu ott_0.32+ds-2+b3 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw ott_0.32+ds-2+b3 . ANY . -m 'coq >= 8.16.1-1'
> nmu paramcoq_1.1.3+coq8.16-2+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw paramcoq_1.1.3+coq8.16-2+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu ssreflect_1.15.0-1+b2 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1'
> dw ssreflect_1.15.0-1+b2 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-deriving_0.1.0-1+b3 . ANY . -m 'Rebuild because of upload of ssreflect=1.15.0-1+b2 coq=8.16.1-1'
> dw coq-deriving_0.1.0-1+b3 . ANY . -m 'ssreflect >= 1.15.0-1+b2'
> dw coq-deriving_0.1.0-1+b3 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-equations_1.3-8.16-1+b1 . ANY . -m 'Rebuild because of upload of coq=8.16.1-1 coq-hott=8.16-1+b2'
> dw coq-equations_1.3-8.16-1+b1 . ANY . -m 'coq >= 8.16.1-1'
> dw coq-equations_1.3-8.16-1+b1 . ANY . -m 'coq-hott >= 8.16-1+b2'
> nmu coq-gappa_1.5.2-4+b1 . ANY . -m 'Rebuild because of upload of flocq=4.1.0-2+b2 coq=8.16.1-1'
> dw coq-gappa_1.5.2-4+b1 . ANY . -m 'flocq >= 4.1.0-2+b2'
> dw coq-gappa_1.5.2-4+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-hierarchy-builder_1.4.0-2+b3 . ANY . -m 'Rebuild because of upload of coq-elpi=1.16.0-1+b1 coq=8.16.1-1'
> dw coq-hierarchy-builder_1.4.0-2+b3 . ANY . -m 'coq-elpi >= 1.16.0-1+b1'
> dw coq-hierarchy-builder_1.4.0-2+b3 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-iris_4.0.0-2+b1 . ANY . -m 'Rebuild because of upload of coq-stdpp=1.8.0-2+b1 coq=8.16.1-1'
> dw coq-iris_4.0.0-2+b1 . ANY . -m 'coq-stdpp >= 1.8.0-2+b1'
> dw coq-iris_4.0.0-2+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-math-classes_8.15.0-3+b2 . ANY . -m 'Rebuild because of upload of coq-bignums=8.16.0-1+b1 coq=8.16.1-1'
> dw coq-math-classes_8.15.0-3+b2 . ANY . -m 'coq-bignums >= 8.16.0-1+b1'
> dw coq-math-classes_8.15.0-3+b2 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-mtac2_1.4+8.16-1+b1 . ANY . -m 'Rebuild because of upload of coq-unicoq=1.6-8.16-1+b1 coq=8.16.1-1'
> dw coq-mtac2_1.4+8.16-1+b1 . ANY . -m 'coq-unicoq >= 1.6-8.16-1+b1'
> dw coq-mtac2_1.4+8.16-1+b1 . ANY . -m 'coq >= 8.16.1-1'
> nmu coq-reglang_1.1.3-1+b3 . ANY . -m 'Rebuild because of upload of ssreflect=1.15.0-1+b2
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 28/11/2022 22:11, Paul Gevers wrote:

Hi Yadd,

On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote:

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==

Package: node-minimatch
Version: 3.0.4+~3.0.3-1+deb11u1
Explanation: improve protection against regular expression-based denial of service [CVE-2022-3517]

The upload breaks [1] the autopkgtest of node-glob. Can you have a look?

Paul

[1] https://ci.debian.net/packages/n/node-glob/stable/amd64/

4 failing

1) test/nocase-nomagic.js nocase, nomagic should be equivalent:
   Error: should be equivalent
   + expected - actual
   -[]
   +[
   +  "/TMP/A"
   +  "/TMP/a"
   +  "/tMP/A"
   +  "/tMP/a"
   +  "/tMp/A"
   +  "/tMp/a"
   +  "/tmp/A"
   +  "/tmp/a"
   +]
   at test/nocase-nomagic.js:98:7
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob.<anonymous> (/usr/share/nodejs/glob/glob.js:151:7)
   at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
   at done (/usr/share/nodejs/glob/glob.js:182:14)
   at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12)
   at /usr/share/nodejs/glob/glob.js:676:10
   at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12)
   at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12)
   at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
   at f (/usr/lib/nodejs/once/once.js:25:25)

2) test/nocase-nomagic.js nocase, nomagic should be equivalent:
   Error: should be equivalent
   + expected - actual
   -[]
   +[
   +  "/TMP/A"
   +  "/TMP/a"
   +  "/tMP/A"
   +  "/tMP/a"
   +  "/tMp/A"
   +  "/tMp/a"
   +  "/tmp/A"
   +  "/tmp/a"
   +]
   at test/nocase-nomagic.js:108:7
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob.<anonymous> (/usr/share/nodejs/glob/glob.js:151:7)
   at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
   at done (/usr/share/nodejs/glob/glob.js:182:14)
   at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12)
   at /usr/share/nodejs/glob/glob.js:676:10
   at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12)
   at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12)
   at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
   at f (/usr/lib/nodejs/once/once.js:25:25)

3) test/nocase-nomagic.js nocase, with some magic should be equivalent:
   Error: should be equivalent
   + expected - actual
   [
   +  "/TMP/A"
   +  "/TMP/a"
   +  "/tMP/A"
   +  "/tMP/a"
   +  "/tMp/A"
   +  "/tMp/a"
      "/tmp/A"
      "/tmp/a"
   ]
   at test/nocase-nomagic.js:137:7
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob.<anonymous> (/usr/share/nodejs/glob/glob.js:151:7)
   at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
   at done (/usr/share/nodejs/glob/glob.js:182:14)
   at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12)
   at /usr/share/nodejs/glob/glob.js:371:17
   at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10)
   at /usr/share/nodejs/glob/glob.js:555:12
   at test/nocase-nomagic.js:62:9

4) test/nocase-nomagic.js nocase, with some magic should be equivalent:
   Error: should be equivalent
   + expected - actual
   [
   +  "/TMP/A"
   +  "/TMP/a"
   +  "/tMP/A"
   +  "/tMP/a"
   +  "/tMp/A"
   +  "/tMp/a"
      "/tmp/A"
      "/tmp/a"
   ]
   at test/nocase-nomagic.js:147:7
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob.<anonymous> (/usr/share/nodejs/glob/glob.js:151:7)
   at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
   at done (/usr/share/nodejs/glob/glob.js:182:14)
   at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12)
   at /usr/share/nodejs/glob/glob.js:371:17
   at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10)
   at /usr/share/nodejs/glob/glob.js:555:12
   at test/nocase-nomagic.js:62:9

Hi,

the problem is in this part of minimatch.js patch:

@@ -280,7 +306,7 @@ if (pattern === '') return '' var re = '' - var hasMagic = !!options.nocase + var hasMagic = false var escaping = false // ? => one single character var patternListStack = []

We should apply this patch: https://github.com/isaacs/minimatch/commit/e4cd4346

I'm going to prepare a new upload
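The hasMagic regression discussed in this thread (the quoted hunk and the node-glob nocase failures it produced, here and in the later reply above) as an added JavaScript illustration; this is not minimatch's or node-glob's code but a miniature model of how they interact, and MAGIC, TREE, walk and globNocase are constructed for the example:

```javascript
// Added illustration, not code from minimatch or node-glob: a miniature model
// of why minimatch 3.0.x initialises hasMagic from options.nocase. A glob
// walker only reads a directory when a segment compiled to a RegExp; a plain
// string segment is looked up literally. Under nocase a segment without glob
// characters must therefore still compile to a RegExp (with the 'i' flag), or
// differently-cased entries on a case-sensitive filesystem are never seen.

// Simplified "magic" character detection (assumption; the real parser does more).
const MAGIC = /[*?[\]{}()]/;

// Compile one path segment the way minimatch's parse() epilogue does: hand back
// the literal string when nothing was magic, otherwise an anchored RegExp.
// hasMagicInit stands for the disputed line: !!options.nocase upstream, false
// in the regressed deb11u1 patch.
function compileSegment(segment, options, hasMagicInit) {
  let hasMagic = hasMagicInit;
  let re = '';
  for (const ch of segment) {
    if (MAGIC.test(ch)) {
      hasMagic = true;
      re += ch === '*' ? '[^/]*' : ch === '?' ? '[^/]' : '\\' + ch;
    } else {
      re += ch.replace(/[.+^$|\\]/g, '\\$&');
    }
  }
  if (!hasMagic) return segment;
  return new RegExp('^' + re + '$', options.nocase ? 'i' : '');
}

// Constructed in-memory, case-sensitive tree standing in for the fixture that
// node-glob's test/nocase-nomagic.js expects (eight /t?p/? entries).
const TREE = {
  '/': ['TMP', 'tMP', 'tMp', 'tmp'],
  '/TMP': ['A', 'a'], '/tMP': ['A', 'a'], '/tMp': ['A', 'a'], '/tmp': ['A', 'a'],
};
const join = (dir, name) => (dir === '/' ? '/' + name : dir + '/' + name);
const readdir = (dir) => TREE[dir] || [];
function exists(path) {
  const i = path.lastIndexOf('/');
  const parent = i === 0 ? '/' : path.slice(0, i);
  return readdir(parent).includes(path.slice(i + 1));
}

// Walker modelled on node-glob: a string segment is stat'ed as written, a
// RegExp segment costs a readdir plus a filter.
function walk(dir, segments) {
  if (segments.length === 0) return [dir];
  const [seg, ...rest] = segments;
  const names = typeof seg === 'string'
    ? (exists(join(dir, seg)) ? [seg] : [])
    : readdir(dir).filter((name) => seg.test(name));
  return names.flatMap((name) => walk(join(dir, name), rest));
}

// Expand `pattern` with nocase on. upstreamInit=true uses hasMagic =
// !!options.nocase; false reproduces the deb11u1 initialisation.
function globNocase(pattern, upstreamInit) {
  const options = { nocase: true };
  const init = upstreamInit ? !!options.nocase : false;
  const segments = pattern.split('/').filter(Boolean)
    .map((s) => compileSegment(s, options, init));
  return walk('/', segments).sort();
}

// Regressed: only the exactly-cased path is found. Restored: all eight entries.
console.log(globNocase('/tmp/a', false), globNocase('/tmp/a', true));
```

In the real test the regressed run returned an empty list because the fixture only answers readdir, not stat, for the fake /tmp entries; the model keeps a plain stat so the difference between one literal hit and eight case-insensitive hits stays visible.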
Bug#1025055: transition: qtwebengine-opensource-src
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release team,

This is a mini-transition that requires binNMU of just two packages: angelfish and qtwebview-opensource-src.

It is a new Qt WebEngine patch release with security fixes, and additionally I switched it to build with Python 3.

The updated package is currently available in experimental. I want to wait a couple more days to collect feedback, and then I will be able to upload it to unstable.

Ben file:

title = "qtwebengine-opensource-src";
is_affected = .depends ~ "qtwebengine-abi-5-15-10" | .depends ~ "qtwebengine-abi-5-15-11";
is_good = .depends ~ "qtwebengine-abi-5-15-11";
is_bad = .depends ~ "qtwebengine-abi-5-15-10";

--
Dmitry Shachnev
Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: Anton Gladky

We'd like to update the numerical library stack in time for the new stable release.

Affected libraries are

hypre 2.25.0 -> 2.26.0
petsc/slepc 3.17 -> 3.18
sundials 5.8.0 -> 6.4.1

Autotransitions are already generated:
https://release.debian.org/transitions/html/auto-hypre.html
https://release.debian.org/transitions/html/auto-petsc.html
https://release.debian.org/transitions/html/auto-slepc.html
https://release.debian.org/transitions/html/auto-sundials.html

Most of the dependent packages are under our control (Debian Science Team), octave is the main one outside our team.

Updates have built fine in experimental and dependent packages are building successfully against them.

Anton Gladky will upload the sundials update.

Ben file:

title = "numerical library transition: hypre / petsc / slepc / sundials";
is_affected = .depends ~ "libpetsc-real3.17" | .depends ~ "libpetsc-real3.18";
is_good = .depends ~ "libpetsc-real3.18";
is_bad = .depends ~ "libpetsc-real3.17";
etc
Bug#1023787: transition: liblxqt
Hi ChangZhuo,

On 29-11-2022 06:29, ChangZhuo Chen (陳昌倬) wrote:
> Please help to migrate libfm-qt in new queue [0] so that we can prepare the migration.

That's not under our control. You'll need to talk to ftp-master (typically a note with explanation on IRC helps).

Paul
Bug#1025083: bullseye-pu: package omnievents/1:2.6.2-5.1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: guilherme@gmail.com

[ Reason ]
This is not a regression, but a discovered bug. omnievents enables CORBA applications to communicate through asynchronous broadcast channels rather than direct method calls. omnievents-doc is a package that can be installed as a suggestion of omnievents containing the documentation of the package, but which cannot be fully used due to a broken symlink.

[ Impact ]
If not approved, the package documentation cannot be used in its entirety.

[ Tests ]
The package has been tested in stable, testing and unstable versions. Tests using piuparts were made using the '--fail-on-broken-symlinks' option and after the correction the problem was no longer found. The command used in the test was:

# piuparts --fail-on-broken-symlinks omnievents-doc_2.6.2-5.1+deb11u1_all.deb

[ Risks ]
This is a trivial change, no risks.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The fix was made in the debian/control file by adding the 'libjs-jquery' dependency to the 'omnievents-doc' package. Please, see the debdiff.

[ Other info ]
No more information.

diff -Nru omnievents-2.6.2/debian/changelog omnievents-2.6.2/debian/changelog
--- omnievents-2.6.2/debian/changelog 2021-01-09 07:59:32.0 -0300
+++ omnievents-2.6.2/debian/changelog 2022-11-28 17:20:30.0 -0300
@@ -1,3 +1,12 @@ +omnievents (1:2.6.2-5.1+deb11u1) bullseye; urgency=medium + + * debian/control: Added 'libjs-jquery' as a dependency of 'omnievents-doc' +to fix broken symlinks that prevent reading part of the documentation. +. +Closes: #989339 + + -- Guilherme de Paula Xavier Segundo Mon, 28 Nov 2022 17:20:30 -0300 + omnievents (1:2.6.2-5.1) unstable; urgency=medium * Non maintainer upload by the Reproducible Builds team. diff -Nru omnievents-2.6.2/debian/control omnievents-2.6.2/debian/control --- omnievents-2.6.2/debian/control 2016-07-23 17:11:03.0 -0300 +++ omnievents-2.6.2/debian/control 2022-11-28 17:20:30.0 -0300 @@ -45,7 +45,8 @@ Package: omnievents-doc Architecture: all Section: doc -Depends: ${misc:Depends} +Depends: ${misc:Depends}, + libjs-jquery Description: omniORB event service documentation This package contains omniEvents manual and doxygen generated documentation. .
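Review bot: the debian/control hunk makes `libjs-jquery` a hard Depends of omnievents-doc, which is the right strength for a symlink piuparts reports as broken, but neither the changelog entry ("to fix broken symlinks") nor the control change names the link target: please confirm that the symlink in the doxygen output resolves to the path libjs-jquery ships (/usr/share/javascript/jquery/jquery.js), because a dependency on the package does not repair a link whose target path differs, and state that path in the changelog so the next reviewer can verify the fix without unpacking the package.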
Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
Control: tags -1 confirmed

Hi Drew

On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> X-Debbugs-Cc: Anton Gladky
>
> We'd like to update the numerical library stack in time for the new
> stable release.
>
> Affected libraries are
>
> hypre 2.25.0 -> 2.26.0
> petsc/slepc 3.17 -> 3.18
> sundials 5.8.0 -> 6.4.1
>
> Autotransitions are already generated:
> https://release.debian.org/transitions/html/auto-hypre.html
> https://release.debian.org/transitions/html/auto-petsc.html
> https://release.debian.org/transitions/html/auto-slepc.html
> https://release.debian.org/transitions/html/auto-sundials.html
>
> Most of the dependent packages are under our control
> (Debian Science Team), octave is the main one outside our team.
>
> Updates have built fine in experimental and dependent
> packages are building successfully against them.
>
> Anton Gladky will upload the sundials update.

Please go ahead

Cheers
--
Sebastian Ramacher
Processed: Re: Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials
Processing control commands:

> tags -1 confirmed
Bug #1025056 [release.debian.org] transition: numerical library transition: hypre / petsc / slepc / sundials
Added tag(s) confirmed.

--
1025056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1023205: request to backport memtest86
Fabio Fantoni writes...
> I didn't think about that. I thought new upstream releases are only
> done for special packages which otherwise have no security support
> like Firefox or PHP
>
> But I'll do that now.

This bug is #1023205 but I note there has been no response so far. I would like to be able to use the new 6.00-1 version in stable as the existing version there does not work on many systems, modern but also even those 5+ years old. I think there is a good argument for including in a stable update, but either way can we get a decision and have it available in stable proposed updates or backports soon?

Thanks,

--
Matt Taggart
m...@lackof.org
Bug#1002956: New debdiff
On Sat, 06 Aug 2022 19:09:05 +0100 "Adam D. Barratt" wrote:
> + * Stop moving mv /etc/rabbitmq/rabbitmq.conf > /etc/rabbitmq/rabbitmq-env.conf.
>
> This could do with an explanation as to _why_ this move should not be happening.

I believe this is https://bugs.debian.org/943699

> + if ! [ -e /var/lib/rabbitmq/.erlang.cookie ] ; then > + OLD_UMASK=$(umask) > + umask 077; openssl rand -base64 -out > /var/lib/rabbitmq/.erlang.cookie 42 > + umask ${OLD_UMASK} > + else > + # This matches an Erlang generated cookie file: 20 upper case > chars > + if grep -q -E '^[A-Z]{20}$' /var/lib/rabbitmq/.erlang.cookie > ; then > + OLD_UMASK=$(umask) > + umask 077; openssl rand -base64 -out > /var/lib/rabbitmq/.erlang.cookie 42 > + umask ${OLD_UMASK} > + if [ ""$(ps --no-headers -o comm 1) = "systemd" ] ; > then > + if systemctl is-active --quiet > rabbitmq-server.service ; then > + systemctl restart > rabbitmq-server.service
> [...]
> +Since 3.9.8-3, the rabbitmq-server node will use openssl to generate a > +cryptographically-secure cookie during first installation, mitigating > +this vulnerability. > + > +Servers which installed a prior version, and are upgrading to 3.9.8-3 > +or higher, ARE STILL VULNERABLE, as the package will not regenerate > +the secret if it exists already. This is because the secret is > +designed to be shared between nodes in a cluster, and thus > +regenerating it would break existing clusters.
>
> This seems to be inaccurate. The latter block quoted above specifically *does* regenerate an existing secret if it deems it to be not "good enough", so far as I can tell?

The README.debian changes are out of date with the code, yes. The warnings in README.debian, I believe, date from when that documentation was a compromise solution, rather than fixing existing weak magic cookies. Since the code now does address those, the README should be updated accordingly.
The changelog might also merit a warning that this may break clustered installs which share a weak magic cookie, similar to the note in the initial mail of https://bugs.debian.org/1004513 - Alex
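Review bot: in the quoted maintainer-script hunk, `umask 077` only governs files that are created, so in the regeneration branch (the `grep -q -E '^[A-Z]{20}$'` case) `openssl rand -out` truncates and rewrites the existing /var/lib/rabbitmq/.erlang.cookie in place and the file keeps whatever mode it already had; a cookie that was group- or world-readable before the upgrade stays readable after the new value is written. Add an explicit `chmod 600` on the cookie file after each `openssl rand` call rather than relying on the umask. Two smaller points on the same hunk: `[ ""$(ps --no-headers -o comm 1) = "systemd" ]` only works because the empty quoted string keeps a field when the substitution is empty, so write it as `[ "$(ps --no-headers -o comm 1)" = "systemd" ]`; and the README hunk still says the package "will not regenerate the secret if it exists already", which the script above it contradicts, so the two should be brought in line before upload, as the reply already notes.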
Bug#1025137: bullseye-pu: package g810-led/0.4.2-1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

g810-led has a security issue in stable; it leaves /dev/input/eventXX device nodes world-readable and writable (CVE-2022-46338). The issue is marked no-dsa, but I would like to provide a fix in the next point-release. The fix is already in unstable (0.4.2-3).

The attached debdiff fixes the issue by patching the udev rules file: the affected device nodes have their mode set to 660 instead of 666, and uaccess is used to provide access to the user at the console.

I own relevant hardware and have verified the fix myself on a multi-user system.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Regards,

Stephen

diff -Nru g810-led-0.4.2/debian/changelog g810-led-0.4.2/debian/changelog --- g810-led-0.4.2/debian/changelog 2020-05-23 20:33:29.0 +0200 +++ g810-led-0.4.2/debian/changelog 2022-11-30 08:24:25.0 +0100 @@ -1,3 +1,11 @@ +g810-led (0.4.2-1+deb11u1) bullseye; urgency=medium + + * Control device access with uaccess instead of making everything +world-writable. Thanks to Xavi Drudis Ferran for the report! +Closes:#1024998. (CVE-2022-46338.) + + -- Stephen Kitt Wed, 30 Nov 2022 08:24:25 +0100 + g810-led (0.4.2-1) unstable; urgency=medium * New upstream release. diff -Nru g810-led-0.4.2/debian/patches/device-permissions.patch g810-led-0.4.2/debian/patches/device-permissions.patch --- g810-led-0.4.2/debian/patches/device-permissions.patch 1970-01-01 01:00:00.0 +0100 +++ g810-led-0.4.2/debian/patches/device-permissions.patch 2022-11-30 08:23:44.0 +0100
@@ -0,0 +1,74 @@ +commit e2b486fd1bc21e0b784e1b4c959770772dfced24 +Author: Stephen Kitt +Date: Mon Nov 28 21:05:05 2022 +0100 + +Rely on uaccess to control device access + +The udev rules currently make supported device nodes world-readable +and writable, which means that any process on the system can read +traffic from keyboards including passwords etc. To avoid this, while +still allowing the "controlling" user to run g810-led without being +root, this patch adds a uaccess tag; this ensures that the user at the +console has write access to the devices. The mode is also changed to +660 to ensure that existing device nodes are fixed on upgrade. + +Thanks to Xavi Drudis Ferran for bringing this to my attention. + +Fixes: #293 +Signed-off-by: Stephen Kitt + +diff --git a/udev/g810-led.rules b/udev/g810-led.rules +index 90b743b..ea05726 100644 +--- a/udev/g810-led.rules b/udev/g810-led.rules +@@ -1,25 +1,25 @@ +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="666" RUN+="/usr/bin/g410-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="666" RUN+="/usr/bin/g413-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c342", MODE="666" RUN+="/usr/bin/g512-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="666" RUN+="/usr/bin/g513-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", 
ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33f", MODE="666" RUN+="/usr/bin/g815-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="666" RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d",
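Review bot: the udev/g810-led.rules hunk is cut off in this mail after the removed `MODE="666"` lines, so the replacement rules cannot be checked here; when reviewing the full debdiff, verify that the rules file is installed under a name that sorts before 73-seat-late.rules, because that is where the uaccess builtin applies the ACLs for devices carrying TAG+="uaccess"; a rule that sorts later still tags the device but grants the console user nothing, and with MODE 660 that user then loses the access MODE 666 used to provide. The patch description also promises that "existing device nodes are fixed on upgrade"; rules alone only take effect on the next add event, so confirm that something (a udevadm trigger in postinst or the udev package's own trigger on rules changes) reprocesses the already-present nodes, and consider saying so in the changelog so the point-release notes can describe the upgrade behaviour accurately.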