Bug#1006599: transition: capnproto

2022-02-27 Thread Tom Lee
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: deb...@tomlee.co tmanc...@debian.org
Severity: normal

Hi,

Requesting a transition for capnproto 0.9.1. It's in experimental and there
is an auto transition page here:

https://release.debian.org/transitions/html/auto-capnproto.html

clickhouse is the only reverse dependency that FTBFS but it was already
broken prior to the 0.8.0 transition due to issues unrelated to the capnproto
package:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996130

clickhouse was removed from testing in 2021 because of this issue and there
has been no movement since. Since it's not likely to be fixed soon and we're
again receiving requests for new capnproto packaging we'd like to proceed
with the transition.

Let me know if I can provide any further details.

Ben file:

title = "capnproto";
is_affected = .depends ~ "libcapnp-0.8.0" | .depends ~ "libcapnp-0.9.1";
is_good = .depends ~ "libcapnp-0.9.1";
is_bad = .depends ~ "libcapnp-0.8.0";

-- 
Tom Lee / http://tomlee.co / @tglee


Bug#995636: transition: openssl

2022-02-27 Thread Sebastian Andrzej Siewior
On 2022-02-14 15:01:34 [+0100], To Sebastian Ramacher wrote:
> On 2022-02-01 21:11:11 [+0100], Sebastian Ramacher wrote:
> > > Could you please update this transition request?  It's open for four
> > > months and no visible response.
> > 
> > Kurt mentioned some 100 packages failing to build. I only see a handful
> > of bugs filed. So what's the status on those build failures?
> 
> So new logs probably…

Gathered new logs and finally processed them \o/. The list at
   
https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-openssl-de...@lists.alioth.debian.org=ftbfs-3.0

has been updated accordingly. I added bugs for packages whose FTBFS
existed without the new openssl (say due to new gcc, old debhelper, …). I was
not able to build a few packages (25) because the build dependencies could
not be satisfied at the time.

Sebastian



Bug#1006551: bullseye-pu: package tiff/4.2.0-1+deb11u1

2022-02-27 Thread GCS
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: bullseye
Severity: normal

Hi RMs,

A security update of tiff for issues that do not warrant a DSA but would
still be good to have fixed.
Work done by Thorsten Alteholz that I've double checked. Debdiff is attached.

Thanks for consideration,
Laszlo/GCS
diff -Nru tiff-4.2.0/debian/changelog tiff-4.2.0/debian/changelog
--- tiff-4.2.0/debian/changelog	2020-12-21 15:06:46.0 +0100
+++ tiff-4.2.0/debian/changelog	2022-02-27 17:02:02.0 +0100
@@ -1,3 +1,20 @@
+tiff (4.2.0-1+deb11u1) bullseye; urgency=high
+
+  [ Thorsten Alteholz  ]
+  * CVE-2022-22844
+out-of-bounds read in _TIFFmemcpy in certain situations involving a
+custom tag and 0x0200 as the second word of the DE field.
+  * CVE-2022-0562
+Null source pointer passed as an argument to memcpy() function within
+TIFFReadDirectory(). This could result in a Denial of Service via
+crafted TIFF files.
+  * CVE-2022-0561
+Null source pointer passed as an argument to memcpy() function within
+TIFFFetchStripThing(). This could result in a Denial of Service via
+crafted TIFF files.
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 27 Feb 2022 17:02:02 +0100
+
 tiff (4.2.0-1) unstable; urgency=medium
 
   * New upstream release.
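Review bot: The CVE-2022-22844 entry describes an out-of-bounds read in _TIFFmemcpy, but the patch shipped for it (CVE-2022-22844.patch, "tiffset: fix global-buffer-overflow for ASCII tags where count is required", diffstat touching only tools/tiffset.c) changes the tiffset command-line tool rather than the library; please say so in the changelog so readers know only the two memcpy() fixes alter libtiff itself. It would also help to cite the upstream issue numbers the patch subjects carry (#362 for the two memcpy() issues, #355 for tiffset) next to each CVE.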
diff -Nru tiff-4.2.0/debian/patches/CVE-2022-0561.patch tiff-4.2.0/debian/patches/CVE-2022-0561.patch
--- tiff-4.2.0/debian/patches/CVE-2022-0561.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.2.0/debian/patches/CVE-2022-0561.patch	2022-02-27 16:57:51.0 +0100
@@ -0,0 +1,26 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: tiff-4.2.0/libtiff/tif_dirread.c
+===
+--- tiff-4.2.0.orig/libtiff/tif_dirread.c	2022-02-22 23:56:43.727328819 +0100
 tiff-4.2.0/libtiff/tif_dirread.c	2022-02-22 23:56:43.727328819 +0100
+@@ -5765,8 +5765,9 @@
+ 			_TIFFfree(data);
+ 			return(0);
+ 		}
+-_TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+-_TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++if( dir->tdir_count )
++_TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
++_TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+ 		_TIFFfree(data);
+ 		data=resizeddata;
+ 	}
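Review bot: The new `if( dir->tdir_count )` guard is the right fix: with a zero count `data` can be NULL, and calling memcpy() with a null source is undefined behaviour even when the length is zero, which is what sanitizer builds report; leaving the following `_TIFFmemset` unconditional is correct because `resizeddata` was just allocated. One thing to verify before upload: in this debdiff the post-image file header of the embedded patch appears as a bare ` tiff-4.2.0/libtiff/tif_dirread.c` line without its `+++` prefix (the pre-image `--- tiff-4.2.0.orig/...` line is intact); if the patch file on disk really reads that way, quilt will not parse it, so confirm that `quilt push -a` succeeds on the unpacked source.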
diff -Nru tiff-4.2.0/debian/patches/CVE-2022-0562.patch tiff-4.2.0/debian/patches/CVE-2022-0562.patch
--- tiff-4.2.0/debian/patches/CVE-2022-0562.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.2.0/debian/patches/CVE-2022-0562.patch	2022-02-27 16:57:51.0 +0100
@@ -0,0 +1,24 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: tiff-4.2.0/libtiff/tif_dirread.c
+===
+--- tiff-4.2.0.orig/libtiff/tif_dirread.c	2022-02-22 23:56:49.919326843 +0100
 tiff-4.2.0/libtiff/tif_dirread.c	2022-02-22 23:56:49.915326845 +0100
+@@ -4173,7 +4173,8 @@
+ goto bad;
+ }
+ 
+-memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++if (old_extrasamples > 0)
++memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(>tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
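Review bot: The `if (old_extrasamples > 0)` guard mirrors the TIFFFetchStripThing() change: with no existing extra samples `tif->tif_dir.td_sampleinfo` can be NULL, and memcpy() with a null source is undefined regardless of size, so skipping the copy and still calling `_TIFFsetShortArray` with the freshly built `new_sampleinfo` is correct. Note that the context line shows as `_TIFFsetShortArray(>tif_dir.td_sampleinfo, ...)`, i.e. without the leading `&tif-`; if that is how the patch file reads rather than an artefact of the archive view, the context will not match and the patch will fail to apply, so check the file on disk.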
diff -Nru tiff-4.2.0/debian/patches/CVE-2022-22844.patch tiff-4.2.0/debian/patches/CVE-2022-22844.patch
--- tiff-4.2.0/debian/patches/CVE-2022-22844.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.2.0/debian/patches/CVE-2022-22844.patch	2022-02-27 16:57:51.0 +0100
@@ -0,0 +1,45 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus 
+Date: Tue, 25 Jan 2022 16:25:28 +
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+---
+ tools/tiffset.c | 16 +---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+Index: tiff-4.2.0/tools/tiffset.c
+===
+--- tiff-4.2.0.orig/tools/tiffset.c	2022-02-22 23:56:54.187325478 +0100
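Review bot: The body of this patch is cut off after the `--- tiff-4.2.0.orig/tools/tiffset.c` header, so the 13 insertions and 3 deletions in tools/tiffset.c announced by the diffstat cannot be reviewed here; please reattach the complete debdiff (or reference upstream commit 03047a26952a82daaa0792957ce211e0aa51bc64 from the patch header) so the bounds fix for ASCII tags with a required count can be checked against the changelog description of CVE-2022-22844.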
 

Bug#1006550: buster-pu: package tiff/4.1.0+git191117-2~deb10u4

2022-02-27 Thread GCS
Package: release.debian.org
User: release.debian@packages.debian.org
Tags: buster
Severity: normal

Hi RMs,

A security update of tiff for issues that do not warrant a DSA but would
still be good to have fixed.
Work done by Thorsten Alteholz that I've double checked. Debdiff is attached.

Thanks for consideration,
Laszlo/GCS
diff -Nru tiff-4.1.0+git191117/debian/changelog tiff-4.1.0+git191117/debian/changelog
--- tiff-4.1.0+git191117/debian/changelog	2021-10-31 09:31:11.0 +0100
+++ tiff-4.1.0+git191117/debian/changelog	2022-02-27 17:01:41.0 +0100
@@ -1,3 +1,20 @@
+tiff (4.1.0+git191117-2~deb10u4) buster; urgency=high
+
+  [ Thorsten Alteholz  ]
+  * CVE-2022-22844
+out-of-bounds read in _TIFFmemcpy in certain situations involving a 
+custom tag and 0x0200 as the second word of the DE field.
+  * CVE-2022-0562
+Null source pointer passed as an argument to memcpy() function within 
+TIFFReadDirectory(). This could result in a Denial of Service via
+crafted TIFF files.
+  * CVE-2022-0561
+Null source pointer passed as an argument to memcpy() function within 
+TIFFFetchStripThing(). This could result in a Denial of Service via 
+crafted TIFF files.
+
+ -- Laszlo Boszormenyi (GCS)   Sun, 27 Feb 2022 17:01:41 +0100
+
 tiff (4.1.0+git191117-2~deb10u3) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
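Review bot: Several of the new changelog lines end in trailing whitespace (the `custom tag and 0x0200 ...` line and the `Null source pointer ...` / `TIFFFetchStripThing() ...` lines under CVE-2022-0562 and CVE-2022-0561); lintian reports that as file-contains-trailing-whitespace, so strip it before upload. As in the bullseye entry, the CVE-2022-22844 fix lives in tools/tiffset.c (the tiffset tool), not in libtiff, which is worth stating so the scope of the library change is clear.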
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0561.patch	2022-02-27 16:58:38.0 +0100
@@ -0,0 +1,26 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dirread.c
+===
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c	2022-02-22 23:44:35.619605527 +0100
 tiff-4.1.0+git191117/libtiff/tif_dirread.c	2022-02-22 23:46:28.843560813 +0100
+@@ -5682,8 +5682,9 @@
+ 			_TIFFfree(data);
+ 			return(0);
+ 		}
+-_TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+-_TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++if( dir->tdir_count )
++_TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
++_TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+ 		_TIFFfree(data);
+ 		data=resizeddata;
+ 	}
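Review bot: Logic is the same null-source guard as the 4.2.0 patch, re-offset to `@@ -5682` for the 4.1.0+git191117 tree, and the surrounding `_TIFFfree(data); return(0);` context matches, so the change itself looks correct. The post-image `+++` header is again shown as a bare path line, and the two file timestamps in the headers differ (23:44:35 vs 23:46:28), so this patch was evidently regenerated separately from the bullseye one; please confirm with `quilt push -a` that it applies cleanly against this older tree.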
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0562.patch	2022-02-27 16:58:38.0 +0100
@@ -0,0 +1,24 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dirread.c
+===
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c	2022-02-22 23:46:41.891555692 +0100
 tiff-4.1.0+git191117/libtiff/tif_dirread.c	2022-02-22 23:48:35.983511234 +0100
+@@ -4126,7 +4126,8 @@
+ goto bad;
+ }
+ 
+-memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++if (old_extrasamples > 0)
++memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(>tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
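Review bot: The guard matches upstream 561599c99f987dc32ae110370cfdd7df7975586b and is correct for `old_extrasamples == 0`, where the source pointer may be NULL. As with the 4.2.0 variant, the context line `_TIFFsetShortArray(>tif_dir.td_sampleinfo, ...)` lacks `&tif-` in this view; verify the patch file on disk carries the full `&tif->tif_dir.td_sampleinfo` so the `@@ -4126,7 +4126,8 @@` context matches when quilt applies it.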
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch	1970-01-01 01:00:00.0 +0100
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch	2022-02-27 16:58:38.0 +0100
@@ -0,0 +1,45 @@
+From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus 
+Date: Tue, 25 Jan 2022 16:25:28 +
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+---
+ 
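Review bot: This patch is truncated right after the `---` separator, before even the diffstat, so nothing of the tools/tiffset.c change for CVE-2022-22844 is visible in the buster debdiff; please resend the full patch so the fix can be compared with the bullseye variant and with upstream commit 03047a26952a82daaa0792957ce211e0aa51bc64.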

Processed: block 1004831 with 1004829 1004830

2022-02-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 1004831 with 1004829 1004830
Bug #1004831 [release.debian.org] transition: ffmpeg
1004831 was blocked by: 1004805 1005897 1004800 1004594 1004584 1004770 1004623 
1004831 was not blocking any bugs.
Added blocking bug(s) of 1004831: 1004830 and 1004829
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1004831: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004831
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1004915: transition: ruby2.7-rm

2022-02-27 Thread Antonio Terceiro
On Thu, Feb 24, 2022 at 08:56:49AM +0100, Paul Gevers wrote:
> Hi Antonio,
> 
> Thanks for taking care.
> 
> On 24-02-2022 02:43, Antonio Terceiro wrote:
> > > diaspora-installer can just be removed, it's already on the autoremoval
> > > list.
> > 
> > also fails without the new ruby-defaults.
> 
> I'm not seeing that. The 2022-02-24 01:38:19 UTC reference run on amd64
> passed.

Yes. I investigated this today and it is an issue that makes
diaspora-installer incompatible with ruby3.0:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006547

The fix for that is probably non-trivial, so IMO we should remove
diaspora-installer from testing to let the transition complete.

Yesterday I also uploaded NMUs for all remaining packages that are in
testing.
https://release.debian.org/transitions/html/ruby3.0-default.html is now
empty when one checks "ignore packages that are not in testing".


