Bug#1059427: bullseye-pu: package haproxy/2.2.9-2+deb11u6

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hapr...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:haproxy

Hi,

For ELTS I was fixing haproxy's CVES CVE-2023-40225 and CVE-2023-45539,
and I also like to fix those for stable and oldstable.

CC'ing the security team, in case they want to issue an DSA instead.

The changes can also be found on the LTS repository:
https://salsa.debian.org/lts-team/packages/haproxy

[ Tests ]
I've tested the fixes manually, using netcat to inject
problematic http requests and confirm that the patched
version rejects the malicous requests. (using nginx and
also netcat as http server.)

(Being verbose here to document the tests for later reference ;-))

haproxy is listening on port 8080

e.g for CVE-2023-40225:
echo 'GET /index.nginx-debian.html# HTTP/1.0' | netcat localhost 8080
must be rejected with 400 Bad Request
and without the "#" accepted.

for CVE-2023-45539, nginx is stopped, and netcat listens on port 80:
echo 'GET / HTTP/.1.1
host: whatever
content-length:
' | netcat localhost 8080

If the request is accepted (and forwarded to the listening netcat),
haproxy is vulnerable. If a "400 Bad request" ist thrown, without
netcat receiving something, haproxy is not vulnerable.

(haproxy is running on port 8080)

[ Risks ]
Upstream patch, applied cleanly.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Debdiff attached.

I'v uploaded the package to o-s-p-u already.

Cheers,
-- 
tobi
diff -Nru haproxy-2.2.9/debian/changelog haproxy-2.2.9/debian/changelog
--- haproxy-2.2.9/debian/changelog  2023-04-10 16:18:09.0 +0200
+++ haproxy-2.2.9/debian/changelog  2023-12-25 09:46:44.0 +0100
@@ -1,3 +1,13 @@
+haproxy (2.2.9-2+deb11u6) bullseye; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Import upstream patch for CVE-2023-40225, forwarding malformed
+Content-Length Headers. Closes: #1043502.
+  * Import upstream patch for CVE-2023-45539, accepting invalid requests
+containing '#' as part of the URI component.
+
+ -- Tobias Frost   Mon, 25 Dec 2023 09:46:44 +0100
+
 haproxy (2.2.9-2+deb11u5) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru haproxy-2.2.9/debian/.gitlab-ci.yml 
haproxy-2.2.9/debian/.gitlab-ci.yml
--- haproxy-2.2.9/debian/.gitlab-ci.yml 1970-01-01 01:00:00.0 +0100
+++ haproxy-2.2.9/debian/.gitlab-ci.yml 2023-12-25 09:46:44.0 +0100
@@ -0,0 +1,7 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'
diff -Nru haproxy-2.2.9/debian/patches/CVE-2023-40225.patch 
haproxy-2.2.9/debian/patches/CVE-2023-40225.patch
--- haproxy-2.2.9/debian/patches/CVE-2023-40225.patch   1970-01-01 
01:00:00.0 +0100
+++ haproxy-2.2.9/debian/patches/CVE-2023-40225.patch   2023-12-25 
09:46:44.0 +0100
@@ -0,0 +1,257 @@
+Description: CVE-2023-40225 - http: reject any empty content-length header 
value 
+ The content-length header parser has its dedicated function, in order
+ to take extreme care about invalid, unparsable, or conflicting values.
+ But there's a corner case in it, by which it stops comparing values
+ when reaching the end of the header. This has for a side effect that
+ an empty value or a value that ends with a comma does not deserve
+ further analysis, and it acts as if the header was absent.
+ .
+ While this is not necessarily a problem for the value ending with a
+ comma as it will be cause a header folding and will disappear, it is a
+ problem for the first isolated empty header because this one will not
+ be recontructed when next ones are seen, and will be passed as-is to the
+ backend server. A vulnerable HTTP/1 server hosted behind haproxy that
+ would just use this first value as "0" and ignore the valid one would
+ then not be protected by haproxy and could be attacked this way, taking
+ the payload for an extra request.
+ .
+ In field the risk depends on the server. Most commonly used servers
+ already have safe content-length parsers, but users relying on haproxy
+ to protect a known-vulnerable server might be at risk (and the risk of
+ a bug even in a reputable server should never be dismissed).
+ .
+ A configuration-based work-around consists in adding the following rule
+ in the frontend, to explicitly reject requests featuring an empty
+ content-length header that would have not be folded into an existing
+ one:
+ .
+ http-request deny if { hdr_len(content-length) 0 }
+ .
+ The real fix consists in adjusting the parser so that it always expects a
+ value at the beginning 

Bug#1059426: bookworm-pu: package haproxy/2.6.12-1+deb12u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hapr...@packages.debian.org
X-Debbugs-Cc: t...@security.debian.org
Control: affects -1 + src:haproxy

Hi,

For ELTS I was fixing haproxy's CVES CVE-2023-40225 and CVE-2023-45539,
and I also like to fix those for stable and oldstable.

CC'ing the security team, in case they want to issue an DSA instead.

The changes can also be found on the LTS repository:
https://salsa.debian.org/lts-team/packages/haproxy

[ Tests ]
I've tested the fixes manually, using netcat to inject
problematic http requests and confirm that the patched
version rejects the malicous requests. (using nginx and
also netcat as http server.)

(Being verbose here to document the tests for later reference ;-))

haproxy is listening on port 8080

e.g for CVE-2023-40225:
echo 'GET /index.nginx-debian.html# HTTP/1.0' | netcat localhost 8080
must be rejected with 400 Bad Request
and without the "#" accepted.

for CVE-2023-45539, nginx is stopped, and netcat listens on port 80:
echo 'GET / HTTP/.1.1
host: whatever
content-length:
' | netcat localhost 8080

If the request is accepted (and forwarded to the listening netcat),
haproxy is vulnerable. If a "400 Bad request" ist thrown, without
netcat receiving something, haproxy is not vulnerable.

(haproxy is running on port 8080)

[ Risks ]
Upstream patch, applied cleanly. 

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Debdiff attached.

I'v uploaded the package to s-p-u already.
diff -Nru haproxy-2.6.12/debian/changelog haproxy-2.6.12/debian/changelog
--- haproxy-2.6.12/debian/changelog 2023-04-01 11:05:57.0 +0200
+++ haproxy-2.6.12/debian/changelog 2023-12-25 10:03:03.0 +0100
@@ -1,3 +1,13 @@
+haproxy (2.6.12-1+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Import upstream patch for CVE-2023-40225, forwarding malformed
+Content-Length Headers. Closes: #1043502.
+  * Import upstream patch for CVE-2023-45539, accepting invalid requests
+containing '#' as part of the URI component.
+
+ -- Tobias Frost   Mon, 25 Dec 2023 10:03:03 +0100
+
 haproxy (2.6.12-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru haproxy-2.6.12/debian/.gitlab-ci.yml 
haproxy-2.6.12/debian/.gitlab-ci.yml
--- haproxy-2.6.12/debian/.gitlab-ci.yml1970-01-01 01:00:00.0 
+0100
+++ haproxy-2.6.12/debian/.gitlab-ci.yml2023-12-25 10:03:03.0 
+0100
@@ -0,0 +1,7 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bookworm'
diff -Nru haproxy-2.6.12/debian/patches/CVE-2023-40225.patch 
haproxy-2.6.12/debian/patches/CVE-2023-40225.patch
--- haproxy-2.6.12/debian/patches/CVE-2023-40225.patch  1970-01-01 
01:00:00.0 +0100
+++ haproxy-2.6.12/debian/patches/CVE-2023-40225.patch  2023-12-25 
10:03:03.0 +0100
@@ -0,0 +1,257 @@
+Description: CVE-2023-40225 - http: reject any empty content-length header 
value 
+ The content-length header parser has its dedicated function, in order
+ to take extreme care about invalid, unparsable, or conflicting values.
+ But there's a corner case in it, by which it stops comparing values
+ when reaching the end of the header. This has for a side effect that
+ an empty value or a value that ends with a comma does not deserve
+ further analysis, and it acts as if the header was absent.
+ .
+ While this is not necessarily a problem for the value ending with a
+ comma as it will be cause a header folding and will disappear, it is a
+ problem for the first isolated empty header because this one will not
+ be recontructed when next ones are seen, and will be passed as-is to the
+ backend server. A vulnerable HTTP/1 server hosted behind haproxy that
+ would just use this first value as "0" and ignore the valid one would
+ then not be protected by haproxy and could be attacked this way, taking
+ the payload for an extra request.
+ .
+ In field the risk depends on the server. Most commonly used servers
+ already have safe content-length parsers, but users relying on haproxy
+ to protect a known-vulnerable server might be at risk (and the risk of
+ a bug even in a reputable server should never be dismissed).
+ .
+ A configuration-based work-around consists in adding the following rule
+ in the frontend, to explicitly reject requests featuring an empty
+ content-length header that would have not be folded into an existing
+ one:
+ .
+ http-request deny if { hdr_len(content-length) 0 }
+ .
+ The real fix consists in adjusting the parser so that it always expects a
+ value at the beginning of the header or aft

Bug#1057327: bookworm-pu: package amanda/3.5.1-11+deb12u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ama...@packages.debian.org
Control: affects -1 + src:amanda

This upload fixes CVE-2023-30577, a backup-user-to-root
vulnerability.

After fixing this CVE already for unstable (NMU pending, ETA Friday),
buster and stretch, I'd also like to fix it for bookworm
and bullseye.

The patch is taken from upstream [1] and has been merged already there.
Package test suite is still happy.

[1] https://github.com/zmanda/amanda/pull/228

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
  (as said, pending NMU)

I've uploaded the package already to the s-p-u queue.

-- 
Cheers,
tobi
diff -Nru amanda-3.5.1/debian/changelog amanda-3.5.1/debian/changelog
--- amanda-3.5.1/debian/changelog	2023-03-21 18:35:47.0 +0100
+++ amanda-3.5.1/debian/changelog	2023-12-03 14:17:07.0 +0100
@@ -1,3 +1,10 @@
+amanda (1:3.5.1-11+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Apply upstream fix for CVE-2023-30577 (Closes: #1055253)
+
+ -- Tobias Frost   Sun, 03 Dec 2023 14:17:07 +0100
+
 amanda (1:3.5.1-11) unstable; urgency=medium
 
   * d/p/49-fix-CVE-2022-37705_part_2: 48-fix-CVE-2022-37705 broken one use
diff -Nru amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch
--- amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch	1970-01-01 01:00:00.0 +0100
+++ amanda-3.5.1/debian/patches/57-CVE-2023-30577.patch	2023-12-03 13:55:48.0 +0100
@@ -0,0 +1,83 @@
+Description: CVE-2023-30577 - Local privilege escalation.
+Origin: https://github.com/zmanda/amanda/pull/228
+Bug: https://github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055253
+--- a/client-src/runtar.c
 b/client-src/runtar.c
+@@ -39,6 +39,11 @@
+ #include "amutil.h"
+ #include "conffile.h"
+ #include "client_util.h"
++#include 
++
++static const char *whitelisted_args[] = {"--blocking-factor", "--file", "--directory", "--exclude", "--transform", "--listed-incremental", "--newer", "--exclude-from", "--files-from", NULL};
++
++bool check_whitelist(char* option);
+ 
+ int main(int argc, char **argv);
+ 
+@@ -49,6 +54,7 @@
+ {
+ #ifdef GNUTAR
+ int i;
++char **j;
+ char *e;
+ char *dbf;
+ char *cmdline;
+@@ -182,20 +188,23 @@
+ 		g_str_has_prefix(argv[i],"--verbose")) {
+ 		/* Accept theses options */
+ 		good_option++;
+-	} else if (g_str_has_prefix(argv[i],"--blocking-factor") ||
+-		g_str_has_prefix(argv[i],"--file") ||
+-		g_str_has_prefix(argv[i],"--directory") ||
+-		g_str_has_prefix(argv[i],"--exclude") ||
+-		g_str_has_prefix(argv[i],"--transform") ||
+-		g_str_has_prefix(argv[i],"--listed-incremental") ||
+-		g_str_has_prefix(argv[i],"--newer") ||
+-		g_str_has_prefix(argv[i],"--exclude-from") ||
+-		g_str_has_prefix(argv[i],"--files-from")) {
++	} else if (check_whitelist(argv[i])) {
+ 		if (strchr(argv[i], '=')) {
+ 		good_option++;
+ 		} else {
+ 		/* Accept theses options with the following argument */
+ 		good_option += 2;
++
++/* Whitelisting only the allowed arguments*/
++for(j=whitelisted_args; *j; j++) {
++if (strcmp(argv[i], *j) == 0) {
++break;
++}
++}
++
++if (!*j) {
++good_option = 0; // not allowing arguments absent in the whitelist
++}
+ 		}
+ } else if (argv[i][0] != '-') {
+ 		good_option++;
+@@ -239,3 +248,23 @@
+ return 1;
+ #endif
+ }
++
++bool
++check_whitelist(
++gchar* option)
++{
++bool result = TRUE;
++char** i;
++
++for(i=whitelisted_args; *i; i++) {
++if (g_str_has_prefix(option, *i)) {
++break;
++}
++}
++
++if (!*i) {
++result = FALSE; // not allowing arguments absent in the whitelist
++}
++
++return result;
++}
diff -Nru amanda-3.5.1/debian/patches/series amanda-3.5.1/debian/patches/series
--- amanda-3.5.1/debian/patches/series	2023-03-21 18:35:47.0 +0100
+++ amanda-3.5.1/debian/patches/series	2023-12-03 14:09:19.0 +0100
@@ -49,3 +49,4 @@
 50-fix-CVE-2022-37704
 52-fix-CVE-2022-37704_part_2
 56-fix-CVE-2022-37703
+57-CVE-2023-30577.patch


signature.asc
Description: PGP signature

Bug#1057221: bullseye-pu: package opendkim/2.11.0~beta2-4+deb11u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: opend...@packages.debian.org
Control: affects -1 + src:opendkim

(The same as #1056732, this time targeting oldstable)

After sponsoring the maintainer David Bürgin I've offered them to tackle
s-p-u and o-s-p-u, addressing CVE-2022-48521. (Details: RFS #1056285)

Before the upload, stable and sid were at the same version, 
namely 2.11.0~beta2-8, so the patch could been applied as is,
without changes needed. Additional changes, not suitable for s-p-u
have been dropped.

The patch is authored by David Bürgin and they confirm that they have
tested the patch and it indeeds fix the issue (quote from #1056285#19):

> Hello Tobi,
> 
> > A question to that: Can you elaborate a bit on the testing you have
> > done to verify that this patch indeed fixes the vulnerability?
> > (Asking, becasue unfortunatly there is not lot of information available
> > e.g from the upstream issue and upstream seems to be generally very
> > silent…

> I developed the upstream patch, and so did do the necessary testing
> locally. You can simply prepare a crafted message containing some
> Authentication-Results headers and then see if the right ones get
> deleted.

(I've uploaded the package to the s-p-u queue already.)

debdiff attached.
diff -Nru opendkim-2.11.0~beta2/debian/changelog opendkim-2.11.0~beta2/debian/changelog
--- opendkim-2.11.0~beta2/debian/changelog	2020-10-12 15:15:30.0 +0200
+++ opendkim-2.11.0~beta2/debian/changelog	2023-12-01 19:17:01.0 +0100
@@ -1,3 +1,13 @@
+opendkim (2.11.0~beta2-4+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+
+  [ David Bürgin ]
+  * Add patch "rev-ares-deletion.patch" for CVE-2022-48521:
+Delete Authentication-Results headers in reverse (Closes: #1041107).
+
+ -- Tobias Frost   Fri, 01 Dec 2023 19:17:01 +0100
+
 opendkim (2.11.0~beta2-4) unstable; urgency=medium
 
   * Update debhelper-compat to compatibility level 13.
diff -Nru opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch
--- opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch	1970-01-01 01:00:00.0 +0100
+++ opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch	2023-12-01 19:11:21.0 +0100
@@ -0,0 +1,33 @@
+Description: Delete Authentication-Results headers in reverse (CVE-2022-48521)
+Author: David Bürgin 
+Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/189
+
+--- a/opendkim/opendkim.c
 b/opendkim/opendkim.c
+@@ -13651,9 +13651,16 @@
+ 			return SMFIS_TEMPFAIL;
+ 		}
+ 
+-		c = 0;
++		c = 1;
++
+ 		for (hdr = dfc->mctx_hqhead; hdr != NULL; hdr = hdr->hdr_next)
+ 		{
++			if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0)
++c++;
++		}
++
++		for (hdr = dfc->mctx_hqtail; hdr != NULL; hdr = hdr->hdr_prev)
++		{
+ 			memset(ares, '\0', sizeof(struct authres));
+ 
+ 			if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0)
+@@ -13664,7 +13671,7 @@
+ char *slash;
+ 
+ /* remember index */
+-c++;
++c--;
+ 
+ /* parse the header */
+ arstat = ares_parse((u_char *) hdr->hdr_val,
diff -Nru opendkim-2.11.0~beta2/debian/patches/series opendkim-2.11.0~beta2/debian/patches/series
--- opendkim-2.11.0~beta2/debian/patches/series	2020-07-24 10:48:27.0 +0200
+++ opendkim-2.11.0~beta2/debian/patches/series	2023-12-01 19:14:10.0 +0100
@@ -4,3 +4,4 @@
 fix-miltertest-eom-check-smtpreply.patch
 fix-genzone-subdomains.patch
 suppress-brackets-syslog.patch
+rev-ares-deletion.patch


signature.asc
Description: PGP signature

Bug#1056732: bookworm-pu: package opendkim/2.11.0~beta2-8+deb12u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: opend...@packages.debian.org
Control: affects -1 + src:opendkim

After sponsoring the maintainer David Bürgin I've offered them to tackle
s-p-u and o-s-p-u, addressing CVE-2022-48521. (Details: RFS #1056285)

Before the upload, stable and sid were at the same version, 
namely 2.11.0~beta2-8, so the patch could been applied as is,
without changes needed. Additional changes, not suitable for s-p-u
have been dropped.

The patch is authored by David Bürgin and they confirm that they have
tested the patch and it indeeds fix the issue (quote from #1056285#19):

> Hello Tobi,
> 
> > A question to that: Can you elaborate a bit on the testing you have
> > done to verify that this patch indeed fixes the vulnerability?
> > (Asking, becasue unfortunatly there is not lot of information available
> > e.g from the upstream issue and upstream seems to be generally very
> > silent…

> I developed the upstream patch, and so did do the necessary testing
> locally. You can simply prepare a crafted message containing some
> Authentication-Results headers and then see if the right ones get
> deleted.

(I've uploaded the package to the s-p-u queue already.)

debdiff attached.

-- 
Cheers,
tobi
diff -Nru opendkim-2.11.0~beta2/debian/changelog opendkim-2.11.0~beta2/debian/changelog
--- opendkim-2.11.0~beta2/debian/changelog	2022-12-20 09:10:44.0 +0100
+++ opendkim-2.11.0~beta2/debian/changelog	2023-11-25 17:19:13.0 +0100
@@ -1,3 +1,13 @@
+opendkim (2.11.0~beta2-8+deb12u1) bookworm; urgency=medium
+
+  * Non-Maintainer upload by the security team.
+
+  [ David Bürgin ]
+  * Add patch "rev-ares-deletion.patch" for CVE-2022-48521:
+Delete Authentication-Results headers in reverse (Closes: #1041107).
+
+ -- Tobias Frost   Sat, 25 Nov 2023 17:19:13 +0100
+
 opendkim (2.11.0~beta2-8) unstable; urgency=medium
 
   [ David Bürgin ]
diff -Nru opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch
--- opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch	1970-01-01 01:00:00.0 +0100
+++ opendkim-2.11.0~beta2/debian/patches/rev-ares-deletion.patch	2023-11-25 17:19:13.0 +0100
@@ -0,0 +1,33 @@
+Description: Delete Authentication-Results headers in reverse (CVE-2022-48521)
+Author: David Bürgin 
+Bug: https://github.com/trusteddomainproject/OpenDKIM/pull/189
+
+--- a/opendkim/opendkim.c
 b/opendkim/opendkim.c
+@@ -13651,9 +13651,16 @@
+ 			return SMFIS_TEMPFAIL;
+ 		}
+ 
+-		c = 0;
++		c = 1;
++
+ 		for (hdr = dfc->mctx_hqhead; hdr != NULL; hdr = hdr->hdr_next)
+ 		{
++			if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0)
++c++;
++		}
++
++		for (hdr = dfc->mctx_hqtail; hdr != NULL; hdr = hdr->hdr_prev)
++		{
+ 			memset(ares, '\0', sizeof(struct authres));
+ 
+ 			if (strcasecmp(hdr->hdr_hdr, AUTHRESULTSHDR) == 0)
+@@ -13664,7 +13671,7 @@
+ char *slash;
+ 
+ /* remember index */
+-c++;
++c--;
+ 
+ /* parse the header */
+ arstat = ares_parse((u_char *) hdr->hdr_val,
diff -Nru opendkim-2.11.0~beta2/debian/patches/series opendkim-2.11.0~beta2/debian/patches/series
--- opendkim-2.11.0~beta2/debian/patches/series	2022-12-12 14:41:20.0 +0100
+++ opendkim-2.11.0~beta2/debian/patches/series	2023-11-25 17:19:13.0 +0100
@@ -12,3 +12,4 @@
 conf_refcnt.patch
 lua-5.3.patch
 fix-RSA_Sign-call.patch
+rev-ares-deletion.patch


signature.asc
Description: PGP signature

Bug#1054915: bookworm-pu: package freerdp2/2.11.2+dfsg1-1~deb12u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: freer...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:freerdp2

I'm asking for pre-approval to update freerdp2 from 2.10.0 to 
2.11.2.

The changes from 2.10.0 to 2.11.2 are mainly targeting security
fixes (12 CVE's, see security tracker [1] for details),

[1] https://security-tracker.debian.org/tracker/source-package/freerdp2

upstream changelog is at
https://github.com/FreeRDP/FreeRDP/blob/stable-2.0/ChangeLog
all commits are:
https://github.com/FreeRDP/FreeRDP/compare/2.10.0...2.11.2

When working on the LTS updates, I've been in contact in contact with the
maintainer and one of the upstream maintainer and checked with them
about feasbility and e.g confirmed that the new upstream version is ABI
compatible. I've tested reverse dependencies (remmina, vinagre,
gnome-connections) against a Windows 10 RDP host and confirmed packages
are still working. 

Backporting the fixes is of course possible, but bears a significant
risk for regression, therefor I would prefer to use the new upstream
version, given also that upstream changes are only a few and fixing
also a few bugs that would be nice to be fixed.

As far as I understood it, the maintainers would also prefer the new
version over patching the one in stable. (They are in CC, so can
intervene if I got that wrong…)

If this is a viable route, please let me know and I will prepare a
debdiff for a the real approval.

-- 
Cheers,
tobi

Bug#1051552: bookworm-pu: package timg/1.4.5-1+deb12u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@packages.debian.org
Control: affects -1 + src:timg


[ Reason ]

Fixing CVE-2023-40968 (buffer overflow vulnerability)


[ Risks ]
Patch is trivial, taken from uptream; local testing done.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru timg-1.4.5/debian/changelog timg-1.4.5/debian/changelog
--- timg-1.4.5/debian/changelog 2022-11-30 20:09:18.0 +0100
+++ timg-1.4.5/debian/changelog 2023-09-09 19:07:01.0 +0200
@@ -1,3 +1,9 @@
+timg (1.4.5-1+deb12u1) bookworm; urgency=medium
+
+  * Cherry-pick upstream fix for CVE-2023-40968 (Closes: #1051231)
+
+ -- Tobias Frost   Sat, 09 Sep 2023 19:07:01 +0200
+
 timg (1.4.5-1) unstable; urgency=medium
 
   [ Tobias Frost ]
diff -Nru timg-1.4.5/debian/patches/CVE-2023-40968.patch 
timg-1.4.5/debian/patches/CVE-2023-40968.patch
--- timg-1.4.5/debian/patches/CVE-2023-40968.patch  1970-01-01 
01:00:00.0 +0100
+++ timg-1.4.5/debian/patches/CVE-2023-40968.patch  2023-09-09 
19:07:01.0 +0200
@@ -0,0 +1,23 @@
+Description: CVE-2023-40968 buffer overflow vulnerability
+Origin: 
https://github.com/hzeller/timg/commit/2e9414e668144bbe0afc074dac17b74ef4acfdcf 
+Bug: https://github.com/hzeller/timg/issues/115
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051231
+--- a/src/unicode-block-canvas.cc
 b/src/unicode-block-canvas.cc
+@@ -417,13 +417,14 @@
++ SCREEN_END_OF_LINE_LEN);  // Finishing a 
line.
+ 
+ // Depending on even/odd situation, we might need one extra row.
+-const size_t new_backing = width * (height + 1) * sizeof(rgba_t);
++// For quarter, we have one extra possible pixel wider.
++const size_t new_backing = (width + 1) * (height + 1) * sizeof(rgba_t);
+ if (new_backing > backing_buffer_size_) {
+ backing_buffer_  = (rgba_t *)realloc(backing_buffer_, 
new_backing);
+ backing_buffer_size_ = new_backing;
+ }
+ 
+-const size_t new_empty = width * sizeof(rgba_t);
++const size_t new_empty = (width + 1) * sizeof(rgba_t);
+ if (new_empty > empty_line_size_) {
+ empty_line_  = (rgba_t *)realloc(empty_line_, new_empty);
+ empty_line_size_ = new_empty;
diff -Nru timg-1.4.5/debian/patches/series timg-1.4.5/debian/patches/series
--- timg-1.4.5/debian/patches/series2022-11-30 19:52:10.0 +0100
+++ timg-1.4.5/debian/patches/series2023-09-09 19:07:01.0 +0200
@@ -1 +1,2 @@
 use-system-qui.patch
+CVE-2023-40968.patch

Bug#1040865: bullseye-pu: package yajl/2.1.0-3+deb11u2

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl

Previous o-s-p-u upload was #1040137; two additional CVEs have
been fixed since then and the fix for CVE-2023-33460 has been found
to be incomplete.

This upload is part of fixing yajl for every release. So far sid, buster
(DLA-3492), stretch and jessie (ELA-892-1) has been targeted.
bookworm s-p-u is pending, see #1040863

CVE-2017-16516

When a crafted JSON file is supplied to yajl, the process might
crash with a SIGABRT in the yajl_string_decode function in
yajl_encode.c. This results potentially in a denial of service.

CVE-2022-24795

The 1.x branch and the 2.x branch of `yajl` contain an integer overflow
which leads to subsequent heap memory corruption when dealing with large
(~2GB) inputs.

CVE-2023-33460

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function,
which potentially cause out-of-memory in server and cause crash.


[ Risks ]
Required changes are minimal, see debdiff. Package testsuite passes.

[ Checklist ]
  [x *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


For unstable, the fixes are in 2.1.0-5. I have already uploaded to the s-p-u 
queue.
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog
--- yajl-2.1.0/debian/changelog 2023-07-02 13:31:39.0 +0200
+++ yajl-2.1.0/debian/changelog 2023-07-11 19:55:30.0 +0200
@@ -1,3 +1,15 @@
+yajl (2.1.0-3+deb11u2) bullseye; urgency=medium
+
+  [Tobias Frost]
+  * Non-maintainer upload.
+  * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5
+
+  [John Stamp]
+  * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
+  * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. 
(Closes: #1039984)
+
+ -- Tobias Frost   Tue, 11 Jul 2023 19:55:30 +0200
+
 yajl (2.1.0-3+deb11u1) bullseye; urgency=medium
 
   * Non-maintainer upload.
diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch 
yajl-2.1.0/debian/patches/CVE-2017-16516.patch
--- yajl-2.1.0/debian/patches/CVE-2017-16516.patch  1970-01-01 
01:00:00.0 +0100
+++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch  2023-07-10 
19:32:01.0 +0200
@@ -0,0 +1,22 @@
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: 
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/248
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/yajl_encode.c
 b/src/yajl_encode.c
+@@ -139,8 +139,8 @@
+ end+=3;
+ /* check if this is a surrogate */
+ if ((codepoint & 0xFC00) == 0xD800) {
+-end++;
+-if (str[end] == '\\' && str[end + 1] == 'u') {
++if (end + 2 < len && str[end + 1] == '\\' && str[end 
+ 2] == 'u') {
++end++;
+ unsigned int surrogate = 0;
+ hexToDigit(, str + end + 2);
+ codepoint =
diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch 
yajl-2.1.0/debian/patches/CVE-2022-24795.patch
--- yajl-2.1.0/debian/patches/CVE-2022-24795.patch  1970-01-01 
01:00:00.0 +0100
+++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch  2023-07-10 
19:32:01.0 +0200
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2022-24795
+ An integer overflow will lead to heap memory corruption with large (~2GB) 
inputs.
+Origin: 
https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/239
+---
+ src/yajl_buf.c | 12 +++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/src/yajl_buf.c
 b/src/yajl_buf.c
+@@ -45,7 +45,17 @@
+ 
+ need = buf->len;
+ 
+-while (want >= (need - buf->used)) need <<= 1;
++if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) 
{
++/* We cannot allocate more memory than SIZE_MAX. */
++abort();
++}
++while (want >= (need - buf->used)) {
++if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++/* need would overflow. */
++abort();
++}
++need <<= 1;
++}
+ 
+ if

Bug#1040863: bookworm-pu: package yajl/2.1.0-3+deb12u2

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl

Previous s-p-u upload was #1040136, two additional CVEs have
been fixed since then and the fix for CVE-2023-33460 has been found
to be incomplete.

This upload is part of fixing yajl for every release. So far sid, buster
(DLA-3492), stretch and jessie (ELA-892-1) has been targeted.

CVE-2017-16516

When a crafted JSON file is supplied to yajl, the process might
crash with a SIGABRT in the yajl_string_decode function in
yajl_encode.c. This results potentially in a denial of service.

CVE-2022-24795

The 1.x branch and the 2.x branch of `yajl` contain an integer overflow
which leads to subsequent heap memory corruption when dealing with large
(~2GB) inputs.

CVE-2023-33460

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function,
which potentially cause out-of-memory in server and cause crash.


[ Risks ]
Required changes are minimal, see debdiff. Package testsuite passes.

[ Checklist ]
  [x *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


For unstable, the fixes are in 2.1.0-5. I have already uploaded to the s-p-u 
queue.
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog
--- yajl-2.1.0/debian/changelog 2023-07-01 14:55:44.0 +0200
+++ yajl-2.1.0/debian/changelog 2023-07-10 18:06:21.0 +0200
@@ -1,3 +1,15 @@
+yajl (2.1.0-3+deb12u2) bookworm; urgency=medium
+
+  [Tobias Frost]
+  * Non-maintainer upload.
+  * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5
+
+  [John Stamp]
+  * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
+  * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. 
(Closes: #1039984)
+
+ -- Tobias Frost   Mon, 10 Jul 2023 18:06:21 +0200
+
 yajl (2.1.0-3+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch 
yajl-2.1.0/debian/patches/CVE-2017-16516.patch
--- yajl-2.1.0/debian/patches/CVE-2017-16516.patch  1970-01-01 
01:00:00.0 +0100
+++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch  2023-07-10 
18:06:21.0 +0200
@@ -0,0 +1,22 @@
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: 
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/248
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/yajl_encode.c
 b/src/yajl_encode.c
+@@ -139,8 +139,8 @@
+ end+=3;
+ /* check if this is a surrogate */
+ if ((codepoint & 0xFC00) == 0xD800) {
+-end++;
+-if (str[end] == '\\' && str[end + 1] == 'u') {
++if (end + 2 < len && str[end + 1] == '\\' && str[end 
+ 2] == 'u') {
++end++;
+ unsigned int surrogate = 0;
+ hexToDigit(, str + end + 2);
+ codepoint =
diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch 
yajl-2.1.0/debian/patches/CVE-2022-24795.patch
--- yajl-2.1.0/debian/patches/CVE-2022-24795.patch  1970-01-01 
01:00:00.0 +0100
+++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch  2023-07-10 
18:06:21.0 +0200
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2022-24795
+ An integer overflow will lead to heap memory corruption with large (~2GB) 
inputs.
+Origin: 
https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/239
+---
+ src/yajl_buf.c | 12 +++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/src/yajl_buf.c
 b/src/yajl_buf.c
+@@ -45,7 +45,17 @@
+ 
+ need = buf->len;
+ 
+-while (want >= (need - buf->used)) need <<= 1;
++if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) 
{
++/* We cannot allocate more memory than SIZE_MAX. */
++abort();
++}
++while (want >= (need - buf->used)) {
++if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++/* need would overflow. */
++abort();
++}
++need <<= 1;
++}
+ 
+ if (need != buf->len) {
+ buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch 
yajl-2.1.0/debian/patches/CVE-2023-33460.patch
--- yajl-2.1.0

Bug#1040858: nmu: libnginx-mod-http-modsecurity_1.0.3-1+b1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: libnginx-mod-http-modsecur...@packages.debian.org, Ervin Hegedüs 

Control: affects -1 + src:libnginx-mod-http-modsecurity
Control: block 1040799 by -1

nmu libnginx-mod-http-modsecurity_1.0.3-1+b3 . ANY . unstable . -m "rebuild 
against pcre2 (Closes: #1037226)"

The situation is explained in more details in #1040799, but the gist
is that src:libnginx-mod-http-modsecurity is currently compiled against "old" 
PCRE3 instead
of "new" PCRE2, and thus is broken in unstable, testing and stable..

This were the events that lead to the issue:

- nginx uploaded with OLD PCRE
- libnginx-mod-http-modsecurity entered NEW and had been accepted
- it uses the OLD PCRE, as it is compiled against libmodsecurity3, which uses 
PCRE at that time
- nginx uploaded with NEW PCRE2
- modsecurity uploaded with PCRE2

Situation:
nginx -> PCRE2
modsecurity -> PCRE2
libnginx-mod-http-modsecurity -> OLD PCRE

--> a binnmu will rectify that.

As Adam said in #1040799, this needs to be fixed first in unstable, this is
why I'm filing this bug. ("b3" is required to ensure that unstable is newr than 
stable)

--
tobi

Bug#1040799: nmu: libnginx-mod-http-modsecurity_1.0.3-1+b1

[Tobias Frost]

( sent to early) please do a binnmu for bookworm:

nmu libnginx-mod-http-modsecurity_1.0.3-1+b1 . ANY . bookworm . -m "rebuild 
against pcre2 (Closes: #1037226)" 


and for unstable:

nmu libnginx-mod-http-modsecurity_1.0.3-1+b1 . ANY . unstable . -m "rebuild 
against pcre2 (Closes: #1037226)" 

> Regards,
> 
> Adam
> 
> 
> 

Bug#1040799: nmu: libnginx-mod-http-modsecurity_1.0.3-1+b1

[Tobias Frost]

On Mon, 10 Jul 2023 21:08:14 +0100 "Adam D. Barratt"  
wrote:
> Control: tags -1 + bookworm moreinfo
> 
> On Mon, 2023-07-10 at 21:55 +0200, Ervin Hegedüs wrote:
> > nmu libnginx-mod-http-modsecurity_1.0.3-1+b1 . ANY . bookworm . -m
> > "Closes: 1037226"
> 
> *Please* include information in binNMU requests that allows us to
> identify the actual problem without having to dig around. As an
> additional note, the text in the "message" argument (-m) is copied
> verbatim into changelogs, which will then be visible to users and
> anyone else viewing the changelog. It needs to be more descriptive than
> a bug number.
> 
> The BTS metadata for #1037226 indicates that it also affects unstable
> and testing. Is that correct? If so, it needs to be fixed there first.
> If not, please explain why unstable is not affected despite having
> exactly the same package version.
> 

I was in contact with Ervin and suggested him to file the binnmu -- for stable 
*and* for unstable to get #1037226 fixed.

the mentioned pr is related to a new nginx version and orthogonal to the 
problem in said bug report, beside that the the pr improves the packaging in 
that aspect. for now a rebuild suffices also for unstable.

summary of  #1037226:

That lead to the issue:

- nginx uploaded with OLD PCRE
- libnginx-mod-http-modsecurity entered NEW and had been accepted
- it uses the OLD PCRE, as it is compiled against libmodsecurity3, which uses 
PCRE at that time
- nginx uploaded with NEW PCRE2
- modsecurity uploaded with PCRE2

Situation:
nginx -> PCRE2
modsecurity -> PCRE2
libnginx-mod-http-modsecurity -> OLD PCRE

--> a binnmu will rectify that.

please do a binnmu for bookworm:

nmu libnginx-mod-http-modsecurity_1.0.3-1+b1 . ANY . bookworm . -m "rebuild 
against pcre2 (Closes: #1037226)" 



> Regards,
> 
> Adam
> 
> 
> 

Bug#1040137: bullseye-pu: package yajl/2.1.0-3+deb11u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl

[ Reason ]
This upload is part of fixing yajl for every release. So far sid, bookworm
(#1040136), buster (DLA-3478), stretch and jessie (ELA-888-1) has been
targeted.

[ Tests ]
Package has a test suite which passes. Additionally it has been
manually verified using asan that the memory leak is indeed fixed.

[ Risks ]
Required changes are minimal, see debdiff.

[ Checklist ]
  [x *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

(I've already uploaded the package to s-p-u)

-- 
tobi

Bug#1040136: bookworm-pu: package yajl/2.1.0-3+deb12u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: y...@packages.debian.org
Control: affects -1 + src:yajl

This upload fixes CVE-2023-33460, a memory leak issue that
can cause a crash/DoS.

[ Reason ]
This upload is part of fixing yajl for every release. So far sid, buster
(DLA-3478), stretch and jessie (ELA-888-1) has been targeted.

[ Tests ]
Package has a test suite which passes. Additionally it has been
manually verified using asan that the memory leak is indeed fixed.

[ Risks ]
Required changes are minimal, see debdiff.

[ Checklist ]
  [x *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

(I've already upload the package to s-p-u)

-- 
tobi
diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog
--- yajl-2.1.0/debian/changelog 2018-10-03 00:51:58.0 +0200
+++ yajl-2.1.0/debian/changelog 2023-07-01 14:55:44.0 +0200
@@ -1,3 +1,11 @@
+yajl (2.1.0-3+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Import upstream patch for CVE-2023-33460. (Closes: #1039984)
+  * Fix d/control Homepage field (Closes: #1040034)
+
+ -- Tobias Frost   Sat, 01 Jul 2023 14:55:44 +0200
+
 yajl (2.1.0-3) unstable; urgency=medium
 
   [ Jelmer Vernooij ]
diff -Nru yajl-2.1.0/debian/control yajl-2.1.0/debian/control
--- yajl-2.1.0/debian/control   2018-10-02 23:59:41.0 +0200
+++ yajl-2.1.0/debian/control   2023-07-01 14:45:57.0 +0200
@@ -5,7 +5,7 @@
 Build-Depends: debhelper (>= 11), cmake, doxygen
 Standards-Version: 4.2.1
 Rules-Requires-Root: no
-Homepage: http://lloyd.github.com/yajl/
+Homepage: https://lloyd.github.io/yajl/
 Vcs-Browser: https://github.com/jstamp/yajl
 Vcs-Git: https://github.com/jstamp/yajl.git
 
diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch 
yajl-2.1.0/debian/patches/CVE-2023-33460.patch
--- yajl-2.1.0/debian/patches/CVE-2023-33460.patch  1970-01-01 
01:00:00.0 +0100
+++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch  2023-07-01 
14:51:32.0 +0200
@@ -0,0 +1,21 @@
+Description: Fix for CVE-2023-33460a
+ Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
+Origin: 
https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
+Bug: https://github.com/lloyd/yajl/issues/250
+---
+ src/yajl_tree.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/yajl_tree.c
 b/src/yajl_tree.c
+@@ -445,6 +445,9 @@
+  YA_FREE(&(handle->alloc), internal_err_str);
+ }
+ yajl_free (handle);
++  //If the requested memory is not released in time, it will cause memory 
leakage
++  if(ctx.root)
++   yajl_tree_free(ctx.root);
+ return NULL;
+ }
+ 
diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series
--- yajl-2.1.0/debian/patches/series2015-09-25 14:44:02.0 +0200
+++ yajl-2.1.0/debian/patches/series2023-07-01 14:37:45.0 +0200
@@ -1,2 +1,3 @@
 dynamically-link-tools.patch
 multiarch.patch
+CVE-2023-33460.patch

Bug#1036709: unblock: libsepol/3.4-2.1

[Tobias Frost]

On Wed, 24 May 2023 16:52:06 +0200 Tobias Frost 
wrote:
> Please unblock package libsepol
> 
> It fixes #1031798, inaccurate copyright file.
> 
> No other changes done.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> The package has been uploaded to DELAYED/2, ETA May 26th 2023, ~16:45

It is now in unstable.

> 
> unblock libsepol/3.4-2.1
> 

Bug#1036711: unblock: camping/2.3-1.1

[Tobias Frost]

On Wed, 24 May 2023 17:55:48 +0200 Tobias Frost 
wrote:

> Please unblock package camping
> 
> It fixes a broken symlink to a font. (#861040)
> This had been fixed already earlier, (2.1.580-1.1)
> but that NMU has not been incoroporated in the package and lost.
> The nmu is using the original patch from the BTS.
> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing
> 
> [ Other info ]
> The package has been uploaded to DELAYED/2, ETA May 26th, 18:00 CET

It is now in unstable.
 
> 
> unblock camping/2.3-1.1

Bug#1036709: unblock: libsepol/3.4-2.1

[Tobias Frost]

Forgot to add the debdiff… 
diff -Nru libsepol-3.4/debian/changelog libsepol-3.4/debian/changelog
--- libsepol-3.4/debian/changelog	2022-06-15 09:56:48.0 +0200
+++ libsepol-3.4/debian/changelog	2023-05-24 16:43:03.0 +0200
@@ -1,3 +1,10 @@
+libsepol (3.4-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix "Inaccurate copyright file" (Closes: #1031798)
+
+ -- Tobias Frost   Wed, 24 May 2023 16:43:03 +0200
+
 libsepol (3.4-2) unstable; urgency=medium
 
   * fix validation of user declarations in modules, patch proposed upstream
diff -Nru libsepol-3.4/debian/copyright libsepol-3.4/debian/copyright
--- libsepol-3.4/debian/copyright	2022-06-15 09:56:48.0 +0200
+++ libsepol-3.4/debian/copyright	2023-05-24 16:36:19.0 +0200
@@ -1,49 +1,83 @@
-This is the Debian package for libsepol, and it is built from sources
-obtained from http://userspace.selinuxproject.org/releases/current/devel/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This is the Debian package for libsepol.
+ .
+ This package was debianized by Russell Coker  on
+ Fri, 20 Aug 2004 17:26:18 +1000.
+Source: https://github.com/SELinuxProject/selinux/wiki/Releases
 
-
-
-This package was debianized by Russell Coker  on
-Fri, 20 Aug 2004 17:26:18 +1000.
-
-libsepol is
+Files: *
+Copyright: libsepol is
  Copyright (C) 2003, 2004 Stephen Smalley 
  Copyright (C) 2003-2007  Red Hat, Inc.
  Copyright (C) 2004, 2005 Trusted Computer Solutions, Inc.
- Copyright (C) 2003-2008  Tresys Technology, LLC
-
-
+ Copyright (C) 2003-2008, 2011 Tresys Technology, LLC
+ Copyright (C) 2017 Mellanox Techonolgies Inc.
+ Copyright (c) 2008 NEC Corporation
+License: LGPL-2.1+
 This library is free software; you can redistribute it and/or
 modify it under the terms of the GNU Lesser General Public
 License as published by the Free Software Foundation; either
 version 2.1 of the License, or (at your option) any later version.
-
+ .
 This library is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 Lesser General Public License for more details.
-
+ .
 You should have received a copy of the GNU Lesser General Public
 License along with this library; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
-On Debian GNU/Linux systems, the complete text of the Lesser GNU General
-Public License can be found in `/usr/share/common-licenses/LGPL'.
-
- This package is maintained by Manoj Srivastava .
-
- The Debian specific changes are © 2005-2008, Manoj Srivastava
- , and distributed under the terms of the GNU
- General Public License, version 2.
-
-
-On Debian GNU/Linux systems, the complete text of the GNU General
-Public License can be found in `/usr/share/common-licenses/GPL'.
-
+Comment:
+ On Debian GNU/Linux systems, the complete text of the Lesser GNU General
+ Public License version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
+
+Files: cil/test/unit/CuTest.*
+Copyright: (c) 2003 Asim Jalis
+License: Zlib
+ This software is provided 'as-is', without any express or implied
+ warranty. In no event will the authors be held liable for any damages
+ arising from the use of this software.
+ .
+ Permission is granted to anyone to use this software for any purpose,
+ including commercial applications, and to alter it and redistribute it
+ freely, subject to the following restrictions:
+ .
+ 1. The origin of this software must not be misrepresented; you must not
+ claim that you wrote the original software. If you use this software in
+ a product, an acknowledgment in the product documentation would be
+ appreciated but is not required.
+ .
+ 2. Altered source versions must be plainly marked as such, and must not
+ be misrepresented as being the original software.
+ .
+ 3. This notice may not be removed or altered from any source
+ distribution.
+
+Files: debian/*
+Copyright: © 2005-2008, Manoj Srivastava 
+ 2012-2022  Laurent Bigonville 
+ 2011-2018  Russell Coker 
+License: GPL-2
+The Debian specific changes are distributed under the terms of the
+GNU General Public License, version 2.
+ .
 A copy of the GNU General Public License is also available at
 http://www.gnu.org/copyleft/gpl.html>.  You may also obtain
 it by writing to the Free Software Foundation, Inc., 51 Franklin
 St, Fifth Floor, Boston, MA 02110-1301 USA
-
-Manoj Srivastava 
-arch-tag: d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27
+Comment:
+ On Debian GNU/Linux systems, the complete text of the GNU General
+ Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+Files: man/*man8/chkcon.8
+   man/man8/genpolusers.8
+Copyright: (c) 1997 Manoj Srivastava 
+License: GPL-2+
+This is free documentation; you can

Bug#1036711: unblock: camping/2.3-1.1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: camp...@packages.debian.org
Control: affects -1 + src:camping

Please unblock package camping

It fixes a broken symlink to a font. (#861040)
This had been fixed already earlier, (2.1.580-1.1)
but that NMU has not been incoroporated in the package and lost.
The nmu is using the original patch from the BTS.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
The package has been uploaded to DELAYED/2, ETA May 26th, 18:00 CET


unblock camping/2.3-1.1
diff -Nru camping-2.3/debian/changelog camping-2.3/debian/changelog
--- camping-2.3/debian/changelog2023-01-31 16:26:42.0 +0100
+++ camping-2.3/debian/changelog2023-05-24 17:43:23.0 +0200
@@ -1,3 +1,10 @@
+camping (2.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix broken font symlink (Closes: #861040)
+
+ -- Tobias Frost   Wed, 24 May 2023 17:43:23 +0200
+
 camping (2.3-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru camping-2.3/debian/rules camping-2.3/debian/rules
--- camping-2.3/debian/rules2023-01-31 16:26:42.0 +0100
+++ camping-2.3/debian/rules2023-05-24 17:38:44.0 +0200
@@ -43,7 +43,7 @@
ln -s /usr/share/fonts/truetype/lato/Lato-Light.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/
ln -s /usr/share/fonts/truetype/lato/Lato-LightItalic.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/
ln -s /usr/share/fonts/truetype/lato/Lato-Regular.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/
-   ln -s /usr/share/fonts/truetype/lato/Lato-RegularItalic.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/
+   ln -s /usr/share/fonts/truetype/lato/Lato-Italic.ttf 
debian/camping/usr/share/doc/camping/rdoc/fonts/Lato-RegularItalic.ttf
 
 override_dh_auto_clean:
dh_auto_clean


signature.asc
Description: PGP signature

Bug#1036709: unblock: libsepol/3.4-2.1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libse...@packages.debian.org
Control: affects -1 + src:libsepol

Please unblock package libsepol

It fixes #1031798, inaccurate copyright file.

No other changes done.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
The package has been uploaded to DELAYED/2, ETA May 26th 2023, ~16:45

unblock libsepol/3.4-2.1


-- 
tobi


signature.asc
Description: PGP signature

Bug#1036598: unblock: opencascade/7.6.3+dfsg1-7

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: opencasc...@packages.debian.org
Control: affects -1 + src:opencascade

Please unblock package opencascade

The upload fixes:
 #1036581 occt-draw: broken symlink: /usr/bin/occt-draw -> occt-draw-7.5

Its a targeted fix, only repairing the symlink. See debdiff.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock opencascade/7.6.3+dfsg1-7
diff -Nru opencascade-7.6.3+dfsg1/debian/changelog 
opencascade-7.6.3+dfsg1/debian/changelog
--- opencascade-7.6.3+dfsg1/debian/changelog2023-05-14 11:37:53.0 
+0200
+++ opencascade-7.6.3+dfsg1/debian/changelog2023-05-23 09:45:56.0 
+0200
@@ -1,3 +1,10 @@
+opencascade (7.6.3+dfsg1-7) unstable; urgency=medium
+
+  * Update broken symlink /usr/bin/occt-draw to new version
+ occt-draw-7.6" (Closes: #1036581)
+
+ -- Tobias Frost   Tue, 23 May 2023 09:45:56 +0200
+
 opencascade (7.6.3+dfsg1-6) unstable; urgency=medium
 
   * Let libocct-data-exchange-dev Conflicts: with liboce-modeling-
diff -Nru opencascade-7.6.3+dfsg1/debian/occt-draw.links 
opencascade-7.6.3+dfsg1/debian/occt-draw.links
--- opencascade-7.6.3+dfsg1/debian/occt-draw.links  2022-07-31 
14:33:23.0 +0200
+++ opencascade-7.6.3+dfsg1/debian/occt-draw.links  2023-05-23 
08:13:21.0 +0200
@@ -1 +1 @@
-/usr/bin/occt-draw-7.5 /usr/bin/occt-draw
+/usr/bin/occt-draw-7.6 /usr/bin/occt-draw

Bug#1036045: unblock: opencascade/7.6.3+dfsg1-6

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: opencasc...@packages.debian.org
Control: affects -1 + src:opencascade

Please unblock package opencascade

Helmut Grohne reported in #1035009 a missing Conflict: on several
package, leading in certtain circumstances to installation errors.
(Details in the bug)

Additionally, this upload fixes two lintian *errors*:
(E: depends-on-obsolete-package), suggestiong renaming two Depends:
 libfreetype6-dev with libfreetype-dev
 libgl1-mesa-dev with libgl-dev

[ Risks ]
Changes are trivial

piuparts is happy as well
(CI: https://salsa.debian.org/science-team/opencascade/-/pipelines/527866,
 piuparts job: 
https://salsa.debian.org/science-team/opencascade/-/jobs/4214165)


[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock opencascade/7.6.3+dfsg1-6

-- 
Cheers,
tobi

Bug#1035821: unblock: retroarch-assets/1.7.6+git20221024+dfsg-3

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: retroarch-ass...@packages.debian.org
Control: affects -1 + src:retroarch-assets

Please unblock package retroarch-assets

The upload fixes #1035793, a missing depdency on fonts-droid-fallback

[ Tests ]
Manual test that symlink is no longer dangling and a piuparts run.

[ Risks ]
Trivial fix

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock retroarch-assets/1.7.6+git20221024+dfsg-3


Cheers,
-- 
tobi
diff -Nru retroarch-assets-1.7.6+git20221024+dfsg/debian/changelog 
retroarch-assets-1.7.6+git20221024+dfsg/debian/changelog
--- retroarch-assets-1.7.6+git20221024+dfsg/debian/changelog2023-01-12 
20:48:03.0 +0100
+++ retroarch-assets-1.7.6+git20221024+dfsg/debian/changelog2023-05-09 
17:19:28.0 +0200
@@ -1,3 +1,10 @@
+retroarch-assets (1.7.6+git20221024+dfsg-3) unstable; urgency=medium
+
+  * Team upload.
+  * Add Depends: fonts-droid-fallback (Closes: #1035793)
+
+ -- Tobias Frost   Tue, 09 May 2023 17:19:28 +0200
+
 retroarch-assets (1.7.6+git20221024+dfsg-2) unstable; urgency=low
 
   * Update Vcs-* pointers to libretro subproject
diff -Nru retroarch-assets-1.7.6+git20221024+dfsg/debian/control 
retroarch-assets-1.7.6+git20221024+dfsg/debian/control
--- retroarch-assets-1.7.6+git20221024+dfsg/debian/control  2023-01-12 
20:48:03.0 +0100
+++ retroarch-assets-1.7.6+git20221024+dfsg/debian/control  2023-05-09 
17:19:16.0 +0200
@@ -18,6 +18,7 @@
 Multi-Arch: foreign
 Depends: ${shlibs:Depends}, ${misc:Depends},
fonts-dejavu-core,
+   fonts-droid-fallback,
fonts-noto-extra,
fonts-roboto-unhinted
 Description: RetroArch assets for Ozone, GLUI, RGUI and XMB

Bug#1035335: unblock: solarpowerlog/0.25-1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: solarpower...@packages.debian.org
Control: affects -1 + src:solarpowerlog

Please unblock package solarpowerlog

[ Reason ]

A problem has been reported to me, that the a valid HTML
writer configuration are rejected by solarpowerlog. This is
a regression in 0.25.

A similar problem exists with the DBWriter, the example
configurations are using a differnt field for the password,
so configurations using a password will be rejected too.


[ Impact ]
Parts of solarpowerlog are not usable.

[ Tests ]
Manual tests.

[ Risks ]
Package is a leaf package, code change is small

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock solarpowerlog/0.25-1
diff -Nru solarpowerlog-0.25/debian/changelog 
solarpowerlog-0.25/debian/changelog
--- solarpowerlog-0.25/debian/changelog 2022-01-07 14:20:10.0 +0100
+++ solarpowerlog-0.25/debian/changelog 2023-05-01 10:00:20.0 +0200
@@ -1,3 +1,9 @@
+solarpowerlog (0.25-2) unstable; urgency=medium
+
+  * Cherry-pick fixes for broken htmlwriter and dbfilter. (Closes: #1035333)
+
+ -- Tobias Frost   Mon, 01 May 2023 10:00:20 +0200
+
 solarpowerlog (0.25-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru solarpowerlog-0.25/debian/patches/fix_dbwriter.patch 
solarpowerlog-0.25/debian/patches/fix_dbwriter.patch
--- solarpowerlog-0.25/debian/patches/fix_dbwriter.patch1970-01-01 
01:00:00.0 +0100
+++ solarpowerlog-0.25/debian/patches/fix_dbwriter.patch2023-05-01 
09:41:37.0 +0200
@@ -0,0 +1,48 @@
+commit e77389f3b88794b2ba57624052195e3b399cc1a2
+Author: Tobias Frost 
+Date:   Mon May 1 09:31:47 2023 +0200
+
+[DBWriter] Bugfix: Use db_password (instead db_passwd) for password 
configuration
+
+(to be aligned with the examples)
+
+diff --git a/src/DataFilters/DBWriter/CDBWriterFilter.cpp 
b/src/DataFilters/DBWriter/CDBWriterFilter.cpp
+index 6e3e141..4242a6b 100644
+--- a/src/DataFilters/DBWriter/CDBWriterFilter.cpp
 b/src/DataFilters/DBWriter/CDBWriterFilter.cpp
+@@ -193,7 +193,7 @@ bool CDBWriterFilter::CheckConfig()
+ fail = true;
+ }
+ if (_cfg_cache_db_passwd.empty()) {
+-_missing_req_parameter(logger, _cfg_cache_db_type, "db_passwd");
++_missing_req_parameter(logger, _cfg_cache_db_type, "db_password");
+ fail = true;
+ }
+ if (_cfg_cache_db_database.empty()) {
+@@ -231,7 +231,7 @@ bool CDBWriterFilter::CheckConfig()
+ }
+ 
+ if (_cfg_cache_db_passwd.empty()) {
+-_missing_req_parameter(logger, _cfg_cache_db_type, "db_passwd");
++_missing_req_parameter(logger, _cfg_cache_db_type, "db_password");
+ fail = true;
+ }
+ if (_cfg_cache_db_database.empty()) {
+@@ -270,7 +270,7 @@ bool CDBWriterFilter::CheckConfig()
+ }
+ 
+ if (!_cfg_cache_db_passwd.empty()) {
+-_wrong_parameter(logger, _cfg_cache_db_type, "db_passwd");
++_wrong_parameter(logger, _cfg_cache_db_type, "db_password");
+ fail = true;
+ }
+ 
+@@ -701,7 +701,7 @@ CConfigCentral* 
CDBWriterFilter::getConfigCentralObject(CConfigCentral* parent)
+  _cfg_cache_db_mode, std::string(""))
+ ("db_user", Description_DBWriter_db_user,
+ _cfg_cache_db_user, std::string(""))
+-("db_passwd", Description_DBWriter_db_passwd,
++("db_password", Description_DBWriter_db_passwd,
+ _cfg_cache_db_passwd, std::string(""))
+ ("db_database", Description_DBWriter_db_database,
+ _cfg_cache_db_database, std::string(""))
diff -Nru solarpowerlog-0.25/debian/patches/fix_htmlwriter.patch 
solarpowerlog-0.25/debian/patches/fix_htmlwriter.patch
--- solarpowerlog-0.25/debian/patches/fix_htmlwriter.patch  1970-01-01 
01:00:00.0 +0100
+++ solarpowerlog-0.25/debian/patches/fix_htmlwriter.patch  2023-05-01 
09:41:37.0 +0200
@@ -0,0 +1,19 @@
+commit e4bd00f13656ff8815e52f23a59daff46271d646
+Author: Tobias Frost 
+Date:   Mon May 1 09:26:31 2023 +0200
+
+[HTMLWriter] Bugfix: Logic error in rejected valid configuration.
+
+diff --git a/src/DataFilters/HTMLWriter/CHTMLWriter.cpp 
b/src/DataFilters/HTMLWriter/CHTMLWriter.cpp
+index 192fe05..2c7ab54 100644
+--- a/src/DataFilters/HTMLWriter/CHTMLWriter.cpp
 b/src/DataFilters/HTMLWriter/CHTMLWriter.cpp
+@@ -219,7 +219,7 @@ bool CHTMLWriter::CheckConfig()
+ 
+   std::auto_ptr cc(getConfigCentralObject(NULL));
+ 
+-  bool fail = cc->CheckConfig(logger, configurationpath);
++  bool fail = !cc->CheckConfig(logger, 
configurationpath);(cc->

Bug#1033947: unblock: widelands/2:1.1-3

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: widela...@packages.debian.org
Control: affects -1 + src:widelands

Please unblock package widelands

The upload fixes the version constraint in widelands-data.maintscript for
symlink_to_dir.

The original version constraint was 1:21-2~, the last version that had
the directory. However, the symlink_to_dir was only introduced in
2:1.0-3, so if a user upgraded from a version later than 1:21-2~,
the migration would not be triggered as maintscript would believe
it is not needed anymore.

In such cases the game would crash as reported in #1033879.

(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)

[ Risks ]
The game is a leaf package.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock widelands/2:1.1-3

Cheers,
-- 
tobi
diff -Nru widelands-1.1/debian/changelog widelands-1.1/debian/changelog
--- widelands-1.1/debian/changelog  2022-12-27 23:29:29.0 +0100
+++ widelands-1.1/debian/changelog  2023-04-04 16:15:53.0 +0200
@@ -1,3 +1,10 @@
+widelands (2:1.1-3) unstable; urgency=medium
+
+  * Team upload.
+  * Fix version constraint in dir_to_symlink. (Closes: #1033879)
+
+ -- Tobias Frost   Tue, 04 Apr 2023 16:15:53 +0200
+
 widelands (2:1.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru widelands-1.1/debian/widelands-data.maintscript 
widelands-1.1/debian/widelands-data.maintscript
--- widelands-1.1/debian/widelands-data.maintscript 2022-12-27 
23:29:29.0 +0100
+++ widelands-1.1/debian/widelands-data.maintscript 2023-04-04 
16:15:49.0 +0200
@@ -1,2 +1 @@
-dir_to_symlink /usr/share/games/widelands/data/i18n/fonts/Culmus 
../../../../../fonts/truetype/culmus-fancy 1:21-2~
-
+dir_to_symlink /usr/share/games/widelands/data/i18n/fonts/Culmus 
../../../../../fonts/truetype/culmus-fancy 2:1.1-3~

Bug#1033946: unblock: unknown-horizons/2019.1-6

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: unknown-horiz...@packages.debian.org
Control: affects -1 + src:unknown-horizons

Please unblock package unknown-horizons

This updates fixes #1033833: the package font-unifont
dropped shipping unifont.ttf last summer, and this breaks
unknown-horizons/2019.1-5 as the symlink to the font is no
longer valid and the game fails to load.

The update fixes the symlink to the otf font, which works
with the game as well.

[ Impact ]
Game would be broken.

[ Risks ]
This game is a leaf package.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock unknown-horizons/2019.1-6
diff -Nru unknown-horizons-2019.1/debian/changelog 
unknown-horizons-2019.1/debian/changelog
--- unknown-horizons-2019.1/debian/changelog2022-08-28 13:16:18.0 
+0200
+++ unknown-horizons-2019.1/debian/changelog2023-04-03 19:23:41.0 
+0200
@@ -1,3 +1,11 @@
+unknown-horizons (2019.1-6) unstable; urgency=medium
+
+  * Team upload.
+  * add d/clean: enable building twice from source tree, delete created files.
+  * Replace link to unifont.ttf with unifont.otf. (Closes: #1033833)
+
+ -- Tobias Frost   Mon, 03 Apr 2023 19:23:41 +0200
+
 unknown-horizons (2019.1-5) unstable; urgency=medium
 
   * Team upload.
diff -Nru unknown-horizons-2019.1/debian/clean 
unknown-horizons-2019.1/debian/clean
--- unknown-horizons-2019.1/debian/clean1970-01-01 01:00:00.0 
+0100
+++ unknown-horizons-2019.1/debian/clean2023-04-03 19:08:30.0 
+0200
@@ -0,0 +1,6 @@
+content/gfx/atlas/*png
+.cache/
+content/actionsets.json
+content/tilesets.json
+UnknownHorizons.egg-info/
+content/atlas.sql
diff -Nru unknown-horizons-2019.1/debian/links 
unknown-horizons-2019.1/debian/links
--- unknown-horizons-2019.1/debian/links2022-08-27 15:26:54.0 
+0200
+++ unknown-horizons-2019.1/debian/links2023-04-03 19:13:03.0 
+0200
@@ -1 +1 @@
-/usr/share/fonts/truetype/unifont/unifont.ttf 
/usr/share/unknown-horizons/content/fonts/Unifont.ttf
+/usr/share/fonts/opentype/unifont/unifont.otf 
/usr/share/unknown-horizons/content/fonts/Unifont.ttf

Bug#1031948: bullseye-pu: package libgit2/1.1.0+dfsg.1-4+deb11u1

[Tobias Frost]

On Sat, Apr 01, 2023 at 08:13:23PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2023-02-25 at 21:16 +0100, Tobias Frost wrote:
> > After fixing CVE-2023-22742 for LTS and ELTS, I'd like to see
> > this CVE also fixed in stable, for consistency.
> > 
> > The CVE is an inproper ssh certificate validation vulnerabilty,
> > which allows man-in-the-middle attacks.
> > 
> 
> +libgit2 (1.1.0+dfsg.1-4+deb11u1) bullseye-security; urgency=high
> 
> That wants to just be "bullseye".
> 
> + This is a backport of the upstream fix to the Debian stretch version.
> 
> Presumably that comment could also do with an update.
> 
> Please go ahead.

Thanks for the review. Fixed and uploaded!

-- 
tobi

Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1

[Tobias Frost]

On Fri, Mar 17, 2023 at 09:15:36PM +0100, Salvatore Bonaccorso wrote:
> Yes this is correct, you do not need to mention it. I just wanted to
> make double sure it's as well on the radar (and have not checked if
> you have uploaded with -v to incude the intermediate changelog entries
> as well).

I think I've forgotten that part…
So please reject my upload and I'll fix that…
--
tobi

Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1

[Tobias Frost]

Am 17. März 2023 19:18:50 UTC schrieb Salvatore Bonaccorso :
>
>On Thu, Mar 16, 2023 at 04:06:29PM +0100, Tobias Frost wrote:
>> Package: release.debian.org
>> Severity: normal
>> Tags: bullseye
>> User: release.debian@packages.debian.org
>> Usertags: pu
>> X-Debbugs-Cc: intel-microc...@packages.debian.org, Salvatore Bonaccorso 
>> 
>> Control: affects -1 + src:intel-microcode
>> 
>> (Please refer to #1032847#12 for security team's feedback
>> that this should go through SPU.)
>> 
>> The upload updates intel microcodes to target (See #1031334)
>>- INTEL-SA-00700: CVE-2022-21216
>>- INTEL-SA-00730: CVE-2022-33972
>>- INTEL-SA-00738: CVE-2022-33196
>>- INTEL-SA-00767: CVE-2022-38090
>> 
>> the CVEs are information disclosure via local access vulnerbilities and
>> potential privilege escalations.
>
>Note that speaking of fixed CVEs, for bullseye and older with the
>upload CVE-2022-21233 get fixed as well (this one was as well not
>warranting a DSA, it is as well SGX releated).

yes, this CVE is fixed in  3.20220809.1, which is part of this update. 
to make sure i don't miss it: i thought i do not need to repeat the cve in 
d/changelog if it is mentioned in earlier d/changelog entries, right?

>Regards,
>Salvatore

Bug#1033079: bullseye-pu: package intel-microcode/3.20230214.1~deb11u1

[Tobias Frost]

65b, pf_mask 0xbf, 2022-08-26, rev 0x7002503, size 29696
+sig 0x000606a6, pf_mask 0x87, 2022-10-09, rev 0xd000389, size 296960
+sig 0x000606c1, pf_mask 0x10, 2022-09-23, rev 0x1000211, size 289792
+sig 0x000706a1, pf_mask 0x01, 2022-09-16, rev 0x003e, size 75776
+sig 0x000706a8, pf_mask 0x01, 2022-09-20, rev 0x0022, size 76800
+sig 0x000706e5, pf_mask 0x80, 2022-08-31, rev 0x00b8, size 113664
+sig 0x000806a1, pf_mask 0x10, 2022-09-07, rev 0x0032, size 34816
+sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136
+sig 0x00090675, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136
+sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112
+sig 0x000906a4, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112
+sig 0x000906c0, pf_mask 0x01, 2022-09-02, rev 0x2424, size 20480
+sig 0x000a0671, pf_mask 0x02, 2022-08-31, rev 0x0057, size 103424
+sig 0x000b0671, pf_mask 0x32, 2022-12-19, rev 0x0112, size 207872
+sig 0x000b06f2, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136
+sig 0x000b06f5, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136
+
+ -- Tobias Frost   Tue, 14 Mar 2023 19:17:02 +0100
+
+intel-microcode (3.20221108.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20221108
+* New Microcodes:
+  sig 0x000606c1, pf_mask 0x10, 2022-08-07, rev 0x1000201, size 286720
+  sig 0x000b0671, pf_mask 0x32, 2022-09-07, rev 0x010e, size 204800
+* Updated Microcodes:
+  sig 0x000706e5, pf_mask 0x80, 2022-08-02, rev 0x00b6, size 113664
+  sig 0x000806c1, pf_mask 0x80, 2022-06-28, rev 0x00a6, size 110592
+  sig 0x000806d1, pf_mask 0xc2, 2022-06-28, rev 0x0042, size 102400
+  sig 0x000806ec, pf_mask 0x94, 2022-07-31, rev 0x00f4, size 105472
+  sig 0x00090661, pf_mask 0x01, 2022-07-15, rev 0x0017, size 20480
+  sig 0x00090672, pf_mask 0x07, 2022-09-19, rev 0x0026, size 218112
+  sig 0x00090675, pf_mask 0x07, 2022-09-19, rev 0x0026
+  sig 0x000b06f2, pf_mask 0x07, 2022-09-19, rev 0x0026
+  sig 0x000b06f5, pf_mask 0x07, 2022-09-19, rev 0x0026
+  sig 0x000906a3, pf_mask 0x80, 2022-09-19, rev 0x0424, size 217088
+  sig 0x000906a4, pf_mask 0x80, 2022-09-19, rev 0x0424
+  sig 0x000906ed, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 104448
+  sig 0x000a0652, pf_mask 0x20, 2022-07-31, rev 0x00f4, size 96256
+  sig 0x000a0653, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 97280
+  sig 0x000a0655, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 96256
+  sig 0x000a0660, pf_mask 0x80, 2022-07-31, rev 0x00f4, size 97280
+  sig 0x000a0661, pf_mask 0x80, 2022-07-31, rev 0x00f4, size 96256
+  sig 0x000a0671, pf_mask 0x02, 2022-08-02, rev 0x0056, size 103424
+
+ -- Henrique de Moraes Holschuh   Sat, 03 Dec 2022 17:21:08 
-0300
+
+intel-microcode (3.20220809.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20220809
+* Fixes INTEL-SA-00657, CVE-2022-21233
+  Stale data from APIC leaks SGX memory (AEPIC leak)
+* Fixes unspecified errata (functional issues) on Xeon Scalable
+* Updated Microcodes:
+  sig 0x00050653, pf_mask 0x97, 2022-03-14, rev 0x100015e, size 34816
+  sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032
+  sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888
+  sig 0x000706a1, pf_mask 0x01, 2022-03-23, rev 0x003c, size 75776
+  sig 0x000706a8, pf_mask 0x01, 2022-03-23, rev 0x0020, size 75776
+  sig 0x000706e5, pf_mask 0x80, 2022-03-17, rev 0x00b2, size 112640
+  sig 0x000806c2, pf_mask 0xc2, 2022-03-19, rev 0x0028, size 97280
+  sig 0x000806d1, pf_mask 0xc2, 2022-03-28, rev 0x0040, size 102400
+  sig 0x00090672, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
+  sig 0x00090675, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
+  sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
+  sig 0x000906a4, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
+  sig 0x000a0671, pf_mask 0x02, 2022-03-17, rev 0x0054, size 103424
+  sig 0x000b06f2, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
+  sig 0x000b06f5, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
+  * source: update symlinks to reflect id of the latest release, 20220809
+
+ -- Henrique de Moraes Holschuh   Fri, 19 Aug 2022 14:21:20 
-0300
+
 intel-microcode (3.20220510.1~deb11u1) bullseye-security; urgency=medium
 
   * Backport to Debian bullseye (no relevant changes)
Binary files 
/tmp/gbnDrf7LzN/intel-microcode-3.20220510.1~deb11u1/intel-ucode/06-55-03 and 
/tmp/mQ6OQnU49L/intel-microcode-3.20230214.1~deb11u1/intel-ucode/06-55-03 differ
Binary files 
/tmp/gbnDrf7LzN/intel-microcode-3.20220510.1~deb11u1/intel-ucode/06-55-04 and 
/tmp/mQ6OQnU49L/intel-microcode-3.20230214.1~deb11u1/intel-ucode/06-55-04 differ
Binary files 
/tmp/gbnDrf7LzN/intel-microcode-3.20220510.1~deb11u1/intel-ucode/06-55-06 and 
/tmp/mQ6OQnU49L/intel-microcode-3.20230214.1~deb11u1/intel-ucode/06-55

Bug#1032847: unblock: intel-microcode/3.20230214.1

[Tobias Frost]

Control: tag -1 -moreinfo
> 
> On Sun, Mar 12, 2023 at 06:56:21PM +0100, Tobias Frost wrote:
> > I've uploaded intel-microcode to DELAYED/5, ETA will be Mar 17 ~18:00 CET
> > Please unblock package intel-microcode once it hits unstable.
> 
> Please remove the moreinfo tag from this bug when it's ready to review.

It's now in unstable.

-- 
tobi

Bug#1032847: unblock: intel-microcode/3.20230214.1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: intel-microc...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:intel-microcode

I've uploaded intel-microcode to DELAYED/5, ETA will be Mar 17 ~18:00 CET
Please unblock package intel-microcode once it hits unstable.

The upload updates intel microcodes to target (See #1031334)
   - INTEL-SA-00700: CVE-2022-21216
   - INTEL-SA-00730: CVE-2022-33972
   - INTEL-SA-00738: CVE-2022-33196
   - INTEL-SA-00767: CVE-2022-38090

the CVEs are information disclosure via local access vulnerbilities and
potential privilege escalations.

I plan to provide updated packages for bullseye (security team in CC).
As well as LTS (buster) and ELTS (stretch an jessie) as part of the freexian 
LTS/ELTS project)

To keep the fixes consistent, I'd like to let them flow from sid -> jessie…

[ Tests ]
I've tested that the package works on Intel hardware that I have access to.


[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock intel-microcode/3.20230214.1

-- 
tobi
diff -Nru intel-microcode-3.20221108.2/debian/changelog 
intel-microcode-3.20230214.1/debian/changelog
--- intel-microcode-3.20221108.2/debian/changelog   2023-02-17 
01:12:52.0 +0100
+++ intel-microcode-3.20230214.1/debian/changelog   2023-03-12 
18:16:50.0 +0100
@@ -1,3 +1,52 @@
+intel-microcode (3.20230214.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream microcode datafile 20230214
+- Includes Fixes for: (Closes: #1031334)
+   - INTEL-SA-00700: CVE-2022-21216
+   - INTEL-SA-00730: CVE-2022-33972
+   - INTEL-SA-00738: CVE-2022-33196
+   - INTEL-SA-00767: CVE-2022-38090
+  * New Microcodes:
+sig 0x000806f4, pf_mask 0x10, 2022-12-19, rev 0x2c000170
+sig 0x000806f4, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+sig 0x000806f5, pf_mask 0x10, 2022-12-19, rev 0x2c000170
+sig 0x000806f5, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+sig 0x000806f6, pf_mask 0x10, 2022-12-19, rev 0x2c000170
+sig 0x000806f6, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+sig 0x000806f7, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+sig 0x000806f8, pf_mask 0x10, 2022-12-19, rev 0x2c000170
+sig 0x000806f8, pf_mask 0x10, 2022-12-19, rev 0x2c000170, size 600064
+sig 0x000806f8, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+sig 0x000806f8, pf_mask 0x87, 2022-12-27, rev 0x2b000181, size 561152
+sig 0x000b06a2, pf_mask 0xc0, 2022-12-08, rev 0x410e
+sig 0x000b06a2, pf_mask 0xc0, 2022-12-08, rev 0x410e, size 212992
+sig 0x000b06a3, pf_mask 0xc0, 2022-12-08, rev 0x410e
+  * Updated Microcodes:
+sig 0x00050653, pf_mask 0x97, 2022-08-30, rev 0x1000161, size 36864
+sig 0x00050656, pf_mask 0xbf, 2022-08-26, rev 0x4003303, size 37888
+sig 0x00050657, pf_mask 0xbf, 2022-08-26, rev 0x5003303, size 37888
+sig 0x0005065b, pf_mask 0xbf, 2022-08-26, rev 0x7002503, size 29696
+sig 0x000606a6, pf_mask 0x87, 2022-10-09, rev 0xd000389, size 296960
+sig 0x000606c1, pf_mask 0x10, 2022-09-23, rev 0x1000211, size 289792
+sig 0x000706a1, pf_mask 0x01, 2022-09-16, rev 0x003e, size 75776
+sig 0x000706a8, pf_mask 0x01, 2022-09-20, rev 0x0022, size 76800
+sig 0x000706e5, pf_mask 0x80, 2022-08-31, rev 0x00b8, size 113664
+sig 0x000806a1, pf_mask 0x10, 2022-09-07, rev 0x0032, size 34816
+sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c
+sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136
+sig 0x00090675, pf_mask 0x07, 2023-01-04, rev 0x002c
+sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429
+sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112
+sig 0x000906a4, pf_mask 0x80, 2023-01-11, rev 0x0429
+sig 0x000906c0, pf_mask 0x01, 2022-09-02, rev 0x2424, size 20480
+sig 0x000a0671, pf_mask 0x02, 2022-08-31, rev 0x0057, size 103424
+sig 0x000b0671, pf_mask 0x32, 2022-12-19, rev 0x0112, size 207872
+sig 0x000b06f2, pf_mask 0x07, 2023-01-04, rev 0x002c
+sig 0x000b06f5, pf_mask 0x07, 2023-01-04, rev 0x002c
+
+ -- Tobias Frost   Sun, 12 Mar 2023 18:16:50 +0100
+
 intel-microcode (3.20221108.2) unstable; urgency=medium
 
   * Move source and binary from non-free/admin to non-free-firmware/admin
Binary files /tmp/qNbFv9J1ty/intel-microcode-3.20221108.2/intel-ucode/06-55-03 
and /tmp/Ekjb2KZejs/intel-microcode-3.20230214.1/intel-ucode/06-55-03 differ
Binary files /tmp/qNbFv9J1ty/intel-microcode-3.20221108.2/intel-ucode/06-55-06 
and /tmp/Ekjb2KZejs/intel-microcode-3.20230214.1/intel-ucode/06-55-06 differ
Binary files /tmp/qNbFv9J1ty/intel-microcode-3.20221108.2/intel-ucode/06-55-07 
and /tmp/Ekjb2KZejs/intel-microcode-3.20230214.1/intel-ucode/06-55-07 differ
Binary files /tmp/qNbFv9J1ty/intel-microcode-3.20221108.2/intel-ucode/06-55

Bug#1031948: bullseye-pu: package libgit2/1.1.0+dfsg.1-4+deb11u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libg...@packages.debian.org
Control: affects -1 + src:libgit2

After fixing CVE-2023-22742 for LTS and ELTS, I'd like to see
this CVE also fixed in stable, for consistency.

The CVE is an inproper ssh certificate validation vulnerabilty,
which allows man-in-the-middle attacks.

[ Tests ]
I've manually tested the patch (checking if git poperations still
work using the ssh transport.

Autopkgtests are green too.

[ Risks ]
Manual tests and test suite works ok.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The change is a backport of the upstream fix:
https://github.com/libgit2/libgit2/commit/cd6f679af401eda1f172402006ef8265f8bd58ea
diff -Nru libgit2-1.1.0+dfsg.1/debian/changelog 
libgit2-1.1.0+dfsg.1/debian/changelog
--- libgit2-1.1.0+dfsg.1/debian/changelog   2021-01-06 18:28:58.0 
+0100
+++ libgit2-1.1.0+dfsg.1/debian/changelog   2023-02-24 16:11:52.0 
+0100
@@ -1,3 +1,10 @@
+libgit2 (1.1.0+dfsg.1-4+deb11u1) bullseye-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Backport patch for CVE-2023-22742 (Closes: #1029368)
+
+ -- Tobias Frost   Fri, 24 Feb 2023 16:11:52 +0100
+
 libgit2 (1.1.0+dfsg.1-4) unstable; urgency=medium
 
   * Source-only upload for migration.
diff -Nru libgit2-1.1.0+dfsg.1/debian/patches/CVE-2023-22742.patch 
libgit2-1.1.0+dfsg.1/debian/patches/CVE-2023-22742.patch
--- libgit2-1.1.0+dfsg.1/debian/patches/CVE-2023-22742.patch1970-01-01 
01:00:00.0 +0100
+++ libgit2-1.1.0+dfsg.1/debian/patches/CVE-2023-22742.patch2023-02-24 
16:11:52.0 +0100
@@ -0,0 +1,523 @@
+Description: CVE-2023-22742 - fails to verify SSH keys by default
+ CVE-Description: libgit2 is a cross-platform, linkable library
+ implementation of Git. When using an SSH remote with the optional libssh2
+ backend, libgit2 does not perform certificate checking by default. Prior
+ versions of libgit2 require the caller to set the `certificate_check` field of
+ libgit2's `git_remote_callbacks` structure - if a certificate check callback 
is
+ not set, libgit2 does not perform any certificate checking. This means that by
+ default - without configuring a certificate check callback, clients will not
+ perform validation on the server SSH keys and may be subject to a
+ man-in-the-middle attack. 
+ This is a backport of the upstream fix to the Debian stretch version.
+Origin: https://github.com/libgit2/libgit2/pull/6449
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029368
+Forwarded: 
+Last-Update: 2023-02-21 
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/transports/ssh.c
 b/src/transports/ssh.c
+@@ -475,15 +475,122 @@
+   return 0;
+ }
+ 
++
++#define KNOWN_HOSTS_FILE ".ssh/known_hosts"
++
++/*
++ * Load the known_hosts file.
++ *
++ * Returns success but leaves the output NULL if we couldn't find the file.
++ */
++static int load_known_hosts(LIBSSH2_KNOWNHOSTS **hosts, LIBSSH2_SESSION 
*session)
++{
++  git_buf path = GIT_BUF_INIT;
++  LIBSSH2_KNOWNHOSTS *known_hosts = NULL;
++  int error;
++  char *home = getenv("HOME");
++
++  assert(hosts);
++
++  if (!home)
++  return GIT_ENOTFOUND;
++
++
++
++  if ((error = git_buf_join(, '/', home, KNOWN_HOSTS_FILE)) < 0)
++  goto out;
++
++  if ((known_hosts = libssh2_knownhost_init(session)) == NULL) {
++  ssh_error(session, "error initializing known hosts");
++  error = -1;
++  goto out;
++  }
++
++  /*
++   * Try to read the file and consider not finding it as not trusting the
++   * host rather than an error.
++   */
++  error = libssh2_knownhost_readfile(known_hosts, path.ptr, 
LIBSSH2_KNOWNHOST_FILE_OPENSSH);
++  if (error == LIBSSH2_ERROR_FILE)
++  error = 0;
++  if (error < 0)
++  ssh_error(session, "error reading known_hosts");
++
++out:
++  *hosts = known_hosts;
++
++  git_buf_free();
++
++  return error;
++}
++
++static const char *hostkey_type_to_string(int type)
++{
++  switch (type) {
++  case LIBSSH2_KNOWNHOST_KEY_SSHRSA:
++  return "ssh-rsa";
++  case LIBSSH2_KNOWNHOST_KEY_SSHDSS:
++  return "ssh-dss";
++#ifdef LIBSSH2_KNOWNHOST_KEY_ECDSA_256
++  case LIBSSH2_KNOWNHOST_KEY_ECDSA_256:
++  return "ecdsa-sha2-nistp256";
++  case LIBSSH2_KNOWNHOST_KEY_ECDSA_384:
++  return "ecdsa-sha2-nistp384";
++  case LIBSSH2_KNOWNHOST_KEY_ECDSA_521:
++  return "ecdsa-sha2-nistp521";
++#endif
++#ifdef LIBSS

Bug#1031879: unblock: gnome-shell-pomodoro/0.22.1-1 (Preapproval)

[Tobias Frost]

Hi Sebastian
> 
> Please go ahead.
> 
Thanks, I've uploaded it to unstable.

-- 
tobi

Bug#1031879: unblock: gnome-shell-pomodoro/0.22.1-1 (Preapproval)

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: gnome-shell-pomod...@packages.debian.org
Control: affects -1 + src:gnome-shell-pomodoro

Please unblock package gnome-shell-pomodoro

There is currently an nasty bug in this gnome-shell extension
which makes the overlay non-exitable, basically make the user
stuck at a kind of lock screen until the pomodoro break timer
runs out (e.g 10 minutes)

Debian bug is #1031528

Upstream bug is: https://github.com/gnome-pomodoro/gnome-pomodoro/issues/635

It is fixed in upstream version 0.22.1-1

Unfortunatly it is not easy to isolate the required patch (I tried and broke
more stuff), as important internal parts have been refactored and bits of those
refactorings are needed, so that I came to the conclusion it would be less
risky to use the new minor upstream release.

Upstream changes are NOT massive:

Release version 0.22.1:

* Close screen overlay by hitting Esc key - a failsafe method
* Don't open screen overlay while a video call app is fullscreen
* Fixed screen overlays timer label getting ellipsized
* Fixed screen overlay being over screensaver animation
* Add --reset commandline option

Upstream diff between the two version:
https://github.com/gnome-pomodoro/gnome-pomodoro/compare/0.22.0...0.22.1

The package is a leaf package, so the risk to break other stuff
is not huge.

unblock gnome-shell-pomodoro/0.22.1-1

Please let me know if this would be OK and then I'll prepare a debdiff
(I don't anticipate the need to change something in the packaging itself)

Cheers,
--
tobi

Bug#1020303: bullseye-pu: package modsecurity-apache/2.9.3-3+deb11u2

[Tobias Frost]

Package: release.debian.org
Followup-For: Bug #1020303

Dear stable release team,

Yesterday I've uploaded fixed versions of modsecurity-apache to buster / 
stretch as part of
the Debian LTS/ELTS project. (DLA-3283-1 / ELA-77-9-1)

Since this bug (#1023303) has been opened, the issue Alberto wanted to 
addressed has been
assigned CVE-2022-48279.

An additinal vulnerability has been identified as well, CVE-2023-24021, which 
is also fixed
by this proposed upload.

I'd like to see these fixes also in stable, therefore the attached debdiff 
fixes both issues.

To make sure that there is no misunderstanding: The change in
modsecurity-apache does NOT affect stable's modsecurity-crs at all, there is no
incompatiblity here (only a newer modsecurity-crs needs this fixes to work
properly)

[ Reason ]
Fixing CVE-2022-48279 and CVE-2023-24021 also in stable.

[ Impact ]

CVE-2022-48279

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were
incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is
related to CVE-2022-39956 but can be considered independent changes to the
ModSecurity (C language) codebase.

CVE-2023-24021

Incorrect handling of null-bytes in file uploads in ModSecurity before 2.9.7
may allow for Web Application Firewall bypasses and buffer overflows on the Web
Application Firewall when executing rules reading the FILES_TMP_CONTENT
collection


[ Tests ]

The changes were checked with the modsecurity-crs test suite on
a bullseye, buster and stretch VM.

The have been reviewed by Ervin (package maintainer, modsecurity-crs upstream)
and Ervin also conducted tests.


[ Risks ]

IMHO Risk is low:
- The patches are from the upstream puill requests
- significant testing effort has been done.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Other info ]

Note that the description of CVE-2023-24021 on e.g mitre / security tracker is
outdated, the updated text quoted is currently pending to be updated by mitre,
as I've received updates from the discoveres of the vulnerability only after I 
have
filed the CVE last week.


--
tobi
diff -Nru modsecurity-apache-2.9.3/debian/changelog modsecurity-apache-2.9.3/debian/changelog
--- modsecurity-apache-2.9.3/debian/changelog	2021-12-01 16:04:02.0 +0100
+++ modsecurity-apache-2.9.3/debian/changelog	2023-01-27 10:09:29.0 +0100
@@ -1,7 +1,20 @@
+modsecurity-apache (2.9.3-3+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS security team.
+
+  [ Ervin Hegedus ]
+  * Fix CVE-2022-48279: Added multipart_part_headers.patch
+
+  [ Tobias Frost ]
+  * Fix CVE-2023-24021, cherry-picking upstream commit. (Closes: #1029329)
+  * Fix typo in CVE number in 2.9.3-3+deb11u1 entry. (s/--/-/)
+
+ -- Tobias Frost   Fri, 27 Jan 2023 10:09:29 +0100
+
 modsecurity-apache (2.9.3-3+deb11u1) bullseye-security; urgency=high
 
   * Added json_depth_limit.patch
-Fixes CVE--2021-42717
+Fixes CVE-2021-42717
 
  -- Ervin Hegedus   Wed, 01 Dec 2021 16:04:02 +0100
 
diff -Nru modsecurity-apache-2.9.3/debian/patches/CVE-2023-24021_FILES_TMP_CONTENT.patch modsecurity-apache-2.9.3/debian/patches/CVE-2023-24021_FILES_TMP_CONTENT.patch
--- modsecurity-apache-2.9.3/debian/patches/CVE-2023-24021_FILES_TMP_CONTENT.patch	1970-01-01 01:00:00.0 +0100
+++ modsecurity-apache-2.9.3/debian/patches/CVE-2023-24021_FILES_TMP_CONTENT.patch	2023-01-27 10:03:33.0 +0100
@@ -0,0 +1,59 @@
+Description: CVE-2023-24021 FILES_TMP_CONTENT may sometimes lack complete content
+Origin: https://github.com/SpiderLabs/ModSecurity/pull/2857
+Bug-Debian: https://bugs.debian.org/1029329
+From 4324f0ac59f8225aa44bc5034df60dbeccd1d334 Mon Sep 17 00:00:00 2001
+From: Martin Vierula 
+Date: Wed, 4 Jan 2023 11:34:11 -0800
+Subject: [PATCH] Fix: FILES_TMP_CONTENT may sometimes lack complete content
+--- a/apache2/re_variables.c
 b/apache2/re_variables.c
+@@ -1164,6 +1164,7 @@
+ FILE *file;
+ size_t nread;
+ char *full_content = NULL;
++char *full_content_tmp_ptr = NULL;
+ size_t total_lenght = 0;
+ msre_var *rvar = NULL;
+ 
+@@ -1173,19 +1174,23 @@
+ continue;
+ }
+ 
++full_content = (char *)apr_pcalloc(mptmp, (sizeof(char)*parts[i]->length) + 1);
++if (full_content == NULL) {
++if (msr->txcfg->debuglog_level >= 3) {
++msr_log(msr, 3, "Variable FILES_TMP_CONTENT will not be created, not " \
++"enough memory available.");
++}
++goto files_tmp_content_not_enough_mem;
++}
++full_content_tmp_ptr = full_content;
++
+ 

Bug#1029217: bullseye-pu: package libapreq2/2.13-7~deb11u1

[Tobias Frost]

On Thu, Jan 19, 2023 at 09:08:20PM +0100, Salvatore Bonaccorso wrote:
> Hi Tobi,
> 
> Small formal review:
> 
> On Thu, Jan 19, 2023 at 08:52:37PM +0100, Tobias Frost wrote:
> > forgot to attach the diff
> > 
> 
> > diff -Nru libapreq2-2.13/debian/changelog libapreq2-2.13/debian/changelog
> > --- libapreq2-2.13/debian/changelog 2019-09-18 09:12:54.0 +0200
> > +++ libapreq2-2.13/debian/changelog 2023-01-19 20:25:21.0 +0100
> > @@ -1,3 +1,10 @@
> > +libapreq2 (2.13-7~deb11u1) UNRELEASED; urgency=high
> 
> The version number should be 2.13-7+deb11u1 in this case. Don't forget
> to set target distribution as well to 'bullseye'.

Thanks for taking a look! I've fixed it in salsa [1].

[1] https://salsa.debian.org/debian/libapreq2/-/tree/debian/bullseye
 
> Regards,
> Salvatore

Bug#1029217: bullseye-pu: package libapreq2/2.13-7~deb11u1

[Tobias Frost]

forgot to attach the diff

diff -Nru libapreq2-2.13/debian/changelog libapreq2-2.13/debian/changelog
--- libapreq2-2.13/debian/changelog	2019-09-18 09:12:54.0 +0200
+++ libapreq2-2.13/debian/changelog	2023-01-19 20:25:21.0 +0100
@@ -1,3 +1,10 @@
+libapreq2 (2.13-7~deb11u1) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Backport fix for CVE-2022-22728. (Closes: #1018191)
+
+ -- Tobias Frost   Thu, 19 Jan 2023 20:25:21 +0100
+
 libapreq2 (2.13-7) unstable; urgency=high
 
   * Source-only upload.
diff -Nru libapreq2-2.13/debian/patches/10-CVE-2022-22728_1of4.patch libapreq2-2.13/debian/patches/10-CVE-2022-22728_1of4.patch
--- libapreq2-2.13/debian/patches/10-CVE-2022-22728_1of4.patch	1970-01-01 01:00:00.0 +0100
+++ libapreq2-2.13/debian/patches/10-CVE-2022-22728_1of4.patch	2023-01-19 20:24:24.0 +0100
@@ -0,0 +1,385 @@
+Description: CVE-2022-22728 -- multipart form parse memory corruption
+ A flaw in Apache libapreq2 versions 2.16 and earlier could cause a
+ buffer overflow while processing multipart form uploads. A remote
+ attacker could send a request causing a process crash which could lead
+ to a denial of service attack.
+ This is #1 of 4 patches, see also https://www.openwall.com/lists/oss-security/2023/01/02/2
+Origin: https://svn.apache.org/viewvc?view=revision=1894937
+Bug-Debian: https://bugs.debian.org/1018191
+Reviewed-by: Tobias Frost 
+Last-Update: 2023-01-13 
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/library/parser_header.c
 b/library/parser_header.c
+@@ -39,7 +39,10 @@
+ HDR_GAP,
+ HDR_VALUE,
+ HDR_NEWLINE,
+-HDR_CONTINUE,
++HDR_CONTLINE,
++HDR_WANTLINE,
++HDR_NEXTLINE,
++HDR_LASTLINE,
+ HDR_COMPLETE,
+ HDR_ERROR
+ }   status;
+@@ -59,16 +62,17 @@
+ apreq_value_t *v;
+ apr_bucket *e, *f;
+ apr_status_t s;
+-struct iovec vec[APREQ_DEFAULT_NELTS], *iov, *end;
+-apr_array_header_t arr;
++struct iovec vec[APREQ_DEFAULT_NELTS], *iov;
++apr_array_header_t arr, *a = 
+ char *dest;
+ const char *data;
+ apr_size_t dlen;
++int i;
+ 
+ if (nlen == 0)
+ return APR_EBADARG;
+ 
+-param = apreq_param_make(pool, NULL, nlen, NULL, vlen - 1); /*drop (CR)LF */
++param = apreq_param_make(pool, NULL, nlen, NULL, vlen);
+ *(const apreq_value_t **) = >v;
+ 
+ arr.pool = pool;
+@@ -80,67 +84,78 @@
+ e = APR_BRIGADE_FIRST(bb);
+ 
+ /* store name in a temporary iovec array */
+-
+ while (nlen > 0) {
+ apr_size_t len;
+-end = apr_array_push();
+-s = apr_bucket_read(e, (const char **)>iov_base,
++
++if (a->nelts == a->nalloc) {
++a = apr_array_make(pool, arr.nalloc * 2, sizeof(struct iovec));
++memcpy(a->elts, arr.elts, arr.nelts * sizeof(struct iovec));
++a->nelts = arr.nelts;
++}
++iov = (struct iovec *)apr_array_push(a);
++
++assert(e != APR_BRIGADE_SENTINEL(bb));
++s = apr_bucket_read(e, (const char **)>iov_base,
+ , APR_BLOCK_READ);
+ if (s != APR_SUCCESS)
+ return s;
++iov->iov_len = len;
+ 
+ assert(nlen >= len);
+-end->iov_len = len;
+ nlen -= len;
+ 
+ e = APR_BUCKET_NEXT(e);
+ }
+ 
+ /* skip gap */
+-
+ while (glen > 0) {
++assert(e != APR_BRIGADE_SENTINEL(bb));
+ s = apr_bucket_read(e, , , APR_BLOCK_READ);
+ if (s != APR_SUCCESS)
+ return s;
+ 
+ assert(glen >= dlen);
+ glen -= dlen;
++
+ e = APR_BUCKET_NEXT(e);
+ }
+ 
+ /* copy value */
+-assert(vlen > 0);
+ dest = v->data;
+ while (vlen > 0) {
++apr_size_t off;
+ 
++assert(e != APR_BRIGADE_SENTINEL(bb));
+ s = apr_bucket_read(e, , , APR_BLOCK_READ);
+ if (s != APR_SUCCESS)
+ return s;
+ 
+-memcpy(dest, data, dlen);
+-dest += dlen;
+-assert(vlen >= dlen);
+-vlen -= dlen;
++for (off = 0; off < dlen; ++off) {
++const char ch = data[off];
++if (ch == '\r' || ch == '\n') {
++/* skip continuation CRLF(s) */
++continue;
++}
++assert(vlen > 0);
++*dest = ch;
++++dest;
++--vlen;
++}
++
+ e = APR_BUCKET_NEXT(e);
+ }
+-
+-assert(dest[-1] == '\n');
+-
+-if (dest[-2] == '\r')
+---dest;
+-
+-dest[-1] = 0;
+-v->dlen = (dest - v->data) - 1;
++v->dlen = dest - v->data;
++*dest++ = 0;
+ 
+ /* write name */
+ v->name = dest;
+-iov = (struct iovec *)arr.elts;
+-
+-while (iov <= end) {
++for (i = 0; i < a->nelts; ++i) {
++iov = (struct iovec *)a->elts + i;

Bug#1029217: bullseye-pu: package libapreq2/2.13-7~deb11u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapr...@packages.debian.org, Salvatore Bonaccorso 

Control: affects -1 + src:libapreq2

I've uploaded prepared an security update of libapreq2 for LTS and ELTS.
The proposed upload fixes the CVE also for bullseye.

CVE-2022-22728:

A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer
overflow while processing multipart form uploads. A remote attacker could send
a request causing a process crash which could lead to a denial of service
attack.

I've conducted tests with e.g the reverse dependency rapache 
(libapache2-mod-r-base)

--
tobi

Bug#1027746: transition: log4cxx

[Tobias Frost]

Hi Sebastian,

thanks for the go ahead! 

On Wed, 4 Jan 2023 19:42:13 +0100 Sebastian Ramacher  
wrote:
> Control: tags -1 confirmed
> 
> Please go ahead.

Uploaded to unstable and it has been built on all archs already… :)
I guess it is ready to schedule the binNMUs :)

-- 
Cheers,
tobi

Re: SONAME bumps (transitions) always via experimental

[Tobias Frost]

On Thu, Jan 05, 2023 at 02:29:42PM +0100, Sebastian Ramacher wrote:
> 
> From recent memory and assuming there are no issues with d/copyright,
> binary-NEW uploads to experimental have been processed swiftly.

This is also my experience that binary-NEW uploads for
library SONAME bumps are handled very fast, (also) in experimental.
(Some time ago sponsored such a package, at is was even accepted within an hour 
:))

-- 
tobi

Bug#1027746: transition: log4cxx

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: log4...@packages.debian.org
Control: affects -1 + src:log4cxx

Hi,

I'm currently preparing for log4cxx13 -> log4cxx15 transition.
(SO_NAME 14 had been skipped by upstream)

All it's r-depends builds fine, and there are only three, I anticipate
a smooth transition:

R-Dependees are:
solarpowerlog ✔
ros-rosconsole ✔
ros-ros-comm ✔

(zookeeper is B-D on log4cxx, however it is not using it, #1027732)


Waiting for the green light from you ;-)

-- 
tobi

Bug#1025700: bullseye-pu: package virglrenderer/0.8.2-5+deb11u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Gert Wollny 

(CC'ing Gert Wollny  as maintainer of virglrenderer so he is 
aware)

[ Reason ]

I'm currently preparing a security update for virglrenderer for LTS
and figured out that there is one of the fixed CVEs is not adressed in bullseye
yet.

The CVE fixed is CVE-2022-0135: (#1009073)

To have this CVE also fixed in bullseye, I'm asking for permission to upload a
targeted fix for the next stable point release.

The changes are on this branch:
https://salsa.debian.org/debian/virglrenderer/-/tree/debian/bullseye
namely adding this patch:
https://salsa.debian.org/debian/virglrenderer/-/blob/debian/bullseye/debian/patches/CVE-2022-0135.patch


[ Impact ]
The description of CVE-2022-0135 is:
 An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer
 (virglrenderer). This flaw allows a malicious guest to create a specially
 crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a
 denial of service or possible code execution.

[ Tests ]

Upstream provides a unit-text which covers this CVE.

[ Risks ]

The patch is taken from upstream:
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

-- 
tobi
diff -Nru virglrenderer-0.8.2/debian/changelog 
virglrenderer-0.8.2/debian/changelog
--- virglrenderer-0.8.2/debian/changelog2020-12-07 13:38:41.0 
+0100
+++ virglrenderer-0.8.2/debian/changelog2022-12-07 17:24:59.0 
+0100
@@ -1,3 +1,10 @@
+virglrenderer (0.8.2-5+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Cherry-pick upstream fix for CVE-2022-0135. (Closes: #1009073)
+
+ -- Tobias Frost   Wed, 07 Dec 2022 17:24:59 +0100
+
 virglrenderer (0.8.2-5) unstable; urgency=medium
 
   [ Christian Ehrhardt ]
diff -Nru virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch 
virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch
--- virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch  1970-01-01 
01:00:00.0 +0100
+++ virglrenderer-0.8.2/debian/patches/CVE-2022-0135.patch  2022-12-07 
17:24:59.0 +0100
@@ -0,0 +1,83 @@
+Description: CVE-2022-0135
+ An out-of-bounds write issue was found in the VirGL virtual OpenGL
+ renderer (virglrenderer). This flaw allows a malicious guest to create a
+ specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl,
+ leading to a denial of service or possible code execution.  
+Origin: 
https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009073
+Last-Update: 2022-12-05 
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/vrend_renderer.c
 b/src/vrend_renderer.c
+@@ -7097,8 +7097,11 @@
+   info->box->height) * elsize;
+   if (res->target == GL_TEXTURE_3D ||
+   res->target == GL_TEXTURE_2D_ARRAY ||
++  res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+   res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+   send_size *= info->box->depth;
++  else if (need_temp && info->box->depth != 1)
++ return EINVAL;
+ 
+   if (need_temp) {
+  data = malloc(send_size);
+--- a/tests/test_fuzzer_formats.c
 b/tests/test_fuzzer_formats.c
+@@ -958,6 +958,48 @@
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+ 
++/* Test adapted from yaojun8558...@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++struct virgl_renderer_resource_create_args resource;
++resource.handle = 0x4c474572;
++resource.target = PIPE_TEXTURE_2D_ARRAY;
++resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++resource.nr_samples = 2;
++resource.last_level = 0;
++resource.array_size = 3;
++resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++resource.depth = 1;
++resource.width = 8;
++resource.height = 4;
++resource.flags = 0;
++
++virgl_renderer_resource_create(, NULL, 0);
++virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++uint32_t size = 0x400;
++uint32_t cmd[size];
++int i = 0;
++cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++cmd[i++] = resource.handle;
++cmd[i++] = 0; // level
++cmd[i++] = 0; // usage
++cmd[i++] = 0; // stride
++cmd[i++] = 0; // layer_stride
++cmd[i++] = 0; // x
++cmd[i++] = 0; // y
++cmd[i++] = 0; // z
++cmd[i++] = 8; // w
++cmd[i++] 

Bug#1019416: Prusa-Slicer and wxwidget3.2 (Transition: wxwidgets3.2)

[Tobias Frost]

control: block -1 by 1023365

FWWIW, wxwidget 3.2 breaks at least prusa-slicer (#1022234, #1023365). 
Upstream explictily says it does not (yet) support wxwidgets 3.2. [1]

Just mentioning here, as it *builds* fine against wxwigets3.0, but does
not work (instant crashes). 

Prusa-Slicer is for many people owning a 3D printer a very important package,
it would be a pitty if bookworm have it…

Is there a possiblity to keep wx3.0 for bookworm?

Cheers,
-- 
tobi





signature.asc
Description: PGP signature

Bug#1023263: bullseye-pu: package clickhouse/18.16.1+ds-4+deb10u1

[Tobias Frost]

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi Release-Team,

[ Reason ]

I'm currently preparing a security update for clickhouse for LTS.
As the versions are quite similar, I've also prepared an update for bullseye,
even if the issues are marked "minor".

The CVE's are:
CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
(Details on them are in #1008216)

I've checked with the security team and they indicated that this
might be something for stable-proposed-updates.

The changes are on this branch:
https://salsa.debian.org/debian/ClickHouse/-/commits/debian/bullseye

[ Impact ]

The assement in #1008216 is:
By triggering the vulnerabilities, an attacker can crash the ClickHouse server,
leak memory contents or even cause remote code execution.

[ Tests ]

The package has an extensive test suite. I've also locally briefly
tested the package.

[ Risks ]

The change is cherry-picked from upstream fix. Upstream has moved
along source files and restructued things, but the affected code
is the same. The upstream fix mentioned below also contains other
fixes, introduced in later -- no in Debian -- versions.
Upstream fix: https://github.com/ClickHouse/ClickHouse/pull/27136
Patch used: 
https://salsa.debian.org/debian/ClickHouse/-/blob/debian/bullseye/debian/patches/CVE-2021-4238x-and-4330x.patch

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
  The NMU fixing this is currently in DELAYED. ETA Nov 5 ~13:00)

[ Changes ]

See patch.
(The remaining change is to salsa-ci configuration, to be able to utilize
the CI for testbuilds.)

[ Other info ]


Cheers,
-- 
tobi
diff -Nru clickhouse-18.16.1+ds/debian/changelog 
clickhouse-18.16.1+ds/debian/changelog
--- clickhouse-18.16.1+ds/debian/changelog  2020-12-03 20:45:03.0 
+0100
+++ clickhouse-18.16.1+ds/debian/changelog  2022-10-31 17:33:32.0 
+0100
@@ -1,3 +1,12 @@
+clickhouse (18.16.1+ds-7.2+deb11u1) bullseye-security; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Add Salsa CI config for bullseye.
+  * Fix CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
+(Closes: #1008216)
+
+ -- Tobias Frost   Mon, 31 Oct 2022 17:33:32 +0100
+
 clickhouse (18.16.1+ds-7.2) unstable; urgency=medium
 
   [Balint Reczey]
diff -Nru clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 
clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch
--- clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 
1970-01-01 01:00:00.0 +0100
+++ clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 
2022-10-31 17:25:21.0 +0100
@@ -0,0 +1,134 @@
+Description: Fix for CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, 
CVE-2021-43305
+ Cherry pick relevant parts from upstream PR, adapted to version in Debian.
+Origin: https://github.com/ClickHouse/ClickHouse/pull/27136
+Bug-Debian: https://bugs.debian.org/1008216
+Forwarded: no
+Applied-Upstream: yes, https://github.com/ClickHouse/ClickHouse/pull/27136
+Last-Update: 2022-10-30 
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/dbms/src/IO/LZ4_decompress_faster.cpp
 b/dbms/src/IO/LZ4_decompress_faster.cpp
+@@ -342,13 +342,16 @@
+ 
+ 
+ template 
+-void NO_INLINE decompressImpl(
++bool NO_INLINE decompressImpl(
+  const char * const source,
+  char * const dest,
++ size_t source_size,
+  size_t dest_size)
+ {
+ const UInt8 * ip = (UInt8 *)source;
+ UInt8 * op = (UInt8 *)dest;
++const UInt8 * const input_end = ip + source_size;
++UInt8 * const output_begin = op;
+ UInt8 * const output_end = op + dest_size;
+ 
+ while (1)
+@@ -387,13 +390,19 @@
+ /// output: xyzHello, w
+ ///  ^-op (we will overwrite excessive bytes on next 
iteration)
+ 
+-wildCopy(op, ip, copy_end);/// Here we can write up 
to copy_amount - 1 bytes after buffer.
++{
++auto * target = std::min(copy_end, output_end);
++wildCopy(op, ip, target);/// Here we can write 
up to copy_amount - 1 bytes after buffer.
++
++if (target == output_end)
++return true;
++}
+ 
+ ip += length;
+ op = copy_end;
+ 
+-if (copy_end >= output_end)
+-return;
++if (unlikely(ip > input_end))
++return false;
+ 
+ /// Get match offset.
+ 
+@@ -401,6 +410,9 @@
+ ip += 2;
+ const UInt8 * match = op - offset;
+ 
++if (unlikely(match < output_begin))
++return false;
++
+ /// Get match length.
+ 
+ length = token & 0x0F;
+@@ -441,7 +453,10 @@
+ 
+ copy(op, match);   /// copy_amount + copy_amount - 1 - 4 

Bug#1019722: nmu: openmpi_4.1.0-10

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: 1019...@bugs.debian.org

nmu openmpi_4.1.0-10 . ANY . unstable . -m "Rebuild with fixed dh-fotran-mod 
(See #1019050)""

As reported in #1019721, openmpi is affected by #1019050, so a rebuild should 
fix that.

-- 
tobi

Bug#1018190: nmu: deal.ii_9.4.0-1+b1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Now that pmix has been reverted, deal.ii can be rebuilt against opencascade 
7.6.3, to
make it installable again.

Please add an additional
  Dep-Wait on pmix > 4.2.0+really.4.1.2-1~

as pmix for mips64el is not yet built (it seems to run out of memory on this 
arch)

nmu deal.ii_9.4.0-1+b1 . ANY . unstable . -m "rebuild against opencascade 7.6.3"

-- 
Thanks
tobi

Re: libpmix2: symbol lookup error: /usr/lib/x86_64-linux-gnu/openmpi/lib/openmpi3/mca_pmix_ext3x.so: undefined symbol: pmix_value_load

[Tobias Frost]

On Tue, 23 Aug 2022 18:01:23 +0200 Drew Parsons  wrote:
> Source: pmix
> Followup-For: Bug #1017356
> Control: reopen -1
> Control: found 1017356 pmix/4.2.0-2
> 
> Adrian's last comments still apply all the same.
> The problem is still there.
> 
> (tests of version 4.2.0-1 in experimental get run in unstable, see
> https://ci.debian.net/packages/m/mpi4py/unstable/amd64/ )
> 
> 

There are many reverse depencies broken due to this issue… 
I was looking into the ABI change and it seems to me that there will be some 
efforts required to update
to compensate for the removed functions.

Maybe it would be a good idea to revert pmix to 4.1.2 ? (e.g 
pmix-4.2.0+really-4.1.2-1) be uploaded and then
do a proper transistion?

CC'in the release team to soliciate their input.

-- 
tobi

Bug#1015254: transition: opencascade

[Tobias Frost]

Hi Sebastian,

netgen has now been fixed. Can you schedule a binNMU for
gmsh, so that gmsh will be installable again? (there is no
sourceful upload needed to make that happen)

Possibly, not sure if really needed, with a Dep-Wait on netgen >=
6.2.2006+really6.2.1905+dfsg-5.1, as some ports have not recompiled netgen yet.

--
Thanks 
tobi

On Tue, Aug 16, 2022 at 09:10:33PM +0200, Sebastian Ramacher wrote:
> On 2022-07-18 14:26:26 +0200, Tobias Frost wrote:
> > Hi Release team,
> > 
> > opencascade has a new release with bumps so name to 7.6 The transition 
> > tracker [1]
> > correctly picked it up already after the upload to experimental.
> > 
> > [1] https://release.debian.org/transitions/html/auto-opencascade.html
> > 
> > This bug is also to help me keeping track of the transistion as it will 
> > need at least
> > one sourceful upload of netgen.
> > 
> > building the reverse depenencies, results are:
> > 
> > Dependency level 2
> > 
> > freecad (sid only)✔  (RC buggy due to other issues)
> > kicad ✔
> > netgen✘  (fixed upstream, #1014964))
> > 
> > With a local built of netgen (patched to just make it compile, not 
> > preserving functionality),
> > I could get also Dependency level 3 to be built:
> > 
> > gmsh_4.5.6+ds1   ✔   (BDs on netgen)
> > 
> > Dependency Level 4:
> >  deal.ii_9.1.1-9  ✔ (BDs on gmsh)
> > 
> > 
> > I'm not sure if I can come up with a proper patch for netgen, but I will 
> > try.
> 
> netgen and reverse depenencies have been removed. This transition is
> done.
> 
> Cheers
> -- 
> Sebastian Ramacher

Bug#1015254: transition: opencascade

[Tobias Frost]

Apperantly it has been done alrasdy, sorry for the noise 
and disregard the previous mail…

--
tobi



Hi Sebastian,

netgen has now been fixed. Can you schedule a binNMU for
gmsh, so that gmsh will be installable again? (there is no
sourceful upload needed to make that happen)

Possibly, not sure if really needed, with a Dep-Wait on netgen >=
6.2.2006+really6.2.1905+dfsg-5.1, as some ports have not recompiled netgen yet.

--
Thanks 
tobi

On Tue, Aug 16, 2022 at 09:10:33PM +0200, Sebastian Ramacher wrote:
> On 2022-07-18 14:26:26 +0200, Tobias Frost wrote:
> > Hi Release team,
> > 
> > opencascade has a new release with bumps so name to 7.6 The transition 
> > tracker [1]
> > correctly picked it up already after the upload to experimental.
> > 
> > [1] https://release.debian.org/transitions/html/auto-opencascade.html
> > 
> > This bug is also to help me keeping track of the transistion as it will 
> > need at least
> > one sourceful upload of netgen.
> > 
> > building the reverse depenencies, results are:
> > 
> > Dependency level 2
> > 
> > freecad (sid only)✔  (RC buggy due to other issues)
> > kicad ✔
> > netgen✘  (fixed upstream, #1014964))
> > 
> > With a local built of netgen (patched to just make it compile, not 
> > preserving functionality),
> > I could get also Dependency level 3 to be built:
> > 
> > gmsh_4.5.6+ds1   ✔   (BDs on netgen)
> > 
> > Dependency Level 4:
> >  deal.ii_9.1.1-9  ✔ (BDs on gmsh)
> > 
> > 
> > I'm not sure if I can come up with a proper patch for netgen, but I will 
> > try.
> 
> netgen and reverse depenencies have been removed. This transition is
> done.
> 
> Cheers
> -- 
> Sebastian Ramacher

Bug#1015254: transition: opencascade

[Tobias Frost]

Hi,

On Mon, Aug 01, 2022 at 08:29:45AM +0100, Graham Inggs wrote:
> Control: tags -1 confirmed
> 
> Hi Tobi
> 
> On Sun, 31 Jul 2022 at 16:51, Tobias Frost  wrote:
> > I've uploading 7.6.3 right now to experimental; as I removed the confirmed 
> > tag, please reACK
> > the "go ahead" -- I've tested that all r-depends that worked before are 
> > still compiling
> 
> reACK

opencascade has now built on all release archs.

I'd suggest to start binNMU freecad

and maybe then proceed to remove netgen together with gmsh and deal.ii 
temporarily from testing.
(the later two need an updated netgen…)

(I'll poked the maintainer of netgen already, but no respons… 
As netgen has a "+really" version without really documenting the reason, I fear 
if I NMU
a newer version I could break stuff…)

-- 
Cheers,
tobi 

Bug#1015254: transition: opencascade

[Tobias Frost]

On Sun, Jul 31, 2022 at 02:02:22PM +0200, Tobias Frost wrote:

(...)

> as NEW will be involved)

Silly me, NEW is not involved...

I've uploading 7.6.3 right now to experimental; as I removed the confirmed tag, 
please reACK
the "go ahead" -- I've tested that all r-depends that worked before are still 
compiling

-- 
tobi

Bug#1015254: transition: opencascade

[Tobias Frost]

Control: tags -1 -confirmed

On Fri, Jul 22, 2022 at 02:42:13PM +0200, Graham Inggs wrote:
> Control: tags -1 confirmed
> 
> Hi Tobi
> 
> On Mon, 18 Jul 2022 at 14:30, Tobias Frost  wrote:
> > opencascade has a new release with bumps so name to 7.6 The transition 
> > tracker [1]
> > correctly picked it up already after the upload to experimental.
> 
> Please go ahead with the upload to unstable.

Upstream has released 7.6.3 in the mean time. This version seems to adress 
several issues,
so I plan to package 7.6.3 first before uploading 7.6.2 to upstream.

I'll update this bug report when ready (as NEW will be involved) and for the 
mean time
remove the "confirmed" tag.

If that does not sound like a good plan to you, please let me know ;-)

-- 
tobi

Bug#1015254: transition: opencascade

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Control: block 1014964 by -1

Hi Release team,

opencascade has a new release with bumps so name to 7.6 The transition tracker 
[1]
correctly picked it up already after the upload to experimental.

[1] https://release.debian.org/transitions/html/auto-opencascade.html

This bug is also to help me keeping track of the transistion as it will need at 
least
one sourceful upload of netgen.

building the reverse depenencies, results are:

Dependency level 2

freecad (sid only)✔  (RC buggy due to other issues)
kicad ✔
netgen✘  (fixed upstream, #1014964))

With a local built of netgen (patched to just make it compile, not preserving 
functionality),
I could get also Dependency level 3 to be built:

gmsh_4.5.6+ds1   ✔   (BDs on netgen)

Dependency Level 4:
 deal.ii_9.1.1-9  ✔ (BDs on gmsh)


I'm not sure if I can come up with a proper patch for netgen, but I will try.

Cheers,

-- 
tobi

Bug#1012651: transition: log4cxx

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

I'm preparing the transistion for log4cxx from SONAME 12 to SONAME 13.
I have built the r-deps locally with the result indicated below:

 solarpowerlog-- builds fine
 ros-rosconsole   -- builds fine
 zookeeper-- FTBFS, unrelated to log4cxx (#984406)

TL:DR: Should be a small, smooth transition.

Ben file: (The "auto" transistion seems to be right already)

title = "log4cxx";
is_affected = .depends ~ "liblog4cxx12" | .depends ~ "liblog4cxx13";
is_good = .depends ~ "liblog4cxx13";
is_bad = .depends ~ "liblog4cxx12";

--
Waiting for your green light,
tobi 

Bug#1003346: transition: log4cxx

[Tobias Frost]

On Sun, Jan 09, 2022 at 02:46:47PM +0100, Sebastian Ramacher wrote:
> Please go ahead

Done and it seems that all rebuild have been scheduled and completed already!

Thanks especially for that quick turnaround!

Cheers,
-- 
tobi

Bug#1003346: transition: log4cxx

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: ros-roscons...@packages.debian.org,

Hi,

I'm planning to transit liblog4cxx 0.11 -> 0.12.

https://release.debian.org/transitions/html/auto-log4cxx.html
list 3 reverse dependencies. Here is there status in respect to log4cxx:

log4cxx: Uploaded to experimental, all release archs green.

ros-rosconsole:
Needs upload, Patch available (#1001881 -- uploaded to experimental already)

solarpowerlog:
Compile fine with new version.

zookeeper:
Not in testing, already RC-buggy (FTBFS unrelated to transition)

Ben file:

title = "log4cxx";
is_affected = .depends ~ "liblog4cxx11" | .depends ~ "liblog4cxx12";
is_good = .depends ~ "liblog4cxx12";
is_bad = .depends ~ "liblog4cxx11";


Waiting for your green light :)

Cheers,
-- 
tobi

Bug#1002814: nmu: dovecot-antispam_2.0+20171229-1+b8

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,
dovecot-anitspam seems to need a binNMU for the new dovecot version recently 
uploaded...

nmu dovecot-antispam_2.0+20171229-1+b8 . ANY . unstable . -m "rebuild for 
dovecot-abi-2.3.abiv17"

--
tobi

Bug#990027: Bug#990176: RFS: opendmarc/1.4.0~beta1+dfsg-6 -- Milter implementation of DMARC

[Tobias Frost]

Control: tags 990027 -moreinfo

I've just uploaded the package.

Cheers,
tobi

On Tue, Jun 22, 2021 at 08:30:56AM +0200, David Bürgin wrote:
> Package: sponsorship-requests
> Severity: normal
> 
> Dear mentors,
> 
> I am looking for a sponsor for my package "opendmarc":
> 
>  * Package name: opendmarc
>Version : 1.4.0~beta1+dfsg-6
>Upstream Author : The Trusted Domain Project
>  * URL : http://www.trusteddomain.org/opendmarc
>  * License : BSD-2-clause, GPL-3+ with AutoConf exception, 
> BSD-3-clause and SOSL
>  * Vcs : https://salsa.debian.org/kitterman/opendmarc
>Section : mail
> 
> It builds those binary packages:
> 
>   libopendmarc-dev - Headers and development libraries for the OpenDMARC 
> library
>   libopendmarc2 - Library for DMARC validation and reporting
>   opendmarc - Milter implementation of DMARC
> 
> To access further information about this package, please visit the following 
> URL:
> 
>   https://mentors.debian.net/package/opendmarc/
> 
> Alternatively, one can download the package with dget using this command:
> 
>   dget -x 
> https://mentors.debian.net/debian/pool/main/o/opendmarc/opendmarc_1.4.0~beta1+dfsg-6.dsc
> 
> Changes since the last upload:
> 
>  opendmarc (1.4.0~beta1+dfsg-6) unstable; urgency=high
>  .
>* Add patch for CVE-2021-34555 from upstream issue tracker:
>  - Do not dereference NULL in multi-value From headers (Closes: #990001)
> 
> An unblock was pre-approved, for details see:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990027
> 
> Thank you!
> 
> 
> -- 
> David
> 

Bug#989530: RFS: mupdf/1.14.0+ds1-4+deb10u3 [NMU, CVE-2020-16600] -- lightweight PDF viewer

[Tobias Frost]

On Fri, Jun 11, 2021 at 10:44:10PM +0200, Bastian Germann wrote:
> On Mon, 31 May 2021 19:41:53 +0200 Tobias Frost  wrote:
> > The diff looks good, but there are some formalities…
> > 
> > - Can you file an "Stable Proposed Updates" unblock request to get an 
> > approval.
> 
> Approved at #989530.
> 
> > - Possibly you should file an bug for CVE-2020-16600 and
> > close it in the changelog. (That would make it more transparent.)
> 
> Available at #989526.
> 
> > - Please also send a NMU announcement to the package's bts.
> 
> Also available at #989526.
> 

Uploaded! Many thanks Bastian for your contributions!

-- 
tobi


signature.asc
Description: PGP signature

Bug#989681: Bug#989682: RFS: libexplain/1.4.D001-11 [QA] [RC] -- library of system-call-specific strerror repl - development files

[Tobias Frost]

Control: tags 989681 -moreinfo

Uploaded; Thanks Håvard for the fix!

-- 
tobi

Bug#988492: buster-pu: package ircii/20190117-1

[Tobias Frost]

On Sat, 29 May 2021 15:11:30 +0100 "Adam D. Barratt" 
wrote:
> Please go ahead.
> 

Thanks, Adam.

I've just sponsored the uploaded for Håvard.

-- 
Cheers,
tobi

Bug#973645: transition: log4cplus

[Tobias Frost]

Am 3. November 2020 10:35:16 MEZ schrieb Sebastian Ramacher 
:
>Control: forwarded -1
>https://release.debian.org/transitions/html/auto-log4cplus.html
>Control: tags -1 + confirmed
>
>please go ahead with the upload to unstable.
>
>Cheers

Thanks Sebastian!

uploaded and all buildds are happy already.

Bug#973645: transition: log4cplus

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi release-team,

transition time again :)

This time, log4cplus… 

https://release.debian.org/transitions/html/auto-log4cplus.html
seems to have picked it up correctly.

I've rebuilt the mentioned r-deps already successfully.

isc-kea -- FTBFS in sid currently, but builds fine with the version in VCS
   (FTBFS unrelated to the transition #973641)

openvdb -- builds fine with new version.

Waiting for your green light…

-- 
Cheers,
tobi

Bug#970402: transition: log4cxx

[Tobias Frost]

On Tue, 15 Sep 2020 21:29:50 +0200 Emilio Pozuelo Monfort 
 > > Waiting for the green light from you ;-)
> 
> Go ahead.

the new log4xx 0.11 is now in unstable and has built on all release archs.

(So, I guess the binmnu party can start now ;-) 


Cheers,
-- 
tobi

Bug#970402: transition: log4cxx

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello release team!

I'm preparing the transition of log4cxx. It's already showing up
on https://release.debian.org/transitions/html/auto-log4cxx.html, so
ben seems to be hapy…

Building r-deps was successful:
ros-rosconsole ✔
solarpowerlog  ✔
zookeeper ✔

Everything looks ready ;-)

Waiting for the green light from you ;-)

Cheers,
-- 
tobi

Bug#956351: transition: opencascade

[Tobias Frost]

On Mon, 27 Apr 2020 21:42:53 +0200 Tobias Frost  wrote:

> The following packages of Dependency level 2 could already be binNMUed:
> gmsh_4.5.6+ds1
> kicad_5.1.5+dfsg1-2

Sorry for the noise, I just realized that that has happened already. 
Read: You are awesome!)

netgen is now in DELAYED/5.

-- 
tobi

Bug#956351: transition: opencascade

[Tobias Frost]

On Sat, Apr 25, 2020 at 02:29:53PM +0200, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed

> Go ahead.

Thanks!

opencascade is now in unstable and all archs have successuflly built.

The following packages of Dependency level 2 could already be binNMUed:
gmsh_4.5.6+ds1
kicad_5.1.5+dfsg1-2

For netgen (the remaining package in Depenency level 2) I will prepare a NMU 
soon.

Cheers,
--
tobi

Bug#956351: transition: opencascade

[Tobias Frost]

Update:

deal.ii -- patch available (unrelated to opencascade, just exposed by it)

freecad -- same as deal.ii. Also patch available. However, due to pyside2 it
will remain RC buggy.
 
So theoretically the transistion would be ready…

Let me know when I can proceed.

-- 
tobi

Bug#956351: transition: opencascade

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi Release team,

opencascade has a new release with bumps so name to 7.4 The transition tracker 
[1]
correctly picked it up already after the upload to experimental.

[1] https://release.debian.org/transitions/html/auto-opencascade.html

This bug is also to help me keeping track of the transistion as it might be
that some packages do need patches to build for the new version.

I'm currently building the reverse depenencies, results so far:

Dependency level 2

gmsh_4.5.6+ds1✔
kicad_5.1.5+dfsg1-2   ✔
netgen-6.2.1804+dfsg1 ✘  (patch available)

Dependency level 3

deal.ii_9.1.1-9  ✔ (BDs on gmsh)
freecad (sid only)   ✘ (seems to be #953721)

I will file a bug for netgen and block it with this bugs.

Cheers,

-- 
tobi

Bug#926911: unblock: epsilon/0.7.1-1.1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package epsilon, the NMU fixes #924650

Debdiff attached.

unblock epsilon/0.7.1-1.1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru epsilon-0.7.1/debian/changelog epsilon-0.7.1/debian/changelog
--- epsilon-0.7.1/debian/changelog  2015-10-10 17:43:41.0 +0200
+++ epsilon-0.7.1/debian/changelog  2019-04-06 12:38:25.0 +0200
@@ -1,3 +1,10 @@
+epsilon (0.7.1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply patch from BTS to fix, thanks doko for the patch (Closes: #924650)
+
+ -- Tobias Frost   Sat, 06 Apr 2019 12:38:25 +0200
+
 epsilon (0.7.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru epsilon-0.7.1/debian/patches/kernel-4.18-diskstats.diff 
epsilon-0.7.1/debian/patches/kernel-4.18-diskstats.diff
--- epsilon-0.7.1/debian/patches/kernel-4.18-diskstats.diff 1970-01-01 
01:00:00.0 +0100
+++ epsilon-0.7.1/debian/patches/kernel-4.18-diskstats.diff 2019-04-06 
12:16:28.0 +0200
@@ -0,0 +1,13 @@
+--- a/epsilon/scripts/benchmark.py
 b/epsilon/scripts/benchmark.py
+@@ -46,6 +46,10 @@ def parseDiskStatLine(L):
+ appropriate record type (either L{partitionstat} or L{diskstat}).
+ """
+ parts = L.split()
++# https://www.kernel.org/doc/Documentation/ABI/testing/procfs-diskstats
++# ignore new diskstat values
++if len(parts) == 18:
++parts = parts[:-4]
+ device = parts[2]
+ if len(parts) == 7:
+ factory = partitionstat
diff -Nru epsilon-0.7.1/debian/patches/series 
epsilon-0.7.1/debian/patches/series
--- epsilon-0.7.1/debian/patches/series 2015-10-10 17:43:41.0 +0200
+++ epsilon-0.7.1/debian/patches/series 2019-04-06 12:16:28.0 +0200
@@ -1 +1,2 @@
 0001-Gracefully-handle-not-finding-working-directory.patch
+kernel-4.18-diskstats.diff

Bug#926734: unblock: libcaca/0.99.beta19-2.1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libcaca

The new packages fixes 6 CVE's. (Bug #917807)

Thanks!

unblock libcaca/0.99.beta19-2.1

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libcaca-0.99.beta19/debian/changelog 
libcaca-0.99.beta19/debian/changelog
--- libcaca-0.99.beta19/debian/changelog2014-06-02 22:39:11.0 
+0200
+++ libcaca-0.99.beta19/debian/changelog2019-04-06 22:18:41.0 
+0200
@@ -1,3 +1,12 @@
+libcaca (0.99.beta19-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-Pick fixes from upstream git repository:
+- CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and
+  CVE-2018-20549 (Closes: #917807)
+
+ -- Tobias Frost   Sat, 06 Apr 2019 22:18:41 +0200
+
 libcaca (0.99.beta19-2) unstable; urgency=medium
 
   * debian/patches/100_doxygen.diff: remove deprecated Doxygen variables.
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch 
libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch 1970-01-01 
01:00:00.0 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch 2019-04-06 
21:36:52.0 +0200
@@ -0,0 +1,45 @@
+From 84bd155087b93ab2d8d7cb5b1ac94ecd4cf4f93c Mon Sep 17 00:00:00 2001
+From: Sam Hocevar 
+Date: Sat, 29 Dec 2018 22:13:56 +0100
+Subject: [PATCH] dither: fix integer overflows that were causing a division by
+ zero.
+
+Fixes: #36 (CVE-2018-20544)
+---
+ caca/dither.c | 16 
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/caca/dither.c b/caca/dither.c
+index 04b678e0..c6ebab1b 100644
+--- a/caca/dither.c
 b/caca/dither.c
+@@ -991,10 +991,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, 
int w, int h,
+ /* First get RGB */
+ if(d->antialias)
+ {
+-fromx = (x - x1) * w / deltax;
+-fromy = (y - y1) * h / deltay;
+-tox = (x - x1 + 1) * w / deltax;
+-toy = (y - y1 + 1) * h / deltay;
++fromx = (uint64_t)(x - x1) * w / deltax;
++fromy = (uint64_t)(y - y1) * h / deltay;
++tox = (uint64_t)(x - x1 + 1) * w / deltax;
++toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+ /* We want at least one pixel */
+ if(tox == fromx) tox++;
+@@ -1017,10 +1017,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int 
y, int w, int h,
+ }
+ else
+ {
+-fromx = (x - x1) * w / deltax;
+-fromy = (y - y1) * h / deltay;
+-tox = (x - x1 + 1) * w / deltax;
+-toy = (y - y1 + 1) * h / deltay;
++fromx = (uint64_t)(x - x1) * w / deltax;
++fromy = (uint64_t)(y - y1) * h / deltay;
++tox = (uint64_t)(x - x1 + 1) * w / deltax;
++toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+ /* tox and toy can overflow the canvas, but they cannot overflow
+  * when averaged with fromx and fromy because these are guaranteed
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 
libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 
1970-01-01 01:00:00.0 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 
2019-04-06 22:08:34.0 +0200
@@ -0,0 +1,34 @@
+Description: img2txt: fix an integer overflow in the BMP loader.
+Origin: 
https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592
+Forwarded: not-needed
+Applied-Upstream: 
https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592
+Last-Update: 2019-04-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/common-image.h
 b/src/common-image.h
+@@ -1,19 +1,19 @@
+ /*
+  *  Imaging tools for cacaview and img2irc
+- *  Copyright (c) 2003-2012 Sam Hocevar 
+- *All Rights Reserved
++ *  Copyright (c) 2003-2018 Sam Hocevar 
++ *  All Rights Reserved
+  *
+  *  This program is free software. It comes without any warranty, to
+  *  the extent permitted by applicable law. You can redistribute it
+  *  and/or modify it under the terms of the Do What the Fuck You Want
+- *  to Public License, Version 2, as published by Sam Hocevar. See
+- *  http://www.wtfpl.net/ for more details.
++ *  to Public License, Versio

Bug#926580: unblock: amavisd-new/2.11.0-6.1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package amavisd-new

This diff fixes #882324, diff attached.
(The NMU has been acked by the maintainer)

unblock amavisd-new/2.11.0-6.1

-- 
Cheers,
tobi

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru amavisd-new-2.11.0/debian/changelog 
amavisd-new-2.11.0/debian/changelog
--- amavisd-new-2.11.0/debian/changelog 2019-02-13 07:48:10.0 +0100
+++ amavisd-new-2.11.0/debian/changelog 2019-04-05 18:04:57.0 +0200
@@ -1,3 +1,11 @@
+amavisd-new (1:2.11.0-6.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix to honor "originating" configuration flag, by cherry-picking upstream
+patch. (Closes: #882324)
+
+ -- Tobias Frost   Fri, 05 Apr 2019 18:04:57 +0200
+
 amavisd-new (1:2.11.0-6) unstable; urgency=medium
 
   * Fix start-stop-daemon insecure error. Closes: #921016.
diff -Nru amavisd-new-2.11.0/debian/patches/0010-fix-882324.patch 
amavisd-new-2.11.0/debian/patches/0010-fix-882324.patch
--- amavisd-new-2.11.0/debian/patches/0010-fix-882324.patch 1970-01-01 
01:00:00.0 +0100
+++ amavisd-new-2.11.0/debian/patches/0010-fix-882324.patch 2019-04-05 
17:56:43.0 +0200
@@ -0,0 +1,26 @@
+Description: honor "originating" configuration flag, 
+Origin: 
https://gitlab.com/amavis/amavis/commit/206109d4c21f28dcd2ba3f42a19b7d77e2bbc100.patch
+Date: Wed, 10 Oct 2018 16:34:58 +0200
+Subject: [PATCH] Applied DKIM signing patch (#6)
+Applied-Upstream: Yes
+Last-Update: 2019-04-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/amavisd
 b/amavisd
+@@ -22829,6 +22829,7 @@
+ }
+ # load policy banks from the 'client_ipaddr_policy' lookup
+ Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
++$msginfo->originating(c('originating'));
+ 
+ $msginfo->client_addr($cl_ip);  # ADDR
+ $msginfo->client_port($cl_port);# PORT
+@@ -34361,6 +34362,7 @@
+ $sig_ind++;
+   }
+   Amavis::load_policy_bank($_,$msginfo) for @bank_names;
++  $msginfo->originating(c('originating'));
+   $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;
+ # if (ll(5) && $sig_ind > 0) {
+ #   # show which header fields are covered by which signature
diff -Nru amavisd-new-2.11.0/debian/patches/series 
amavisd-new-2.11.0/debian/patches/series
--- amavisd-new-2.11.0/debian/patches/series2019-02-03 09:55:48.0 
+0100
+++ amavisd-new-2.11.0/debian/patches/series2019-04-05 17:54:53.0 
+0200
@@ -7,3 +7,4 @@
 90_fix_snmp_subagent_warning
 95_amavisd_helpers_fixes
 0009-Fix-an-unescaped-brace-in-amavisd.patch
+0010-fix-882324.patch

Bug#926480: unblock: tvtime/1.0.11-4

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package tvtime

The patch fixes #924076, a insecure usage of /tmp.

The important part of the debdiff is this:

--- a/src/utils.c
+++ b/src/utils.c
@@ -202,17 +202,11 @@
 }
 }

-/* If we can't use our /tmp directory, put the fifo in $HOME. */
-if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) {
-if( asprintf( , "%s/.tvtime/tvtimefifo-%s",
-  getenv( "HOME" ), hostname ) < 0 ) {
-fifo = 0;
-}
-} else {
-if( asprintf( , "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) {
-fifo = 0;
-}
-}
+/* put the fifo in $HOME */
+ if( asprintf( , "%s/.tvtime/tvtimefifo-%s",
+   getenv( "HOME" ), hostname ) < 0 ) {
+ fifo = 0;
+ }
 free( hostname );
 free( fifodir );
 return fifo;

(Sorry for the refreshing of the patches, I realized this just now that
this would not have been necessary)

Debdiff attached.

Cheers,
tobi


unblock tvtime/1.0.11-4

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru tvtime-1.0.11/debian/changelog tvtime-1.0.11/debian/changelog
--- tvtime-1.0.11/debian/changelog  2018-12-10 23:50:07.0 +0100
+++ tvtime-1.0.11/debian/changelog  2019-04-05 20:27:01.0 +0200
@@ -1,3 +1,14 @@
+tvtime (1.0.11-5) unstable; urgency=medium
+
+  * QA upload.
+  * Create repository on salsa.
+  * Refresh patches
+  * Fix "insecure use of /tmp" by only using the fall back to $HOME.
+This is patch 0002-disable-insecure-temp-file.patch
+(Closes: #924076)
+
+ -- Tobias Frost   Fri, 05 Apr 2019 20:27:01 +0200
+
 tvtime (1.0.11-4) unstable; urgency=medium
 
   * QA upload.
diff -Nru tvtime-1.0.11/debian/control tvtime-1.0.11/debian/control
--- tvtime-1.0.11/debian/control2018-12-10 23:50:07.0 +0100
+++ tvtime-1.0.11/debian/control2019-04-05 19:56:54.0 +0200
@@ -22,6 +22,8 @@
  libasound2-dev
 Standards-Version: 3.9.3
 Homepage: https://linuxtv.org/wiki/index.php/Tvtime
+VCS-Browser: https://salsa.debian.org/debian/tvtime
+VCS-Git: https://salsa.debian.org/debian/tvtime.git
 
 Package: tvtime
 Architecture: any
diff -Nru 
tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
 
tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
--- 
tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
2018-12-10 21:35:44.0 +0100
+++ 
tvtime-1.0.11/debian/patches/0001-Fix-warning-implicit-declaration-of-function-minor-m.patch
2019-04-05 19:57:51.0 +0200
@@ -14,8 +14,6 @@
  src/get_media_devices.c | 1 +
  1 file changed, 1 insertion(+)
 
-diff --git a/src/get_media_devices.c b/src/get_media_devices.c
-index 619734ea..453b0677 100644
 --- a/src/get_media_devices.c
 +++ b/src/get_media_devices.c
 @@ -23,6 +23,7 @@
@@ -26,6 +24,3 @@
  #include 
  #include 
  #include 
--- 
-2.11.0
-
diff -Nru tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch 
tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch
--- tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch  
1970-01-01 01:00:00.0 +0100
+++ tvtime-1.0.11/debian/patches/0002-disable-insecure-temp-file.patch  
2019-04-05 20:10:15.0 +0200
@@ -0,0 +1,25 @@
+--- a/src/utils.c
 b/src/utils.c
+@@ -202,17 +202,11 @@
+ }
+ }
+ 
+-/* If we can't use our /tmp directory, put the fifo in $HOME. */
+-if( !mkdir_and_force_owner( fifodir, uid, getgid() ) ) {
+-if( asprintf( , "%s/.tvtime/tvtimefifo-%s",
+-  getenv( "HOME" ), hostname ) < 0 ) {
+-fifo = 0;
+-}
+-} else {
+-if( asprintf( , "%s/tvtimefifo-%s", fifodir, hostname ) < 0 ) {
+-fifo = 0;
+-}
+-}
++/* put the fifo in $HOME */
++if( asprintf( , "%s/.tvtime/tvtimefifo-%s",
++  getenv( "HOME" ), hostname ) < 0 ) {
++fifo = 0;
++}
+ free( hostname );
+ free( fifodir );
+ return fifo;
diff -Nru tvtime-1.0.11/debian/patches/freetype.patch 
tvtime-1.0.11/debian/patches/freetype.patch
--- tvtime-1.0.11/debian/patches/freetype.patch 2018-10-26 17:32:26.0 
+0200
+++ tvtime-1.

Bug#911740: nmu: freeimage_3.17.0+ds1-5+b5

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi Release team,

I think that the binNMU for freeimage against libraw19 did not work; the
package has downloaded and installed libraw16 during build, instead of
*19. Can you please check if if needed re-issue the binNMU?

(I did not check whether other packages are affected too.)

Many thanks,

tobi

nmu freeimage_3.17.0+ds1-5+b5 . alpha . unstable . -m "Rebuild against 
libraw19."

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#823991: libpng16-16: generates a ton of noisy warnings

[Tobias Frost]

Control: reassign -1 libwine
Control: retitle -1 libwine: Does not declare a Depends: on libpng

Hi Gianfranceo,

let me reassign this bug to the wine party people, because I think it is a bug
there, at least it should be investigated why the package is using libpng but
not
declaring a Depends on it.

(I already asked for a binNMU in #824006, so it is save to recycle this bug)

--
tobi

Bug#824006: nmu: wine_1.8.1-2

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Seems so that a binNMU is required for wine. (See #823991)

nmu wine_1.8.1-2 . ANY . unstable . -m "Rebuild against libpng1.6."

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#822540: nmu: libapache2-mod-qos_11.25-1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Maintainer obviously not built on an up-to-date system.

nmu libapache2-mod-qos_11.25-1 . amd64 . -m "Rebuild against libpng1.6"

Dear Sergey,

This bug could have been easily avoided. 

please make sure that you *always* build on an updated system; even better
use tools like pbuilder or sbuild or like to *ensure* that you have the latest
packages installed.

BEST is, of course, to do source-only uploads, which are possible since ~1.5 
years.
See https://wiki.debian.org/SourceOnlyUpload for details.

Thanks!

-- 
tobi


-- System Information:
Debian Release: 8.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.5-revert-done (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Bug#822302: nmu: vtk-dicom_0.7.6-1

[Tobias Frost]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

While working on decrufting gdcm I noticed that there is a package in need of
a binnmu -- it still Depends on gdcm 2.4
(gdcm was only lately fixed for hurd, that's why it missed it)

nmu vtk-dicom_0.7.6-1 . hurd-i386 . unstable . -m "Rebuild against gdcm2.6."

Thanks!

--
tobi


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Bug#650601: libpng Package in experimental

[Tobias Frost]

Am Mittwoch, den 06.04.2016, 15:33 + schrieb Gianfranco Costamagna:
> Hi,
> 
> 
> > Ack. :)
> 
> 
> 
> I don't let you change your mind now :)
> uploaded on debomatic-amd64, and on unstable a few seconds ago.
> 
> lets the *fun* start!
> 
> BTW I added me and Tobias in uploaders list, as per private mail
> exchange with the
> current maintainers.
> 
> thanks!
> 
> Gianfranco
> 

Thanks Gianfranco! 
Yeah, up to mooore fun, *cough*.. 
let's take bets how many packages will make it ;-)

(Next, I'll raise the remaining bugs to RC and post an update to
-devel.)

 ...

-- 
tobi

Bug#650601: libpng Package in experimental

[Tobias Frost]

On Sun, 3 Apr 2016 09:55:55 +0200 Gianfranco Costamagna  wrote:
with an ftpmaster *really fast* accept we are
> now in place and ready for the transition.
> 
> I think we are ready for the ack.
> 
> thanks,
> 
> Gianfranco
> 

I agree with Gianfranco, "NOW" would be a great time to start that
adventure... 

Waiting will just increases entropy again, and it is already quite some
work to keep the can-of-worms^W breakages low, as you can see from the
latest NMUs I did..)

Regarding libpng-config, I do not have a complete list, but during the
rebuilds I made a list of affected packages, but I faintly remember
that there were at one-two others. 
They were leafpackages though, so no need to worry for them, IMHO.

afarmagetronad 
openmsx  
neverball 
libapache2-mod-qos 

Also, I'm prepared to dedicated any free time to fix breakages during
the transition..


--
tobi

Bug#650601: libpng Package in experimental

[Tobias Frost]

> Hi Gianfranco,
>
> Of course they can B-D on libpng16-devtools (but requires several sourceful
> uploads during the transition), but than we have that nasty SONAME back in the
> B-depdencies...
> Should we provide also a SONAME-neutral package name here?

Ähm, we have already a Provides: libpng-devtools here, I just didn't see it..
So strike that part above

-- 
tobi

Bug#650601: libpng Package in experimental

[Tobias Frost]

Hi Gianfranco,

I've just got a change to take a look at the new libpng package.
A remark:

- The change that libbpng-dev only recommends libpng16-devtools will cause
some build failures, as several packages needs the devtool to be pulled in but
do not declare a dependency on this.

Of course they can B-D on libpng16-devtools (but requires several sourceful
uploads during the transition), but than we have that nasty SONAME back in the
B-depdencies...
Should we provide also a SONAME-neutral package name here?

I once said that we should check if we could just drop libpng16-devtools'
dependency on libpng-dev... Did you check if that is feasible? In that case we
could retain the dependency on libpng-devtools and it would also not be
necessary to have an libpng-devtools package/provide..


--
tobi

Bug#650601: libpng is going to be NMUed soon.

[Tobias Frost]

On Sat, 26 Mar 2016 00:50:58 +0100 Emilio Pozuelo Monfort  binary-NEW shouldn't be a big deal. Just make sure to upload to
experimental.

OK, then let's follow Gianfrancos proposoal!


Beside that, here's a last report on the rebuilding on my server:
(I need to free up space on the server for other purposes, so I need to
cease the continous rebuilding)

Those are the packages that still fails on my server:

calligra(2.8.5+dfsg-1.3~libpng16)  
caret   (5.6.4~dfsg.1-3.1~libpng16)
fw4spl  (0.9.2-3.1~libpng16)
gnubg   (1.05.000-7.1~libpng16)
libtk-img   (1.4.2+dfsg-2.1~libpng16)
odin(1.8.8-2.1~libpng16)
openvrml(0.18.9-7.1~libpng16)
png++   (0.2.5-1.1~libpng16)
root-system (5.34.19+dfsg-1.3~libpng16)
timidity(2.13.2-40.4~libpng16)
xemacs21(21.4.22-14.1~libpng16)


Those are currently in testing:
- gnubg, FTBFS seems to be #818889, has patch
- libtk-img needs libpng1.6 in sid to be fixed (#741894)
- png++, NMU in DELAYED/5 #819283
- timidity, RC-Buggy #814879, removal on March 31

--
tobi

Bug#650601: libpng is going to be NMUed soon.

[Tobias Frost]

On Wed, 23 Mar 2016 21:58:56 +0100 Gianfranco Costamagna  wrote:
> 
> 1) provide a real libpng-dev and upload on experimental in 7 days
starting now.
> (I'm going to upload on deferred/7 in a few minutes/hours)
> 

Hi Gianfranco,

what bothers me is that having a real libpng-dev package requires us to
go through NEW. 
I'd avoid NEW-processing at this point of time, as its processing is
non-deterministic and might eat up significant amount of time left
until the freeze... And time is running fast.

At the moment no package requires a versioned dependency on libpng-dev
anyway, so IMHI that can be deferred to a later time.
(I believe having a real libpng-dev package is a good idea, so lets go
for it, cleared from NEW via experimental *once* libpng16 is is sid)

At this point of time, I think we're in better control when manually
uploading libpng12 and libpng16 in a coordinated way.


Gianfranco, Emilio: Thoughts?


--
tobi

Bug#650601: Update on libpng's transition status

[Tobias Frost]

Am Sonntag, den 31.01.2016, 17:52 + schrieb Mattia Rizzolo:
> On Sun, Jan 31, 2016 at 05:46:07PM +0100, Tobias Frost wrote:
> > Still FTBFS are, I've put an analysis why so on the titanpad [1],
> > but
> > those are all _not_ libpng related and many of those packages are
> > not
> > in testing. 
> 
> Analysis of what is in testing atm:
> 
> 
> > blender
> 
> notice that blender should be ready for libpng1.6 once the ilmbase
> and
> openexr transition start, so that the experimental version can be
> used
> (which should be fine).
> Actually, Those 2 transitions are way smaller than libpng, and I
> would
> have expected them to be already started... #810568

I just scheduled a build of the experimental version on my server,
and it looks good so far. (It needs experimental B-Ds as well) 

> > criticalmass
> 
> I was able to build this just fine here.
> I also tested it against libpng16 and built a binary depending on it
> just fine.
> I believe there is something fishy on your part here :)

Yes, you're right: It has been building fine also on my server
already.[1], it was an left over from my list; (I had lately problems
with somepackage in conjunction with parallel build and pbuilder --
criticalmass is one of those)

[1] http://libpng.sviech.de/!summary.txt

> > gmsh
> > vtk6
> 
> These 2 at the moment are not buildable because they are several
> levels
> down of the openmpi transition and need other libs to be built first.
> I just believe openmpi needs to be done first before of this.

vtk6 built fine previously with libpn1.6, as well as gmsh.
(For gmsh I still have the old  buildlog: 
https://libpng.sviech.de/old/gmsh.build, for vtk6 they've got
overwritten but there are still the resulting packages at 
https://libpng.sviech.de/libpng16/pool/main/v/vtk6/ )

So, I guess we could ignore this collision?

> > yt 
> 
> yt is going to be autoremoved soon (Feb 9) so this can be ignored.
> 
> > [1] https://titanpad.com/libpng16-transistion
> 
> 
> So if I'm not blind or anything, I belive this transition has no
> actual
> blocker (but other transitions to be done first, though).
> 
> Of course in something so big something will come out during the
> transition, but hey ^^

It would be a miracle, as we see with openmpi.. Knocking wood, though.
But I have the feeling we are in a good position, and at least the next
few weeks I'm able to commit some time to this. 

For the procedure, does it help the case / would it make sense to
upload a libpng16 *without* provding libconfig-dev to sid, to have it
in testing already, when we pull the trigger? (As you know, said
trigger is the Provides: libpng-dev line; without it all the packages
will use libpng12-dev..)

--
tobi

Bug#650601: libpng is ready for transtion

[Tobias Frost]

This time with d-boot in CC...

Forwarding to debian-boot, as requested from Cyril.

Debian-Boot people, please take a look at #650601 -- the libpng16
transition which is now ready to be started. There are a few udebs
affected, which is tested as described below (following a request from
Cyril).

IMHO also the udeb part is ready for the transition, but I'm not in the
d-i topics.

-- 

tobi

On Tue, 26 Jan 2016 22:05:22 +0100 Tobias Frost <t...@debian.org>
wrote:
> Hallo KiBi,
>  
> On Tue, 26 Jan 2016 10:51:11 +0100 Cyril Brulebois <k...@debian.org>
> wrote:
>  
> > Has anyone tested a debian installer build where some packages were
> > built against libpng12-0-udeb and some other against libpng16-16-
> udeb?
> > Does that work? Or are we looking at a giant transition where
> everything
> > must switch to libpng16 at once?
> >  
> > Mraw,
> > KiBi.
>  
> As requested, I performed those build of the d-i, version 20160106: 
>  
> Testmatrix
>  
> A libcairo2-udeb_1.14.6-1.1~libpng16_amd64.udeb
> B libdirectfb-1.2-9-udeb_1.2.10.0-5.2~libpng16_amd64.udeb 
> C libfreetype6-udeb_2.6.1-0.2~libpng16_amd64.udeb
> D libgdk-pixbuf2.0-0-udeb_2.32.3-1.1~libpng16_amd64.udeb
> E libpng16-16-udeb_1.6.20-1.2~libpng16+patched+1_amd64.udeb
> F matchbox-keyboard-udeb_0.1+svn20080916-10.1~libpng16_amd64.udeb
>  
> Two more udeb packages where generated during the mass rebuild on my
> server, bu removed from test-matrix, as they do not Depend: on
libpng:
> libslang2, libdirectfb-bin
>  
> Key x -> libpng16-version used
>     . -> standard version used
>  
>    A B C D E F   result   (comment)
> 1  . . . . . .   builds   "control group"
> 2  x . x . x .   builds     
> 3  . x x . x .   builds
> 4  . . . x x .   builds
> 5  . x . x x x   builds   
> 6  x x x x x x   builds   "target version" 
>  
>  
> Procedure:
> - debuld in debian-installer directory.
> - examination of created debian-installer-images tarball, especially
> the MANIFEST.udebs file for installed udebs (if matches expectations,
> if both libpngs are present
>  
>  
> Let me know if you want to see other combinations tested too (and
> which)
>  
> Thanks
> -- 
> tobi
>  
>  

Update on libpng's transition status

[Tobias Frost]

TL;DL: 
13 FTBFS left, but those are not libpng's fault.
Out of those 13 packages, only 5 are in testing right now. 

(I think that's all I can do from my side for now, so I'l pause the
efforts waiting for the other parties involved.)

Details:

The stats are now, and this is the best we can currently get:

Built: 474
Failed: 13
OK: 461

The progress is due to the NMU's and the fixing of libvigraimpex, so
that its B-Ds became buildable. 

Still FTBFS are, I've put an analysis why so on the titanpad [1], but
those are all _not_ libpng related and many of those packages are not
in testing. 

3depict
blender
calligra
caret
exult
fw4spl
gmsh
libtk-img
odin
openvrml
root-system
xemacs21
vtk6
yt

There are two packages which are started to fail, due to the 
accidential transition-required openmpi upload, #813128:

vtk6 
gmsh

Only those packages are in testing:

blender
criticalmass
gmsh
vtk6 
yt 


[1] https://titanpad.com/libpng16-transistion
 
-- 
tobi

Bug#650601: libpng is ready for transtion

[Tobias Frost]

Forwarding to debian-boot, as requested from Cyril.

Debian-Boot people, please take a look at #650601 -- the libpng16
transition which is now ready to be started. There are a few udebs
affected, which is tested as described below (following a request from
Cyril).

IMHO also the udeb part is ready for the transition, but I'm not in the
d-i topics.

-- 

tobi

On Tue, 26 Jan 2016 22:05:22 +0100 Tobias Frost <t...@debian.org>
wrote:
> Hallo KiBi,
> 
> On Tue, 26 Jan 2016 10:51:11 +0100 Cyril Brulebois <k...@debian.org>
> wrote:
> 
> > Has anyone tested a debian installer build where some packages were
> > built against libpng12-0-udeb and some other against libpng16-16-
> udeb?
> > Does that work? Or are we looking at a giant transition where
> everything
> > must switch to libpng16 at once?
> > 
> > Mraw,
> > KiBi.
> 
> As requested, I performed those build of the d-i, version 20160106: 
> 
> Testmatrix
> 
> A libcairo2-udeb_1.14.6-1.1~libpng16_amd64.udeb
> B libdirectfb-1.2-9-udeb_1.2.10.0-5.2~libpng16_amd64.udeb 
> C libfreetype6-udeb_2.6.1-0.2~libpng16_amd64.udeb
> D libgdk-pixbuf2.0-0-udeb_2.32.3-1.1~libpng16_amd64.udeb
> E libpng16-16-udeb_1.6.20-1.2~libpng16+patched+1_amd64.udeb
> F matchbox-keyboard-udeb_0.1+svn20080916-10.1~libpng16_amd64.udeb
> 
> Two more udeb packages where generated during the mass rebuild on my
> server, bu removed from test-matrix, as they do not Depend: on
libpng:
> libslang2, libdirectfb-bin
> 
> Key x -> libpng16-version used
>     . -> standard version used
> 
>    A B C D E F   result   (comment)
> 1  . . . . . .   builds   "control group"
> 2  x . x . x .   builds     
> 3  . x x . x .   builds
> 4  . . . x x .   builds
> 5  . x . x x x   builds   
> 6  x x x x x x   builds   "target version" 
> 
> 
> Procedure:
> - debuld in debian-installer directory.
> - examination of created debian-installer-images tarball, especially
> the MANIFEST.udebs file for installed udebs (if matches expectations,
> if both libpngs are present
> 
> 
> Let me know if you want to see other combinations tested too (and
> which)
> 
> Thanks
> -- 
> tobi
> 
> 

Re: Bug#650601: libpng is ready for transtion

[Tobias Frost]

> Tobias Frost <t...@debian.org> (2016-01-25):
>> Dear release-team,
>>
>> Now that all NMUs are in DELAYED for all fixables.
>> I think we are ready to throw the switch. 
>
> You haven't answered <20160106232316.ga28...@mraw.org>.
>
> Mraw,
> KiBi.
>

Nobuhiro, Anibal,

this is a question for you:

https://lists.debian.org/debian-devel/2016/01/msg00248.html

{quote}
Speaking of this particular udeb, I've just spotted libpng16-16-udeb has
a Conflicts against libpng12-0-udeb. I'm not sure why, and the changelog
doesn't seem to explain either. libpng16-16 and libpng12-0 seems to be
co-installable, so I'm not sure why their respective udebs shouldn't be.
{/quote}

Re: Bug#650601: libpng is ready for transition

[Tobias Frost]

Am Dienstag, den 26.01.2016, 22:25 + schrieb Gianfranco Costamagna:
> Hi Tobias
> 
> > +libpng1.6 (1.6.20-1.2)
> > unstable; urgency=medium
> 
> Do you want to go on unstable or it is a typo?
> 
> Gianfranco

Typo

Bug#650601: libpng1.6 transistin (Was: Processed: fvwm: diff for NMU version 1:2.6.5.ds-4.1)

[Tobias Frost]

Am Dienstag, den 26.01.2016, 18:07 +0100 schrieb Emilio Pozuelo
Monfort:
> On 26/01/16 17:54, Gianfranco Costamagna wrote:
> > Hi Emilio!
> > 
> > 
> > > Can send another summary with your proposed plan here? Currently
> > > libpng12-dev
> > > provides libpng-dev but libpng16-dev doesn't. Are you going to
> > > switch that? Or
> > > do you plan to build a libpng-dev package from src:libpng1.6?
> > 
> > 
> > sure, the only reason that libpng-dev wasn't provided has been to
> > avoid people building accidentally
> > with libpng16 when uploading on experimental.
> > 
> > IIRC the plan is to upload on unstable with the Provides: libpng-
> > dev line enabled
> > (it is already there, just commented),
> > and the change for the udeb file conflict (ongoing test right now).
> > 
> > I think libpng12-dev will stop providing the libpng-dev at the same
> > time, but I'm not sure
> 
> Either that needs to happen, or a real libpng-dev package needs to be
> built.
> Otherwise if we have libpng12-dev and libpng16-dev providing libpng-
> dev, things
> won't be deterministic.


> > 


(My*) plan'd be to upload (1) libpng12 WITHOUT providing libpng-dev and
(2) libpng16 WITH providing it. 

I'm not sure whats better: if that should happen at the very same time,
or if we should delay (2) until e.g the -12 package arrived at all
archs, to ensure that there will be no point of time where libpng-dev
is provided by two packages or solve any races by delaying the start of
the binnmus until we can ensure that all archs are getting the right
one.

A real libpng-dev package would be actually my* favorite, but this
requires going through NEW and I fear that that would destroy the
momentum we experience now to push this forward. Also, a real libpng-
dev Package could still be introduced later.

-- 
tobi

* Nobuhiro / Anibal should give the definitive direction how the want
to manage their package...

Bug#650601: libpng is ready for transtion

[Tobias Frost]

Hallo KiBi,

On Tue, 26 Jan 2016 10:51:11 +0100 Cyril Brulebois 
wrote:

> Has anyone tested a debian installer build where some packages were
> built against libpng12-0-udeb and some other against libpng16-16-
udeb?
> Does that work? Or are we looking at a giant transition where
everything
> must switch to libpng16 at once?
> 
> Mraw,
> KiBi.

As requested, I performed those build of the d-i, version 20160106: 

Testmatrix

A libcairo2-udeb_1.14.6-1.1~libpng16_amd64.udeb
B libdirectfb-1.2-9-udeb_1.2.10.0-5.2~libpng16_amd64.udeb 
C libfreetype6-udeb_2.6.1-0.2~libpng16_amd64.udeb
D libgdk-pixbuf2.0-0-udeb_2.32.3-1.1~libpng16_amd64.udeb
E libpng16-16-udeb_1.6.20-1.2~libpng16+patched+1_amd64.udeb
F matchbox-keyboard-udeb_0.1+svn20080916-10.1~libpng16_amd64.udeb

Two more udeb packages where generated during the mass rebuild on my
server, bu removed from test-matrix, as they do not Depend: on libpng:
libslang2, libdirectfb-bin

Key x -> libpng16-version used
. -> standard version used

   A B C D E F   result   (comment)
1  . . . . . .   builds   "control group"
2  x . x . x .   builds 
3  . x x . x .   builds
4  . . . x x .   builds
5  . x . x x x   builds   
6  x x x x x x   builds   "target version" 


Procedure:
- debuld in debian-installer directory.
- examination of created debian-installer-images tarball, especially
the MANIFEST.udebs file for installed udebs (if matches expectations,
if both libpngs are present


Let me know if you want to see other combinations tested too (and
which)

Thanks
-- 
tobi

Re: Bug#650601: libpng is ready for transtion

[Tobias Frost]

Am Dienstag, den 26.01.2016, 20:45 +1100 schrieb Aníbal Monsalve
Salazar:
> On Tue, 2016-01-26 10:23:13 +0100, Tobias Frost wrote:
> > > Tobias Frost <t...@debian.org> (2016-01-25):
> > > > Dear release-team,
> > > > 
> > > > Now that all NMUs are in DELAYED for all fixables.
> > > > I think we are ready to throw the switch.
> > > 
> > > You haven't answered <20160106232316.ga28...@mraw.org>.
> > > 
> > > Mraw,
> > > KiBi.
> > > 
> > 
> > Nobuhiro, Anibal,
> > 
> > this is a question for you:
> > 
> > https://lists.debian.org/debian-devel/2016/01/msg00248.html
> > 
> > {quote}
> > Speaking of this particular udeb, I've just spotted libpng16-16-
> > udeb has
> > a Conflicts against libpng12-0-udeb. I'm not sure why, and the
> > changelog
> > doesn't seem to explain either. libpng16-16 and libpng12-0 seems to
> > be
> > co-installable, so I'm not sure why their respective udebs
> > shouldn't be.
> > {/quote}
> 
> The Conflicts against libpng12-0-udeb can be removed.

Hi Anibal,

OK to NMU that or do you want to do the upload yourself?

diff -Nru libpng1.6-1.6.20/debian/changelog libpng1.6-
1.6.20/debian/changelog
--- libpng1.6-1.6.20/debian/changelog   2016-01-24 11:26:12.0
+0100
+++ libpng1.6-1.6.20/debian/changelog   2016-01-26 22:28:29.0
+0100
@@ -1,3 +1,10 @@
+libpng1.6 (1.6.20-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * libpng16-16-udeb should not Conflicts: libpng-12-0
+
+ -- Tobias Frost <t...@debian.org>  Tue, 26 Jan 2016 22:27:21 +0100
+
 libpng1.6 (1.6.20-1.1) experimental; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libpng1.6-1.6.20/debian/control libpng1.6-
1.6.20/debian/control
--- libpng1.6-1.6.20/debian/control 2016-01-24 11:29:17.0
+0100
+++ libpng1.6-1.6.20/debian/control 2016-01-26 22:28:22.0
+0100
@@ -71,7 +71,6 @@
 Priority: extra
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Conflicts: libpng12-0-udeb
 Description: PNG library - minimal runtime library (version 1.6)
  libpng is a library implementing an interface for reading and writing
  PNG (Portable Network Graphics) format files.

libpng is ready for transtion

[Tobias Frost]

Dear release-team,

Now that all NMUs are in DELAYED for all fixables.
I think we are ready to throw the switch. 

Please let us know and assign us the transition slot :)

Please assign a slot.

Here's the actual summary [1]
Built: 474
Failed: 34
OK: 440

The failed ones split up as follow:

NMUs: 12  
Patches: 2  
RC Buggy: 13  
RC as B-D: 4 
RM: 2
(my package: 1)

- The NMUs are uploaded, waiting to enter the archives.
- Also Gianfranco uploaded tons of packages to update the B-D to
libpng-dev. 
- The two patches are submitted to the BTS with a review request. A NMU
will follow...
- The RC Buggy packages are not building in sid as well, no way to
check them without fixing them.
- 4 Packages B-D on libvigraimpex, which is one of the RC packages.
- 2 packages are to be removed
- 1 package is mine, fix in prepration (rbdoom3bfg)


Details:

NMU in DELAYED - 12
==
antigrav
autotrace
ctsim
exult
freeimage
pngnq
literki
libtwin
nagios3
openlayer
scorched3d
xaos

Patch available (review requested):  2

netpbm-free
ghostscript


RC-Buggy in sid: - 13

blender
calligra
caret
criticalmass
fw4spl
libvigraimpex
odin
openvrml
libtk-img
root-system
wine-development
xemacs21
yt


reverse B-Ds libvigraimpex: - 4


===
3depict
enblend-enfuse
gamera
hugin

RM or RM requested: - 2
===
exrtools
celestia


the remaining:
===
rbdoom3bfg
is my package, a patch is almost ready.

[1] http://libpng.sviech.de/!summary.txt
The file in the link will be updated as I rebuild package when uploads
have been done; (manual process)


-- tobi

signature.asc
Description: This is a digitally signed message part

Bug#650601: Processed: fvwm: diff for NMU version 1:2.6.5.ds-4.1

[Tobias Frost]

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hi Emilio and release team
> (sorry for the previous mail and thanks for the untag, I fixed the uploa
> d)
>
> as you have noticed yesterday and today I NMUed the remaining "please
> switch from libpng-{3,12,12-0}-dev to libpng-dev" bugs.
> (around ~30 NMUs that will hit unstable hopefully in 7 days)
>
> there are a couple of packages with a build-dependency on
> libpng-dev | libpng12-dev but I didn't NMU them because I don't think
> they are going to give troubles in the transition context.
>
> Now, we should be left with ~50 packages currently FTBFS, but I think
> for most of them we could easily have patches from Fedora or upstream
> new versions (many of them already have patches on BTS)
>
> This is a list of packages, according to the bug blocking this one.
> pngnq: patch, but should wait for the transition to start
> libtheora: patch
> openmsx: patch (should wait the transition to start)
> calligra: no patch, out of testing, arch linux has the latest version
> and seems to build against libpng16
> libcoyotl: has an RC bug (license issue), no patch
> xcftools: testsuite failure fedora has the latest, maybe they have a pat
> ch
> neverball: patch, but should wait for the transition to start
> openjfx: no patch, but new upstream release
> tucnak: no patch, but new upstream release
> xemacs21: FTBFS against gcc-5
> openlayer: mailed the bug report with a patch (not sure if enough)
> armagetronad: patch? I think it is a matter of changing the configure
> script
> aseprite: should be a matter of a define (new upstream release)
> libpgplot-perl: patch, fixed in git
> mathgl: patch from fedora?
> https://lists.fedoraproject.org/pipermail/scm-commits/2011-December/6932
> 05.html
> abiword: patch, fixed, but failing for another reason now
> nagios3: not in testing, RC buggy
> celestia: RM ROM Dead upstream
> warzone2100: new upstream release: according to google fedora builds
> it fine with new libpng
> netpbm-free: ZLIB_VERSION undeclared, should be trivial to fix
> (missing include), if it isn't still not fixed (mailed the bug report)
> exult: no patch, but new upstream release (snapshot)
> fw4spl: double RC buggy
> rbdoom3bfg: no patch
> exrtools: patch
> libapache2-mod-qos: missing b-d patch
> ifeffit: seems to be failing because of missing b-d, and needs
> probably rebuilds of other build-dependencies, RC buggy
> matplotlib: should be fine now
> pcsx2: probably needs some rebuilds to make build-dependencies installab
> le
> root-system: FTBFS for unrelated reasons? RC buggy
> ctsim: needs some rebuilds to be fixed (e.g. libgdk-pixbuf2.0-dev)
>should be easy to patch
> wine-development: I think no issue, unrelated build failure
> scorched3d: FTBFS, but should be trivial to fix (pointer change)
> libtk-img: FTBFS but fedora has patches
> https://pkgs.fedoraproject.org/cgit/rpms/tkimg.git/tree/
>
>
> so, basically the ~50 FTBFS are now down to 31 (some of them have been
> NMUed while writing this email), and the "no patch" bugs are currently
> only 6, and I suspect some of them even will rebuild fine (probably
> transition related issues).
>
> So, if we exclude the RC buggy packages we are down to really a couple
> of packages, but I think we should start the transition and fix them
> later, specially because the build failures logs are from libpng15 in
> some cases, and it isn't worth the effort to double check them.
>
> Can we have a transition slot if possible, or should we fix something
> more?
>
> Please note: all the NMUs will need 6/7 days to go in unstable.
>
> (there is also a bug against texlive-base to stop using the embedded
> libpng version, but obviously it can't be fixed until the transition
> starts)
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJWoh2BAAoJEPNPCXROn13Z56YP/iOUBrd6wkQl/B+EcbhmiT5F
> aF8DMPoeh8zcKkvsXIjmvwg7XkMz0e/RlrVv1XsgYrnD5jt46N9Su+LZrscAlMFs
> rMOPHaubnhueFLYAxK9nCxJUgPJ6m/abAp1BiNVQsq+kI1MNTECRkxAadtdcND5i
> NlP/BbOJalwbpMWtcVF3SFrrdJmSrwcaSeXPg0coK8uCLt2xw4n1dMTAk2G3zFr4
> F/JlOU2Aqyy6fhK5DeXewgBe1Bd5S/x+q+sy41d4hSQffJF039vk4ng/FzWJpuya
> N6juMLL8RnBs7f/H7MgOXy8mkbo8Pov2jt/NCQqLWN7lLBS6heu5wQWQdtydM24u
> n/KfDpALrJtHOHZLorg0ZUsHCncYqQmPNQJG7uiIosXy45iC2q+EKbU9sD8eKVly
> epXloyUDV0ubphfp9Py0OYARpZCiQqFyUnnojQ47NBpabD6YMHece2fByfAoHJMr
> H/1Vqw9yGWAwa4BJRDdMTWHDhTQH6IZOD/rhCnj4J2ORXJrpL4BVW6QwdKfn33BV
> 4x78LpOneGLe2IxlmMe68wNw+xX+8qXnt3PdIB/fKuOOxsQ45bTc7yKXpjBr6Q0I
> kT7JtUGo0aW940TsW/yPWl3UewjUV89W0VE211HuVFBJNoVV8Z1IzoxJLPpgD35J
> LW1DDVuMLushD6zkFLCr
> =538b
> -END PGP SIGNATURE-
>

Many thanks Gianfranco for the summary!

Regarding the packages requiring libpng-config, I proposed to the maintainers
do another libng16 upload, so that that tool will be pulled in as depdenceny
(Otherwise we'll have the soversion hardcoded again in some B-D; I'd like to
avoid that.)

Please, Anibal & Nobuhiro shout STOP if you do not like this otherwise I'll
NMU my proposal tomorrow evening 

Bug#650601: transition: libpng 1.5

[Tobias Frost]

Dear all,

rebuilt is now complete. 
 
The final stats are:
Built: 463*
Failed: 117
OK: 346

The summary is also here: https://libpng.sviech.de/!summary.txt
On the same server are also the complete buildlogs:
https://libpng.sviech.de/

I will no proceed with the preparations of the MBF announcement.

Tobi



* libreoffice is the only package I did not rebuild

Bug#650601: transition: libpng 1.5

[Tobias Frost]

On Sun, 27 Dec 2015 14:25:29 +0100 Pedretti Fabio <pedretti.fabio@gmail
.com> wrote:
> Hi, I could provide a fast server (16+ xeon cores, 32gb+ ram)
accessible
> via ssh for test rebuild. If it can be useful let me know.
> Il 27/dic/2015 14:08, "Tobias Frost" <t...@debian.org> ha scritto:
> 
> > Hi,
> >
> > Now the stats read:
> > Built: 417
> > Failed: 112
> > OK: 304
> >
> > To get forward, I drafted some MBF announcement on the Titanpad.
Would
> > be cool if some can check it and maybe improve it (writing is not
my
> > strength)
> >
> > https://titanpad.com/libpng16-transistion
> >
> > In the draft propose the following plan:
> >
> > 0. Assess situation (rebuld) -- done
> > 1. MBF announcement
> > 2.  File bugs
> > for packages failing to build or needing updates in the B-Ds
> > 2. Upload
> > libpng1.6 to unstable, providing libpng-dev (after "GO" from the
> > release team)
> > 2a Upload libpng1.2 without providing libpng-dev to
> > unstable
> > 3. Raise severity to RC
> > 4. Prepare patches and NMU them
> > 5. binNMU
> > 6. fix remaining issues to finish transition
> > 7. Remove libpng12 from
> > unstable
> >
> > I'd go to upload 16 package with providing libpng-dev from day 1.
and
> > then in a second step (as it needs to pass NEW) provide libpng-dev
as
> > real package to allow versioned depends later. This second-step
package
> > can be cleared via experimental.
> >
> > Nobuhiro, what do you think? As said, now I'd have time
> > Emilio/Release-Team: The plan sounds OK with you?
> >
> > --
> > To unsubscribe, send mail to 650601-unsubscr...@bugs.debian.org.
> >

Thanks for the offer!
Currently not needed, but in case we'll do another rebuild I willl
contact you!

Tobi

Bug#650601: transition: libpng 1.5

[Tobias Frost]

Hi,

Now the stats read: 
Built: 417
Failed: 112
OK: 304

To get forward, I drafted some MBF announcement on the Titanpad. Would
be cool if some can check it and maybe improve it (writing is not my
strength)

https://titanpad.com/libpng16-transistion

In the draft propose the following plan:

0. Assess situation (rebuld) -- done
1. MBF announcement 
2.  File bugs
for packages failing to build or needing updates in the B-Ds
2. Upload
libpng1.6 to unstable, providing libpng-dev (after "GO" from the
release team)
2a Upload libpng1.2 without providing libpng-dev to
unstable
3. Raise severity to RC
4. Prepare patches and NMU them
5. binNMU
6. fix remaining issues to finish transition
7. Remove libpng12 from
unstable

I'd go to upload 16 package with providing libpng-dev from day 1. and
then in a second step (as it needs to pass NEW) provide libpng-dev as
real package to allow versioned depends later. This second-step package
can be cleared via experimental. 

Nobuhiro, what do you think? As said, now I'd have time 
Emilio/Release-Team: The plan sounds OK with you?

Bug#650601: transition: libpng 1.5

[Tobias Frost]

After building 288 packages some intermediate result:

288 built
85 failed
200 built ok
(3 currently rebuilding due some BD needed to be rebuilt themselves
too)

Short analysis of the build errors are on this titanpad:
https://titanpad.com/libpng16-transistion
I will continue update the pad with new results.

To build the packages, I modified the libpng16 package from
experimental to provides also libpng-dev and libpng12-dev.

--
tobi

Bug#650601: transition: libpng 1.5

[Tobias Frost]

Am Freitag, den 25.12.2015, 20:28 +0100 schrieb Alexandre Detiste:
> 
> There's one game from this list for which nobody should waste time
> on: freecraft.

Noted on the pad*. Thanks Alexandre



* anyone feel free to add such notes to the pad themselves...