Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-06 Thread Adam D. Barratt
Control: tags -1 + pending

On Tue, 2017-01-03 at 12:47 +, Adam D. Barratt wrote:
> On 2017-01-03 12:23, Didier 'OdyX' Raboud wrote:
> > On Tuesday, 3 January 2017, 12.21:36 h CET Adam D. Barratt wrote:
> >> You can't immediately re-use the version. Either we can reject the
> >> current package and you can then upload a fixed +deb8u1, or you can
> >> upload +deb8u2 which just adds the fix above.
> > 
> > It does make sense to re-use the same version, doesn't it? If so, please
> > reject, I'll upload after that.
> 
> There are advantages to both approaches.
> 
> In any case, I've asked dak to reject the current upload. Hopefully it 
> will action that soonish.

Re-uploaded and flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-06 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #849467 [release.debian.org] jessie-pu: package hplip/3.14.6-1+deb8u1
Added tag(s) pending.

-- 
849467: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-03 Thread Adam D. Barratt

On 2017-01-03 12:23, Didier 'OdyX' Raboud wrote:
> On Tuesday, 3 January 2017, 12.21:36 h CET Adam D. Barratt wrote:
> > You can't immediately re-use the version. Either we can reject the
> > current package and you can then upload a fixed +deb8u1, or you can
> > upload +deb8u2 which just adds the fix above.
> 
> It does make sense to re-use the same version, doesn't it? If so, please
> reject, I'll upload after that.

There are advantages to both approaches.

In any case, I've asked dak to reject the current upload. Hopefully it
will action that soonish.

Regards,

Adam



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-03 Thread Didier 'OdyX' Raboud
On Tuesday, 3 January 2017, 12.21:36 h CET Adam D. Barratt wrote:
> You can't immediately re-use the version. Either we can reject the 
> current package and you can then upload a fixed +deb8u1, or you can 
> upload +deb8u2 which just adds the fix above.

It does make sense to re-use the same version, doesn't it? If so, please 
reject, I'll upload after that.

-- 
Cheers,
OdyX



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-03 Thread Adam D. Barratt

On 2017-01-03 11:03, Didier 'OdyX' Raboud wrote:
> On Monday, 2 January 2017, 18.10:15 h CET Adam D. Barratt wrote:
> > Automated post-upload lintian checks caught a new issue:
> > 
> > +E: empty-manual-page usr/share/man/man1/hp-toolbox.1.gz
> > 
> > [...]
> 
> Ah yes. I had fixed this in b1b3f529471d15fb97d1c651f3c60901cc67131b, see
> attached patch.
> 
> This is due to new (entirely rightful) restrictions in the buildds (or in my
> sbuild setup) apparently.

Ah, thanks for the explanation.

> So I should cherry-pick that and re-upload

Yes, please.

> (re-using the 3.14.6-1+deb8u1 version number ?) ?

You can't immediately re-use the version. Either we can reject the
current package and you can then upload a fixed +deb8u1, or you can
upload +deb8u2 which just adds the fix above.

Regards,

Adam



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-03 Thread Didier 'OdyX' Raboud
On Monday, 2 January 2017, 18.10:15 h CET Adam D. Barratt wrote:
> On Sun, 2017-01-01 at 11:38 +0100, Didier 'OdyX' Raboud wrote:
> > On Saturday, 31 December 2016, 17.10:09 h CET Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> > > > I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue,
> > > > and
> > > > security team members suggested to get it fixed through stable
> > > > updates.
> > > > 
> > > > This bug is a simple 'fetching gpg key from keyservers with a short
> > > > keyid' problem, and upstream's fix is to use the full fingerprint.
> > > 
> > > Please go ahead.
> > 
> > Uploaded, thanks for the confirmation.
> 
> Automated post-upload lintian checks caught a new issue:
> 
> +E: empty-manual-page usr/share/man/man1/hp-toolbox.1.gz
> 
> and indeed:
> 
> adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c hplip-gui_3.14.6-1_all.deb | grep toolbox.1
> -rw-r--r-- root/root   818 2014-06-15 07:31 ./usr/share/man/man1/hp-toolbox.1.gz
> adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c /srv/ftp-master.debian.org/policy/pool/main/h/hplip/hplip-gui_3.14.6-1+deb8u1_all.deb | grep toolbox.1
> -rw-r--r-- root/root    20 2016-12-27 13:48 ./usr/share/man/man1/hp-toolbox.1.gz
> 
> Any idea what's going on there?

Ah yes. I had fixed this in b1b3f529471d15fb97d1c651f3c60901cc67131b, see 
attached patch.

This is due to new (entirely rightful) restrictions in the buildds (or in my 
sbuild setup) apparently.

So I should cherry-pick that and re-upload (re-using the 3.14.6-1+deb8u1 
version number ?) ?

-- 
Cheers,
OdyX

From b1b3f529471d15fb97d1c651f3c60901cc67131b Mon Sep 17 00:00:00 2001
From: Didier Raboud 
Date: Mon, 3 Oct 2016 11:37:37 +0200
Subject: [PATCH] Export HOME when building the manpages to permit hp-toolbox's
 manpage generation

---
 debian/rules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/rules b/debian/rules
index d44f11cbf..1aa626d6f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -167,6 +167,7 @@ override_dh_install:
 	for file in *; do \
 			if readlink $$file | grep ".py"; then \
 PYTHONPATH=../lib/python$(PYTHON_DEFAULT_VERSION)/$(PYTHON_SITENAME)/ \
+HOME=./ \
 LD_LIBRARY_PATH=../lib/$(DEB_HOST_MULTIARCH) python3 ./$$file --help-man > $(CURDIR)/$$file.1 ; \
 			fi; \
 	done \
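Review bot: `HOME=./` is relative to the directory the loop is running in, so anything hp-toolbox writes under $HOME while rendering `--help-man` ends up inside the build tree, where it can be picked up by dh_install or dirty the source for the next `dpkg-source` run; point it at an absolute throwaway directory created and removed in this target instead, e.g. `HOME=$(CURDIR)/debian/tmp-home`. Separately, the `python3 ./$$file --help-man > $(CURDIR)/$$file.1 ;` line still discards the generator's exit status, which is how a 20-byte hp-toolbox.1 reached the archive instead of failing the build; append `|| exit 1` so a broken manpage run aborts `override_dh_install` rather than shipping an empty page.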
-- 
2.11.0



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-02 Thread Adam D. Barratt
On Sun, 2017-01-01 at 11:38 +0100, Didier 'OdyX' Raboud wrote:
> On Saturday, 31 December 2016, 17.10:09 h CET Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> > > I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
> > > security team members suggested to get it fixed through stable updates.
> > > 
> > > This bug is a simple 'fetching gpg key from keyservers with a short
> > > keyid' problem, and upstream's fix is to use the full fingerprint.
> > 
> > Please go ahead.
> 
> Uploaded, thanks for the confirmation.

Automated post-upload lintian checks caught a new issue:

+E: empty-manual-page usr/share/man/man1/hp-toolbox.1.gz

and indeed:

adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c hplip-gui_3.14.6-1_all.deb | grep toolbox.1
-rw-r--r-- root/root   818 2014-06-15 07:31 ./usr/share/man/man1/hp-toolbox.1.gz
adsb@coccia:/srv/mirrors/debian/pool/main/h/hplip$ dpkg-deb -c /srv/ftp-master.debian.org/policy/pool/main/h/hplip/hplip-gui_3.14.6-1+deb8u1_all.deb | grep toolbox.1
-rw-r--r-- root/root    20 2016-12-27 13:48 ./usr/share/man/man1/hp-toolbox.1.gz

Any idea what's going on there?

Regards,

Adam



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2017-01-01 Thread Didier 'OdyX' Raboud
On Saturday, 31 December 2016, 17.10:09 h CET Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> > I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
> > security team members suggested to get it fixed through stable updates.
> > 
> > This bug is a simple 'fetching gpg key from keyservers with a short
> > keyid' problem, and upstream's fix is to use the full fingerprint.
> 
> Please go ahead.

Uploaded, thanks for the confirmation.

-- 
Cheers,
OdyX



Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2016-12-31 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2016-12-27 at 14:18 +0100, Didier 'OdyX' Raboud wrote:
> I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
> security team members suggested to get it fixed through stable updates.
> 
> This bug is a simple 'fetching gpg key from keyservers with a short
> keyid' problem, and upstream's fix is to use the full fingerprint.

Please go ahead.

Regards,

Adam



Processed: Re: Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2016-12-31 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #849467 [release.debian.org] jessie-pu: package hplip/3.14.6-1+deb8u1
Added tag(s) confirmed.




Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1

2016-12-27 Thread Didier 'OdyX' Raboud
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear RT,

I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
security team members suggested to get it fixed through stable updates.

This bug is a simple 'fetching gpg key from keyservers with a short
keyid' problem, and upstream's fix is to use the full fingerprint.

The debdiff is attached.

Cheers,
OdyX
diff -Nru hplip-3.14.6/debian/changelog hplip-3.14.6/debian/changelog
--- hplip-3.14.6/debian/changelog   2014-06-15 09:24:19.0 +0200
+++ hplip-3.14.6/debian/changelog   2016-12-27 09:13:54.0 +0100
@@ -1,3 +1,11 @@
+hplip (3.14.6-1+deb8u1) stable; urgency=medium
+
+  * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key
+fingerprint when fetching key from keyservers
+(Closes: #787353, LP: #1432516)
+
+ -- Didier Raboud   Tue, 27 Dec 2016 09:13:54 +0100
+
 hplip (3.14.6-1) unstable; urgency=low
 
   * New upstream release
diff -Nru 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
--- 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
 1970-01-01 01:00:00.0 +0100
+++ 
hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
 2016-12-27 09:10:11.0 +0100
@@ -0,0 +1,19 @@
+Description: Use the full key fingerprint, to fix insecure binary driver 
verification
+Bug-CVE: CVE-2015-0839
+Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516
+Bug-Debian: https://bugs.debian.org/787353
+Origin: vendor
+Last-Update: 2015-07-15
+
+--- a/base/validation.py
 b/base/validation.py
+@@ -40,8 +40,7 @@
+ 
+ 
+ class GPG_Verification(DigiSign_Verification):
+-
+-def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9):
++def __init__(self, pgp_site = 'pgp.mit.edu', key = 
0x4ABA2F66DBD5A95894910E0673D770CDA59047B9):
+ self.__pgp_site = pgp_site
+ self.__key = key
+ self.__gpg = utils.which('gpg',True)
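Review bot: the low 32 bits of the new default (...A59047B9) equal the old short id 0xA59047B9, which is the consistency check a reviewer wants here: the full 160-bit fingerprint pins the one key that the short id used to be fetched by, so a keyserver can no longer satisfy the request with a different key that merely shares those 8 hex digits. Two things to verify before accepting: the hunk only changes the default value of `key`, so check that the code passing `self.__key` to gpg formats it as the full 40-digit fingerprint rather than an 8-digit id; and the `+++ b/base/validation.py` file header appears here as ` b/base/validation.py`, so confirm the patch still applies cleanly under quilt as shipped in the debdiff.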
diff -Nru hplip-3.14.6/debian/patches/series hplip-3.14.6/debian/patches/series
--- hplip-3.14.6/debian/patches/series  2014-04-04 17:05:13.0 +0200
+++ hplip-3.14.6/debian/patches/series  2016-12-27 09:04:13.0 +0100
@@ -18,3 +18,4 @@
 #hp-mkuri-libnotify-so-4-support.dpatch
 hpaio-option-duplex.diff
 musb-c-do-not-crash-on-usb-failure.patch
+cve-2015-0839-insecure-binary-driver-verification.patch
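As an added example (not hplip's or Debian's own code), the check the patch above tightens: pinning a keyserver-fetched OpenPGP key by its full fingerprint instead of its 32-bit short id, run over constructed `gpg --with-colons --fingerprint` output in which a made-up second key shares the short id A59047B9 with the real hplip key.

```python
"""Pin a keyserver-fetched OpenPGP key by full fingerprint, not short key id.

Added example, not hplip's own code. It parses the `fpr:` records of
`gpg --with-colons --fingerprint` output and compares each fingerprint
against the value pinned in the patched base/validation.py.
"""

# Fingerprint pinned by the patched hplip (taken from the debdiff above).
HPLIP_KEY_FPR = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9

# Constructed gpg output: the real fingerprint plus a made-up second key whose
# fingerprint ends in the same 8 hex digits, so both share short id A59047B9.
SAMPLE_GPG_COLONS = """\
pub:-:4096:1:73D770CDA59047B9:1276697410:::-:::scESC:
fpr:::::::::4ABA2F66DBD5A95894910E0673D770CDA59047B9:
pub:-:4096:1:0000CAFEA59047B9:1483000000:::-:::scESC:
fpr:::::::::FEEDFACE00000000DEADBEEF0000CAFEA59047B9:
"""

def parse_fingerprints(colons_output):
    """Return every fingerprint (uppercase hex) found in `fpr:` records."""
    fprs = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        # Field 10 (index 9) of an fpr record carries the fingerprint.
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs

def short_id_matches(fpr, key):
    """Pre-patch behaviour: only the low 32 bits (8 hex digits) are compared."""
    return fpr[-8:] == "{:08X}".format(key & 0xFFFFFFFF)

def full_fingerprint_matches(fpr, key):
    """Post-patch behaviour: all 160 bits must match."""
    return fpr == "{:040X}".format(key)

def keys_accepted(colons_output, key, strict):
    """Fingerprints that the chosen check would accept for `key`."""
    check = full_fingerprint_matches if strict else short_id_matches
    return [f for f in parse_fingerprints(colons_output) if check(f, key)]

if __name__ == "__main__":
    # Short id accepts both keys; the full fingerprint accepts only the real one.
    print(keys_accepted(SAMPLE_GPG_COLONS, HPLIP_KEY_FPR, strict=False))
    print(keys_accepted(SAMPLE_GPG_COLONS, HPLIP_KEY_FPR, strict=True))
```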