[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
This bug was fixed in the package libzip - 1.5.1-0ubuntu1

---
libzip (1.5.1-0ubuntu1) disco; urgency=medium

  * New upstream release (LP: #1674057) (Closes: #894813)
    - Removes custom AES implementation in favour of using standard crypto libs
  * Build with cmake, autotools support was dropped.
  * Bump debhelper to compat 11
  * debian/control
    - Add Build-dep on libssl-dev and libbz2-dev
  * debian/libzip5.symbols: Update with new symbols
  * debian/rules:
    - Clean up Multi-arch support
    - set dh_missing to --fail-missing
    - Drop flags obsolete with dh 11
    - Strip -Bsymbolic-functions link flag as it causes test failures
  * debian/libzip-dev.install: don't install static lib, its not built now
  * debian/libzip5.lintian-overrides:
    - override possible-gpl-code-linked-with-openssl, libzip is BSD licensed only the debian packaging is licensed under GPLv3
  * debian/copyright: Update to reflect removed code

 -- Tim Lunn Tue, 27 Nov 2018 10:51:36 +1000

** Changed in: libzip (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1674057

Title:
  [FFe] upgrade libzip to version 1.5.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+subscriptions

--
kubuntu-bugs mailing list
kubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Changed in: libzip (Ubuntu) Status: New => Fix Committed
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
also includes libzip 1.5.1 release from today
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
I have created a transition tracker (copied from Debian) http://people.canonical.com/~ubuntu-archive/transitions/html/libzip.html
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
Packaging should be good to go now, pending FFe approval. All remaining debian/patches are upstream cherry-picks that will be included in next upstream release.
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Description changed: Feature Freeze Justification This release fixes to two CVE's and most notably has removed its custom AES crypto implementation with using openssl libraries. It is for the security reasons I am requesting this FFe this late in the cycle. Other Changes: - A bunch of bug fixes - A number of new features like bzip2 (this optional and could be disabled for 18.04), improved AES encryption support, some of the new features are other platforms only - Breaks API (only 1 symbol was removed though), soname bump, so will require a mini transition, all the 24 reverse-depends that I count are in universe. Some are seeded in flavours (see below) - Build system switched to Cmake in latest release - Ark will build with libzip support where it didnt before Testing: It has a fairly comprehensive test suite, all tests are now passing. I have run a test rebuild for all the rdepends in ppa:darkxst/libzip. All built successfully, except for 2 packages, cbmc and plume-creater - that had unrelated fallout due to gcc7 and other packaging changes. + that had unrelated fallout due to gcc7 and other packaging changes + (fixed on PPA). Other Notes: - - There are a bunch of presumably private symbols leaked into the debian symbols file. Not ideal, but probably not the only package in the archive like that. 
- - Have forwarded upstream a couple of patches and will follow symbols later + - Various fixes (rpath, man page syntax, leaky private symbols and pkg-config fixes) have been committed upstream and will be released soon in a 1.5.1 release, cherry-picked patches for now - I will also push for the update into Debian Build Logs: - https://launchpadlibrarian.net/363222435/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic3_BUILDING.txt.gz + https://launchpadlibrarian.net/363623662/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic6_BUILDING.txt.gz Reverse-depends of libzip4 that are seeded: ark (from ark) is seeded in: kubuntu: daily-live lubuntu-next: daily-live ideviceinstaller is seeded in: ubuntu-mate: daily-live libepub0 is seeded in: kubuntu: daily-live ubuntustudio: dvd libpstoedit0c2a is seeded in: kubuntu: supported okular-extra-backends is seeded in: kubuntu: daily-live Upstream Changelog == 1.5.0 [2018-03-11] == * Use standard cryptographic library instead of custom AES implementation. This also simplifies the license. * Use `clang-format` to format the source code. * More Windows improvements. 1.4.0 [2017-12-29] == * Improve build with cmake * Retire autoconf/automake build system * Add `zip_source_buffer_fragment()`. * Add support to clone unchanged beginning of archive (instead of rewriting it). Supported for buffer sources and on Apple File System. * Add support for Microsoft Universal Windows Platform. 1.3.2 [2017-11-20] == * Fix bug introduced in last: zip_t was erroneously freed if zip_close() failed. 
1.3.1 [2017-11-19] == * Install zipconf.h into ${PREFIX}/include * Add zip_libzip_version() * Fix AES tests on Linux 1.3.0 [2017-09-02] == * Support bzip2 compressed zip archives * Improve file progress callback code * Fix zip_fdopen() * CVE-2017-12858: Fix double free() * CVE-2017-14107: Improve EOCD64 parsing 1.2.0 [2017-02-19] == * Support for AES encryption (Winzip version), both encryption and decryption * Support legacy zip files with >64k entries * Fix seeking in zip_source_file if start > 0 * Add zip_fseek() for seeking in uncompressed data * Add zip_ftell() for telling position in uncompressed data * Add zip_register_progress_callback() for UI updates during zip_close() 1.1.3 [2016-05-28] == * Fix build on Windows when using autoconf ** Patch added: "updated debdiff against debian experimental" https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5105030/+files/libzip_1.5.0-r3.debdiff ** Patch removed: "debdiff against version 1.3.2 in Debian experimental" https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5102221/+files/libzip_1.5.0-r2.debdiff
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
I have been liaising with upstream to sort out the few remaining issues, they have been super responsive, and for the most part those are fixed upstream. I will update the packaging with upstream fixes once I get back into range of a power point, in the next day or three.
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Description changed: Feature Freeze Justification This release fixes to two CVE's and most notably has removed its custom AES crypto implementation with using openssl libraries. It is for the security reasons I am requesting this FFe this late in the cycle. Other Changes: - A bunch of bug fixes - A number of new features like bzip2 (this optional and could be disabled for 18.04), improved AES encryption support, some of the new features are other platforms only - Breaks API (only 1 symbol was removed though), soname bump, so will require a mini transition, all the 24 reverse-depends that I count are in universe. Some are seeded in flavours (see below) - Build system switched to Cmake in latest release - Ark will build with libzip support where it didnt before Testing: - It has a fairly comprehensive test suite, but I did have to disable for now, a few problematic tests that fail in the launchpad buildd chroots, but not elsewhere like local machine or Debian schroot. + It has a fairly comprehensive test suite, all tests are now passing. I have run a test rebuild for all the rdepends in ppa:darkxst/libzip. All built successfully, except for 2 packages, cbmc and plume-creater that had unrelated fallout due to gcc7 and other packaging changes. Other Notes: - There are a bunch of presumably private symbols leaked into the debian symbols file. Not ideal, but probably not the only package in the archive like that. 
- - I will follow up with upstream issues for the RPATH stuff, tests and symbols later + - Have forwarded upstream a couple of patches and will follow symbols later - I will also push for the update into Debian Build Logs: https://launchpadlibrarian.net/363222435/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic3_BUILDING.txt.gz Reverse-depends of libzip4 that are seeded: ark (from ark) is seeded in: kubuntu: daily-live lubuntu-next: daily-live ideviceinstaller is seeded in: ubuntu-mate: daily-live libepub0 is seeded in: kubuntu: daily-live ubuntustudio: dvd libpstoedit0c2a is seeded in: kubuntu: supported okular-extra-backends is seeded in: kubuntu: daily-live Upstream Changelog == 1.5.0 [2018-03-11] == * Use standard cryptographic library instead of custom AES implementation. This also simplifies the license. * Use `clang-format` to format the source code. * More Windows improvements. 1.4.0 [2017-12-29] == * Improve build with cmake * Retire autoconf/automake build system * Add `zip_source_buffer_fragment()`. * Add support to clone unchanged beginning of archive (instead of rewriting it). Supported for buffer sources and on Apple File System. * Add support for Microsoft Universal Windows Platform. 1.3.2 [2017-11-20] == * Fix bug introduced in last: zip_t was erroneously freed if zip_close() failed. 
1.3.1 [2017-11-19] == * Install zipconf.h into ${PREFIX}/include * Add zip_libzip_version() * Fix AES tests on Linux 1.3.0 [2017-09-02] == * Support bzip2 compressed zip archives * Improve file progress callback code * Fix zip_fdopen() * CVE-2017-12858: Fix double free() * CVE-2017-14107: Improve EOCD64 parsing 1.2.0 [2017-02-19] == * Support for AES encryption (Winzip version), both encryption and decryption * Support legacy zip files with >64k entries * Fix seeking in zip_source_file if start > 0 * Add zip_fseek() for seeking in uncompressed data * Add zip_ftell() for telling position in uncompressed data * Add zip_register_progress_callback() for UI updates during zip_close() 1.1.3 [2016-05-28] == * Fix build on Windows when using autoconf ** Patch added: "debdiff against version 1.3.2 in Debian experimental" https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5102221/+files/libzip_1.5.0-r2.debdiff ** Patch removed: "debdiff against version 1.3.2 in Debian experimental" https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5101199/+files/libzip_1.5.debdiff
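Review bot: the Testing entry now reads "all tests are now passing", but the Build Logs link in the unchanged part of the description still points at the 1.5.0-0ubuntu1~bionic3 build log that was already there when the text said tests had been disabled. Update the link to the build where the re-enabled tests ran, so the claim can be checked from the description itself.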
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Changed in: libzip (Debian) Status: Unknown => New
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Changed in: libzip (Ubuntu Bionic) Status: In Progress => New ** No longer affects: libzip (Ubuntu Bionic) ** Tags added: bionic
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Patch added: "debdiff against version 1.3.2 in Debian experimental" https://bugs.launchpad.net/ubuntu/+source/libzip/+bug/1674057/+attachment/5101199/+files/libzip_1.5.debdiff
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Description changed: - Please consider upgrading libzip to the newest version (currently 1.20). - It comes with important changes (details here: - https://nih.at/libzip/NEWS.html) and also it's used by ark since commit - ee74c157daf3604277ffcf10d2a89b2b59556dd7: + Feature Freeze Justification + + This release fixes to two CVE's and most notably has removed its custom AES crypto implementation with using openssl libraries. It is for the security reasons I am requesting this FFe this late in the cycle. - Add libzip plugin - A new plugin for libzip was added. The plugin is only built if libzip - 1.20 or higher is installed, but is the preferred plugin for zip - archives. + Other Changes: + - A bunch of bug fixes + - A number of new features like bzip2 (this optional and could be disabled for 18.04), improved AES encryption support, some of the new features are other platforms only + - Breaks API (only 1 symbol was removed though), soname bump, so will require a mini transition, all the 23-odd reverse-depends that I count are in universe. + - they appear to have dropped their custom AES implementation in favour of using openssl (this should be a plus!) + - Build system switched to Cmake in latest release + + + Testing: + It has a fairly comprehensive test suite, but I did have to disable for now, a few problematic tests that fail in the launchpad buildd chroots, but not elsewhere like local machine or Debian schroot. + + I have run a test rebuild for all the rdepends in ppa:darkxst/libzip. + All built successfully, except for 2 packages, cbmc and plume-creater + that had unrelated fallout due to gcc7 and other packaging changes. + + Other Notes: + - There are a bunch of presumably private symbols leaked into the debian symbols file. Not ideal, but probably not the only package in the archive like that. 
+ - I will follow up with upstream issues for the RPATH stuff, tests and symbols later + - I will also push for the update into Debian + + Build Logs: + https://launchpadlibrarian.net/363222435/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic3_BUILDING.txt.gz + + + Upstream Changelog + == + 1.5.0 [2018-03-11] + == + + * Use standard cryptographic library instead of custom AES implementation. + This also simplifies the license. + * Use `clang-format` to format the source code. + * More Windows improvements. + + 1.4.0 [2017-12-29] + == + + * Improve build with cmake + * Retire autoconf/automake build system + * Add `zip_source_buffer_fragment()`. + * Add support to clone unchanged beginning of archive (instead of rewriting it). + Supported for buffer sources and on Apple File System. + * Add support for Microsoft Universal Windows Platform. + + 1.3.2 [2017-11-20] + == + * Fix bug introduced in last: zip_t was erroneously freed if zip_close() failed. + + 1.3.1 [2017-11-19] + == + + * Install zipconf.h into ${PREFIX}/include + * Add zip_libzip_version() + * Fix AES tests on Linux + + 1.3.0 [2017-09-02] + == + + * Support bzip2 compressed zip archives + * Improve file progress callback code + * Fix zip_fdopen() + * CVE-2017-12858: Fix double free() + * CVE-2017-14107: Improve EOCD64 parsing + + 1.2.0 [2017-02-19] + == + + * Support for AES encryption (Winzip version), both encryption + and decryption + * Support legacy zip files with >64k entries + * Fix seeking in zip_source_file if start > 0 + * Add zip_fseek() for seeking in uncompressed data + * Add zip_ftell() for telling position in uncompressed data + * Add zip_register_progress_callback() for UI updates during zip_close() + + 1.1.3 [2016-05-28] + == + + * Fix build on Windows when using autoconf
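Review bot: the added Testing paragraph says a few problematic tests were disabled because they fail in the launchpad buildd chroots, without naming them. As the justification rests on the CVE fixes and the switch away from the custom AES code, list the disabled tests so a reviewer can confirm none of them cover the AES or EOCD64 parsing changes. The AES change is also listed twice, once in the justification and again under Other Changes.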
[Bug 1674057] Re: [FFe] upgrade libzip to version 1.5.0
** Summary changed: - [needs packaging] upgrade libzip to version 1.20 + [FFe] upgrade libzip to version 1.5.0