diffoscope_75_amd64.changes uploaded successfully to localhost
along with the files:
diffoscope_75.dsc
diffoscope_75.tar.xz
diffoscope_75_amd64.buildinfo
Greetings,
Your Debian queue daemon (running on host usper.debian.org)
___
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 10 Feb 2017 09:28:47 +1300
Source: diffoscope
Binary: diffoscope
Architecture: source
Version: 75
Distribution: unstable
Urgency: medium
Maintainer: Reproducible builds folks
Package: diffoscope
Version: 67
Severity: grave
Tags: patch security
Justification: user security hole
Dear Maintainer,
5fdfe91e71f1c520d902350b18f793b8c69d9118 introduced a security hole where
diffoscope may write to arbitrary locations on disk depending on the contents
of an untrusted archive.
The bug is closed, but I took a closer look at the issue to learn more about
the situation.
Chris' commit fixed the cleanup issue, but I think Brett's FIFO patch was
probably also needed to deal with the segfaults.
Brett Smith:
> [..] While I was debugging, I added the line
>
Your message dated Thu, 09 Feb 2017 20:49:18 +
with message-id
and subject line Bug#854670: fixed in diffoscope 75
has caused the Debian Bug report #854670,
regarding diffoscope: autopkgtest failures
to be marked as done.
This means that you claim that
Processing commands for cont...@bugs.debian.org:
> tags 854670 + pending
Bug #854670 [src:diffoscope] diffoscope: autopkgtest failures
Added tag(s) pending.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
854670:
tags 854670 + pending
thanks
Fixed in Git:
https://anonscm.debian.org/git/reproducible/diffoscope.git/commit/?id=541de9e1f69f2fec5451584359c5f0c2aad1f172
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
tags 777239 + pending
thanks
Fixed in Git:
https://anonscm.debian.org/git/reproducible/strip-nondeterminism.git/commit/?id=506fc41
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
Processing commands for cont...@bugs.debian.org:
> tags 777239 + pending
Bug #777239 [strip-nondeterminism] strip-nondeterminism: print log entry when
fixing a file
Added tag(s) pending.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
777239:
Source: diffoscope
Version: 74
Severity: important
autopkgtest still fails:
https://ci.debian.net/data/packages/unstable/amd64/d/diffoscope/20170209_062723.autopkgtest.log.gz
adt-run [06:33:34]: test command1: debian/tests/pytest
adt-run [06:33:34]: test command1: [---
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 09 Feb 2017 22:11:16 +1300
Source: strip-nondeterminism
Binary: libfile-stripnondeterminism-perl strip-nondeterminism
dh-strip-nondeterminism
Architecture: source
Version: 0.030-1
Distribution: unstable
Urgency:
Your message dated Thu, 09 Feb 2017 09:34:47 +
with message-id
and subject line Bug#777239: fixed in strip-nondeterminism 0.030-1
has caused the Debian Bug report #777239,
regarding strip-nondeterminism: print log entry when fixing a file
to be marked as
Hello, whether you have no experience in project management or want to
systematise and build on your knowledge and experience, our training
courses are proven to be effective and have been completed by thousands of
participants from
Processing commands for cont...@bugs.debian.org:
> tags 854723 + pending
Bug #854723 [diffoscope] diffoscope writes to arbitrary locations on disk based
on the contents of an untrusted archive
Added tag(s) pending.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
tags 854723 + pending
thanks
> diffoscope may write to arbitrary locations on disk depending on the contents
> of an untrusted archive
We can actually avoid all edge-cases of sanitisation by simply not using
the supplied filename and maintaining our own mapping.
Given this is both safer (and
Ximin Luo:
> Chris Lamb:
>> tags 854723 + pending
>> thanks
>>
>>> diffoscope may write to arbitrary locations on disk depending on the
>>> contents
>>> of an untrusted archive
>>
>> We can actually avoid all edge-cases of sanitisation by simply not using
>> the supplied filename and maintaining
Chris Lamb:
> tags 854723 + pending
> thanks
>
>> diffoscope may write to arbitrary locations on disk depending on the contents
>> of an untrusted archive
>
> We can actually avoid all edge-cases of sanitisation by simply not using
> the supplied filename and maintaining our own mapping.
>
>
Ximin Luo wrote:
> this particular scheme might not work so well with large archives
> with lots and lots of members
Mm although unlikely to be a serious problem as we aren't iterating
over the directory.
> Also, are you sure this doesn't interfere with the detection of
> order-only
Source: diffoscope
Version: 65
Severity: important
https://ci.debian.net/data/packages/unstable/amd64/d/diffoscope/20170209_233402.autopkgtest.log.gz
adt-run [23:40:53]: test command1: debian/tests/pytest
adt-run [23:40:53]: test command1: [---
=
Control: notfound -1 65
Control: found -1 75
On Fri, Feb 10, 2017 at 01:30:24AM +0100, Mattia Rizzolo wrote:
> Version: 65
off by ten.
Yes I know v76 is out too (and still untested), but I have no reasons to
think that version fixes it.
--
regards,
Mattia Rizzolo
GPG
Hi,
First thanks very much for hosting NetBSD! It has been really
helpful. I noticed that there was a run today, but unfortunately
our git sync was broken so repository was the same as last week.
We fixed it now so if you can run again it will run with the new
data, and hopefully all the repro
Processing commands for cont...@bugs.debian.org:
> tags 854745 + pending
Bug #854745 [src:diffoscope] diffoscope: autopkgtest failures
Added tag(s) pending.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
854745:
https://reproducible.alioth.debian.org/blog/drafts/93/
Feel free to commit fixes directly to drafts/93.mdwn in
https://anonscm.debian.org/git/reproducible/blog.git/
I will publish this in 24 hours.
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
On Thu, Feb 09, 2017 at 05:45:35PM +, Iain Lane wrote:
> BTW, maybe it would be nice if the 'debian' tests were run in
> autopkgtest; add a test-dep on python3-debian?
Oho, mapreri pointed me to the other tests which do run this
(needs-recommends), so nm.
--
Iain Lane
On Thu, Feb 09, 2017 at 05:45:35PM +, Iain Lane wrote:
> On Thu, Feb 09, 2017 at 11:52:50AM +0100, Mattia Rizzolo wrote:
> > E ImportError: No module named 'debian'
>
> Hmm, looks like skip_unless_module_exists() needs to catch the
> exception. Patch attached - I don't like the "skip"
strip-nondeterminism_0.030-1_amd64.changes uploaded successfully to localhost
along with the files:
strip-nondeterminism_0.030-1.dsc
strip-nondeterminism_0.030.orig.tar.gz
strip-nondeterminism_0.030-1.debian.tar.xz
strip-nondeterminism_0.030-1_amd64.buildinfo
Greetings,
Your
On Thu, Feb 09, 2017 at 11:52:50AM +0100, Mattia Rizzolo wrote:
> E ImportError: No module named 'debian'
Hmm, looks like skip_unless_module_exists() needs to catch the
exception. Patch attached - I don't like the "skip" variable, so if you
know of a nicer way (the function needs to return a