Bug#332782: Release Notes: license clarification

2008-08-25 Thread Steve Langasek
On Mon, Aug 25, 2008 at 02:45:50AM +0200, W. Martin Borgert wrote:
> > From , we have
> > these contributors not listed in your mail:

> >  - Daniel Nylander

> Swedish translation.

Translations being copyrightable works in their own right, their authors
should be asked to ratify the GPLv2 license to give us the best chance of
reusing material; or is there another reason you mention here that he's a
translator?

> >  - Frederik Schueler

> Obsolete AMD64 information. We don't need to care.

Ok, that appears to be true.

> >  - Adeodato Simó

> Some bits about Python, which are not in the release notes
> anymore. We don't need to care.

Correct, thanks; he still showed up in my analysis of the commit messages,
but this was a false-positive because robster made a single commit for both
the python bits and some other changes.

> >  - Nobuhiro IMAI

> TAKEI Nobumitsu

Sorry, I'm not sure what you mean here.  Are you implying that these are two
names for the same person?  Both names appear independently in the commit
messages.

> >  - Andrea Mennucci

> About Zope/Plone update. We need to know if the text still holds
> for lenny, anyway.

That's true.  At present, this text is still in the release notes, so this
is an outstanding point to be resolved, one way or the other.

> >  - Osamu Aoki

> Is this the stuff about screen etc.?

This was revision 4245; the changes appear to include a number of added
section headers, some text rearrangement, and some additions regarding
apt/aptitude.  Since he has already agreed to the licensing under GPLv2,
there's no issue here anyway.

> >  - Jordà Polo

> Catalan translation? Or more?

All the significant changes were to the Catalan translation.

> > I think we need to at least make an effort to get a sign-off from all these
> > "major" contributors as part of a GPLv2 licensing, and if they can't be
> > reached we should drop/replace their contributions.

> OK. It's in the nature of release notes, that many contributions
> are already removed from the text since long.

Bear in mind that this list of "major" contributors was assembled using bzr
(svn) blame - it only looks at those commits that still have lines present
in the current version, and this list was further filtered to exclude
any contributions of which fewer than 4 lines remain.  So although there may
be some false positives here (because I didn't check each commit to confirm
that there were substantive changes), everyone on this list is a person
whose name was mentioned in a commit log for a change which is still part of
the current version.

> > FWIW, 1585 lines of the current release notes are traceable, unmodified, to
> > joy's initial import in 2003 - I really don't know how to trace back any
> > further without a *lot* of work, we should probably assume for now that the
> > copyright on those contents is held by the people listed as release notes
> > editors for pre-sarge...

> If somebody really contributed significantly to the release
> notes and this contribution is really still part of the future
> lenny release notes and the contributor does not agree to put
> their work under GPL2+, they may just ask to remove their
> contribution and I will immediately do so.

Hmm, I didn't notice until now that you were asking for GPLv2 "or later".
The original licensing proposal for this bug was GPLv2 only.  Is the "or
later" licensing something that you think is important?

I have a slight preference for GPLv2 only for licensing of stand-alone
works, but I'm ok with GPLv2 or later if you think that's best.  If you *do*
think it's important, we should get that sorted out early, since so far the
three "ok"s we've gotten have been for GPLv2, not GPLv2+.

Cheers,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#495963: python-coverage: code coverage shows 0% cover on linked files

2008-08-25 Thread Nicolas Évrard
* Ben Finney  [2008-08-22 08:21 +0200]:
> Tags: patch
>
> On 22-Aug-2008, Nicolas Évrard wrote:
> > * Ben Finney  [2008-08-22 01:25 +0200]:
> > > On 21-Aug-2008, Nicolas Évrard wrote:
> > > > % nosetests --cover-erase --with-coverage --cover-package=relatorio
> > > >
> > > > And it shows the following table after the tests have run:
> > > >
> > > > Name                               Stmts   Exec  Cover   Missing
> > > >
> > > > relatorio                              3      3   100%
> > > > relatorio.reporting                   78      0     0%   21-146
> > > >
> > > > relatorio.templates                   11      0     0%   21-39
> > > > relatorio.templates.chart             48      0     0%   21-93
> > > > relatorio.templates.opendocument     212      0     0%   21-331
> > > > relatorio.templates.pdf               44      0     0%   21-86
> > > >
> > > > TOTAL                                396      3     0%
> > >
> > > I believe python-coverage is behaving correctly in this case. Python
> > > doesn't care whether a module is actually a symlink on disk; different
> > > module files are different files. Indeed, modules should be
> > > implemented so that they work whether or not the filesystem supports
> > > symlinks. Python's namespace support makes this easy.
> >
> > Well, while developing I often replace the module in my $HOME/python by a
> > symlink to the directory where I am working so I do not use the symlink
> > to have code accessible through two different namespaces. So here's my
> > setup:
> >
> > $PYTHONPATH=.:$HOME/python
> > % ls $HOME/python
> > relatorio -> wherever the development version is
>
> I don't understand, then. Which of the above modules are duplicates,
> under your setup? Where are the actual files? What is symlinking to
> what?

Here is a patch for this issue, that fixes the problem I am
encountering.


--
(°>  Nicolas Évrard
/ )  Liège - Belgique
^^
--- coverage.py	2008-08-25 08:46:53.0 +0200
+++ coverage.py.old	2008-08-25 08:46:24.0 +0200
@@ -534,7 +534,7 @@
 if os.path.exists(g):
 f = g
 break
-cf = os.path.normcase(os.path.realpath(os.path.abspath(f)))
+cf = os.path.normcase(os.path.abspath(f))
 self.canonical_filename_cache[filename] = cf
 return self.canonical_filename_cache[filename]
 
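Review bot: the file headers run from coverage.py to coverage.py.old, which suggests the diff was generated with its arguments swapped: as posted, the `-` line carrying os.path.realpath() would be removed rather than added. Regenerate it from the .old file to the new one so it applies in the intended direction. In the realpath line itself, the inner os.path.abspath() call is redundant because realpath() already returns an absolute path, and a one-line comment that symlinked module directories are meant to collapse to a single canonical filename would help the next reader.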


Bug#327585: Is there any workaround ?

2008-08-25 Thread Boris Lechner

Hello,

as I met this bug too, I'd like to know if someone found a workaround ?

---
Boris LECHNER
Administrateur systeme de la Plateforme Mecanique
Institut National des Sciences Appliquées
24 bvd de la Victoire 67084 Strasbourg Cedex
Tel : 03 88 14 49 59
Fax : 03 88 14 47 99
---




Bug#415801: reportbug: SOAP support now more important due to BTS changes

2008-08-25 Thread Paul Wise
On Mon, 2008-08-25 at 13:49 +0800, Paul Wise wrote:

> Lack of SOAP support in reportbug now more important due to the latest
> HTML changes in the bug tracking system. Some packages do not show the
> list of bugs, despite saying that there are bugs.

I've been informed that the version in sid fixes this specific issue and
has already been unblocked.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise




Bug#415801: [Reportbug-maint] Bug#415801: reportbug: SOAP support now more important due to BTS changes

2008-08-25 Thread Sandro Tosi
Hello Paul,

On Mon, Aug 25, 2008 at 07:49, Paul Wise <[EMAIL PROTECTED]> wrote:
> severity 415801 important
> thanks
>
> Lack of SOAP support in reportbug now more important due to the latest
> HTML changes in the bug tracking system. Some packages do not show the
> list of bugs, despite saying that there are bugs. One example is
> exiftran (reportbug says 7 bugs found, but doesn't show them), I have
> seen others but did not take note of them.

As discussed on IRC, this problem is fixed in v3.45 actually in sid
and in a few days to be moved in Lenny. The problem was due to a
spurious output that prevented the last page (if first page = last page,
then you'll see no output at all) from being displayed.

> Personally I think the lack
> of SOAP support should be RC, do the maintainers or the release team
> agree with that?

We (as reportbug maintainers) have already planned to switch to the
standardized SOAP BTS query method, but for lenny+1. As of now, I
cannot estimate the impact of the change, but for sure it won't be
just a "drop-in" replacement.

Kindly,
Sandro

-- 
Sandro Tosi (aka morph, Morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi






Bug#496362: closed by Thomas Goirand <[EMAIL PROTECTED]> (Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages)

2008-08-25 Thread Dmitry E. Oboukhov
reopen 496362
thanks

DBTS> Done as the mass-opening of symlink attack in /tmp was wrong in this case.

Why wrong?
{
my $ent = shift;

if ($ent->head->mime_type eq 'message/rfc822') {
if ($DEBUG) {
unlink "/tmp/spam.log.$$" if -e "/tmp/spam.log.$$";
open(OUT, "|$SA_LEARN -D --$spamham --single >>/tmp/spam.log.$$ 2>&1") or die "Cannot pipe $SA_LEARN: $!";
} else {
open(OUT, "|$SA_LEARN --$spamham --single") or die "Cannot pipe $SA_LEARN: $!";
}

$ent->bodyhandle->print(\*OUT);
--
die "$sender, I don't recognize your domain ($domain)!";
}

if ($DEBUG) {
MIME::Tools->debugging(1);
open(STDERR, ">/tmp/spam_err.log");
}
my $parser = new MIME::Parser;
$parser->extract_nested_messages(0);
$parser->output_under($UNPACK_DIR);

Unlinking the tempfile before use is not a guarantee against attack.

re-read bugreport, please:

DBTS> Even if you make rm(dir) for files/directories, then  your  system  is
DBTS> not protected. Attacker can permanently create symlinks.

attacker can write script as:

#!perl

$file_for_attack='/path/to/file';

while(1)
{
exit unless fork;
symlink $file_for_attack, "/tmp/spam.log.$_" for ($$ .. $$+1);
}
--

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Bug#496366: [Debian-med-packaging] Bug#496366: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thijs Kinkhorst
tags 496366 confirmed
thanks

Hi Charles,

> What is the relevance of this bug for the releasability of the package?
> Upstream is already at a much higher version number and I am not able to
> solve the problem by myself.

I've confirmed that the bug is indeed well-present: the script in question 
uses a number of files directly in /tmp with only the PID as a unique factor.

I've checked the latest upstream and that also has the exact same problem, so 
I don't think it's really relevant that upstream is many versions ahead. If 
they fix it, the fix can be applied to the current mafft package. I don't 
know why you cannot fix the bug yourself, but at least an upstream fix 
would be easily backportable.

But applying the fix yourself would not be very invasive either. The script 
makes extensive use of the system() call, so you could simply add system 
calls to use essential 'mktemp' to create the files safely.

In the attachment is an example patch which solves the first occurrence. As 
you can see it's very simple.

If you want a pure Ruby solution it would probably be a bit more invasive, but 
in that case http://ruby-stemp.rubyforge.org/ is available.

> Since the vulnerability can only be exploited by other local users, and
> since mafft is a scientific software either used on personal computers
> or on scientific workstations in trusted environments, can I ignore the
> bug for Lenny and work with Upstream on a fix in the latest release?

In the security team, issuing a DSA for an issue that has all these properties 
is normally not high on the priority list. However, that doesn't mean that 
I'm happy with new packages entering stable that have known bugs of this 
kind. So yes, I believe this bug should be resolved before lenny, especially 
as I don't see the problem in doing so.


Thijs
--- mafft-homologs.tmpl.orig	2008-08-25 08:55:19.0 +0200
+++ mafft-homologs.tmpl	2008-08-25 08:58:25.0 +0200
@@ -34,8 +34,9 @@
 
 require 'getopts'
 
-system( mafftpath + " --help > /tmp/_vf#{$$} 2>&1" )
-pfp = File.open( "/tmp/_vf#{$$}", 'r' )
+$tmpfile = system('mktemp')
+system( mafftpath + " --help > " + $tmpfile + " 2>&1" )
+pfp = File.open( $tmpfile, 'r' )
 while pfp.gets
 	break if $_ =~ /MAFFT v/
 end
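Review bot: `$tmpfile = system('mktemp')` in the added lines stores the return value of Kernel#system, which is true, false or nil, not the path that mktemp printed, so the string concatenation on the next line raises a TypeError and no temp file name is ever captured. Capture the command's output instead (backticks plus .chomp), and check that the result is non-empty before building the redirect from it.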
@@ -360,4 +361,4 @@
 	puts outseq2[i].gsub( /.{1,60}/, "\\0\n" )
 end
 
-system( "rm -rf /tmp/_if#{$$} /tmp/_vf#{$$} /tmp/_af#{$$} /tmp/_bf#{$$} /tmp/_pf#{$$} /tmp/_q#{$$} /tmp/_res#{$$} /tmp/_rid#{$$}" )
+system( "rm -rf /tmp/_if#{$$} $tmpfile /tmp/_af#{$$} /tmp/_bf#{$$} /tmp/_pf#{$$} /tmp/_q#{$$} /tmp/_res#{$$} /tmp/_rid#{$$}" )
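Review bot: in the replacement `rm -rf` line, `$tmpfile` sits inside a Ruby double-quoted string without a leading `#`, so Ruby passes the literal text $tmpfile to the shell, where it is a shell variable that is normally unset, and the file created by mktemp is never removed. Write `#{$tmpfile}` or remove the file from Ruby. The other names on this line (/tmp/_if#{$$} through /tmp/_rid#{$$}) are still PID-based, which matches the message's statement that the patch covers only the first occurrence.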




Bug#494549: RFP: autoscan-network -- Network monitoring and management tool

2008-08-25 Thread Philipp Hübner

Hey,

Jonathan Wiltshire schrieb:
> I would happily package this, but the source is not available even
> though it is supposedly GPLd. If you can obtain the source, I will
> package it for you.

It is, although I also had problems finding it at the first time,
they've hidden it quite well. I wouldn't write an RFP if there was no
source code available ;)

On http://autoscan-network.com/ go to the Download section and click on
the small "More..." link under the Windows button.
Then you'll see a site offering the source code and some outdated Ubuntu
packages.

Have fun packaging it!
Kind regards,

Philipp






Bug#495484: Is the rest of the data free?

2008-08-25 Thread Raphael Champeimont (Almacha)
Guus Sliepen wrote:
> On Sun, Aug 24, 2008 at 10:39:12PM +0200, Raphael Champeimont (Almacha) wrote:
> 
>> As the upstream website says "Resources are Non Free." and the original
>> tar.gz does not contain information about copyright of graphics files
>> (at least I didn't find any), I was wondering if these were DFSG-free?
> 
> According to upstream it's just the music and sound effects that was taken 
> from
> online resources, the graphics were created by upstream.
> 

Ok, so as only sound and music are not free, it would be great if the
game could still be played by using only packages in main. I see the
following solutions:

1a. Make 2 data packages, a blobwars-data-non-free with the original
data, and a blobwars-data-free with original graphics, replaced music
(eg. you could replace all music files with music file
song_revenge_of_cats.it from the gltron package for example) and dummy
sound files (by replacing all them by
http://www.almacha.org/almacha/files/1ms_of_silence.wav for example).

1b. Same as 1a, but keeping the "common" data (graphics) in the blobwars
package, and only having blobwars-audio-non-free and
blobwars-audio-free. I don't know if this possible, as it looks
everything needs to be in one PAK file.

A long term solution could be to replace sound files with free (real,
not dummy files) replacements, but this requires some work and is not
makable for the lenny release.

2. Have a non-dependency between blobwars (from main, with code and
graphics) and eg. blobwars-audio-non-free (from non-free, with music and
sound) and patch the code so that blobwars works even if it does not
find music and sound (currently missing music files only prints a
warning if USEPAK=0 and I'm not sure it handles correctly the situation
if USEPAK=1 even if it does not crash, but missing sound files is a
fatal error).

Solution #1 has the advantage of needing no changes in the code, but
requires you to create 2 new packages instead of 1...

Saying all that is easy when you don't do the work anyway, so it's up to
you if you want to make the game playable without non-free, or simply
move blobwars to contrib as you probably intended...

Almacha






Bug#492970: nfs-common 1:1.1.3-1 client disallows access to, files/directories (confirmed)

2008-08-25 Thread Jari Aalto

As others, I had exactly the same error. Root couldn't write to the
mounted directory. See full details here:

http://thread.gmane.org/gmane.linux.debian.user/333162
client: nfs-common        1:1.1.3-1
server: nfs-kernel-server 1:1.1.2-6

Confirmed:

At client, cat /proc/mounts contains "sec=null" and remounting with
"sec=sys" allows root to write to the mounted NFS directory.

But this shouldn't be necessary because /etc/exports contains:

... (rw,sync,no_root_squash,no_subtree_check)
             ==============

Jari






Bug#492477: Notes about the loggerhead package

2008-08-25 Thread Reinhard Tartler

Hi Jelmer,

here some notes I made while reviewing the loggerhead package:

 - it installs a conffile /etc/loggerhead.conf. After having a short
   look at it, it seems to me that for almost every usecase, the user is
   expected to edit this file. This means that on every upgrade where we
   edit the default config, a conffile change will happen. I don't think
   this is really what we want.

   How about shipping the default config in
   /usr/share/doc/loggerhead/example.conf and guide the user in a
   README.Debian file to copy it manually to /etc/loggerhead.conf? He
   needs to adapt the file anyways. This way we can also get rid of that
   /etc/default/loggerhead file. The initscript could then just check
   for the presence of /etc/loggerhead.conf and be done with it.

 - init script. The dependencies in loggerhead currently state this:

# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog

  I'm not sure if this is right. The source does not reference syslog
  anywhere, moreover, AFAIUI loggerhead requires the network to be
  up. Therefore I suggest "$local_fs $remote_fs $network" instead
  (inspired by the apache2 init script)

 - any particular reason to upload to experimental? I propose uploading
   to unstable instead. Sure, it won't make it for the lenny release,
   but unless it is in an highly experimental state that we don't want
   'regular' users to use and test it, I see no reason to 'hide' it in
   experimental.

Please comment on the 3 points above and indicate if you agree or
disagree. I'll go on with uploading when we sort these changes out.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4






Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Steve Langasek
On Mon, Aug 25, 2008 at 10:40:31AM +0400, Dmitry E. Oboukhov wrote:
> On 13:15 Sun 24 Aug , Steve Langasek wrote:
> SL> severity 496410 important
> SL> thanks

> You are mistaken :)

> Your script is placed in /usr/sbin, i.e. it runs with root privs.
> If I create symlink /etc/shadow -> /tmp/eglog and you start this script,
> then your system will be damaged.

The standard for grave-severity security bugs in Debian is "can be used by
an attacker to gain control of an account of a user who uses this package",
not "can be used by an attacker to create a Denial of Service by breaking
the system".  Writing this garbage to /etc/shadow will not result in
privilege escalation, it will only result in a broken system; therefore, it
is my understanding that this is not a grave bug.

So I don't think I've made a mistake here.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]






Bug#496015: wyrd: version 1.4.4 Armel requires ocaml error: No bytecode file specified.

2008-08-25 Thread clare johnstone
Hi,
Looking at it again, I found that the earlier version, 1.4.2  as well as 1.4.4
required ocaml.

Also I was wrong about Severity, Wyrd is unusable as is on this Armel
system.

thank you
clare






Bug#494466: [patch, RFC] Allow to select driver inclusion policy for initramfs-tools

2008-08-25 Thread Martin Michlmayr
Just for the record, this works as expected.  Thanks a lot for
implementing this, Frans!

-- 
Martin Michlmayr
http://www.cyrius.com/






Bug#496493: zeroc-icee: unsatisfiable dep on libicee-java (>= ${binary:Version})

2008-08-25 Thread Steve Langasek
Package: zeroc-icee
Version: 1.2.0-5
Severity: serious
Tags: patch

The reorganization of zeroc-icee in unstable introduces a new bug:

 Package: zeroc-icee
 Architecture: all
 Section: devel
-Depends: libicee-dev, libicee-java, icee-slice, icee-translators
+Depends: libicee-dev (>= ${binary:Version}), libicee-java (>=
+ ${binary:Version}), icee-slice (>= ${binary:Version}),
+ icee-translators (>= 1.2.0)
 Description: Embedded edition of the ZeroC Ice
  ZeroC Ice is a CORBA-like middleware solution. IceE is a subset of

libicee-java is not built from zeroc-icee; it is therefore inappropriate to
use a (>= ${binary:Version}) dependency.  zeroc-icee is currently
uninstallable in unstable as a result of this, because zeroc-icee is at
version 1.2.0-5 and libicee-java is only at version 1.2.0-3.

The fix is to drop the versioned dependency, and just depend on libicee-java
as had been done in the previous version.

I'm not sure why such package reorganization was being done during a freeze,
in any case?

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]






Bug#494773: [php-maint] Bug#494773: This is #495575

2008-08-25 Thread Thijs Kinkhorst
On Monday 25 August 2008 08:44, Ariel wrote:
> forcemerge 495575 494773
> thanks
>
> This is #495575 and upgrading solved it.

Thanks for letting us know. One tip for the next time: the forcemerge command 
doesn't work when sent to [EMAIL PROTECTED], you need to cc [EMAIL PROTECTED] 
for that. I've reissued the command now.


cheers,
Thijs




Bug#496362: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thijs Kinkhorst
Hi,

> Done as the mass-opening of symlink attack in /tmp was wrong in this case.

I don't think closing this is the appropriate action. Sure, debug code is not 
top priority. But still, the fix is straightforward and puts extra protection 
on those running in debug mode. Besides, people tend to copy-paste stuff all 
the time so eliminating it may prevent introducing a more pertinent bug.

I therefore encourage you strongly to just address the issue for lenny, even 
if it's only debug code.


Thijs




Bug#466643: locale affects this

2008-08-25 Thread Tomas Janousek
Hello,

this problem seems much more likely to happen when using some other locale
than en_US or C. I use the cs_CZ locale and the problem happens here, probably
because apt downloads translations for package descriptions. Running "LANG=C
apt-get update" is a workaround for now. I'd love to see this problem solved.

-- 
Tomáš Janoušek, a.k.a. Liskni_si, http://work.lisk.in/






Bug#496393: this bug is not fixed

2008-08-25 Thread Thijs Kinkhorst
reopen 496393
thanks

Hi,

Maybe I'm completely missing something, but the patch you added just seems to 
make matters much worse. Perhaps I don't understand it, but you remove use of 
the safe "mktemp" function and replace it with tempfiles based on PID? It 
looks to me like this change just introduced a new tempfile vulnerability.

And perhaps Dmitry can tell us what the original bug was that he found in his 
file, so the real issue can be addressed.

By the way, you are aware that you're using NMU-style versioning for your 
package while making maintainer uploads?


cheers,
Thijs


--- pscal/pscal.script  2008-08-24 21:06:51.0 +
+++ pscal/pscal.script.orig 2008-08-24 21:05:08.0 +
@@ -161,7 +161,6 @@
xc\*$MONTHNAME$YEAR)
;;
*)
-   PSCAL_TEMPFILE=$(mktemp -t pscal.XX)
for file in $list
do
day=`expr $file : 'xc\([0-9]*\)'`
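Review bot: the headers go from pscal/pscal.script to pscal/pscal.script.orig, so the `-` on the `PSCAL_TEMPFILE=$(mktemp ...)` line may only mean the diff was produced with its arguments swapped; confirm which of the two files is the one actually shipped before judging the change. If the mktemp line is the version that stays, test its exit status before entering the loop, so that a failed mktemp does not leave PSCAL_TEMPFILE empty for the later redirect.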
@@ -172,9 +171,9 @@
s/^/$day ( /
s/\$/ )/
p"
-   done > ${PSCAL_TEMPFILE}
-   holidays=`cat ${PSCAL_TEMPFILE}`
-   rm -f ${PSCAL_TEMPFILE}
+   done > /tmp/pscal$$
+   holidays=`cat /tmp/pscal$$`
+   rm -f /tmp/pscal$$
esac
 fi
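Review bot: the three `+` lines write to, read from and remove /tmp/pscal$$, a name that any local user can predict and create in advance as a symlink, and the `done >` redirect will follow it. Whichever direction this diff is meant to be read in, the shipped script should keep the ${PSCAL_TEMPFILE} form; quote the variable in all three places and consider a trap so the file is removed if the loop is interrupted.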



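Added example (not part of the message above or of the pscal package): the difference the two variants in the diff turn on, run inside a private sandbox directory that stands in for /tmp. The function names, the sandbox layout and the fourth sample line are assumptions made for this illustration; the first three sample lines are taken from the messages on this page.

```shell
#!/bin/sh
# Contrast of a PID-based temp name with mktemp, confined to a sandbox
# directory so that nothing outside it is touched.

# Pattern from the pscal hunk: the name is built from $$ and opened with a
# plain redirect. '>' follows symlinks, so whoever creates that name first
# decides which file receives the data.
unsafe_write() {
    dir=$1; data=$2
    printf '%s\n' "$data" > "$dir/pscal$$"
    cat "$dir/pscal$$"
    rm -f "$dir/pscal$$"
}

# mktemp variant: mktemp picks an unguessable suffix and creates the file
# itself with O_CREAT|O_EXCL, which fails instead of following an existing
# link. In a sticky-bit directory such as /tmp, other users cannot replace
# the file once it exists.
safe_write() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/pscal.XXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}

# Run WRITER (unsafe_write or safe_write) in a fresh sandbox in which the
# PID-based name already exists as a symlink to a file the writer was never
# meant to touch, then print what that file contains afterwards.
victim_after() {
    writer=$1
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/pscal$$"   # constructed pre-existing link
    "$writer" "$sandbox" "holiday list" > /dev/null
    cat "$sandbox/victim"
    rm -rf "$sandbox"
}

# Reviewer's aid: count input lines that build a /tmp path from $$, the
# pattern shared by the pscal, mafft and spam-learning scripts on this page.
# Reads stdin; exit status 1 from grep (no match) is not treated as an error.
count_pid_tempfiles() {
    grep -cE '/tmp/[^[:space:]"]*\$\$' || [ $? -eq 1 ]
}

# Sample input: three lines quoted from the messages, one constructed line
# using mktemp that must not be flagged.
sample_lines() {
    cat <<'EOF'
done > /tmp/pscal$$
system( mafftpath + " --help > /tmp/_vf#{$$} 2>&1" )
unlink "/tmp/spam.log.$$" if -e "/tmp/spam.log.$$";
PSCAL_TEMPFILE=$(mktemp -t pscal.XXXXXX)
EOF
}

echo "predictable name: linked file now holds '$(victim_after unsafe_write)'"
echo "mktemp:           linked file now holds '$(victim_after safe_write)'"
echo "PID-based /tmp names in sample: $(sample_lines | count_pid_tempfiles)"
```

The same scan can be pointed at a package's scripts by piping them into `count_pid_tempfiles`; a non-zero count marks lines to review by hand.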


Bug#496465: dpkg-dev: dpkg-source can't work with V3 format

2008-08-25 Thread Raphael Hertzog
Hi,

On Mon, 25 Aug 2008, Noel David Torres Taño wrote:
> $ dpkg-source --format=3 -b wmaker-data-0.9~2
> dpkg-source: error: source package format `3' is not supported (Perl module 
> Dpkg::Source::Package::V3 is required)
> 
> /usr/share/perl5/Dpkg/Source/Package/V3.pm in fact does not exist. 
> /usr/share/perl5/Dpkg/Source/Package/V3 is a directory.

Where did you read that "3" was a valid format ? It's not.
Please read dpkg-source's man page.

Valid formats are "3.0 (quilt)" or "3.0 (native)" and some others.

Cheers,
-- 
Raphaël Hertzog

Le best-seller français mis à jour pour Debian Etch :
http://www.ouaza.com/livre/admin-debian/






Bug#496494: [libc6] gdb fail to debug with a dlopen() call

2008-08-25 Thread Laurent Carlier
Package: libc6
Version: 2.7-13
Severity: normal

--- Please enter the report below this line. ---

Debugging session fails when a dlopen() call is reached. The problem occurs when 
trying to debug some gambas2 (in unstable) or gambas3 executable.

These programs run fine without dbg.

Here is an example of the backtrace/session produced with gdb:
[EMAIL PROTECTED]:~/gb2projets/TunnelSDL$ gdb gbx3
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) run -p
Starting program: /usr/local/bin/gbx3 -p
[Thread debugging using libthread_db enabled]
Error while reading shared library symbols:
Cannot find new threads: generic error
Cannot find new threads: generic error
(gdb) bt
#0  0x7ff0873787b7 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#1  0x7ff087374366 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#2  0x7ff0873780eb in _dl_open () from /lib64/ld-linux-x86-64.so.2
#3  0x7ff086ee0fbb in dlopen_doit () from /lib/libdl.so.2
#4  0x7ff087374366 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#5  0x7ff086ee136c in _dlerror_run () from /lib/libdl.so.2
#6  0x7ff086ee0f21 in dlopen@@GLIBC_2.2.5 () from /lib/libdl.so.2
#7  0x00420685 in LIBRARY_load (lib=0x15dd400) at gbx_library.c:468
#8  0x00441f4b in COMPONENT_load (comp=0x15dd3a0) at gbx_component.c:250
#9  0x00441b22 in COMPONENT_load_all () at gbx_component.c:110
#10 0x0041fd5f in PROJECT_load () at gbx_project.c:456
#11 0x00432d2e in init (file=0x446378 ".") at gbx.c:85
#12 0x004332ef in main (argc=1, argv=0x7fff8f582968) at gbx.c:299
(gdb)

When trying to find similar problems, I've found this in the gdb ML:
http://sourceware.org/ml/gdb/2008-08/msg00205.html
http://sourceware.org/ml/gdb/2008-08/msg00208.html

I can send you more infos if needed

Regards,
L.C.

--- System information. ---
Architecture: amd64
Kernel:   Linux 2.6.26-1-amd64

Debian Release: lenny/sid
  992 unstable            www.debian-multimedia.org 
  992 unstable            ftp.fr.debian.org 
  991 experimental        ftp.debian.org 
  500 kernel-dists-trunk  kernel-archive.buildserver.net 

--- Package information. ---
Depends   (Version) | Installed
====================-+-===========
libgcc1             | 1:4.3.1-9









Bug#496349: libfcgi-perl: download link in copyright file is broken

2008-08-25 Thread Toni Mueller

Hi,

On Sun, 24.08.2008 at 23:40:46 +0200, Moritz Muehlenhoff <[EMAIL PROTECTED]> 
wrote:
> [EMAIL PROTECTED] wrote:
> > Package: libfcgi-perl
> > Severity: serious
> > Justification: Policy 12.5
> > 
> > 
> > Hi,
> > 
> > the download link mentioned in the copyright file no longer
> > resolves. Also, although the package is on CPAN, the CPAN search does
> > not find it.
> 
> I don't think the severity is warranted; debian/copyrights lists
> the place where the upstream sources were fetched at the time of
> packaging. After all web sites are in flux all the time, that's
> why we distribute them through our mirror network.

I chose the severity because it's a violation of a 'must' clause in the
policy (and that's what reportbug advised to set). Of course, I'm very
much aware about the fact that web sites change all the time, but I
also do find it very important to properly track upstream sources.

Other than that, I'm inclined to do an NMU to close the bug - the
change is trivial and doesn't affect functionality in the slightest,
after all. Therefore, letting the change through should only be a
formality.

But apart from that, I am confused about the state of this package,
wrt. who is currently responsible, and why
http://packages.qa.debian.org/libf/libfcgi-perl.html
says that the package conforms to standard 3.6.2 and not 3.8.0, as it
probably should. I don't know if that's a requirement for Lenny,
however.


Kind regards,
--Toni++






Bug#494466: [patch, RFC] Allow to select driver inclusion policy for initramfs-tools

2008-08-25 Thread Martin Michlmayr
Frans,

There's one thing that imho could be improved with the current
driver-policy handling.  IMHO it would make sense not to create the
/etc/initramfs-tools/conf.d/driver-policy file if these conditions are
met:
 - the question was not asked (because debconf priority > medium)
 - the policy is the same as the default of initramfs-tools (most)

The second is easy ($RET != "most") but I'm not sure how to check for
the first.

Any comments?
-- 
Martin Michlmayr
http://www.cyrius.com/






Bug#496495: openssh-client: ssh-vulnkey "see manpage" message is unnecessary

2008-08-25 Thread Kevin Mitchell
Package: openssh-client
Version: 1:5.1p1-2
Severity: minor


When running ssh-vulnkey -a on a system with no compromised keys, I used
to get no output. I would argue this to be the correct behaviour. Now, however 
I get

#
# See the ssh-vulnkey(1) manual page for further advice.

which is an entirely superfluous, and even misleading message as it
would seem to suggest there is something wrong that reading the manpage
might explain. Anyone with half a brain operating a Debian system with
ssh enabled should know not only to read this man page, but also the
scores of other information about how to mitigate this vulnerability.

This is also very inconvenient for running ssh-vulnkey -a in cron,
which must now filter out this message so it doesn't email root when
there's nothing wrong.

Kevin


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (600, 'testing'), (400, 'unstable'), (300, 'stable'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1) (ignored: LC_ALL set to en_GB)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-client depends on:
ii  adduser                  3.108               add and remove users and groups
ii  debconf [debconf-2.0]    1.5.22              Debian configuration management sy
ii  dpkg                     1.14.20             Debian package management system
ii  libc6                    2.7-13              GNU C Library: Shared libraries
ii  libcomerr2               1.41.0-3            common error description library
ii  libedit2                 2.11~20080614-1     BSD editline and history libraries
ii  libkrb53                 1.6.dfsg.4~beta1-3  MIT Kerberos runtime libraries
ii  libncurses5              5.6+20080713-1      shared libraries for terminal hand
ii  libssl0.9.8              0.9.8g-13           SSL shared libraries
ii  passwd                   1:4.1.1-3           change and administer password and
ii  zlib1g                   1:1.2.3.3.dfsg-12   compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist        0.4.1               list of default blacklisted OpenSS
ii  openssh-blacklist-extra  0.4.1               list of non-default blacklisted Op
ii  xauth                    1:1.0.3-2           X authentication utility

Versions of packages openssh-client suggests:
pn  keychain   (no description available)
pn  libpam-ssh (no description available)
pn  ssh-askpass(no description available)

-- no debconf information






Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thijs Kinkhorst
Hi Rene,

Rene Engelhard wrote:
> I so far thought mktemp was safe enough? (of course, we get
> senddoc.mutt., but...

mktemp is safe enough. I think Dmitry refers to lines 3 and 4 of that script:

echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$

which I agree should not be there, probably leftover debug code?


cheers,
Thijs




Bug#496496: libx500-dn-perl: package description plainly b0rked

2008-08-25 Thread Gerfried Fuchs
Package: libx500-dn-perl
Version: 0.29-3
Severity: minor

Hi!

 The package description is plainly b0rked:

,--[ grep-available -P libx500-dn-perl -sDescription ]--
| Description: X500::DN provides a pure perl parser and formatter for RFC 2253
|  style DN strings.
`--[ grep-available -P libx500-dn-perl -sDescription ]--

 Looks like the synopsis wrapped over to the long description which is
missing completely.

 Thanks,
Rhonda






Bug#496497: libapache-mod-perl: mod_perl not installable -- perl 5.8 removed, not compatible with perl 5.10

2008-08-25 Thread Bob McElrath
Package: libapache-mod-perl
Version: 1.29.0.4-2
Severity: grave
Justification: renders package unusable


Perl 5.8 has been removed.  libapache-mod-perl depends on it and is now
uninstallable.

Perl 5.10 is present but the version of mod_perl available is
incompatible with it.  There are many newer upstream versions of both
apache and mod_perl.  These need to be pulled from upstream.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: alpha

Kernel: Linux 2.6.15 (SMP w/1 CPU core)
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache-mod-perl depends on:
ii  apache-common                1.3.34-2       support files for all Apache webse
ii  libc6.1                      2.7-6          GNU C Library: Shared libraries
ii  libdevel-symdump-perl        2.03-3         Perl module for inspecting perl's
ii  libperl5.10                  5.10.0-13      Shared Perl library
ii  liburi-perl                  1.35.dfsg.1-1  Manipulates and accesses URI strin
ii  libwww-perl                  5.812-1        WWW client/server library for Perl
ii  perl [libmime-base64-perl]   5.10.0-13      Larry Wall's Practical Extraction

libapache-mod-perl recommends no packages.

-- no debconf information






Bug#496387: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Georges Khaznadar
Hello Dmitri, José Luis,

Dmitri,
thank you for your investigation work: your script revealed some weak
points inside scripts of the package wims. I made a new package to fix
these weaknesses, and will send a message about them to the upstream
developer.

José Luis,
please can you sponsor the new package? The description file is at
ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc

Thanking you in advance,

best regards,   Georges.

Dmitry E. Oboukhov wrote:
> Package: wims
> Severity: grave
> 
> Hi, maintainer!
> 
> This message about the error concerns a few packages  at  once.   I've
> tested all the packages (for Lenny) on my Debian mirror.  All  scripts
> of packages (marked as executable) were tested.
> 
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.
> 
> For example if a script uses in its work a temp file which is  created
> in /tmp directory, then every user can create symlink  with  the  same
> name in this directory in order to  destroy  or  rewrite  some  system
> or user file.  Symlink attack may also  lead  not  only  to  the  data
> destruction but to denial of service as well.
> 
> Even if you create files or directories with help of function 'RANDOM'
> or pid(), then your system is not protected. Attacker can create many
> symlinks in order to destroy your data or create 'denial  of  service'
> for your package scripts.
> 
> Even if you make rm(dir) for files/directories, then  your  system  is
> not protected. Attacker can permanently create symlinks.
> 
> This list is created with the help of script.  This list is sorted  by
> hand. However in some cases mistake is possible.
> 
> Please, Be understanding to possible mistakes. :)
> 
> I set Severity into grave for this bug. The table of discovered
> problems is below.
> 
> Discussion of this bug you can see in debian-devel@:
> http://lists.debian.org/debian-devel/2008/08/msg00271.html
> 
> Binary-package: r-base-core-ra (1.1.1-1)
> file: /usr/lib/Ra/lib/R/bin/javareconf
> Binary-package: rccp (0.9-2)
> file: /usr/lib/rccp/delqueueask
> Binary-package: mafft (6.240-1)
> file: /usr/bin/mafft-homologs
> Binary-package: openoffice.org-common (1:2.4.1-6)
> file: /usr/lib/openoffice/program/senddoc
> Binary-package: crossfire-maps (1.11.0-1)
> file: /usr/share/games/crossfire/maps/Info/combine.pl
> Binary-package: sgml2x (1.0.0-11.1)
> file: /usr/bin/rlatex
> Binary-package: liguidsoap (0.3.6-4)
> file: /var/lib/liguidsoap/liguidsoap.py
> Binary-package: citadel-server (7.37-1)
> file: /usr/lib/citadel-server/migrate_aliases.sh
> Binary-package: ampache (3.4.1-1)
> file: /usr/share/ampache/www/locale/base/gather-messages.sh
> Binary-package: xen-utils-3.2-1 (3.2.1-2)
> file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
> Binary-package: dtc-common (0.29.6-1)
> file: /usr/share/dtc/admin/accesslog.php
> file: /usr/share/dtc/admin/sa-wrapper
> Binary-package: honeyd-common (1.5c-3)
> file: /usr/share/honeyd/scripts/test.sh
> Binary-package: lustre-tests (1.6.5-1)
> file: /usr/lib/lustre/tests/runiozone
> Binary-package: linuxtrade (3.65-8+b4)
> file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
> file: /usr/share/linuxtrade/bin/linuxtrade.wn
> file: /usr/share/linuxtrade/bin/moneyam.helper
> Binary-package: freevo (1.8.1-0)
> file: /usr/bin/freevo.real
> Binary-package: fml (4.0.3.dfsg-2)
> file: /usr/share/fml/libexec/mead.pl
> Binary-package: rkhunter (1.3.2-3)
> file: /usr/bin/rkhunter
> Binary-package: openswan (1:2.4.12+dfsg-1.1)
> file: /usr/lib/ipsec/livetest
> Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
> file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
> file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
> Binary-package: aptoncd (0.1-1.1)
> file: /usr/share/aptoncd/xmlfile.py
> Binary-package: cdcontrol (1.90-1.1)
> file: /usr/lib/cdcontrol/writtercontrol
> Binary-package: newsgate (1.6-23)
> file: /usr/bin/mkmailpost
> Binary-package: gpsdrive-scripts (2.10~pre4-3)
> file: /usr/bin/geo-code
> Binary-package: impose+ (0.2-11)
> file: /usr/bin/impose
> Binary-package: mgt (2.31-5)
> file: /usr/games/mailgo
> Binary-package: audiolink (0.05-1)
> file: /usr/bin/audiolink
> Binary-package: ibackup (2.27-4.1)
> file: /usr/bin/ibackup
> Binary-package: emacspeak (26.0-3)
> file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
> Binary-package: bk2site (1:1.1.9-3.1)
> file: /usr/lib/cgi-bin/bk2site/redirect.pl
> Binary-package: datafreedom-perl (0.1.7-1)
> file: /usr/bin/dfxml-invoice
> Binary-package: emacs-jabber (0.7.91-1)
> file: /usr/lib/emacsen-common/packages/install/emacs-jabber
> Binary-package: lmbench (3.0-a7-1)
> file: /usr/lib/lmbench/scripts/rccs
> file: /usr/lib/lmbench/scripts/STUFF
> Binary-package: ranci

Bug#496362: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Christian Perrier
Quoting Thomas Goirand ([EMAIL PROTECTED]):

> I'm closing this bug. If you find that it still needs to be fixed, let
> me know and reopen the bug.

But then set it to wishlist

This MBF is one of the worst I've ever seen.






Bug#495423: [Pkg-xfce-devel] Bug#495423: Bug#495423: xfce4-mailwatch-plugin: Please add an option so that mailwatch does not change status of mails

2008-08-25 Thread Stephan Windmüller
On Fri, 22. Aug 2008, Tino Keitel wrote:

> So maybe the bug reporter refers to the mail status in a maildir on
> the server,

That is exactly what I meant. I have the same behaviour with mutt as you
described it.

- Stephan






Bug#496465: dpkg-dev: dpkg-source can't work with V3 format

2008-08-25 Thread Noel David Torres Taño
On Monday 25 August 2008 09:44:14 Raphael Hertzog wrote:
> Hi,
> 
> On Mon, 25 Aug 2008, Noel David Torres Taño wrote:
> > $ dpkg-source --format=3 -b wmaker-data-0.9~2
> > dpkg-source: error: source package format `3' is not supported (Perl module 
> > Dpkg::Source::Package::V3 is required)
> > 
> > /usr/share/perl5/Dpkg/Source/Package/V3.pm in fact does not exist. 
> > /usr/share/perl5/Dpkg/Source/Package/V3 is a directory.
> 
> Where did you read that "3" was a valid format ? It's not.
> Please read dpkg-source's man page.
> 
> Valid formats are "3.0 (quilt)" or "3.0 (native)" and some others.

Thanks! It is _not_ clear in the man page that one must use those strings. 
Please make it clear or even better add an example to the man page. It will 
benefit non-english-speaking users (and english-speaking nontechnical ones).
> 
> Cheers,


Thanks again

Noel Torres
er Envite




Bug#487016: ttf-fifthhorseman-dkg-handwriting: FTBFS: make: *** [dkg.ttf] Segmentation fault

2008-08-25 Thread Steve Langasek
reassign 487016 freetype
forcemerge 487101 487016
thanks

As noted, this bug has been fixed in freetype; re-merging the clones.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]






Bug#494466: [patch, RFC] Allow to select driver inclusion policy for initramfs-tools

2008-08-25 Thread Frans Pop
On Monday 25 August 2008, Martin Michlmayr wrote:
> - the question was not asked (because debconf priority > medium)

That would break the case where the architecture default is different from 
the default of initramfs-tools.

>  - the policy is the same as the default of initramfs-tools (most)

I thought about that, but that assumes the default of initramfs-tools 
won't ever change. I'd prefer not to base code on that assumption.






Bug#496360: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Steve Langasek
severity 496360 grave
thanks

On Mon, Aug 25, 2008 at 11:36:37AM +0400, Dmitry E. Oboukhov wrote:
> tags 496360 -moreinfo
> tags 496360 -unreproducible
> thanks

> SL> Your bug report contains *no* information about the liquidsoap package.
> SL> Where is the vulnerability?
> following by link in bugreport you can find the full report: 
> http://uvw.ru/report.lenny.txt

Oh; there's the problem, I can't read my font and the package name is
liguidsoap - not liquidsoap.

Resetting severity back to 'grave', pending further analysis.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]






Bug#495246: Permission for xosd NMU?

2008-08-25 Thread Sven Hoexter
Hi,
while preparing an NMU for xosd #495246 I tried to pick some of the low
hanging fruits and the diff got slightly big now.
So I'm asking if you'd like to get the whole patch with the following
changelog (debdiff attached) or only the bugfixes?

 xosd (2.2.14-1.6) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Replace pseudo dynamic Build-Conflict on libxosd-dev with an explicit
 one on libxosd-dev << 2.2.14 which is the current source:Version.
 Closes: #495246
   * Replace Source-Version with source:Version for libxosd-dev Depends.
   * Replace the pseudo Homepage field with the real one.
   * Change the Homepage from http://www.ignavus.net/software.html to
 http://libxosd.sourceforge.net which offers a link for the current
 source download and the old website.
   * Remove Suggests: xfonts-base-transcoded from libxosd2. Closes: #370034
   * Updated the copyright file to reflect the website where you can obtain
 the source code and the license used.


Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - 03:45: No sleep]
diff -u xosd-2.2.14/debian/changelog xosd-2.2.14/debian/changelog
--- xosd-2.2.14/debian/changelog
+++ xosd-2.2.14/debian/changelog
@@ -1,3 +1,20 @@
+xosd (2.2.14-1.6) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Replace pseudo dynamic Build-Conflict on libxosd-dev with an explicit
+one on libxosd-dev << 2.2.14 which is the current source:Version.
+Closes: #495246
+  * Replace Source-Version with source:Version for libxosd-dev Depends.
+  * Replace the pseudo Homepage field with the real one.
+  * Change the Homepage from http://www.ignavus.net/software.html to
+http://libxosd.sourceforge.net which offers a link for the current
+source download and the old website.
+  * Remove Suggests: xfonts-base-transcoded from libxosd2. Closes: #370034
+  * Updated the copyright file to reflect the website where you can obtain
+the source code and the license used.
+
+ -- Sven Hoexter <[EMAIL PROTECTED]>  Mon, 25 Aug 2008 09:34:31 +0200
+
 xosd (2.2.14-1.5) unstable; urgency=low
 
   * Non-maintainer upload.
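Review bot: The first bullet of the new 2.2.14-1.6 entry calls 2.2.14 "the current source:Version", but the entry's own header line gives the source version as 2.2.14-1.6; 2.2.14 is only its upstream part. Suggest wording it as "the current upstream version" so the entry matches what the Build-Conflicts line in debian/control actually pins.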
diff -u xosd-2.2.14/debian/copyright xosd-2.2.14/debian/copyright
--- xosd-2.2.14/debian/copyright
+++ xosd-2.2.14/debian/copyright
@@ -5,8 +5,11 @@
-It was downloaded from http://www.ignavus.net/software.html
+It was downloaded from http://libxosd.sourceforge.net
 
 Upstream author: Andre Renaud <[EMAIL PROTECTED]>
 Maintainer: Tim Wright <[EMAIL PROTECTED]>
 
 Copyright:
-
-See /usr/share/common-licenses/GPL
+Copyright 2000, 2001 Andre Renaud ([EMAIL PROTECTED])
+This package is licensed under the GPL version 2 or any
+later version.
+On a Debian system you can find the licence text in 
+/usr/share/common-licenses/GPL-2.
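Review bot: The new Copyright section states "GPL version 2 or any later version", while the removed text only pointed at /usr/share/common-licenses/GPL without naming a version; the "or later" grant should be checked against the license headers in the upstream source before this is uploaded. Also, the added line "On a Debian system you can find the licence text in " ends in trailing whitespace, and the hunk mixes the spellings "licensed" and "licence".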
diff -u xosd-2.2.14/debian/control xosd-2.2.14/debian/control
--- xosd-2.2.14/debian/control
+++ xosd-2.2.14/debian/control
@@ -3,8 +3,10 @@
 Priority: optional
 Maintainer: Philipp Matthias Hahn <[EMAIL PROTECTED]>
 Build-Depends: libgtk1.2-dev, libtool, debhelper (>= 4.1.0), libgdk-pixbuf-dev, libx11-dev, libxext-dev, x11proto-core-dev, x11proto-xinerama-dev, x11proto-xext-dev, libxinerama-dev, cdbs
-Build-Conflicts: libxosd-dev (<< ${Source-Version})
+Build-Conflicts: libxosd-dev (<< 2.2.14)
 Standards-Version: 3.6.1.1
+Homepage: http://libxosd.sourceforge.net
+
 
 Package: libxosd2
 Section: libs
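Review bot: "Build-Conflicts: libxosd-dev (<< 2.2.14)" replaces the substitution with a literal version, so the line has to be edited by hand on every new upstream release and will silently go stale if that is forgotten; a comment next to it, or a sentence in the changelog saying so, would help the next uploader. The hunk also adds an empty line after "Homepage:" although the stanza was already followed by one, leaving two blank lines before "Package: libxosd2".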
@@ -12,16 +14,13 @@
 Depends: ${shlibs:Depends}
 Conflicts: libxosd
 Replaces: libxosd, libxosd0
-Suggests: xfonts-base-transcoded
 Description: X On-Screen Display library - runtime
  A library for displaying a TV-like on-screen display in X.
- .
- Homepage: http://www.ignavus.net/software.html
 
 Package: libxosd-dev
 Section: libdevel
 Architecture: any
-Depends: libxosd2 (= ${Source-Version}), libx11-dev, libxext-dev, ${shlibs:Depends}, libxinerama-dev
+Depends: libxosd2 (= ${source:Version}), libx11-dev, libxext-dev, ${shlibs:Depends}, libxinerama-dev
 Conflicts: libxosd
 Description: X On-Screen Display library - development
  A library for displaying a TV-like on-screen display in X.
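Review bot: In the libxosd-dev stanza, "Depends: libxosd2 (= ${source:Version})" ties an "Architecture: any" package to a shared-library package (libxosd2 uses ${shlibs:Depends}) by source version; after a binNMU the binary version of libxosd2 no longer equals the source version and libxosd-dev becomes uninstallable. ${binary:Version} is the substitution meant for this case.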
@@ -39,3 +37,0 @@
- .
- Homepage: http://www.ignavus.net/software.html
-


Bug#496498: (typo) Modules/FindLua51.cmake prints user messages referring to Lua 5.0

2008-08-25 Thread Apollon Oikonomopoulos
Package: cmake
Version: 2.6.0-5
Severity: minor

/usr/share/cmake-2.6/Modules/FindLua51.cmake, the module responsible for
detecting the presence of Lua 5.1, prints user messages that refer to
Lua 5.0 instead of 5.1. Thus, a user trying to compile software that
needs Lua 5.1 with liblua5.1-0-dev not present in his/her system, will
be led to the mistaken conclusion that he needs to install Lua 5.0.

The attached patch fixes the issue for me.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (90, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cmake depends on:
ii  libc6        2.7-13          GNU C Library: Shared libraries
ii  libgcc1      1:4.3.1-2       GCC support library
ii  libidn11     1.8+20080606-1  GNU libidn library, implementation
ii  libncurses5  5.6+20080804-1  shared libraries for terminal hand
ii  libstdc++6   4.3.1-2         The GNU Standard C++ Library v3

cmake recommends no packages.

cmake suggests no packages.

-- no debconf information
diff -uNr cmake-2.6.0/Modules/FindLua51.cmake cmake-2.6.0.patched/Modules/FindLua51.cmake
--- cmake-2.6.0/Modules/FindLua51.cmake	2008-08-25 09:35:49.0 +0300
+++ cmake-2.6.0.patched/Modules/FindLua51.cmake	2008-08-25 09:36:05.0 +0300
@@ -68,7 +68,7 @@
 INCLUDE(FindPackageHandleStandardArgs)
 # handle the QUIETLY and REQUIRED arguments and set LUA_FOUND to TRUE if 
 # all listed variables are TRUE
-FIND_PACKAGE_HANDLE_STANDARD_ARGS(Lua50  DEFAULT_MSG  LUA_LIBRARIES LUA_INCLUDE_DIR)
+FIND_PACKAGE_HANDLE_STANDARD_ARGS(Lua51  DEFAULT_MSG  LUA_LIBRARIES LUA_INCLUDE_DIR)
 
 MARK_AS_ADVANCED(LUA_INCLUDE_DIR LUA_LIBRARIES LUA_LIBRARY LUA_MATH_LIBRARY)
 
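Review bot: The first argument of FIND_PACKAGE_HANDLE_STANDARD_ARGS is not only the name printed in messages, it also names the result variable, so changing Lua50 to Lua51 switches the variable that gets set from LUA50_FOUND to LUA51_FOUND. That is more than a typo fix and should be stated in the bug report; the comment two lines above the call still says LUA_FOUND and should be updated to LUA51_FOUND in the same patch.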


Bug#478502: pwlib-titan needs to be binNMU'd on sparc

2008-08-25 Thread Jurij Smakov
On Sat, Aug 23, 2008 at 07:50:17PM -0700, Steve Langasek wrote:
> On Sat, Aug 23, 2008 at 08:14:10PM +0100, Jurij Smakov wrote:
> 
> > It appears that pwlib-titan version currently in unstable got 
> > miscompiled on sparc somehow, that's currently causing RC build 
> > failures of gnugk (#478502, note that this fails on a number of 
> > architectures, so other people should test whether rebuilding 
> > pwlib-titan on failing arches fixes it) and openh323-titan (#475601). 
> > I have rebuilt pwlib-titan with the current sid toolchain, installed 
> > the resulting packages in the sid chroot and was able to successfully 
> > build both gnugk and openh323-titan. Please binNMU pwlib-titan on 
> > sparc (or let me know if I should do it myself), that should fix two 
> > outstanding RC bugs.
> 
> BinNMU scheduled; gnugk and openh323-titan given back with dep-waits set.

Both have built successfully on sparc [0,1] against the binNMU'd 
version of libpt-1.11.2 (from pwlib-titan source). It is probably 
reasonable to do the same (binNMU pwlib-titan and give back gnugk and
openh323-titan with dep-waits on the new libpt-1.11.2 version) on 
s390, m68k and armel (even though openh323-titan is reported as built 
successfully on m68k, gnugk still fails, so I guess a rebuild will not 
hurt).

[0] http://buildd.debian.org/~jeroen/status/package.php?suite=&p=gnugk&a=sparc
[1] http://buildd.debian.org/~jeroen/status/package.php?suite=&p=openh323-titan&a=sparc

Cheers.
-- 
Jurij Smakov   [EMAIL PROTECTED]
Key: http://www.wooyd.org/pgpkey/  KeyID: C99E03CC






Bug#490010: Pasting text from Pidgin into itself produces gibberish

2008-08-25 Thread Gerfried Fuchs
reassign 490010 libgtk2.0-0
thanks

* Tim Allen <[EMAIL PROTECTED]> [2008-08-23 12:48:42 CEST]:
> This happens every time I paste text from a Pidgin chat window into the
> text-box at the bottom.

 It even happened with pastes to evolution, so it's not a pidgin problem
but rather a gtkhtml widget thing, I guess.

> Steps to reproduce:
>  - Double click on a contact in your buddy list to open a chat window.
>  - In the text box at the bottom, type "wocka wocka" (or anything else)
>  - Select the text with the mouse, then right-click and choose 'copy'.
>  - Click after the text to deselect it.
>  - Right-click in the empty space, then choose "Paste as plain text".
>The text "wocka wocka" should appear.
>  - Right-click in the empty space again, then choose "Paste".
> 
> Expected result:
>  - A third copy of the text "wocka wocka" should appear.
> 
> Actual result:
>  - The text "眀漀挀欀愀 眀漀挀欀愀" appears.
> 
> I notice that the first character of the gibberish replacement is
> U+7700, while the intended text begins with the character U+0077.
> 
> Given that both I and the original reporter are using the PowerPC
> architecture, I strongly suspect Pidgin has some bad endianness
> assumptions.

 Hmm, your analysis makes it really sound like it's an endianness bug.
We now only have to find in what code it might be ...

 So long,
Rhonda






Bug#493917: Copyright headers still missing

2008-08-25 Thread Daniel Le Berre


Hi Michael,

Michael Tautschnig wrote:
| Hi Daniel,
|
| a few moments ago the 2.0.1 build has finally been approved by the
ftp-masters,
| so future uploads will reach the Debian archive quickly.
|
| I intend to package 2.0.2 as soon as time permits, but meanwhile you
might still
| want to fix the missing copyright headers in the test files, which would
| simplify packaging even more :-)
|
| Thanks,
| Michael
|

I will add the headers to the automated tests code this week.

The case of the test files themselves (dimacs or opb format) will still
need to be sorted out however :(

Daniel
- --
~ Daniel Le Berre mailto:[EMAIL PROTECTED]
~ MCF,CRIL-CNRS UMR 8188,Universite d'Artois
~ http://www.cril.univ-artois.fr/~leberre






Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Dmitry E. Oboukhov
On 06:13 Mon 25 Aug , Rene Engelhard wrote:
RE> Hi,

RE> Dmitry E. Oboukhov wrote:
RE>> For example if a script uses in its work a temp file which is  created
RE>> in /tmp directory, then every user can create symlink  with  the  same
RE>> name in this directory in order to  destroy  or  rewrite  some  system
RE>> or user file.  Symlink attack may also  lead  not  only  to  the  data
RE>> destruction but to denial of service as well.
RE>> 
RE>> Even if you create files or directories with help of function 'RANDOM'
RE>> or pid(), then your system is not protected. Attacker can create many
RE>> symlinks in order to destroy your data or create 'denial  of  service'
RE>> for your package scripts.
RE> [...]
RE>> Binary-package: openoffice.org-common (1:2.4.1-6)
RE>> file: /usr/lib/openoffice/program/senddoc

RE> I guess you mean this snippet in the mutt handling part of senddoc?
$ grep -A5 -B5 /tmp/ /usr/lib/openoffice/program/senddoc
#!/bin/sh
URI_ENCODE="`dirname $0`/uri-encode"

echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$

# tries to locate the executable specified 
# as first parameter in the user's path.
which() {
if [ ! -z "$1" ]; then

example for attacker script:

#!...perl

$file_for_attack='/path/to/file';

while(1)
{
exit unless fork;
symlink $file_for_attack, "/tmp//tmp/log.obr.$_" for ($$ .. $$+1);
}

RE> [...]
RE> --body)
RE> TEMPLATE="`basename $0`.mutt."
RE> BODY=`mktemp -q -t ${TEMPLATE}`
RE> echo "$2" > $BODY
RE> shift
RE> [...]
RE> x-terminal-emulator -e ${MAILER} \
RE> ${FROM:+-e} ${FROM:+"set from=\"${FROM}\""} \
RE> ${CC:+-c} ${CC:+"${CC}"} \
RE> ${BCC:+-b} ${BCC:+"${BCC}"} \
RE> ${SUBJECT:+-s} ${SUBJECT:+"${SUBJECT}"} \
RE> ${BODY:+-i} ${BODY:+"${BODY}"} \
RE> ${ATTACH:+-a} ${ATTACH:+"${ATTACH}"} \
RE> ${TO:+"${TO}"} &
RE> rm -f $BODY
RE> [...]

RE> I so far thought mktemp was safe enough? (of course, we get
RE> senddoc.mutt., but...

RE> Regards,

RE> Rene
--

. ''`. Dmitry E. Oboukhov
: :'  : [EMAIL PROTECTED]
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
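
The difference discussed in this thread (the two "echo ... > /tmp/log.obr.$$" lines versus the mktemp call further down in senddoc), as an added shell example that is not part of the thread or of senddoc. The function names, the sandbox directory standing in for /tmp, the constructed senddoc excerpt and the grep heuristic are all assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from senddoc or from the bug thread. Everything
# runs inside a private sandbox directory that stands in for /tmp.

# The pattern from lines 3 and 4 of senddoc: the name is predictable
# (fixed prefix plus PID) and ">" follows a symlink already at that name.
log_args_predictable() {
    dir=$1; shift
    echo "$@" > "$dir/log.obr.$$"
    echo "$#" >> "$dir/log.obr.$$"
}

# Hardened form: mktemp chooses an unpredictable name and creates the file
# exclusively, so an existing symlink is never opened.
# Prints the path of the file it created.
log_args_mktemp() {
    dir=$1; shift
    f=$(mktemp "$dir/log.obr.XXXXXXXXXX") || return 1
    echo "$@" > "$f"
    echo "$#" >> "$f"
    printf '%s\n' "$f"
}

# Returns 0 if the logger function named in $1 changed a file through a
# symlink placed at the predictable name, 1 if the file was left intact.
clobbers_via_symlink() {
    logger_fn=$1
    sandbox=$(mktemp -d) || return 2
    echo "important data" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/log.obr.$$"
    "$logger_fn" "$sandbox" report.odt someone@example.org >/dev/null 2>&1
    content=$(cat "$sandbox/victim")
    rm -rf "$sandbox"
    [ "$content" != "important data" ]
}

# Audit helper: prints "LINE:TEXT" for every redirection in the file $1
# whose target is a literal /tmp/... path. Heuristic only (an assumption of
# this example): it does not follow variables, so a file name obtained from
# mktemp and stored in $BODY is not reported.
find_tmp_redirects() {
    grep -nE '>>?[[:space:]]*"?/tmp/' "$1"
}

# Writes a constructed excerpt of senddoc (lines quoted in the thread) to $1.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
URI_ENCODE="`dirname $0`/uri-encode"
echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$
TEMPLATE="`basename $0`.mutt."
BODY=`mktemp -q -t ${TEMPLATE}`
echo "$2" > $BODY
EOF
}

for impl in log_args_predictable log_args_mktemp; do
    if clobbers_via_symlink "$impl"; then
        echo "$impl: wrote through the symlink"
    else
        echo "$impl: symlink target untouched"
    fi
done
sample=$(mktemp) && write_sample "$sample" && find_tmp_redirects "$sample"
rm -f "$sample"
```

On Linux, fs.protected_symlinks=1 makes the kernel refuse to follow another user's symlink in a sticky world-writable directory, which limits this class of bug but does not replace mktemp.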




Bug#332782: Release Notes: license clarification

2008-08-25 Thread Jens Seidel
On Sun, Aug 24, 2008 at 12:19:46PM -0700, Steve Langasek wrote:
> On Sun, Aug 24, 2008 at 07:00:56PM +0200, W. Martin Borgert wrote:
> > I ask hereby - and in private mails following this one - all
> > authors of the release notes to place their contribution to the
> > release notes under the GNU General Public license (version 2 or
> > higher) by a GPG-signed e-mail to
> > [EMAIL PROTECTED] and/or [EMAIL PROTECTED] Many
> > thanks for your collaboration.

> > jseidel (Jens? Seidel)

Yep, that's me. I'm fine with GPL v2 or later for all my contributions
(German translation, Makefile stuff, ...) and agree to this license.

Please note that beside jseidel (my old CVS account name) also
jseidel-guest is used (svn alioth account name).

Could this be cleaned up? Probably not (would require a svn dump | sed
... | svn load) ...

Many commits from me are just checkins of other people's translations. I do
not own the copyright for it. Nevertheless my commit messages should
always contain the contributor.

Jens






Bug#481522: Patch for the l10n upload of jwchat

2008-08-25 Thread Christian Perrier

Dear maintainer of jwchat,

On Sunday, August 17, 2008 I sent you a notice announcing my intent to upload a
NMU of your package to fix its pending l10n issues, after an initial
notice sent on Tuesday, August 12, 2008.

We finally agreed that you would do the update yourself at the end of
the l10n update round.

That time has come.

To help you out, here's the patch which I would have used for an NMU.
Please feel free to use all of it...or only the l10n part of it.

The corresponding changelog is:


Source: jwchat
Version: 1.0beta3-2.1
Distribution: unstable
Urgency: low
Maintainer: Christian Perrier <[EMAIL PROTECTED]>
Date: Mon, 25 Aug 2008 07:33:14 +0200
Closes: 481522
Changes: 
 jwchat (1.0beta3-2.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix pending l10n issues
   * Debconf translations:
 - Brazilian Portuguese. Closes: #481522

-- 


diff -Nru jwchat-1.0beta3.old/debian/changelog jwchat-1.0beta3/debian/changelog
--- jwchat-1.0beta3.old/debian/changelog	2008-08-07 20:17:38.656301012 +0200
+++ jwchat-1.0beta3/debian/changelog	2008-08-25 07:33:26.655169349 +0200
@@ -1,3 +1,12 @@
+jwchat (1.0beta3-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix pending l10n issues
+  * Debconf translations:
+- Brazilian Portuguese. Closes: #481522
+
+ -- Christian Perrier <[EMAIL PROTECTED]>  Mon, 25 Aug 2008 07:33:14 +0200
+
 jwchat (1.0beta3-2) unstable; urgency=low
 
   * Switch to debhelper 5.
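Review bot: The new entry lists only "Brazilian Portuguese. Closes: #481522" under "Debconf translations", but the same patch also changes debian/po/cs.po and debian/po/de.po (regenerated header fields, updated "../templates" references, re-wrapped msgstr text). Add a line such as "Refresh PO files against the current templates" so the changelog accounts for those files.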
diff -Nru jwchat-1.0beta3.old/debian/po/cs.po jwchat-1.0beta3/debian/po/cs.po
--- jwchat-1.0beta3.old/debian/po/cs.po	2008-08-07 20:17:38.344310439 +0200
+++ jwchat-1.0beta3/debian/po/cs.po	2008-08-17 16:01:14.517115579 +0200
@@ -6,8 +6,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: jwchat 1.0beta2-8\n"
-"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2006-08-06 05:01-0600\n"
+"Report-Msgid-Bugs-To: [EMAIL PROTECTED]"
+"POT-Creation-Date: 2008-08-17 11:01-0300\n"
 "PO-Revision-Date: 2006-08-09 11:43+0200\n"
 "Last-Translator: Martin Sin <[EMAIL PROTECTED]>\n"
 "Language-Team: Czech <[EMAIL PROTECTED]>\n"
@@ -50,5 +50,3 @@
 "Zadejte prosím adresu vašeho jabberového serveru. Pokud máte na tomto "
 "počítači nainstalován ejabberd, pak můžete obvykle nechat výchozí hodnotu "
 "nezměněnou."
-
-
diff -Nru jwchat-1.0beta3.old/debian/po/de.po jwchat-1.0beta3/debian/po/de.po
--- jwchat-1.0beta3.old/debian/po/de.po	2008-08-07 20:17:38.344310439 +0200
+++ jwchat-1.0beta3/debian/po/de.po	2008-08-17 16:01:14.729114968 +0200
@@ -12,47 +12,50 @@
 #Developers do not need to manually edit POT or PO files.
 #
 msgid ""
-msgstr "utf-8\n"
+msgstr ""
 "Project-Id-Version: jwchat 1.0beta2-5\n"
-"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2006-07-16 23:55+0200\n"
+"Report-Msgid-Bugs-To: [EMAIL PROTECTED]"
+"POT-Creation-Date: 2008-08-17 11:01-0300\n"
 "PO-Revision-Date: 2006-07-17 00:30+0200\n"
 "Last-Translator: Torsten Werner <[EMAIL PROTECTED]>\n"
 "Language-Team: LANGUAGE <[EMAIL PROTECTED]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+"utf-8\n"
 
 #. Type: string
 #. Description
-#: ../templates:4
+#: ../templates:1001
 msgid "The name of the virtual server used for apache2:"
 msgstr "Der Name des von Apache2 verwendeten virtuellen Servers:"
 
 #. Type: string
 #. Description
-#: ../templates:4
+#: ../templates:1001
 msgid ""
 "The automatic apache2 configuration needs a name for a virtual server that "
 "is used exclusively by jwchat. If you do not want any automatic "
 "configuration, please answer 'none' here (without quotes)."
-msgstr "Die automatische Apache2-Konfiguration benötigt einen Namen für einen "
-"virtuellen Server, der ausschließlich von jwchat verwendet wird. Wenn Sie die "
-"automatische Konfiguration abschalten wollen, geben Sie bitte 'none' ein (ohne "
-"Anführungszeichen)."
+msgstr ""
+"Die automatische Apache2-Konfiguration benötigt einen Namen für einen "
+"virtuellen Server, der ausschließlich von jwchat verwendet wird. Wenn Sie "
+"die automatische Konfiguration abschalten wollen, geben Sie bitte 'none' ein "
+"(ohne Anführungszeichen)."
 
 #. Type: string
 #. Description
-#: ../templates:12
+#: ../templates:2001
 msgid "The URL of your jabber server:"
 msgstr "Die URL des Jabberservers:"
 
 #. Type: string
 #. Description
-#: ../templates:12
+#: ../templates:2001
 msgid ""
 "Please enter the address where your jabber server can be reached. Usually "
 "you can leave the default value unchanged if you have installed ejabberd "
 "locally."
-msgstr "Geben Sie bitte die Adresse des Jabberservers ein. Normalerweise können "
-"Sie den Vorgabewert benutzen, wenn Sie ejabberd lokal installiert haben."
+msgstr ""
+"Geben Sie bitte die Adresse des Jabberservers ein. Normalerweise können Sie "
+"den Vorgabewert benutzen, wenn Sie ejabberd lokal installiert haben."
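Review bot: the `+"utf-8\n"` line appended at the end of the header block is not a `Field: value` header entry. It is the old `msgstr "utf-8\n"` content moved to the bottom, and the charset is already declared by `Content-Type: text/plain; charset=utf-8`, so it should be dropped rather than kept. In the same header, `Language-Team` still carries the `LANGUAGE` placeholder; it is worth filling in while the file is being touched.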
diff -Nru jwchat-1.0beta3.old/debian/po/fr.po jwchat-1.0beta3/debian/po/fr.po
--- jwchat-1.0beta3.old/debian/po/fr.po	2008-08-07 20:17:38.344310439 +0200

Bug#496439: no text on graph created by rrdtool

2008-08-25 Thread Sebastian Harl
reassign 496439 librrd2
forcemerge 493575 496439
thanks

Hi,

On Sun, Aug 24, 2008 at 08:20:56PM +0200, Begault Luc wrote:
> rrdtool creates graphs without any text (such as legends) in cacti. The
> blog entry
> http://ramblingfoo.blogspot.com/2007/08/softfloat-rrdtool-sequel.html
> shows the same output as me.

This has already been reported twice - see [1] and [2].

Cheers,
Sebastian

[1] http://bugs.debian.org/493575
[2] http://bugs.debian.org/493594

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin





Bug#496500: yaird: fails to create initrd when running 2.6.24 etchnhalf kernel

2008-08-25 Thread James Andrewartha
Package: yaird
Version: 0.0.12-18
Severity: important

This is bug 431534, exposed again because stable has an old version of
yaird but a recent kernel.

martello:~# dpkg --configure -a
Setting up linux-image-2.6.18-6-amd64 (2.6.18.dfsg.1-22etch2) ...
Running depmod.
Finding valid ramdisk creators.
Using mkinitrd.yaird to build the ramdisk.
yaird error: unrecognised line in /proc/bus/input/devices: U: Uniq= (fatal)
mkinitrd.yaird failed to create initrd image.
Failed to create initrd image.
dpkg: error processing linux-image-2.6.18-6-amd64 (--configure):
 subprocess post-installation script returned error exit status 9
 Errors were encountered while processing:
  linux-image-2.6.18-6-amd64

-- System Information:
Debian Release: lenny/sid
  APT prefers stable
  APT policy: (800, 'stable'), (500, 'testing'), (99, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-etchnhalf.1-amd64
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages yaird depends on:
ii  cpio                   2.6-18.1+etch1     GNU cpio -- a program to manage ar
ii  dash                   0.5.3-7            The Debian Almquist Shell
ii  libc6                  2.3.6.ds1-13etch7  GNU C Library: Shared libraries
ii  libhtml-template-perl  2.8-1              HTML::Template : A module for usin
ii  libparse-recdescent-pe 1.94.free-3        Generates recursive-descent parser
ii  perl                   5.8.8-7etch3       Larry Wall's Practical Extraction

yaird recommends no packages.

-- no debconf information







Bug#496362: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thomas Goirand
Thijs Kinkhorst wrote:
> Hi,
> 
>> Done as the mass-opening of symlink attack in /tmp was wrong in this case.
> 
> I don't think closing this is the appropriate action. Sure, debug code is not 
> top priority. But still, the fix is straightforward and puts extra protection 
> on those running in debug mode. Besides, people tend to copy-paste stuff all 
> the time so eliminating it may prevent introducing a more pertinent bug.
> 
> I therefore encourage you strongly to just address the issue for lenny, even 
> if it's only debug code.
> 
> 
> Thijs

Ok, I'll be working on it, and it will be fixed asap with a new release.

Thomas






Bug#496499: screen-message: setting background doesn't work

2008-08-25 Thread Gerfried Fuchs
Package: screen-message
Version: 0.14-1
Severity: normal

Hi!

 Some of your further changes seem to eliminate the possibility to set
the background color of the window. It starts up for a very short while
with the chosen background color but switches to white shortly after.

 I'm not too sure but I think the problem might reside in these changes
to the code:

#v+
@@ -220,13 +258,9 @@
gtk_widget_modify_bg(window, GTK_STATE_NORMAL, &white);
gtk_widget_modify_fg(window, GTK_STATE_NORMAL, &black);

-   draw = gtk_drawing_area_new();
-   gtk_widget_set_events(draw, GDK_BUTTON_PRESS_MASK);
-   gtk_widget_set_size_request(draw,400,400);
-   gtk_widget_modify_bg(draw, GTK_STATE_NORMAL, &white);
-   gtk_widget_modify_fg(draw, GTK_STATE_NORMAL, &black);
-   g_signal_connect(G_OBJECT(draw), "realize", G_CALLBACK(realize), NULL);
-   g_signal_connect(G_OBJECT(draw), "button-press-event", 
G_CALLBACK(text_clicked), NULL);
+   gtk_widget_set_events(window, GDK_BUTTON_PRESS_MASK);
+   g_signal_connect(G_OBJECT(window), "realize", G_CALLBACK(realize), 
NULL);
+   g_signal_connect(G_OBJECT(window), "button-press-event", 
G_CALLBACK(text_clicked), NULL);

GdkPixmap *pixmap = gdk_pixmap_new(NULL, 1, 1, 1);
GdkColor color;
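Review bot: after this change the only background colour set near the widget setup is the hard-coded `&white` in the context line `gtk_widget_modify_bg(window, GTK_STATE_NORMAL, &white);`, and the `realize` handler is now connected to `window` instead of `draw`. If a user-selected colour is applied anywhere, it has to be applied to `window` after these calls and must not be overridden when `realize` fires; the hunk should either use the chosen colour here in place of `&white` or show where it is set.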
#v-

 The colors are only set for the window but not for the drawing area
within it? Or did the drawing area get removed altogether? Maybe my
analysis is wrong, but I don't want this problem to go missing or
forget about it. :)

 Thanks for your great work anyway!
Rhonda






Bug#496362: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thomas Goirand
Christian Perrier wrote:
> Quoting Thomas Goirand ([EMAIL PROTECTED]):
> 
>> I'm closing this bug. If you find that it still needs to be fixed, let
>> me know and reopen the bug.
> 
> But then set it to wishlist
> 
> This MBF is one of the worst I've ever seen.

I'm reopening the issue, as there is a real one behind it. See the
"unlink" at the beginning, as pointed out by the person that opened the issue
in the first place? That really has to be fixed. I'll work on it and
come back with a fix not later than tomorrow (got other things to do today).

Thomas







Bug#474089: [Pkg-virtualbox-devel] Bug#474089: closed by Michael Meskes

2008-08-25 Thread Michael Meskes
On Sun, Aug 24, 2008 at 09:29:03PM +0200, Michael Biebl wrote:
> NOLSB=yes
> [..]
> [ -f /lib/lsb/init-functions ] || NOLSB=yes
> 
> ==> NOLSB will never be no

This is not exactly true because in [...] /etc/default/virtualbox-ose is
sourced if available. Thus NOLSB could be reset there.

> Don't make a lot of sense, as the NOLSB variable will never be empty

Again, it could be set in the default file. However, I do agree that the test 
should be the other way round:

[ -f /lib/lsb/init-functions ] && NOLSB=

Okay?

Michael
-- 
Email: Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
   Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo: michaelmeskes, Jabber: [EMAIL PROTECTED]
Go VfL Borussia! Go SF 49ers! Use Debian GNU/Linux! Use PostgreSQL!






Bug#496387: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Dmitry E. Oboukhov
JL> please can you sponsor the new package? The description file is at
JL> ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc

$ dget ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc
dget: retrieving
ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc

curl: (67) Access denied: 530
dget: curl wims_3.62-15.dsc
ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc failed

sorry, i cannot download it :(
--

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Bug#496501: cups: samba can't see printers with iso-8859-1

2008-08-25 Thread Kevin Mitchell
Package: cups
Version: 1.3.8-1
Severity: normal

Upon a fresh boot, samba can see all printers fine as evidenced by

#rpcclient  -c enumprinters localhost

However, if samba is restarted, I see the following message repeated 5 times in 
/var/log/cups/error_log:

E [22/Aug/2008:02:51:12 -0700] Unsupported character set "iso-8859-1"!

and the command above returns no printers. I found that it was necessary to add

   display charset = UTF8

into /etc/samba/smb.conf to force samba to use utf8 even if the system default 
is iso-8859-1. 

That seems to fix things. I would speculate that the reason samba sees
printers on boot is that it is started before the default system locale
is applied. 

It would be nice if the above fix were not necessary.

Kevin


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (600, 'testing'), (400, 'unstable'), (300, 'stable'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1) (ignored: LC_ALL set to en_GB)
Shell: /bin/sh linked to /bin/bash

Versions of packages cups depends on:
ii  adduser               3.108              add and remove users and groups
ii  cups-common           1.3.8-1            Common UNIX Printing System(tm) -
ii  debconf [debconf-2.0] 1.5.22             Debian configuration management sy
ii  ghostscript           8.62.dfsg.1-3      The GPL Ghostscript PostScript/PDF
ii  libavahi-compat-libdn 0.6.23-2           Avahi Apple Bonjour compatibility
ii  libc6                 2.7-13             GNU C Library: Shared libraries
ii  libcups2              1.3.8-1            Common UNIX Printing System(tm) -
ii  libcupsimage2         1.3.8-1            Common UNIX Printing System(tm) -
ii  libdbus-1-3           1.2.1-3            simple interprocess messaging syst
ii  libgnutls26           2.4.1-1            the GNU TLS library - runtime libr
ii  libkrb53              1.6.dfsg.4~beta1-3 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.10-3           OpenLDAP libraries
ii  libpam0g              1.0.1-2            Pluggable Authentication Modules l
ii  libpaper1             1.1.23+nmu1        library for handling paper charact
ii  libslp1               1.2.1-7.3          OpenSLP libraries
ii  lsb-base              3.2-19             Linux Standard Base 3.2 init scrip
ii  perl-modules          5.10.0-11.1        Core Perl modules
ii  poppler-utils [xpdf-u 0.8.4-1.1          PDF utilitites (based on libpopple
ii  procps                1:3.2.7-8          /proc file system utilities
ii  ssl-cert              1.0.22             simple debconf wrapper for OpenSSL

Versions of packages cups recommends:
ii  avahi-utils           0.6.23-2           Avahi browsing, publishing and dis
ii  cups-client           1.3.8-1            Common UNIX Printing System(tm) -
ii  foomatic-filters      3.0.2-20080211-3.1 OpenPrinting printer support - fil
ii  smbclient             2:3.2.0-4          a LanManager-like simple client fo

Versions of packages cups suggests:
ii  cups-bsd                1.3.8-1          Common UNIX Printing System(tm) -
pn  cups-driver-gutenprint                   (no description available)
ii  cups-pdf                2.4.8-2          PDF printer for CUPS
ii  foomatic-db             20080211-2       OpenPrinting printer support - dat
ii  foomatic-db-engine      3.0.2-20080211-1 OpenPrinting printer support - pro
ii  hplip                   2.8.6-2          HP Linux Printing and Imaging Syst
pn  xpdf-korean | xpdf-japa                  (no description available)

-- debconf information:
* cupsys/raw-print: true
* cupsys/backend: ipp, lpd, parallel, scsi, serial, socket, usb, snmp, dnssd






Bug#495484: Is the rest of the data free?

2008-08-25 Thread Guus Sliepen
On Mon, Aug 25, 2008 at 09:01:49AM +0200, Raphael Champeimont (Almacha) wrote:

> > According to upstream it's just the music and sound effects that were taken
> > from online resources, the graphics were created by upstream.
> 
> Ok, so as only sound and music are not free, it would be great if the
> game could still be played by using only packages in main. I see the
> following solutions:
> 
> 1a. Make 2 data packages, a blobwars-data-non-free with the original
> data, and a blobwars-data-free with original graphics, replaced music
[...]
> 1b. Same as 1a, but keeping the "common" data (graphics) in the blobwars
> package, and only having blobwars-audio-non-free and
> blobwars-audio-free. I don't know if this is possible, as it looks
> everything needs to be in one PAK file.
[...]
> 2. Have a non-dependency between blobwars (from main, with code and
> graphics) and eg. blobwars-audio-non-free (from non-free, with music and
> sound) and patch the code so that blobwars works even if it does not
> find music and sound (currently missing music files only prints a
> warning if USEPAK=0 and I'm not sure it handles correctly the situation
> if USEPAK=1 even if it does not crash, but missing sound files is a
> fatal error).

I'm already working on it, and I'm going for option 2. I don't have too much
free time at the moment, so it might take a few days before I'll upload the
results.

-- 
Met vriendelijke groet / with kind regards,
  Guus Sliepen <[EMAIL PROTECTED]>




Bug#492665: Uploaded: copher -- automatically make a SourceForge release

2008-08-25 Thread Reuben Thomas

On Mon, 25 Aug 2008, Jonathan Wiltshire wrote:

> Uploaded to mentors.debian.net and awaiting sponsorship. If you want it
> sooner, the source package is at
> http://mentors.debian.net/debian/pool/main/c/copher

Thanks very much for this.

--
http://rrt.sc3d.org/ | Travail broadens the behind






Bug#494466: [patch, RFC] Allow to select driver inclusion policy for initramfs-tools

2008-08-25 Thread Martin Michlmayr
* Frans Pop <[EMAIL PROTECTED]> [2008-08-25 10:10]:
> On Monday 25 August 2008, Martin Michlmayr wrote:
> > - the question was not asked (because debconf priority > medium)
> 
> That would break the case where the architecture default is different from 
> the default of initramfs-tools

This would be met by the 2nd condition:

> >  - the policy is the same as the default of initramfs-tools (most)
> I thought about that, but that assumes the default of initramfs-tools 
> won't ever change. I'd prefer not to base code on that assumption.

Okay, fair enough.

-- 
Martin Michlmayr
http://www.cyrius.com/






Bug#496450: ncmpc: Jumping to song dir from search (F5) not possible

2008-08-25 Thread Sebastian Harl
Hi,

On Sun, Aug 24, 2008 at 09:59:22PM +0200, Hagen Fuchs wrote:
> It would be very logical to implement a way to enter the album that
> corresponds to one of the resulting entries in a search list; á la:
> 
>   "I'd really like to hear that album where 'foo' sang 'bar'!"

I'm not sure I did understand you correctly. What do you mean by
"entering some album"? Do you mean something like "add the corresponding
album to the playlist"?

Cheers,
Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin





Bug#496494: [libc6] gdb fail to debug with a dlopen() call

2008-08-25 Thread Aurelien Jarno
Laurent Carlier wrote:
> Package: libc6
> Version: 2.7-13
> Severity: normal
> 
> --- Please enter the report below this line. ---
> 
> Debugging session fails when a dlopen() call is reached. The problem occurs
> when trying to debug some gambas2 (in unstable) or gambas3 executable.
> 

Please try to install libc6-dbg to see if it helps.


-- 
  .''`.  Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' :  Debian developer   | Electrical Engineer
 `. `'   [EMAIL PROTECTED] | [EMAIL PROTECTED]
   `-people.debian.org/~aurel32 | www.aurel32.net






Bug#496191: Package description misses a space at the begining of a line, causing "dpkg -l" to fail.

2008-08-25 Thread Fabian Fagerholm
tags + unreproducible
thanks

On Sat, 2008-08-23 at 08:14 -0300, Henrique de Moraes Holschuh wrote:
> On Sat, 23 Aug 2008, nathael wrote:
> > -suse this package on a server that provides SASL authentication, then
> > + suse this package on a server that provides SASL authentication, then
> 
> Rather, it should be
> -suse this package on a server that provides SASL authentication, then
> + use this package on a server that provides SASL authentication, then

Indeed, but how on earth did that change occur? It's not present in any
SVN revision that I can find. The latest version of the control file is
visible here:

http://svn.debian.org/wsvn/pkg-cyrus-sasl2/cyrus-sasl-2.1/trunk/debian/control?op=file&rev=0&sc=0

The latest armel buildd log doesn't show that string either:

http://buildd.debian.org/fetch.cgi?pkg=cyrus-sasl2;ver=2.1.22.dfsg1-22%2Bb1;arch=armel;stamp=1219452953

Nathanael, are you sure everything is ok with your armel system? Could
there be some corruption of the dpkg databases or some other local
error? If you reinstall the package, does that change anything? Which
mirror are you using -- could it be a local error on that mirror?

Cheers,
-- 
Fabian Fagerholm <[EMAIL PROTECTED]>




Bug#496495: openssh-client: ssh-vulnkey "see manpage" message is unnecessary

2008-08-25 Thread Colin Watson
tags 496495 pending
thanks

On Mon, Aug 25, 2008 at 12:51:23AM -0700, Kevin Mitchell wrote:
> When running ssh-vulnkey -a on a system with no compromised keys, I used
> to get no output. I would argue this to be the correct behaviour. Now, 
> however I get
> 
> #
> # See the ssh-vulnkey(1) manual page for further advice.
> 
> which is an entirely superfluous, and even misleading message as it
> would seem to suggest there is something wrong that reading the manpage
> might explain. Anyone with half a brain operating a Debian system with
> ssh enabled should know not only to read this man page, but also the
> scores of other information about how to mitigate this vulnerability.
> 
> This is also very inconvenient for running ssh-vulnkey -a in cron,
> which must now filter out this message so it doesn't email root when
> there's nothing wrong.

I do think the message is useful if there are compromised or unknown
keys (it is superfluous in some sense, but this is a delicate situation
that I think justifies some extra hand-holding). However, you're right
that it's clearly pointless if all keys are OK.

I've changed ssh-vulnkey for my next upload to only display this message
if there are compromised or unknown keys, and tweaked the verbose mode a
little.

Thanks,

-- 
Colin Watson   [EMAIL PROTECTED]






Bug#496494: [libc6] gdb fail to debug with a dlopen() call

2008-08-25 Thread Laurent Carlier
On Monday 25 August 2008 10:54:11, you wrote:
> Laurent Carlier wrote:
> > Package: libc6
> > Version: 2.7-13
> > Severity: normal
> >
> > --- Please enter the report below this line. ---
> >
> > Debugging session fails when a dlopen() call is reached. The problem occurs
> > when trying to debug some gambas2 (in unstable) or gambas3 executable.
>
> Please try to install libc6-dbg to see if it helps.

It's already installed and doesn't change anything (except the backtrace for 
the glibc part). 

[EMAIL PROTECTED]:~$ apt-cache policy libc6-dbg
libc6-dbg:
  Installé : 2.7-13
  Candidat : 2.7-13

I've installed the libc6 experimental package on my laptop without any 
changes.

++







Bug#496387: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Georges Khaznadar
Hello Dmitri,

wget downloads the description file easily:
---8<-
gk:/tmp$ LC_ALL=C wget 
ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc
--2008-08-25 11:00:51--  
ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc
   => `wims_3.62-15.dsc'
Resolving debian.ofset.org... 131.246.124.227
Connecting to debian.ofset.org|131.246.124.227|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.==> PWD ... done.
==> TYPE I ... done.  ==> CWD /debian/pool/main/w ... done.
==> SIZE wims_3.62-15.dsc ... 411
==> PASV ... done.==> RETR wims_3.62-15.dsc ... done.
Length: 411

100%[==>] 411 --.-K/s   in 0.001s  

2008-08-25 11:00:52 (507 KB/s) - `wims_3.62-15.dsc' saved [411]
---8<-

However, neither dget nor curl succeeds in accessing the same URL. I suppose
that it is due to some misconfiguration of our ftp server, but I do not know which
configuration is wrong. If you want, I can send you the files directly.

Best regards,   Georges.

Dmitry E. Oboukhov wrote:
> JL> please can you sponsor the new package? The description file is at
> JL> ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc
> 
> $ dget ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc
> dget: retrieving
> ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc
> 
> curl: (67) Access denied: 530
> dget: curl wims_3.62-15.dsc
> ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc failed
> 
> sorry, i cannot download it :(
> --
> 
> . ''`. Dmitry E. Oboukhov
> : :’  : [EMAIL PROTECTED]
> `. `~’ GPGKey: 1024D / F8E26537 2006-11-21
>   `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537



-- 
Georges KHAZNADAR et Jocelyne FOURNIER
22 rue des mouettes, 59240 Dunkerque France.
Téléphone +33 (0)3 28 29 17 70





Bug#492597: cairo backend crashes

2008-08-25 Thread Daniel Leidert
Hi Martin,

I cannot reproduce the crash on my system. Can you check with LANG=C
and/or send me a backtrace?

Regards, Daniel







Bug#496375: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Julien Valroff
Hi Dmitry,

On Sunday 24 August 2008 at 22:05 +0400, Dmitry E. Oboukhov wrote:
> Package: rkhunter
> Severity: grave
> 
> Hi, maintainer!
> 
> This message about the error concerns a few packages  at  once.   I've
> tested all the packages (for Lenny) on my Debian mirror.  All  scripts
> of packages (marked as executable) were tested.
> 
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.
> 
> For example if a script uses in its work a temp file which is  created
> in /tmp directory, then every user can create symlink  with  the  same
> name in this directory in order to  destroy  or  rewrite  some  system
> or user file.  Symlink attack may also  lead  not  only  to  the  data
> destruction but to denial of service as well.

I think rkhunter is safe, given that the script does check that the file
in /tmp is a file (and not a symlink) before using it:

if [ "$1" = "--debug" ]; then
    if [ -e "/tmp/rkhunter-debug" ]; then
        if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
            rm -f /tmp/rkhunter-debug >/dev/null 2>&1
        else
            echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
            exit 1
        fi
    fi

Would you please confirm this is ok so that I can close this bug?

Cheers,
Julien
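
The excerpt in the message above tests `/tmp/rkhunter-debug` and then acts on it in separate steps. As an added example (not part of the message and not rkhunter's code; the function names are hypothetical), the following creates a debug file so that the existence check and the creation are one atomic operation, or places it in a private `mktemp -d` directory instead of under a fixed name.

```shell
#!/bin/sh
# Added example, not rkhunter's code. Function names are hypothetical.

# create_exclusive PATH
# Create PATH only if nothing exists there. With noclobber (set -C) the shell
# opens a missing path with O_CREAT|O_EXCL, so the existence check and the
# creation are a single system call. O_EXCL also refuses a symlink at PATH,
# dangling or not, instead of following it.
create_exclusive() {
    ( set -C; umask 077; : > "$1" ) 2>/dev/null
}

# private_debug_file
# Avoid the fixed name in a shared directory altogether: mktemp -d makes a
# mode-0700 directory with an unpredictable name, and only its owner can
# create entries inside it. Prints the path of the new log file.
private_debug_file() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/debug.XXXXXX") || return 1
    create_exclusive "$dir/debug.log" || return 1
    printf '%s\n' "$dir/debug.log"
}

# start_debug_log [FIXED_PATH]
# Use the private file by default. If a fixed path is requested, create it
# exclusively and fail closed when anything is already there, rather than
# testing it and removing it in separate steps. In a sticky directory such as
# /tmp, a file we created ourselves cannot be unlinked or renamed by others,
# so appending to it by name afterwards is safe.
start_debug_log() {
    if [ -n "${1:-}" ]; then
        create_exclusive "$1" || { echo "refusing to reuse $1" >&2; return 1; }
        log=$1
    else
        log=$(private_debug_file) || return 1
    fi
    printf 'debug started\n' >> "$log"
    printf '%s\n' "$log"
}
```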









Bug#496038: stellarium: segmentation fault

2008-08-25 Thread Klaus Ade Johnstad
On Friday 22 August 2008 19:49, Cedric Delfosse wrote:
> Looks like the segfault comes from the DRI library. Could you disable
> DRI from your X configuration, and try again ?
>
> Regards,
>
> Cédric

I have no mention of DRI in my X configuration. But adding this stanza 
to xorg.conf helped:

Section "Module"
    Disable "dri"
EndSection



-- 
Klaus Ade
67E61D18B2C44F8A3DA35C6D849F9F5F 26FA477D







Bug#496502: mdadm: Tries to start array at boot before partitions is found.

2008-08-25 Thread Lars Michael Jogback
Package: mdadm
Version: 2.6.7-3
Severity: critical
Justification: breaks the whole system


Hi,

I've got a system setup with two physical disks, md-raid1 on top of those,
dm-crypt on top of that and lvm at the top.

The hardware is a SunFire v120 SPARC.

The system was originally installed with Debian Etch, and worked fine, but
upgrading to lenny causes this problem.

When booting with lenny, mdadm tries to start the array before the partitions
have been detected. I've solved the issue temporarily by putting a "sleep 10"
first in /usr/share/initramfs-tools/scripts/local-top/mdadm

The bootlog when it doesn't work:
---
[   39.127637] scsi 0:0:0:0: Direct-Access FUJITSU  MAP3367NC0108 
PQ: 0 ANSI: 3
[   39.450517]  target0:0:0: tagged command queuing enabled, command queue 
depth 16.
[   39.758693]  target0:0:0: Beginning Domain Validation
[   39.938798]  target0:0:0: asynchronous
[   40.088667]  target0:0:0: wide asynchronous
[   40.247300]  target0:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 31)
[   40.475801]  target0:0:0: Domain Validation skipping write tests
[   40.678572]  target0:0:0: Ending Domain Validation
[   40.856260] scsi 0:0:1:0: Direct-Access FUJITSU  MAP3367NC0108 
PQ: 0 ANSI: 3
[   41.178809]  target0:0:1: tagged command queuing enabled, command queue 
depth 16.
[   41.486787]  target0:0:1: Beginning Domain Validation
[   41.667130]  target0:0:1: asynchronous
[   41.810661] Probing IDE interface ide1...
[   41.828389]  target0:0:1: wide asynchronous
[   41.987341]  target0:0:1: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 31)
[   42.218272]  target0:0:1: Domain Validation skipping write tests
[   42.418864]  target0:0:1: Ending Domain Validation
[   43.17] md: raid1 personality registered for level 1
[   43.388968] md: md0 stopped.
[   43.533868] md: md1 stopped.
[   43.722734] eth0: Link is up at 100 Mbps, full-duplex.
[   43.722734] eth0: Pause is disabled
[   48.467190] eth1: switching to forced 100bt
[   48.660482] Driver 'sd' needs updating - please use bus_type methods
[   48.906909] sd 0:0:0:0: [sda] 71775284 512-byte hardware sectors (36749 MB)
[   49.136431] sd 0:0:0:0: [sda] Write Protect is off
[   49.307100] sd 0:0:0:0: [sda] Mode Sense: b3 00 00 08
[   49.308473] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, 
doesn't support DPO or FUA
[   49.655872] sd 0:0:0:0: [sda] 71775284 512-byte hardware sectors (36749 MB)
[   49.887985] sd 0:0:0:0: [sda] Write Protect is off
[   50.059144] sd 0:0:0:0: [sda] Mode Sense: b3 00 00 08
[   50.060510] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, 
doesn't support DPO or FUA
[   50.407309]  sda: sda1 sda2 sda3
[   50.619336] sd 0:0:0:0: [sda] Attached SCSI disk
[   50.792713] sd 0:0:1:0: [sdb] 71775284 512-byte hardware sectors (36749 MB)
[   51.021391] sd 0:0:1:0: [sdb] Write Protect is off
[   51.191363] sd 0:0:1:0: [sdb] Mode Sense: b3 00 00 08
[   51.196236] sd 0:0:1:0: [sdb] Write cache: enabled, read cache: enabled, 
doesn't support DPO or FUA
[   51.543951] sd 0:0:1:0: [sdb] 71775284 512-byte hardware sectors (36749 MB)
[   51.773558] sd 0:0:1:0: [sdb] Write Protect is off
[   51.943268] sd 0:0:1:0: [sdb] Mode Sense: b3 00 00 08
[   51.947632] sd 0:0:1:0: [sdb] Write cache: enabled, read cache: enabled, 
doesn't support DPO or FUA
[   52.291287]  sdb: sdb1 sdb2 sdb3
[   52.503614] sd 0:0:1:0: [sdb] Attached SCSI disk
---
Note that the mdadm script is run at approx 43 seconds, before the partitions are
detected.

When I've set the "sleep 10" first in mdadm-script this is the bootlog
---
[   39.135641] scsi 0:0:0:0: Direct-Access FUJITSU  MAP3367NC0108 
PQ: 0 ANSI: 3
[   39.458520]  target0:0:0: tagged command queuing enabled, command queue 
depth 16.
[   39.766686]  target0:0:0: Beginning Domain Validation
[   39.946875]  target0:0:0: asynchronous
[   40.096772]  target0:0:0: wide asynchronous
[   40.255505]  target0:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 31)
[   40.483927]  target0:0:0: Domain Validation skipping write tests
[   40.686574]  target0:0:0: Ending Domain Validation
[   40.864459] scsi 0:0:1:0: Direct-Access FUJITSU  MAP3367NC0108 
PQ: 0 ANSI: 3
[   41.186769]  target0:0:1: tagged command queuing enabled, command queue 
depth 16.
[   41.494787]  target0:0:1: Beginning Domain Validation
[   41.675130]  target0:0:1: asynchronous
[   41.818662] Probing IDE interface ide1...
[   41.834068]  target0:0:1: wide asynchronous
[   41.992104]  target0:0:1: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 31)
[   42.220035]  target0:0:1: Domain Validation skipping write tests
[   42.422847]  target0:0:1: Ending Domain Validation
[   46.531492] Driver 'sd' needs updating - please use bus_type methods
[   46.756232] sd 0:0:0:0: [sda] 71775284 512-byte hardware sectors (36749 MB)
[   46.986986] sd 0:0:0:0: [sda] Write Protect is off
[   47.158990] sd 0:0:0:0: [sda] Mode Sense: b3 00 00 08
[   47.160415] sd 0:0:0:0: [sda] Write cac

Bug#496368: Downgrading due to lack of evidence

2008-08-25 Thread Neil Williams
Without a clear explanation of exactly what problem might occur and with
clear signs that this bug was filed without due preparation, I've
downgraded it pending clarification of the precise problem.

-- 


Neil Williams
=
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/






Bug#496503: vim-full: Please talk about "filetype plugin on"

2008-08-25 Thread Marc Fargas
Package: vim-full
Version: 2:7.2.000-2
Severity: wishlist

Hi,

For us, the lame vim users, 2.7.2c disabled "Filetype plugins" (that
is, they are no longer automatically enabled) and, as lame we are, it
took a while to first look at NEWS.Debian.gz where it says about that,
and later find out how to enable filetype plugins (add "filetype
plugin on" to .vimrc).

Maybe the NEWS file could say this where it says that it's no longer
auto enabled!

Anyway, thanks for packaging the best editor ever made ;))

Regards,
Marc

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'gutsy'), (300, 'unstable'), (150, 
'experimental'), (100, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages vim-full depends on:
ii  vim-gnome  2:7.2.000-2  Vi IMproved - enhanced vi editor -

vim-full recommends no packages.

vim-full suggests no packages.

-- no debconf information






Bug#495738: abiword: Garbled text

2008-08-25 Thread Lorenzo Breda
I have the same problem, with a lot of fonts. Especially with Microsoft
ones, it is so annoying when I read files made with MS Office.

-- 
Lorenzo Breda
Linux user #387700
Query keyserver.linux.it for gpg key
Fingerprint:
4A99 1D3C 3EDE 9A08 E074 D6AD 9916 53D8 CF52 7180







Bug#482439: cfengine2: There are still a ton of segfaults

2008-08-25 Thread Morten Werner Forsbring
Richard A Nelson <[EMAIL PROTECTED]> writes:

>>> ==12662== Invalid read of size 1
>>> ==12662==    at 0x80778C8: (within /usr/sbin/cfagent)
>>> ==12662==    by 0x8077A8A: (within /usr/sbin/cfagent)
>>> ==12662==    by 0x807A48E: (within /usr/sbin/cfagent)
>>> ==12662==    by 0x8053AC0: (within /usr/sbin/cfagent)
>>> ==12662==    by 0x8053ECC: (within /usr/sbin/cfagent)
>>> ==12662==    by 0x431A44F: (below main) (libc-start.c:222)
>>> ==12662==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
>>> ==12662==
>>> ==12662== Process terminating with default action of signal 11 (SIGSEGV)
>>> ==12662==  Access not within mapped region at address 0x0
>
>> Hi,
>>
>> and sorry for this late reply. Have you tested if this is improved
>> with 2.2.7-1 of cfengine?
>
> I don't see it on the servers (amd64), but it persists on the
> client (x86-32) boxen - now with about the same regularity (ie, not
> every single run, but a couple times a day) - so much better than
> before :)

Cfengine2 2.2.8-1 was uploaded to unstable a few days ago, are you able
to test this version as well? Upstream claims that they have been
"fixing an important threading error that has become apparent with the
influx of multicore processors".


- Werner






Bug#494227: xmlroff: diff for NMU version 0.6.0-1.1

2008-08-25 Thread Daniel Leidert
On Monday, 25.08.2008 at 01:14 +0200, W. Martin Borgert wrote:
> On 2008-08-25 00:13, Thomas Viehmann wrote:
> > Unfortunately, Martin, it makes the Debian refcard look ugly.
> > Nonetheless, I believe moving from segfault to quirky output
> > warrants closing the RC bug here. As such, I'll upload in the
> > next days unless someone objects.
> 
> No objection from my side. But it would be good if you post the
> patch on upstream mailing list for comments. Thanks!

I've forwarded it to upstream tracker item #99 as it is already about
several problems with the table rendering code.

Regards, Daniel







Bug#481581: [Debian-olpc-devel] Bug#481581: Bug#481581 sugar: Sugar can power down the computer

2008-08-25 Thread Morgan Collett
2008/8/23 [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> Hi,
> I refresh my patch for the 82.0 release of sugar. The patch is really
> simple since now sugar's session_manager has a function that handles
> the logout.

Reported upstream, with your patch, at http://dev.laptop.org/ticket/8141

Regards
Morgan






Bug#478502: pwlib-titan needs to be binNMU'd on sparc

2008-08-25 Thread Mark Purcell
On Monday 25 August 2008 18:17:03 Jurij Smakov wrote:
> Both have built successfully on sparc [0,1] against the binNMU'd 
> version of libpt-1.11.2 (from pwlib-titan source)

Jurij,

Thanks for your debugging of this.  Good news.

Mark






Bug#492299: closing...

2008-08-25 Thread Holger Levsen
severity 492299 normal
close 492299
thanks

Hi Terry,

first, setting the right severity...

second, closing, as you failed to provide any useful info to debug and fix 
this bug, which is probably already fixed anyway, as Debian is used on many 
Thinkpads.

If the problem still occurs, after updating to latest lenny, please do open 
another bugreport.


regards,
Holger




Bug#495331: Same bug as bug #400768

2008-08-25 Thread A . Kuckartz
This is the same bug as bug #400768: 

apt: Returns "E: Wow, you exceeded the number of versions this APT is 
capable of" 

Bug #400768 has been merged with bug #466643 







Bug#400768: Same bug as bug #495331

2008-08-25 Thread A . Kuckartz
This is the same bug as bug #495331: 

apt-get on SID fails in German locale: "E: Toll, Sie haben die Anzahl an 
Beschreibungen überschritten, die APT handhaben kann." 








Bug#496338: udev: Buffer I/O error following upgrade to 0.125-5

2008-08-25 Thread Marco d'Itri
On Aug 24, frank <[EMAIL PROTECTED]> wrote:

> When upgrading from udev_0.105-4 to udev_0.125-5 Buffer I/O errors are
> reported when connecting a digital camera. Following this, the camera cannot
I can't see how udev could cause this. For a start, raise the udev log
level (using udevcontrol/udevadm) and check which programs are started
by RUN rules.

-- 
ciao,
Marco




Bug#496438: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thijs Kinkhorst
tags 496438 security confirmed
thanks

Hi,

There are indeed several occurrences of insecure tempfile usage:

15:${EXTRA_AREC_OPT} ${1} |tee /tmp/v-recorder${2}-out &>/dev/tty$[${2}+1]
18:${EXTRA_AREC_OPT} ${1} |tee /tmp/v-recorder${2}-out &>/dev/ttyv$[${2}+1]
33:${EXTRA_DREC_OPT} ${1} |tee /tmp/v-recorder${2}-out &>/dev/tty$[${2}+1]
36:${EXTRA_DREC_OPT} ${1} |tee /tmp/v-recorder${2}-out &>/dev/ttyv$[${2}+1]

As the package looks otherwise unmaintained and there are many alternatives 
available, I'm filing a removal bug instead of attempting to fix this. So I 
believe it may also be removed from testing.


cheers,
Thijs




Bug#494969: sympa: Leftover debug code may lead to data loss

2008-08-25 Thread Olivier Berger
On Thursday, 21 August 2008 at 16:14 +0200, Thijs Kinkhorst wrote:

> When grepping the sympa source for "/tmp" I find quite some occurrences
> of other files directly in tmp with insecure filenames. It should be
> checked for each if that code is executed and whether or not they should
> be moved to Sympa's private tempdir.
> 

Indeed, grepping through contents of binary package gives quite some
occurrences :

./usr/share/doc/sympa/examples/config/sympa.conf:tmpdir /var/spool/sympa/tmp
./usr/lib/sympa/bin/Log.pm:#open TMP, ">/tmp/logs.dump";
./usr/lib/sympa/bin/tt2.pl: open my $fh, ">/tmp/tt2/$newname";
./usr/lib/sympa/bin/tools.pl:## first step is the msg signing OK ; /tmp/sympa-smime.$$ is created
./usr/lib/sympa/bin/tools.pl:my $temporary_file = "/tmp/smime-sender.".$$ ;
./usr/lib/sympa/bin/List.pm:#   $parser->output_dir($Conf{'spool'} ."/tmp");
./usr/lib/sympa/bin/List.pm:#open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
./usr/lib/sympa/bin/List.pm:#open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
./usr/lib/sympa/bin/sympasoap.pm:#open TMP2, ">>/tmp/yy"; printf TMP2 "xx  parameters \n"; &tools::dump_var($proxy_vs, 0, \*TMP2);printf TMP2 "\n"; close TMP2;
./usr/lib/sympa/bin/CAS.pm:  $cas->proxyMode(pgtFile => '/tmp/pgt.txt',
./usr/lib/sympa/bin/sympa_wizard.pl:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
./usr/lib/sympa/bin/sympa_wizard.pl:my $new_sympa_conf = '/tmp/sympa.conf';
./usr/lib/sympa/bin/Conf.pm:$o{'tmpdir'}[0] = "$spool/tmp";
./usr/lib/sympa/bin/Conf.pm:# open TMP, ">/tmp/dump1";&tools::dump_var(&load_generic_conf_file($config,\%trusted_applications);, 0,\*TMP);close TMP;
./usr/lib/sympa/bin/Conf.pm:#open TMP2, ">>/tmp/sss"; printf TMP2 "xxxstructure admin\n"; &tools::dump_var(\%admin, 0, \*TMP2);printf TMP2 "xxx\n"; close TMP2;
./usr/lib/sympa/bin/sympa_soap_client.pl:#   file => '/tmp/my_cookies' );
./usr/lib/sympa/bin/sympa_soap_client.pl: file => '/tmp/my_cookies' );
./usr/lib/sympa/bin/Family.pm: #   open TMP, ">/tmp/dump1";
./usr/lib/sympa/bin/Auth.pm:# open TMP2, ">>/tmp/yy"; printf TMP2 "xxx\@ trusted_apps \n"; &tools::dump_var([EMAIL PROTECTED], 0, \*TMP2);printf TMP2 "\n"; close TMP2;
./usr/lib/sympa/bin/sympa.pl:   --make_alias_file : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #open TMP, ">/tmp/dump1";
./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #open TMP, ">/tmp/dump2";
./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #open TMP, ">/tmp/dump1";
./usr/bin/sympa:   --make_alias_file : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
./usr/bin/sympa_wizard:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
./usr/bin/sympa_wizard:my $new_sympa_conf = '/tmp/sympa.conf';

I think that even though the first ones reported on 
/usr/lib/cgi-bin/sympa/wwsympa.fcgi and /usr/lib/sympa/bin/sympa.pl are now 
fixed by uploaded 5.3.4-5.1, there's some more need for analysis (checking with 
upstream too).

I think that opening a distinct bug would probably be better too.

Hope this helps.

-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
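
One way to sort a listing like the one in the message above into the per-hit review the quoted text asks for, as an added example that is not part of the thread or of Sympa. The class names and the heuristics are assumptions of this example; the sample hits are copied from the listing with the archive's line wraps rejoined.

```sh
#!/bin/sh
# Added example: triage "path:matched line" grep hits for use of the shared /tmp.

# Sample hits copied from the listing in the thread (line wraps rejoined).
sample_hits() {
cat <<'EOF'
./usr/share/doc/sympa/examples/config/sympa.conf:tmpdir /var/spool/sympa/tmp
./usr/lib/sympa/bin/Log.pm:#open TMP, ">/tmp/logs.dump";
./usr/lib/sympa/bin/tt2.pl: open my $fh, ">/tmp/tt2/$newname";
./usr/lib/sympa/bin/tools.pl:my $temporary_file = "/tmp/smime-sender.".$$ ;
./usr/lib/sympa/bin/CAS.pm:  $cas->proxyMode(pgtFile => '/tmp/pgt.txt',
./usr/lib/sympa/bin/Conf.pm:$o{'tmpdir'}[0] = "$spool/tmp";
./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #open TMP, ">/tmp/dump1";
./usr/bin/sympa_wizard:my $new_sympa_conf = '/tmp/sympa.conf';
EOF
}

# Classes (this example's own labels):
#   commented   code part starts with '#': not executed, lowest priority
#   private     mentions a tmp directory, but not a path under the shared /tmp/
#   pid-name    path under /tmp/ built from $$ (guessable by other local users)
#   fixed-name  path under /tmp/ with a constant or caller-supplied name
triage() {
    awk '{
        sep  = index($0, ":")                  # first colon ends the file path
        path = substr($0, 1, sep - 1)
        code = substr($0, sep + 1)
        p = index(code, "/tmp/")
        # Shared /tmp only if "/tmp/" is not the tail of a longer path.
        shared = (p == 1) || (p > 1 && substr(code, p - 1, 1) !~ /[A-Za-z0-9_.]/)
        if (code ~ "^[ \t]*#")            class = "commented"
        else if (!shared)                 class = "private"
        else if (index(code, "$$") > 0)   class = "pid-name"
        else                              class = "fixed-name"
        printf "%-10s %s\n", class, path
    }'
}

# Count the hits of one class: sample_hits | count_class fixed-name
count_class() {
    triage | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

sample_hits | triage
```

The `pid-name` and `fixed-name` hits are the ones to read in context first; `commented` hits only matter if someone re-enables the debug code.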







Bug#472680: close

2008-08-25 Thread Holger Levsen
severity 472680 normal
close 472680
thanks

Hi,

First, setting the right severity. (This bug, if it is one in Debian at all, 
clearly doesn't affect many users of Debian.)

Second, closing it, as we cannot fix it with the information provided by the 
submitter and because it really looks like an issue with the local network 
settings or the ISPs.


regards,
Holger




Bug#496467: screen-message: patch for better timeout handling

2008-08-25 Thread Joachim Breitner
Hi Paul,

On Monday, 25.08.2008 at 10:00 +0800, Paul Wise wrote:
> Source: screen-message
> Version: 0.14-1
> Severity: wishlist
> 
> The attached patch adds better handling for hiding the edit widget on
> timeouts:
> 
>   * a command-line option to give a custom timeout
>   * doesn't render text underneath the edit widget
>   * timeout doesn't occur when the user is moving the arrow keys
> around

Thanks for the patch. Two comments though:

 * I’d still like to avoid command line options, and I think the entry
timeout is something that does not have to be configurable. Rather, I
think we can find a more suitable value. Do you think 5 seconds is too
much? What do you use?

 * Rendering the text underneath the edit widget is actually a feature:
Then the text won’t jump when the edit widget is hidden, which I find
nicer. Have you considered that?

 * Thanks for the rest of the patch!

BTW, if you want you can use darcs to record and send your patches. This
would make it easier for you to send separate patches for separate
features, but still all in one .dpatch file. Just use "darcs get
http://darcs.nomeata.de/screenmessage" to get the sources, "darcs
record" to select and name your patch and "darcs send" to send all your
recorded modifications to me. 

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  [EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata




Bug#496505: RM: cdcontrol -- RoQA; RC-buggy, security issues, unmaintained, low popcon

2008-08-25 Thread Thijs Kinkhorst
Package: ftp.debian.org

Hi,

Please remove cdcontrol from unstable, for the following reasons:

* It has an RC security bug about insecure tempfile usage.
* It is unmaintained, last MU four years ago.
  Maintainer seems MIA and is also upstream.
* It has few popcon votes.


thanks,
Thijs




Bug#493689: insight: FTBFS on ia64

2008-08-25 Thread Chris Lamb
Chris Lamb wrote:

> Patch attached.

D'oh, it already had a patch; that was silly.


Regards,

-- 
Chris Lamb, UK   [EMAIL PROTECTED]
GPG: 0x634F9A20




Bug#490290: live-helper: Could handle empty LH_LINUX_PACKAGES more gracefully

2008-08-25 Thread Daniel Baumann
Hi,

could you please elaborate how you constructed a situation where you got
empty LH_LINUX_PACKAGES? As said, this seems impossible to me, since
by default lh sets values for empty variables automatically. Otherwise,
I intend to close the bug report.

Regards,
Daniel

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/






Bug#496393: this bug is not fixed

2008-08-25 Thread Lars Bahner
On Mon, Aug 25, 2008 at 09:44:03AM +0200, Thijs Kinkhorst wrote:
> reopen 496393
> thanks
> 
> Hi,
> 
> Maybe I'm completely missing something, but the patch you added just seems to 
> make matters much worse. Perhaps I don't understand it, but you remove use of 
> the safe "mktemp" function and replace it with tempfiles based on PID? It 
> looks to me like this change just introduced a new tempfile vulnerability.
> 
> And perhaps Dmytri can tell us what the original bug was that he found in his 
> file, so the real issue can be addressed.

I inadvertently mixed up my two source directories and sent off a build
from the wrong directory thus reversing my patch :P

> By the way, you are aware that you're using NMU-style versioning for your 
> package while making maintainer uploads?

because I forgot, duh!


Thanks for noticing, Thijs. The correct patch is being built as I write.






Bug#496499: screen-message: setting background doesn't work

2008-08-25 Thread Joachim Breitner
Version: 0.15-1

Hi,

I guess I’m uploading versions too fast. But at least with 0.15, it
seems to work here.

Sorry for not trying out that feature before doing the 0.14 upload.

Greetings,
Joachim

On Monday, 25.08.2008 at 10:29 +0200, Gerfried Fuchs wrote:
> Package: screen-message
> Version: 0.14-1
> Severity: normal
> 
>   Hi!
> 
>  Some of your further changes seem to eliminate the possibility to set
> the background color of the window. It starts up for a very short while
> with the chosen background color but switches to white shortly after.
> 
>  I'm not too sure but I think the problem might reside in these changes
> to the code:
> 
> #v+
> @@ -220,13 +258,9 @@
> gtk_widget_modify_bg(window, GTK_STATE_NORMAL, &white);
> gtk_widget_modify_fg(window, GTK_STATE_NORMAL, &black);
> 
> -   draw = gtk_drawing_area_new();
> -   gtk_widget_set_events(draw, GDK_BUTTON_PRESS_MASK);
> -   gtk_widget_set_size_request(draw,400,400);
> -   gtk_widget_modify_bg(draw, GTK_STATE_NORMAL, &white);
> -   gtk_widget_modify_fg(draw, GTK_STATE_NORMAL, &black);
> -   g_signal_connect(G_OBJECT(draw), "realize", G_CALLBACK(realize), 
> NULL);
> -   g_signal_connect(G_OBJECT(draw), "button-press-event", 
> G_CALLBACK(text_clicked), NULL);
> +   gtk_widget_set_events(window, GDK_BUTTON_PRESS_MASK);
> +   g_signal_connect(G_OBJECT(window), "realize", G_CALLBACK(realize), 
> NULL);
> +   g_signal_connect(G_OBJECT(window), "button-press-event", 
> G_CALLBACK(text_clicked), NULL);
> 
> GdkPixmap *pixmap = gdk_pixmap_new(NULL, 1, 1, 1);
> GdkColor color;
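
Review bot: with the `draw` widget removed, the two unchanged lines at the top of this hunk, which set `&white` and `&black` on `window`, are the only colour assignments left in view, so a user-chosen background now has to be applied to `window` itself, after these calls, rather than to the old drawing area; please check where the configured colour is set relative to them. The removed `gtk_widget_set_size_request(draw,400,400)` also has no counterpart on `window` among the added lines, so the initial window size is worth confirming.
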
> #v-
> 
>  The colors are only set for the window but not for the drawing area
> within it? Or did the drawing area get removed all together? Maybe my
> analysis is wrong, but I don't want this problem to get missing or
> forget about it. :)
> 
>  Thanks for your great work anyway!
> Rhonda
> 
> 

-- 
Joachim "nomeata" Breitner
Debian Developer
  [EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata




Bug#459779: Bug fixed in git

2008-08-25 Thread Daniel Baumann
tags 459697 +pending
tags 459779 +pending
tags 468900 +pending
thanks

This bug has been fixed in git.

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/






Bug#496360: closed by Romain Beauxis <[EMAIL PROTECTED]> (Not a bug for us)

2008-08-25 Thread Dmitry E. Oboukhov

reopen 496360
thanks


Please do not close, if You want, change severity :)

user's files can be very important,
for example ~/.gnupg/*

if an attacker creates a symlink to them then your gpg's private key may be
corrupted.


On 09:24 Mon 25 Aug , Debian Bug Tracking System wrote:

DBTS> This is an automatic notification regarding your Bug report
DBTS> which was filed against the liguidsoap package:

DBTS> #496360: The possibility of attack with the help of symlinks in some Debian packages

DBTS> It has been closed by Romain Beauxis <[EMAIL PROTECTED]>.

DBTS> Their explanation is attached below along with your original report.
DBTS> If this explanation is unsatisfactory and you have not received a
DBTS> better one in a separate message then please contact Romain Beauxis <[EMAIL PROTECTED]> by
DBTS> replying to this email.

DBTS> --
DBTS> 496360: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496360
DBTS> Debian Bug Tracking System
DBTS> Contact [EMAIL PROTECTED] with problems

DBTS> Date: Mon, 25 Aug 2008 11:21:24 +0200
DBTS> From: Romain Beauxis <[EMAIL PROTECTED]>
DBTS> To: [EMAIL PROTECTED]
DBTS> Subject: Not a bug for us
DBTS> User-Agent: KMail/1.9.9
DBTS> Cc: "Dmitry E. Oboukhov" <[EMAIL PROTECTED]>

DBTS> Hi !

DBTS> Indeed, liguidsoap uses files under /tmp to write logs and dump audio data
DBTS> during the live show.

DBTS> We don't consider this as a bug, but as feature (tm). Furthermore, this is
DBTS> known to the user, the name is predictable -- "/tmp/liguidsoap.log" -- and
DBTS> run manually by the user, with no root rights.

DBTS> It would be nice if your system could report scripts that are meant to be run
DBTS> as root, at least starting with maintainers scripts only...

DBTS> Romain

DBTS> Date: Sun, 24 Aug 2008 22:05:28 +0400
DBTS> From: "Dmitry E. Oboukhov" <[EMAIL PROTECTED]>
DBTS> To: [EMAIL PROTECTED]
DBTS> Subject: The possibility of attack with the help of
DBTS> symlinks in some Debian packages
DBTS> Cc: [EMAIL PROTECTED]

DBTS> Package: liguidsoap
DBTS> Severity: grave

DBTS> Hi, maintainer!

DBTS> This message about the error concerns a few packages at once. I've
DBTS> tested all the packages (for Lenny) on my Debian mirror. All scripts
DBTS> of packages (marked as executable) were tested.

DBTS> In some packages I've discovered scripts with errors which may be used
DBTS> by a user for damaging important system files or user's files.

DBTS> For example if a script uses in its work a temp file which is created
DBTS> in /tmp directory, then every user can create symlink with the same
DBTS> name in this directory in order to destroy or rewrite some system
DBTS> or user file. Symlink attack may also lead not only to the data
DBTS> destruction but to denial of service as well.

DBTS> Even if you create files or directories with help of function 'RANDOM'
DBTS> or pid(), then your system is not protected. Attacker can create many
DBTS> symlinks in order to destroy your data or create 'denial of service'
DBTS> for your package scripts.

DBTS> Even if you make rm(dir) for files/directories, then your system is
DBTS> not protected. Attacker can permanently create symlinks.

DBTS> This list is created with the help of script. This list is sorted by
DBTS> hand. However in some cases mistake is possible.

DBTS> Please, Be understanding to possible mistakes. :)

DBTS> I set Severity into grave for this bug. The table of discovered
DBTS> problems is below.

DBTS> Discussion of this bug you can see in debian-devel@:
DBTS> http://lists.debian.org/debian-devel/2008/08/msg00271.html

DBTS> Binary-package: r-base-core-ra (1.1.1-1)
DBTS> file: /usr/lib/Ra/lib/R/bin/javareconf
DBTS> Binary-package: rccp (0.9-2)
DBTS> file: /usr/lib/rccp/delqueueask
DBTS> Binary-package: mafft (6.240-1)
DBTS> file: /usr/bin/mafft-homologs
DBTS> Binary-package: openoffice.org-common (1:2.4.1-6)
DBTS> file: /usr/lib/openoffice/program/senddoc
DBTS> Binary-package: crossfire-maps (1.11.0-1)
DBTS> file: /usr/share/games/crossfire/maps/Info/combine.pl
DBTS> Binary-package: sgml2x (1.0.0-11.1)
DBTS> file: /usr/bin/rlatex
DBTS> Binary-package: liguidsoap (0.3.6-4)
DBTS> file: /var/lib/liguidsoap/liguidsoap.py
DBTS> Binary-package: citadel-server (7.37-1)
DBTS> file: /usr/lib/citadel-server/migrate_aliases.sh
DBTS> Binary-package: ampache (3.4.1-1)
DBTS> file: /usr/share/ampache/www/locale/base/gather-messages.sh
DBTS> Binary-package: xen-utils-3.2-1 (3.2.1-2)
DBTS> file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
DBTS> Binary-package: dtc-common (0.29.6-1)
DBTS> file: /usr/share/dtc/admin/accesslog.php
DBTS> file: /usr/share/dtc/admin/sa-wrapper
DBTS> Binary-package: honeyd-common (1.5c-3)
DBTS> file: /usr/share/honeyd/scripts/test.sh
DBTS> Binary-package: lustre-tests (1.6.5-1)
DBTS> file: /usr/lib/lustre/tests/runiozone
DBTS> Binary-package: linuxtrade (3.65-8+b4)
DBTS> file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
DBTS> file: /usr/share/linuxtrade/bin/linuxtrade.wn
DBTS> file: /usr/sha

Bug#496467: screen-message: patch for better timeout handling

2008-08-25 Thread Paul Wise
On Mon, 2008-08-25 at 12:03 +0200, Joachim Breitner wrote:

>  * I’d still like to avoid command line options, and I think the entry
> timeout is something that does not have to be configurable. Rather, I
> think we can find a more suitable value. Do you think 5 seconds is too
> much? What do you use?

At debconf I wanted it to be 1 second, so that it would hide pretty much
immediately after starting - I intended to use it at the end of my
lightning talk with a pre-prepared text string. Now that you made it
hide by default when some input is specified, I don't think this is
needed. I think 3 seconds would be the best timeout, 5 is a bit too long
and 1 is too short.

>  * Rendering the text underneath the edit widget is actually a feature:
> Then the text won’t jump when the edit widget is hidden, which I find
> nicer. Have you considered that?

Ok, I think the reason I did that was because I got rendering glitches
when the edit box covered the text and then got hidden. I suppose making
it translucent would be too flashy? :)

> BTW, if you want you can use darcs to record and send your patches.

I'm not familiar with darcs (only git/svn/cvs), I'll try to remember
this next time.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


signature.asc
Description: This is a digitally signed message part


Bug#495144: anjuta in Debian and the RC bug #495144

2008-08-25 Thread Thomas Viehmann

Hi Marcos,

thanks for working on RC bugs!

Your comment on bts.turmzimmer.net regarding #495144 looks  
interesting, but I'm not sure whether I entirely understand the  
comment and its implications. For one, if the bug does not occur in  
unstable, what happened to make it disappear?
Also, it might be nice if you could share / elaborate on your  
insights in the bug log itself.


[FREEZE] Package: anjuta (optional; Rob Bradford) [anjuta/2:2.4.2-1 ;  
=] [add/edit comment]

19-Jun-2008: Marcos Marado: fixed in unstable
495144 [   ] Anjuta hangs on execute program

Kind regards and thanks,

T.






Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Rene Engelhard
found 496361 1:2.4.1-6
notfound 496361 1:3.0.0~beta2-1
notfound 496361 2.0.4.dfsg.2-7etch5
tag 496361 + pending
thanks

Dmitry E. Oboukhov wrote:
> #!/bin/sh
> URI_ENCODE="`dirname $0`/uri-encode"
> 
> echo "$@" > /tmp/log.obr.$$
> echo "$#" >> /tmp/log.obr.$$
[...]

Oops, I didn't see it because I checked in the 3.0 packages which don't have it
anymore..

(Only 2.4.1 is affected)

Regards,

Rene






Bug#496360: Not a bug for us

2008-08-25 Thread Julien Cristau
reopen 496360
severity 496360 important
kthxbye

On Mon, Aug 25, 2008 at 11:21:24 +0200, Romain Beauxis wrote:

>   Hi !
> 
> Indeed, liguidsoap uses files under /tmp to write logs and dump audio data 
> during the live show.
> 
> We don't consider this as a bug, but as feature (tm).

This is broken.

> Furthermore, this is known to the user, the name is predictable --
> "/tmp/liguidsoap.log" -- and run manually by the user, with no root
> rights.
> 
That makes symlink attacks against root impossible, but it still allows
an attacker to overwrite any file owned by the user running liguidsoap.
Please move the files out of /tmp.

Cheers,
Julien






Bug#468264: live-helper: lh_build leaves chroot/dev/pts mounted after it has finished

2008-08-25 Thread Daniel Baumann
retitle 468264 if live-helper fails, it doesn't unmount chroot/dev/pts
thanks

Hi,

live-helper does unmount /dev/pts in the chroot after having built the
image. There is only one case where it doesn't do it, and that is if it
fails somewhere before the end (where it will unmount).

Regards,
Daniel

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/






Bug#496500: [Yaird-devel] Bug#496500: yaird: fails to create initrd when running 2.6.24 etchnhalf kernel

2008-08-25 Thread Jonas Smedegaard

On Mon, Aug 25, 2008 at 04:29:39PM +0800, James Andrewartha wrote:
>Package: yaird
>Version: 0.0.12-18
>Severity: important
>
>This is bug 431534, exposed again because stable has an old version of
>yaird but a recent kernel.

Acknowledged.

I see some different approaches to this:

  1. Leave this bug open but do nothing about it.
     * This bug is not a security issue in itself
     * Security-related kernel updates can switch to initramfs-tools
  2. Release 0.0.12-18+etch1 fixing only this specific issue
     * Security-updates must be minimal
  3. Release backport of newest yaird in unstable
     * Linux changes are large already, so "must be minimal" cannot
       apply here
     * Most if not all recent yaird changes are to support the major
       changes to recent Linux kernels
  4. Drop yaird from etchnhalf
     * Yaird has been dropped from testing (see bug#457177)


If we do 1) then we should probably go through and etch-tag all other bugs 
fixed recently.

If we do 3) then a single change must be made compared to current 
package in Sid: LVM workaround must be enabled by default.


Cc'ing release team and security team for input.


NB! Even if yaird really is "generally too buggy" as judged in 
bug#457177, the current release in unstable is far better than the 
version currently in Etch, (contains no known regressions, and actually 
works out-of-the-box in many cases with recent Linux kernels whereas 
the etch release doesn't).


  - Jonas

-- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private






Bug#492081: (no subject)

2008-08-25 Thread Joel Sevilleja
Same here, I've done a fresh install of Debian Lenny Beta2, configuring 
the installation with the locales "Spanish from Spain", and I can do the 
following things:

login users in tty
login root in tty
login users in kdm
su in tty

But I can't switch to root with su in kdm. My password contains several 
".", and if I change the password to one without symbols (only numbers 
and letters (no matter if they are capitalized)), I can do su correctly 
on kdm. I've not installed console-setup. Another curious thing is that 
if I press caps lock in a tty, all the letters are capitalized, except 
"e" and "c". If I press the "shift" key, all the letters are 
capitalized. Thanks for all, and apologies for my bad English.







Bug#495144: anjuta in Debian and the RC bug #495144

2008-08-25 Thread Marcos Marado
Hi there,

On Monday 25 August 2008 11:19:58 you wrote:
> Your comment on bts.turmzimmer.net regarding #495144 looks
> interesting, but I'm not sure whether I entirely understand the
> comment and its implications. For one, if the bug does not occur in
> unstable, what happened to make it disappear?
> Also, it might be nice if you could share / elaborate on your
> insights in the bug log itself.
>
> [FREEZE] Package: anjuta (optional; Rob Bradford) [anjuta/2:2.4.2-1 ;
> =] [add/edit comment]
> 19-Jun-2008: Marcos Marado: fixed in unstable
> 495144 [   ] Anjuta hangs on execute program

I'm puzzled. This seems to be a bug of some sort on bts.turmzimmer.net, that 
comment wasn't made in relation to #495144 ... If you see carefully, that bug 
was created on 14 Aug 2008, and my comment dates 19-Jun-2008... I've removed 
the comment from the bts now, sorry about this mess... I guess I'll review 
the rest of the comments there and see if any other comment is messed up...

Best regards, and thanks for spotting this,
-- 
Marcos Marado






Bug#496283: nvidia-kernel-2.6.26-1-amd64 still broken

2008-08-25 Thread ian_bruce
There's still a problem.

"nvidia-kernel-2.6.26-1-amd64" depends on "nvidia-kernel-common", which
contains the header "Recommends: nvidia-kernel-source | nvidia-kernel".

Apparently there is no package which "Provides: nvidia-kernel".
Therefore, "nvidia-kernel-common" sucks in an extra 96MB of stuff with
"nvidia-kernel-source", which is completely unnecessary.

The solution is to have "nvidia-kernel-2.6.26-1-amd64" "Provides:
nvidia-kernel, nvidia-kernel-173.14.09".

Either that, or change the header in "nvidia-kernel-common" to
"Recommends: nvidia-kernel-173.14.09".







Bug#496375: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Julien Valroff
On Monday, 25 August 2008 at 14:02 +0400, Dmitry E. Oboukhov wrote:
> On 11:09 Mon 25 Aug , Julien Valroff wrote:
> JV> Hi Dmitry,
> 
> JV> On Sunday, 24 August 2008 at 22:05 +0400, Dmitry E. Oboukhov wrote:
> JV>> Package: rkhunter
> JV>> Severity: grave
[...]
> JV>> In some packages I've discovered scripts with errors which may be used
> JV>> by a user for damaging important system files or user's files.
> JV>> 
> JV>> For example if a script uses in its work a temp file which is  created
> JV>> in /tmp directory, then every user can create symlink  with  the  same
> JV>> name in this directory in order to  destroy  or  rewrite  some  system
> JV>> or user file.  Symlink attack may also  lead  not  only  to  the  data
> JV>> destruction but to denial of service as well.
> 
> JV> I think rkhunter is safe, given that the script does check that the file
> JV> in /tmp is a file (and not a symlink) before using it:
> 
> JV> if [ "$1" = "--debug" ]; then
> JV> if [ -e "/tmp/rkhunter-debug" ]; then
> JV> if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
> JV> rm -f /tmp/rkhunter-debug >/dev/null 2>&1
> JV> else
> JV> echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
> JV> exit 1
> JV> fi
> JV> fi
> 
> JV> Would you please confirm this is ok so that I can close this bug?
> 
> could you create temp-file as:
> 
> if [ $1 = "--debug" ]; then
> DEBUG_FILE=`mktemp -t rkhunter-debug.XX`
> ...
> using debug file $DEBUG_FILE
> fi

Sure, but can you explain what this would change in terms of security
and wrt the bug reported?

Cheers,
Julien
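
The difference between the fixed-name check quoted in this message and the mktemp suggestion, as an added example that is not part of the thread or of rkhunter. The function names, the `RACE_HOOK` variable and the scratch-directory layout are assumptions made for the demonstration; the hook stands in for another local user acting between the check and the write.

```shell
#!/bin/sh
# Added example; every path lives in a private scratch directory.
# Function names and RACE_HOOK are hypothetical.

# Stand-in for another local user acting between the check and the write:
# it makes the fixed name a symlink to a file the script's owner may write.
plant_link() { ln -s "$VICTIM" "$1"; }

# Pattern quoted in the thread: test the fixed name, then write to it later.
write_fixed_name() {
    f="$1/rkhunter-debug"
    if [ -e "$f" ] || [ -h "$f" ]; then
        if [ -f "$f" ] && [ ! -h "$f" ]; then rm -f "$f"; else return 1; fi
    fi
    if [ -n "${RACE_HOOK:-}" ]; then "$RACE_HOOK" "$f"; fi   # the window
    echo "$2" > "$f"        # a plain redirection follows the symlink
}

# mktemp variant: the file is created exclusively under a random name, so
# there is no known name to plant, and the later write reopens our own file.
write_mktemp() {
    f=$(mktemp "$1/rkhunter-debug.XXXXXX") || return 1
    if [ -n "${RACE_HOOK:-}" ]; then "$RACE_HOOK" "$1/rkhunter-debug"; fi
    echo "$2" > "$f"
    printf '%s\n' "$f"
}

# Run one writer in a fresh scratch directory with the hook active and
# report the state of the victim file: "clobbered" or "intact".
victim_after() {
    scratch=$(mktemp -d) || return 1
    VICTIM="$scratch/victim"
    echo "important" > "$VICTIM"
    mkdir "$scratch/tmp"
    RACE_HOOK=plant_link
    "$1" "$scratch/tmp" "debug line" >/dev/null
    if [ "$(cat "$VICTIM")" = "important" ]; then r=intact; else r=clobbered; fi
    rm -rf "$scratch"
    echo "$r"
}

echo "fixed name: $(victim_after write_fixed_name)"
echo "mktemp:     $(victim_after write_mktemp)"
```

The `-f`/`-h` test only describes the name at the moment it runs; the later redirection opens whatever the name points to by then.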







Bug#496508: xulrunner-1.9: Invalid memory reference

2008-08-25 Thread Alban Browaeys
Package: xulrunner-1.9
Version: 1.9.0.1-1
Severity: important
File: /usr/lib/xulrunner-1.9/xulrunner-stub

*** Please describe what you were doing when the application crashed ***

0xe424 in ?? ()
#0  0xe424 in ?? ()

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.27-rc1-00509-g76c2726 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xulrunner-1.9 depends on:
ii  libatk1.0-0            1.22.0-1           The ATK accessibility toolkit
ii  libbz2-1.0             1.0.5-1            high-quality block-sorting file co
ii  libc6                  2.7-13             GNU C Library: Shared libraries
ii  libcairo2              1.6.4-6            The Cairo 2D vector graphics libra
ii  libfontconfig1         2.6.0-1            generic font configuration library
ii  libfreetype6           2.3.7-2            FreeType 2 font engine, shared lib
ii  libgcc1                1:4.3.1-9          GCC support library
ii  libglib2.0-0           2.17.4-1           The GLib library of C routines
ii  libgtk2.0-0            2.12.11-3          The GTK+ graphical user interface
ii  libhunspell-1.2-0      1.2.6-1            spell checker and morphological an
ii  libjpeg62              6b-14              The Independent JPEG Group's JPEG
ii  liblcms1               1.17.dfsg-1        Color management library
ii  libmozjs1d             1.9.0.1-1          The Mozilla SpiderMonkey JavaScrip
ii  libnspr4-0d            4.7.1-3            NetScape Portable Runtime Library
ii  libnss3-1d             3.12.0-5           Network Security Service libraries
ii  libpango1.0-0          1.20.5-1           Layout and rendering of internatio
ii  libpng12-0             1.2.27-1           PNG library - runtime
ii  libreadline5           5.2-3              GNU readline and history libraries
ii  libsqlite3-0           3.5.9-3            SQLite 3 shared library
ii  libstartup-notificatio 0.9-1              library for program launch feedbac
ii  libstdc++6             4.3.1-9            The GNU Standard C++ Library v3
ii  libx11-6               2:1.1.4-2          X11 client-side library
ii  libxrender1            1:0.9.4-2          X Rendering Extension client libra
ii  libxt6                 1:1.0.5-3          X11 toolkit intrinsics library
ii  zlib1g                 1:1.2.3.3.dfsg-12  compression library - runtime

xulrunner-1.9 recommends no packages.







Bug#483777: live-helper: Change from --sections option to --category option

2008-08-25 Thread Daniel Baumann
tags 483777 +pending
thanks

Fixed in git, thanks.

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/






Bug#161978: this really should be checked by lintian

2008-08-25 Thread Holger Levsen
severity 161978 important
thanks

Hi,

downgrading severity, as this is about an old issue with tetex and because 
there is probably even a lintian check for this already. (Too lazy to confirm 
now, thus I'm also not reassigning the bug to lintian yet.)


regards,
Holger




Bug#496507: [www.debian.org] Debian Description Translation Project (DDTP) Translation-lang files not only available for sid

2008-08-25 Thread Filipus Klutiero
Package: www.debian.org
Severity: minor

According to http://www.debian.org/international/l10n/ddtp

This version of APT downloads Translation-lang files from Debian mirrors. 
These are only available for sid at the moment and may be missing on some 
mirrors. The location of these files on mirrors is dists/main/sid/i18n/.

But these files are also available for at least lenny.






Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Rene Engelhard
Hi,

Thijs Kinkhorst wrote:
> Rene Engelhard wrote:
> > I so far thought mktemp was safe enough? (of course, we get
> > senddoc.mutt., but...
> 
> mktemp is safe enough. I think Dmitry refers to lines 3 and 4 of that script:
> 
> echo "$@" > /tmp/log.obr.$$
> echo "$#" >> /tmp/log.obr.$$
> 
> which I agree should not be there, probably leftover debug code?

Sigh. Yes, looks like it. (Checked with the 3.0 packages, which don't have
those lines anymore).

Regards,

Rene
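
A rough audit check for the kind of line discussed in this message, added here as an example and not taken from lintian or any Debian tool. `scan_tmp_writes` and `sample_script` are hypothetical names, and the sample input is constructed around the two quoted `log.obr.$$` lines.

```shell
#!/bin/sh
# Added example; scan_tmp_writes and sample_script are hypothetical names.

# Constructed sample: lines 2-3 are the ones quoted in the thread, the rest
# is made up to show one more hit and two lines that must not be reported.
sample_script() {
cat <<'EOF'
#!/bin/sh
echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$
echo start > /tmp/example-debug
rm -f /tmp/example-debug >/dev/null 2>&1
t=$(mktemp -t senddoc.XXXXXX) && echo start > "$t"
EOF
}

# Read a shell script on stdin and print LINE:REASON:TARGET for every
# redirection into /tmp whose name another local user can know in advance.
scan_tmp_writes() {
    awk '
    /^[ \t]*#/ { next }                        # comments and the #! line
    match($0, />>?[ \t]*"?\/tmp\/[^ \t";|&)]+/) {
        target = substr($0, RSTART, RLENGTH)
        sub(/^>>?[ \t]*"?/, "", target)        # keep only the path
        if (target ~ /\$\$/)     why = "pid-derived"   # $$ is guessable
        else if (target ~ /\$/)  next                   # other variable: not judged
        else                     why = "fixed-name"
        printf "%d:%s:%s\n", NR, why, target
    }'
}

sample_script | scan_tmp_writes
```

It is a line-based heuristic: it does not follow variables that were assigned a /tmp path earlier, so a clean result is not proof that a script is safe.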





