Bug#291117: wakeonlan: program refers to incorrect manpage

2005-01-18 Thread Steve Kemp
On Tue, Jan 18, 2005 at 04:18:06PM -0500, Jim Paris wrote:

> Running the program with no arguments refers to the wakelan(1)
> man page, which should probably read wakeonlan(1) instead.

  Agreed.  I will make an upload to fix this once the package
 has entered into "testing".

  That should be in six days time.

Steve
--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#291332: dsniff fails looking for libnids.so.1.18, but linked against libnids.so.1.19

2005-01-20 Thread Steve Kemp
On Wed, Jan 19, 2005 at 08:02:34PM -0800, Josh Carroll wrote:

> When attempting to run dsniff, it complains about needing
> libnids.so.1.18:
> 
> dsniff: error while loading shared libraries: libnids.so.1.18: cannot
> open shared object file: No such file or directory
> 
> However, ldd reports the program is linked against libnids.so.1.19:
> 
> libnids.so.1.19 => /usr/lib/libnids.so.1.19 (0x25004000)
> 
> I could link /usr/lib/libnids.so.1.19 to /usr/lib/libnids.so.1.18, but
> that is obviously not ideal. Also, dsniff notices the shared library
> difference when doing so:
> 
> dsniff: Symbol `nids_params' has different size in shared object,
> consider re-linking

  That's very strange - the package itself depends upon libnids .19,
 and there should be no mention of .18 anywhere.

  I wonder if the i386 build was broken when I made it, because I had
 version 18 installed too?  I'll build it again cleanly in a chroot()
 jail and see how that works out.

  Thanks for the report.

> Architecture: i386 (i686)

> ii  libnids1 1.19-1  IP defragmentation TCP segment 
> rea

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#342044: security.debian.org: Systemically making Debian GNU/Linux less susceptible to buffer overflow attacks

2005-12-06 Thread Steve Kemp
On Sun, Dec 04, 2005 at 02:25:07PM -0800, Bill Wohler wrote:
> Package: security.debian.org
> Severity: wishlist

  This is an inappropriate package to report this bug against,
 I'd suggest at least using GCC.

> They mentioned StackGuard, ProPolice, StackShield, and RAD (Return
> Address Defender) for the compiler and libsafe (already a Debian package
> in sid) for the OS. Some of these have been discussed on Debian lists
> already.
> 
> I have no idea how these tools might be incorporated into Debian, but I
> think it would be a Good Thing if every program were protected by them.
> It would make our systems safer, and would be great for Debian
> marketing.

  I concur.  I've made Sarge packages of SSP available here:

http://people.debian.org/~skx/ssp.html

  Two relevant bug reports you should read are:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=213994
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=233208

  These were relating to the addition of compiler protection in
 GCC.  When GCC v4.1 comes out it will have one.  
 
  The next step is of course to enable it and use it on the
 buildds - whether that happens or not will be an interesting
 situation; I'd be very pleased if it did but either way
 security.debian.org isn't the right place to discuss it.

  I'd suggest the debian-security mailing list as a good
 target for discussion..


-- 
Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#342550: firefox: Javascript, history.dat & DoS

2005-12-08 Thread Steve Kemp
On Thu, Dec 08, 2005 at 04:48:07PM +0200, Timo Poikola wrote:
> Package: firefox
> Version: 1.4.99+1.5rc3.dfsg-2
> Severity: grave
> Tags: security
> Justification: causes non-serious data loss
> 
> http://packetstormsecurity.org/0512-exploits/firefox-1.5-buffer-overflow.txt
> 
> My ff does not crashed, but it ate really much cpu-time when I tested 
> slightly modified version of javascript. 

  Not a security issue, "just" a DOS attack.

  Mozilla.org do not regard DOS attacks as security issues, so we cannot
 either.

Steve
--





Bug#343180: apachetop: problems with logfiles greater than 2gb

2005-12-16 Thread Steve Kemp

  Thanks for your report and your patch (and your other patches!)

  I'm not too sure if this is a good fix right now, so I'm going to
 leave this patch unapplied for the moment.  If I can gain access to
 a couple more platforms I'll be able to test it out and see how
 well it works on non-x86 systems.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#344081: ITP: xen-debiantools -- Tools to manage debian XEN virtual servers

2005-12-19 Thread Steve Kemp
On Mon, Dec 19, 2005 at 11:54:26PM +0200, Radu Spineanu wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Radu Spineanu <[EMAIL PROTECTED]>
> 
> 
> * Package name: xen-debiantools

  ?

  I'd strongly suggest keeping the name as xen-tools, or
 xen-tools-debian if you must change it.

  Because otherwise searching for 'xen-tools' will fail to find it.


  Otherwise looks good.  0.3 is out now:

http://www.steve.org.uk/Software/xen-tools/

  I'll leave the code alone for a few days now to see how it settles
 down.

Steve
--





Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

2005-12-22 Thread Steve Kemp
On Thu, Dec 22, 2005 at 02:30:46PM +0100, Moritz Muehlenhoff wrote:

> An integer overflow in the header parser for .blend files can potentially
> be exploited to execute code through a heap overflow. Please see 
> http://www.overflow.pl/adv/blenderinteger.txt for details.
> 
> This is CVE-2005-4470.

  Woody is non-free so most likely won't get updated.

  Sarge is vulnerable.

Steve
--
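
The bug class named in this report, as an added example (not Blender's code and not taken from the advisory): a size computed from two header fields wraps in 32-bit arithmetic, and the checked parser refuses the file instead. The 8-byte header layout, the function names and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum parse_status { PARSE_OK, PARSE_SHORT, PARSE_BAD_SIZE, PARSE_NOMEM };

/* Read a little-endian 32-bit value from untrusted file bytes. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What a 32-bit `count * elem_size` evaluates to: the product modulo 2^32.
 * A parser that allocates this many bytes and then copies `count` elements
 * writes past the end of the heap buffer. */
uint32_t wrapped_size32(uint32_t count, uint32_t elem_size)
{
    return (uint32_t)((uint64_t)count * elem_size);
}

/*
 * Hypothetical layout: [count:u32][elem_size:u32], then count * elem_size
 * payload bytes. The product is formed in 64 bits, where two 32-bit values
 * cannot wrap, and must fit in what the file actually contains.
 */
enum parse_status parse_records(const unsigned char *buf, size_t len,
                                unsigned char **out, size_t *out_len)
{
    uint32_t count, elem;
    uint64_t total;
    unsigned char *p;

    *out = NULL;
    *out_len = 0;
    if (len < 8)
        return PARSE_SHORT;

    count = rd_le32(buf);
    elem = rd_le32(buf + 4);
    total = (uint64_t)count * (uint64_t)elem;

    /* Reject sizes the file cannot back; this also bounds total by SIZE_MAX. */
    if (total > (uint64_t)(len - 8))
        return PARSE_BAD_SIZE;

    p = malloc(total ? (size_t)total : 1);
    if (p == NULL)
        return PARSE_NOMEM;
    memcpy(p, buf + 8, (size_t)total);
    *out = p;
    *out_len = (size_t)total;
    return PARSE_OK;
}

/* Constructed sample: count = 0x40000001, elem_size = 4, 4 payload bytes. */
static const unsigned char SAMPLE_WRAP[] = {
    0x01, 0x00, 0x00, 0x40,  0x04, 0x00, 0x00, 0x00,  'A', 'A', 'A', 'A'
};

/* Constructed sample: count = 2, elem_size = 4, 8 payload bytes. */
static const unsigned char SAMPLE_GOOD[] = {
    0x02, 0x00, 0x00, 0x00,  0x04, 0x00, 0x00, 0x00,  1, 2, 3, 4, 5, 6, 7, 8
};

int main(void)
{
    unsigned char *rec;
    size_t rec_len;

    printf("32-bit size for the wrapping header: %u bytes\n",
           (unsigned)wrapped_size32(0x40000001u, 4));
    printf("checked parser on wrapping header: status %d\n",
           (int)parse_records(SAMPLE_WRAP, sizeof SAMPLE_WRAP, &rec, &rec_len));
    printf("checked parser on good header: status %d\n",
           (int)parse_records(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &rec, &rec_len));
    free(rec);
    return 0;
}
```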





Bug#338312: osh: Environment Variable Input Validation Bug

2005-11-09 Thread Steve Kemp
On Wed, Nov 09, 2005 at 04:42:08AM -0800, Charles Stevenson wrote:

> Due to a bug in the environment variable substitution code it is
> possible to inject environment variables such as LD_PRELOAD and gain a
> root shell.

  Confirmed.

  Joey we'll need an ID for it.
  
  I guess we need to use two buffers to handle the expansion correctly...

Steve
--



Bug#347221: smstools: Format string attack in logging code

2006-01-09 Thread Steve Kemp

Package: smstools
Version: 1.16-1+b1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

  A DSA has just been released for smstools due to an insecure
 usage of syslog in the logging code.

  The following patch will correct the issue:

--- smstools-1.14.8.orig/src/logging.c
+++ smstools-1.14.8/src/logging.c
@@ -78,7 +78,7 @@
   va_end(argp);
   if (Filehandle<0)
   {
-syslog(severity,text);
+syslog(severity,"%s",text);
   }
   else
   {
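
Review bot: the `else` branch that opens right after the changed call is cut off by the hunk, so check that the file-logging path does not hand `text` to an fprintf-style function as the format string the way the old `syslog(severity,text);` did; if it does, it needs the same `"%s"` treatment. The paths in the header name smstools-1.14.8 while the report is filed against 1.16-1+b1, so it is also worth stating which versions this hunk applies to cleanly.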


Steve
--

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.6-xen
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages smstools depends on:
ii  libc6 2.3.5-11   GNU C Library: Shared libraries an
ii  libmm14   1.4.0-1Shared memory library - runtime

smstools recommends no packages.

-- no debconf information





Bug#346101: More info?

2006-01-11 Thread Steve Kemp

  What output do you see if you run via strace?


apt-get install strace
strace apachetop

Steve
-- 





Bug#346101: Strace log not being accepted

2006-01-11 Thread Steve Kemp
On Wed, Jan 11, 2006 at 03:46:19PM -0600, Bonilla, Alejandro wrote:
> I have sent the strace of apachetop and the bug system is not letting it
> in, maybe as a spam check?
> 
> Here goes again attached.

  Cheers, got it.

  Looks like I tracked down the bug without this.  See :

http://lists.debian.org/debian-devel/2006/01/msg00648.html

  The problem appears to be that a structure is allocated and not
 initialized to NULL, so an invalid free appears.

  The fix is in the message linked to above - and I'll upload a 
 new revision shortly.

Steve
--
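
The failure mode described in this message, as an added example (not apachetop's code and not the fix from the linked post): a record whose pointer members are set to NULL at allocation, so that the cleanup path never passes an indeterminate value to free(). `struct hit` and the helper names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record with three owned strings; any of them may be absent. */
struct hit {
    char *url;
    char *referrer;
    char *host;
};

/* Release a record and return how many members were freed.
 * This is only safe when members that were never assigned are NULL. */
int hit_free(struct hit *h)
{
    int released = 0;

    if (h == NULL)
        return 0;
    if (h->url)      { free(h->url);      released++; }
    if (h->referrer) { free(h->referrer); released++; }
    if (h->host)     { free(h->host);     released++; }
    free(h);
    return released;
}

/* Heap copy of a string, or NULL when out of memory. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);

    if (copy)
        memcpy(copy, s, n);
    return copy;
}

/* Build a record; a NULL argument means the field is absent. */
struct hit *hit_new(const char *url, const char *referrer, const char *host)
{
    static const struct hit empty = { NULL, NULL, NULL };
    struct hit *h = malloc(sizeof *h);

    if (h == NULL)
        return NULL;

    /* Without this assignment the members hold whatever malloc() returned,
     * and hit_free() below would call free() on those leftover values as
     * soon as one field is absent or an allocation fails part-way. */
    *h = empty;

    if (url && (h->url = dup_string(url)) == NULL)
        goto fail;
    if (referrer && (h->referrer = dup_string(referrer)) == NULL)
        goto fail;
    if (host && (h->host = dup_string(host)) == NULL)
        goto fail;
    return h;

fail:
    hit_free(h);   /* frees only the members that were really allocated */
    return NULL;
}

int main(void)
{
    /* Constructed input: a hit with a URL but no referrer or host. */
    struct hit *h = hit_new("/index.html", NULL, NULL);

    if (h == NULL)
        return 1;
    printf("members freed: %d\n", hit_free(h));
    return 0;
}
```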





Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

2005-12-23 Thread Steve Kemp
On Fri, Dec 23, 2005 at 12:10:00AM +0100, Florian Ernst wrote:

> Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
> execution when importing a .bvh file)? Last I heard you were going to
> prepare an update unless anybody had an issue with the changes made,
> yet I haven't heard of any such issues (or anything at all, to be
> precise) since then...

  Utterly slipped my mind.  :(

> FWIW, I've put together an update for Sarge's version of the blender
> package based on the upstream change mentioned above, please find
> attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
> and this bug so these issues can be resolved for Sarge.

  Great, thanks a lot.

> Please tell whether you deem those patches sufficient for a potential
> future security advisory, and if not, please provide pointers at what
> might be missing.

  It looks good to me.  I've built a package and if nobody has any 
 objections I'll upload later today.

Steve
--





Bug#340989: gnump3d: Problems with final in UTF-8 mp3 tags

2005-12-23 Thread Steve Kemp

  I would do this if I knew how.  Any suggestion or patch is most
 welcome.

  I only deal with ASCII characters so I'm not sure what needs to
 be changed..

-- 
Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

2005-12-23 Thread Steve Kemp
On Fri, Dec 23, 2005 at 05:56:59PM +0100, Wouter van Heyst wrote:

> >   It looks good to me.  I've built a package and if nobody has any 
> >  objections I'll upload later today.
> 
> No objections from me.

  Great I already uploaded the package ;)

Steve
--





Bug#345912: xen-tools: The generated /etc/fstab file is broken.

2006-01-04 Thread Steve Kemp
Package: xen-tools
Version: 0.6-1
Severity: normal
Tags: patch

*** Please type your report below this line ***

  Version 0.6 of xen-tools generates a broken /etc/fstab file for
 all new images.

  The script used to create this "etc/xen-create-image.d/90-make-fstab"
 needs the following minor patch:

-/dev/sda1 / $CONFIG{'fs'} ${options}   0 1
+/dev/sda1 / ${fs} ${options}   0 1
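
Review bot: the new line depends on `${fs}` having been assigned earlier in 90-make-fstab, which this one-line change does not show; if it is unset, the filesystem-type field of the root entry comes out empty and the generated fstab is still unusable. Please show where `fs` is set, or have the script stop with an error when it is empty before the file is written.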

  This is fixed in new upstream version 0.7, which should be uploaded
 to sid once the current version makes it to testing.  One more day!

Steve
--

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.6-xen
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)





Bug#335959: reprepro: bz2 example is broken

2005-10-26 Thread Steve Kemp
Package: reprepro
Version: 0.6-1~sarge
Severity: minor
Tags: patch


  The sample file included in examples/bzip.example contains several
 errors.

  The section at the top reading thus:

--
# DscIndices Sources Release . .gz bzip2.sh
# DebIndices Packages Release . .gz bzip2.sh
# UDebIndices Packages . .gz bzip2.sh

--

  Should read like so:

--
# DscIndices: Sources Release . .gz bzip2.sh
# DebIndices: Packages Release . .gz bzip2.sh
# DebIndices: Packages . .gz bzip2.sh
--

Steve
--

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages reprepro depends on:
ii  apt0.5.28.6  Advanced front-end for dpkg
ii  binutils   2.15-6The GNU assembler, linker and bina
ii  libc6  2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libdb3 3.2.9-22  Berkeley v3 Database Libraries [ru
ii  libgpgme6  0.3.16-2  GPGME - GnuPG Made Easy
ii  zlib1g 1:1.2.2-4.sarge.2 compression library - runtime

-- no debconf information






Bug#328129: PATCH: The following patch fixes this issue

2005-11-03 Thread Steve Kemp

  The following patch extracted from the SF.net discussion linked
 above fixes the issue for me.

Steve
--

--- xine-ui-0.99.3.orig/src/xitk/menus.c
+++ xine-ui-0.99.3/src/xitk/menus.c
@@ -425,8 +425,7 @@
   int  x, y;
   xitk_menu_widget_t   menu;
   char buffer[2048];
-  char*sh[255];
-  int  shc = 0;
+  int  i;
   xitk_widget_t   *w;
 #ifdef HAVE_XINERAMA
   int  fullscr_mode = (FULLSCR_MODE | FULLSCR_XI_MODE);
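
Review bot: with `sh[255]` and `shc` removed at the top of the function, nothing in the visible hunks keeps the pointers returned by `menu_get_shortcut()` any more, so if those strings are allocated they need another release path. The added `int i;` suggests a loop over the menu entries that does this, but that loop is not in the part of the patch that reached this message; please include it and say in the description who owns the returned strings.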
@@ -439,15 +438,15 @@
   "",  
   NULL, NULL   
  },
 { _("Show controls"),
-  (sh[shc++] = menu_get_shortcut("ToggleVisibility")),
+  menu_get_shortcut("ToggleVisibility"),
   panel_is_visible() ? "" : "",  
   menu_panel_visibility, NULL  
  },
 { _("Show video window"),
-  (sh[shc++] = menu_get_shortcut("ToggleWindowVisibility")),
+  menu_get_shortcut("ToggleWindowVisibility"),
   video_window_is_visible() ? "" : "",  
   menu_video_ctrl, (void *) VIDEO_TOGGLE   
  },
 { _("Fullscreen"),
-  (sh[shc++] = menu_get_shortcut("ToggleFullscreen")),
+  menu_get_shortcut("ToggleFullscreen"),
   (video_window_get_fullscreen_mode() & fullscr_mode) ? "" : 
"",
   menu_video_ctrl, (void *) VIDEO_FULLSCR  
  },
 { "SEP",  
@@ -459,7 +458,7 @@
   "",   
   NULL, NULL   
  },
 { _("Open/File..."),
-  (sh[shc++] = menu_get_shortcut("FileSelector")),
+  menu_get_shortcut("FileSelector"),
   NULL,
   menu_file_selector,NULL  
  },
 { _("Open/Playlist..."),
@@ -467,7 +466,7 @@
   NULL,
   menu_playlist_ctrl, (void *) PLAYL_LOAD  
  },
 { _("Open/Location..."),
-  (sh[shc++] = menu_get_shortcut("MrlBrowser")),
+  menu_get_shortcut("MrlBrowser"),
   NULL,
   menu_mrl_browser, NULL   
  },
 { _("Playback"),
@@ -475,15 +474,15 @@
   "",
   NULL, NULL   
  },
 { _("Playback/Play"),
-  (sh[shc++] = menu_get_shortcut("Play")),
+  menu_get_shortcut("Play"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_PLAY  
  },
 { _("Playback/Stop"),
-  (sh[shc++] = menu_get_shortcut("Stop")),
+  menu_get_shortcut("Stop"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_STOP  
  },
 { _("Playback/Pause"),
-  (sh[shc++] = menu_get_shortcut("Pause")),
+  menu_get_shortcut("Pause"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_PAUSE 
  },
 { _("Playback/SEP"),
@@ -491,11 +490,11 @@
   "",  
   NULL,  NULL  
  },
 { _("Playback/Next MRL"),
-  (sh[shc++] = menu_get_shortcut("NextMrl")),
+  menu_get_shortcut("NextMrl"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_NEXT  
  },
 { _("Playback/Previous MRL"),
-  (sh[shc++] = menu_get_shortcut("PriorMrl")),
+  menu_get_shortcut("PriorMrl"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_PREV  
  },
 { _("Playback/SEP"),
@@ -503,11 +502,11 @@
   "",  
   NULL,  NULL  
  },
 { _("Playback/Increase Speed"),
-  (sh[shc++] = menu_get_shortcut("SpeedFaster")),
+  menu_get_shortcut("SpeedFaster"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_SPEEDM
  },
 { _("Playback/Decrease Speed"),
-  (sh[shc++] = menu_get_shortcut("SpeedSlower")),
+  menu_get_shortcut("SpeedSlower"),
   NULL,
   menu_playback_ctrl, (void *) PLAYB_SPEEDL
  },
 { _("Playlist"),
@@ -523,7 +522,7 @@
   NULL,
   menu_playlist_ctrl, (void *) PLAYL_LOAD  
  },
 { _("Playlist/Editor..."),
-  (sh[shc++] = menu_get_shortcut("PlaylistEditor")),
+  menu_get_shortcut("PlaylistEditor"),
   NULL,
   menu_playlist_ctrl, (void *) PLAYL_EDIT  
  },
 { _("Playlist/SEP"),  
@@ -555,7 +554,7 @@
   (gGui->playlist.loop == PLAYLIST_LOOP_SHUF_PLUS) ? "" : 
"",
   menu_playlist_ctrl, (void *) PLAYL_SHUF_PLUS 
  },
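
Review bot: this last hunk shows only unchanged context around line 555 and the message ends before any `+` or `-` line, so the patch is incomplete as posted and cannot be applied or reviewed from this point on. Please resend it as an attachment.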
  

Bug#339431: CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code

2005-11-16 Thread Steve Kemp
On Wed, Nov 16, 2005 at 02:05:11PM +0100, Loic Minier wrote:
>  Security team, did you start work on CVE-2005-3186 and CVE-2005-2975,
>  CVE-2005-2976 (not described in this report)?  Ubuntu has released some
>  packages which might help .

>  Do you need the Gtk maintainers to prepare an upload for stable?

  That would certainly be appreciated.

Steve
--





Bug#334601: I have very interest in vnc2swf

2005-11-18 Thread Steve Kemp
On Fri, Nov 18, 2005 at 05:00:46PM -0200, Rodrigo Tadeu Claro wrote:

> I have very interest of "pyvnc2swf" package.

  :)

> Inclusively, I'll liked of the to make this package. However, I see what
> you makes the ITP for vnc2swf (BUG: 334601).

  Yes that's correct.

> How much time you needed for terminated this vnc2swf package?
> The release of the vnc2swf to changed too.

  I know that there has been a new release, that is one of the reasons
 I've been slow with packaging it.

  I guess it would take me a few weeks to have a working package, as
 there are problems with the software.   The main problem is that lots
 of the commands have short "generic" names, so they should be moved
 to places like /usr/lib/pvnc2swf.

  Do you have any thoughts on how to handle that?  Or even a package
 available at the moment?

  If you have more free time than me it might make sense for you to
 take over the ITP; I'm certainly happy to be a comaintainer if that
 is what you'd like to do ..

Steve
--





Bug#334601: I have very interest in vnc2swf

2005-11-19 Thread Steve Kemp
On Fri, Nov 18, 2005 at 07:59:28PM -0200, Rodrigo Tadeu Claro wrote:

> I packed pyvnc2swf for the Debian. But still necessary to finish some small 
> adjustments, such as, to make a manual page in nroff that not have.

  OK.

> I have it much will to keep this package and would like to have you as 
> comaintainer.

  That is fine by me.  I'm just pleased that it will enter the archive
 so that it will be available to our users (and myself!)

> Being possible, will be able to send the package for you in some days for 
> your analysis and, perhaps posterior upload of this.That you find?

  That is fine.

> Sorry, my english is weak.

  It is good enough for me :)

Steve
--





Bug#340079: insecure tempfiles

2005-11-20 Thread Steve Kemp
On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote:

> Tags: security patch

> With the attached patch applied, it uses mktemp for their creation.

  The patch is .. missing.

Steve
-- 






Bug#340284: mozilla-firefox: "su root -c firefox" gives root access to any other firefox loaded.

2005-11-22 Thread Steve Kemp
On Tue, Nov 22, 2005 at 12:36:46PM +0100, S. Thommerel wrote:

> To reproduce this bug:
> 
>  su root and then load firefox from the term. Then launch firefox from
>  another unrelated and normal user terminal. The newly launched firefox reads 
> root's
>  profile and gets root's rights.

  Isn't this expected behaviour from Firefox?  When invoking new copies
 it doesn't spawn an independent new instance, instead it connects to
 the already-running instance?

  I guess it's a security hole in a sense...

Steve
--





Bug#311251: Confirmed

2005-06-05 Thread Steve Kemp

  I can confirm this bug, but I don't see a simple obvious solution.

  I've been getting lost in the parser whilst trying to resolve it,
 but I'll keep working on it.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#301470: spider: Binaries in wrong location, and package description incorrect.

2005-06-04 Thread Steve Kemp
On Sat, Jun 04, 2005 at 12:16:49PM -0400, Dale C. Scheetz wrote:

> My apologies for a slow reply...

  You're welcome, it's not a serious bug.

> My last reading of policy suggested that the X11 path was deprecated and that
> bins should be in /usr/bin. Please point me to where it says otherwise?


  Debian policy 11.11:

http://www.debian.org/doc/debian-policy/ch-customized-programs.html

"As described in the FHS, binaries of games should be installed
   in the directory /usr/games. This also applies to games that use the X
   Window System. Manual pages for games (X and non-X games) should be
   installed in /usr/share/man/man6."

> While I agree that description and actual location should agree, I am not 
> convinced that I have the wrong location...

  I hope the extract is enough to persuade you?  If not then
 I'd let it drop as it's only a minor issue.


Steve
--





Bug#301695: True

2005-04-18 Thread Steve Kemp

  This is a limitation of the software, it is only designed to show
 JPEG images, and as such PNG files are not supported.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#309722: ITP: xwc -- lightweight Explorer-like file manager

2005-05-18 Thread Steve Kemp
On Wed, May 18, 2005 at 11:59:10PM -0400, Roberto C. Sanchez wrote:

> * Package name: xwc
>   Version : 0.91.5a
> 
>  Supports association by file name and file type, tree view and device
>  mounting and unmounting.  Supports a wide variety of confifuartion

  That should probably be 'configuration'.

  Is there any real reason for packaging this?  The last release
 was in 2003 - and it includes its own copy of libfox because it
 won't cope with newer versions.

  The more recent file manager, xfe, which is included in Debian
 already is built on top of xwc.  It looks the same, it acts the
 same, but it's more recent and already present.

Steve
--





Bug#299560: dsniff: fails due to not finding libnids

2005-03-14 Thread Steve Kemp
On Tue, Mar 15, 2005 at 01:36:08AM +0100, txemi wrote:
> Package: dsniff
> Version: 2.4b1-8
> Severity: grave
> 
> dsniff fails this way in debian testing after last upgrade:

  Strange it works for me.

> $ sudo dsniff
> dsniff: error while loading shared libraries: libnids.so.1.19: cannot
> open shared object file: No such file or directory

  Please show me the output of :

ls -l `which dsniff`
ls -l /usr/sbin/dsniff

  (The last time this was reported the user had a local copy in
 /usr/local/bin - I'm trying to make sure you're not doing that).

> Perhaps this bug should be forwarded to libnids.

  Keep it here for the moment.

  The problem seems to be that the version of dsniff you have installed 
 is looking for libnids.so.1.19 when it starts - which it shouldn't
 because the package has an explicit dependency upon ...1.20.

  From the dpkg information included it looks like you have the most
 recent version of everything so it should work.


Steve
--





Bug#299560: dsniff: fails due to not finding libnids

2005-03-14 Thread Steve Kemp
On Tue, Mar 15, 2005 at 01:36:08AM +0100, txemi wrote:
> Package: dsniff
> Version: 2.4b1-8

  I spoke too soon.

  libnids 1.20 has made it into testing.  dsniff version 2.4b1-9 has
 not.

  This is not something I can fix, when the most recent version of
 dsniff makes it into testing your problem will be fixed.

  You have three choices:

1. Install an older version of libnids for the moment to allow
  dsniff to work.

2. Build from source yourself.

3. Wait.

Steve
--





Bug#300995: gnocatan-client: Deadlock if you use a road-building card with less than two roads

2005-03-22 Thread Steve Kemp
Package: gnocatan-client
Version: 0.8.1.54-1
Severity: normal
Tags: upstream


  Towards the end of a long game I obtained and used a 'Road Building'
 card.

  I'd not noticed I had only one 'road' piece left - so was unable to
 place more than that piece.

  Unfortunately the game doesn't re-enable the finish button until
 you have placed the two pieces that you get for free with that card.
 So I had to exit the client.

  Solution?  Either disallow the card from being used if you have
 only one road/ship left, or enable the 'Finish' button if you have
 no more roads/ships left.

  Definitely an upstream bug.

Steve


  

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages gnocatan-client depends on:
ii  libart-2.0-2 2.3.17-1Library of functions for 2D graphi
ii  libatk1.0-0  1.8.0-4 The ATK accessibility toolkit
ii  libbonobo2-0 2.8.1-2 Bonobo CORBA interfaces library
ii  libbonoboui2-0   2.8.1-2 The Bonobo UI library
ii  libc62.3.2.ds1-20GNU C Library: Shared libraries an
ii  libgconf2-4  2.8.1-4 GNOME configuration database syste
ii  libglib2.0-0 2.6.3-1 The GLib library of C routines
ii  libgnome2-0  2.8.1-2 The GNOME 2 library - runtime file
ii  libgnomecanvas2-02.8.0-1 A powerful object-oriented display
ii  libgnomeui-0 2.8.1-3 The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0   2.8.4-2 The GNOME virtual file-system libr
ii  libgtk2.0-0  2.6.2-4 The GTK+ graphical user interface 
ii  libice6  4.3.0.dfsg.1-12.0.1 Inter-Client Exchange library
ii  liborbit21:2.10.5-0.1libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-01.8.1-1 Layout and rendering of internatio
ii  libpopt0 1.7-5   lib for parsing cmdline parameters
ii  libsm6   4.3.0.dfsg.1-12.0.1 X Window System Session Management
ii  libxml2  2.6.16-3GNOME XML library
ii  xlibs4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii  zlib1g   1:1.2.2-4   compression library - runtime

-- no debconf information





Bug#314869: perldoc.el

2005-06-23 Thread Steve Kemp
On Thu, Jun 23, 2005 at 12:59:37PM -0400, Peter S Galbraith wrote:
> Hello Steve,
> 
> There's a minor bug against emacs-goodies-el for perldoc.el.  Would you
> like to fix it upstream or should I patch for Debian?
> 
>  http://bugs.debian.org/314869
> 
> I suppose patching for Debian makes sense since anyone installing perldoc.el
> for themselves will have perldoc also installed.  Although you could
> imagine, years later, perldoc getting removed without the user realising
> it...  Anyway, your call.  Except for the extra `t' argument...

  Upstream is essentially dead for this code.

  OK, looking over it would something as simple as using nil there work?

  I admit I'm hazy on lisp nowadays, but I must point out that this code
 isn't mine - I guess you added it looking at the header... so it's your
 bug!

  Failing that it might be better to use shell-command-to-string?  or
 start-process-shell-command?

Steve
--





Bug#314869: perldoc.el

2005-06-23 Thread Steve Kemp
On Thu, Jun 23, 2005 at 06:51:31PM -0400, Peter S Galbraith wrote:

> I was looking at the original file in my CVS tree, but in fact you're
> right I did substantially modify the file using dpatch, and I hadn't
> noticed.  How embarrassing.  Don't worry about it.  I'll deal with it!

  No worries, took me a while to realise too :)

> Sorry again,

  No problem, it's good that the code lives on even if it's not 100%
 perfect.

Steve
--





Bug#315877: ITP: initng -- next generation init system

2005-06-26 Thread Steve Kemp
On Sun, Jun 26, 2005 at 07:10:12PM +0200, Bartosz Fenski aka fEnIo wrote:

> Not sure how hard would be to integrate this with Debian (had to tune some
> files by hand on test box), but it's definitely worth trying.
> 
> On my test box it started system almost *three* times faster.

  I guess the obvious question would be .. does it require any
 changes to the init.d scripts themselves to gain this speedup?

  Or is the asynchronous nature sufficient to boost startup
 performance?

  If that is the case that'd be great - but I'd be initially
 suspicious unless it could ensure the correct ordering such
 that network access is available before servers start, etc.

Steve
--





Bug#316173: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding and Content-Length headers

2005-06-28 Thread Steve Kemp
On Wed, Jun 29, 2005 at 12:49:31AM +0200, Moritz Muehlenhoff wrote:
> Package: apache2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Latest 2.1.6-alpha fixes a security in the proxy HTTP code:
> 
> | The 2.1.6-alpha release addresses a security vulnerability present
> | in all previous 2.x versions.  This fault did not affect Apache 1.3.x
> | (which did not proxy keepalives or chunked transfer encoding);
> 
> |Proxy HTTP: If a response contains both Transfer-Encoding
> |and a Content-Length, remove the Content-Length to eliminate
> |an HTTP Request Smuggling vulnerability and don't reuse the
> |connection, stopping some HTTP Request Spoofing attacks.
> 

  Can I be the first to say that I don't understand the nature of this
 issue?

  Is this also present in 2.0.54 which is the latest stable release?
 There's no mention of it in the changelog there..

Steve
--
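
The rule in the quoted changelog, as an added example (not Apache's code): a response that carries both Transfer-Encoding and Content-Length can be framed two ways, so two HTTP parsers in a chain may disagree about where its body ends. The function and struct names and the sample header blocks are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Outcome of normalising one upstream response header block. */
struct proxy_verdict {
    int had_te;      /* Transfer-Encoding present */
    int had_cl;      /* Content-Length present */
    int keep_alive;  /* 1 = the upstream connection may be reused */
};

/* Does the line of length n start with "<name>:" (case-insensitive)?
 * A production parser must also reject or normalise variants such as
 * whitespace before the colon; only the canonical form is handled here. */
static int is_header(const char *line, size_t n, const char *name)
{
    size_t k = strlen(name), i;

    if (n <= k || line[k] != ':')
        return 0;
    for (i = 0; i < k; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Length of the line starting at p; *next is set to the following line. */
static size_t next_line(const char *p, const char **next)
{
    const char *eol = strstr(p, "\r\n");
    size_t n = eol ? (size_t)(eol - p) : strlen(p);

    *next = eol ? eol + 2 : p + n;
    return n;
}

/*
 * Copy the CRLF-separated header block `in` to `out`. When both framing
 * headers are present, Content-Length is dropped (the chunked encoding alone
 * then delimits the body) and the connection is marked as not reusable.
 * Returns 0 on success, -1 if `out` is too small.
 */
int normalise_response_headers(const char *in, char *out, size_t outsz,
                               struct proxy_verdict *v)
{
    const char *p, *next;
    size_t n, used = 0;
    int conflict;

    if (outsz == 0)
        return -1;
    v->had_te = v->had_cl = 0;

    /* Pass 1: record which framing headers the response carries. */
    for (p = in; *p; p = next) {
        n = next_line(p, &next);
        if (is_header(p, n, "Transfer-Encoding")) v->had_te = 1;
        if (is_header(p, n, "Content-Length"))    v->had_cl = 1;
    }
    conflict = v->had_te && v->had_cl;
    v->keep_alive = !conflict;

    /* Pass 2: copy every line except a conflicting Content-Length. */
    for (p = in; *p; p = next) {
        n = next_line(p, &next);
        if (conflict && is_header(p, n, "Content-Length"))
            continue;
        if (n + 2 >= outsz - used)
            return -1;
        memcpy(out + used, p, n);
        memcpy(out + used + n, "\r\n", 2);
        used += n + 2;
    }
    out[used] = '\0';
    return 0;
}

/* Constructed samples: one ambiguous response, one unambiguous. */
static const char SAMPLE_CONFLICT[] =
    "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
    "Content-Length: 11\r\nConnection: keep-alive\r\n";
static const char SAMPLE_PLAIN[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 11\r\n";

int main(void)
{
    char out[256];
    struct proxy_verdict v;

    if (normalise_response_headers(SAMPLE_CONFLICT, out, sizeof out, &v) != 0)
        return 1;
    printf("reuse connection: %d\n%s", v.keep_alive, out);
    if (normalise_response_headers(SAMPLE_PLAIN, out, sizeof out, &v) != 0)
        return 1;
    printf("reuse connection: %d\n%s", v.keep_alive, out);
    return 0;
}
```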





Bug#318678: dsniff needs to depend on libnids1.20 instead of libnids1

2005-07-16 Thread Steve Kemp
On Sat, Jul 16, 2005 at 06:10:08PM -0600, Michael Berg wrote:
> Package: dsniff
> Version: 2.4b1-11
> Severity: important
> 
> dsniff currently Depends on libnids1 (>= 1.20), but libnids1 was recently 
> changed to libnids1.20 in Debian/unstable - making dsniff uninstallable.
> 
> Given that the version of the source code is the same at 1.20 (only the 
> package name changed), rebuilding dsniff to pick up the new name in its 
> dependency list should fix the problem.
> 

  This is correct.  However since the GCC default has changed we
 cannot upload a new dsniff package until bug #315198 is fixed.

  Once that's closed there will be a new package.  Hopefully it
 will be fairly soon.

Steve
--





Bug#301470: spider: Binaries in wrong location, and package discription incorrect.

2005-03-25 Thread Steve Kemp
Package: spider
Version: 1.2-2
Severity: normal


  The package description for spider contains the following text:

  --
   The default is round.spider. If you wish to use small.spider, either call
   it directly, or change the link /usr/X11R6/bin/spider to point to
   small.spider instead of round.spider.
  --

  1.  The package doesn't install anything inside /usr/X11R6/bin.

  2.  This package is a game, so the two binaries :

/usr/bin/round.spider
/usr/bin/small.spider

  should both be installed in /usr/games.

Steve
--


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages spider depends on:
ii  libc6    2.3.2.ds1-20        GNU C Library: Shared libraries an
ii  libice6  4.3.0.dfsg.1-12.0.1 Inter-Client Exchange library
ii  libsm6   4.3.0.dfsg.1-12.0.1 X Window System Session Management
ii  libx11-6 4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii  libxaw7  4.3.0.dfsg.1-12.0.1 X Athena widget set library
ii  libxext6 4.3.0.dfsg.1-12.0.1 X Window System miscellaneous exte
ii  libxmu6  4.3.0.dfsg.1-12.0.1 X Window System miscellaneous util
ii  libxpm4  4.3.0.dfsg.1-12.0.1 X pixmap library
ii  libxt6   4.3.0.dfsg.1-12.0.1 X Toolkit Intrinsics
ii  xlibs    4.3.0.dfsg.1-12     X Keyboard Extension (XKB) configu

-- no debconf information





Bug#288195: New homepage

2005-03-27 Thread Steve Kemp

  The new homepage appears to be:

http://www.securesoftware.com/resources/download_rats.html

  I will update the package shortly, thanks for the report!

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#302415: F11 maybe a bad choice?

2005-04-01 Thread Steve Kemp

  I just spotted that F11 is grabbed by IceWM too.

  Perhaps the easiest approach might be to switch the default
 to F12 or so?

  I guess that changing the code isn't too useful as we still don't
 see *which* program is already grabbing the key, but the following
 patch does give an error message:

Steve
--

--- skippy.c-orig   2005-04-01 11:39:23.217799616 +0100
+++ skippy.c2005-04-01 11:41:21.802771960 +0100
@@ -222,6 +222,7 @@
const char *tmp, *homedir;
char cfgpath[8192];
Bool invertShift = False;
+   int grabret;
 
if(! dpy) {
fprintf(stderr, "FATAL: Couldn't connect to
display.\n");
@@ -285,7 +286,13 @@
XSelectInput(mw->dpy, mw->root, PropertyChangeMask);
 
keycode = XKeysymToKeycode(mw->dpy, keysym);
-   XGrabKey(mw->dpy, keycode, AnyModifier, mw->root, False,
GrabModeAsync,
 GrabModeAsync);
+   grabret = XGrabKey(mw->dpy, keycode, AnyModifier, mw->root,
False, Grab
ModeAsync, GrabModeAsync);
+
+   if ( grabret == 1 )
+   {
+ printf("Keygrab failed - perhaps the key is grabbed by another
applic
aion?\n");
+ exit( -1 );
+   }
while(! DIE_NOW)
{
XEvent ev;
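
Review bot: The grabret == 1 test after the new XGrabKey() call does not detect a failed grab. Xlib request functions such as XGrabKey() return a fixed status and report a conflicting grab asynchronously, as a BadAccess error delivered to the error handler, so as written this branch is taken on every start and the program always exits. Drop the return-value check and install a handler with XSetErrorHandler() before the grab, followed by XSync(), to catch the BadAccess. The message should also go to stderr with fprintf(), as the FATAL message in the previous hunk does, and "applicaion" is misspelled.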






Bug#302415: F11 maybe a bad choice?

2005-04-01 Thread Steve Kemp
On Fri, Apr 01, 2005 at 03:43:18PM +0200, Niv Altivanik wrote:
> 
> This patch is not really useful, as XGrabKey *always* returns 1 ...
> 
> as far as I understood, the only way to catch an X error, is by using
> XErrorEvent and friends, which looks like a PITA.

  D'oh!

  OK.

> Maybe F11 is not the best choice, but what to do ? Have we got to
> change the defaults so that they 'complies' with other arbitrary
> choices ? so maybe icewm binds F11 by default, maybe enlightenment
> does that too, and maybe ion binds F12, openbox F10, ... I mean, this
> is endless... I don't think that changing the default will help.

  Yes I agree.  Just thought I'd point out that IceWM was another
 candidate along with xbindkeys et al.

> From now, my position is to stick completing the documentation rather
> than switching to other arbitrary defaults.

  :)

Steve
--





Bug#334601: ITP: vnc2swf -- Create shockwave flash videos of windows or desktops

2005-10-18 Thread Steve Kemp

Subject: ITP: vnc2swf -- Create shockwave flash videos of windows or desktops
Package: wnpp
Owner: Steve Kemp <[EMAIL PROTECTED]>
Severity: wishlist

*** Please type your report below this line ***

* Package name: vnc2swf
  Version : 0.6.4
  Upstream Author : Yusuke Shinyama <[EMAIL PROTECTED]>
* URL : http://www.unixuser.org/~euske/vnc2swf/
* License : (GPL)
  Description : Create shockwave flash videos of windows or desktops
  .
  This package allows you to record on-screen activities observed
  via a VNC server, and convert the recordings to Shockwave Flash
  movies.
  .
  The movies may then be displayed inside a browser.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)






Bug#334641: ITP: metaplanet -- Web-based feed aggregator written in PHP

2005-10-19 Thread Steve Kemp
On Tue, Oct 18, 2005 at 10:37:19PM -0300, Fernando J.Rodríguez wrote:

> Metaplanet is a feed agregrator that shows the news of multiple sources
> in a unified web page. The main objetive is to serve web pages as fast
> as posible with a minimum load on the server.

  Just a minor typo that caught my eye 'posible' -> 'possible'.

Steve
--






Bug#335439: vncserver: passwords over 8 chars not handled correctly

2005-10-23 Thread Steve Kemp
On Sun, Oct 23, 2005 at 08:19:35PM -0400, Collin E Borrlewyn wrote:

> vncserver lets me in without supplying the full password.
> 
> To reproduce this:
> start vncserver: vncserver :1
> when prompted enter a password of eight or more characters
> start xvncviewer and connect to :1
> when prompted enter the first eight characters of the password and hit enter
> You have been authenticated.

  This appears to be a known weakness in VNC, for which I can find
 references going back to 1999.

  e.g.

http://www.realvnc.com/pipermail/vnc-list/1999-November/010853.html


  The source documents this:

vnc-3.3.7/vncpasswd/vncpasswd.c

  "Always ignore anything after 8 characters, since this is what Solaris 
getpass() does anyway.".


  As does "man vncpasswd":

  "The password must be at least six characters long, and only the first eight
characters are significant"

  Perhaps a more prominent warning is required, but I consider it unlikely
 that this will be fixed if upstream is content with the current state

Steve
--





Bug#335817: wordpress: SECURITY : Contains an insecure version of class.snoopy

2005-10-25 Thread Steve Kemp
Package: wordpress
Version: 1.5.2-2
Severity: grave
Justification: user security hole


  As described upon the following bugtraq post the class Snoopy which
 is included in wordpress potentially allows arbitrary command execution.

http://seclists.org/lists/fulldisclosure/2005/Oct/0536.html

  The class is contained within the wordpress distribution - although
 I haven't explicitly told them yet, I leave it to you to give them
 a nod.

Steve
--
  

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)





Bug#331067: gnump3d: Broken link http://server:port/COPYING

2005-10-01 Thread Steve Kemp
Package: gnump3d
Version: 2.9.5-1
Severity: minor
Tags: patch


  Broken link because the plugin test first lower-cases the plugin
  filename.

  Fix:

 sudo mv /usr/share/perl5/gnump3d/plugins/COPYING.pm \
 /usr/share/perl5/gnump3d/plugins/copying.pm


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-k7
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages gnump3d depends on:
ii  adduser               3.67.1  Add and remove users and groups
ii  debconf [debconf-2.0] 1.4.58  Debian configuration management sy
ii  logrotate             3.7.1-2 Log rotation utility
ii  perl                  5.8.7-5 Larry Wall's Practical Extraction
ii  perl-modules          5.8.7-5 Core Perl modules

gnump3d recommends no packages.

-- debconf information:
* gnump3d/user: gnump3d
* gnump3d/root: /home/mp3
* gnump3d/port: 





Bug#327165: pioneers-client has problems with mouse and toolbar.

2005-09-07 Thread Steve Kemp
Package: pioneers-client
Version: 0.9.23-1
Severity: normal
Tags: upstream


  The toolbar upon the pioneers-client appears to behave strangely.

  When the mouse is over a disabled button it cannot be clicked when
 it is enabled without moving away from the current location.

  This is hard to describe, but simple to test.

  1. Join a game (any kind) with more than two players.  (human or ai).
  2. When it is *not* your turn move your mouse pointer over the
 "roll dice" button.
  3. When it becomes your turn the "roll dice" button becomes enabled.
  4. Note the problem.

  What *should* happen is that the "roll dice" button becomes enabled
 and you click it immediately.

  What actually happens is that you cannot click the button at all.
 Instead you must move your mouse pointer away from the button, then
 back onto it to click.

  This slows down the game a lot.

  (It seems that pioneers is significantly slower to play than gnocatan
 was - but I can't see whether that is the server, the client-ai
 package, or my system which is causing the delay).



-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-k7
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages pioneers-client depends on:
ii  libatk1.0-0           1.10.1-2   The ATK accessibility toolkit
ii  libbonobo2-0          2.10.0-1   Bonobo CORBA interfaces library
ii  libc6                 2.3.5-6    GNU C Library: Shared libraries an
ii  libgconf2-4           2.10.1-1   GNOME configuration database syste
ii  libglib2.0-0          2.8.0-1    The GLib library of C routines
ii  libgnome2-0           2.10.1-1   The GNOME 2 library - runtime file
ii  libgnomevfs2-0        2.10.1-5   The GNOME virtual file-system libr
ii  libgtk2.0-0           2.6.10-1   The GTK+ graphical user interface
ii  liborbit2             1:2.12.2-3 libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0         1.8.2-1    Layout and rendering of internatio
ii  libpopt0              1.7-5      lib for parsing cmdline parameters

Versions of packages pioneers-client recommends:
pn  pioneers-help  (no description available)
ii  pioneers-server-gtk   0.9.23-1   computer version of the settlers o

-- no debconf information





Bug#327165: pioneers-client has problems with mouse and toolbar.

2005-09-07 Thread Steve Kemp
On Thu, Sep 08, 2005 at 07:57:14AM +0200, Roland Clobus wrote:

> I've tried to reproduce this, but I got different results (Gtk 2.6.8):

  Right I'm using 2.6.10-1, as packaged in Debian's unstable distribution.

> When the button under the mouse becomes enabled, it can be clicked.
> When the button was raised before it became disabled, and if the mouse 
> has not yet moved away from the button, it is still raised. Otherwise, 
> the button is not shown raised, although it would normally be.
> The game is thus playable normally.

  That appears to be the behaviour I would expect, but is not what
 I see.

> * Does the shortcutkey F1 work correctly while the button is not?

  Yes it does.

> * Is the menu also showing the correct enabled items?

  Yes it does.

  The behaviour only seems to affect whether the border of the button
 is shown, and whether things can be clicked.

> AFAIK there have been no specific changes that would slow the 
> application down. The AI is better and could take some more time, but 
> I think that that effect is quite negligible given the delay of 
> 1000ms the AI makes in each step.

  This is a snippet from the chat window, playing in the "Conquest"
 map.  Four players, three AI, one human (skx).

07:01:16 Begin turn 1 for skx.
07:01:19 skx rolled 7.
07:01:20 skx moved the robber.
07:01:21 You stole a brick card from Coolio.
07:01:27 Begin turn 2 for Saddam Hussein.
07:01:28 Saddam Hussein rolled 10.
07:01:28 Saddam Hussein receives an ore card.
07:01:29 Begin turn 2 for Godzilla.
07:01:29 Godzilla rolled 7.
07:01:30 Godzilla moved the robber.
07:01:30 Godzilla stole a resource from Saddam Hussein.
07:01:31 Begin turn 2 for Coolio.
07:01:31 Coolio rolled 7.
07:01:32 Coolio moved the robber.
07:01:32 Coolio stole a resource from Saddam Hussein.
07:01:33 Begin turn 2 for skx.

  Notice the timestamps show almost a second for each step?  That 
 seems to me to be much slower than previously although I don't
 have logs to prove it.

  Thanks for your comments anyway.  If nobody else can confirm
 the toolbar issue I guess I could put it down to my system, but
 I'm not running anything sufficiently unusual for me to suspect
 this.

Steve
--





Bug#327165: pioneers-client has problems with mouse and toolbar.

2005-09-08 Thread Steve Kemp
On Thu, Sep 08, 2005 at 11:00:56AM +0200, Bas Wijnen wrote:

> >   Right I'm using 2.6.10-1, as packaged in Debian's unstable distribution.
> 
> I could reproduce this with Gtk 2.6.10-1 as well.

  Good to see I'm not alone.

> That second is the delay the AI makes on purpose, to avoid the game going too
> fast.  It can be changed when you start the AI from the commandline.  

  I see this, I looked over the code in both gnocatan-0.8.1.59 and
 pioneers-0.9.23.

  I don't see any obvious differences in the delays being used, but
 it certainly feels slower to play.

> I'm not sure about the delay in the previous AI, but I think it was 
> 1 second as well.

  It was.

> It could be that it occurred less often, making the game in total a bit
> faster.

  That could be a possible explanation - one delay of a second per
 turn, vs one delay per turn component.  (eg, building road, discarding).

  I've not managed to look into it in that much detail though, so that
 could be a completely bogus suggestion.

Steve
--





Bug#324034: base-config 2.70 uninstallable

2005-08-19 Thread Steve Kemp
Package: base-config
Version: 2.70
Severity: important
Tags: patch

  When attempting to upgrade today I see the following error:

Setting up base-config (2.70) ...
/var/lib/dpkg/info/base-config.postinst: line 59: syntax error near unexpected
token `db_fset'
dpkg: error processing base-config (--configure):
 subprocess post-installation script returned error exit status 2
Errors were encountered while processing:
 base-config
E: Sub-process /usr/bin/dpkg returned an error code (1)


  The patch below fixes this issue.

Steve
-- 

--- /var/lib/dpkg/info/base-config.postinst~2005-08-19 23:22:53.0
+0100
+++ /var/lib/dpkg/info/base-config.postinst 2005-08-19 23:22:12.0
+0100
@@ -54,7 +54,7 @@
apt-setup/non-free apt-setup/contrib apt-setup/badsource \
apt-setup/another apt-setup/badedit \
apt-setup/security-updates \
-   apt-setup/security-updates-failed \
+   apt-setup/security-updates-failed ;
do 
db_fset $q seen false || true
done
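
Review bot: The changed line ends the for word list with " ;", which works, but the fault is only the trailing backslash that joins the list to "do"; deleting the backslash and letting the newline end the list gives the same result with a smaller change. The diff is also made against the installed copy, /var/lib/dpkg/info/base-config.postinst, so the same edit has to go into the postinst in the package source for the fix to survive the next build.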






Bug#324201: ITP libcgi-session-expiresessions-perl: Clean up old CGI sessions

2005-08-20 Thread Steve Kemp

Package: wnpp
Version: N/A; reported 2002-05-17
Severity: wishlist

* Package name: libcgi-session-expiresessions-perl
  Version : 1.04
  Upstream Author : Ron Savage <[EMAIL PROTECTED]>
* URL : 
http://savage.net.au/Perl-modules/html/CGI/Session/ExpireSessions.html
* License : Perl Artistic License
  Description : Class to clean up old CGI::Sessions objects.

  A Perl5 library which is designed to expire old sessions produced
 by the CGI::Session module.
 .
  The module can correctly remove and clean sessions stored upon
 the filesystem, and inside MySQL databases.
 .
 Homepage: 
http://savage.net.au/Perl-modules/html/CGI/Session/ExpireSessions.html


Steve
--





Bug#213957: Fixed.

2005-08-20 Thread Steve Kemp

  This is fixed in Sarge, Etch, and unstable.

  Probably time to close it.

-- 
Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#202963: This is fixed now

2005-08-20 Thread Steve Kemp

  This is fixed in Woody, Sarge, and Sid.

  Probably time to close it now.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#325135: maildrop: lockmail doesn't drop privileges

2005-08-27 Thread Steve Kemp
On Sat, Aug 27, 2005 at 12:27:51PM +0200, Martin Schulze wrote:

> Thanks a lot for the report.  This is CAN-2005-2655.
> 
> > The bug affects 1.5.3-1.1 sarge/etch/sid and 1.8.1-2 in experimental,
> > and should be easy to fix: Just add setgid(getgid()) before the
> > execvp(). I tested the attached patch briefly and verified that it
> > builds and prevents this bug.
> 
> Steve, could you take care of sid and experimental packages if Joy
> is too busy?

  Certainly.  Once the advisory is out I can make an upload if Joy
 hasn't already made one.

Steve
--
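
The fix quoted above, as an added example rather than maildrop's code: a set-id helper gives up its extra group and user IDs in the child before it runs the user's command. It uses setregid()/setreuid() instead of the report's setgid(getgid()) so that the saved IDs are cleared as well; the function names and exit codes are assumptions made for the illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Permanently drop any extra group and user privileges held through
 * set-id bits.  Returns 0 on success, -1 if anything is left over.
 */
int drop_privileges(void)
{
    gid_t rgid = getgid(), old_egid = getegid();
    uid_t ruid = getuid(), old_euid = geteuid();

    /* Group first: once the uid is dropped the process may no longer
     * be permitted to change its gid. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Check the result instead of trusting the return codes alone. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;

    /* The old IDs must not be recoverable.  Root can always switch
     * IDs, so the probe is only meaningful for other users. */
    if (ruid != 0) {
        if (old_egid != rgid && setegid(old_egid) == 0)
            return -1;
        if (old_euid != ruid && seteuid(old_euid) == 0)
            return -1;
    }
    return 0;
}

/*
 * Run argv[0] in a child with privileges dropped.
 * Returns the child's exit status, or -1 if it could not be run/waited for.
 * 126 = privilege drop failed, 127 = exec failed (shell-style codes).
 */
int run_unprivileged(char *const argv[])
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);     /* refuse to exec with privileges still held */
        execvp(argv[0], argv);
        _exit(127);         /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed command line standing in for the user's program. */
    char *cmd[] = { "/bin/sh", "-c", "id", NULL };

    printf("exit status: %d\n", run_unprivileged(cmd));
    return 0;
}
```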





Bug#333682: security problem within CDDB communication

2005-10-13 Thread Steve Kemp
On Thu, Oct 13, 2005 at 10:52:28AM +0200, Michal Čihař wrote:

> xine announcement [1] is four day old, it says issue has been found by
> Debian Security Audit Project, so I'd expect that Debian will have it
> fixed also :-).

  We do.

> Sorry if you're already working on this issue and I interrupt you from
> work, but I wanted to make sure you know about this.

  Please see DSA-863, released on the 12th of October:

http://www.us.debian.org/security/2005/dsa-863

Steve
--





Bug#333734: curl: Buffer overflow in NTLM authentication

2005-10-13 Thread Steve Kemp
On Thu, Oct 13, 2005 at 03:03:42PM +0200, Moritz Muehlenhoff wrote:
> Package: curl
> Version: 7.14.1-5
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Another buffer overflow has been found in curl's NTLM authentication
> code. (This one is different from CAN-2005-0490 and doesn't seem to
> have a CVE assignment yet). Please see 
> http://www.mail-archive.com/wget%40sunsite.dk/msg08294.html
> for more information.

  Noted already, and an update for Sarge should be available soon.

Steve
--





Bug#327722: Patch for Gopher bug CAN-2005-2772

2005-09-26 Thread Steve Kemp
On Mon, Sep 26, 2005 at 09:23:16AM -0500, John Goerzen wrote:

> >   Attached are the patches that Joey (Schulze) approved.
> 
> Can you (or Joey) comment: did you use a different patch because you
> believe mine to be insecure, or for a different reason?  (That's an
> important question, since as you know, my patch was uploaded to unstable
> and will presumably be in the next stable release.)

  Your patch looks good.

  The reason that I used the one I did was because it was created
 a few weeks ago when there was no other patch publicly
 available.  Had I seen yours at the time I would have used it
 instead, rather than going with something different.

  I certainly don't think you need do anything drastic like
 use the one I made in another upload.  Although it was a 
 fair question to ask.

Steve
--





Bug#325135: maildrop: lockmail doesn't drop privileges

2005-08-28 Thread Steve Kemp
On Sat, Aug 27, 2005 at 07:03:55PM -0400, Andres Salomon wrote:

> >   Certainly.  Once the advisory is out I can make an upload if Joy
> >  hasn't already made one.
> > 
> 
> I can also do an upload; Joy already said I should comaintain, I've just
> been waiting for racke to do a new courier upload so that I can actually
> use maildrop (I have new maildrop packages in experimental that're just
> rotting away, waiting).

  I'll leave it to you then, unless you tell me differently.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#325769: Format string security hole in anon-proxy

2005-08-30 Thread Steve Kemp

Package: anon-proxy
Version: 00.02.39-7
Severity: serious
Tags: patch, upstream


  The logging code in anon-proxy contains a misuse of the syslog function
 allowing potential remote compromise of the host it is running upon.

  (This depends whether logging is enabled).

  The patch below fixes the issue.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

--- CAMsg.cpp-orig  2005-08-29 21:17:42.0 +0100
+++ CAMsg.cpp   2005-08-29 21:18:30.0 +0100
@@ -124,7 +124,7 @@
{
case MSG_LOG:
#ifndef _WIN32
-   
syslog(type,oMsg.m_strMsgBuff);
+   
syslog(type,"%s",oMsg.m_strMsgBuff);
#endif
break;
case MSG_FILE:
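
Review bot: Passing the buffer through a constant "%s" in the MSG_LOG branch is the right fix for syslog(), but the hunk covers only this one sink. The MSG_FILE case that follows, and any other branch of this switch that hands oMsg.m_strMsgBuff to a printf-style function, should be checked for the same pattern. Building with -Wformat -Wformat-security would flag any remaining non-literal format arguments.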
[EMAIL PROTECTED]:/tmp/anon-proxy-00.02.39$ 






Bug#322152: Please mention forums.debian.net

2005-08-09 Thread Steve Kemp
On Tue, Aug 09, 2005 at 01:19:07PM +0200, Jeroen van Wolffelaar wrote:

> forums.debian.net, which for full disclosure, I started and host, has
> been steadily gaining popularity in the past year, and consequently it
> has become a resource for new Debian users with actually quite a good
> chance of getting a useful response.

  It is a good site too, which helps.

> With now well over 700 contributions per month and steadily growing, I
> think it makes sense to mention these web forums somewhere on the
> debian.org website, for example http://www.debian.org/support#web.
> The current list of 4 websites is a bit on the short side in my opinion
> anyway, with also only 1 out of 4 websites actually being
> Debian-specific. A simple google query alone give a lot more useful
> resources for Debian users.

  I agree, and would also pimp my site ;)

  My suggestion would be to move the URLs listed in the page:

http://www.us.debian.org/misc/related_links

  I'm not too sure which way it should be, either move the misc/related
 sites into support#web, or vice-versa.  But having two lists which
 overlap so significantly is unnecessary duplication IMHO.

   Perhaps a separate tree '/support/web', or similar?

Steve
-- 
www.debian-administration.org





Bug#319272: I suspect I can't win either way

2005-08-13 Thread Steve Kemp

  I suspect that there are still sufficiently many people
 using Apache 1.3x that changing the default file will
 just result in a new bug report from them.

  I guess the best approach is to:

1.  Use any logfile specified upon the command line.
2.  Then attempt to use /var/log/apache/access.log
3.  Then attempt to use /var/log/apache2/access.log
4.  Quit with error.

  I'll look into modifying the code to do this search.
 
Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#320204: Solution ..

2005-07-28 Thread Steve Kemp


  This bug is common to all the module-assistant built modules.

  The problem comes from the fact that the compiler you used to build
 the fuse-source module differs from that used to build your kernel.

  Run 'cat /proc/version' to see the GCC version used to build your
 current kernel.  Mine said 3.3.6 - which is gcc-3.3.

  Install that, then the hacky solution for building fuse is:

[EMAIL PROTECTED]:# cd /usr/src/modules/fuse/kernel
[EMAIL PROTECTED]:# rm .*.cmd *.o *.ko
[EMAIL PROTECTED]:# rm /usr/bin/gcc
[EMAIL PROTECTED]:# ln -s /usr/bin/gcc-3.3 /usr/bin/gcc
[EMAIL PROTECTED]:# module-assistant build fuse --force
[EMAIL PROTECTED]:# module-assistant install fuse --force
[EMAIL PROTECTED]:# rm /usr/bin/gcc
[EMAIL PROTECTED]:# ln -s /usr/bin/gcc-4.0 /usr/bin/gcc

  (Not sure if removing the .o files, etc, is necessary.  Seemed 
 safest to ensure the module was rebuilt.)

  On my Sid system /usr/bin/gcc points to gcc-4.0 by default - so
 don't forget to replace the link when you're done.

  Hope that helps...  

  I tried using "CC=gcc-3.3 m-a build ..." but that failed, I didn't
 investigate trying to propagate a particular gcc version to the
 build system although that would be cleaner than messing with
 the symlinks.

Steve
-- 
# Debian System Administration
www.debian-administration.org/







Bug#404233: CVE-2006-6678: Netrik arbitrary command execution

2006-12-22 Thread Steve Kemp
On Fri, Dec 22, 2006 at 06:42:41PM +0100, Stefan Fritsch wrote:

> A vulnerability has been reported in Netrik:

  Thanks for the report.  Security update for Sarge is building now.

  Patch attached:

Steve
-- 

--- form-file.c 2003-08-06 10:28:45.0 +
+++ /home/skx/form-file.c   2006-12-22 22:19:12.0 +
@@ -10,6 +10,7 @@
  * (C) 2003 antrik
  */

+#include 
 #include 
 #include 
 #include 
@@ -107,6 +108,14 @@
   char temp_name[size];
   snprintf(temp_name, size, format, name);

+  /* make sure we get a proper filename */
+  {
+char   *chr;
+for(chr=temp_name; *chr; ++chr)
+   if(!isalnum(*chr))/* not safe filename char -> replace */
+  *chr='_';
+  }
+
   /* write temporary file */
   {
 intfildes;
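
Review bot: The sanitising loop runs over the whole of temp_name, after snprintf() has already combined format and name, so any '.', '-' or '/' that the format string itself contributes is rewritten to '_' as well; if format carries a directory or an extension, filter name before the snprintf() call instead. isalnum(*chr) is also called on a plain char, which is undefined for negative values; cast the argument to unsigned char.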






Bug#404455: xen-tools should check if volumegroup exists, exit with error if not

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 12:52:34AM +0100, Henning Sprang wrote:

> But in the logs I saw an error in lvm creation. I think such errors
> should be caught and properly reported at the command line, and vm
> config file creation should not happen.

  Noted.  Fixed in CVS now.

Steve
-- 




Bug#404443: xen-tools should not overwrite exitsing vm config file without --force

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 12:20:43AM +0100, Henning Sprang wrote:

> The problem why it didn't stop was, it seems to only check if a given
> lvm or disk already exists.

  True.

> It seems not to check, if the vm config file it is about to create
> already exists and just overwrote an existing config.
> While in this case I don't blame xen-tools for my own errors, I think
> it's generally important to check if a config file already exists,
> and only overwrite it with --force.

  Fixed in CVS.

> Also interesting: the config file was also written when the lvm volume
> couldn't be created. It seemed like xen-tools doesn't realize if
> there's an error in lvm creation (gonna add an extra bug for this).

  (Fixed that separately.)

Steve
-- 




Bug#402889: xen-tools: in hooks/roles, installDebianPackage always fail

2006-12-25 Thread Steve Kemp
On Wed, Dec 13, 2006 at 01:07:00PM +0100, Abaakouk Mehdi wrote:

> When a hook or role calls installDebianPackage it fails with an error like
> this:
> 
>   assert failed: ${the hook script name}:103 []

  Thanks for the patch, it has been committed to CVS and will be in
 the next release (very soon!)

Steve
-- 




Bug#404444: make customization hooks optional

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 12:39:47AM +0100, Henning Sprang wrote:

> In these cases, the only other solution (if I don't want to lose
> xen-tools for creating my configs and block devices) would be to do a
> no-install, then mount manually, and untar the file in there.

  Added the new option "--no-hooks" to avoid running the hooks.

  Enjoy!

  :)

Steve
-- 




Bug#404454: make xt-install.image recognize debootstrap=0

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 12:51:40AM +0100, Henning Sprang wrote:

> While it seems like xen-create-image is correctly working when I
> overwrite the installation method in a config provided with --config,
> setting the default installation method to "0" like this:

  Seems like the obvious solution is to comment out the default
 in the main configuration file ..

  I agree that the overwriting should work, but can't see the bug
 at the moment.  Will look more carefully sometime soon.

Steve
-- 




Bug#404509: undefined subroutine logpring

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 03:14:42PM -0500, Joey Hess wrote:

> Undefined subroutine &main::logpring called at /usr/bin/xen-create-image line 
> 2504.
> 
> It's a typo, s/logpring/logprint/

  Thanks, fixed in CVS now.

Steve
-- 





Bug#404508: (no subject)

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 02:56:01PM -0500, Joey Hess wrote:

> Here xen-create-image likes to copy over my dom0's /lib/modules, all 650
> mb of it (I have a "few" kernels installed).

  Agreed.

> Seems to me that for etch and up, a better approach when creating an
> image is to install linux-modules-$(uname -r)

  I've thought about different solutions to this problem several times,
 but I can't quite convince myself that there is a perfect solution.

  I find that the Debian xen-kernels are unsuitable for me on a lot
 of machines, so I use custom kernels and source-compiles of Xen.

  I can see that copying /lib/modules/$(uname -r) might be OK since
 it will do the right thing on machines which are running a Debian
 image, or on a self-made Xen installation.  If you could be happy
 with that not being controlled by dpkg then I'd make that change.

  Otherwise I think that adding a simple hook script would be
 simple enough.  Something like:

#!/bin/sh
# role-script for purging modules
prefix=$1

# refuse to run without a target, or the host's own /lib/modules is purged
if [ -z "${prefix}" ]; then
    echo "No prefix given.  Aborting"
    exit 1
fi

if [ ! -d "${prefix}/lib/modules" ]; then
    echo "No modules directory.  Weirdness.  Aborting"
    exit 1
fi

# remove all modules
rm -rf "${prefix}/lib/modules"

# make a new directory
mkdir "${prefix}/lib/modules"

# install package
chroot "${prefix}" /usr/bin/apt-get -q -q install "linux-modules-$(uname -r)"

  The only downside to that approach would be that you can only have
 one role script so using that one would rule out using others..

Steve
-- 





Bug#404508: your mail

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 05:14:19PM -0500, Joey Hess wrote:

> Here's an approach that tries to be smart about using linux-modules
> packages iff available:

  Thanks, applied now:


http://www.cvsrepository.org/cgi-bin/trac/xen-tools/chngview?cn=771

Steve
-- 





Bug#404518: fails to install ssh, libc6-xen: installDebianPackage fails with assert

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 04:15:57PM -0500, Joey Hess wrote:

> This happens with every call to installDebianPackage, because of line 81 of
> common.sh:
> 
> disableStartStopDaemon

  Yes.  Fixed in CVS already.  See #402889 for the original report.
 (I'll merge this one in.)

> I think it might be worth trying to get the fix for this into etch.
> domU's without ssh, module-init-tools, sudo, and libc6-xen are less than
> ideal.

  Indeed it is a very big irritation, however Etch doesn't have this
 problem since it contains the previous upstream release without this
 problem.

  Tomorrow I'll make a 3.1 release which will have fixes for the bugs
 you've reported today and those from Henning - it would be lovely to
 have that included in Etch but I'd suspect the chances aren't high.
 There are no important/release-critical bugs in the Etch package..

Steve
-- 





Bug#404516: insufficient checking for failure when creating disk image

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 04:01:23PM -0500, Joey Hess wrote:

> Notice, no errors, and it seemed to succeed, yet in fact no disk image was
> produced at all. I have to look in the xen-tools log to see that:

  This is a duplicate of #404455 reported earlier today.

  Fixed in upstream CVS here:

http://www.cvsrepository.org/cgi-bin/trac/xen-tools/chngview?cn=767

Steve
-- 





Bug#404521: --accounts does not copy over groups

2006-12-25 Thread Steve Kemp
On Mon, Dec 25, 2006 at 04:55:30PM -0500, Joey Hess wrote:

> I ran xen-create-image with the --accounts option, and it copied over my
> joey user to /etc/passwd and /etc/shadow, but failed to do so in
> /etc/group and /etc/gshadow.

  Fixed now, thanks.

  
http://www.cvsrepository.org/cgi-bin/trac/xen-tools/getfile/xen-tools/hooks/debian/35-setup-users

Steve
-- 





Bug#404603: no /etc/hosts for dhcp machines?

2006-12-26 Thread Steve Kemp
On Tue, Dec 26, 2006 at 04:21:50PM -0500, Joey Hess wrote:

> Why is /etc/hosts only set up for machines w/o dhcp?

  Because I rarely use DHCP ;)

> d-i sets up a basic
> hosts file for all machines. Machines with dhcp should still have the
> ipv6 stuff, and it makes sense for them to have a localhost entry as
> well. 

  Agreed.  I've added support now, so that DHCP hosts will receive
 a stub file.

> (There's also no particular reason why dhcp systems can't have static
> hostnames defined in /etc/hosts.)

  Sure but I figure if DHCP is being used then the local DNS 
 configuration is assumed to have local hosts ..

Steve
-- 





Bug#401834: weird warnings and checksums errors

2006-12-06 Thread Steve Kemp

> debsums: checksum mismatch xen-tools file 
> /usr/lib/xen-tools/edgy.d/20-setup-apt
> debsums: checksum mismatch xen-tools file 
> /usr/lib/xen-tools/edgy.d/30-disable-gettys
> 

  I guess this is caused because prior to this release the edgy.d +
 dapper.d were both symlinks pointing to ubuntu.

  I guess the preinst script should check for these being symlinks
 and delete them.  Radu?

Steve
-- 






Bug#401969: please build using hunspell

2006-12-09 Thread Steve Kemp
On Fri, Dec 08, 2006 at 10:32:50PM +0100, Mike Hommey wrote:

> How does the security team feel about having to rebuild iceape,
> iceweasel, icedove (you forgot to file a bug on icedove), OOo and enchant
> if there happens to be a security bug in hunspell ?

  In general having multiple packages needing a rebuild for a
 single security fix is a problem, and not something we'd like
 to have to deal with.

  (For a specific example think of the pdf/gs updates we had to
 make earlier in the year/last year.  Lots of different programs
 with very similar code which didn't always get spotted at the
 same time.)

  A more recent example would be the links + elinks updates.  Links
 was updated first then we updated elinks afterwards when we learnt
 there was shared code ..  (Obvious in retrospect, but if there are
 a lot of packages which would require a rebuild keeping track of
 all of them can be difficult; especially if we don't know about it
 in advance.)

Steve
-- 




Bug#402315: add no-install for people who want only config files generated

2006-12-09 Thread Steve Kemp

  I'm not sure this patch makes sense.  It seems to me that if you
 want to create the configuration file(s) only then you should instead
 invoke xt-create-xen-config directly - and not use xen-create-image
 at all.

  Unless you're suggesting that you want to use it in a situation where
 you want volumes/filesystems and configuration files created but have
 nothing installed in the guests?

  I can't imagine that is a terribly common requirement - so I'd be
 inclined to say it is unsupported unless you have a compelling
 argument...

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit






Bug#402328: #402328 - check --config file for existance

2006-12-09 Thread Steve Kemp

  The code already reads the file only if it exists:

   readConfigurationFile( $path ) if ( -e $path );

  That is the same as:

if ( -e $path ) { readConfigurationFile( $path ); }

  I think that aborting if the file doesn't exist is too strong
 a reaction.. so I'm inclined to ignore it!

Steve
-- 





Bug#402315: add no-install for people who want only config files generated

2006-12-09 Thread Steve Kemp

  OK .. I will add the option.

  And then we'll close this bug and the other almost-identical one!

  I'm glad the talk went well too!

Steve
-- 





Bug#402315: add no-install for people who want only config files generated

2006-12-09 Thread Steve Kemp

  See-also:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383057

Steve
-- 





Bug#402328: #402328 - check --config file for existance

2006-12-09 Thread Steve Kemp
On Sat, Dec 09, 2006 at 06:17:40PM +0100, Henning Sprang wrote:

> So, if a user gives --config with an unexisting file it is therefore
> very likely a typo, which the user wants to be warned as fast as
> possible. In this case, there's no use to run the install until the end
> with an unwanted configuration - the user wants to run again, with the
> right config file.

  OK you've persuaded me.  Patch applied.

Steve
-- 




Bug#401206: xen-tools: Please consider setting the kernel + initrd image at package-install time.

2006-12-01 Thread Steve Kemp
Package: xen-tools
Version: 2.9-2
Severity: wishlist
Tags: patch

*** Please type your report below this line ***

  Please consider adding a postinst file to automatically specify
 the Xen kernel and initrd image.

  The attached script is one potential solution, it won't work in 100%
 of cases however nothing will!

Steve
-- 

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.29-xen
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages xen-tools depends on:
ii  debootstrap   0.3.3.1Bootstrap a basic Debian system
ii  libtext-template-perl 1.44-1.1   Text::Template perl module
ii  perl-modules  5.8.8-6.1  Core Perl modules

Versions of packages xen-tools recommends:
pn  perl-doc   (no description available)
pn  reiserfsprogs  (no description available)
ii  rpmstrap  0.5.2-2bootstrap a basic RPM-based system
pn  xen-hypervisor (no description available)
pn  xfsprogs   (no description available)

-- no debconf information


#!/bin/sh
#
#  Attempt to setup the kernel= + initrd= lines in the xen-tools configuration
# file.
#
# Steve
# --


#
#  Find a kernel
#
kernel=` ls -1 /boot | grep ^vm  |grep -v syms| grep xen | head -n 1`

if [ ! -z "${kernel}" ]; then
  # it worked - update the configuration file.
  perl -pi.bak -e "s/^\s*kernel\s*=(.*)/kernel = \/boot\/${kernel}/" \
    /etc/xen-tools/xen-tools.conf
else
  # failed.  but the user can fixup.
  :
fi


#
# Find a ramdisk
#
ramdisk=` ls -1 /boot | grep ^init | grep xen | head -n 1`

if [ ! -z "${ramdisk}" ]; then
  # it worked - update the configuration file.
  perl -pi.bak -e "s/^\s*initrd\s*=(.*)/initrd = \/boot\/${ramdisk}/" \
    /etc/xen-tools/xen-tools.conf
else
   # failed.  user can fixup
   :
fi





Bug#396277: allows creating any file as root

2006-10-31 Thread Steve Kemp
On Mon, Oct 30, 2006 at 10:56:28PM +0100, Marco d'Itri wrote:

> By creating a /tmp/start_thttpd symlink a local attacker will be able to
> create/touch any file as root.

  Thanks for the report.  Once I get a CVE identifier allocated I'll
 handle an update for Sarge.

  Daniel if you have a preferred patch that would be appreciated,
 otherwise I'll come up with a solution and add it to this bug.

Steve
-- 





Bug#396277: allows creating any file as root

2006-10-31 Thread Steve Kemp

Daniel

  Please find attached the patch I'm going to use for the security
 update.

  Could you please apply it, or a comparable patch to the version
 in unstable and let us know which version will fix the problem?

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

[EMAIL PROTECTED]:/tmp$ interdiff thttpd_2.23beta1-3sarge1.diff  
thttpd_2.23beta1-3sarge2.diff
diff -u thttpd-2.23beta1/debian/changelog thttpd-2.23beta1/debian/changelog
--- thttpd-2.23beta1/debian/changelog
+++ thttpd-2.23beta1/debian/changelog
@@ -1,3 +1,11 @@
+thttpd (2.23beta1-3sarge2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix the insecure use of temporary files when invoked by logrotate.
+[CVE-2006-4248]
+
+ -- Steve Kemp <[EMAIL PROTECTED]>  Tue, 31 Oct 2006 17:49:34 +
+
 thttpd (2.23beta1-3sarge1) stable-security; urgency=high

   * Non-maintainer upload by the Security Team
diff -u thttpd-2.23beta1/debian/thttpd.logrotate 
thttpd-2.23beta1/debian/thttpd.logrotate
--- thttpd-2.23beta1/debian/thttpd.logrotate
+++ thttpd-2.23beta1/debian/thttpd.logrotate
@@ -4,15 +4,9 @@
 compress
 missingok
 delaycompress
-prerotate
-   if pidof thttpd 2>&1 > /dev/null; then
-   touch /tmp/start_thttpd
-   fi
-endscript
 postrotate
-   if [ -f /tmp/start_thttpd ]; then
+if [ -f /var/run/thttpd.pid ]; then
/etc/init.d/thttpd restart 2>&1 > /dev/null
-   rm -f /tmp/start_thttpd
fi
 endscript
 }
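
Review bot: in the postrotate block, the new test [ -f /var/run/thttpd.pid ] only shows that a pid file exists, not that thttpd is running, so a stale pid file left behind by a crash would start a daemon that was down before rotation; the removed prerotate used 'pidof thttpd' for that decision. Checking the process itself in postrotate (pidof, or kill -0 on the pid read from the file) keeps the old behaviour and still needs no state file in /tmp. Separately, the unchanged '2>&1 > /dev/null' on the restart line sends stderr to the original stdout rather than to /dev/null; '> /dev/null 2>&1' is the order that silences both.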



signature.asc
Description: Digital signature
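
The flag-file pattern that this update removes from thttpd's logrotate script, next to a pid-file check that keeps no state in /tmp, as an added example that is not part of the original message or of the thttpd package. The sandbox layout, the function names and the liveness test with kill -0 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thttpd package. Everything happens inside a
# private sandbox directory: "$box/tmp" stands in for the shared /tmp and
# "$box/etc" for a location that only root can normally write to.

# Pattern removed by the patch: remember state by touching a fixed, guessable
# name in a world-writable directory. touch opens the path it is given and
# follows symlinks, so whoever owns the name decides which file is created.
flag_in_shared_dir() {
    touch "$1/start_thttpd"
}

# Pattern introduced by the patch, tightened (assumption of this example):
# no state file at all. The restart decision comes from a pid file in a
# directory only root can write to, and the recorded pid must be numeric and
# belong to a live process.
daemon_running() {
    pidfile=$1
    # A regular file, not a link, so the answer cannot be redirected.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1
    pid=$(cat "$pidfile") || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 0 ] 2>/dev/null || return 1
    kill -0 "$pid" 2>/dev/null
}

# Constructed scenario. Prints "<old pattern> <stale pid file> <live pid file>".
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp" "$box/etc" "$box/run"

    # Constructed stand-in for a link that already exists before rotation.
    ln -s "$box/etc/created-as-root" "$box/tmp/start_thttpd"
    flag_in_shared_dir "$box/tmp"
    if [ -e "$box/etc/created-as-root" ]; then
        old=followed-link
    else
        old=contained
    fi

    # Stale pid file: the recorded process has already exited.
    ( : ) &
    dead=$!
    wait "$dead"
    echo "$dead" > "$box/run/thttpd.pid"
    if daemon_running "$box/run/thttpd.pid"; then stale=restart; else stale=skip; fi

    # Live pid file: this shell's own pid.
    echo "$$" > "$box/run/thttpd.pid"
    if daemon_running "$box/run/thttpd.pid"; then live=restart; else live=skip; fi

    rm -rf "$box"
    echo "$old $stale $live"
}

demo
```

On current Linux kernels the fs.protected_symlinks sysctl refuses to follow such a link in a sticky world-writable directory like /tmp when it belongs to another user, which is why the sandbox uses a plain directory to show the unprotected behaviour.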


Bug#390295: Still willing to adopt gnump3d?

2006-11-02 Thread Steve Kemp
Hi,

  Are you still intending to adopt the gnump3d package?

  If not I will make a new upload and set the maintainer to the QA team
 in the next day or two.

Steve
-- 





Bug#390822: Still willing to adopt dsniff?

2006-11-02 Thread Steve Kemp

Hi,

  Are you still interested in adopting, with sponsorship, dsniff?

  If not I will make a new upload with the maintainer set to QA
 over the next day or two.

  (I don't want to have the package be in the etch release with
 my name still on it, when I've given up maintaining packages.)

Steve
-- 





Bug#390822: Still willing to adopt dsniff?

2006-11-02 Thread Steve Kemp
On Thu, Nov 02, 2006 at 08:41:18AM -0300, Luciano Bello wrote:

> I has working in some bugs. Dun tell me that he will release a new version 
> (rewritten from scratch) in the next weeks. But, as you point, etch will be 
> release soon. 

  Great!

> So i will upload a new package in these days (maybe today). Do 
> you want to sponsor it?

  I'm afraid I cannot, but I'd be pleased if you could manage an
 upload shortly.

  I'm sure that the debian-mentors list would find you a sponsor
 fairly easily if you don't already have one.

Steve
-- 




Bug#397784: xen-tools: xen-create-image fetches libc6-xen from ftp.debian.org

2006-11-15 Thread Steve Kemp
On Thu, Nov 09, 2006 at 02:53:13PM +0100, Thomas P??hnitzsch wrote:

> The mirror defined in /etc/xen-tools/xen-tools.conf is ignored when
> xen-create-image installs libc6-xen.
> 
> Thus the installation of libc6-xen should probably be moved to the hook
> 20-setup-apt, just after the "apt-get update" call.
> 

  Thanks.  Fixed in upstream CVS now.

Steve
-- 




Bug#398769: xen-tools: reports --untar as option

2006-11-15 Thread Steve Kemp
On Wed, Nov 15, 2006 at 12:59:02PM +, Neil Wilson wrote:

> -   --untar file.tar  =  Install by untarring the given file.
> +   --tar file.tar  =  Install by untarring the given file.

  Thanks.  Applied to upstream CVS now.

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Bug#397933: xen-tools: don't run disable-tls on amd64

2006-11-15 Thread Steve Kemp
On Fri, Nov 10, 2006 at 03:33:09PM +0100, Miquel van Smoorenburg wrote:

> If you run a 64 bit xen dom0/domU, the disable-tls script should not be run.
> The TLS issue doesn't exist on a 64 bit kernel, not even on 32 bit
> userland (--arch i386). Disabling TLS cripples libpthread.

  Fixed in upstream CVS.  Thanks for the report.

Steve
-- 




Bug#398936: libapache2-mod-ifier: The module breaks POST processing

2006-11-16 Thread Steve Kemp
Package: libapache2-mod-ifier
Version: 0.8-2
Severity: grave
Justification: renders package unusable


  This module, when installed and enabled, breaks all processing of
 POST requests.

  It should be removed from Etch until it can be updated to work
 correctly.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-486
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages libapache2-mod-ifier depends on:
ii  apache2.2-common 2.2.3-3.1   Next generation, scalable, extenda
ii  libc62.3.6.ds1-8 GNU C Library: Shared libraries

libapache2-mod-ifier recommends no packages.

-- no debconf information





Bug#399778: xen-create-image should avoid perl warnings about missing locale

2006-11-22 Thread Steve Kemp
On Tue, Nov 21, 2006 at 11:50:06PM +0100, Petter Reinholdtsen wrote:

> xen-create-image should unset the current locale (or set it to the C
> locale), to avoid a lot of warnings from perl when installing
> packages.

  True.   But I've always figured if the caller was setup the
 appropriate locale would be inherited.

> I recommend setting environment variable 'LC_ALL' to 'C' at the start
> of the xen-create-image script to avoid this problem.

  Fixed in CVS now, thanks for the report.

Steve
-- 




Bug#399705: distribution in config file should be etch and debootstrap should be set

2006-11-22 Thread Steve Kemp
On Tue, Nov 21, 2006 at 06:00:43PM +0100, Henning Sprang wrote:

> It's enough to do it in the debian package. Or, better, in conjunction
> with the distribution setting above. Because, in conjunction with etch
> as distribution, only copying would also make sense, rpmstrap would not
> be right - but before you can create an image with copying, you need to
> make one with debootstrap.

  Well to be fair the copy/tar options make a lot of sense when you
 have other pre-made distributions regardless of where they come
 from.  So they don't necessarily imply that you've previously used
 debootstrap.

> I think when these are set in the config, the only missing option is the
> hostname.

  + lvm/dir + networking options.   But yes I mostly agree.

Steve
-- 




Bug#399708: --mac option should be mentioned in manpage

2006-11-22 Thread Steve Kemp
On Tue, Nov 21, 2006 at 03:24:57PM +0100, Henning Sprang wrote:
> package: xen-tools
> version: 2.8-2
> 
> The --mac option is not mentioned in the man page

  Fixed in CVS, thanks for the report.

Steve
-- 




Bug#295401: gnump3d-index dies on uninitialised numeric value in a less-than operation

2005-02-15 Thread Steve Kemp
On Tue, Feb 15, 2005 at 04:15:27PM +, James Cummings wrote:
> Package: gnump3d
> Version: 2.9-1
> Severity: normal
> 
> 
> cron.daily gives me this every day:
> 
> /etc/cron.daily/gnump3d:
> Use of uninitialized value in numeric lt (<) at
> /usr/bin/gnump3d-index line 391.
> 
> which means my mp3s aren't indexed properly.  

  If you run the program manually after changing /usr/bin/gnump3d-index
 lines 390ish from:

--- original code ---
#
# Skip file if it's 0-bytes.  Dunno why people
# would want to do this, but I've had reports..
#
my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
$atime,$mtime,$ctime,$blksize,$blocks);

($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
 $atime,$mtime,$ctime,$blksize,$blocks) = stat($file);
next if ( $size < 1 );
--- end original code --


  to this:


--- new code to test ---
#
# Skip file if it's 0-bytes.  Dunno why people
# would want to do this, but I've had reports..
#
my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
$atime,$mtime,$ctime,$blksize,$blocks);

($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,
 $atime,$mtime,$ctime,$blksize,$blocks) = stat($file);
next if not defined $size;
next if ( $size < 1 );
--- end new code to test ---

  (We added another line 'next if not defined $size;')

  I think that should fix it, however I'm confused why the $size
 variable would be undefined.

  Are you sure the user who gnump3d is running as has permission
 to read (and stat) all the files beneath your root?

Steve
--





Bug#295556: FWD: [SECURITY] [DSA 684-1] New typespeed packages fix arbitrary group games code execution

2005-02-16 Thread Steve Kemp
On Wed, Feb 16, 2005 at 06:53:07PM +, Dafydd Harries wrote:

> > Filing this bug to track the security hole in the DSA below. Apparently
> > a fix for unstable has not yet been uploaded.
> 
> Since I don't have a copy of the original security patch, I tried to
> extract the changes by interdiffing the fixed stable version with the
> latest unstable version. The changes to network.c and typespeed.c apply
> cleanly, but the changes to file.c don't. I'm working on resolving those
> conflicts.
> 
> Note, however, that my time and Internet access are limited this week,
> and I won't be back home until next Monday, so it may be best for a fix
> to be NMUd.

  I can make one tomorrow if that would be useful?

Steve
--





debian-bugs-dist@lists.debian.org

2005-01-11 Thread Steve Kemp
Package: trackballs
Version: 1.0.0-6
Severity: normal
Tags: patch, sarge

  There are three unchecked buffer overflows in the code I missed
 last time round (#184478)

  They are:

1.  Unchecked use of $TRACKBALLS
2.  Overflow on command line parameter (-e)
3.  Overflow on command line parameter (-l)

  Patch below should be sufficient to close them up.

Steve

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages trackballs depends on:
ii  guile-1.6-libs  1.6.4-4  Main Guile libraries
ii  libc6   2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libgcc1 1:3.4.3-6GCC support library
ii  libguile-ltdl-1 1.6.7-1  Guile's patched version of libtool
ii  libqthreads-12  1.6.7-1  QuickThreads library for Guile
ii  libsdl-image1.2 1.2.3-6  image loading library for Simple D
ii  libsdl-mixer1.2 1.2.5-9  mixer library for Simple DirectMed
ii  libsdl-ttf2.0-0 2.0.6-5  ttf library for Simple DirectMedia
ii  libsdl1.2debian 1.2.7+1.2.8cvs20041007-3 Simple DirectMedia Layer
ii  libstdc++5  1:3.3.5-5The GNU Standard C++ Library v3
ii  trackballs-data 1.0.0-6  Data files for trackballs
ii  xlibmesa-gl [li 4.3.0.dfsg.1-10  Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu [l 4.3.0.dfsg.1-10  Mesa OpenGL utility library [XFree
ii  zlib1g  1:1.2.2-4compression library - runtime

-- no debconf information



--- mmad.cc-orig2005-01-11 23:07:43.0 +
+++ mmad.cc 2005-01-11 23:08:30.0 +
@@ -166,7 +166,7 @@
  print_usage (stdout, 0);
case 'e':
  editMode = 1;
- sprintf(Settings::settings->specialLevel,"%s",optarg);
+ 
snprintf(Settings::settings->specialLevel,sizeof(Settings::settings->specialLevel)-1,"%s",optarg);
  Settings::settings->doSpecialLevel=1;
  break;
case 't':
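
Review bot: on the 'e' case, sizeof(Settings::settings->specialLevel) is only the buffer length if specialLevel is declared as a char array; if it is a char pointer the bound silently becomes the size of a pointer, so the declaration should be checked or a named length constant used instead. snprintf already reserves room for the terminating NUL inside the size it is given, so the -1 is not needed and just gives up one byte of the buffer.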
@@ -175,7 +175,7 @@
  audio=0; // no audio
  break;
case 'l':
- sprintf(Settings::settings->specialLevel,"%s",optarg);
+ 
snprintf(Settings::settings->specialLevel,sizeof(Settings::settings->specialLevel)-1,"%s",optarg);
  Settings::settings->doSpecialLevel=1;
  break;
case 'w': settings->is_windowed=1;  break;
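
Review bot: on the 'l' case, an over-long level name is now cut short without any message and doSpecialLevel is still set to 1, so the game carries on with a name the user did not type. Comparing the snprintf return value with the buffer size and rejecting the option when it does not fit would make that visible; the identical call appears under 'e', so a small helper would keep the two sites in step.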
@@ -397,7 +397,7 @@
   effectiveShareDir[0]=0;
   /* From environment variable */
   char *evar=getenv("TRACKBALLS"); 
-  if(evar && strlen(evar) > 0) sprintf(effectiveShareDir,"%s",evar);
+  if(evar && strlen(evar) > 0) 
snprintf(effectiveShareDir,sizeof(effectiveShareDir)-1,"%s",evar);
   //printf("Looking for %s\n", effectiveShareDir);
   if(!testDir()) { 
char thisDir[256];
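
Review bot: for the TRACKBALLS value, truncation means testDir() is then run against a shortened path, which can name a different directory from the one the user set. Treating a value that does not fit in effectiveShareDir as unset, by checking the snprintf return value and putting effectiveShareDir[0] back to 0, would let the lookup continue with the fallback that starts at if(!testDir()).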





Bug#289784: [Debian-audit] xshisen (again)

2005-01-12 Thread Steve Kemp
On Wed, Jan 12, 2005 at 02:00:46PM -0500, Grzegorz B. Prokopski wrote:

> > >   That's an .. unlikely .. bug to occur in practise.  I guess only
> > >  root can modify the GECOS field.
> > 
> > No, you can use the chfn command to change all data in your own GECOS field
> > except your real name. The command checks the length of all data, so you
> > probably can't use it for this attack (it might be possible to enter the
> > maximum amount in each field and make it reach 160 bytes that way). There 
> > are
> > other systems that will let you edit your GECOS field, like webmin (I think)
> > and more.
> > 
> > It's not a really serious bug, but IMHO worth fixing.
> 
> I do not have my new GPG key signed yet (sigh) so I am in no position to
> perform an upload.  Could somebody please apply the fix and NMU?

  I will do so tomorrow if nobody else beats me to it.

Steve
--





Bug#298060: (forw) Bug#298060: Please don't install login as setuid root

2005-03-05 Thread Steve Kemp
On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> Security and release teams, may I have your advice about this suggestion?
> 
> As you may know, I currently act as maintainer for the shadow package,
> but I'm also aware of my own weaknesses when it comes at security (and
> security-related) issues so I prefer getting the advice of more
> competent people.
> 
> Given that installing login non setuid has been blessed for Ubuntu,
> I'm inclined to follow the suggestion, but doing so close to a release
> is maybe not wise.so I'm seeking for advices..:-)

  I see no reason not to follow the suggestion, for what that opinion
 is worth ..

Steve
--





Bug#298573: O: checksecurity -- basic system security checks

2005-03-08 Thread Steve Kemp
Package: wnpp
Severity: normal


 I intend to orphan the checksecurity package, honestly I've done a bad
 job of looking after it.  It deserves a better keeper and I've not had
 much success at getting a co-maintainer for it.


The package description is:
 Checksecurity does some very basic system security checks, such as
 looking for changes in which programs have setuid permissions, and that
 remote filesystems are not allowed to have runnable setuid programs.
 .
 Note that these are not to be considered in any way complete, and
 you should not rely on checksecurity to actually provide any useful
 information concerning the security or vulnerability of your system.
 .
 The lockfile-progs package is only a "Suggests" because of the poor
 way that dselect handles "Recommends", but I do strongly suggest that
 you install it; it prevents /etc/cron.daily/standard from running multiple
 times if something gets jammed.
 .
 Checksecurity was previously part of the cron package.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)





Bug#295401: User error.

2005-02-19 Thread Steve Kemp

  After private dialog this turned out to be a local error with
 the machine setup - and not a bug in the application.

  I'm closing it now.

Steve
--





Bug#296326: gnocatan-client: Crash after trading fails.

2005-02-21 Thread Steve Kemp
Package: gnocatan-client
Version: 0.8.1.53-1
Severity: normal


  Sometimes when trading the 'finish' button becomes grayed out,
 making it impossible to dismiss the trading view.

  The game can continue with both the map and the game board
 active - using the finish button to complete my turn leaves
 me with both the game board and the trading tab active.
 
  If at any subsequent point in the game I click the trade
 button / keypress the game quits.
 
  No significant output appears when the finish button becomes
 unusable.  At the point the client crashes I see this in the
 launching terminal:

  ** ERROR **: file quoteinfo.c: line 33 (quotelist_new): assertion
  failed: (*list == NULL)

  Definitely an upstream bug, but hard to reproduce.

Steve

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages gnocatan-client depends on:
ii  libart-2.0-2 2.3.17-1Library of functions for 2D graphi
ii  libatk1.0-0  1.8.0-4 The ATK accessibility toolkit
ii  libbonobo2-0 2.8.1-2 Bonobo CORBA interfaces library
ii  libbonoboui2-0   2.8.1-1 The Bonobo UI library
ii  libc62.3.2.ds1-20GNU C Library: Shared libraries an
ii  libgconf2-4  2.8.1-4 GNOME configuration database syste
ii  libglib2.0-0 2.6.2-1 The GLib library of C routines
ii  libgnome2-0  2.8.0-6 The GNOME 2 library - runtime file
ii  libgnomecanvas2-02.8.0-1 A powerful object-oriented display
ii  libgnomeui-0 2.8.0-3 The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0   2.8.3-11The GNOME virtual file-system libr
ii  libgtk2.0-0  2.6.2-3 The GTK+ graphical user interface 
ii  libice6  4.3.0.dfsg.1-10 Inter-Client Exchange library
ii  liborbit21:2.10.5-0.1libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-01.8.0-3 Layout and rendering of internatio
ii  libpopt0 1.7-5   lib for parsing cmdline parameters
ii  libsm6   4.3.0.dfsg.1-10 X Window System Session Management
ii  libxml2  2.6.16-3GNOME XML library
ii  xlibs4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii  zlib1g   1:1.2.2-4   compression library - runtime

-- no debconf information




