Bug#818908: jessie-pu: package dpkg/1.17.27
Hi! On Wed, 2016-03-23 at 20:52:04 +0100, Julien Cristau wrote: > On Mon, Mar 21, 2016 at 16:49:35 +0100, Guillem Jover wrote: > > diff --git a/man/dpkg.1 b/man/dpkg.1 > > index 4e9f7a3..fb6c43e 100644 > > --- a/man/dpkg.1 > > +++ b/man/dpkg.1 > > @@ -694,8 +694,9 @@ Sent just before a processing stage starts. \fIstage\fR > > is one of > > .TP > > \fB\-\-status\-logger\fR=\fIcommand\fR > > Send machine-readable package status and progress information to the > > -shell \fIcommand\fR's standard input. This option can be specified > > -multiple times. The output format used is the same as in \fB\-\-status\-fd. > > +shell \fIcommand\fR's standard input, to be run via \*(lqsh \-c\*(rq. > > +This option can be specified multiple times. > > +The output format used is the same as in \fB\-\-status\-fd. > > .RE > > .TP > > \fB\-\-log=\fP\fIfilename\fP > > @@ -739,7 +740,7 @@ temporary files and directories. > > The program \fBdpkg\fP will execute when displaying the conffiles. > > .TP > > .B SHELL > > -The program \fBdpkg\fP will execute when starting a new shell. > > +The program \fBdpkg\fP will execute when starting a new interactive shell. > > .TP > > .B COLUMNS > > Sets the number of columns \fBdpkg\fP should use when displaying formatted > > This change regresses translations. As it's essentially a clarification > rather than a fix to the previous text, wouldn't it be better to leave > the text as-is so as not to invalidate existing translations? I always hesitate with string changes, as PO files are designed to cope with this gracefully, but in this case I guess it's indeed probably not worth it. So I've removed them and rerolled the release. Attached the new patch. Thanks, Guillem dpkg-1.17.26-1.17.27.debdiff.xz Description: application/xz
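Review bot: in the first man/dpkg.1 hunk (the --status-logger entry), the rewrapped last line still reads "\fB\-\-status\-fd." with no closing \fR, so the bold run is never explicitly closed before the full stop; as the line is being touched anyway, ending it "\fB\-\-status\-fd\fR." would fix that. The added "to be run via sh -c" wording is the security-relevant part of the hunk, and it could go one step further and say that the command string is parsed by the shell, so anything interpolated into it needs quoting.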
Bug#818906: wheezy-pu: package dpkg/1.16.18
Hi!

On Wed, 2016-03-23 at 18:07:46 +0100, Guillem Jover wrote:
> On Mon, 2016-03-21 at 16:36:16 +0100, Guillem Jover wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: wheezy
> > User: release.debian@packages.debian.org
> > Usertags: pu
> >
> > Here's a proposed dpkg 1.16.18, with cherry picked fixes from master
> > (already in unstable). These include fixes for regressions, memory leaks,
> > segmentation faults, portability and interaction with tools such as
> > GNU tar or the system shell.
> >
> > The change for Config-Version should be safe, as at worst it will have
> > no effect, otherwise packages relying on the correct behavior will
> > start to work now.
> >
> > The «git log» fix is not yet in master though, but it should also be safe,
> > otherwise the build would simply fail. And I've just realized it's not
> > documented in debian/changelog, it will be in the ChangeLog, but I could
> > add it to debian/changelog too.
> >
> > The changes have passed all unit tests which are part of the build,
> > and all functional test in the dpkg-tests git repo. Attached a diff
> > with translation updates filtered.
>
> The same reply as the one for jessie applies here. I've also taken out
> the git log fix here, and I'm attaching the compressed full diff. Let
> me know if anything else needs clarification, etc.

Same as for the 1.17.x release, I've removed the string changes in the
man page and rerolled the release. Attached the new patch.

Thanks,
Guillem

dpkg-1.16.17-1.16.18.debdiff.xz
Description: application/xz
NEW changes in stable-new
Processing changes file: postgresql-common_165+deb8u1_amd64.changes REJECT
Bug#819243: jessie-pu, wheezy-pu: package librsvg/2.40.5-1 and librsvg/2.36.1-2
Control: tags -1 + pending

On Sat, 2016-03-26 at 23:58 +0100, Santiago Ruano Rincón wrote:
> On 25/03/16 at 13:58, Adam D. Barratt wrote:
> ...
> >
> > On Fri, 2016-03-25 at 14:49 +0100, Santiago Ruano Rincón wrote:
[...]
> > > Please consider the following debdiffs to fix librsvg's CVE-2015-7557
> > > for Jessie and Wheezy. This is a no-dsa bug, that could fit a point
> > > release. It applies the following simple patch, that upstream proposed
> > > against 2.40.6.
> >
> > Please go ahead.
> >
>
> Thanks. Packages uploaded.

Both flagged for acceptance.

Regards,

Adam
Processed: Re: Bug#819243: jessie-pu, wheezy-pu: package librsvg/2.40.5-1 and librsvg/2.36.1-2
Processing control commands:

> tags -1 + pending
Bug #819243 [release.debian.org] jessie-pu: package librsvg/2.40.5-1
Added tag(s) pending.

--
819243: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819243
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#819243: jessie-pu, wheezy-pu: package librsvg/2.40.5-1 and librsvg/2.36.1-2
Processing control commands:

> tags -1 + pending
Bug #819244 [release.debian.org] wheezy-pu: package librsvg/2.36.1-2
Added tag(s) pending.

--
819244: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#819326: jessie-pu: package postgresql-common/165+deb8u1
Processing control commands:

> tags -1 + pending
Bug #819326 [release.debian.org] jessie-pu: package postgresql-common/165+deb8u1
Added tag(s) pending.

--
819326: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819326
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#819326: jessie-pu: package postgresql-common/165+deb8u1
Control: tags -1 + pending

On Sat, 2016-03-26 at 22:19 +, Adam D. Barratt wrote:
> The upload appears to have acquired some cruft:
>
> 165+deb8u1.diff | 82
> [...]
> tags | 263
> ++

It was re-uploaded without the cruft, and I've flagged that version for
acceptance.

Regards,

Adam
NEW changes in oldstable-new
Processing changes file: librsvg_2.36.1-2+deb7u1_amd64.changes ACCEPT
NEW changes in stable-new
Processing changes file: chromium-browser_49.0.2623.108-1~deb8u1_i386.changes ACCEPT
Processing changes file: chromium-browser_49.0.2623.108-1~deb8u1_amd64.changes ACCEPT
Processing changes file: librsvg_2.40.5-1+deb8u1_amd64.changes ACCEPT
Processing changes file: postgresql-common_165+deb8u1_amd64.changes ACCEPT
Bug#819362: wheezy-pu: package gtk+3.0/3.4.2-7+deb7u1
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update gtk+3.0 in wheezy to fix CVE-2013-7447.patch with the attached debdiff. Wheezy is currently the only unfixed gtk+3.0 version.

Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog index 999a883..37c3d67 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +gtk+3.0 (3.4.2-7+deb7u1) oldstable-proposed-updates; urgency=medium + + * Non-maintainer upload. + * CVE-2013-7447.patch: Avoid integer overflow when allocating a large block +of memory in gdk_cairo_set_source_pixbuf (Closes: #818090) + + -- Guido Günther Sun, 13 Mar 2016 16:22:28 +0100 + gtk+3.0 (3.4.2-7) stable; urgency=low [ Raphaël Geissert ] diff --git a/debian/patches/CVE-2013-7447.patch b/debian/patches/CVE-2013-7447.patch new file mode 100644 index 000..cb851a2 --- /dev/null +++ b/debian/patches/CVE-2013-7447.patch 
@@ -0,0 +1,24 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= +Date: Sun, 13 Mar 2016 15:38:37 +0100 +Subject: CVE-2013-7447 + +Cherry-pick of upstream commit + +https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6 +--- + gdk/gdkcairo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gdk/gdkcairo.c b/gdk/gdkcairo.c +index 19bed04..2e1d8dc 100644 +--- a/gdk/gdkcairo.c b/gdk/gdkcairo.c +@@ -213,7 +213,7 @@ gdk_cairo_set_source_pixbuf (cairo_t *cr, + format = CAIRO_FORMAT_ARGB32; + + cairo_stride = cairo_format_stride_for_width (format, width); +- cairo_pixels = g_malloc (height * cairo_stride); ++ cairo_pixels = g_malloc_n (height, cairo_stride); + surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels, + format, + width, height, cairo_stride); diff --git a/debian/patches/series b/debian/patches/series index e9942cf..866e6e9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -15,3 +15,4 @@ 074_try-harder-to-discriminate-Shift-F10-and-F10.patch 075_gtkplug-fix-handling-of-key-events-for-layouts.patch 076_check_wm_supports_hint.patch +CVE-2013-7447.patch
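Review bot: in the gdk/gdkcairo.c hunk carried inside debian/patches/CVE-2013-7447.patch, the value returned by cairo_format_stride_for_width() is still handed to the allocator unchecked, and g_malloc_n (height, cairo_stride) handles an overflowing product by aborting the process, so what the patch buys is a controlled abort in place of an undersized buffer, not a recoverable error. That matches the upstream commit being cherry-picked and is reasonable for a minimal oldstable update, but the changelog line "Avoid integer overflow when allocating a large block of memory" would be more accurate if it said the overflow is now detected and fatal. The patch header would also benefit from a Bug-Debian reference to #818090 next to the upstream commit URL.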
NEW changes in stable-new
Processing changes file: librsvg_2.40.5-1+deb8u1_amd64.changes REJECT
Processing changes file: librsvg_2.40.5-1+deb8u1_arm64.changes ACCEPT
Processing changes file: librsvg_2.40.5-1+deb8u1_armel.changes ACCEPT
Processing changes file: librsvg_2.40.5-1+deb8u1_armhf.changes ACCEPT
Processing changes file: librsvg_2.40.5-1+deb8u1_i386.changes ACCEPT
Processing changes file: librsvg_2.40.5-1+deb8u1_mips.changes ACCEPT
Processing changes file: librsvg_2.40.5-1+deb8u1_powerpc.changes ACCEPT
Processing changes file: librsvg_2.40.5-1+deb8u1_ppc64el.changes ACCEPT
Processing changes file: librsvg_2.40.5-1+deb8u1_s390x.changes ACCEPT
NEW changes in oldstable-new
Processing changes file: librsvg_2.36.1-2+deb7u1_armel.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_armhf.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_i386.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_ia64.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_kfreebsd-amd64.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_kfreebsd-i386.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_mips.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_mipsel.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_powerpc.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_s390.changes ACCEPT
Processing changes file: librsvg_2.36.1-2+deb7u1_s390x.changes ACCEPT
NEW changes in stable-new
Processing changes file: librsvg_2.40.5-1+deb8u1_mipsel.changes ACCEPT
NEW changes in oldstable-new
Processing changes file: librsvg_2.36.1-2+deb7u1_sparc.changes ACCEPT
Bug#810882: jessie-pu: package gnome-shell-extension-weather/0~20151125.gitccaa1eb-1~deb8u1
On Wednesday 23 March 2016 at 20:29 +, Adam D. Barratt wrote:
> On Wed, 2016-01-13 at 11:07 +0100, Sébastien Villemot wrote:
> >
> > I'd like to push a new upstream release of gnome-shell-extension-weather
> > in jessie.

[...]

> Assuming that the resulting package has been tested in Jessie, please
> go ahead.

Indeed this upstream version has been tested in Jessie, and has been in
a long time in Stretch.

Package uploaded.

Thanks,

--
 .''`.    Sébastien Villemot
: :' :    Debian Developer
`. `'     http://sebastien.villemot.name
  `-      GPG Key: 4096R/381A7594

signature.asc
Description: This is a digitally signed message part
NEW changes in stable-new
Processing changes file: gnome-shell-extension-weather_0~20151125.gitccaa1eb-1~deb8u1_amd64.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_allonly.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_amd64.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_arm64.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_armel.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_armhf.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_i386.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_mips.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_mipsel.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_powerpc.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_ppc64el.changes ACCEPT
Processing changes file: quagga_0.99.23.1-1+deb8u1_s390x.changes ACCEPT
NEW changes in oldstable-new
Processing changes file: quagga_0.99.22.4-1+wheezy2_amd64.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_armel.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_armhf.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_i386.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_ia64.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_mips.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_mipsel.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_powerpc.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_s390.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_s390x.changes ACCEPT
Processing changes file: quagga_0.99.22.4-1+wheezy2_sparc.changes ACCEPT
Processed: Re: Bug#810882: jessie-pu: package gnome-shell-extension-weather/0~20151125.gitccaa1eb-1~deb8u1
Processing control commands:

> tags -1 + pending
Bug #810882 [release.debian.org] jessie-pu: package gnome-shell-extension-weather/0~20151125.gitccaa1eb-1~deb8u1
Added tag(s) pending.

--
810882: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810882
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#810882: jessie-pu: package gnome-shell-extension-weather/0~20151125.gitccaa1eb-1~deb8u1
Control: tags -1 + pending

On Sun, 2016-03-27 at 20:00 +0200, Sébastien Villemot wrote:
> On Wednesday 23 March 2016 at 20:29 +, Adam D. Barratt wrote:
> > On Wed, 2016-01-13 at 11:07 +0100, Sébastien Villemot wrote:
> > >
> > > I'd like to push a new upstream release of gnome-shell-extension-weather
> > > in jessie.
>
> [...]
>
> > Assuming that the resulting package has been tested in Jessie, please
> > go ahead.
>
> Indeed this upstream version has been tested in Jessie, and has been in
> a long time in Stretch.
>
> Package uploaded.

Flagged for acceptance.

Please don't rely on getting uploads accepted at this stage of the point
release process in general.

Regards,

Adam
Bug#819409: jessie-pu: package: torbrowser-launcher/0.1.9-1+deb8u3
package: release.debian.org
tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
x-debbugs-cc: pkg-privacy-maintain...@lists.alioth.debian.org

Dear release team,

(this mail is probably more complicated than the changes proposed…)

please accept torbrowser-launcher 0.1.9-1+deb8u3 into the upcoming point release to prevent breakage when www.tor-project.org changes its ssl certificate (which is valid til May 3rd 2016, so this is very likely to happen between the coming pointrelease and the one after…).

The patches addressing this issue are 0012, 0012a and 0014. Patch 0012a just disables the certificate checking code, the upstream solution (present in stretch and sid) actually removes the related code, but as the code has changed quite a bit since then I felt this was safer this way. Patch 0012 adds a safeguard against replay attacks (where old versions with valid gpg signatures are presented by an attacker controlling the download host for torbrowser itself) and patch 0014 is an improvement for 0012. (The github issue referenced in debian/changelog explains this in even more detail if you are interested.)

0011 is not strictly needed but very nice to have and a simple oneliner.

0013 prevents a gpg signature verification attack (and is a one line change too.)

https://jenkins.debian.net/view/torbrowser/job/torbrowser-launcher_test_on_jessie_amd64_from_git_branch_debian_jessie_proposed/5 successfully shows this version being used.
  * Add these patches backported from 0.2.3-1 and 0.2.4-1:
    - 0011-Fix-issue-with-detecting-language-fixes-220.patch
      to fix issue with detecting language (Closes: #753173)
    - 0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch
    - 0012a-Remove-certificate-pinning--github-issue-224.patch
      to avoid issues with upcoming certificate change, thus the minimum
      Tor Browser version was hard-coded in the release (Closes: #811499)
      For more info on patch 0012 and 0012a see
      https://github.com/micahflee/torbrowser-launcher/issues/229
    - 0013-Prevent-signature-verification-attack-by-passing-bot.patch
      fixing CVE-2016-3180, for more info see
      https://github.com/micahflee/torbrowser-launcher/issues/229
    - 0014-Prevent-attempts-at-directory-traversal-attacks-even.patch
      This is an improvement for patch 0012.
    - 0099-Bump-version-to-0.1.9-deb8u3.patch to bump version to 0.1.9+deb8u3
      in share/torbrowser-launcher/version.

The full debdiff compared to the version in stable is attached.

Thanks for your work on stable! (And apologies for not uploading earlier, I got drafted into an unexpected lot of dc17 work (no typo)…)

--
cheers,
	Holger

diff -Nru torbrowser-launcher-0.1.9/debian/changelog torbrowser-launcher-0.1.9/debian/changelog --- torbrowser-launcher-0.1.9/debian/changelog 2016-01-16 07:55:58.0 -0500 +++ torbrowser-launcher-0.1.9/debian/changelog 2016-03-28 01:33:06.0 -0400 
@@ -1,3 +1,24 @@ +torbrowser-launcher (0.1.9-1+deb8u3) jessie; urgency=medium + + * Add these patches backported from 0.2.3-1 and 0.2.4-1: +- 0011-Fix-issue-with-detecting-language-fixes-220.patch + to fix issue with detecting language (Closes: #753173) +- 0012-Fail-to-launch-Tor-Browser-if-its-version-is-earlier.patch +- 0012a-Remove-certificate-pinning--github-issue-224.patch + to avoid issues with upcoming certificate change, thus the minimum + Tor Browser version was hard-coded in the release (Closes: #811499) + For more info on patch 0012 and 0012a see + https://github.com/micahflee/torbrowser-launcher/issues/229 +- 0013-Prevent-signature-verification-attack-by-passing-bot.patch + fixing CVE-2016-3180, for more info see + https://github.com/micahflee/torbrowser-launcher/issues/229 +- 0014-Prevent-attempts-at-directory-traversal-attacks-even.patch + This is an improvement for patch 0012. +- 0099-Bump-version-to-0.1.9-deb8u3.patch to bump version to 0.1.9+deb8u3 + in share/torbrowser-launcher/version. + + -- Holger Levsen Mon, 28 Mar 2016 01:33:03 -0400 + torbrowser-launcher (0.1.9-1+deb8u2) jessie; urgency=medium * Dedicated to the memory of Ian Murdock. diff -Nru torbrowser-launcher-0.1.9/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch torbrowser-launcher-0.1.9/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch --- torbrowser-launcher-0.1.9/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch 1969-12-31 19:00:00.0 -0500 +++ torbrowser-launcher-0.1.9/debian/patches/0011-Fix-issue-with-detecting-language-fixes-220.patch 2016-03-27 17:27:25.0 -0400 @@ -0,0 +1,25 @@ +From 7c896725304574052f3320d253c9c17c9794cd57 Mon Sep 17 00:00:00 2001 +From: Micah Lee +Date: Tue, 1 Mar 2016 13:14:15 +0100 +Subject: [PATCH] Fix issue with detecting language (fixes #220) + +--- + torbrowser_launcher/common.py | 2 +- + 1 file changed, 1 insertion(+), 1 del
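Review bot: in the debian/changelog hunk, the entry for 0012a says only that it avoids "issues with upcoming certificate change"; since the patch name shows it removes certificate pinning, the changelog should say so outright and state that the hard-coded minimum Tor Browser version from 0012 is what guards against old releases afterwards. The patch file name cites github issue 224 while the text points to issue 229 for 0012 and 0012a and again for 0013 (CVE-2016-3180), so the references are worth double-checking, and the minimum version that was hard-coded is not given anywhere in the entry.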
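The downgrade safeguard described for patches 0012 and 0014 in the torbrowser-launcher request above, sketched as an added example; this is not the launcher's code or the content of those patches. The minimum version value, all function names and the file-name layout are assumptions made for illustration.

```python
import re

# Assumption: a floor baked into the packaged launcher; the value is constructed.
MIN_TBB_VERSION = "5.5.2"

# Plain dotted numeric versions only, so the string is safe to embed in a file name.
_VERSION_RE = re.compile(r"[0-9]{1,4}(\.[0-9]{1,4}){1,3}")


class RefusedVersion(Exception):
    """The offered version must not be downloaded or launched."""


def parse_version(text):
    """Turn '5.10.1' into (5, 10, 1, 0); reject anything that is not dotted digits."""
    if not isinstance(text, str) or not _VERSION_RE.fullmatch(text):
        raise RefusedVersion("malformed version string: %r" % (text,))
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def check_offered_version(offered, minimum=MIN_TBB_VERSION):
    """Return the validated version string, or raise RefusedVersion.

    A valid signature proves who built a tarball, not that it is current,
    so the floor is enforced separately from signature verification.
    """
    if parse_version(offered) < parse_version(minimum):
        raise RefusedVersion("%s is older than the minimum %s" % (offered, minimum))
    return offered


def tarball_name(offered, arch="linux64", lang="en-US"):
    """Build the file name only from a version that passed validation."""
    version = check_offered_version(offered)
    return "tor-browser-%s-%s_%s.tar.xz" % (arch, version, lang)


def is_refused(offered):
    """True when the launcher should stop instead of fetching this version."""
    try:
        check_offered_version(offered)
    except RefusedVersion:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: current, numerically newer, replayed old release, traversal attempt.
    for candidate in ["5.5.4", "5.10", "4.0.8", "5.5.4/../../4.0.8"]:
        print(candidate, "refused" if is_refused(candidate) else "accepted")
```

Comparing integer tuples rather than strings is what keeps "5.10" newer than "5.9.9", and validating before the string reaches any path or URL is what stops a crafted version from steering the download to an older file.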