Bug#933595: marked as done (transition: pkg-js-tools)
Your message dated Tue, 6 Aug 2019 09:39:53 +0200 with message-id <83e5c5c6-38a7-a0e1-d6ec-43016631d...@debian.org> and subject line "Re: transition: pkg-js-tools" has caused the Debian Bug report #933595, regarding transition: pkg-js-tools, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
933595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933595
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

(please explain about the transition: impacted packages, reason, ... for more info see: https://wiki.debian.org/Teams/ReleaseTeam/Transitions)

Hi all,

pkg-js-tools provides a debhelper plugin that handles "dh --with nodejs". Until 0.7, it was used for dh_auto_test. Since version 0.8.6, it provides a dh_auto_install hook that permits automatically installing node packages in the right place: /usr/share/nodejs or /usr/lib//nodejs instead of the old /usr/lib/nodejs. It also reads package.json to automatically select the files to install. More than 90% of node modules can then be installed without debian/install.

A package that uses it for tests will probably have build failures and risks installing libraries in both the old and the new place. Around 100 packages are affected; I prepared the update in salsa for those I have identified.

I file this request to prevent testing migration being rejected because of autopkgtest regressions. I'm not sure this is the right place or if a transition issue is needed in this case. If not, please forgive me for the inconvenience and close this issue.
Cheers,
Xavier

Ben file:

title = "pkg-js-tools";
is_affected = .depends ~ "pkg-js-tools";
is_good = .depends ~ "pkg-js-tools (>= 0.8.[6-9])";
is_bad = .depends ~ "pkg-js-tools";
--- End Message ---

--- Begin Message ---
All packages updated and migrated to testing. Closing

Thanks!
--- End Message ---
Bug#933986: marked as done (nmu: pygalmesh_0.3.6-1)
Your message dated Tue, 06 Aug 2019 09:37:14 + with message-id and subject line "Bug#933986: fixed in pygalmesh 0.3.6-2" has caused the Debian Bug report #933986, regarding nmu: pygalmesh_0.3.6-1, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
933986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933986
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Hi,

I uploaded a new version of cgal which bumped the SOVERSION of libCGAL_ImageIO.so and was not aware that there is nowadays a reverse dependency of this library in Debian.

nmu pygalmesh_0.3.6-1 . ANY . unstable . -m "Rebuild against libCGAL_ImageIO.so.14"

Thanks,
Joachim

-- System Information:
Debian Release: 10.0
  APT prefers stable-debug
  APT policy: (800, 'stable-debug'), (800, 'stable'), (700, 'testing-debug'), (700, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---

--- Begin Message ---
Source: pygalmesh
Source-Version: 0.3.6-2

We believe that the bug you reported is fixed in the latest version of pygalmesh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 933...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Drew Parsons (supplier of updated pygalmesh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Tue, 06 Aug 2019 16:53:03 +0800
Source: pygalmesh
Architecture: source
Version: 0.3.6-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers
Changed-By: Drew Parsons
Closes: 933848 933986
Changes:
 pygalmesh (0.3.6-2) unstable; urgency=medium
 .
   * debian/clean: delete pygalmesh-from-inr.1 and pygalmesh-volume-from-surface.1,
     generated in override_dh_auto_build. Thanks Joachim Reichel.
     Closes: #933848, #933986.
--- End Message ---
Processed: tagging 933094
Processing commands for cont...@bugs.debian.org:

> tags 933094 + pending
Bug #933094 [release.debian.org] transition: octomap
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
933094: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933094
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#894663: transition: wxwidgets3.0
On Sun, Sep 30, 2018 at 10:09:28AM +0100, Olly Betts wrote:
> On Sun, Sep 30, 2018 at 08:47:00AM +, Niels Thykier wrote:
> > Are we planning to complete this transition
> > in buster (transition deadline being 2019-01-05) or it is fine if this
> > transition is first completed in bullseye ?
>
> I'd still love to complete it for buster, but I suspect we may well not
> manage to get all the remaining rdeps moved over.
>
> We never actually got around to filing bugs against rdeps, but perhaps
> we should to encourage them to move where there aren't any blockers.

Now that we're post-release, Scott Talbert has filed bugs and the transition is progressing well (we've gone from 17% to 41% in just a week).

Please can you re-enable export for this transition so that it appears in tracker.d.o, etc? I've attached a patch which should be suitable.

Cheers,
    Olly

diff --git a/config/ongoing/wxwidgets3.0-gtk3.ben b/config/ongoing/wxwidgets3.0-gtk3.ben index 27a9e072..525b0a4f 100644 --- a/config/ongoing/wxwidgets3.0-gtk3.ben +++ b/config/ongoing/wxwidgets3.0-gtk3.ben @@ -3,4 +3,3 @@ is_affected = .depends ~ /libwxgtk(-media)?3\.0-0v5/ | .depends ~ /libwxgtk(-med is_good = .depends ~ /libwxgtk(-media)?3\.0-gtk3-0v5/; is_bad = .depends ~ /libwxgtk(-media)?3\.0-0v5/; notes = "#894663"; -export = false;
Bug#934094: buster-pu: package clamav/0.101.2+dfsg-1+deb10u1
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Clamav upstream released 0.101.3 which is a "security patch release" only. It is described [0] as:

|ClamAV 0.101.3 is a patch release to address a vulnerability to non-recursive
|zip bombs.
|
|A Denial-of-Service (DoS) vulnerability may occur when scanning a zip bomb as a
|result of excessively long scan times. The issue is resolved by detecting the
|overlapping local file headers which characterize the non-recursive zip bomb
|described by David Fifield.

It also contains an updated libmspack but this is not included in the repacked orig file since the in-archive libmspack is used.

I cherry-picked the version update and the zip fix from upstream and prepared an upload for Buster.

[0] https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html

Sebastian

diff -Nru clamav-0.101.2+dfsg/debian/changelog clamav-0.101.2+dfsg/debian/changelog --- clamav-0.101.2+dfsg/debian/changelog2019-03-30 16:25:48.0 +0100 +++ clamav-0.101.2+dfsg/debian/changelog2019-08-06 22:07:01.0 +0200 @@ -1,3 +1,10 @@ +clamav (0.101.2+dfsg-1+deb10u1) buster; urgency=medium + + * Cherry-pick a fix from 0.101.3 to address a vulnerability to +non-recursive zip bombs. + + -- Sebastian Andrzej Siewior Tue, 06 Aug 2019 22:07:01 +0200 + clamav (0.101.2+dfsg-1) unstable; urgency=high * Import 0.101.2 diff -Nru clamav-0.101.2+dfsg/debian/.git-dpm clamav-0.101.2+dfsg/debian/.git-dpm --- clamav-0.101.2+dfsg/debian/.git-dpm 2019-03-30 15:32:49.0 +0100 +++ clamav-0.101.2+dfsg/debian/.git-dpm 2019-08-06 22:02:44.0 +0200 
@@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -cb77f255d9bc2871a474227e2a8676dfd930a483 -cb77f255d9bc2871a474227e2a8676dfd930a483 +f9c686061408a8a6378bb089e57c541713fb8a7c +f9c686061408a8a6378bb089e57c541713fb8a7c 5a612c89e68e5010b2cd71002ceb15efc03a2324 5a612c89e68e5010b2cd71002ceb15efc03a2324 clamav_0.101.2+dfsg.orig.tar.xz diff -Nru clamav-0.101.2+dfsg/debian/patches/Adds-detection-and-heuristic-alert-for-zips-with-ove.patch clamav-0.101.2+dfsg/debian/patches/Adds-detection-and-heuristic-alert-for-zips-with-ove.patch --- clamav-0.101.2+dfsg/debian/patches/Adds-detection-and-heuristic-alert-for-zips-with-ove.patch 1970-01-01 01:00:00.0 +0100 +++ clamav-0.101.2+dfsg/debian/patches/Adds-detection-and-heuristic-alert-for-zips-with-ove.patch 2019-08-06 22:02:44.0 +0200 
@@ -0,0 +1,233 @@ +From f9c686061408a8a6378bb089e57c541713fb8a7c Mon Sep 17 00:00:00 2001 +From: Micah Snyder +Date: Fri, 12 Jul 2019 21:09:45 -0400 +Subject: Adds detection and heuristic alert for zips with overlapping files, + preventing extraction of non-recursive zip bombs. + +Patch-Name: Adds-detection-and-heuristic-alert-for-zips-with-ove.patch +Signed-off-by: Sebastian Andrzej Siewior +--- + NEWS.md | 15 ++ + libclamav/unzip.c | 74 --- + 2 files changed, 72 insertions(+), 17 deletions(-) + +diff --git a/NEWS.md b/NEWS.md +index 3cd2587..76d8474 100644 +--- a/NEWS.md b/NEWS.md +@@ -5,14 +5,17 @@ Note: This file refers to the source tarball. Things described here may differ + + ## 0.101.3 + +-ClamAV 0.101.3 is a patch release... ++ClamAV 0.101.3 is a patch release to address a vulnerability to non-recursive ++zip bombs. + +-- Fixes for the following vulnerabilities affecting 0.101.2 and prior: +- - ++A Denial-of-Service (DoS) vulnerability may occur when scanning a zip bomb as a ++result of excessively long scan times. The issue is resolved by detecting the ++overlapping local file headers which characterize the non-recursive zip bomb ++described by David Fifield, ++[here](https://www.bamsoftware.com/hacks/zipbomb/). + +-Additional thanks to the following community members for submitting bug reports: +- +-- ++Thank you to Hanno Böck for reporting the issue as it relates to ClamAV, ++[here](https://bugzilla.clamav.net/show_bug.cgi?id=12356). 
+ + ## 0.101.2 + +diff --git a/libclamav/unzip.c b/libclamav/unzip.c +index 0216908..a67b92d 100644 +--- a/libclamav/unzip.c b/libclamav/unzip.c +@@ -54,6 +54,8 @@ + #define UNZIP_PRIVATE + #include "unzip.h" + ++#define ZIP_MAX_NUM_OVERLAPPING_FILES 5 ++ + #define ZIP_CRC32(r,c,b,l)\ + do { \ + r = crc32(~c,b,l); \ +@@ -493,14 +495,14 @@ static inline int zdecrypt(const uint8_t *src, uint32_t csize, uint32_t usize, c + if (pass_zip) + pass_zip = pass_zip->next; + else +- pass_any = pass_any->next; ++ pass_any = pass_any->next; + } + + cli_dbgmsg("cli_unzip: decrypt - skipping encrypted file, no valid passwords\n"); + return CL_SUCCESS; + } + +-static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int *fu, unsigned int fc, const uint
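Review bot: the new debian/changelog entry (`+ * Cherry-pick a fix from 0.101.3 to address a vulnerability to +non-recursive zip bombs.`) carries no reference for the fix it cherry-picks, even though the NEWS.md hunk in the added patch cites the upstream bug (https://bugzilla.clamav.net/show_bug.cgi?id=12356) and David Fifield's write-up; adding that upstream bug URL, and a Debian bug number once one exists, to the changelog entry would let the security tracker and stable users correlate the deb10u1 upload with the upstream advisory.

Review bot: in the libclamav/unzip.c part of the added patch, `+#define ZIP_MAX_NUM_OVERLAPPING_FILES 5` is introduced with no comment saying what the threshold counts or why 5 was chosen, and the hunk at `@@ -493,14 +495,14 @@` only re-indents `pass_any = pass_any->next;`, which is unrelated whitespace churn in a cherry-picked security fix. The patch text is also cut off on this page at the `lhdr(` signature, so the overlap-detection change itself cannot be reviewed from what is shown; it is worth confirming that the full 233-line patch file matches upstream commit f9c686061408a8a6378bb089e57c541713fb8a7c, which the .git-dpm hunk now records.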
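The detection that Sebastian's quoted upstream text describes, as an added Python example that is neither ClamAV's code nor part of the Debian package: it builds a constructed archive in the overlapping-local-header layout, then walks the central directory and counts entries whose byte ranges collide, using the patch's threshold of 5 as the alert limit. The names build_zip, overlapping_entries and is_zip_bomb, and the sample archives, are assumptions of this example.

```python
import struct
import zlib

LOCAL_SIG, CEN_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
MAX_OVERLAPPING = 5  # threshold taken from the patch's ZIP_MAX_NUM_OVERLAPPING_FILES

def build_zip(names, payload, overlap):
    """Constructed sample archive. With overlap=True every central-directory entry
    points at the same local header: one compressed blob claimed by many entries."""
    comp = zlib.compress(payload)[2:-4]  # strip zlib wrapper -> raw deflate stream
    crc = zlib.crc32(payload)
    body, cd, offsets = b"", b"", []
    for name in names:
        nb = name.encode()
        if overlap and offsets:
            off = offsets[0]  # reuse the first entry's local header and data
        else:
            off = len(body)
            body += LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 8, 0, 0, crc,
                                            len(comp), len(payload), len(nb), 0) + nb + comp
        offsets.append(off)
        cd += CEN_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 8, 0, 0, crc,
                                    len(comp), len(payload), len(nb), 0, 0, 0, 0, 0, off) + nb
    eocd = struct.pack("<HHHHIIH", 0, 0, len(names), len(names), len(cd), len(body), 0)
    return body + cd + EOCD_SIG + eocd

def overlapping_entries(data):
    """Count central-directory entries whose local header + compressed data
    overlaps a byte range already claimed by an earlier entry."""
    eocd = data.rindex(EOCD_SIG)  # ValueError if there is no EOCD record
    _, _, _, n, _, pos, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    spans, overlaps = [], 0
    for _ in range(n):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad central directory entry")
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        csize, lh_off = f[7], f[15]
        pos += 46 + f[9] + f[10] + f[11]  # skip name, extra and comment fields
        if data[lh_off:lh_off + 4] != LOCAL_SIG:
            raise ValueError("central directory points at no local header")
        # Sizes come from the local header itself; a crafted archive may differ here.
        l_name, l_extra = struct.unpack_from("<HH", data, lh_off + 26)
        start, end = lh_off, lh_off + 30 + l_name + l_extra + csize
        overlaps += int(any(start < e and s < end for s, e in spans))
        spans.append((start, end))
    return overlaps

def is_zip_bomb(data, limit=MAX_OVERLAPPING):
    return overlapping_entries(data) > limit
```

A benign archive lays its local headers end to end and yields zero overlaps; the constructed eight-entry bomb yields seven, which exceeds the limit and would trigger the heuristic alert.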
Processed: block 894663 with 934096 934097 934098 934099
Processing commands for cont...@bugs.debian.org:

> block 894663 with 934096 934097 934098 934099
Bug #894663 [release.debian.org] transition: wxwidgets3.0
894663 was blocked by: 933413 933457 933454 933460 933462 933459 933447 933409 933415 933476 933432 933430 933412 933417 933423 933433 933441 933464 933478 933453 933422 933477 933445 933442 933431 933474 933443 933424 933461 933451 933438 933439 895134 933425 933472 933421 933444 933458 933466 933426 933471 933465 933455 933468 933414 933411 933450 933475 933428 933467 933470 933436 933452 933480 933416 933448 933473 933435 933420 933440 933434 933418 933456 933479 933429 933408 933407 933469 933446 933427 933419 933463
894663 was not blocking any bugs.
Added blocking bug(s) of 894663: 934096, 934099, 934097, and 934098
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
894663: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894663
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#934112: transition: poco
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hey release team,

I would like to transition Poco to the new ABI version.

Cheers
Jochen

Ben file:

title = "poco";
is_affected = .depends ~ /\b(libpococrypto60|libpocodata60|libpocodatamysql60|libpocodataodbc60|libpocodatasqlite60|libpocoencodings60|libpocofoundation60|libpocojson60|libpocomongodb60|libpoconet60|libpoconetssl60|libpocoredis60|libpocoutil60|libpocoxml60|libpocozip60)\b/ | .depends ~ /\b(libpococrypto62|libpocodata62|libpocodatamysql62|libpocodataodbc62|libpocodatasqlite62|libpocoencodings62|libpocofoundation62|libpocojson62|libpocomongodb62|libpoconet62|libpoconetssl62|libpocoredis62|libpocoutil62|libpocoxml62|libpocozip62)\b/;
is_good = .depends ~ /\b(libpococrypto62|libpocodata62|libpocodatamysql62|libpocodataodbc62|libpocodatasqlite62|libpocoencodings62|libpocofoundation62|libpocojson62|libpocomongodb62|libpoconet62|libpoconetssl62|libpocoredis62|libpocoutil62|libpocoxml62|libpocozip62)\b/;
is_bad = .depends ~ /\b(libpococrypto60|libpocodata60|libpocodatamysql60|libpocodataodbc60|libpocodatasqlite60|libpocoencodings60|libpocofoundation60|libpocojson60|libpocomongodb60|libpoconet60|libpoconetssl60|libpocoredis60|libpocoutil60|libpocoxml60|libpocozip60)\b/;

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: armhf (armv7l)

Kernel: Linux 4.19.0-5-armmp (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)