Bug#1022860: bullseye-pu: package powerline-gitstatus/1.3.2-1+deb11u1

2022-10-27 Thread Jérôme Charaoui

On 2022-10-27 at 00:25, Salvatore Bonaccorso wrote:

On Wed, Oct 26, 2022 at 11:05:05PM -0400, Jérôme Charaoui wrote:

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
I would like to upload powerline-gitstatus to stable to fix CVE-2022-42906.
I have consulted with the security team and they suggested we make the fix
available via the next point release.

[ Impact ]
powerline-gitstatus/1.3.1 and earlier versions are susceptible to code
execution via malicious repository. Note that the malicious repository must
be obtained other than by "git clone".

[ Tests ]
The package has no autopkgtests. It has been tested manually.

[ Risks ]
The changeset between 1.3.1 and 1.3.2 is small. The risk is low that
a new bug or security issue is introduced.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in (old)stable
   [x] the issue is verified as fixed in unstable

[ Changes ]
The fix for CVE-2022-42906 is straightforward: it simply appends the
argument "-C core.fsmonitor=" to the git command. Aside from that, a simple
program option was added (untracked_not_dirty) and the README is updated.

[Other info]
As I expect a positive response, I will be uploading the package shortly.


-- Jerome



diff -Nru powerline-gitstatus-1.3.1/debian/changelog 
powerline-gitstatus-1.3.2/debian/changelog
--- powerline-gitstatus-1.3.1/debian/changelog  2020-07-08 16:17:05.0 
-0400
+++ powerline-gitstatus-1.3.2/debian/changelog  2022-10-26 22:54:03.0 
-0400
@@ -1,3 +1,10 @@
+powerline-gitstatus (1.3.2-1+deb11u1) bullseye; urgency=medium
+
+  * New upstream version 1.3.2
+- Fix command injection via malicious repository config (CVE-2022-42906)
+
+ -- Jérôme Charaoui   Wed, 26 Oct 2022 22:54:03 -0400
+
  powerline-gitstatus (1.3.1-2) unstable; urgency=medium

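Review bot: the new changelog stanza in this hunk carries version 1.3.2-1+deb11u1, which sorts higher than the 1.3.2-1 that reached the archive through unstable, so a bullseye system with this package would see no upgrade to bookworm's 1.3.2-1; because 1.3.2 is imported on top of the existing bullseye packaging, the stanza should read `powerline-gitstatus (1.3.2-0+deb11u1) bullseye; urgency=medium` (1.3.2-1~deb11u1 would be the choice for a plain rebuild of the unstable package). The `- Fix command injection via malicious repository config (CVE-2022-42906)` sub-item also appears flush with its `*` parent; Debian changelogs indent nested items beneath the bullet they belong to.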

The former proposed update was to just cherry-pick the needed change,
so the version number 1.3.1-2+deb11u1. But if you propose to import
1.3.2 instead, then you need to pick 1.3.2-1~deb11u1 or
1.3.2-0+deb11u1 here, to have it sorting before the version which hit
the archive as 1.3.2-1.

In fact, if you just import a new upstream version on top of the
current packaging then I would go for 1.3.2-0+deb11u1. If it is OTOH
merely a rebuild of the upper-suite version then 1.3.2-1~deb11u1.

In your case I think both of them are perfectly reasonable.


Thanks for the review. I've opted to import the new upstream version on 
top of the bullseye packaging, so I have uploaded version 1.3.2-0+deb11u1.


-- Jerome
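As an added example (not code from the bug report or from powerline-gitstatus), the mitigation the report describes, git's `-c core.fsmonitor=` override on every invocation, beside a small detector for that setting in a checkout's `.git/config`; the function names, the `/nonexistent/hook` value and the sample config are constructed for this example.

```python
# Added example, not code from the Debian bug report or from powerline-gitstatus.
# CVE-2022-42906: a repository whose .git/config sets core.fsmonitor makes git run
# that value as a command on ordinary operations such as `git status`, so a prompt
# calling git in an untrusted checkout runs attacker-chosen code. Upstream's fix
# overrides core.fsmonitor with an empty value on every git invocation.
import re
import subprocess

# Git's config override flag is lowercase -c; an empty value disables fsmonitor.
FSMONITOR_OVERRIDE = ["-c", "core.fsmonitor="]

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$")


def git_command(subcommand, *args, repo="."):
    """argv for a git call; the override must come before the subcommand."""
    return ["git", "-C", str(repo), *FSMONITOR_OVERRIDE, subcommand, *args]


def run_git(subcommand, *args, repo="."):
    """Run git with the override so a configured fsmonitor hook never executes."""
    return subprocess.run(git_command(subcommand, *args, repo=repo),
                          capture_output=True, text=True, check=False)


def fsmonitor_setting(config_text):
    """Value of core.fsmonitor in git config text, or None if absent.
    Minimal parser: [section] headers, key = value, bare keys (meaning true),
    double-quoted values, trailing # or ; comments. Last occurrence wins."""
    section, found = None, None
    for line in config_text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = _KEYVAL.match(line)
        if not m or section != "core" or m.group(1).lower() != "fsmonitor":
            continue
        value = "true" if m.group(2) is None else m.group(2).strip()
        if value.startswith('"'):  # quoted: keep up to the closing quote
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        else:  # unquoted: # or ; starts a comment
            value = re.split(r"[#;]", value, maxsplit=1)[0].rstrip()
        found = value
    return found


def check_config_text(config_text):
    """(ok, detail) for a .git/config: ok is False when a fsmonitor hook is set.
    Detection aid only: git also honours include.path and user/system config,
    so the override in git_command() remains the actual mitigation."""
    value = fsmonitor_setting(config_text)
    if value is None or value.lower() in ("", "false", "0", "no", "off"):
        return True, "core.fsmonitor unset"
    return False, f"core.fsmonitor is set to {value!r}"


# Constructed sample .git/config, as a checkout unpacked from an archive might carry.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfsmonitor = "/nonexistent/hook"   ; placeholder value, not a real payload
"""
```

Running `check_config_text` on a checkout's config before the prompt calls git gives a log line for the suspicious setting; `run_git` is what the prompt should use regardless of that result.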



NEW changes in stable-new

2022-10-27 Thread Debian FTP Masters
Processing changes file: tio_2.2-1~bpo11+1_amd64.changes
  REJECT



Processed: Re: Bug#1022003: transition: gssdp/gupnp 1.2->1.6 (+ rygel 0.42.0)

2022-10-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 = confirmed
Bug #1022003 [release.debian.org] transition: gssdp/gupnp 1.2->1.6 (+ rygel 
0.42.0)
Added tag(s) confirmed.

-- 
1022003: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022003
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1022003: transition: gssdp/gupnp 1.2->1.6 (+ rygel 0.42.0)

2022-10-27 Thread Sebastian Ramacher
Control: tags -1 = confirmed

On 2022-10-18 21:24:03 +0200, Andreas Henriksson wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Hello release team,
> 
> I'd like to transition gssdp/gupnp to 1.6 version as part of current
> GNOME release.

Please go ahead

Cheers

> 
> I've just uploaded the new versions of gssdp and gupnp 1.6.0 to
> binary-NEW/experimental.
> 
> I will team-upload new releases of the following reverse dependencies as
> part of gnome-team:
> 
> * rygel (0.42.0-1 just uploaded to binary-NEW/experimental) 
>   - FYI internal soname bump for broken plugin ABI, but there are no
> external plugins (all built from src:rygel).
> * gupnp-tools (0.12.0-1 just uploaded to experimental)
> * gupnp-igd (needs cherry-pick 
> https://gitlab.gnome.org/GNOME/gupnp-igd/-/commit/79a1e4cf8c256132978a1d8ab718c8ad132386de
>  )
> 
> I've just done QA uploads to unstable for latest version of
> dleyna-{core,renderer,server} to make it easier to cherry-pick upstream
> changes for gssdp/gupnp 1.6 (not yet in a released version).
> I can do qa uploads of dleyna-* but would prefer if these packages where
> simply removed from testing as they've been orphaned for many years
> (since their initial upload to debian).
> Will file a bug for each package and point out the upstream commits
> respectively:
> * 
> https://github.com/phako/dleyna-core/commit/b88f231affc697be813d7c77c17e3130df81cb9a
> * 
> https://github.com/phako/dleyna-renderer/commit/b3a06c8bc4b91803d7bde312f49a68109b8ad8d4
> * 
> https://github.com/phako/dleyna-server/commit/e7f64192643f5783e19482a11697de9ec3eea033
> 
> I will file bugs for remaining (and offer to NMU if no response),
> fixed-upstream (not yet in a released version):
> 
> * caja-extensions -- 
> https://github.com/mate-desktop/caja-extensions/issues/110
> * librm -- 
> https://gitlab.com/tabos/librm/-/commit/c9aae663ff40c1ab171476652eba68c174d96ba2
>  + 
> https://gitlab.com/tabos/librm/-/commit/a849d9a6a6624d5f3c6a70dd63590d1a2b79d1af
> 
> 
> Regards,
> Andreas Henriksson
> 
> 
> PS. Once I've filed all bug reports I'll set them as blockers for this bug
> report.
> 
> 
> Ben file:
> 
> title = "gupnp";
> is_affected = .depends ~ "libgupnp-1.2-1" | .depends ~ "libgssdp-1.2-0" | 
> .depends ~ "libgupnp-1.6-0" | .depends ~ "libgssdp-1.6-0";
> is_good = .depends ~ "libgupnp-1.6-0" | .depends ~ "libgssdp-1.6-0";
> is_bad = .depends ~ "libgupnp-1.2-1" | .depends ~ "libgssdp-1.2-0";
> 

-- 
Sebastian Ramacher



Bug#1020230: marked as done (transition: qtbase-opensource-src)

2022-10-27 Thread Debian Bug Tracking System
Your message dated Thu, 27 Oct 2022 19:36:16 +0200
with message-id 
and subject line Re: Bug#1020230: transition: qtbase-opensource-src
has caused the Debian Bug report #1020230,
regarding transition: qtbase-opensource-src
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1020230: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020230
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
Control: block -1 by 1019974

Dear Release team,

I would like to upgrade Qt 5 from 5.15.4 to 5.15.6. The packages are prepared
in experimental. As usual, packages which use private ABI need to be rebuilt.

The only blocker I am aware of is uim FTBFS which affects armhf and maybe
other architectures like armel (#1019974). The previous maintainer stepped
down, so it's unlikely that we get it fixed anytime soon. Perhaps the binaries
may be removed on this architecture(s).

Here is the ben file (no qtwebengine this time):

title = "Qt 5.15.6";
is_affected = .depends ~ "qtbase-abi-5-15-4" | .depends ~ 
"qtdeclarative-abi-5-15-4" | .depends ~ "qtbase-abi-5-15-6" | .depends ~ 
"qtdeclarative-abi-5-15-6";
is_good = .depends ~ "qtbase-abi-5-15-6" | .depends ~ 
"qtdeclarative-abi-5-15-6";
is_bad = .depends ~ "qtbase-abi-5-15-4" | .depends ~ "qtdeclarative-abi-5-15-4";

--
Dmitry Shachnev


--- End Message ---
--- Begin Message ---
On 2022-09-28 23:13:06 +0200, Sebastian Ramacher wrote:
> Control: tags -1 confirmed
> Control: forwarded -1 
> https://release.debian.org/transitions/html/qtbase-abi-5-15-6.html
> 
> On 2022-09-18 17:58:30 +0300, Dmitry Shachnev wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > Control: block -1 by 1019974
> > 
> > Dear Release team,
> > 
> > I would like to upgrade Qt 5 from 5.15.4 to 5.15.6. The packages are 
> > prepared
> > in experimental. As usual, packages which use private ABI need to be 
> > rebuilt.
> 
> Please go ahead

… and it's done.

Cheers
-- 
Sebastian Ramacher
--- End Message ---


Bug#1022768: marked as done (nmu: libgdal-grass_1:1.0.1-1)

2022-10-27 Thread Debian Bug Tracking System
Your message dated Thu, 27 Oct 2022 19:37:35 +0200
with message-id 
and subject line Re: Bug#1022768: nmu: libgdal-grass_1:1.0.1-1
has caused the Debian Bug report #1022768,
regarding nmu: libgdal-grass_1:1.0.1-1
to be marked as done.


-- 
1022768: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022768
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: pkg-grass-de...@lists.alioth.debian.org

nmu libgdal-grass_1:1.0.1-1 . ANY . unstable . -m "Rebuild with grass (>= 8.2.0-2)"

The GRASS version check fails since the new build in unstable. See:

  https://salsa.debian.org/debian-gis-team/gdal-grass/-/blob/master/debian/README.source

Kind Regards,

Bas 
--- End Message ---
--- Begin Message ---
On 2022-10-25 15:51:18 +0200, Bas Couwenberg wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
> X-Debbugs-Cc: pkg-grass-de...@lists.alioth.debian.org
> 
> nmu libgdal-grass_1:1.0.1-1 . ANY . unstable . -m "Rebuild with grass (>= 8.2.0-2)"

Scheduled

Cheers
-- 
Sebastian Ramacher
--- End Message ---


Bug#1021093: marked as done (transition: ros2-rcutils)

2022-10-27 Thread Debian Bug Tracking System
Your message dated Thu, 27 Oct 2022 19:39:08 +0200
with message-id 
and subject line Re: Bug#1021093: transition: ros2-rcutils
has caused the Debian Bug report #1021093,
regarding transition: ros2-rcutils
to be marked as done.


-- 
1021093: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021093
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition


Dear release team,

I'd like to transition ros2-rcutils after a SONAME bump.
I could rebuild all reverse dependencies on amd64 successfully.

The Ben tracker at
https://release.debian.org/transitions/html/auto-ros2-rcutils.html
looks mostly fine, even though I would have expected ros-ros-comm in
dependency level 2.


Cheers
Timo


--- End Message ---
--- Begin Message ---
On 2022-10-02 15:57:49 +0200, Sebastian Ramacher wrote:
> Control: tags -1 confirmed
> 
> On 2022-10-02 00:30:41 +0200, Timo Röhling wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > 
> > Dear release team,
> > 
> > I'd like to transition ros2-rcutils after a SONAME bump.
> > I could rebuild all reverse dependencies on amd64 successfully.
> > 
> > The Ben tracker at
> > https://release.debian.org/transitions/html/auto-ros2-rcutils.html
> > looks mostly fine, even though I would have expected ros-ros-comm in
> > dependency level 2.
> 
> Please go ahead

The old binaries got removed from testing.

Cheers
-- 
Sebastian Ramacher
--- End Message ---


Bug#1022003: transition: gssdp/gupnp 1.2->1.6 (+ rygel 0.42.0)

2022-10-27 Thread Andreas Henriksson
Hello Sebastian Ramacher,

On Thu, Oct 27, 2022 at 07:38:14PM +0200, Sebastian Ramacher wrote:
> Control: tags -1 = confirmed
> 
> On 2022-10-18 21:24:03 +0200, Andreas Henriksson wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> > 
> > Hello release team,
> > 
> > I'd like to transition gssdp/gupnp to 1.6 version as part of current
> > GNOME release.
> 
> Please go ahead

I'll hold off a few more days if that's not a problem.

Both because I'll be a bit busy the next couple of days but also
because there was a (newly added) test that failed on s390x
in gupnp/experimental.

With help from upstream the actual bug in gssdp/experimental should
be fixed, new gssdp/experimental has built (except on ppc64el) and I've
done a giveback of gupnp/experimental on s390x but it has still not
built yet confirming if the problem is actually fixed and the test
passes.
Is there any chance you have a way to give some priority to
gupnp/experimental on s390x?
https://buildd.debian.org/status/package.php?p=gupnp&suite=experimental

I'll probably also look into doing some NMUs to experimental of rdeps
before kicking off the actual transition.

If this means you want to put me back on hold and give the slot to
someone else, that's fine with me! I just want to make sure we get this
transition done before freeze so gnome versions are all synced up.

Regards,
Andreas Henriksson


PS. Thanks for being very responsive through this process. A few years ago
waiting several months without hearing anything was common and kind of
what I still was expecting. This feels a lot more like coordinating
in the real sense of the word.



Bug#1022926: transition: glibc 2.36

2022-10-27 Thread Aurelien Jarno
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: debian-gl...@lists.debian.org

Dear release team,

I would like to get a transition slot for glibc 2.36. It has been
available in experimental for a bit more than one month and does not
have any known major issue. It has been built successfully on all
release architectures and many ports architectures. A few issues found
through the autopkgtest pseudo excuses for experimental have been fixed.
The remaining ones are due to britney bugs, broken autopkgtest or
packages parts of the transition.

As glibc is using symbol versioning, there is no soname change. That
said a few packages are using libc internal symbols and have to be
rebuilt for this transition. Here is the corresponding ben file:

  title = "glibc";
  is_affected = .depends ~ /libc[0-9.]* \(<

Bug#1022248: transition: icu

2022-10-27 Thread Sebastian Ramacher
Control: tags -1 moreinfo
Control: forwarded -1 https://release.debian.org/transitions/html/icu72.html

On 2022-10-22 19:17:58 +0200, László Böszörményi wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Hi RMs,
> 
> My intention is to release Bookworm with ICU 72.1 which is already
> packaged and is in experimental. As Sid has the previous 71.1 release
> the transition is plain, I don't expect any breakage. The rebuilds are
> ongoing and only level1 and level2 are ready at this time.
> Transition is similar to the previous ones, this time boost1.74 needs
> to be binNMUed after level1 before other level2 packages and pyicu
> will need a sourceful upload (its Git version seems to be ready, but I
> wait for its release).

I've set up the tracker. Please remove the moreinfo tag once the test
builds are done.

Cheers

> 
> The only FTBFS is from the Sid version of nodejs (18.10.0+dfsg-6) due
> to a flaky self-test - its experimental version (18.11.0+dfsg-3)
> doesn't suffer from it. I will post more when I build all levels of
> the transition.
> 
> Regards,
> Laszlo/GCS
> 

-- 
Sebastian Ramacher



Processed: Re: Bug#1022248: transition: icu

2022-10-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #1022248 [release.debian.org] transition: icu
Added tag(s) moreinfo.
> forwarded -1 https://release.debian.org/transitions/html/icu72.html
Bug #1022248 [release.debian.org] transition: icu
Set Bug forwarded-to-address to 
'https://release.debian.org/transitions/html/icu72.html'.

-- 
1022248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1022705: unplanned transition: ghostscript

2022-10-27 Thread Sebastian Ramacher
On 2022-10-24 15:15:09 +0200, Jonas Smedegaard wrote:
> > Also, it would have been nice to disentangle the -common rename from the 
> > SONAME 
> > bump.
> 
> Yes, I agree that would have been more elegant.

I have uploaded a new version that partially reverts the change.
Unfortunately, libgs9-common contained the unversioned ICC profiles, so
we will end up some Breaks+Replaces for the bullseye to bookworm
upgrade. With that in mind, the new version keeps the ICC profiles in
libgs-common and the version specific files are moved back to
libgs10-common.

Cheers
-- 
Sebastian Ramacher



Bug#1019353: marked as done (transition: perl 5.36)

2022-10-27 Thread Debian Bug Tracking System
Your message dated Fri, 28 Oct 2022 08:41:07 +0200
with message-id <396fe273-1146-47bf-dfee-5193dee07...@debian.org>
and subject line Re: Bug#1019353: transition: perl 5.36
has caused the Debian Bug report #1019353,
regarding transition: perl 5.36
to be marked as done.


-- 
1019353: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019353
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: transition
Tags: moreinfo
X-Debbugs-Cc: p...@packages.debian.org
Control: block -1 with 1016761

We'd like to get Perl 5.36 in bookworm. Filing this to get it on the
radar properly, but I'd like to do a few more checks first. So tagging
'moreinfo' for now. I'll remove that when I'm done with the checks,
hopefully in a couple of weeks at the latest.

The package in experimental is in good shape.  We've been continuously
rebuilding perl reverse dependencies (currently 4507 packages) since
June or so on http://perl.debian.net/ , and tracking regressions at

  https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=perl-5.36-transition;users=debian-p...@lists.debian.org

The only remaining regression in testing that I'm aware of is #1016761
which should be easy to fix by dropping the problematic test case that
uses HTTP::Tiny internals in a not forward compatible way.

I ran autopkgtest checks of 3847 packages that have Testsuite-Triggers:
perl or Testsuite: autopkgtest-pkg-perl locally in July and did not find
any regressions from sid.  I intend to recheck this on ci.debian.net
soon now that we have support for external repositories there (thanks,
Paul et al.!) The recent egrep deprecation (#1019335) in sid may be a
blocker for this though.

I also intend to test rebuild the ~500 packages in sid that will need a
binNMU one more time to catch any non-perl-related new build failures.
I don't have a good way to spot non-amd64 architecture specific issues
or unrelated version skew between unstable and testing, so those can
still yield surprises for the transition.

title = "perl";
is_affected = .depends ~ "libperl5.34|perlapi-5.34" | .pre-depends ~ 
"libperl5.34|perlapi-5.34";
is_good = .depends ~ "libperl5.36|perlapi-5.36" | .pre-depends ~ 
"libperl5.36|perlapi-5.36";
is_bad = .depends ~ "libperl5.34|perlapi-5.34" | .pre-depends ~ 
"libperl5.34|perlapi-5.34";

Thanks for your work on the release,
-- 
Niko Tyni   nt...@debiar.org
--- End Message ---
--- Begin Message ---

On 18/10/2022 19:25, Niko Tyni wrote:
> On Tue, Oct 18, 2022 at 03:05:59PM +0200, Emilio Pozuelo Monfort wrote:
> > On Wed, Sep 07, 2022 at 09:47:39PM +0300, Niko Tyni wrote:
> > > We'd like to get Perl 5.36 in bookworm. Filing this to get it on the
> > > radar properly, but I'd like to do a few more checks first. So tagging
> > > 'moreinfo' for now. I'll remove that when I'm done with the checks,
> > > hopefully in a couple of weeks at the latest.
> > 
> > That looks good. Please go ahead.
> 
> Thanks! perl_5.36.0-4 uploaded to unstable.

And it migrated last night. Thanks for the help to everyone involved!

Cheers,
Emilio
--- End Message ---