Bug#944741: transition: openscenegraph

2019-11-14 Thread Alberto Luaces
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi, the package openscenegraph-3.4 is being replaced by
openscenegraph, already in the archives.  Their rdeps build fine
against openscenegraph.

The plan is to eventually remove openscenegraph-3.4 since it is not
used anymore.

Can you issue the transition for me, please?

Thank you!

Ben file:

title = "openscenegraph-3.4-rm";
is_affected = (.build-depends ~ /\b(libopenscenegraph\-3\.4\-dev|openscenegraph\-3\.4)\b/) | (.depends ~ /\b(libopenscenegraph\-3\.4\-(131|dev)|openscenegraph\-3\.4(\-(doc|examples))?)\b/);
is_good = false;
is_bad = .depends ~ /\b(libopenscenegraph\-3\.4\-(131|dev)|openscenegraph\-3\.4(\-(doc|examples))?)\b/;



Bug#756478: transition: openscenegraph

2014-09-22 Thread Alberto Luaces
On 22 sep 2014, j...@debian.org wrote:

> Hi,
>
> On 2014-09-17 13:38, Jonathan Wiltshire wrote:
>> Control: tag -1 confirmed
>>
>> Ok, let's go! Please upload to unstable.
>
> ping on that?

Done.  Thanks a lot!


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87y4tbpnd4@eps142.cdf.udc.es



Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds

2010-11-07 Thread Alberto Luaces
"Adam D. Barratt" writes:

> On Sun, 2010-11-07 at 11:55 +0100, Alberto Luaces wrote:
>> recently a bug has been reported for the lenny version of the
>> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
>> package includes an embedded, vulnerable copy of the lib3ds library:
>> 
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>> 
>> The security team said that our proposed update did not warrant a
>> security update, and that we should make a stable release instead.
>> 
>> The Debian Developers of this package and me have now available a new
>> version of the package which removes the embedded copy and makes the
>> compilation process link the generated libraries against Debian system's
>> lib3ds version.
>
> Your own comment in the bug referenced above is that the embedded copy
> of lib3ds contains changes which are not in the standard library.  If
> that is the case, then won't using the packaged library cause problems
> and/or regressions?
>

Fortunately not, since those changes addressed some lib3ds deficiencies
at that time (assumed little endianness, assumed 32 bit system) that were
corrected in later lib3ds versions, including the one in stable. It is
not a serious proof, but I have loaded some 3ds files as a test and
they worked.

>> I'm attaching the diff in this mail for you to
>> inspect.
>
> That "diff" appears to be the entire of the debian/ directory, including
> changelog entries going back to 2004.  In order to review it, we'd need
> a debdiff of the source package currently in stable compared to your
> proposed update (i.e. a debdiff of the .dscs).
>

I'll do it and get back to you.

>> I wonder if the `high' priority that I have given to this
>> release is fine or not.
>
> Urgency is basically irrelevant for stable updates, as it makes no
> difference as to when the package will move from p-u-new to
> proposed-updates nor from there in to stable.
>

Ok.

> (fwiw, the version number should be 2.4.0-1.1+lenny1 or similar;
> possibly 2.4.0-2 if there was never such a revision in the archive.  The
> current versioning implies that the package is an update to 2.4.0-2,
> which is not the case)
>

Understood. I will also correct this.

Thank you,

Alberto


-- 
Archive: http://lists.debian.org/87d3qhb5m4@eps142.cdf.udc.es



Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds

2010-11-07 Thread Alberto Luaces
Moritz Muehlenhoff writes:

> In gmane.linux.debian.devel.release, you wrote:
>> --=-=-=
>>
>> Hello,
>>
>> recently a bug has been reported for the lenny version of the
>> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
>> package includes an embedded, vulnerable copy of the lib3ds library:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>>
>> The security team said that our proposed update did not warrant a
>> security update, and that we should make a stable release instead.
>>
>> The Debian Developers of this package and me have now available a new
>> version of the package which removes the embedded copy and makes the
>> compilation process link the generated libraries against Debian system's
>> lib3ds version. I'm attaching the diff in this mail for you to
>> inspect. I wonder if the `high' priority that I have given to this
>> release is fine or not.
>
> That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet, it
> would need to be updated along.

Yes, that was my intention. It seemed sensible to me to pull out
openscenegraph the insecure code and make it depend on the new lib3ds
version. I thought that since lenny and squeeze versions of lib3ds are
compatible, the latter could be backported in short by the security
team.

What do you think? Should I wait for lenny's lib3ds to get fixed or
could we start updating openscenegraph to use the external library?

Regards,

Alberto


-- 
Archive: http://lists.debian.org/87oca0g79p@gmail.com



Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds

2010-11-08 Thread Alberto Luaces
Moritz Muehlenhoff writes:

> On Sun, Nov 07, 2010 at 10:20:50PM +0100, Alberto Luaces wrote:
>> Moritz Muehlenhoff writes:
>> 
>> > In gmane.linux.debian.devel.release, you wrote:
>> >> --=-=-=
>> >>
>> >> Hello,
>> >>
>> >> recently a bug has been reported for the lenny version of the
>> >> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
>> >> package includes an embedded, vulnerable copy of the lib3ds library:
>> >>
>> >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>> >>
>> >> The security team said that our proposed update did not warrant a
>> >> security update, and that we should make a stable release instead.
>> >>
>> >> The Debian Developers of this package and me have now available a new
>> >> version of the package which removes the embedded copy and makes the
>> >> compilation process link the generated libraries against Debian system's
>> >> lib3ds version. I'm attaching the diff in this mail for you to
>> >> inspect. I wonder if the `high' priority that I have given to this
>> >> release is fine or not.
>> >
>> > That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet, it
>> > would need to be updated along.
>> 
>> Yes, that was my intention. It seemed sensible to me to pull out
>> openscenegraph the insecure code and make it depend on the new lib3ds
>> version. I thought that since lenny and squeeze versions of lib3ds are
>> compatible, the latter could be backported in short by the security
>> team.
>> 
>> What do you think? Should I wait for lenny's lib3ds to get fixed or
>> could we start updating openscenegraph to use the external library?
>
> lib3ds also has been labeled as not warranting a DSA, so it won't be
> updated by the Security Team (we're barely keeping up with regular
> DSAs currently). Since it's orphaned it's unlikely to be updated in
> stable soon. Fixing it should be straight-forward, though. The patch
> from my 1.3.0-5 NMU in unstable can be applied straight-away for Lenny.

If that could be possible it would be great. In that case, I have
attached the debdiff that Adam asked for. Otherwise we would have to
remove 3DS support in openscenegraph, maybe breaking some end user
program.

Another possibility could be to fix the embedded lib3ds in
openscenegraph, just following the error description in the CVE.

Regards,

Alberto



openscenegraph_deb.diff.bz2
Description: Binary data


Bug#601181: unblock: openscenegraph-2.4.0-1.1+lenny1 (was: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds)

2010-11-11 Thread Alberto Luaces
Alberto Luaces writes:

> Moritz Muehlenhoff writes:
>
>> On Sun, Nov 07, 2010 at 10:20:50PM +0100, Alberto Luaces wrote:
>>> Moritz Muehlenhoff writes:
>>> 
>>> > In gmane.linux.debian.devel.release, you wrote:
>>> >> --=-=-=
>>> >>
>>> >> Hello,
>>> >>
>>> >> recently a bug has been reported for the lenny version of the
>>> >> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
>>> >> package includes an embedded, vulnerable copy of the lib3ds library:
>>> >>
>>> >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>>> >>
>>> >> The security team said that our proposed update did not warrant a
>>> >> security update, and that we should make a stable release instead.
>>> >>
>>> >> The Debian Developers of this package and me have now available a new
>>> >> version of the package which removes the embedded copy and makes the
>>> >> compilation process link the generated libraries against Debian system's
>>> >> lib3ds version. I'm attaching the diff in this mail for you to
>>> >> inspect. I wonder if the `high' priority that I have given to this
>>> >> release is fine or not.
>>> >
>>> > That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet, it
>>> > would need to be updated along.
>>> 
>>> Yes, that was my intention. It seemed sensible to me to pull out
>>> openscenegraph the insecure code and make it depend on the new lib3ds
>>> version. I thought that since lenny and squeeze versions of lib3ds are
>>> compatible, the latter could be backported in short by the security
>>> team.
>>> 
>>> What do you think? Should I wait for lenny's lib3ds to get fixed or
>>> could we start updating openscenegraph to use the external library?
>>
>> lib3ds also has been labeled as not warranting a DSA, so it won't be
>> updated by the Security Team (we're barely keeping up with regular
>> DSAs currently). Since it's orphaned it's unlikely to be updated in
>> stable soon. Fixing it should be straight-forward, though. The patch
>> from my 1.3.0-5 NMU in unstable can be applied straight-away for Lenny.
>
> If that could be possible it would be great. In that case, I have
> attached the debdiff that Adam asked for. Otherwise we would have to
> remove 3DS support in openscenegraph, maybe breaking some end user
> program.
>
> Another possibility could be to fix the embedded lib3ds in
> openscenegraph, just following the error description in the CVE.

I have finally come across this and made a release patching
openscenegraph in the same way as it is done in lib3ds for
Squeeze. Please unblock.

diff -u openscenegraph-2.4.0/debian/changelog 
openscenegraph-2.4.0/debian/changelog
--- openscenegraph-2.4.0/debian/changelog
+++ openscenegraph-2.4.0/debian/changelog
@@ -1,3 +1,11 @@
+openscenegraph (2.4.0-1.1+lenny1) stable; urgency=high
+
+  * A vulnerability (CVE-2010-0280) was detected in OSG's embedded copy of
+lib3ds. Applying the same patch for lib3ds in Squeeze, since there are
+few chances for lib3ds to get updated in Lenny (Closes: #601181).
+
+ -- Alberto Luaces   Thu, 11 Nov 2010 10:08:03 +0100
+
 openscenegraph (2.4.0-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
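Review bot: `urgency=high` on the new 2.4.0-1.1+lenny1 entry contradicts the guidance earlier in this thread that urgency makes no difference for stable updates; a plain `urgency=low` avoids implying a fast track that proposed-updates does not offer. The version string and the `(Closes: #601181)` reference match what was asked for. Consider also naming the affected file (the 3ds plugin's mesh.cpp) in the entry so it records where the CVE-2010-0280 fix lands.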
diff -u openscenegraph-2.4.0/debian/patches/00list 
openscenegraph-2.4.0/debian/patches/00list
--- openscenegraph-2.4.0/debian/patches/00list
+++ openscenegraph-2.4.0/debian/patches/00list
@@ -3,0 +4 @@
+lib3ds_vulnerability.dpatch
only in patch2:
unchanged:
--- openscenegraph-2.4.0.orig/debian/patches/lib3ds_vulnerability.dpatch
+++ openscenegraph-2.4.0/debian/patches/lib3ds_vulnerability.dpatch
@@ -0,0 +1,24 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## lib3ds_vulnerability.dpatch by  
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+...@dpatch@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' 
'--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' 
openscenegraph-2.4.0~/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp 
openscenegraph-2.4.0/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp
+--- openscenegraph-2.4.0~/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp   
2006-08-21 17:07:31.0 +0200
 openscenegraph-2.4.0/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp
2010-11-11 09:59:08.0 +0100
+@@ -93,8 +93,11 @@
+ faces=lib3ds_word_read(f);
+ for (i=0; ifaces);
+-  strcpy(mesh->faceL[index].material, name);
++  if (indexfaces) {
++strncpy(mesh->faceL[index].material, name, 64);
++  } else {
++// TODO warning
++  }
+ }
+   }
+   break;
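Review bot: the `else` branch introduced at `++  } else {` contains only `// TODO warning`, so a face record whose material index is out of range is silently dropped; emitting a diagnostic there (even a single line to stderr or OSG's notify stream) would make a malformed or hostile .3ds file visible in logs instead of failing quietly. Two further points: `strncpy(mesh->faceL[index].material, name, 64)` writes no terminator when `name` is 64 bytes or longer, so the field can be left unterminated unless a terminator is stored afterwards (or the copy is bounded to the field size minus one); and the dpatch header still reads `## DP: No description.` with an empty author after `by`, which should at least cite CVE-2010-0280 and the lib3ds patch it mirrors. Finally, the comparison operators in `if (indexfaces) {` and `for (i=0; ifaces);` appear to have been lost in the list rendering; confirm the actual patch file carries them.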


Regards,

Alberto


-- 
Archive: http://lists.debian.org/87mxpggqsk@eps142.cdf.udc.es
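As an added illustration, not code from openscenegraph, lib3ds or the patch above, the following C block shows the bounded-write pattern the dpatch applies (check the file-supplied index against the face count, then bound the copy) together with the one caveat a reviewer would raise: `strncpy` with the field length leaves no terminator when the name fills the field, so the copy is followed by an explicit terminator. The `mesh`/`face` structs, the 64-byte `material` field, `MATERIAL_NAME_LEN` and the helper names are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed field size, matching the 64 used in the patch (constructed). */
#define MATERIAL_NAME_LEN 64
#define FACE_COUNT 4

/* Constructed stand-ins for the 3DS face/mesh records: only the material name matters here. */
struct face { char material[MATERIAL_NAME_LEN]; };
struct mesh { unsigned faces; struct face faceL[FACE_COUNT]; };

/* Bounded write: refuse an index past the face count (as the patch does) and
 * bound the copy to the destination size. Unlike a bare strncpy, the last byte
 * is forced to '\0' so an over-long name can never leave the field unterminated.
 * Returns 1 on success, 0 when the index is out of range (caller should warn). */
int set_face_material(struct mesh *m, unsigned index, const char *name)
{
    if (index >= m->faces)
        return 0;                      /* out-of-range index: nothing written */
    strncpy(m->faceL[index].material, name, MATERIAL_NAME_LEN);
    m->faceL[index].material[MATERIAL_NAME_LEN - 1] = '\0';
    return 1;
}

/* Returns 1 if the stored name has a terminator somewhere inside the field. */
int material_is_terminated(const struct mesh *m, unsigned index)
{
    return memchr(m->faceL[index].material, '\0', MATERIAL_NAME_LEN) != NULL;
}

/* Runs three constructed cases and returns how many behaved as expected (3 when all hold). */
int demo(void)
{
    struct mesh m;
    char longname[MATERIAL_NAME_LEN + 10];
    int passed = 0;

    memset(&m, 0xAA, sizeof m);        /* junk fill so a missing terminator would show */
    m.faces = FACE_COUNT;
    memset(longname, 'x', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    /* in-range index, short name: stored intact and terminated */
    if (set_face_material(&m, 1, "brick") && strcmp(m.faceL[1].material, "brick") == 0)
        passed++;
    /* in-range index, over-long name: truncated to 63 characters but still terminated */
    if (set_face_material(&m, 2, longname) && material_is_terminated(&m, 2)
        && strlen(m.faceL[2].material) == MATERIAL_NAME_LEN - 1)
        passed++;
    /* index equal to the face count is one past the array: rejected, nothing written */
    if (!set_face_material(&m, FACE_COUNT, "oob"))
        passed++;
    return passed;
}

int main(void)
{
    int n = demo();
    printf("%d of 3 checks passed\n", n);
    return n == 3 ? 0 : 1;
}
```

The rejected case returns 0 rather than writing, which is where a loader would log the malformed record instead of leaving a silent `TODO` branch; the terminator write is what `strncpy` alone does not give you.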



Bug#729289: Bug#720816: openscenegraph: FTBFS with libav9: FFmpegDecoder.cpp:282:76: error: 'url_feof' was not declared in this scope

2013-11-12 Thread Alberto Luaces
"Rebecca N. Palmer" writes:

> Sorry for not notifying you earlier; given the names on the git
> commits, I thought Alberto was effectively the maintainer and you his
> sponsor. 

Hi, I plan to be the maintainer, but I'm not a DM yet, and so I rely on
the expertise of Manuel in order to make the releases.  He has always
guided me through the technical difficulties that arose in the past.  I
am also subscribed to the bug reports of the package, so you can drop me
from the Cc: as long as you keep the discussion in the bug reports.

> Would you like to set up a maintainer-team mailing list to avoid such
> problems in future?

Indeed, it already exists... but it is hosted on Alioth.

> Are you still looking for help (#392266), and if so with what?
>

This is a past request from Loic, and it stood.  I guess the philosophy
is «the more, the merrier».

[...]

>>> Since the transition requested already mentions libopenscenegraph100,
>>> but 3.2.1 is not released, I think that it's actually more risky (or
>>> prone to more delays) if to tie the current transition to these future
>>> ones of OSG.
> The 99->100 soname bump is 3.2.0rc->3.2.0 not 3.2.0->3.2.1 and appears
> to be a standard OSG release procedure (possibly intended as a "don't
> use pre-releases in production" marker) rather than a real change
> (https://github.com/openscenegraph/osg/commits/OpenSceneGraph-3.2?page=2,
> scroll down to Jul 23), so I wouldn't _expect_ further breakage, but I
> agree it's always possible.  (E.g. building with --as-needed, which
> you do (as recommended), is currently unreliable on ia64: #718047)

I wouldn't either, but it is not written in stone.  That's why I'm not so
keen on uploading an RC again, given the grief that the last one caused.
Maybe we can just patch 3.2.0 and then wait for the 3.2.1, or keep
waiting for 3.2.1, since it should be released soon.

Regards,

Alberto


--
Archive: http://lists.debian.org/8738n1orer@eps142.cdf.udc.es



Bug#729289: Bug#720816: openscenegraph: FTBFS with libav9: FFmpegDecoder.cpp:282:76: error: 'url_feof' was not declared in this scope

2013-11-12 Thread Alberto Luaces
"Rebecca N. Palmer" writes:

>> That's why I'm not so
>> keen on uploading a RC again, given the grief that caused the last one.
>> Maybe we can just patch 3.2.0 and then wait for the 3.2.1,
>
> If you mean real 3.2.0 as opposed to the current 3.2.0rc, that could
> be a good compromise: it has soname 100 (so no need for binNMUs when
> 3.2.1 comes out) and avoids the need to patch libcitygml (as the bug
> in that is that it doesn't understand ~rc version numbers).

Yes, I mean 3.2.0.

-- 
Alberto


-- 
Archive: http://lists.debian.org/87li0tn7me@eps142.cdf.udc.es



Bug#729289: transition: openscenegraph

2014-02-03 Thread Alberto Luaces
Some additional notes:

1. Upstream's trunk (3.3.1) has currently a soname named "111".  From
the logs, it is just a version number bump, but it would make sense to
make sure that the ABI is not broken again.  Several weeks ago I used
abi-compliance-checker on OSG, but it failed to finish the analysis.

2. The transition page
(https://release.debian.org/transitions/html/osg.html) is titled
"libopenscenegraph100", but actually it deals with the "80" to "99"
transition.


-- 
Archive: http://lists.debian.org/87k3dcwmdx@eps142.cdf.udc.es



Bug#756478: transition: openscenegraph

2014-07-30 Thread Alberto Luaces Fernández
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

we are packaging the 3.2.1 stable release of openscenegraph, which is
API-compatible with the current version in Debian, so only binNMUs
should be needed.

Reverse dependencies are:

fgrun
flightgear
libcitygml
osgearth
ossim
qgis
simgear

Can you create a transition for us, please?

Ben file:

title = "openscenegraph";
is_affected = .build-depends ~ /libopenscenegraph-dev|libopenthreads-dev/;
is_good = .depends ~ /libopenscenegraph100|libopenthreads20/;
is_bad = .depends ~ /libopenscenegraph99|libopenthreads14/;

Thank you,

-- 
Alberto

