Bug#1074088: bookworm-pu: package cjson/1.7.15-1+deb12u2
Package: release.debian.org
Control: affects -1 + src:cjson
X-Debbugs-Cc: cj...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
CVE-2024-31755

[ Impact ]
Segmentation violation via the cJSON_SetValuestring function. If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen, which can potentially cause denial of service (DOS).

[ Tests ]
Upstream's tests continue to pass, no new tests were added since this is a trivial change.

[ Risks ]
Minimal risk as the patch is trivial and only changes 1 line to fix this security issue.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* Backport patch to add NULL check to cJSON_SetValuestring (CVE-2024-31755) (Closes: #1071742)

[ Other info ]
Security team have marked it no-dsa.

--
Maytham Alsudany
Debian Maintainer
maytham @ OFTC
maytha8 @ Libera

diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog --- cjson-1.7.15/debian/changelog 2024-04-09 09:30:29.0 +0800 +++ cjson-1.7.15/debian/changelog 2024-06-23 14:27:41.0 +0800 @@ -1,3 +1,11 @@ +cjson (1.7.15-1+deb12u2) bookworm; urgency=medium + + * Non-maintainer upload. + * Backport patch to add NULL check to cJSON_SetValuestring (CVE-2024-31755) +(Closes: #1071742) + + -- Maytham Alsudany Sun, 23 Jun 2024 14:27:41 +0800 + cjson (1.7.15-1+deb12u1) bookworm; urgency=medium * Non-maintainer upload. diff -Nru cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch --- cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch 1970-01-01 08:00:00.0 +0800 +++ cjson-1.7.15/debian/patches/0002-add-null-check-to-cjson-setvaluestring.patch 2024-06-23 14:27:41.0 +0800
@@ -0,0 +1,23 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59 +From: Up-wind +Bug: https://github.com/DaveGamble/cJSON/issues/839 +Bug-Debian: https://bugs.debian.org/1071742 +Acked-by: Maytham Alsudany +Subject: [PATCH] Add NULL check to cJSON_SetValuestring() + If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer + dereference will happen. This patch adds the NULL check of valuestring before + it is dereferenced. + . + Fix for CVE-2024-31755. + +--- a/cJSON.c b/cJSON.c +@@ -406,7 +406,7 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) + return NULL; + } + /* return NULL if the object is corrupted */ +-if (object->valuestring == NULL) ++if (object->valuestring == NULL || valuestring == NULL) + { + return NULL; + } diff -Nru cjson-1.7.15/debian/patches/series cjson-1.7.15/debian/patches/series --- cjson-1.7.15/debian/patches/series 2024-04-09 09:29:47.0 +0800 +++ cjson-1.7.15/debian/patches/series 2024-06-23 14:27:41.0 +0800 @@ -1 +1,2 @@ 0001-add-null-checkings.patch +0002-add-null-check-to-cjson-setvaluestring.patch
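Review bot: In the cJSON.c hunk of 0002-add-null-check-to-cjson-setvaluestring.patch, the comment above the changed condition still reads `/* return NULL if the object is corrupted */`, but the condition now also rejects a NULL `valuestring` argument, which is a caller error rather than object corruption. Update the comment, or test the argument in its own `if`, so the second clause is not mistaken for part of the corruption check. The request states that no new tests were added; a one-line regression test asserting that cJSON_SetValuestring(item, NULL) returns NULL would keep the fix pinned across later backports.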
Bug#1074090: bullseye-pu: package cjson/1.7.14-1+deb11u1
Package: release.debian.org
Control: affects -1 + src:cjson
X-Debbugs-Cc: cj...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
CVE-2023-50472, CVE-2023-50471, CVE-2024-31755

[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
Segmentation violation via the cJSON_SetValuestring function. If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen, which can potentially cause denial of service (DOS).

[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to cover the first two CVEs.

[ Risks ]
Patches are minimal, no change to API.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* Backport patch to add NULL checks to cJSON_SetValuestring and cJSON_InsertItemInArray (CVE-2023-50472, CVE-2023-50471, CVE-2024-31755) (Closes: #1059287, #1071742)

[ Other info ]
Security team have marked these security bugs as no-dsa.

--
Maytham Alsudany
Debian Maintainer
maytham @ OFTC
maytha8 @ Libera

diff -Nru cjson-1.7.14/debian/changelog cjson-1.7.14/debian/changelog --- cjson-1.7.14/debian/changelog 2020-09-06 22:48:14.0 +0800 +++ cjson-1.7.14/debian/changelog 2024-06-23 15:27:49.0 +0800
@@ -1,3 +1,12 @@ +cjson (1.7.14-1+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload. + * Backport patch to add NULL checks to cJSON_SetValuestring and +cJSON_InsertItemInArray (CVE-2023-50472, CVE-2023-50471, CVE-2024-31755) +(Closes: #1059287, #1071742) + + -- Maytham Alsudany Sun, 23 Jun 2024 15:27:49 +0800 + cjson (1.7.14-1) unstable; urgency=medium * New upstream release 1.7.14. diff -Nru cjson-1.7.14/debian/gbp.conf cjson-1.7.14/debian/gbp.conf --- cjson-1.7.14/debian/gbp.conf 1970-01-01 08:00:00.0 +0800 +++ cjson-1.7.14/debian/gbp.conf 2024-06-23 14:56:13.0 +0800 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bullseye diff -Nru cjson-1.7.14/debian/patches/0001-add-null-checkings.patch cjson-1.7.14/debian/patches/0001-add-null-checkings.patch --- cjson-1.7.14/debian/patches/0001-add-null-checkings.patch 1970-01-01 08:00:00.0 +0800 +++ cjson-1.7.14/debian/patches/0001-add-null-checkings.patch 2024-06-23 14:56:05.0 +0800 
@@ -0,0 +1,101 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 +From: Peter Alfred Lee +Bug: https://github.com/DaveGamble/cJSON/issues/803 +Bug: https://github.com/DaveGamble/cJSON/issues/802 +Bug-Debian: https://bugs.debian.org/1059287 +Acked-by: Maytham Alsudany +Subject: [PATCH] add NULL checkings (#809) + * add NULL checks in cJSON_SetValuestring + Fixes #803(CVE-2023-50472) + . + * add NULL check in cJSON_InsertItemInArray + Fixes #802(CVE-2023-50471) + . + * add tests for NULL checks + add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring + +--- a/cJSON.c b/cJSON.c +@@ -397,7 +397,12 @@ + { + char *copy = NULL; + /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ +-if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++{ ++return NULL; ++} ++/* return NULL if the object is corrupted */ ++if (object->valuestring == NULL) + { + return NULL; + } +@@ -2258,7 +2263,7 @@ + { + cJSON *after_inserted = NULL; + +-if (which < 0) ++if (which < 0 || newitem == NULL) + { + return false; + } +@@ -2269,6 +2274,11 @@ + return add_item_to_array(array, newitem); + } + ++if (after_inserted != array->child && newitem->prev == NULL) { ++/* return false if after_inserted is a corrupted array item */ ++return false; ++} ++ + newitem->next = after_inserted; + newitem->prev = after_inserted->prev; + after_inserted->prev = newitem; +--- a/tests/misc_tests.c b/tests/misc_tests.c +@@ -353,6 +353,19 @@ + { + char buffer[10]; + cJSON *item = cJSON_CreateString("item"); ++cJSON *array = cJSON_CreateArray(); ++cJSON *item1 = cJSON_CreateString("item1"); ++cJSON *item2 = cJSON_CreateString("corrupted array item3"); ++cJSON *corruptedString = cJSON_CreateString("corrupted"); ++struct cJSON *originalPrev; ++ ++add_item_to_array(array, item1); 
++add_item_to_array(array, item2); ++ ++originalPrev = item2->prev; ++item2->prev = NULL; ++free(corruptedString->valuestring); ++corruptedString->valuestring = NULL; + + cJSON
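Review bot: The changelog entry and the [ Reason ] field list CVE-2024-31755, but the cJSON_SetValuestring hunk shown in 0001-add-null-checkings.patch only adds checks on `object` and `object->valuestring`; the `valuestring` argument itself is not tested in any line visible here. The debdiff is cut off before debian/patches/series, so confirm that the one-line change `object->valuestring == NULL || valuestring == NULL` (carried for bookworm as the separate 0002 patch) is part of this upload too, and reword the changelog's singular "Backport patch" so it says which patch covers which CVE.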
Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cj...@packages.debian.org
Control: affects -1 + src:cjson

[ Reason ]
CVE-2023-50472, CVE-2023-50471

[ Impact ]
Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c

[ Tests ]
Upstream's tests continue to pass, and they have also added new tests to cover this security issue.

[ Risks ]
Minimal, no change to API. Only minimal changes were made to fix this security issue.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
- Set myself as Maintainer (I am adopting the package, #1067510)
- Bump Standards-Version to 4.6.2
- Add Build-Depends-Package to symbols
- Backport upstream's patch to 'add NULL checkings'. Upstream adds a few more if statements to avoid the segmentation fault, and thus resolve the security vulnerability.

[ Other info ]
If you can spare the time, could you please upload this for me? (I need a sponsor, #1068624.) I'm also still waiting for someone to give me access to the Salsa repo.

Thanks,
Maytham

diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.0 +0300 +++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.0 +0300
@@ -1,3 +1,13 @@ +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium + + * Update Maintainer field + * Bump Standards-Version to 4.6.2 (no changes) + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471) +(Closes: #1059287) + * Add Build-Depends-Package to symbols + + -- Maytham Alsudany Wed, 03 Apr 2024 06:57:10 +0300 + cjson (1.7.15-1) unstable; urgency=medium * New upstream release 1.7.15. diff -Nru cjson-1.7.15/debian/control cjson-1.7.15/debian/control --- cjson-1.7.15/debian/control 2021-08-29 23:29:57.0 +0300 +++ cjson-1.7.15/debian/control 2024-04-03 06:38:29.0 +0300 @@ -1,10 +1,10 @@ Source: cjson Section: libs Priority: optional -Maintainer: Boyuan Yang +Maintainer: Maytham Alsudany Build-Depends: cmake, debhelper-compat (= 13) Rules-Requires-Root: no -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Homepage: https://github.com/DaveGamble/cJSON Vcs-Git: https://salsa.debian.org/debian/cjson.git Vcs-Browser: https://salsa.debian.org/debian/cjson diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf --- cjson-1.7.15/debian/gbp.conf1970-01-01 03:00:00.0 +0300 +++ cjson-1.7.15/debian/gbp.conf2024-04-03 06:56:58.0 +0300 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bookworm diff -Nru cjson-1.7.15/debian/libcjson1.symbols cjson-1.7.15/debian/libcjson1.symbols --- cjson-1.7.15/debian/libcjson1.symbols 2021-08-29 23:28:57.0 +0300 +++ cjson-1.7.15/debian/libcjson1.symbols 2024-04-03 06:57:10.0 +0300 @@ -1,4 +1,5 @@ libcjson.so.1 libcjson1 #MINVER# +* Build-Depends-Package: libcjson-dev cJSON_AddArrayToObject@Base 1.7.5 cJSON_AddBoolToObject@Base 1.7.5 cJSON_AddFalseToObject@Base 1.7.5 diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch --- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 1970-01-01 03:00:00.0 +0300 +++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 2024-04-03 06:51:36.0 +0300 
@@ -0,0 +1,101 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 +From: Peter Alfred Lee +Bug: https://github.com/DaveGamble/cJSON/issues/803 +Bug: https://github.com/DaveGamble/cJSON/issues/802 +Bug-Debian: https://bugs.debian.org/1059287 +Acked-by: Maytham Alsudany +Subject: [PATCH] add NULL checkings (#809) + * add NULL checks in cJSON_SetValuestring + Fixes #803(CVE-2023-50472) + . + * add NULL check in cJSON_InsertItemInArray + Fixes #802(CVE-2023-50471) + . + * add tests for NULL checks + add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring + +--- a/cJSON.c b/cJSON.c +@@ -401,7 +401,12 @@ + { + char *copy = NULL; + /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ +-if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++{ ++return NULL; ++} ++/* return NULL if the object is corrupted */ ++if (object->valuestring == NULL) + { + return NULL; + } +@@ -2260,7 +2265,7 @@ + { + cJSON *after_inserted = NULL; + +-if (which < 0) ++if (which < 0 || newitem == NULL) + { + return false;
Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1
Hi Salvatore,

On Mon, 2024-04-08 at 21:13 +0200, Salvatore Bonaccorso wrote:
> > diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog > > --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.0 +0300 > > +++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.0 +0300 > > @@ -1,3 +1,13 @@ > > +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium
>
> The target distribution should be simply bookworm.

I had already changed that but forgot to update the debdiff :)

> > + > > + * Update Maintainer field > > + * Bump Standards-Version to 4.6.2 (no changes)
>
> This is usually not allowed to do in a stable update.
>
> > + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471) > > +(Closes: #1059287) > > + * Add Build-Depends-Package to symbols
>
> While this might be sensible, I'm not sure if SRM will accept it.
>
> So you might want to adjust already the things above and seek for an
> ack from SRM.

Thank you for your feedback, attached is a revised debdiff.

Kind regards,
Maytham

diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.0 +0300 +++ cjson-1.7.15/debian/changelog 2024-04-09 04:30:29.0 +0300 @@ -1,3 +1,11 @@ +cjson (1.7.15-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471) +(Closes: #1059287) + + -- Maytham Alsudany Tue, 09 Apr 2024 04:30:29 +0300 + cjson (1.7.15-1) unstable; urgency=medium * New upstream release 1.7.15. diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf --- cjson-1.7.15/debian/gbp.conf 1970-01-01 03:00:00.0 +0300 +++ cjson-1.7.15/debian/gbp.conf 2024-04-09 04:29:47.0 +0300
@@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bookworm diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch --- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 1970-01-01 03:00:00.0 +0300 +++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 2024-04-09 04:29:47.0 +0300 
@@ -0,0 +1,101 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 +From: Peter Alfred Lee +Bug: https://github.com/DaveGamble/cJSON/issues/803 +Bug: https://github.com/DaveGamble/cJSON/issues/802 +Bug-Debian: https://bugs.debian.org/1059287 +Acked-by: Maytham Alsudany +Subject: [PATCH] add NULL checkings (#809) + * add NULL checks in cJSON_SetValuestring + Fixes #803(CVE-2023-50472) + . + * add NULL check in cJSON_InsertItemInArray + Fixes #802(CVE-2023-50471) + . + * add tests for NULL checks + add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring + +--- a/cJSON.c b/cJSON.c +@@ -401,7 +401,12 @@ + { + char *copy = NULL; + /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ +-if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++{ ++return NULL; ++} ++/* return NULL if the object is corrupted */ ++if (object->valuestring == NULL) + { + return NULL; + } +@@ -2260,7 +2265,7 @@ + { + cJSON *after_inserted = NULL; + +-if (which < 0) ++if (which < 0 || newitem == NULL) + { + return false; + } +@@ -2271,6 +2276,11 @@ + return add_item_to_array(array, newitem); + } + ++if (after_inserted != array->child && newitem->prev == NULL) { ++/* return false if after_inserted is a corrupted array item */ ++return false; ++} ++ + newitem->next = after_inserted; + newitem->prev = after_inserted->prev; + after_inserted->prev = newitem; +--- a/tests/misc_tests.c b/tests/misc_tests.c +@@ -353,6 +353,19 @@ + { + char buffer[10]; + cJSON *item = cJSON_CreateString("item"); ++cJSON *array = cJSON_CreateArray(); ++cJSON *item1 = cJSON_CreateString("item1"); ++cJSON *item2 = cJSON_CreateString("corrupted array item3"); ++cJSON *corruptedString = cJSON_CreateString("corrupted"); ++struct cJSON *originalPrev; ++ ++add_item_to_array(array, item1); 
++add_item_to_array(array, item2); ++ ++originalPrev = item2->prev; ++item2->prev = NULL; ++free(corruptedString->valuestring); ++corruptedString->valuestring = NULL; + + cJSON_InitHooks(NULL); + TEST_ASSERT_NULL(cJSON_Parse(NULL)); +@@ -412,6 +425,8 @@ + cJSON_DeleteItemFromObject(item, NULL); + cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item"); + c
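Review bot: In the second cJSON_InsertItemInArray hunk of 0001-add-null-checkings.patch, the new guard tests `newitem->prev == NULL`, while its own comment says it rejects a corrupted `after_inserted` and the statements right after it use `after_inserted->prev`. As written, the pointer the comment talks about is never examined; the condition should read `after_inserted != array->child && after_inserted->prev == NULL`. The added test corrupts `item2->prev` on an element that is already in the array, which is the `after_inserted` case, so it is worth checking that the test actually fails when the guard is taken out.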
Re: Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1
Ping!

Could someone please have a look at and approve the bookworm-pu for cjson?

The debdiff was changed a while back, and it is attached in this mail.

Kind regards,
Maytham

On Mon, 2024-04-08 at 12:27 +0300, Maytham Alsudany wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: cj...@packages.debian.org
> Control: affects -1 + src:cjson
>
> [ Reason ]
> CVE-2023-50472, CVE-2023-50471
>
> [ Impact ]
> Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
>
> [ Tests ]
> Upstream's tests continue to pass, and they have also added new tests to
> cover this security issue.
>
> [ Risks ]
> Minimal, no change to API. Only minimal changes were made to fix this
> security issue.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> - Set myself as Maintainer (I am adopting the package, #1067510)
> - Bump Standards-Version to 4.6.2
> - Add Build-Depends-Package to symbols
> - Backport upstream's patch to 'add NULL checkings'.
> Upstream adds a few more if statements to avoid the segmentation
> fault, and thus resolve the security vulnerability.
>
> [ Other info ]
> If you can spare the time, could you please upload this for me? (I need
> a sponsor, #1068624.) I'm also still waiting for someone to give me
> access to the Salsa repo.
>
> Thanks,
> Maytham

diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.0 +0300 +++ cjson-1.7.15/debian/changelog 2024-04-09 04:30:29.0 +0300
@@ -1,3 +1,11 @@ +cjson (1.7.15-1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471) +(Closes: #1059287) + + -- Maytham Alsudany Tue, 09 Apr 2024 04:30:29 +0300 + cjson (1.7.15-1) unstable; urgency=medium * New upstream release 1.7.15. diff -Nru cjson-1.7.15/debian/gbp.conf cjson-1.7.15/debian/gbp.conf --- cjson-1.7.15/debian/gbp.conf 1970-01-01 03:00:00.0 +0300 +++ cjson-1.7.15/debian/gbp.conf 2024-04-09 04:29:47.0 +0300 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bookworm diff -Nru cjson-1.7.15/debian/patches/0001-add-null-checkings.patch cjson-1.7.15/debian/patches/0001-add-null-checkings.patch --- cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 1970-01-01 03:00:00.0 +0300 +++ cjson-1.7.15/debian/patches/0001-add-null-checkings.patch 2024-04-09 04:29:47.0 +0300 
@@ -0,0 +1,101 @@ +Origin: backport, https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 +From: Peter Alfred Lee +Bug: https://github.com/DaveGamble/cJSON/issues/803 +Bug: https://github.com/DaveGamble/cJSON/issues/802 +Bug-Debian: https://bugs.debian.org/1059287 +Acked-by: Maytham Alsudany +Subject: [PATCH] add NULL checkings (#809) + * add NULL checks in cJSON_SetValuestring + Fixes #803(CVE-2023-50472) + . + * add NULL check in cJSON_InsertItemInArray + Fixes #802(CVE-2023-50471) + . + * add tests for NULL checks + add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring + +--- a/cJSON.c b/cJSON.c +@@ -401,7 +401,12 @@ + { + char *copy = NULL; + /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ +-if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference)) ++{ ++return NULL; ++} ++/* return NULL if the object is corrupted */ ++if (object->valuestring == NULL) + { + return NULL; + } +@@ -2260,7 +2265,7 @@ + { + cJSON *after_inserted = NULL; + +-if (which < 0) ++if (which < 0 || newitem == NULL) + { + return false; + } +@@ -2271,6 +2276,11 @@ + return add_item_to_array(array, newitem); + } + ++if (after_inserted != array->child && newitem->prev == NULL) { ++/* return false if after_inserted is a corrupted array item */ ++return false; ++} ++ + newitem->next = after_inserted; + newitem->prev = after_inserted->prev; + after_inserted->prev = newitem; +--- a/tests/misc_tests.c b/tests/misc_tests.c +@@ -353,6 +353,19 @@ + { + char buffer[10]; + cJSON *item = cJSON_CreateString("item"); ++cJSON *array = cJSON_CreateArray(); ++cJSON *item1 = cJSON_CreateString("item1"); ++cJSON *item2 = cJSON_CreateString("corrupted a
Bug#1100960: bookworm-pu: package lintian/2.116.3+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lint...@packages.debian.org, po...@debian.org
Control: affects -1 + src:lintian

[ Reason ]
Fix for #1051140; make lintian in bookworm know about bookworm.

[ Impact ]
Maintainers uploading to bookworm and bookworm-backports continuously getting false warnings from lintian in bookworm.

[ Tests ]
Lintian test suite passes. See autopkgtest job at https://salsa.debian.org/lintian/lintian/-/pipelines/835870

[ Risks ]
Trivial change.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Adds bookworm to the list of known distributions.

[ Other info ]
N/A.

diff -Nru lintian-2.116.3/data/changes-file/known-dists lintian-2.116.3+deb12u1/data/changes-file/known-dists --- lintian-2.116.3/data/changes-file/known-dists 2019-07-10 23:54:56.0 +0800 +++ lintian-2.116.3+deb12u1/data/changes-file/known-dists 2024-06-17
19:43:58.0 +0800 @@ -11,6 +11,7 @@ stretch buster bullseye +bookworm sid # Aliases diff -Nru lintian-2.116.3/debian/changelog lintian-2.116.3+deb12u1/debian/changelog --- lintian-2.116.3/debian/changelog2023-02-05 16:10:20.0 +0800 +++ lintian-2.116.3+deb12u1/debian/changelog2024-06-17 19:43:58.0 +0800 @@ -1,3 +1,10 @@ +lintian (2.116.3+deb12u1) UNRELEASED; urgency=medium + + * Team upload. + * data/changes-file/known-dists: Add bookworm (Closes: #1051140) + + -- Maytham Alsudany Mon, 17 Jun 2024 19:43:58 +0800 + lintian (2.116.3) unstable; urgency=medium The "FFP3 (Fixing False Positives, Three Small Changes)" Release.
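Review bot: The debian/changelog hunk leaves the distribution as `UNRELEASED`, although the request is tagged bookworm and is meant for a stable point release. Set the header to `lintian (2.116.3+deb12u1) bookworm; urgency=medium` before building the upload, so the debdiff the Release Team acks matches what is uploaded.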
Bug#1100960: bookworm-pu: package lintian/2.116.3+deb12u1
On Mon, 2025-07-07 at 01:20 +0300, Adrian Bunk wrote:
> I'd like to suggest a slightly larger update with two changes instead:
>
>
> * data/changes-file/known-dists: Add releases bookworm to duke.
> (Closes: #1051140)
>
> All releases up to what is in trixie:
> https://salsa.debian.org/lintian/lintian/-/commit/d16a8f67ba842b8c395d2e983b2a7560a5866856
>
> E.g. running bookworm lintian on trixie-pu updates will not emit this
> tag now.
>
>
> * Don't emit source-nmu-has-incorrect-version-number for stable updates.
> (Closes: #1022759)
>
> That's two commits, changing Nmu.pm to its version in trixie:
> https://salsa.debian.org/lintian/lintian/-/commit/79d146acb7b4784cea4e7cd705de9f9854e98bd6
> https://salsa.debian.org/lintian/lintian/-/commit/809dd16a279e43cc351c2831f6456f519cf3f810

Revised debdiff (attached) needs to be acked by Release Team.

Thanks,
Maytham

diff -Nru lintian-2.116.3/data/changes-file/known-dists lintian-2.116.3+deb12u1/data/changes-file/known-dists --- lintian-2.116.3/data/changes-file/known-dists 2019-07-10 23:54:56.0 +0800 +++ lintian-2.116.3+deb12u1/data/changes-file/known-dists 2025-07-18 20:02:34.0 +0800 @@ -11,6 +11,10 @@ stretch buster bullseye +bookworm +trixie +forky +duke sid # Aliases diff -Nru lintian-2.116.3/debian/changelog lintian-2.116.3+deb12u1/debian/changelog --- lintian-2.116.3/debian/changelog 2023-02-05 16:10:20.0 +0800 +++ lintian-2.116.3+deb12u1/debian/changelog 2025-07-18 20:03:34.0 +0800
@@ -1,3 +1,19 @@ +lintian (2.116.3+deb12u1) UNRELEASED; urgency=medium + + * Team upload. + + [ Maytham Alsudany ] + * data/changes-file/known-dists: Add bookworm, trixie, forky, duke (Closes: #1051140) + + [ Emilio Pozuelo Monfort ] + * Don't emit source-nmu-has-incorrect-version-number for stable updates +(Closes: #1022759) + + [ Adrian Bunk ] + * source-nmu-has-incorrect-version-number: Fix false positive for +deb*u* versions + + -- Maytham Alsudany Fri, 18 Jul 2025 20:03:34 +0800 + lintian (2.116.3) unstable; urgency=medium The "FFP3 (Fixing False Positives, Three Small Changes)" Release. diff -Nru lintian-2.116.3/lib/Lintian/Check/Nmu.pm lintian-2.116.3+deb12u1/lib/Lintian/Check/Nmu.pm --- lintian-2.116.3/lib/Lintian/Check/Nmu.pm 2022-07-02 21:47:11.0 +0800 +++ lintian-2.116.3+deb12u1/lib/Lintian/Check/Nmu.pm 2025-07-18 20:01:21.0 +0800 @@ -102,6 +102,7 @@ my $version_nmuness = 0; my $version_local = 0; my $upload_is_backport = $version =~ m/~bpo(\d+)\+(\d+)$/; +my $upload_is_stable_update = $version =~ m/[~|\+]deb(\d+)u(\d+)$/; if ($version =~ /-[^.-]+(\.[^.-]+)?(\.[^.-]+)?$/) { $version_nmuness = 1 if defined $1; @@ -158,6 +159,7 @@ $pointer, $version) if $upload_is_nmu && $version_nmuness != 1 + && !$upload_is_stable_update && !$upload_is_backport; }
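Review bot: In the first Nmu.pm hunk, the character class in `m/[~|\+]deb(\d+)u(\d+)$/` contains a literal `|`; inside brackets it is not alternation, so the pattern also accepts a version ending in `|deb12u1`. That cannot occur in a valid Debian version, but it misstates the intent: `[~+]` expresses "tilde or plus" and needs no escaping. The two capture groups are never read, so plain `\d+` would do. Separately, the changelog hunk still carries `UNRELEASED` as the distribution.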
Bug#1110315: unblock: miniflux/2.2.6-2
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: minif...@packages.debian.org
Control: affects -1 + src:miniflux
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package miniflux

[ Reason ]
Debconf translation updates for Portuguese and Catalan.

[ Impact ]
N/A

[ Tests ]
N/A

[ Risks ]
Translation update doesn't affect package functionality.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
N/A

unblock miniflux/2.2.6-2

diff -Nru miniflux-2.2.6/debian/changelog miniflux-2.2.6/debian/changelog --- miniflux-2.2.6/debian/changelog 2025-02-25 08:13:05.0 +0800 +++ miniflux-2.2.6/debian/changelog 2025-08-03 14:43:41.0 +0800
@@ -1,3 +1,13 @@ +miniflux (2.2.6-2) unstable; urgency=medium + + [ Maytham Alsudany ] + * Add debconf template translation for Portuguese (Closes: #1101151) + + [ Carles Pina i Estany ] + * Add debconf template translation for Catalan (Closes: #1106016) + + -- Maytham Alsudany Sun, 03 Aug 2025 14:43:41 +0800 + miniflux (2.2.6-1) unstable; urgency=medium * New upstream version 2.2.6 diff -Nru miniflux-2.2.6/debian/po/ca.po miniflux-2.2.6/debian/po/ca.po --- miniflux-2.2.6/debian/po/ca.po 1970-01-01 08:00:00.0 +0800 +++ miniflux-2.2.6/debian/po/ca.po 2025-08-03 14:43:21.0 +0800 
@@ -0,0 +1,59 @@ +# Translation of miniflux debconf templates to Catalan. +# This file is distributed under the same license as the miniflux package. +# poc senderi , 2025. +# +msgid "" +msgstr "" +"Project-Id-Version: miniflux\n" +"Report-Msgid-Bugs-To: minif...@packages.debian.org\n" +"POT-Creation-Date: 2024-03-23 15:28+0800\n" +"PO-Revision-Date: 2025-04-02 23:47+0200\n" +"Last-Translator: poc senderi \n" +"Language-Team: Catalan \n" +"Language: ca\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Poedit 2.4.2\n" + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "Would you like to create an admin account?" +msgstr "Voleu crear un compte d'administrador?" + +#. Type: boolean +#. Description +#: ../templates:1001 +msgid "" +"By default, miniflux comes with no user accounts. You can choose to create " +"an administrator account for miniflux here, or do it manually afterwards " +"(see /usr/share/doc/miniflux/README.Debian)." +msgstr "" +"Per defecte, el «miniflux» ve sense comptes d'usuari. Podeu crear un compte " +"d'administrador per al «miniflux» aquí, o fer-ho manualment després (vegeu " +"«/usr/share/doc/miniflux/README.Debian»)." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Username:" +msgstr "Nom d'usuari:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Username for the new admin account on miniflux." +msgstr "Nom d'usuari per al nou compte d'administrador del «miniflux»." + +#. Type: password +#. Description +#: ../templates:3001 +msgid "Password:" +msgstr "Contrasenya:" + +#. Type: password +#. Description +#: ../templates:3001 +msgid "Password for the new admin account on miniflux." +msgstr "Contrasenya per al nou compte d'administrador del «miniflux»." 
diff -Nru miniflux-2.2.6/debian/po/pt.po miniflux-2.2.6/debian/po/pt.po --- miniflux-2.2.6/debian/po/pt.po 1970-01-01 08:00:00.0 +0800 +++ miniflux-2.2.6/debian/po/pt.po 2025-08-03 14:43:21.0 +0800 @@ -0,0 +1,60 @@ +# Translation of miniflux debconf templates to European Portuguese. +# This file is distributed under the same license as the miniflux package. +# Américo Monteiro , 2025. +# +msgid "" +msgstr "" +"
Bug#1110319: unblock: redict/7.3.5+ds-1
Package: release.debian.org Severity: normal X-Debbugs-Cc: red...@packages.debian.org Control: affects -1 + src:redict User: release.debian@packages.debian.org Usertags: unblock -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Please unblock package redict [ Reason ] RC bugs: * Fix CVE-2025-21605 (Closes: #1104011) * Fix CVE-2025-48367 (Closes: #1108980) * Fix CVE-2025-32023 (Closes: #1108977) * Fix CVE-2025-27151 (Closes: #1106823) and an important bug: * Fix CVE-2025-49112 (Closes: #1107212) [ Impact ] Redict won't be in Trixie. [ Tests ] Upstream's tests are extensive and continue to pass. [ Risks ] Leaf package. Same/similar fixes are already applied for redis and valkey packages. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] debdiff might be hard to digest because it contains a new upstream version; summary included below. Upstream only publishes security fixes, there are no new features that could potentially break anything. 
Upstream changes: ( https://codeberg.org/redict/redict/compare/7.3.2...7.3.5 )
* d73a7eac9b Limiting output buffer for unauthenticated client (CVE-2025-21605)
* b75220c7e1 tests: Fix redict test command
* f7cd2acc2a Retry accept(2) on transient errors (CVE-2025-48367)
* 682ea40774 Fix CVE-2025-32023
* and various version number bumps

Debian changes:
* Patch to fix CVE-2025-27151 https://salsa.debian.org/redict-team/redict/-/blob/debian/7.3.5+ds-1/debian/patches/0006-CVE-2025-27151.patch
* Patch to fix CVE-2025-49112 https://salsa.debian.org/redict-team/redict/-/blob/debian/7.3.5+ds-1/debian/patches/0007-CVE-2025-49112.patch

unblock redict/7.3.5+ds-1

diff -Nru redict-7.3.2+ds/debian/changelog redict-7.3.5+ds/debian/changelog --- redict-7.3.2+ds/debian/changelog2025-01-08 21:10:54.0 +0800 +++ redict-7.3.5+ds/debian/changelog2025-08-03 14:22:26.0 +0800 
@@ -1,3 +1,14 @@ +redict (7.3.5+ds-1) unstable; urgency=medium + + * New upstream version 7.3.5 +* Contains fix for CVE-2025-21605 (Closes: #1104011) +* Contains fix for CVE-2025-48367 (Closes: #1108980) +* Contains fix for CVE-2025-32023 (Closes: #1108977) + * Add patch to fix CVE-2025-27151 (Closes: #1106823) + * Add patch to fix CVE-2025-49112 (Closes: #1107212) + + -- Maytham Alsudany Sun, 03 Aug 2025 14:22:26 +0800 + redict (7.3.2+ds-1) unstable; urgency=medium * New upstream version 7.3.2 diff -Nru redict-7.3.2+ds/debian/gbp.conf redict-7.3.5+ds/debian/gbp.conf --- redict-7.3.2+ds/debian/gbp.conf 2024-10-13 08:27:29.0 +0800 +++ redict-7.3.5+ds/debian/gbp.conf 2025-08-03 14:18:23.0 +0800 @@ -1,3 +1,4 @@ [DEFAULT] debian-branch=debian/latest upstream-branch=upstream +ignore-branch=True diff -Nru redict-7.3.2+ds/debian/patches/0006-CVE-2025-27151.patch redict-7.3.5+ds/debian/patches/0006-CVE-2025-27151.patch --- redict-7.3.2+ds/debian/patches/0006-CVE-2025-27151.patch1970-01-01 08:00:00.0 +0800 +++ redict-7.3.5+ds/debian/patches/0006-CVE-2025-27151.patch2025-08-03 14:22:26.0 +0800 @@ -0,0 +1,26 @@ +From: YaacovHazan +From: fossdd +Acked-by: Maytham Alsudany +Subject: [PATCH] Check length of AOF file name in redict-check-aof (CVE-2025-27151) +Applied-Upstream: https://codeberg.org/redict/redict/commit/40aa98db1d6601d30154ff078705dcfe1c4c7708 +Bug-Debian: https://bugs.debian.org/1106823 + +Adapted from https://github.com/redis/redis/commit/643b5db235cb82508e72f11c7b4bbfc7dc39be56 + +Ensure that the length of the input file name does not exceed PATH_MAX + +--- a/src/redict-check-aof.c b/src/redict-check-aof.c +@@ -534,6 +534,12 @@ int redict_check_aof_main(int argc, char **argv) { + goto invalid_args; + } + ++/* Check if filepath is longer than PATH_MAX */ ++if (strlen(filepath) > PATH_MAX) { ++printf("Error: filepath is too long (exceeds PATH_MAX)\n"); ++goto invalid_args; ++} ++ + /* In the glibc implementation dirname may modify their argument. */ +
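Review bot: The debian/gbp.conf hunk adds `ignore-branch=True`, but the new 7.3.5+ds-1 changelog entry lists only the new upstream version and the two CVE patches, while the request's checklist ticks "all changes are documented in the d/changelog". Either add a changelog line for the gbp.conf change or mention it under [ Other info ], so the release team does not have to discover it in the debdiff.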
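Review bot: In the src/redict-check-aof.c hunk of 0006-CVE-2025-27151.patch, the test `strlen(filepath) > PATH_MAX` still accepts a name of exactly PATH_MAX bytes, which needs PATH_MAX + 1 bytes once the terminating NUL is counted. The buffer that receives the copy before dirname() is not visible in this hunk, so please confirm it is declared with at least PATH_MAX + 1 bytes; if it is only PATH_MAX, the comparison should be `>=`. A short comment next to the check stating which buffer it protects would make the bound reviewable from the patch alone.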
Bug#1110005: unblock: quickemu/4.9.7-3
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: quick...@packages.debian.org
Control: affects -1 + src:quickemu
User: release.debian@packages.debian.org
Usertags: unblock

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Please unblock package quickemu

[ Reason ]
Contains backported fix for #1105178

[ Impact ]
quickemu cannot be used at all with the version of QEMU currently in Trixie.

[ Tests ]
N/A

[ Risks ]
Trivial change, already applied upstream: https://github.com/quickemu-project/quickemu/pull/1640

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
N/A

unblock quickemu/4.9.7-3

diff -Nru quickemu-4.9.7/debian/changelog quickemu-4.9.7/debian/changelog --- quickemu-4.9.7/debian/changelog 2025-03-02 11:59:45.0 +0800 +++ quickemu-4.9.7/debian/changelog 2025-07-28 08:40:03.0 +0800 
@@ -1,3 +1,9 @@ +quickemu (4.9.7-3) unstable; urgency=medium + + * Backport patch to fix fetching QEMU version (Closes: #1105178) + + -- Maytham Alsudany Mon, 28 Jul 2025 08:40:03 +0800 + quickemu (4.9.7-2) unstable; urgency=medium * Depend: swtpm instead of libtss2-tcti-swtpm0 (Closes: #1076281) diff -Nru quickemu-4.9.7/debian/patches/0001-qemu-version.patch quickemu-4.9.7/debian/patches/0001-qemu-version.patch --- quickemu-4.9.7/debian/patches/0001-qemu-version.patch 1970-01-01 08:00:00.0 +0800 +++ quickemu-4.9.7/debian/patches/0001-qemu-version.patch 2025-07-28 08:39:13.0 +0800 @@ -0,0 +1,17 @@ +From: spameier <40004508+spame...@users.noreply.github.com> +Subject: [PATCH] fix(quickemu): correctly handle version 10.0.0 of QEMU +Forwarded: https://github.com/quickemu-project/quickemu/issues/1637 +Applied-Upstream: https://github.com/quickemu-project/quickemu/commit/8fad1b9370bf4f825614fa161a41e5e5815665f8 + +--- a/quickemu b/quickemu +@@ -1938,7 +1938,8 @@ + fi + + QEMU_VER_LONG=$(${QEMU_IMG} --version | head -n 1 | awk '{print $3}') +-QEMU_VER_SHORT=$(echo "${QEMU_VER_LONG//./}" | cut -c1-2) ++# strip patch version and remove dots. 6.0.0 => 60 / 10.0.0 => 100 ++QEMU_VER_SHORT=$(echo "${QEMU_VER_LONG%.*}" | sed 's/\.//g') + if [ "${QEMU_VER_SHORT}" -lt 60 ]; then + echo "ERROR! QEMU 6.0.0 or newer is required, detected ${QEMU_VER_LONG}." + exit 1 diff -Nru quickemu-4.9.7/debian/patches/series quickemu-4.9.7/debian/patches/series --- quickemu-4.9.7/debian/patches/series1970-01-01 08:00:00.0 +0800 +++ quickemu-4.9.7/debian/patches/series2025-07-28 08:39:01.0 +0800 @@ -0,0 +1 @@ +0001-qemu-version.patch
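Review bot: In the quickemu hunk of 0001-qemu-version.patch, the new `QEMU_VER_SHORT` concatenates major and minor without padding, so the number no longer orders like the version: a two-digit minor such as 2.10.x becomes 210 and passes the `-lt 60` gate, where the old `cut -c1-2` form produced 21 and was rejected. For this minimum-version check, comparing the major component on its own, for example `${QEMU_VER_LONG%%.*}` against 6, handles 10.0.0 and avoids the ordering problem.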
Bug#1110005: unblock: quickemu/4.9.7-4
Control: retitle -1 unblock: quickemu/4.9.7-4

I've made a new upload with another fix, see revised debdiff attached.

On Mon, 2025-07-28 at 09:48 +0800, Maytham Alsudany wrote:
> Please unblock package quickemu
>
> [ Reason ]
> Contains backported fix for #1105178

And now also contains a fix for #1109330

> [ Impact ]
> quickemu cannot be used at all with the version of QEMU currently in
> Trixie.

And some dependencies are missing meaning some things don't work out-of-the-box.

> [ Tests ]
> N/A
>
> [ Risks ]
> Trivial change, already applied upstream:
> https://github.com/quickemu-project/quickemu/pull/1640

Added dependencies also trivial.

> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> N/A

-- Maytham

diff -Nru quickemu-4.9.7/debian/changelog quickemu-4.9.7/debian/changelog --- quickemu-4.9.7/debian/changelog 2025-03-02 11:59:45.0 +0800 +++ quickemu-4.9.7/debian/changelog 2025-07-28 09:53:59.0 +0800 @@ -1,3 +1,15 @@ +quickemu (4.9.7-4) unstable; urgency=medium + + * Add missing curl and uuid-runtime dependencies (Closes: #1109330) + + -- Maytham Alsudany Mon, 28 Jul 2025 09:53:59 +0800 + +quickemu (4.9.7-3) unstable; urgency=medium + + * Backport patch to fix fetching QEMU version (Closes: #1105178) + + -- Maytham Alsudany Mon, 28 Jul 2025 08:40:03 +0800 + quickemu (4.9.7-2) unstable; urgency=medium * Depend: swtpm instead of libtss2-tcti-swtpm0 (Closes: #1076281) diff -Nru quickemu-4.9.7/debian/control quickemu-4.9.7/debian/control --- quickemu-4.9.7/debian/control 2025-03-02 11:59:41.0 +0800 +++ quickemu-4.9.7/debian/control 2025-07-28 09:53:29.0 +0800 @@ -16,6 +16,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, + curl, genisoimage, jq, procps, 
@@ -26,6 +27,7 @@ swtpm, unzip, usbutils, + uuid-runtime, wget, xdg-user-dirs, zsync, diff -Nru quickemu-4.9.7/debian/patches/0001-qemu-version.patch quickemu-4.9.7/debian/patches/0001-qemu-version.patch --- quickemu-4.9.7/debian/patches/0001-qemu-version.patch 1970-01-01 08:00:00.0 +0800 +++ quickemu-4.9.7/debian/patches/0001-qemu-version.patch 2025-07-28 08:39:13.0 +0800 @@ -0,0 +1,17 @@ +From: spameier <40004508+spame...@users.noreply.github.com> +Subject: [PATCH] fix(quickemu): correctly handle version 10.0.0 of QEMU +Forwarded: https://github.com/quickemu-project/quickemu/issues/1637 +Applied-Upstream: https://github.com/quickemu-project/quickemu/commit/8fad1b9370bf4f825614fa161a41e5e5815665f8 + +--- a/quickemu b/quickemu +@@ -1938,7 +1938,8 @@ + fi + + QEMU_VER_LONG=$(${QEMU_IMG} --version | head -n 1 | awk '{print $3}') +-QEMU_VER_SHORT=$(echo "${QEMU_VER_LONG//./}" | cut -c1-2) ++# strip patch version and remove dots. 6.0.0 => 60 / 10.0.0 => 100 ++QEMU_VER_SHORT=$(echo "${QEMU_VER_LONG%.*}" | sed 's/\.//g') + if [ "${QEMU_VER_SHORT}" -lt 60 ]; then + echo "ERROR! QEMU 6.0.0 or newer is required, detected ${QEMU_VER_LONG}." + exit 1 diff -Nru quickemu-4.9.7/debian/patches/series quickemu-4.9.7/debian/patches/series --- quickemu-4.9.7/debian/patches/series 1970-01-01 08:00:00.0 +0800 +++ quickemu-4.9.7/debian/patches/series 2025-07-28 08:39:01.0 +0800 @@ -0,0 +1 @@ +0001-qemu-version.patch
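Review bot: In the quickemu hunk of 0001-qemu-version.patch as carried in this revised debdiff, `QEMU_VER_SHORT` is passed to `[ ... -lt 60 ]` without any check that it is a number. If `${QEMU_IMG} --version` prints nothing, or its third field is not a dotted version, the test fails with "integer expression expected", the `if` evaluates as false, and the script continues past the version gate instead of stopping. A guard before the comparison that rejects an empty or non-digit value with its own error message would make that failure explicit.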