a reasonable
assumption, as it looks like the patches are tracked in git. For the
purposes of fixing this in squeeze it doesn't actually have any impact
anyway.
--
Brian May
Brian May writes:
> The version for testing is available here:
>
> https://linuxpenguins.xyz/debian/pool/main/g/gajim/
Just noticed this version has some quilt files in the source which are
not applicable because gajim doesn't use quilt format. Ignore them, I
will fix this befor
ibm.so.6?
(squeeze-amd64-default)root@prune:/tmp/eglibc-2.11.3# objdump -T /lib/libm.so.6 | grep __strtod_nan
DF *UND* GLIBC_2.2.5 __strtod_nan
Not sure I can see the problem. Maybe something wrong with Matus'
libm.so.6?
--
Brian May
Brian May writes:
> Which package owns /lib/i686/cmov/libm.so.6?
I am not able to find this file in any package on my chroot.
--
Brian May
UND* GLIBC_2.0 __strtod_nan
That doesn't look healthy to me.
--
Brian May
Brian May writes:
> That doesn't look healthy to me.
Spoke too soon.
(squeeze-i386-default)root@prune:/home/brian# objdump -T /lib/libc.so.6 | grep __strtod_nan
0003b180 gDF .text 00b5 GLIBC_2.0 __strtod_nan
On i386, looks like GLIBC_2.0 is correct, and as such it should
actually be loading the new symbol.
--
Brian May
0072 if I persisted, not sure I
would necessarily be able to trust the results.
So I am inclined to apply the 0071 patch to the version in squeeze, and
then mark TEMP-0811308-B63DA1 as resolved. Or should I do something else
like create separate entries for each issue or something?
--
Brian May
rning imagemagick have
been marked no-DSA for wheezy and jessie.
What would you advise for these issues?
Also I note that a number of security issues fixed in squeeze-lts don't
have assigned CVEs - is this something that needs rectifying?
Brian May writes:
> Just been looking
Sébastien Delafond writes:
> - imagemagick in squeeze appears to only be vulnerable
> TEMP-0811308-B63DA1[0].
This is five separate issues. See #811308. So does it make sense to ask
for a separate CVE for each issue?
--
Brian May
bian.org/msgid-search/20160208082335.ga10...@fantomas.sk
I don't think there was a bug report filed in the BTS.
The previous upload was announced here:
https://lists.debian.org/msgid-search/20160205162120.GA20334@novelo
--
Brian May
y breakage other than with already running
processes. Especially as squeeze-lts support will be ending soon.
--
Brian May
have had to restart
all processes anyway.
--
Brian May
Brian May writes:
> This is five separate issues. See #811308. So does it make sense to ask
> for a separate CVE for each issue?
Requests for CVEs aren't getting any response. Might have to deal
without.
http://www.openwall.com/lists/oss-security/2016/02/22/4
--
Brian May
oing a full restart, it still crashes in the
same manner?
--
Brian May
at the changes made between the squeeze
version (3.1.6-1.2+squeeze3) and squeeze-lts version
(3.1.6-1.2+squeeze6) however nothing seems to touch either forward.cc or
the server_fd global variable.
Seems to be crashing when trying to close a connection.
--
Brian May
Brian May writes:
> What version did you upgrade from?
>
> Does this crash happen immediately after restart, or in response to in
> incoming request?
>
> Can I assume that after doing a full restart, it still crashes in the
> same manner?
Just realized I should have also a
* Revert CVE-2016-2569 patch. This fix heavily relies on exception
handling of more recent squid versions, and more intrusive changes.
Closes: #816601
--
Brian May
Brian May writes:
> I will also make debs available for testing.
Available now at: https://people.debian.org/~bam/wheezy/imagemagick/
--
Brian May
asy way of being able to link each issue to each
patch. So if a CVE was provided for each issue, it would be relatively
hard to link it to the appropriate patch with 100% certainty.
With so many different issues, I suspect it is going to be overwhelming
requesting a CVE for each issue no matter what you do.
--
Brian May
good if it does get resolved.
--
Brian May
Luciano Bello writes:
> On Sunday 06 March 2016 16.34.26 Brian May wrote:
>> The following patch applied to the imagemagick in Debian wheezy should
>> fix the security problem already resolved in squeeze. The patches have
>> been ported from the squeeze version.
>
> Th
bols files for the C ABIs, only the C++ ABI
-- Simon McVittie Wed, 12 Aug 2015 07:50:55 +0100
--
Brian May
Brian May writes:
> However, it looks like version -5.1 (see below) has some non-security
> related changes that might not be appropriate for Jessie, so not yet
> decided. I will investigate further and report here.
Here is my attempt at a Jessie security update. It takes all secur
Brian May writes:
>> However, it looks like version -5.1 (see below) has some non-security
>> related changes that might not be appropriate for Jessie, so not yet
>> decided. I will investigate further and report here.
>
> Here is my attempt at a Jessie security updat
ne atomic operation or do we
have to do them one at a time? The latter could be potentially risky and
break things if both versions end up being included in the one
application, especially if versioned symbols are not used (I haven't
checked).
--
Brian May
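The two checks in this thread, `objdump -T ... | grep __strtod_nan` to see which version node a library exports or references a symbol at, and the worry above that two versions of a library in one process collide when exports are unversioned, are both just questions about the dynamic symbol table. The following is an added example, not code from the thread or from Debian: a small parser for `objdump -T` output that answers both. The sample tables are constructed (modelled on the lines quoted earlier, not captured from a real chroot), and the library names are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples, modelled on the objdump -T lines quoted in the thread.
# LIBC_I386 exports __strtod_nan at version node GLIBC_2.0; LIBM_I386
# references it at the same node, so the pair is consistent.
LIBC_I386 = """\
/lib/libc.so.6:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
0003b180 g    DF .text  000000b5  GLIBC_2.0   __strtod_nan
00016e90 g    DF .text  00000021  GLIBC_2.0   strtod
00016e90 g    DF .text  00000021  (GLIBC_2.0) __strtod_internal
"""

LIBM_I386 = """\
/lib/libm.so.6:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000  GLIBC_2.0   __strtod_nan
00000000  w   D  *UND*  00000000              __gmon_start__
0001b3c0 g    DF .text  000000d4  GLIBC_2.0   sin
"""

# A libm built against a different libc: it wants the amd64-style node,
# which LIBC_I386 does not provide.
LIBM_MISMATCH = """\
DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000  GLIBC_2.2.5 __strtod_nan
"""

# A library built without a version script: every export is unversioned.
LIBPLUGIN = """\
DYNAMIC SYMBOL TABLE:
00001230 g    DF .text  00000040              plugin_init
00001290 g    DF .text  00000010              plugin_version
00000000      DF *UND*  00000000  GLIBC_2.0   strtod
"""


@dataclass(frozen=True)
class DynSym:
    name: str
    version: Optional[str]  # version node such as "GLIBC_2.0"; None if unversioned
    hidden: bool            # objdump prints non-default version nodes in parentheses
    defined: bool           # False for *UND* rows, which are references not exports
    section: str
    size: int


# address, one space, 7-character flag field (l/g/u/! w C W I d/D F/f/O), rest
_LINE = re.compile(r"^([0-9A-Fa-f]+)\s(.{7})\s+(.*)$")


def parse_dynsyms(text: str) -> List[DynSym]:
    """Parse `objdump -T` output; rows that are not symbols are skipped."""
    syms: List[DynSym] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        fields = m.group(3).split()
        if len(fields) == 3:        # section size name        (no version node)
            section, size, name = fields
            version = None
        elif len(fields) == 4:      # section size version name
            section, size, version, name = fields
        else:
            continue
        syms.append(DynSym(
            name=name,
            version=version.strip("()") if version else None,
            hidden=version is not None and version.startswith("("),
            defined=(section != "*UND*"),
            section=section,
            size=int(size, 16),
        ))
    return syms


def exports(syms: List[DynSym], name: str) -> List[Tuple[str, Optional[str]]]:
    """(name, version) pairs at which a library defines `name`."""
    return [(s.name, s.version) for s in syms if s.name == name and s.defined]


def unresolved_references(consumer: List[DynSym],
                          provider: List[DynSym]) -> List[Tuple[str, Optional[str]]]:
    """References in `consumer` to names `provider` owns, but at a version node
    the provider does not export. Unversioned references are accepted against
    any export of the name; names the provider lacks entirely are ignored,
    since they may legitimately come from another library."""
    provided = {(s.name, s.version) for s in provider if s.defined}
    owned = {n for n, _ in provided}
    return [(s.name, s.version) for s in consumer
            if not s.defined and s.name in owned
            and s.version is not None and (s.name, s.version) not in provided]


def unversioned_exports(syms: List[DynSym]) -> List[str]:
    """Exports with no version node: two builds of such a library loaded into
    one process resolve the same plain name and may bind to the wrong copy."""
    return sorted(s.name for s in syms if s.defined and s.version is None)
```

Against the i386 samples the reference resolves; against `LIBM_MISMATCH` the function reports `__strtod_nan` at `GLIBC_2.2.5` as unsatisfiable by that libc, which is the shape of the mismatch being chased in the thread. `unversioned_exports` on a library like `LIBPLUGIN` lists the names that would be at risk if two versions ended up in one application.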
Brian May writes:
>> 2. Spend some time on investigating what it takes to backport
>> libav from jessie to wheezy. 11.x is still supported by
>> libav upstream and we could share triage work for jessie/wheezy
>> going forwards. 0.8 has simply too much missing.
>> Th
.html
So I am wondering if I can just mark xen in squeeze and wheezy as not
being affected by CVE-2015-2756 too?
--
Brian May
time now, will continue looking at this later.
--
Brian May
From 16794c97e99228ca551ff09fa696d00f39ceee82 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Wed, 19 Nov 2014 12:57:11 -0500
Subject: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64
GFNs (or less)
S
Ubuntu precise has 4.1.6; no idea if this
matters. Am speculating that 4.1.6 might have security updates.
So one possible strategy might be to take Ubuntu's package as is and
port it to Debian wheezy.
Wonder how many of the CVEs the Ubuntu version fixes.
--
Brian May
Brian May writes:
> So one possible strategy might be to take Ubuntu's package as is and
> port it to Debian wheezy.
Have rebuilt Ubuntu's xen package for wheezy.
The results are available for testing.
https://people.debian.org/~bam/wheezy/xen/
The most significant change I h
Brian May writes:
>> Wonder how many of the CVEs the Ubuntu version fixes.
>
> Will have a look at this now.
Comparing the changelog with our security tracker (by hand; not sure if
anybody has written a tool to automate this, if not might be a good
idea):
Not fixed in backported Ub
according to the
> security tracker. You probably mean CVE-2015-8104...
Yes, that looks like a typo. Thanks for the correction.
> That is an impressive list, and it does seem like we should merge our
> efforts with Ubuntu here!
Agreed.
--
Brian May
you want to
> followup on Xen yourself?
I won't be able to look again at this until next week. So sure, go
ahead.
If you haven't looked at it by then, I will have a look again.
--
Brian May
Luciano Bello writes:
> On Thursday 10 March 2016 13.39.31 Brian May wrote:
>> I have wheezy packages for testing:
>> https://people.debian.org/~bam/wheezy/imagemagick/
>>
>> I also have jessie packages for testing:
>> https://people.debian.org/~bam/jessie/ima
of these are at the stage where they can be uploaded or almost
there. I will continue working on these next month.
--
Brian May
Luciano Bello writes:
> On Saturday 26 March 2016 17.40.39 Brian May wrote:
>> > If you didn't get any other comment, fill free to upload to security
>> > master. I'm not part of the LTS team, but I guess you can also update
>> > there. I will release t
the documentation from
http://secure-testing-master.debian.net/uploading.html
I tried security-master too, but got identical results. Permission
Denied with the upload.
--
Brian May
e problem. I didn't notice that this used ftp, and ftp is broken
on my network because I haven't needed it in ages and haven't noticed it
was broken.
So I have uploaded the packages now using my 4G network.
--
Brian May
Luciano Bello writes:
> On Thursday 07 April 2016 12.36.12 Brian May wrote:
>> Found the problem. I didn't notice that this used ftp, and ftp is broken
>> on my network because I haven't needed it in ages and haven't noticed it
>> was broken.
>
> Gr
Brian May writes:
> However the upload of imagemagick for Jessie didn't go so well; I didn't
> realize that packages.debian.org has the correct binary but old source
> (doesn't take into account point updates properly), so I will have to
> redo it with the la
Antoine Beaupré writes:
> Heads up! The Xen packages prepared by Brian May have passed preliminary
> testing and are ready for wider testing on Wheezy! See:
>
> https://people.debian.org/~anarcat/debian/wheezy-lts/
[...]
> So here's a debdiff based on Brian's work. I d
nd on libav, however during
the process suddenly noticed that the --extra-packages argument to
sbuild (used by ratt) doesn't appear to be working for me, so I actually
was testing against the libav already in wheezy :-(
I submitted bug report #820882 on this.
In a previous email, Brian M
Brian May writes:
> I intended to rebuild all packages that depend on libav, however during
> the process suddenly noticed that the --extra-packages argument to
> sbuild (used by ratt) doesn't appear to be working for me, so I actually
> was testing against the libav already
Brian May writes:
> The following packages have unmet dependencies:
> libpostproc-dev : Depends: libavutil-dev (= 6:0.8.17-2) but 6:11.6-1~deb7u1
> is to be installed
> E: Unable to correct problems, you have held broken packages.
Ok, so looks like we would need a new version of
Brian May writes:
> The current list of packages that fail to build against the new libav is
> (the building is still ongoing):
All build logs in
https://people.debian.org/~bam/wheezy/libav/amd64/buildlogs/
Looks like a total of 85 packages failed to build and 46 packages
succeeded.
Antoine Beaupré writes:
> Heads up! The Xen packages prepared by Brian May have passed preliminary
> testing and are ready for wider testing on Wheezy! See:
>
> https://people.debian.org/~anarcat/debian/wheezy-lts/
This was missing the original source.
I have updated my pac
tproc-dev will be uninstallable - does this matter?
Or do we have to somehow upload everything in one single atomic batch?
For now, I am going to look at creating a simple staging area with
reprepro on people.debian.org
--
Brian May
Brian May writes:
> For now, I am going to look at creating a simple staging area with
> reprepro on people.debian.org
Ok, mostly done. I think. Has xen and libav packages.
Find instructions at:
https://people.debian.org/~bam/debian/README.txt
I appear to be having random problems try
Holger Levsen writes:
> yes, if you break packages like this you cannot fix them if other more
> severe problems show up in those packages.
Good point.
My current plan will be to fix all non-EOLed packages in my
staging repository, and then find out what I need to do next.
--
Brian May
Brian May writes:
> libpostproc-dev will be uninstallable - does this matter?
Whoops. Just noticed that libpostproc-dev is provided by the old libav,
however not provided by the new libav. I had thought it was another
source package.
So any packages that depend on it will need to be fixed
eg_impl.hpp:1443:35: error:
'dump_format' was not declared in this scope
/<>/modules/highgui/src/cap_ffmpeg_impl.hpp:1470:36: error:
'avcodec_open' was not declared in this scope
/<>/modules/highgui/src/cap_ffmpeg_impl.hpp:1507:42: error:
'URL_WRONLY' was not declared in this scope
/<>/modules/highgui/src/cap_ffmpeg_impl.hpp:1507:52: error:
'url_fopen' was not declared in this scope
/<>/modules/highgui/src/cap_ffmpeg_impl.hpp:1513:25: error:
'av_write_header' was not declared in this scope
make[3]: *** [modules/highgui/CMakeFiles/opencv_highgui.dir/src/cap_ffmpeg.o]
Error 1
--
Brian May
Brian May writes:
> Whoops. Just noticed that libpostproc-dev is provided by the old libav,
> however not provided by the new libav. I had thought it was another
> source package.
What do I do with ffmpeg?
Looks like this used to be provided by libav.
Jessie doesn't have ffm
Brian May writes:
> So guessing the solution might be to backport the stretch version to
> wheezy?
Backporting ffmpeg could prove challenging, this is the version from
jessie-backports:
The following packages have unmet dependencies:
sbuild-build-depends-ffmpeg-dummy : Depends: deb
for staging my proposed updates for
testing. https://people.debian.org/~bam/debian/
There is much work remaining fixing the dependencies of libav, which I
plan to continue on - as much as feasible anyway - next month. ffmpeg
might be a stumbling point.
--
Brian May
https://linuxpenguins.xyz
te important too,
e.g. ffmpeg.
--
Brian May
Unless our sponsors are using wheezy LTS actively for multimedia
processing, it is very possible they will not get hit by the security
issues we are attempting to fix.
Is it worth continuing with this?
--
Brian May
pplied to imagemagick, this will completely fix CVE-2016-3714?
Thanks
--
Brian May
/github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181
It does seem like that these 2 patches combined don't fix CVE-2016-3714
and I can't see anything that attempts to fix CVE-2016-3715 -
CVE-2016-3718 either.
--
Brian May
versions of this work; however I will have a
look at the above and see if I can still reproduce the Jessie build
errors.
--
Brian May
Brian May writes:
> I see that there are two versions of this work; however I will have a
> look at the above and see if I can still reproduce the Jessie build
> errors.
Looks like your patch modifies files such as lib/nfkc.c which have been
declared the source to the documentati
documentation which was failing to build after
applying security patches triggered a rebuild.
Versions for wheezy and jessie available here:
https://people.debian.org/~bam/debian/pool/main/libi/libidn/
Please test.
Also attached are the debdiff patches.
--
Brian May
diff -Nru libidn-1.25/debian
y, I will
> not have time to followup on those until next week so I hope others can
> pick this up!
I think it might be worth uploading what we have, and then fixing this
security issue in another upload.
--
Brian May
fuzz) to librsvg in
Wheezy, I imagine they will apply equally as cleanly to librsvg in
Jessie. Hence the reason for CCing the security team.
Wheezy packages for testing are available here:
https://people.debian.org/~bam/debian/pool/main/libr/librsvg/
The patch is attached.
Any comments?
Thanks
al change
> unto itself anyway?
Any objections by anybody if I upload Antoine Beaupré's packages to
Debian, this Monday morning at Melbourne timezone?
https://people.debian.org/~anarcat/debian/wheezy-lts/
Unless of course Antoine Beaupré wants to do it himself; he said he
might have time this week.
--
Brian May
Antoine Beaupré writes:
> I reviewed the patch quickly, nothing strikes me as completely wrong,
> but I am not currently in a position to test the patchset.
Unless there are any objections I plan on rechecking this and uploading
this to wheezy-security, Monday, Melbourne timezone.
--
Brian May
Brian May writes:
> Any objections by anybody if I upload Antoine Beaupré's packages to
> Debian, this Monday morning at Melbourne timezone?
Done.
Next step, the DLA. I went through the changelog and removed entries that
are already marked as fixed in the security tracker. I think
Antoine Beaupré writes:
> I do believe you are correct: some DLAs are definitely missing. I wrote
> about libidn in <871t50elvf@angela.anarcat.ath.cx>, the uploader was
> Brian May (in CC).
I sent DLAs for both libidn and librsvg:
libidn: 20160516070110.ga26...@prune.li
Antoine Beaupré writes:
> Indeed, sorry I missed that. Then let me rephrase:
>
> Brian, do you still intend to send that DLA? :)
I did. My emails appear to have gone missing somewhere along the way
:-(
--
Brian May
Antoine Beaupré writes:
> It's hard to tell without redoing the exact same process you did
> yourself. :p
Ok, I will go ahead. Will pay particular attention this time, see if my
email goes missing again.
--
Brian May
Markus Koschany writes:
> Don't forget to use Inline-PGP for signing the e-mails. :)
Yes, did that.
Oh wait, maybe I signed with the wrong key. My old key, not my new
one. Ooops.
Apologies for that, will resend the DLAs.
--
Brian May
Brian May writes:
> However I don't see them in the archives. I can try resending...
I resent the DLAs. I suspect I might have used the wrong GPG key for
signing.
Apologies.
--
Brian May
ode vs policy patches?
My code passes these tests.
I have built debs available for testing:
https://people.debian.org/~bam/debian/pool/main/i/imagemagick/
Unless I get feedback I plan to upload next Mondayish, UTC+10 timezone.
--
Brian May
nal sanity
check you listed the correct CVE), if there are many CVE's the risk of
error in filling out details for one of the CVEs by hand increases. It
could also add more standardised text (such as "This is fixed in version
X; we recommend you upgrade.").
--
Brian May
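Two things asked for earlier in this thread are the same small tool: comparing an upload's changelog against the security tracker's list "by hand", and generating the DLA text from the data rather than retyping the version string and each CVE. The following is an added example, not code from the thread or a Debian tool. The changelog and the tracker list are constructed for a hypothetical package; the CVE identifiers are taken from this thread purely as syntactically valid IDs, and which upload fixed what is made up for the example.

```python
import re
from datetime import date
from typing import Dict, List, Set, Tuple

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# First line of a debian/changelog entry:  source (version) distribution; urgency=...
HEADER_RE = re.compile(r"^(?P<src>\S+) \((?P<ver>[^)]+)\) (?P<dist>\S+);")

# Constructed changelog for a hypothetical package (the IDs are borrowed from
# the thread only as valid identifiers; the mapping to uploads is invented).
CHANGELOG = """\
examplepkg (1.0-1+deb7u2) wheezy-security; urgency=high

  * Non-maintainer upload by the Debian LTS Team.
  * Fix CVE-2015-8104: ...
  * Fix CVE-2015-2756: ...

 -- Example Maintainer <lts@example.org>  Mon, 11 Apr 2016 10:00:00 +1000

examplepkg (1.0-1+deb7u1) wheezy-security; urgency=high

  * Fix CVE-2016-2334: ...

 -- Example Maintainer <lts@example.org>  Mon, 04 Jan 2016 10:00:00 +1000
"""

# Constructed: what the tracker (hypothetically) lists as fixed by 1.0-1+deb7u2.
TRACKER_FIXED_IN_DEB7U2 = {"CVE-2015-8104", "CVE-2016-2334"}


def parse_changelog(text: str) -> List[Tuple[str, str, Set[str]]]:
    """[(version, distribution, CVE IDs mentioned in that entry), ...], newest first."""
    entries: List[Tuple[str, str, Set[str]]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append((m["ver"], m["dist"], set()))
        elif entries:
            entries[-1][2].update(CVE_RE.findall(line))
    return entries


def cves_in_version(text: str, version: str) -> Set[str]:
    """CVE IDs the changelog entry for `version` claims to address."""
    for ver, _dist, cves in parse_changelog(text):
        if ver == version:
            return set(cves)
    raise KeyError(version)


def reconcile(changelog_cves: Set[str], tracker_cves: Set[str]) -> Dict[str, List[str]]:
    """Cross-check one upload against the tracker's list for the same version.
    Anything not in both needs a human look: a changelog-only ID may be a typo
    or a tracker entry that was never updated; a tracker-only ID means the
    tracker claims a fix the changelog does not document."""
    return {
        "both": sorted(changelog_cves & tracker_cves),
        "changelog_only": sorted(changelog_cves - tracker_cves),
        "tracker_only": sorted(tracker_cves - changelog_cves),
    }


def render_dla(package: str, version: str, suite: str, cves: Set[str],
               summary: str, issued: date) -> str:
    """Standardised advisory text built from the reconciled data, so the
    version string and CVE list are copied from the changelog, not retyped."""
    ids = sorted(cves)
    return (
        f"Package        : {package}\n"
        f"Version        : {version}\n"
        f"CVE ID         : {' '.join(ids)}\n"
        f"Date           : {issued.isoformat()}\n\n"
        f"{summary}\n\n"
        f"For Debian {suite}, these problems have been fixed in version {version}.\n\n"
        f"We recommend that you upgrade your {package} packages.\n"
    )


if __name__ == "__main__":
    fixed = cves_in_version(CHANGELOG, "1.0-1+deb7u2")
    report = reconcile(fixed, TRACKER_FIXED_IN_DEB7U2)
    for key, ids in report.items():
        print(f"{key:15s} {' '.join(ids) or '-'}")
    if not report["changelog_only"] and not report["tracker_only"]:
        print(render_dla("examplepkg", "1.0-1+deb7u2", "7 \"Wheezy\"", fixed,
                         "Several vulnerabilities were found in examplepkg.",
                         date(2016, 4, 11)))
```

The point of refusing to render the advisory while either difference set is non-empty is the sanity check asked for above: the DLA only gets written from a CVE list that the changelog and the tracker agree on, which catches a mistyped digit before it is published.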
Hello,
Do we care about vulnerabilities that are specific to HFS+?
http://www.talosintel.com/reports/TALOS-2016-0093/
CVE-2016-2334
Regards
--
Brian May
https://linuxpenguins.xyz/brian/
Brian May writes:
> Hello,
>
> Do we care about vulnerabilities that are specific to HFS+?
>
> http://www.talosintel.com/reports/TALOS-2016-0093/
> CVE-2016-2334
Along similar lines, just noticed that the next issue is UDF specific.
http://www.talosintel.com/reports/TALOS-2
Ben Hutchings writes:
> [ Unknown signature status ]
> On Thu, 2016-06-02 at 17:39 +1000, Brian May wrote:
>> Hello,
>>
>> Do we care about vulnerabilities that are specific to HFS+?
>>
>> http://www.talosintel.com/reports/TALOS-2016-0093/
>> CVE-2016-2
Brian May writes:
> Will continue to check the code to make sure.
Actually looks like the vulnerable HFS+ is not present in the wheezy
version p7zip. In this version CPP/7zip/Archive/Hfs/HfsHandler.cpp is
only 243 lines, the exploit is in a function that doesn't exist on lines
1496
Brian May writes:
> I think there would need to be some code to disable the UDF code if it
> isn't a UDF file system. Even if just for compression not
> decompression. Still looking for this however.
Just realized I have been talking a lot of nonsense. UDF support isn't
abou
> http://www.talosintel.com/reports/TALOS-2016-0093/ claims that as well
> 9.20 is affected.
Yes, I noticed this too. Will check.
--
Brian May
1072
I note the following code which is the same (if my arithmetic is
correct):
const UInt32 kBufSize = (1 << 16);
In report this is:
const size_t kBufSize = kCompressionBlockSize; // 0x1
However everything else looks very different.
--
Brian May
Brian May writes:
> I asked here https://twitter.com/penguin_brian/status/739583514153091072
I got a response:
@penguin_brian there is wrong info. Ofc vulnerable code exist since :
9.32 alpha 2013-12-01
https://twitter.com/_Icewall/status/739731922998448129
Looks like Jessie is
Brian May writes:
> Just realized I have been talking a lot of nonsense. UDF support isn't
> about compressing files from UDF file systems, it is about compressing
> UDF images. So yes, it is a format issue like Ben said, and it should
> get fixed.
I have a version available f
Brian May writes:
> I have a version available for testing with a fix for the UDF issue
> (CVE-2016-2335):
>
> https://people.debian.org/~bam/debian/pool/main/p/p7zip/
>
> (only i386 version so far, hope to upload amd64 version ASAP).
Now got AMD64 version available for testing.
--
Brian May
eInfo *) NULL);
+ }
}
dot_product=dx.q*dy.p-dx.p*dy.q;
if (dot_product <= 0.0)
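Review bot: the only added line visible in this fragment is the closing brace `+ }`; the `dot_product=dx.q*dy.p-dx.p*dy.q;` and `if (dot_product <= 0.0)` lines are unchanged context, so nothing shown here alters the vertex arithmetic. Whatever check that brace closes is above the cut, and that is the part that needs reading before deciding whether this hunk alone covers the CVE in question; a hunk that merges cleanly is no evidence that it is the relevant one.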
Am wondering if maybe only this last part is required - it merges
cleanly too. Although not really entirely sure how this one function can
fit all CVEs. Possibly this patch only fixes CVE-2016-4563?
Anyway, out of time now, just wanted to summarize the situation so I
don't forget...
--
Brian May
Just guessing a bit here:
Brian May writes:
> CVE-2016-4562
>
> The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before
> 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certain
> vertices integer data, which allows remote attackers to cause a deni
Brian May writes:
> DrawDashPolygon had the following change:
>
> - for (i=1; (i < number_vertices) && (length >= 0.0); i++)
> + for (i=1; (i < (ssize_t) number_vertices) && (length >= 0.0); i++)
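Review bot: whether `i < number_vertices` and `i < (ssize_t) number_vertices` behave the same depends on the declared types of `i` and `number_vertices`, which this hunk does not show. If `i` is `ssize_t` and `number_vertices` is `size_t`, the original comparison converts `i` to unsigned, so a negative `i` would compare as a huge value and pass the bound, while the cast makes the comparison signed. Check the two declarations before treating the change as a no-op.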
Actually just noticed this change is a NOP. Both
oundcube-dummy : Depends: libjs-jquery-ui (>= 1.10) but
it is not going to be installed
E: Unable to correct problems, you have held broken packages.
apt-get failed.
E: Package installation failed
Not removing build depends: cloned chroot in use
--
Brian May
s not necessary.
Not sure if you were asking me or the mailing list, however no
objections from me. I say go ahead and do it.
--
Brian May
Brian May writes:
> Significant changes to TraceStrokePolygon function:
Here is a diff ignoring white space changes:
@@ -6021,13 +6022,25 @@
}
if (q >= (ssize_t) (max_strokes-6*BezierQuantum-360))
{
+if (~max_strokes < (6*BezierQu
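Review bot: the added `if (~max_strokes < (6*BezierQu...` guard is the unsigned-overflow idiom (for an unsigned `x`, `~x` is the largest value that can still be added to `x`), so it is only a valid check if `max_strokes` is an unsigned type; on a signed `max_strokes` the bitwise complement is negative and the test says nothing about whether the addition overflows. Confirm the type, and that the guard runs before `max_strokes` is grown and the buffer reallocated, not after.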
I have a version available for testing at:
https://people.debian.org/~bam/debian/pool/main/i/imagemagick/
Brian May writes:
> CVE-2016-4562
>
> The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before
> 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certai
Brian May writes:
> Markus Koschany writes:
>
>> I just had a closer look at the vulnerabilities. I have marked
>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>> the vulnerable code is not present in this version. There is no upstream
>&
Brian May writes:
> It might be worth somebody else testing it, just in case this is
> something specific to my build.
>
> Will continue investigating.
Looks like the test certificates may have expired.
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1581084
Most likely r
Brian May writes:
> Looks like the test certificates may have expired.
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1581084
Yes, builds fine now after applying the patch from the above link.
--
Brian May
4.1.6.1-1+deb7u2.dsc; however I never uploaded that version. It has
known problems on i386.
Maybe you meant to say you have version 4.1.6.1-1+deb7u1 ?
--
Brian May
nd the same
> error here:
>
> https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1515145
--
Brian May
Brian May writes:
> It appears that we need an extra patch to get the fix for xsa97 working
> properly. See the linked Ubuntu bug report.
>
> https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1515145
>
> Just wondering if you included this in version 4.1.6.1-1+deb7u2 by an
identified for CVE-2016-2372 was
the same as one of the patches for CVE-2016-2369 so I didn't apply it
twice.
Still need to test this and make a copy for testing.
--
Brian May
https://linuxpenguins.xyz/brian/
diff -Nru pidgin-2.10.10/debian/changelog pidgin-2.10.10/debian/changelog
--- p
Brian May writes:
> Attached is a patch to fix all known security issues in pidgin in
> Wheezy-LTS.
>
> I found that a number of other CVEs under security-tracker.debian.org
> referenced the patch for the fix for the wrong CVE, so I had to retrieve
> the correct patches from u
OS-CAN-0123
https://bitbucket.org/pidgin/main/commits/8172584fd640
- correct
* CVE-2016-4323 / TALOS-CAN-0128
Patch not given
- Believe correct patch is 5fa3f2bc69d7918d1e537e780839df63d5df59aa
- was patch listed for CVE-2016-2365 / TALOS-CAN-0133
--
Brian May