Daniel Kahn Gillmor | 30 Sep 00:05 2014

Bug#763402: assword: error message "Invalid key ID" can be misleading

Package: assword
Version: 0.8-1
Severity: normal

assword initializes gpgme like this:

        gpg = gpgme.Context()
    except gpgme.GpgmeError:
        print >>sys.stderr, "Invalid key ID:", keyid

But it's entirely possible that the error raised has nothing to do
with the choice of keyid. (indeed, i just found a bug in the
intersection of the versions of gpgme and gnupg that i'm running that
causes an exception to be raised no matter what keyID is supplied).

The error message produced to the user should include some information
from the gpgme exception.


PS in the use case that i found, the gpgme exception was just

  gpgme.GpgmeError: (7, 16383, u'End of file')

which itself wasn't actually useful at all, but that's an issue to be
raised with python-gpgme (or perhaps gpgme itself) separately.

(Continue reading)

Steven Chamberlain | 30 Sep 00:00 2014

Bug#755105: kadu: no longer builds on kfreebsd-*

tags 755105 + patch
user debian-bsd <at> lists.debian.org
usertags 755105 + kfreebsd


The shared library libantistring.so seems to be built fine on kfreebsd,
and the build system gives it a multiarch path.  But dh_install later
looks for it in the wrong place...

> /usr/bin/c++  -fPIC -std=c++0x -O3 -DNDEBUG   -shared -Wl,-soname,libantistring.so -o
libantistring.so CMakeFiles/antistring.dir/antistring.cpp.o
CMakeFiles/antistring.dir/antistring_automoc.cpp.o ../../kadu-core/libkadu.so
-lQtDeclarative -lQtScript -lQtSvg -lQtWebKit -lQtXmlPatterns -lQtGui -lQtDBus -lQtXml -lQtSql
-lQtNetwork -lQtCore 
> -- Installing: /«PKGBUILDDIR»/debian/tmp/usr/lib/x86_64-kfreebsd-gnu/kadu/plugins/libantistring.so
> dh_install -s
> cp: cannot stat 'debian/tmp/debian/tmp/usr/lib/kadu/plugins/libantistring.so': No such file or directory
> dh_install: cp -a debian/tmp/debian/tmp/usr/lib/kadu/plugins/libantistring.so
debian/kadu//usr/lib/kadu/plugins/ returned exit code 1

This is apparently due to some workaround that was added to debian/rules
but is now not needed.  Please see attached patch fixing this.
(Continue reading)

Jay Berkenbilt | 29 Sep 23:56 2014

Bug#759247: icu bug fixed...

The ICU bug that contributed to this was fixed in the most recent upload.


Jay Berkenbilt <qjb <at> debian.org>

Petter Reinholdtsen | 29 Sep 23:53 2014

Bug#710222: ldap2zone: Please produce stable output ordering

Control: tags -1 + patch


I finally found time to sit down and try to implement a fix for this
issue.  The attached file can be placed in
debian/patches/stable-zone-ordering.patch and added to
debian/patches/series to ensure the output ordering of ldap2zone is the
same every time.  Please include in a future version of ldap2zone.  It
would be great if it was included in Jessie.


Happy hacking
Petter Reinholdtsen
Antoine Beaupré | 29 Sep 23:41 2014

Bug#527258: tircd: please offer identica connect additionally

Package: tircd
Version: 0.30-1
Followup-For: Bug #527258

This will be more complicated than s/twitter.com/identi.ca/ - see


... for the new identi.ca API.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tircd depends on:
ii  adduser                   3.113+nmu3
ii  libhtml-parser-perl       3.71-1+b2
ii  libjson-any-perl          1.36-1
ii  libnet-twitter-lite-perl  0.12006-1
ii  libpoe-filter-ircd-perl   2.44-1
ii  libpoe-perl               2:1.3640-1
ii  liburi-perl               1.64-1
ii  libwww-perl               6.08-1
(Continue reading)

Uwe Schindler | 29 Sep 23:36 2014

Bug#762812: Same on i386


I have the same issue since yesterday when debian testing updated to 3.16:
Linux sirius 3.16-2-686-pae #1 SMP Debian 3.16.3-2 (2014-09-20) i686 GNU/Linux

[55356.351794] <unknown>: hw csum failure
[55356.351820] CPU: 0 PID: 3512 Comm: dnsmasq Not tainted 3.16-2-686-pae #1 Debian 3.16.3-2
[55356.351829] Hardware name:    /CN700-8237, BIOS 6.00 PG 11/30/2007
[55356.351838]  f4a73340 f3f3fbd0 c14747f8 f3f3fcf0 c1394419 00000000 f3f3fbc0 ffff87e2
[55356.351861]  00000000 4a7fb580 f4a73340 f3ff4340 f3f3fdd8 f3f3fc10 c1445123 f3f3fbfc
[55356.351883]  f3f3fc00 f3ff45c4 f3ff4398 00000000 00000053 00000000 00000053 00000000
[55356.351904] Call Trace:
[55356.351937]  [<c14747f8>] ? dump_stack+0x3e/0x4e
[55356.351958]  [<c1394419>] ? skb_copy_and_csum_datagram_iovec+0xe9/0xf0
[55356.351981]  [<c1445123>] ? udpv6_recvmsg+0x213/0x570
[55356.351999]  [<c140283f>] ? inet_recvmsg+0x6f/0x90
[55356.352089]  [<c1386ef1>] ? sock_recvmsg+0x81/0xa0
[55356.352110]  [<c117c470>] ? poll_select_copy_remaining+0x100/0x100
[55356.352125]  [<c117c470>] ? poll_select_copy_remaining+0x100/0x100
[55356.352139]  [<c1392f06>] ? verify_iovec+0x46/0xc0
[55356.352153]  [<c1386e70>] ? kernel_sendmsg+0x40/0x40
[55356.352167]  [<c138718b>] ? ___sys_recvmsg.part.17+0xfb/0x1c0
[55356.352181]  [<c1386e70>] ? kernel_sendmsg+0x40/0x40
[55356.352196]  [<c117c470>] ? poll_select_copy_remaining+0x100/0x100
[55356.352216]  [<c13898d1>] ? sock_init_data+0x91/0x200
[55356.352232]  [<c1388118>] ? __sys_recvmsg+0x48/0x80
[55356.352248]  [<c1388b8d>] ? SYSC_socketcall+0x85d/0xaa0
[55356.352264]  [<c117ecce>] ? dput+0x1e/0x140
[55356.352278]  [<c117cf77>] ? core_sys_select+0x1c7/0x260
[55356.352299]  [<c11759a5>] ? filename_lookup+0x25/0xb0
(Continue reading)

Antoine Beaupr? | 29 Sep 23:30 2014

Bug#763400: do not echo password on the commandline or require storage

Package: davfs2
Version: 1.5.2-1
Severity: wishlist

Right now there are two ways of sending the password to the WebDAV
server: the secrets file and the clunky username=foo mount option.

The former I would rather avoid because I do not want to store the
password (in cleartext!!) on disk.

The latter currently echoes the password on standard output when
prompting, which allow for shoulder surfing.

So basically, there is currently no secure way to use this command
right now.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages davfs2 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.53
(Continue reading)

bancfc | 29 Sep 23:24 2014

Bug#763399: Hardening dpkg/apt

Package: apt
Version: all

Sometimes apt/dpkg can contain vulnerable, remotely exploitable bugs 
which s a big risk when used over the untrusted internet. As it happens, 
anyone could have been in a position to run man-in-the-middle attacks 
with the latest security hole [CVE-2014-6273] in apt-get. What makes 
this bug cripling is that updating apt to fix it would have exposed it 
to what the fix was supposed to rpevent, so manually downloading the 
package out of band was the safest option this time.

In order to drastically limit an attackers options I recommend creating 
a seccomp-bpf filter for apt and dpkg to limit what they can do should a 
weak function be remotely exploited. Other options include enabling any 
and all compile-time binary hardening such as PIE, RELRO, CANARY etc.

Seccomp Resources:

(Kernel documentation for the feature)

http://outflux.net/teach-seccomp/ ( A guide on writing a simple filter 
and using error checking. Note that seccomp supports whitelists which 
can make it easier, you simply allow only the bear minimum of safe 
syscalls needed to make curl function).

ares | 29 Sep 23:13 2014

Bug#761590: fixed in owncloud-client 1.7.0~beta1+really1.6.3+dfsg-2

It didn't fix the issue for me. Could you please describe what was the patch 
so I could verify manually?



On Sat, 20 Sep 2014 15:23:05 +0000 =?utf-8?q?Sandro_Knau=C3=9F?= 
<bugs <at> sandroknauss.de> wrote:
> Source: owncloud-client
> Source-Version: 1.7.0~beta1+really1.6.3+dfsg-2
> We believe that the bug you reported is fixed in the latest version of
> owncloud-client, which is due to be installed in the Debian FTP archive.
> A summary of the changes between this version and the previous one is
> attached.
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 761590 <at> bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> Debian distribution maintenance software
> pp.
> Sandro Knauß <bugs <at> sandroknauss.de> (supplier of updated owncloud-client 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
(Continue reading)

Svante Signell | 29 Sep 23:19 2014

Bug#763398: handbrake: FTBFS on hurd-i386

Source: handbrake
Version: 0.9.9+svn6422+dfsg1-1
Severity: important
Tags: patch
User: debian-hurd <at> lists.debian.org
Usertags: hurd


Currently handbrake fails to build from source due to usage of
PATH_MAX, which is not defined on GNU/Hurd. Another issue is missing
linkage with libpthread, the same as for kFreeBSD, see #730976

For the PATH_MAX issues strcmp and strlen are used instead of strncmp
and strnlen, respectively. According to the submitters knowledge there
is no big difference between these functions, and the chosen functions
avoid the on some systems undefined constant PATH_MAX. If there is a
wish to keep the old code a conditional test can easily be made, please
let me know, and I'll create a patch depending on if PATH_MAX is
defined or not.

The attached patch fixes these build problems.


Attachment (004-hurd.patch): text/x-patch, 2037 bytes
Tim Dengel | 29 Sep 23:19 2014

Bug#763397: cinnamon-bluetooth: Fails to install due to dependency issue

Package: cinnamon-bluetooth
Version: 3.8.4-2
Severity: important

Dear Maintainer,

   * What led up to the situation?
     I was trying to install cinnamon-bluetooth via 'aptitude install cinnamon-bluetooth'
   * What exactly did you do (or not do) that was effective (or
     See above.
   * What was the outcome of this action?
     Installation failed, because cinnamon-bluetooth depends on libgnome-bluetooth11 (>= 3.4.0), which is
a virtual package.
   * What outcome did you expect instead?
     I expected aptitude to select a package that provides libgnome-bluetooth11 to install, but there seems to
be none. But it seems more likely that the dependency itself is a mistake, since packages.debian.org only
lists it for 4 unofficial architectures.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (1700, 'testing'), (1600, 'unstable'), (650, 'stable'), (550, 'oldstable'), (500,
'stable-updates'), (500, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.3 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
(Continue reading)