
Debian Bug report logs - #559814
CVE-2009-3736 local privilege escalation


Package: hamlib; Maintainer for hamlib is Debian Hamradio Maintainers <debian-hams@lists.debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 7 Dec 2009 05:00:12 UTC

Severity: grave

Tags: help, security

Fixed in versions hamlib/1.2.10-1, hamlib/1.2.7.1-1+lenny1

Done: Kamal Mostafa <kamal@whence.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#559814; Package hamlib. (Mon, 07 Dec 2009 05:00:15 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 07 Dec 2009 05:00:15 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Sun, 6 Dec 2009 23:57:54 -0500
Package: hamlib
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#559814; Package hamlib. (Sat, 12 Dec 2009 23:10:00 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 12 Dec 2009 23:10:00 GMT)

Message #10 received at 559814@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559798@bugs.debian.org, 559799@bugs.debian.org, 559800@bugs.debian.org, 559801@bugs.debian.org, 559802@bugs.debian.org, 559803@bugs.debian.org, 559804@bugs.debian.org, 559805@bugs.debian.org, 559806@bugs.debian.org, 559807@bugs.debian.org, 559808@bugs.debian.org, 559809@bugs.debian.org, 559810@bugs.debian.org, 559811@bugs.debian.org, 559812@bugs.debian.org, 559813@bugs.debian.org, 559814@bugs.debian.org, 559815@bugs.debian.org, 559816@bugs.debian.org, 559817@bugs.debian.org, 559818@bugs.debian.org, 559819@bugs.debian.org, 559820@bugs.debian.org, 559821@bugs.debian.org, 559822@bugs.debian.org, 559823@bugs.debian.org, 559824@bugs.debian.org, 559825@bugs.debian.org, 559826@bugs.debian.org, 559827@bugs.debian.org, 559828@bugs.debian.org, 559829@bugs.debian.org, 559830@bugs.debian.org, 559831@bugs.debian.org, 559832@bugs.debian.org, 559833@bugs.debian.org, 559834@bugs.debian.org, 559835@bugs.debian.org, 559836@bugs.debian.org, 559837@bugs.debian.org, 559838@bugs.debian.org, 559839@bugs.debian.org, 559840@bugs.debian.org, 559841@bugs.debian.org, 559842@bugs.debian.org, 559843@bugs.debian.org, 559844@bugs.debian.org, 559845@bugs.debian.org
Subject: CVE-2009-3736 update
Date: Sat, 12 Dec 2009 18:07:00 -0500
Hi all,

It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem.  This is
not a sufficient solution since your package will still use the
embedded libtool code copy.  You need to add '--without-included-ltdl'
to your configure arguments to do this right.

A verification, but not really a sufficient proof, is that 
'ldd <your binaries>' shows that the system libtool is being used.

On another note, if your package is affected in either stable or
oldstable, it also must be fixed.  The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.

Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).

Thank you for working on this issue.

Mike

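The two checks Mike describes above (the `--without-included-ltdl` configure argument, and `ldd` as a weak confirmation) can be tightened by looking at the dynamic symbol table rather than only at the linked libraries. The script below is an added example, not part of this bug report or of hamlib's packaging: it classifies an ELF object as carrying an embedded libltdl (lt_dl* symbols *defined* inside it), using the system copy (lt_dl* symbols imported, with a DT_NEEDED entry for libltdl.so.N), or a mixture of the two. The classifier only parses text in the format that `nm -D` and `objdump -p` emit, so it can be exercised on constructed samples; the wrapper at the bottom assumes GNU binutils is installed and that the soname of the system library matches `libltdl.so.*` (libltdl3 and libltdl7 both do).

```shell
#!/bin/sh
# Added example (not from the bug report, not hamlib code): does this object
# still carry an embedded libltdl copy, or does it use the system library?
# Assumes GNU binutils (nm, objdump) for check_object; classify_ltdl itself
# only parses their output and needs nothing installed.

# classify_ltdl NM_TEXT NEEDED_TEXT
#   NM_TEXT      output of `nm -D OBJECT`
#                ("0000000000004a10 T lt_dlopen" / "                 U lt_dlopen")
#   NEEDED_TEXT  output of `objdump -p OBJECT | grep NEEDED`
# Prints one word: embedded | mixed | system | unresolved | none
classify_ltdl() {
    # lt_dl* symbols *defined* in the object (T/D/B/W/R/V, upper or lower
    # case) mean the ltdl code was compiled into it: an embedded copy,
    # regardless of what `ldd` reports.
    defined=$(printf '%s\n' "$1" \
        | awk '$2 ~ /^[TtDdBbRrWwVv]$/ && $3 ~ /^lt_dl/ { n++ } END { print n + 0 }')
    # lt_dl* symbols of type U are imported from some other shared object.
    undefined=$(printf '%s\n' "$1" \
        | awk '$1 == "U" && $2 ~ /^lt_dl/ { n++ } END { print n + 0 }')
    # A DT_NEEDED entry for the system library (libltdl.so.3, .so.7, ...).
    # `grep -c` exits 1 on zero matches, hence the `|| true`.
    needed=$(printf '%s\n' "$2" | grep -c 'NEEDED[[:space:]]*libltdl\.so' || true)

    if [ "$defined" -gt 0 ] && [ "$needed" -gt 0 ]; then
        # Links libltdl.so *and* defines its own lt_dl*: the local copy is
        # normally what gets called, so `ldd` alone would give a false pass.
        echo mixed
    elif [ "$defined" -gt 0 ]; then
        echo embedded
    elif [ "$undefined" -gt 0 ] && [ "$needed" -gt 0 ]; then
        echo system
    elif [ "$undefined" -gt 0 ]; then
        # Imports lt_dl* but nothing in NEEDED provides them directly
        # (possibly via another library); worth a manual look.
        echo unresolved
    else
        echo none
    fi
}

# check_object PATH: run the real tools on an installed binary or .so
# and print "PATH: verdict".
check_object() {
    nm_text=$(nm -D "$1" 2>/dev/null || true)
    needed_text=$(objdump -p "$1" 2>/dev/null | grep NEEDED || true)
    printf '%s: %s\n' "$1" "$(classify_ltdl "$nm_text" "$needed_text")"
}

# Usage: sh check-ltdl.sh /usr/lib/libhamlib.so.2 /usr/bin/rigctl ...
for obj in "$@"; do
    check_object "$obj"
done
```

A verdict of `none` is not proof of safety: an embedded ltdl linked with hidden symbol visibility, or into a static binary, leaves nothing in the dynamic symbol table. The authoritative check remains the build itself, that is, configuring with `--without-included-ltdl` so that no ltdl.c is compiled into the package's objects. The `mixed` verdict is exactly the case Mike warns about, where a build-dependency on libltdl3-dev was added but the embedded copy is still what runs.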



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#559814; Package hamlib. (Sat, 23 Jan 2010 22:42:13 GMT)

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>: Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 23 Jan 2010 22:42:13 GMT)

Message #15 received at 559814@bugs.debian.org:

From: Stefano Zacchiroli <zack@debian.org>
To: debian-devel@lists.debian.org
Cc: 559814@bugs.debian.org
Subject: advice sought for hamlib new upstream vs "embedded ltdl"
Date: Sat, 23 Jan 2010 23:36:51 +0100
tags 559814 + help
thanks

I'm looking for advice / testers for #559814 (one of the dreaded
"vulnerable embedded copy of ltdl").

The bug is against hamlib, which is orphaned but has at least one binary
package with high popcon (about 300).

The bug seems to be fixed with new upstream release 1.2.10 which has
recent version of ltdl. Also, with such a recent version come flexible
autoconf macros that make it easy to link against the system ltdl
library, hereby avoiding similar problems in the future.  On the
contrary, the Debian version (1.2.9) has 5-year old autoconf macros
which hinder linking against the system library [1].

I'd like to upload new upstream to fix the security / RC bug, but I
don't intend to take over maintenance of the package, nor do I _use_
it. Can please some user of the library get in touch with me with a test
case or something so that we avoid screwing up a lib? dd-list of
maintainers of reverse deps is reported at the bottom of this mail [2].

I'll then take care of doing a QA upload of the new upstream, together
with some misc QA fixes.

Of course it would be even better if someone steps up as a volunteer
maintainer for hamlib (hint, hint).

Cheers.

[1] I've *almost* managed to do that, but the resulting .diff.gz is as
    big as the .orig due to re-autotoolization, ... quite pointless if
    you ask me.

[2] Debian Hamradio Maintainers <debian-hams@lists.debian.org>
       fldigi

    Hamish Moffatt <hamish@debian.org>
       fldigi (U)
       gmfsk

    Patrick Ouellette <pouelle@debian.org>
       fldigi (U)

    Jaime Robles <jaime@debian.org>
       fldigi (U)
       klog


-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Behind a great man there is always a backpack
And don't hold it against me if I call you "tu": I say "tu" to everyone I love

Added tag(s) help. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sat, 23 Jan 2010 22:42:21 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#559814; Package hamlib. (Wed, 17 Feb 2010 03:57:05 GMT)

Acknowledgement sent to Kamal Mostafa <kamal@whence.com>: Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 17 Feb 2010 03:57:05 GMT)

Message #22 received at 559814@bugs.debian.org:

From: Kamal Mostafa <kamal@whence.com>
To: 556098@bugs.debian.org, debian-hams@lists.debian.org
Cc: 559814@bugs.debian.org, Stefano Zacchiroli <zack@debian.org>, Steve Conklin <steve@conklinhouse.com>
Subject: Re: ITA: hamlib / new version for upload
Date: Tue, 16 Feb 2010 19:53:53 -0800
After discussion with Steve Conklin (who filed an ITA for 'hamlib' a few
months ago) we have determined that I will volunteer to adopt and
maintain 'hamlib' instead of him.

For reference, I am a ham radio operator (KA6MAL), I do use hamlib
regularly, and I have developed applications which use the library.  

I have packaged the new upstream release (hamlib 1.2.10) which I propose
for review and upload by a kindly DD:

        http://www.whence.com/debian/proposed/hamlib_1.2.10-1.dsc

This package includes my fix for bug 559814 (CVE-2009-3736 local libltdl
privilege escalation), and minor Python 2.6 changes from Ubuntu.

I wasn't sure what to do with the debian/control "Uploaders:" field.  As
a placeholder, I set it to the debian-hams@lists.debian.org list address
-- I expect that it will be changed by the actual uploader:

  Uploaders: Debian Hamradio Maintainers <debian-hams@lists.debian.org>

This is my first experience with maintenance of a package at Debian, so
I am not at all sure that I'm following the proper procedures here.  Any
guidance will be much appreciated.

Thanks,

 -Kamal Mostafa <kamal@whence.com>


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#559814; Package hamlib. (Wed, 17 Feb 2010 08:36:04 GMT)

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>: Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 17 Feb 2010 08:36:04 GMT)

Message #27 received at 559814@bugs.debian.org:

From: Stefano Zacchiroli <zack@debian.org>
To: Kamal Mostafa <kamal@whence.com>
Cc: 556098@bugs.debian.org, debian-hams@lists.debian.org, 559814@bugs.debian.org, Steve Conklin <steve@conklinhouse.com>
Subject: Re: ITA: hamlib / new version for upload
Date: Wed, 17 Feb 2010 09:32:17 +0100
On Tue, Feb 16, 2010 at 07:53:53PM -0800, Kamal Mostafa wrote:
>         http://www.whence.com/debian/proposed/hamlib_1.2.10-1.dsc

Thanks a lot, I'll review this shortly and get back to you.

Cheers.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#559814; Package hamlib. (Wed, 17 Feb 2010 10:30:08 GMT)

Acknowledgement sent to Stefano Zacchiroli <zack@debian.org>: Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 17 Feb 2010 10:30:08 GMT)

Message #32 received at 559814@bugs.debian.org:

From: Stefano Zacchiroli <zack@debian.org>
To: Kamal Mostafa <kamal@whence.com>
Cc: 556098@bugs.debian.org, debian-hams@lists.debian.org, 559814@bugs.debian.org
Subject: Re: ITA: hamlib / new version for upload
Date: Wed, 17 Feb 2010 11:28:37 +0100
On Tue, Feb 16, 2010 at 07:53:53PM -0800, Kamal Mostafa wrote:
> I wasn't sure what to do with the debian/control "Uploaders:" field.  As
> a placeholder, I set it to the debian-hams@lists.debian.org list address
> -- I expect that it will be changed by the actual uploader:
> 
>   Uploaders: Debian Hamradio Maintainers <debian-hams@lists.debian.org>
> 
> This is my first experience with maintenance of a package at Debian, so
> I am not at all sure that I'm following the proper procedures here.  Any
> guidance will be much appreciated.

So, I've just checked your package and it looks generally OK to me. I'll
proceed to upload it to DELAYED/1, just to give other people a bit of
time to react in case there are reservations.

The few comments I've are as follows, please consider them in future
uploads:

- I've switched your Maintainer/Uploaders line, to match the best
  practices on that. Maintainer is the official contact address (the
  mailing list) and Uploaders is the list of people usually *working*
  (not just doing the final upload, despite the name) on the package,
  hence you in this case. Please port the change to your working copy of
  the packaging.

- You install a couple more .so files than in the past, however these
  new .so are not versioned, I believe it is an upstream choice, but you
  should discuss with them whether this is really intended or not.

- As hamlib has a homepage (the sourceforge page), you should declare it
  in debian/control using the "Homepage" field, check the developer's
  reference for details. If you use some version control system to
  maintain the packaging, you should declare that too using the Vcs-*
  fields (again, devref has details about that).

- There are quite a lot of lintian warnings, you should fix them. Most
  of them are missing ${misc:Depends} substvar that are recommended if
  you use debhelper (as you do) in the packaging; please add them.

Thanks for your work!





Added tag(s) pending. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Wed, 17 Feb 2010 12:42:10 GMT)

Reply sent to Kamal Mostafa <kamal@whence.com>: You have taken responsibility. (Thu, 18 Feb 2010 10:54:05 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Thu, 18 Feb 2010 10:54:05 GMT)

Message #39 received at 559814-close@bugs.debian.org:

From: Kamal Mostafa <kamal@whence.com>
To: 559814-close@bugs.debian.org
Subject: Bug#559814: fixed in hamlib 1.2.10-1
Date: Thu, 18 Feb 2010 10:47:24 +0000
Source: hamlib
Source-Version: 1.2.10-1

We believe that the bug you reported is fixed in the latest version of
hamlib, which is due to be installed in the Debian FTP archive:

hamlib_1.2.10-1.diff.gz
  to main/h/hamlib/hamlib_1.2.10-1.diff.gz
hamlib_1.2.10-1.dsc
  to main/h/hamlib/hamlib_1.2.10-1.dsc
hamlib_1.2.10.orig.tar.gz
  to main/h/hamlib/hamlib_1.2.10.orig.tar.gz
libhamlib++-dev_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib++-dev_1.2.10-1_amd64.deb
libhamlib-dev_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib-dev_1.2.10-1_amd64.deb
libhamlib-doc_1.2.10-1_all.deb
  to main/h/hamlib/libhamlib-doc_1.2.10-1_all.deb
libhamlib-utils_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib-utils_1.2.10-1_amd64.deb
libhamlib2++c2_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib2++c2_1.2.10-1_amd64.deb
libhamlib2-perl_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib2-perl_1.2.10-1_amd64.deb
libhamlib2-tcl_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib2-tcl_1.2.10-1_amd64.deb
libhamlib2_1.2.10-1_amd64.deb
  to main/h/hamlib/libhamlib2_1.2.10-1_amd64.deb
python-libhamlib2_1.2.10-1_amd64.deb
  to main/h/hamlib/python-libhamlib2_1.2.10-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559814@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kamal Mostafa <kamal@whence.com> (supplier of updated hamlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 16 Feb 2010 18:56:10 -0800
Source: hamlib
Binary: libhamlib2 libhamlib2++c2 libhamlib-dev libhamlib++-dev libhamlib2-perl libhamlib2-tcl python-libhamlib2 libhamlib-utils libhamlib-doc
Architecture: source amd64 all
Version: 1.2.10-1
Distribution: unstable
Urgency: low
Maintainer: Debian Hamradio Maintainers <debian-hams@lists.debian.org>
Changed-By: Kamal Mostafa <kamal@whence.com>
Description: 
 libhamlib++-dev - Development library to control radio transceivers and receivers
 libhamlib-dev - Development library to control radio transceivers and receivers
 libhamlib-doc - Documentation for the hamlib radio control library
 libhamlib-utils - Utilities to support the hamlib radio control library
 libhamlib2 - Run-time library to control radio transceivers and receivers
 libhamlib2++c2 - Run-time library to control radio transceivers and receivers
 libhamlib2-perl - Run-time library to control radio transceivers and receivers
 libhamlib2-tcl - Run-time library to control radio transceivers and receivers
 python-libhamlib2 - Run-time library to control radio transceivers and receivers
Closes: 556098 559814
Changes: 
 hamlib (1.2.10-1) unstable; urgency=low
 .
   * New upstream release.
   * New maintainer: Kamal Mostafa <kamal@whence.com> (Closes: #556098).
   * Use system libltdl not old internal copy CVE-2009-3736 (Closes: #559814):
     - Build-depend on libltdl3-dev
     - configure, Makefile.am, Makefile.in: skip internal libltdl build
   * Enable hamlib USB support: configure with LIBUSB_LIBS predefined.
   * Enable hamlib Tcl bindings: configure with --enable-tcl-binding.
   * Debian Standards-Version bump to 3.8.4.
   * Python 2.6 transition [Michael Bienia <geser@ubuntu.com>].
Checksums-Sha1: 
 6289a72f2169c0a22bcd5a50779040286b2b01d7 1310 hamlib_1.2.10-1.dsc
 c8ea2cafc8286805aa815d37e72857286db93d88 1799309 hamlib_1.2.10.orig.tar.gz
 dfc709540e46febb2025a314d75d0524372e79be 8408 hamlib_1.2.10-1.diff.gz
 1d02b29b722452ac3335a0ccf633121c3505e485 425488 libhamlib2_1.2.10-1_amd64.deb
 e77595d8aeea75d721326e3bc38edde5d2211cdb 21386 libhamlib2++c2_1.2.10-1_amd64.deb
 acbc6e1dbefe6fbaa21185770efad45a951a520a 461994 libhamlib-dev_1.2.10-1_amd64.deb
 8e06697fb547f624874e49da9e4965922241fc64 23278 libhamlib++-dev_1.2.10-1_amd64.deb
 280027055b9221034bdaa31aaf334fcc33f532e1 307412 libhamlib2-perl_1.2.10-1_amd64.deb
 2ee4cf83a875d3a8b10cf555dea024780e2ff779 333364 libhamlib2-tcl_1.2.10-1_amd64.deb
 61e180e6f8f7ad26a2e11454ab63612f82da04e0 294960 python-libhamlib2_1.2.10-1_amd64.deb
 c9463a8b0a7cb0a5da2c515c1a44a5538f4d90bb 137696 libhamlib-utils_1.2.10-1_amd64.deb
 67acbc5d09b5cbeaafa3c4f6613dd43c12514514 565614 libhamlib-doc_1.2.10-1_all.deb
Checksums-Sha256: 
 6a50831304050da3f7d3335c2c149e040767ff3c24a25ccbccaddfe932bd680a 1310 hamlib_1.2.10-1.dsc
 9b50825666519b0b86469f1988a0de09ce2ffc08fa221f9aa40d18c7b7f6c651 1799309 hamlib_1.2.10.orig.tar.gz
 7aaa80c13d8d6c566a6e6eab4ae3df742864f50bd46ad3ab385c513f258521c7 8408 hamlib_1.2.10-1.diff.gz
 d2ae7bbd304fb72033f5cdd75b7c41d2962e47322dc76b0d1211d169ea31b7ab 425488 libhamlib2_1.2.10-1_amd64.deb
 4aea434311b06e173846d81676f02253810549313b6678dde137d40f62047ece 21386 libhamlib2++c2_1.2.10-1_amd64.deb
 15f34f2c7f95b967132f51c6acf8d115e4a5c1a1c85edcce189f137c7872c504 461994 libhamlib-dev_1.2.10-1_amd64.deb
 987f61a74e4ba3b5bc0b75b5d3734d0513be75fa0ef37ab2177ec46088c3dd32 23278 libhamlib++-dev_1.2.10-1_amd64.deb
 512f1aaee79f4ff61c8f884e80d462880d2e974f89582ccd2d3b534188a26410 307412 libhamlib2-perl_1.2.10-1_amd64.deb
 8b16d7f20adc336571733688dad8a062c59e63967aa3a7dd4fdd75258b4d38b9 333364 libhamlib2-tcl_1.2.10-1_amd64.deb
 d0865ecf3d7e0f960dc918e6421710785fbeeb4667b337b32ce8b6b121308297 294960 python-libhamlib2_1.2.10-1_amd64.deb
 c0ac077661630dfe3e2d90548cc82e175f10c973ac5151a6ead661f75c8458f1 137696 libhamlib-utils_1.2.10-1_amd64.deb
 b0863f8c0557d2c6b4e5a333703683c4ad0db7d1b86a1569324d6e431cedc5a1 565614 libhamlib-doc_1.2.10-1_all.deb
Files: 
 aec8932c10c1dd9638a9db737005882e 1310 hamradio optional hamlib_1.2.10-1.dsc
 29f0d30779a8ffe0444eb523a6ad8344 1799309 hamradio optional hamlib_1.2.10.orig.tar.gz
 b83c46b72fad3ff9ce97977b407df85c 8408 hamradio optional hamlib_1.2.10-1.diff.gz
 1644484ada430798122723ec674eb27a 425488 libs optional libhamlib2_1.2.10-1_amd64.deb
 f2a595a6f93c444763fc0b7bc63d18d9 21386 libs optional libhamlib2++c2_1.2.10-1_amd64.deb
 1b96c7177149c4a83c1524292a236d08 461994 libdevel optional libhamlib-dev_1.2.10-1_amd64.deb
 d35a06c04645f67164d71f651f5263df 23278 libdevel optional libhamlib++-dev_1.2.10-1_amd64.deb
 42ab2de99b1ce504795c122ca00bb9cc 307412 perl optional libhamlib2-perl_1.2.10-1_amd64.deb
 854023b7f6a6966b67d0091e2f054c8f 333364 interpreters optional libhamlib2-tcl_1.2.10-1_amd64.deb
 522151484c8a9d4a17d0ebfd61881930 294960 python optional python-libhamlib2_1.2.10-1_amd64.deb
 348f0c5ef64462814a55573d9e056bf8 137696 hamradio optional libhamlib-utils_1.2.10-1_amd64.deb
 a80da727373e85d1aeeecdfa3e9085e1 565614 doc optional libhamlib-doc_1.2.10-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLe8Zm1cqbBPLEI7wRAol0AJ9agnEwDsZ+G9hnAyBaAv3n1kipJACfX9I0
p8K3RMc7W6tUkf4EsUBrPDU=
=G4RU
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Hamradio Maintainers <debian-hams@lists.debian.org>: Bug#559814; Package hamlib. (Thu, 02 Dec 2010 01:57:03 GMT)

Acknowledgement sent to Kamal Mostafa <kamal@whence.com>: Extra info received and forwarded to list. Copy sent to Debian Hamradio Maintainers <debian-hams@lists.debian.org>. (Thu, 02 Dec 2010 01:57:03 GMT)

Message #44 received at 559814@bugs.debian.org:

From: Kamal Mostafa <kamal@whence.com>
To: team@security.debian.org
Cc: Gunnar Wolf <gwolf@gwolf.org>, 559814@bugs.debian.org
Subject: hamlib: stable-security fix CVE-2009-3736
Date: Wed, 01 Dec 2010 17:55:02 -0800
Dear security team-

I'm the DM maintainer for the package 'hamlib' (I am also currently working
through the of becoming a DD).  Regarding this bug (a mass-filed CVE against
libtool):

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559814
    CVE-2009-3736 local privilege escalation

I fixed this problem for hamlib in unstable (and upstream) some time ago.
I have now constructed a fix package for hamlib in stable, for which I ask
permission to upload to stable-security.  The fix package has been
reviewed by Gunnar Wolf, who has kindly agreed to upload it pending
approval.

The affected package in stable (lenny) is

    hamlib (1.2.7.1-1)

My fix package bears the following changelog entry, which explains the
changes.  Note also that I updated the Maintainer/Uploaders/DM-Upload-Allowed
fields to reflect the current maintainer status for this package.

    hamlib (1.2.7.1-1+lenny1) stable-security; urgency=high

      * Fix CVE-2009-3736 local privilege escalation (Closes: #559814):
        - Use system libltdl not old internal copy
        - Build-depend on libltdl3-dev
        - configure, Makefile.am: skip internal libltdl build
      * New maintainer: Kamal Mostafa <kamal@whence.com> (Closes: #556098).

I have built and tested this fix on a fresh lenny system.

For your review, here is the debdiff (minus the re-generated files configure
and Makefile.in):

    http://www.whence.com/debian/proposed/hamlib+lenny1/hamlib+lenny1.patch

My fix packages are available here:

    http://www.whence.com/debian/proposed/hamlib+lenny1

Thanks,

 -Kamal


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Hamradio Maintainers <debian-hams@lists.debian.org>: Bug#559814; Package hamlib. (Thu, 02 Dec 2010 12:03:06 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Hamradio Maintainers <debian-hams@lists.debian.org>. (Thu, 02 Dec 2010 12:03:07 GMT)

Message #49 received at 559814@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Kamal Mostafa <kamal@whence.com>
Cc: team@security.debian.org, Gunnar Wolf <gwolf@gwolf.org>, 559814@bugs.debian.org
Subject: Re: hamlib: stable-security fix CVE-2009-3736
Date: Thu, 2 Dec 2010 12:58:57 +0100
Hi,
* Kamal Mostafa <kamal@whence.com> [2010-12-02 03:07]:
> Dear security team-
> 
> I'm the DM maintainer for the package 'hamlib' (I am also currently working
> through the of becoming a DD).  Regarding this bug (a mass-filed CVE against
> libtool):
> 
>     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559814
>     CVE-2009-3736 local privilege escalation
> 
> I fixed this problem for hamlib in unstable (and upstream) some time ago.
> I have now constructed a fix package for hamlib in stable, for which I ask
> permission to upload to stable-security.  The fix package has been
> reviewed by Gunnar Wolf, who has kindly agreed to upload it pending
> approval.
[...] 
This issue doesn't warrant a DSA. Could you please upload this to 
stable-proposed-updates[0]?

Cheers
Nico
[0] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Hamradio Maintainers <debian-hams@lists.debian.org>: Bug#559814; Package hamlib. (Fri, 03 Dec 2010 21:24:09 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Debian Hamradio Maintainers <debian-hams@lists.debian.org>. (Fri, 03 Dec 2010 21:24:09 GMT)

Message #54 received at 559814@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Nico Golde <nion@debian.org>, 559814@bugs.debian.org
Cc: Kamal Mostafa <kamal@whence.com>, team@security.debian.org, Gunnar Wolf <gwolf@gwolf.org>
Subject: Re: Bug#559814: hamlib: stable-security fix CVE-2009-3736
Date: Fri, 03 Dec 2010 21:10:57 +0000
Hi Kamal,

On Thu, 2010-12-02 at 12:58 +0100, Nico Golde wrote:
> This issue doesn't warrant a DSA. Could you please upload this to 
> stable-proposed-updates[0]?
> 
> Cheers
> Nico
> [0] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

I see that the updated package has now been uploaded.  At first glance
the diff looks okay, but for any future uploads please bear in mind the
Developers Reference section which Nico mentioned above, specifically
the request to discuss the upload on debian-release first and to ensure
that the SRMs are happy with the patch before uploading.

Thanks for your work on fixing this issue.

Regards,

Adam





Reply sent to Kamal Mostafa <kamal@whence.com>: You have taken responsibility. (Sat, 04 Dec 2010 01:57:06 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Sat, 04 Dec 2010 01:57:06 GMT)

Message #59 received at 559814-close@bugs.debian.org:

From: Kamal Mostafa <kamal@whence.com>
To: 559814-close@bugs.debian.org
Subject: Bug#559814: fixed in hamlib 1.2.7.1-1+lenny1
Date: Sat, 04 Dec 2010 01:56:00 +0000
Source: hamlib
Source-Version: 1.2.7.1-1+lenny1

We believe that the bug you reported is fixed in the latest version of
hamlib, which is due to be installed in the Debian FTP archive:

hamlib_1.2.7.1-1+lenny1.diff.gz
  to main/h/hamlib/hamlib_1.2.7.1-1+lenny1.diff.gz
hamlib_1.2.7.1-1+lenny1.dsc
  to main/h/hamlib/hamlib_1.2.7.1-1+lenny1.dsc
libhamlib++-dev_1.2.7.1-1+lenny1_amd64.deb
  to main/h/hamlib/libhamlib++-dev_1.2.7.1-1+lenny1_amd64.deb
libhamlib-dev_1.2.7.1-1+lenny1_amd64.deb
  to main/h/hamlib/libhamlib-dev_1.2.7.1-1+lenny1_amd64.deb
libhamlib-doc_1.2.7.1-1+lenny1_all.deb
  to main/h/hamlib/libhamlib-doc_1.2.7.1-1+lenny1_all.deb
libhamlib-utils_1.2.7.1-1+lenny1_amd64.deb
  to main/h/hamlib/libhamlib-utils_1.2.7.1-1+lenny1_amd64.deb
libhamlib2++c2_1.2.7.1-1+lenny1_amd64.deb
  to main/h/hamlib/libhamlib2++c2_1.2.7.1-1+lenny1_amd64.deb
libhamlib2-perl_1.2.7.1-1+lenny1_amd64.deb
  to main/h/hamlib/libhamlib2-perl_1.2.7.1-1+lenny1_amd64.deb
libhamlib2-tcl_1.2.7.1-1+lenny1_amd64.deb
  to main/h/hamlib/libhamlib2-tcl_1.2.7.1-1+lenny1_amd64.deb
libhamlib2_1.2.7.1-1+lenny1_amd64.deb
  to main/h/hamlib/libhamlib2_1.2.7.1-1+lenny1_amd64.deb
python-libhamlib2_1.2.7.1-1+lenny1_amd64.deb
  to main/h/hamlib/python-libhamlib2_1.2.7.1-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559814@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kamal Mostafa <kamal@whence.com> (supplier of updated hamlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 15 Nov 2010 10:54:26 -0800
Source: hamlib
Binary: libhamlib2 libhamlib2++c2 libhamlib-dev libhamlib++-dev libhamlib2-perl libhamlib2-tcl python-libhamlib2 libhamlib-utils libhamlib-doc
Architecture: source amd64 all
Version: 1.2.7.1-1+lenny1
Distribution: stable
Urgency: high
Maintainer: Debian Hamradio Maintainers <debian-hams@lists.debian.org>
Changed-By: Kamal Mostafa <kamal@whence.com>
Description: 
 libhamlib++-dev - Development library to control radio transceivers and receivers
 libhamlib-dev - Development library to control radio transceivers and receivers
 libhamlib-doc - Documentation for the hamlib radio control library
 libhamlib-utils - Utilities to support the hamlib radio control library
 libhamlib2 - Run-time library to control radio transceivers and receivers
 libhamlib2++c2 - Run-time library to control radio transceivers and receivers
 libhamlib2-perl - Run-time library to control radio transceivers and receivers
 libhamlib2-tcl - Run-time library to control radio transceivers and receivers
 python-libhamlib2 - Run-time library to control radio transceivers and receivers
Closes: 556098 559814
Changes: 
 hamlib (1.2.7.1-1+lenny1) stable; urgency=high
 .
   * Fix CVE-2009-3736 local privilege escalation (Closes: #559814):
     - Use system libltdl not old internal copy
     - Build-depend on libltdl3-dev
     - configure, Makefile.am: skip internal libltdl build
   * New maintainer: Kamal Mostafa <kamal@whence.com> (Closes: #556098).
Checksums-Sha1: 
 369d36064ff1f1cfa771d82d2d387e06b25b71e8 2088 hamlib_1.2.7.1-1+lenny1.dsc
 fb71ff4a416d1283d9731b56e54ee16cb1348c73 114869 hamlib_1.2.7.1-1+lenny1.diff.gz
 cd33b900914cc1da485bb8d29a4865322ac8b8d4 353016 libhamlib2_1.2.7.1-1+lenny1_amd64.deb
 07bb40103070e5525442613b4c023515154a6546 21486 libhamlib2++c2_1.2.7.1-1+lenny1_amd64.deb
 4a288e5333df03e521507e26e00fb55d3866f205 727048 libhamlib-dev_1.2.7.1-1+lenny1_amd64.deb
 87c7de3b7097c5022f49bbeff278fc9c06978dec 23886 libhamlib++-dev_1.2.7.1-1+lenny1_amd64.deb
 eef566a76c9875d4dfc1ea6eb3512323ce99acab 283488 libhamlib2-perl_1.2.7.1-1+lenny1_amd64.deb
 fed472c74e3bfbdc219275857bc0bc5611b05a1c 157716 libhamlib2-tcl_1.2.7.1-1+lenny1_amd64.deb
 55d4d4a5bf6381520c706bf592312b98419608c7 286936 python-libhamlib2_1.2.7.1-1+lenny1_amd64.deb
 f4c40b11be894c9ab95000a8c32043e43d1ae4cb 117018 libhamlib-utils_1.2.7.1-1+lenny1_amd64.deb
 1f889fb5a8216300c4ec01c869fd32087bc36c49 411492 libhamlib-doc_1.2.7.1-1+lenny1_all.deb
Checksums-Sha256: 
 9a3bc175f37e95bb30b0345b8c4001ceedbde922a22daeb38bfc3db913df92fc 2088 hamlib_1.2.7.1-1+lenny1.dsc
 377b0a99497964d6d42a346484b7687de26f60b7320041f3f909adb8dc02762e 114869 hamlib_1.2.7.1-1+lenny1.diff.gz
 54e2b0827b0162cfdbd6e6c89f0a178d4ab822b4ebbb4ba530968750a6b9b07a 353016 libhamlib2_1.2.7.1-1+lenny1_amd64.deb
 72b89fa8055e3de1ae7a967371a2d1762933a6ad90455127555a953441cebb9c 21486 libhamlib2++c2_1.2.7.1-1+lenny1_amd64.deb
 56f89218931c3912d4398fec6bd08393b6e5f1d0d877406825eea992e5dbc6be 727048 libhamlib-dev_1.2.7.1-1+lenny1_amd64.deb
 9d307c1659502f1599e726f3b24d21dc78b0a5fefbc7c052f303cffe66f46809 23886 libhamlib++-dev_1.2.7.1-1+lenny1_amd64.deb
 77fc84f10172703145d2cc5b352cb6ff4e2038b62fd917950cc02dcee5419931 283488 libhamlib2-perl_1.2.7.1-1+lenny1_amd64.deb
 699846b7a7ff7f9f5085881d04f1cc00b324c20494add887c58b7a0d9a7a82c5 157716 libhamlib2-tcl_1.2.7.1-1+lenny1_amd64.deb
 bbfd1884034903cbf7b390a48c8b0b305eaf680ded1e2b0b82af656f08139e32 286936 python-libhamlib2_1.2.7.1-1+lenny1_amd64.deb
 a612f9fc0421490c5706650df0d28852874d9d7ae205ed0ce95b90dcd638af33 117018 libhamlib-utils_1.2.7.1-1+lenny1_amd64.deb
 5cf9af528c51c412fc2febd8243b00d18038989b20ccc70918d0c2719d63e9bd 411492 libhamlib-doc_1.2.7.1-1+lenny1_all.deb
Files: 
 edc4325efa3f304562339a8a1aa24b78 2088 hamradio optional hamlib_1.2.7.1-1+lenny1.dsc
 5ec4adbb89ac4c7ad9e9588d0d16e95f 114869 hamradio optional hamlib_1.2.7.1-1+lenny1.diff.gz
 dbf093d3da1f846357f728fb93e87332 353016 libs optional libhamlib2_1.2.7.1-1+lenny1_amd64.deb
 e2080ddeb51a37c5e65af5eb8889d599 21486 libs optional libhamlib2++c2_1.2.7.1-1+lenny1_amd64.deb
 aeedb1796a52af0f2cebea74a9b34388 727048 libdevel optional libhamlib-dev_1.2.7.1-1+lenny1_amd64.deb
 7a0f20aae2227b2357d4d752cb8a3b8c 23886 libdevel optional libhamlib++-dev_1.2.7.1-1+lenny1_amd64.deb
 856c726abcc89aec014a6eea18283718 283488 perl optional libhamlib2-perl_1.2.7.1-1+lenny1_amd64.deb
 7f5e7f42d33af511b3a8c727a814da7f 157716 interpreters optional libhamlib2-tcl_1.2.7.1-1+lenny1_amd64.deb
 7f3d7636b3b1c422bd0174506fe5cf46 286936 python optional python-libhamlib2_1.2.7.1-1+lenny1_amd64.deb
 4eb5e8344e202249d149a25551993371 117018 hamradio optional libhamlib-utils_1.2.7.1-1+lenny1_amd64.deb
 1b5fef5ddf03b51b7ceda374643ec8d5 411492 doc optional libhamlib-doc_1.2.7.1-1+lenny1_all.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 23 Jan 2011 07:31:27 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Oct 14 17:59:51 2025; Machine Name: buxtehude