Debian Bug report logs - #654442
pu: package erlang/14.a-dfsg-3squeeze1

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Sergei Golovan <sgolovan@nes.ru>

Date: Tue, 3 Jan 2012 18:51:02 UTC

Severity: normal

Tags: squeeze

Fixed in version 6.0.4

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Tue, 03 Jan 2012 18:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 03 Jan 2012 18:51:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package erlang/14.a-dfsg-3squeeze1
Date: Tue, 03 Jan 2012 22:49:33 +0400
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

I'd like to fix CVE-2011-0766 (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628456 for details) in a
point update. The debdiff for a new version is attached.

-- System Information:
Debian Release: 6.0.3
  APT prefers proposed-updates
  APT policy: (990, 'proposed-updates'), (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
[erlang_14.a-dfsg-3_14.a-dfsg-3squeeze1.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Thu, 12 Jan 2012 18:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 12 Jan 2012 18:54:03 GMT) Full text and rfc822 format available.

Message #10 received at 654442@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: 654442@bugs.debian.org
Subject: Re: Bug#654442: pu: package erlang/14.a-dfsg-3squeeze1
Date: Thu, 12 Jan 2012 22:50:36 +0400
Ping?

Also, I've prepared a patch for oldstable.

-- 
Sergei Golovan
[erlang_12.b.3-dfsg-4_12.b.3-dfsg-4lenny1.diff (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Thu, 12 Jan 2012 20:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 12 Jan 2012 20:18:03 GMT) Full text and rfc822 format available.

Message #15 received at 654442@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Sergei Golovan <sgolovan@nes.ru>, 654442@bugs.debian.org
Subject: Re: Bug#654442: pu: package erlang/14.a-dfsg-3squeeze1
Date: Thu, 12 Jan 2012 21:15:18 +0100
On Tue, Jan  3, 2012 at 22:49:33 +0400, Sergei Golovan wrote:

[...]
> ++static ERL_NIF_TERM strong_rand_mpint_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
> ++{/* (Bytes, TopMask, BottomMask) */    
> ++    unsigned bits;
> ++    BIGNUM *bn_rand;
> ++    int top, bottom;
> ++    unsigned char* data;
> ++    unsigned dlen;
> ++    ERL_NIF_TERM ret;
> ++    if (!enif_get_uint(env, argv[0], &bits)
> ++        || !enif_get_int(env, argv[1], &top)
> ++        || !enif_get_int(env, argv[2], &bottom)) {
> ++        return enif_make_badarg(env);
> ++    }
> ++    if (! (top == -1 || top == 0 || top == 1) ) {
> ++        return enif_make_badarg(env);
> ++    }
> ++    if (! (bottom == 0 || bottom == 1) ) {
> ++        return enif_make_badarg(env);
> ++    }
> ++
> ++    bn_rand = BN_new();
> ++    if (! bn_rand ) {
> ++        return enif_make_badarg(env);

badarg seems a bit weird here, it's got nothing to do with its args?

> ++    }
> ++
> ++    /* Get a (bits) bit random number */
> ++    if (!BN_rand(bn_rand, bits, top, bottom)) {
> ++        ret = atom_false;
> ++    }
> ++    else {
> ++        /* Copy the bignum into an erlang mpint binary. */
> ++        dlen = BN_num_bytes(bn_rand);
> ++        data = enif_make_new_binary(env, dlen+4, &ret);
> ++        put_int32(data, dlen);
> ++        BN_bn2bin(bn_rand, data+4);
> ++        ERL_VALGRIND_MAKE_MEM_DEFINED(data+4, dlen);
> ++    }
> ++    BN_free(bn_rand);
> ++
> ++    return ret;
> ++}
> + 
> + static int get_bn_from_mpint(ErlNifEnv* env, ERL_NIF_TERM term, BIGNUM** bnp)
> + {
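
Review bot: `bits` in strong_rand_mpint_nif is read with enif_get_uint and handed to BN_rand with no upper bound, although BN_rand takes its bit count as an int, so a value above INT_MAX changes sign on the way in and any accepted value sizes the `dlen+4` binary directly. Suggest rejecting out-of-range `bits` with enif_make_badarg next to the existing `top` and `bottom` checks. The header comment says `(Bytes, TopMask, BottomMask)` while the first argument is used as a bit count, so it should read Bits. The two failure paths also disagree: a BN_new failure returns badarg while a BN_rand failure returns atom_false.
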
[...]
> +--- erlang-14.a-dfsg.orig/lib/ssh/src/ssh_bits.erl
> ++++ erlang-14.a-dfsg/lib/ssh/src/ssh_bits.erl
> +@@ -34,7 +34,7 @@
> + %% integer utils
> + -export([isize/1]).
> + -export([irandom/1, irandom/3]).
> +--export([random/1, random/3]).
> ++-export([random/1]).
> + -export([xor_bits/2, fill_bits/2]).
> + -export([i2bin/2, bin2i/1]).
> + 
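
Review bot: dropping random/3 from the `-export` list of ssh_bits changes the module's public interface in a stable point update, and this hunk shows only the export line, not the function body or any caller. Before upload, confirm with xref (or a grep over lib/ssh) that nothing calls ssh_bits:random/3, and record the removal in the changelog entry so users with out-of-tree callers can find it. irandom/3 stays exported, so it is worth checking that it no longer depends on the removed function.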

Am I reading this right that random/3 gets unexported?  Is this safe
(i.e. are you sure this was always unused)?

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Fri, 13 Jan 2012 05:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 13 Jan 2012 05:30:03 GMT) Full text and rfc822 format available.

Message #20 received at 654442@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: Julien Cristau <jcristau@debian.org>, 654442@bugs.debian.org
Subject: Re: Bug#654442: pu: package erlang/14.a-dfsg-3squeeze1
Date: Fri, 13 Jan 2012 09:27:21 +0400
On Fri, Jan 13, 2012 at 12:15 AM, Julien Cristau <jcristau@debian.org> wrote:
> On Tue, Jan  3, 2012 at 22:49:33 +0400, Sergei Golovan wrote:
>> ++    bn_rand = BN_new();
>> ++    if (! bn_rand ) {
>> ++        return enif_make_badarg(env);
>
> badarg seems a bit weird here, it's got nothing to do with its args?

It's a copy&paste from https://github.com/erlang/otp/commit/f228601de45c5

The behavior is the same as in the current Erlang versions (14.b.4 in
wheezy, 15.b in sid).

>> + -export([irandom/1, irandom/3]).
>> +--export([random/1, random/3]).
>> ++-export([random/1]).
>> + -export([xor_bits/2, fill_bits/2]).
>> + -export([i2bin/2, bin2i/1]).
>> +
>
> Am I reading this right that random/3 gets unexported?  Is this safe
> (i.e. are you sure this was always unused)?

Yes, random/3 was never called outside ssh_bits module. The patch not
only unexports it but also removes it completely.

-- 
Sergei Golovan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Fri, 13 Jan 2012 19:36:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 13 Jan 2012 19:36:06 GMT) Full text and rfc822 format available.

Message #25 received at 654442@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Sergei Golovan <sgolovan@nes.ru>, 654442@bugs.debian.org
Subject: Re: Bug#654442: pu: package erlang/14.a-dfsg-3squeeze1
Date: Fri, 13 Jan 2012 20:34:03 +0100
On Fri, Jan 13, 2012 at 09:27:21 +0400, Sergei Golovan wrote:

> Yes, random/3 was never called outside ssh_bits module. The patch not
> only unexports it but also removes it completely.
> 
Alright, please go ahead with the upload then.

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Fri, 13 Jan 2012 19:39:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 13 Jan 2012 19:39:06 GMT) Full text and rfc822 format available.

Message #30 received at 654442@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: Julien Cristau <jcristau@debian.org>
Cc: 654442@bugs.debian.org
Subject: Re: Bug#654442: pu: package erlang/14.a-dfsg-3squeeze1
Date: Fri, 13 Jan 2012 23:36:27 +0400
On Fri, Jan 13, 2012 at 11:34 PM, Julien Cristau <jcristau@debian.org> wrote:
> On Fri, Jan 13, 2012 at 09:27:21 +0400, Sergei Golovan wrote:
>
>> Yes, random/3 was never called outside ssh_bits module. The patch not
>> only unexports it but also removes it completely.
>>
> Alright, please go ahead with the upload then.

Does it make sense to upload into oldstable also?

-- 
Sergei Golovan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Fri, 13 Jan 2012 20:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 13 Jan 2012 20:42:03 GMT) Full text and rfc822 format available.

Message #35 received at 654442@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: Julien Cristau <jcristau@debian.org>
Cc: 654442@bugs.debian.org
Subject: Re: Bug#654442: pu: package erlang/14.a-dfsg-3squeeze1
Date: Sat, 14 Jan 2012 00:39:49 +0400
On Fri, Jan 13, 2012 at 11:34 PM, Julien Cristau <jcristau@debian.org> wrote:
> Alright, please go ahead with the upload then.

Done.

-- 
Sergei Golovan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Sat, 14 Jan 2012 10:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 14 Jan 2012 10:42:12 GMT) Full text and rfc822 format available.

Message #40 received at 654442@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Sergei Golovan <sgolovan@nes.ru>, 654442@bugs.debian.org
Subject: Re: Bug#654442: pu: package erlang/14.a-dfsg-3squeeze1
Date: Sat, 14 Jan 2012 11:38:37 +0100
On Fri, Jan 13, 2012 at 23:36:27 +0400, Sergei Golovan wrote:

> On Fri, Jan 13, 2012 at 11:34 PM, Julien Cristau <jcristau@debian.org> wrote:
> > On Fri, Jan 13, 2012 at 09:27:21 +0400, Sergei Golovan wrote:
> >
> >> Yes, random/3 was never called outside ssh_bits module. The patch not
> >> only unexports it but also removes it completely.
> >>
> > Alright, please go ahead with the upload then.
> 
> Does it make sense to upload into oldstable also?
> 
I'm not sure it's worth it at this point, with oldstable being EOL in
less than a month.

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Sat, 14 Jan 2012 11:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 14 Jan 2012 11:18:04 GMT) Full text and rfc822 format available.

Message #45 received at 654442@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: Julien Cristau <jcristau@debian.org>, 654442@bugs.debian.org
Subject: Re: Bug#654442: pu: package erlang/14.a-dfsg-3squeeze1
Date: Sat, 14 Jan 2012 15:16:29 +0400
On Sat, Jan 14, 2012 at 2:38 PM, Julien Cristau <jcristau@debian.org> wrote:
> On Fri, Jan 13, 2012 at 23:36:27 +0400, Sergei Golovan wrote:
>>
>> Does it make sense to upload into oldstable also?
>>
> I'm not sure it's worth it at this point, with oldstable being EOL in
> less than a month.

Okay then.

-- 
Sergei Golovan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#654442; Package release.debian.org. (Sat, 14 Jan 2012 12:49:00 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 14 Jan 2012 12:49:20 GMT) Full text and rfc822 format available.

Message #50 received at 654442@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Sergei Golovan <sgolovan@nes.ru>, 654442@bugs.debian.org
Cc: Julien Cristau <jcristau@debian.org>
Subject: Re: Bug#654442: pu: package erlang/14.a-dfsg-3squeeze1
Date: Sat, 14 Jan 2012 12:39:54 +0000
tag 654442 + squeeze pending
thanks

On Sat, 2012-01-14 at 00:39 +0400, Sergei Golovan wrote:
> On Fri, Jan 13, 2012 at 11:34 PM, Julien Cristau <jcristau@debian.org> wrote:
> > Alright, please go ahead with the upload then.
> 
> Done.

Flagged for acceptance; thanks.

Regards,

Adam





Added tag(s) squeeze and pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 14 Jan 2012 12:49:51 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 6.0.4, send any further explanations to Sergei Golovan <sgolovan@nes.ru> Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 28 Jan 2012 14:06:51 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Feb 2012 07:35:30 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:31:42 2014; Machine Name: beach.debian.org
