Search Results: "yadi"

LTS This is my sixth month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs

DLA 2742-1 ffmpeg_7:3.2.15-0+deb9u3

CVE-2020-22036: A heap-based Buffer Overflow vulnerability in filter_intra at libavfilter/vf_bwdif.c, which might lead to memory corruption and other potential consequences.

CVE-2020-22032: A heap-based Buffer Overflow vulnerability in gaussian_blur, which might lead to memory corruption and other potential consequences.

CVE-2020-22031: A Heap-based Buffer Overflow vulnerability in filter16_complex_low, which might lead to memory corruption and other potential consequences.

CVE-2020-22028: Buffer Overflow vulnerability in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote Denial of Service.

CVE-2020-22026: Buffer Overflow vulnerability exists in the config_input function at libavfilter/af_tremolo.c, which could let a remote malicious user cause a Denial of Service.

CVE-2020-22025: A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences.

CVE-2020-22023: A heap-based Buffer Overflow vulnerabililty exists in filter_frame at libavfilter/vf_bitplanenoise.c, which might lead to memory corruption and other potential consequences.

CVE-2020-22022: A heap-based Buffer Overflow vulnerability exists in filter_frame at libavfilter/vf_fieldorder.c, which might lead to memory corruption and other potential consequences.

CVE-2020-22021: Buffer Overflow vulnerability at filter_edges function in libavfilter/vf_yadif.c, which could let a remote malicious user cause a Denial of Service.

CVE-2020-22020: Buffer Overflow vulnerability in the build_diff_map function in libavfilter/vf_fieldmatch.c, which could let a remote malicious user cause a Denial of Service.

CVE-2020-22016: A heap-based Buffer Overflow vulnerability at libavcodec/get_bits.h when writing .mov files, which might lead to memory corruption and other potential consequences.

CVE-2020-22015: Buffer Overflow vulnerability in mov_write_video_tag due to the out of bounds in libavformat/movenc.c, which could let a remote malicious user obtain sensitive information, cause a Denial of Service, or execute arbitrary code.

CVE-2020-21041: Buffer Overflow vulnerability exists via apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote malicious user cause a Denial of Service

CVE-2021-3566: The tty demuxer did not have a read_probe function assigned to it. By crafting a legitimate ffconcat file that references an image, followed by a file the triggers the tty demuxer, the contents of the second file will be copied into the output file verbatim (as long as the `-vcodec copy` option is passed to ffmpeg).

CVE-2021-38114: libavcodec/dnxhddec.c does not check the return value of the init_vlc function. Crafted DNxHD data can cause unspecified impact.

DLA 2742-2 ffmpeg_7:3.2.15-0+deb9u4 During the backporting of one of patches in CVE-2020-22021 one line was wrongly interpreted and it caused the regression during the deinterlacing process. Thanks to Jari Ruusu for the reporting the issue and for the testing of prepared update.

LTS-Meeting

I attended the Debian LTS team Jitsi-meeting (though the connection was extremely bad).

Partly participated in preparation of Debconf21 BoF Funding Projects to Improve Debian .

Debian Science Team

Partly participated in Debconf21 Debian Science BoF.

Other FLOSS activities

Reviewed many merge requests in Yade open source project, merge some of them.

Multithreading continues to be hard (although the alternatives are not really a lot better). While debugging a user issue in Nageru, I found and fixed a few races (mostly harmless in practice, though) in my own code, but also two issues that I filed patches for in Mesa. But that's not enough, it seems; there are still issues that are too subtle for me to figure out on-the-fly. But at least with those patches, I can use interlaced video sources in Nageru on Intel GPUs without segfaulting pretty much immediately. My laptop's GPU isn't fast enough to actually run the YADIF interlacer realtime in 1080p60, though, but it's nice at least not take the program down. (These things are super-sensitive to timing, of course, which is probably why I didn't see them when developing the feature a year or so ago.) As usual, NVIDIA's proprietary drivers seem to be near-flawless in this regard. I'm starting to think maybe it's about massive amounts of QA resources.

What happened in the reproducible builds effort this week: Toolchain fixes

Robert Luberda uploaded ispell/3.4.00-4 which fixes another issue with uninitialized memory in ispell hashes. Original patch by Valentin Lorentz.
Robert Luberda uploaded man2html/1.6g-8 which adds support for SOURCE_DATE_EPOCH. Original patch by akira.
gregor herrmann uploaded libdebian-copyright-perl/0.2-3 which sorts copyright files for deterministic ordering. Original patch by Reiner Herrmann.
Rafael Laboissiere uploaded octave-pkg-dev/1.3.2 which normalizes the name of the temporary build directory. This doesn't seem to be enough to make Octave packages reproducible just yet, though.
Nicolas Boulenguez uploaded gprbuild/2015-1 which sets a deterministic date to the generated source.

Packages fixed The following packages became reproducible due to changes in their build dependencies: maven-plugin-tools, norwegian, ocaml-melt, python-biom-format, rivet. The following packages became reproducible after getting fixed:

apache2/2.4.17-1 by Stefan Fritsch.
autogen/1:5.18.6-3 by Andreas Metzler.
debian-timeline/37 by Chris Lamb.
fonty-rg/0.6 uploaded by Radovan Garab k, original patch by Chris Lamb.
foxeye/0.10.2-2 by Andriy Grytsenko.
hsqldb/2.3.3+dfsg2-1 by Markus Koschany.
jasperreports/6.1.1+dfsg-1 uploaded by Markus Koschany, fix by Emmanuel Bourg.
libmath-base-convert-perl/0.11-2 uploaded by Salvatore Bonaccorso, original patch by Reiner Herrmann.
libsdl2-gfx/1.0.1+dfsg-2 uploaded by Manuel A. Fernandez Montecelo, original patch by Reiner Herrmann.
libsdl2/2.0.2+dfsg1-8 uploaded by Gianfranco Costamagna, patch by Reiner Herrmann.
linux/4.2.5-1 by Ben Hutchings.
litl/0.1.7+dfsg-1 by Samuel Thibault, original patch by Chris Lamb.
python-keystoneclient/1:1.7.1-4 by Thomas Goirand.
sphinxbase/0.8+5prealpha-1 by Samuel Thibault.
tatan/1.0.dfsg1-6 uploaded by Markus Koschany, original patch by Reiner Herrmann.
v4l2loopback/0.9.1-4 uploaded by IOhannes m zm lnig, original patch.
yadifa/2.1.4-2 uploaded by Markus Schade, original patch by Reiner Herrmann.

Some uploads fixed some reproducibility issues but not all of them:

lcov/1.12-2 by Alastair McKinstry, original patch by Reiner Herrmann.
libsdl1.2/1.2.15-12 uploaded by Manuel A. Fernandez Montecelo, original patch by Reiner Herrmann.
metview/4.5.7-1 by Alastair McKinstry.
mumble/1.2.10-2 by Christopher Knadle.

The following package is currently failing to build from source but should now be reproducible:

p4vasp/0.3.29+dfsg-2 uploaded by Graham Inggs, original patch by Reiner Herrmann.

Patches submitted which have not made their way to the archive yet:

#803501 on fdroidserver by Reiner Herrmann: add support for SOURCE_DATE_EPOCH to docs/gendocs.sh and normalizes tarball permissions. Sent upstream.
#803547 on bbswitch by Reiner Herrmann: tell tar to normalize the permissions.
#803583 on ndiswrapper by Reiner Herrmann: tell tar to normalize the permissions.
#803601 on xtables-addons by Reiner Herrmann: tell tar to normalize the permissions.
#803603 on usb-modeswitch-data by Reiner Herrmann: tell tar to normalize the permissions.

reproducible.debian.net A quick update on current statistics: testing is at 85% of packages tested reproducible with our modified packages, unstable on armhf caught up with amd64 with 80%. The schroot name used for running diffoscope when testing OpenWrt, NetBSD, Coreboot, and Arch Linux has been fixed. (h01ger, Mattia Rizzolo) Documentation update Paul Gevers documented timestamps in unit files created by the Free Pascal Compiler. reproducible-builds.org is now live. It contains a comprehensive documentation on all aspects that have been identified so far of what we call reproducible builds . It makes room for pointers to projects working on reproducible builds, news, dedicated tools, and community events. Package reviews 206 reviews have been removed, 171 added and 196 updated this week. Chris Lamb reported 28 failing to build from source issues. New issues identified this week: timestamps_in_pdf_content, different_encoding_in_html_by_docbook_xsl, timestamps_in_ppu_generated_by_fpc, method_may_never_be_called_in_documentation_generated_by_javadoc. Misc. Andrei Borzenkov has proposed a fix for uninitialized memory in GRUB's mkimage. Uninitialized memory is one source of hard to track down reproducibility errors. Holger Levsen presented the efforts on reproduible builds at Festival de Software Libre in Puerto Vallarta, Mexico.

What happened in the reproducible builds effort this week: Media coverage Motherboard published an article on the project inspired by the talk at the Chaos Communication 15. Journalists sadly rarely pick their headlines. The sensationalist How Debian Is Trying to Shut Down the CIA got started a few rants here and there. One from OpenBSD developper Ted Unangst lead to a good email contact and some thorough comments. Toolchain fixes

Emmanuel Bourg uploaded maven-ant-helper/7.11 which improved the reproducibility of the Javadoc by removing the timestamps and using the English locale.
Thomas Schmitt uploaded libisoburn/1.4.0-2 which adds to the ISO image creator xorriso new flags for -alter_date to avoid update ctimes. Report by Daniel Kahn Gillmor.
Florian Schlichting uplodaded libmodule-build-perl/0.421400-2 which makes linked file ordering deterministic. Original patch by Niko Tyni.

The modified version of gettext has been removed from the experimental toolchain. Fixing individual package seems a better approach for now. Chris Lamb sent two patches for abi-compliance-checker: one to drop the timestamp from generated HTML reports and another to make umask and timestamps deterministic in the abi tarball. Bugs submitted by Dhole lead to a discussion on the best way to adapt pod2man now that we have SOURCE_DATE_EPOCH specified. There is really a whole class of issues that are currently undiscovered waiting for tests running on a different date. This is likely to should happen soon. Chris Lamb uploaded a new version of debhelper in the reproducible repository, cherry-picking a fix for interactions between ddebs and udebs. Packages fixed The following packages became reproducible due to changes in their build dependencies: aspic, django-guardian, erlang-sqlite3, etcd, libnative-platform-java, mingw-ocaml, nose2, oar, obexftp, py3cairo, python-dugong, python-secretstorage, python-setuptools, qct, qdox, recutils, s3ql, wine. The following packages became reproducible after getting fixed:

bochs/2.6-4 by Santiago Vila.
codec2/0.4-3 by A. Maitland Bottoms.
coquelicot/0.9.4-1 by Lunar.
criticalmass/1:1.0.0-3 by Santiago Vila.
ekg/1:1.9~pre+r2855-3 by Santiago Vila.
eterm/0.9.6-3 by Santiago Vila.
fbi/2.10-2 by Moritz Muehlenhoff.
fsvs/1.2.6-2 by Santiago Vila.
glhack/1.2-3 by Santiago Vila.
httraqt/1.4.6-2 by Anton Gladky.
libapache-authznetldap-perl/0.07-6 by gregor herrmann, original patch by Dhole.
libkinosearch1-perl/1.01-3 uploaded by Florian Schlichting, original patch by Niko Tyni.
liblucy-perl/0.3.3-6 uploaded by Florian Schlichting, original patch by Niko Tyni.
slony1-2/2.2.4-1 by Christoph Berg.
slrn/1.0.2-3 uploaded by Moritz Muehlenhoff, original patch by Dmitry Bogatov.
svtplay-dl/0.10.2015.08.24-1 uploaded by Olof Johansson, fixed upstream.
swh-plugins/0.4.15+1-8 uploaded by Jarom r Mike , original patch by Chris Lamb.
sysstat/11.1.6-2 uploaded by Robert Luberda, original patch by Chris Lamb.
uhd/3.9.0-3 by A. Maitland Bottoms.
volk/1.1-3 by A. Maitland Bottoms.
yadifa/2.1.3-2 uploaded by Markus Schade, original patch by Santiago Vila.

Some uploads fixed some reproducibility issues but not all of them:

dict-jargon/4.4.7-3 uploaded by Ruben Molina, original patch by Dhole.
ferret-vis/6.9.3-3 uploaded by Alastair McKinstry, original patch by Chris Lamb.

Patches submitted which have not made their way to the archive yet:

#798366 on lilo by Dmitry Bogatov: remove usage of __TIME__ and __DATE__ macros.
#798557 on libapache-dbi-perl by Dhole: set date of the manpage to the latest debian/changelog entry.
#798776 on testdisk by upstream!

reproducible.debian.net The configuration of all remote armhf and amd64 nodes in now finished. The remaining reproducibility tests running on the Jenkins host has been removed. armhf results and graphs are now visible in dashboard. We can now test the whole archive in 2-3 weeks using the current 12 amd64 jobs and 3 months using the current 6 armhf builders. We will be looking at improving the armhf sitation, maybe using more native systems or via arm64. (h01ger) The Jenkins UI is now more responsive since all jobs building packages have been moved to remote hosts. (h01ger) A new job has been added to collect information about build nodes to be included in the variation table. (h01ger) The currently scheduled page has been split for amd64 and armhf. They now give an overview (refreshed every minute, thanks to Chris Lamb) of the packages currently being tested. (h01ger) Several cleanup and bugfixes have been made, especially in the remote building and maintenance scripts. They should now be more robust against network problems. The automatic scheduler is now also run closer to when schroots and pbuilders are updated. (h01ger, mapreri) Package reviews 16 reviews have been removed, 54 added and 55 updated this week. Santiago Vila renamed lc_messages_randomness with the more descriptive different_pot_creation_date_in_gettext_mo_files. New issues added this week: timestamps_in_reports_generated_by_abi_compliance_checker, umask_and_timestamp_variation_in_tgz_generated_by_abi_compliance_checker, and timestamps_added_by_blast2. 23 new FTBFS bugs have been filled by Chris Lamb, and Niko Tyni. Misc. Red Hat developper Mike McLean had a talk at Flock 2015 about reproducible builds in Koji. Slides and video recording are available. Koji is the build infrastructure used by Fedora, Red Hat and other distributions. It already keeps track of the environment used for a given build, so the required changes for handling the environment are smaller than the ones in Debian. Fedora is still missing a team effort to fix non-determinism in the package builds, but it is great to see Fedora moving forward.

* LDTP (aka Linux Desktop Testing Project) has released 0.9.0. Download it. Debian packages will be there soon (temporary at mentors). * Ayttm 0.5.0+10 is in Debian too! I have changed upstream minor version from -10 to +10 to avoid confusion with Debian revision number. Thanks to mones for upload and tips. * Late but, we submitted joint proposal for Project Days at Foss.in for ‘Debian and Ubuntu‘. I hope that it will be accepted and we will have great time/fun. Thanks to Teknofreak, Soumyadip and others for help in drafting proposal.

* As Jaldhar announced at Debian-IN mailing list, Ikiwiki has been setup (obvious, by him only!) on Debian-IN Page. Still some minor issue need to be solved (Unfortunately, I know only very basic of perl!). You can login with your Alioth username and can change relevant things there. Today, I updated aspell-bn,or,pa,ta,te packages (~~upload due~~), And made it Lintian-Free for Debian-IN Packages

(And yes, Thanks to Soumyadip) Update: Jaldhar’s mail hit to mailing-list after my blog post. Here it is.

Gar! It looks like life's not so rosy after all with this blog. YULblog, the Montreal blog aggregator, apparently uses TrackBack for updating the aggregator. So I'm going to have to build some kind of trackback system into WiLiKi. At some point I should probably collect my customizations for WiLiKi into a nice WikiBlog? add-on -- but there's still a lot Todo before that'd be ready. On the same subject, it seems that I'm getting more and more frequent WikiSpam on the About This Site page. I'm going to have to start instituting some anti-spam measures. Using regexps to refuse submissions with blacklisted URLs works very well for Wikitravel (see wt:Wikitravel:Spam filter), so I'm tempted to try it here. tag: wiliki trackback yulblog aggregator wikispam wikitravel spam filter

Piknik missed We were going to head to Piknic Electronik yesterday -- we had a great time a few weeks ago, and Piknik is such a harbinger of Montreal summer -- but Amita June is going through some freaky personal schedule issues, and she wouldn't take an afternoon nap. By the time to leave for the Parc, she was wiggin' out from sleep deprivation, and we couldn't really force her to go out to the island and dance to big fun beats. Which was kind of a bummer, since our friends Meg and Patti were out there, and it would have been good to see them. They came by on Friday night for Pizza Night Chez les Bads, and we talked about Ignition 2006 (yes, Montreal Burners, it is going to happen... I think) and kids and dancing and weddings and fun. Amita June and Meg get along like gang-busters; they have a lot of fun together. So instead of going out to the Island Amita June and I went across the street to Parc La Fontaine and played in the baby pools right next to the playground. How is that for lucky? We have two huge pools, about 18 inches deep, right across the street, next to the baby playground. Oh, and there's a good bar a block and a half away. This is the greatest apartment ever. We moved in this time last year, and I feel so at home here now. So many important things have happened to us in the last year -- Amita June, Wikitravel -- and this apartment has been a part of it. We're going to look for a house to buy in the fall, but right now this feels like home. tag: 1481 rue rachel parc la fontaine amitajune pizza night meg patti piknik electronik parc jean drapeau montreal home

Two months I almost forgot that it's my two-month blogiversary. Yes, I just made that word up. And it's months in the French Revolutionary Calendar, not, like, real months. But close. tag: french revolutionary calendar blogs

My mom For those of you who asked: yes, my Mom's doing great. She was bit by a rattlesnake last week (!), but now she's back on her feet, the swelling is down, and she's doing all the stuff she did before. Good for her; she's pretty resilient. tag: mom rattlesnake recovery bite

Microburst I now officially have a new phobia, since a Quebec woman was recently killed in her trailer by a microburst. Apparently a wp:microburst is a localized gust of wind that can reach speeds of 100 kph, kind of like a tornado. Unlike a tornado, a microburst doesn't spin around -- it goes straight down. It's usually accompanied by rain, and can be devastating. These freak winds happen several times a year in Quebec. Great. tags: quebec microburst death trailer wind

OpenID My current work project is enabling single-signon for all the language versions of Wikitravel. My preferred method for this is OpenID, since it will allow sign-on not only to Wikitravel language versions, but in the future other sites as well. So I'm writing an extension for MediaWiki to allow logging in to MediaWiki with an OpenID URL, and for making MW an authentication server for other sites. I realize this is a little roundabout for Wikitravel's needs, but for interfacing with new partner World66, as well as other MW sites like Wikipedia or Wikia servers, it'd be fantastic. I'm using the great OpenID Enabled libraries from JanRain. They're working out pretty well, although they're a little flaky around the Yadis edges. Given that I don't really care about Yadis -- sorry, LID and inames -- having to deal with those errors is pretty annoying. Even so, I managed to get a working consumer-side system going today. It was pretty exciting logging into my development machine for the first time with an OpenID, and having it work. Hooray for OpenID! tags: openid mediawiki php lid openid enabled inames yadis wikitravel

I've got a IBM Thinkpad R50e. It's a very nice laptop, with a lovely keyboard. It does, however, have one farily large issue, as I discovered last night.
The control and alt keys are a little too easy to press at the same time. Therefore, it's very easy to press ctrl+alt+backspace when you've just spent an hour creating some minutes for a SPI board meeting and haven't saved your changes yet.

So, thanks to Priyadi Iman Nurcahyo's blog, I've added this to /etc/X11/xorg.conf:

Section "Serverflags"
Option "DontZap"      "yes"
EndSection

Section "Serverflags"
Option "DontZap"      "yes"
EndSection