Bug#780154: marked as done (unblock: oss4/4.2-build2010-2)

To: Ivo De Decker <ivodd@debian.org>
Subject: Bug#780154: marked as done (unblock: oss4/4.2-build2010-2)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Mon, 09 Mar 2015 22:57:10 +0000
Message-id: <[🔎] handler.780154.D780154.142594159824609.ackdone@bugs.debian.org>
References: <20150309225310.GB23708@ugent.be> <[🔎] 20150309212221.GA14280@type.youpi.perso.aquilenet.fr>

Your message dated Mon, 9 Mar 2015 23:53:11 +0100
with message-id <20150309225310.GB23708@ugent.be>
and subject line Re: Bug#780154: unblock: oss4/4.2-build2010-2
has caused the Debian Bug report #780154,
regarding unblock: oss4/4.2-build2010-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780154
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: oss4/4.2-build2010-2
From: Samuel Thibault <sthibault@debian.org>
Date: Mon, 9 Mar 2015 22:22:21 +0100
Message-id: <[🔎] 20150309212221.GA14280@type.youpi.perso.aquilenet.fr>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package oss4

A security issue was filed against the usb drivers contained in the oss4
package, and was pung again late January as #775662, but maintainers of
that part of the package didn't seem to have discussed with upstream
about it.  Considering how many issues there are in there, I tend not to
trust the module at all.  In upload oss4/4.2-build2010-2, I have thus
just disabled the usb module, see attached debdiff.

unblock oss4/4.2-build2010-2

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

-- 
Samuel
<A>  mr  -  remove the home of correct users who accidentally enter mr
<A>        instead of rm

diff -Nru oss4-4.2-build2010/debian/changelog oss4-4.2-build2010/debian/changelog
--- oss4-4.2-build2010/debian/changelog	2014-11-22 16:22:36.000000000 +0100
+++ oss4-4.2-build2010/debian/changelog	2015-03-09 20:27:33.000000000 +0100
@@ -1,3 +1,10 @@
+oss4 (4.2-build2010-2) unstable; urgency=medium
+
+  * Disable USB drivers, which insufficiently validate USB device descriptors.
+    (Closes: #775662)
+
+ -- Samuel Thibault <sthibault@debian.org>  Mon, 09 Mar 2015 20:16:31 +0100
+
 oss4 (4.2-build2010-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru oss4-4.2-build2010/debian/oss4-dkms.dkms.in oss4-4.2-build2010/debian/oss4-dkms.dkms.in
--- oss4-4.2-build2010/debian/oss4-dkms.dkms.in	2014-10-23 22:47:36.000000000 +0200
+++ oss4-4.2-build2010/debian/oss4-dkms.dkms.in	2015-03-09 20:07:55.000000000 +0100
@@ -1,7 +1,7 @@
 PACKAGE_NAME="oss4"
 PACKAGE_VERSION="_VERSION_"
 BUILT_MODULE_NAME[0]="osscore"
-BUILT_MODULE_NAME[1]="oss_usb"
+BUILT_MODULE_NAME[1]="oss_sbpci"
 BUILT_MODULE_NAME[2]="oss_sbxfi"
 BUILT_MODULE_NAME[3]="oss_via823x"
 BUILT_MODULE_NAME[4]="oss_geode"
@@ -31,7 +31,8 @@
 BUILT_MODULE_NAME[28]="oss_audiopci"
 BUILT_MODULE_NAME[29]="oss_ymf7xx"
 BUILT_MODULE_NAME[30]="oss_cmpci"
-BUILT_MODULE_NAME[31]="oss_sbpci"
+# This module insufficiently validates USB device descriptors, thus disabled.
+#BUILT_MODULE_NAME[31]="oss_usb"
 BUILT_MODULE_LOCATION[0]="core/"
 BUILT_MODULE_LOCATION[1]="drivers/"
 BUILT_MODULE_LOCATION[2]="drivers/"
@@ -63,7 +64,7 @@
 BUILT_MODULE_LOCATION[28]="drivers/"
 BUILT_MODULE_LOCATION[29]="drivers/"
 BUILT_MODULE_LOCATION[30]="drivers/"
-BUILT_MODULE_LOCATION[31]="drivers/"
+#BUILT_MODULE_LOCATION[31]="drivers/"
 DEST_MODULE_LOCATION[0]="/updates/dkms/"
 DEST_MODULE_LOCATION[1]="/updates/dkms/"
 DEST_MODULE_LOCATION[2]="/updates/dkms/"
@@ -95,7 +96,7 @@
 DEST_MODULE_LOCATION[28]="/updates/dkms/"
 DEST_MODULE_LOCATION[29]="/updates/dkms/"
 DEST_MODULE_LOCATION[30]="/updates/dkms/"
-DEST_MODULE_LOCATION[31]="/updates/dkms/"
+#DEST_MODULE_LOCATION[31]="/updates/dkms/"
 AUTOINSTALL=yes
 MAKE[0]="make -C ${kernel_source_dir} SUBDIRS=${dkms_tree}/${PACKAGE_NAME}/${PACKAGE_VERSION}/build/core modules && \
          make -C ${dkms_tree}/${PACKAGE_NAME}/${PACKAGE_VERSION}/build/drivers osscore_symbols.inc && \

--- End Message ---

--- Begin Message ---

To: Samuel Thibault <sthibault@debian.org>, 780154-done@bugs.debian.org

Subject: Re: Bug#780154: unblock: oss4/4.2-build2010-2

From: Ivo De Decker <ivodd@debian.org>

Date: Mon, 9 Mar 2015 23:53:11 +0100

Message-id: <20150309225310.GB23708@ugent.be>

In-reply-to: <[🔎] 20150309212221.GA14280@type.youpi.perso.aquilenet.fr>

References: <[🔎] 20150309212221.GA14280@type.youpi.perso.aquilenet.fr>
Hi,

On Mon, Mar 09, 2015 at 10:22:21PM +0100, Samuel Thibault wrote:
> Please unblock package oss4

Unblocked (and disabled my removal hint for now).

Once kfreebsd is removed from jessie, I'll reinstate the removal hint.

Cheers,

Ivo
--- End Message ---

Reply to:

References:
- Bug#780154: unblock: oss4/4.2-build2010-2
  - From: Samuel Thibault <sthibault@debian.org>

Prev by Date: Bug#780150: marked as done (RM: python-cream/0.5.3-1)
Next by Date: Bug#780154: unblock: oss4/4.2-build2010-2
Previous by thread: Bug#780154: unblock: oss4/4.2-build2010-2
Next by thread: Bug#780154: unblock: oss4/4.2-build2010-2
Index(es):
- Date
- Thread