FTBFS: xine-lib debian/rules contains a bashism

Bug #25182 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
xine-lib (Debian) | Fix Released | Unknown | |
xine-lib (Ubuntu) | Fix Released | High | Unassigned |

Bug Description

Automatically imported from Debian bug report #337996 http://bugs.debian.org/337996

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 7 Nov 2005 13:45:38 -0500
From: Christopher Martin <email address hidden>
To: <email address hidden>
Subject: FTBFS: xine-lib debian/rules contains a bashism

Package: xine-lib
Version: 1.0.1-1.3
Severity: serious

xine-lib's debian/rules contains the following:

mv debian/tmp/usr/share/doc/xine/{faq,README*} \
 debian/libxine1/usr/share/doc/libxine1

This fails with dash as sh, since it doesn't understand {faq,README*}. The
easiest fix would be to move the faq and README* separately, as follows:

mv debian/tmp/usr/share/doc/xine/faq \
 debian/libxine1/usr/share/doc/libxine1
mv debian/tmp/usr/share/doc/xine/README* \
 debian/libxine1/usr/share/doc/libxine1

Cheers,
Christopher Martin

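A check for the failure described in the report above, as an added example that is not part of the original bug report or of xine-lib's packaging: it scans make recipe lines for unquoted brace groups, which dash as /bin/sh passes through literally instead of expanding. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag bash-only brace expansion
# in make recipe lines, which /bin/sh = dash passes through literally.

# find_brace_expansion FILE
# Prints "LINENO:TEXT" for every tab-indented recipe line that contains an
# unquoted {x,y} group. ${VAR} references and quoted text are ignored.
find_brace_expansion() {
    awk -v sq="'" '
        /^\t/ && !/^\t[ \t]*#/ {
            line = $0
            gsub(/\$\{[^}]*\}/, "", line)        # make/shell ${VAR}
            gsub(sq "[^" sq "]*" sq, "", line)   # single-quoted text
            gsub(/"[^"]*"/, "", line)            # double-quoted text
            if (line ~ /\{[^{} \t]*,[^{} \t]*\}/)
                printf "%d:%s\n", NR, $0
        }
    ' "$1"
}

# Constructed sample: the recipe quoted in the report, the proposed
# two-command fix, and one quoted brace group that must not be flagged.
write_sample_rules() {
    {
        printf 'install:\n'
        printf '\tmv debian/tmp/usr/share/doc/xine/{faq,README*} \\\n'
        printf '\t\tdebian/libxine1/usr/share/doc/libxine1\n'
        printf '\tmv debian/tmp/usr/share/doc/xine/faq \\\n'
        printf '\t\tdebian/libxine1/usr/share/doc/libxine1\n'
        printf '\tmv debian/tmp/usr/share/doc/xine/README* \\\n'
        printf '\t\tdebian/libxine1/usr/share/doc/libxine1\n'
        printf '\techo "literal {a,b} in quotes"\n'
    } > "$1"
}

sample=$(mktemp)
write_sample_rules "$sample"
find_brace_expansion "$sample"   # reports only line 2
rm -f "$sample"
```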

Thijs Kinkhorst (kink) wrote : Re: #332919 Still not fixed

On Tue, 2005-11-22 at 23:31 +0100, Jérôme Marant wrote:
> Hi,
>
> I've just noticed that this security bug has not been fixed:
>
> #332919: CAN-2005-2967: Format string vulnerability in xine-lib's CDDB response parsing
>
> Any action taken?

This bug has been addressed for stable in DSA-863, it's only etch/sid
which have to be fixed. The package has two maintainers, but I can't
trace recent activity for any of them.

I've prepared updated packages for xine-lib, which fix this security
issue and the FTBFS-bug. They thus fix 2 RC bugs (or 3 if you count
merged separately). The diff is attached, the updated packages can be
found here: http://www.a-eskwadraat.nl/~kink/xine-lib/

Since I can't upload them myself, maybe someone else can review and
upload?

regards,
Thijs

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 23 Nov 2005 10:33:33 +0100
From: Thijs Kinkhorst <email address hidden>
To: <email address hidden>, <email address hidden>, <email address hidden>,
 Jérôme Marant <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: #332919 Still not fixed

Thijs Kinkhorst (kink) wrote : Fixed in NMU of xine-lib 1.0.1-1.4

tag 332919 + fixed
tag 333682 + fixed
tag 337996 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

Format: 1.7
Date: Wed, 23 Nov 2005 09:42:39 +0100
Source: xine-lib
Binary: libxine-dev libxine1
Architecture: source i386
Version: 1.0.1-1.4
Distribution: unstable
Urgency: high
Maintainer: Siggi Langauf <email address hidden>
Changed-By: Thijs Kinkhorst <email address hidden>
Description:
 libxine-dev - the xine video player library, development packages
 libxine1 - the xine video/media player library, binary files
Closes: 332919 333682 337996
Changes:
 xine-lib (1.0.1-1.4) unstable; urgency=high
 .
   * Non-maintainer upload for RC-(security-)bugs.
   * Apply patch from Ulf Harnhammar fixing a format string vulnerability
     in CDDB response parsing (CVE-2005-2967, Closes: #332919, #333682).
   * Fix bashism in debian/rules causing a FTBFS (Closes: #337996).
Files:
 4f201c064f874cd28cd3fc1494157435 1103 libs optional xine-lib_1.0.1-1.4.dsc
 9f48de634d231a863a1cc48b19a1480b 97462 libs optional xine-lib_1.0.1-1.4.diff.gz
 41e688e695473119bb6102417e4d3075 108838 libdevel optional libxine-dev_1.0.1-1.4_i386.deb
 864da56df34734b732f07d16f8358bfd 4431800 libs optional libxine1_1.0.1-1.4_i386.deb

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 24 Nov 2005 04:17:07 -0800
From: Thijs Kinkhorst <email address hidden>
To: <email address hidden>
Cc: Thijs Kinkhorst <email address hidden>, Siggi Langauf <email address hidden>
Subject: Fixed in NMU of xine-lib 1.0.1-1.4

Sebastian Dröge (slomo)
Changed in xine-lib:
status: Unconfirmed → Fix Released
status: Unconfirmed → Fix Released
Reinhard Tartler (siretart) wrote : Bug#337996: fixed in xine-lib 1.1.1-1

Source: xine-lib
Source-Version: 1.1.1-1

We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:

libxine-dev_1.1.1-1_i386.deb
  to pool/main/x/xine-lib/libxine-dev_1.1.1-1_i386.deb
libxine1_1.1.1-1_i386.deb
  to pool/main/x/xine-lib/libxine1_1.1.1-1_i386.deb
xine-lib_1.1.1-1.diff.gz
  to pool/main/x/xine-lib/xine-lib_1.1.1-1.diff.gz
xine-lib_1.1.1-1.dsc
  to pool/main/x/xine-lib/xine-lib_1.1.1-1.dsc
xine-lib_1.1.1.orig.tar.gz
  to pool/main/x/xine-lib/xine-lib_1.1.1.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <email address hidden> (supplier of updated xine-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

Format: 1.7
Date: Sun, 19 Feb 2006 18:34:51 +0100
Source: xine-lib
Binary: libxine-dev libxine1
Architecture: source i386
Version: 1.1.1-1
Distribution: unstable
Urgency: low
Maintainer: Siggi Langauf <email address hidden>
Changed-By: Reinhard Tartler <email address hidden>
Description:
 libxine-dev - the xine video player library, development packages
 libxine1 - the xine video/media player library, binary files
Closes: 288189 315986 318838 320317 323276 325960 326935 326936 327203 328168 328184 328265 328454 332919 337996 337997 338000 342208 345499 346488 347162 353150
Changes:
 xine-lib (1.1.1-1) unstable; urgency=low
 .
   * New upstream release! (Closes: #326936, #353150, #332919)
 .
   [ Reinhard Tartler ]
     - adding myself to uploaders
     - Remove build dependencies on xlibs-dev, as well as alternatives on
       xlibs-dev-static. Debian is on its way towards X11R7!
       (Closes: #337997, #346488, #345499, #342208, #347162)
     - Rechecking the long list of NMUs. Thanks to all submitters!
 .
   [ Darren Salt ]
     - Add debian/watch file for uscan.
     - Convert debian/copyright to UTF-8.
     - Add build-deps on libxv-dev and libvcdinfo-dev.
     - Bump standards version to 3.6.2
     - Make "post-Sarge"-tagged changes to debian/rules and strip debian/tmp/
       from debian/*.install.
     - Remove *.gmo on clean (Just In Case). (Closes: #338000)
     - Do a little preparation for a possible -dbg package.
 .
   * Acknowledge NMUs.
     - Backports and gcc 4.0 fixes dropped since they're already in this version.
       Closes: #288189, #318838
     - slang transition: Closes: #315986
     - aalib transition: Closes: #320317, #323276
     - flac transition: Closes: #325960
     - fix of dependency generation script debian/shlibdeps.sh:
       Closes: #326935, #327203, #328168, #328184, #328265, #328454
     - fix bashism in debian/rules: Closes: #337996
Files:
 3a7bb1c29296533f933ba4d3a5023d3a 1109 libs optional xine-lib_1.1.1-1.dsc
 b1f42602c...
