Debian

Available patches from Ubuntu

To see how Ubuntu differs from Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: mercurial

mercurial (4.8.2-1ubuntu4) eoan; urgency=medium

  * SECURITY UPDATE: Write to arbitrary files outside a repository by using
    symlinks in subrepositories
    - debian/patches/CVE-2019-3902-1.patch: subrepo: extend path auditing
      test to include more weird patterns (SEC)
    - debian/patches/CVE-2019-3902-2.patch: subrepo: prohibit variable
      expansion on creation of hg subrepo (SEC)
    - debian/patches/CVE-2019-3902-3.patch: subrepo: reject potentially
      unsafe subrepo paths (BC) (SEC)
    - CVE-2019-3902

 -- Mike Salvatore <mike.salvatore@canonical.com>  Tue, 30 Jul 2019 15:42:49 -0400

mercurial (4.8.2-1ubuntu3) disco; urgency=medium

  * Drop test dependency on monotone (Closes: #919924)

 -- Graham Inggs <ginggs@ubuntu.com>  Tue, 05 Mar 2019 06:33:36 +0000

mercurial (4.8.2-1ubuntu2) disco; urgency=medium

  * Use --jobs 4 in autopkgtest to speed it up
  * Fix Breaks to mercurial-git (<< 0.8.12-1~) as intended in the previous
    upload. Thanks to Graham Inggs.

 -- Balint Reczey <rbalint@ubuntu.com>  Wed, 16 Jan 2019 15:42:22 +0700

mercurial (4.8.2-1ubuntu1) disco; urgency=medium

  * Blacklist tests failing on Ubuntu LXC autopkgtest runners
  * Bump versioned Breaks on mercurial-git (<< 0.8.12-1~)

 -- Graham Inggs <ginggs@ubuntu.com>  Fri, 11 Jan 2019 16:51:02 +0000

Modifications:
  1. Download patch debian/patches/CVE-2019-3902-1.patch
  2. Download patch debian/tests/control

    --- 4.8.2-1/debian/tests/control 2019-01-08 11:09:47.000000000 +0000 +++ 4.8.2-1ubuntu4/debian/tests/control 2019-03-05 06:33:32.000000000 +0000 @@ -1,3 +1,3 @@ Tests: testsuite -Depends: @, zip, unzip, netbase, python-subversion, monotone, cvs, bzr, tla, gcc, python2.7-dev, less +Depends: @, zip, unzip, netbase, python-subversion, cvs, bzr, tla, gcc, python2.7-dev, less Restrictions: allow-stderr
  3. Download patch debian/patches/CVE-2019-3902-2.patch
  4. Download patch debian/patches/CVE-2019-3902-3.patch

    --- 4.8.2-1/debian/patches/CVE-2019-3902-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ 4.8.2-1ubuntu4/debian/patches/CVE-2019-3902-3.patch 2019-07-30 19:42:49.000000000 +0000 
@@ -0,0 +1,90 @@ +# HG changeset patch +# User Yuya Nishihara <yuya@tcha.org> +# Date 1546953576 -32400 +# Tue Jan 08 22:19:36 2019 +0900 +# Branch stable +# Node ID 83377b4b4ae0e9a6b8e579f7b0a693b8cf5c3b10 +# Parent 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0 +subrepo: reject potentially unsafe subrepo paths (BC) (SEC) + +In addition to the previous patch, this prohibits '~', '$nonexistent', etc. +for any subrepo types. I think this is safer, and real-world subrepos wouldn't +use such (local) paths. + +diff -r 6c10eba6b9cd -r 83377b4b4ae0 mercurial/subrepo.py +--- a/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900 ++++ b/mercurial/subrepo.py Tue Jan 08 22:19:36 2019 +0900 +@@ -115,6 +115,10 @@ + vfs.unlink(vfs.reljoin(dirname, f)) + + def _auditsubrepopath(repo, path): ++ # sanity check for potentially unsafe paths such as '~' and '$FOO' ++ if path.startswith('~') or '$' in path or util.expandpath(path) != path: ++ raise error.Abort(_('subrepo path contains illegal component: %s') ++ % path) + # auditor doesn't check if the path itself is a symlink + pathutil.pathauditor(repo.root)(path) + if repo.wvfs.islink(path): +diff -r 6c10eba6b9cd -r 83377b4b4ae0 tests/test-audit-subrepo.t +--- a/tests/test-audit-subrepo.t Tue Jan 08 22:07:45 2019 +0900 ++++ b/tests/test-audit-subrepo.t Tue Jan 08 22:19:36 2019 +0900 +@@ -279,8 +279,9 @@ + on clone (and update) with various substitutions: + + $ hg clone -q main main2 ++ abort: subrepo path contains illegal component: $SUB ++ [255] + $ ls main2 +- $SUB + + $ SUB=sub1 hg clone -q main main3 + abort: subrepo path contains illegal component: $SUB +@@ -363,8 +364,9 @@ + Test tilde + ---------- + +-The leading tilde may be expanded to $HOME, but it's a valid subrepo path. +-However, we might want to prohibit it as it seems potentially unsafe. ++The leading tilde may be expanded to $HOME, but it can be a valid subrepo ++path in theory. However, we want to prohibit it as there might be unsafe ++handling of such paths. 
+ + on commit: + +@@ -373,15 +375,32 @@ + $ hg init './~' + $ echo '~ = ~' >> .hgsub + $ hg ci -qAm 'add subrepo "~"' +- $ ls +- ~ ++ abort: subrepo path contains illegal component: ~ ++ [255] ++ ++prepare tampered repo (including the commit above): ++ ++ $ hg import --bypass -qm 'add subrepo "~"' - <<'EOF' ++ > diff --git a/.hgsub b/.hgsub ++ > new file mode 100644 ++ > --- /dev/null ++ > +++ b/.hgsub ++ > @@ -0,0 +1,1 @@ ++ > +~ = ~ ++ > diff --git a/.hgsubstate b/.hgsubstate ++ > new file mode 100644 ++ > --- /dev/null ++ > +++ b/.hgsubstate ++ > @@ -0,0 +1,1 @@ ++ > +0000000000000000000000000000000000000000 ~ ++ > EOF + $ cd .. + + on clone (and update): + + $ hg clone -q tilde tilde2 +- $ ls tilde2 +- ~ ++ abort: subrepo path contains illegal component: ~ ++ [255] + + Test direct symlink traversal + -----------------------------
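Review bot: in the mercurial/subrepo.py hunk of CVE-2019-3902-3.patch, the new comment in _auditsubrepopath covers the '~' and '$' tests but says nothing about the third clause, util.expandpath(path) != path, so a reader cannot tell which inputs it is meant to catch beyond the first two. Extend the comment to say that it is the catch-all for any expansion the two literal tests miss, and that '$' in path rejects every path containing a dollar sign whether or not the variable is set (the first test case aborts on $SUB with SUB unset), since that is the (BC) part of the change.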
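Review bot: in the tests/test-audit-subrepo.t hunk at -373,15 of CVE-2019-3902-3.patch, the "on clone (and update)" case removes `$ ls tilde2` together with its `~` output, so the test no longer shows that nothing named `~` was left in the destination after the abort. The $SUB case at -279,8 keeps `$ ls main2` with empty output; keeping `$ ls tilde2` the same way would assert the same property for the tilde path.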
  5. Download patch debian/control

    --- 4.8.2-1/debian/control 2019-01-08 11:09:47.000000000 +0000 +++ 4.8.2-1ubuntu4/debian/control 2019-01-16 08:42:22.000000000 +0000 @@ -1,7 +1,8 @@ Source: mercurial Section: vcs Priority: optional -Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org> Uploaders: Vincent Danjean <vdanjean@debian.org>, Javi Merino <vicho@debian.org>, @@ -53,7 +54,7 @@ Breaks: hgsubversion (<< 1.8.7+1517-b3e41b0d50a2-1), hgview-common (<< 1.8.1), mercurial-crecord (<= 0.20140626-1), - mercurial-git (<= 0.8.3-1), + mercurial-git (<< 0.8.12-1~), qct (<< 1.7-2~), Description: easy-to-use, scalable distributed version control system Mercurial is a fast, lightweight Source Control Management system designed
  6. Download patch debian/mercurial.autopkgtest_blacklist

    --- 4.8.2-1/debian/mercurial.autopkgtest_blacklist 1970-01-01 00:00:00.000000000 +0000 +++ 4.8.2-1ubuntu4/debian/mercurial.autopkgtest_blacklist 2019-01-11 16:51:02.000000000 +0000 @@ -0,0 +1,35 @@ +# test-clonebundles.t fails in the reproducible-builds setup due to no +# name resolution: +# --- /build/mercurial-3.7.2/tests/test-clonebundles.t +# +++ /build/mercurial-3.7.2/tests/test-clonebundles.t.err +# @@ -52,7 +52,7 @@ +# $ echo 'http://does.not.exist/bundle.hg' > server/.hg/clonebundles.manifest +# $ hg clone http://localhost:$HGPORT 404-url +# applying clone bundle from http://does.not.exist/bundle.hg +# - error fetching bundle: (.* not known|getaddrinfo failed) (re) +# + error fetching bundle: Temporary failure in name resolution +# abort: error applying bundle +# (if this error persists, consider contacting the server operator or disable clone bundles via "--config ui.clonebundles=false") +# [255] +# +# ERROR: test-clonebundles.t output changed +test-clonebundles.t + +# upstream don't run this test and it only fails when pyflakes is installed +test-check-pyflakes.t + +# This test tries to test combinations of configurations involving TLS 1.0/1.1, +# but these are disabled by default in unstable now, so none of the test +# scenarios are possible to correctly construct. +test-https.t + +# These tests are flaky, still need to investigate why: +test-commandserver.t +test-largefiles.t +test-wireproto-exchangev2.t + +# The following lines are appended to a copy of debian/mercurial.test_blacklist + +# These tests fail on Ubuntu LXC autopkgtest runners +test-merge-tools.t +test-http-bad-server.t
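Review bot: the last section of the new file says its lines are "appended to a copy of debian/mercurial.test_blacklist", so this list is a hand-maintained duplicate and will drift whenever either file changes. Consider assembling the autopkgtest list at test time from debian/mercurial.test_blacklist plus a short Ubuntu-only file. Separately, test-https.t and test-http-bad-server.t are both skipped, and the "flaky" and "fail on Ubuntu LXC autopkgtest runners" entries carry no bug reference, so nothing records when that coverage can be re-enabled.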
  7. Download patch debian/tests/testsuite

    --- 4.8.2-1/debian/tests/testsuite 2019-01-08 11:09:47.000000000 +0000 +++ 4.8.2-1ubuntu4/debian/tests/testsuite 2019-01-16 08:42:08.000000000 +0000 @@ -2,4 +2,4 @@ set -ex -exec make tests TESTFLAGS="--verbose --timeout 1440 --with-hg=/usr/bin/hg --blacklist=$(pwd)/debian/mercurial.test_blacklist" +exec make tests TESTFLAGS="--verbose --timeout 1440 --jobs 4 --with-hg=/usr/bin/hg --blacklist=$(pwd)/debian/mercurial.autopkgtest_blacklist"
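Review bot: `--jobs 4` is hard-coded in TESTFLAGS, so the run oversubscribes a runner with fewer than four CPUs and leaves cores idle on a larger one. Deriving the value from the machine, for example `--jobs $(nproc)`, keeps the speed-up without tying the script to one runner size. The same line now points at debian/mercurial.autopkgtest_blacklist, so the script fails if that file is not shipped alongside it.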
  8. Download patch debian/patches/series

    --- 4.8.2-1/debian/patches/series 2019-01-08 11:17:29.000000000 +0000 +++ 4.8.2-1ubuntu4/debian/patches/series 2019-07-30 19:42:49.000000000 +0000 @@ -5,3 +5,6 @@ proposed_upstream__correct-zeroconf-doc deb_specific__disable_libdir_replacement.patch for_upstream__dont_rm_usr_bin_python_when_running_testsuite.patch deb_specific__fix_fhs_paths.patch +CVE-2019-3902-1.patch +CVE-2019-3902-2.patch +CVE-2019-3902-3.patch


Source: python-hypothesis

python-hypothesis (4.36.2-0ubuntu1) focal; urgency=medium

  * New upstream version.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 19 Oct 2019 15:16:04 +0200

Modifications:
  1. Download patch debian/patches/0001-Remove-reference-to-remote-image-in-docs.patch

    --- 4.36.2-1/debian/patches/0001-Remove-reference-to-remote-image-in-docs.patch 2019-11-19 10:51:38.000000000 +0000 +++ 4.36.2-0ubuntu1/debian/patches/0001-Remove-reference-to-remote-image-in-docs.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,21 +0,0 @@ -From: Nicolas Dandrimont <olasd@debian.org> -Date: Tue, 19 Nov 2019 11:51:20 +0100 -Subject: Remove reference to remote image in docs - ---- - hypothesis-python/docs/community.rst | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/hypothesis-python/docs/community.rst b/hypothesis-python/docs/community.rst -index 7ba1a3f..a3e3f4b 100644 ---- a/hypothesis-python/docs/community.rst -+++ b/hypothesis-python/docs/community.rst -@@ -22,8 +22,6 @@ If you would like to cite Hypothesis, please consider `our suggested citation - If you like repo badges, we suggest the following badge, which you can add - with reStructuredText or Markdown, respectively: - --.. image:: https://img.shields.io/badge/hypothesis-tested-brightgreen.svg -- - .. code:: restructuredtext - - .. image:: https://img.shields.io/badge/hypothesis-tested-brightgreen.svg
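Review bot: with 0001-Remove-reference-to-remote-image-in-docs.patch absent on the 4.36.2-0ubuntu1 side, hypothesis-python/docs/community.rst keeps the `.. image:: https://img.shields.io/badge/hypothesis-tested-brightgreen.svg` directive, so any documentation built from it references a remote image. Carry the patch on the Ubuntu side as well, together with its entry in debian/patches/series, so that the docs load nothing from a third-party host.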
  2. Download patch debian/compat

    --- 4.36.2-1/debian/compat 1970-01-01 00:00:00.000000000 +0000 +++ 4.36.2-0ubuntu1/debian/compat 2018-09-24 11:44:50.000000000 +0000 @@ -0,0 +1 @@ +11
  3. Download patch debian/control

    --- 4.36.2-1/debian/control 2019-11-19 10:39:40.000000000 +0000 +++ 4.36.2-0ubuntu1/debian/control 2018-09-24 11:47:07.000000000 +0000 @@ -6,7 +6,7 @@ Uploaders: Tristan Seligmann <mithrandi@debian.org>, Vincent Bernat <bernat@debian.org>, Build-Depends: - debhelper-compat (= 11), + debhelper (>= 11), dh-python, pypy, pypy-attr,
  4. Download patch debian/patches/series

    --- 4.36.2-1/debian/patches/series 2019-11-19 10:51:38.000000000 +0000 +++ 4.36.2-0ubuntu1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -0001-Remove-reference-to-remote-image-in-docs.patch


Source: python-nacl

python-nacl (1.3.0-2ubuntu1) focal; urgency=medium

  * Fix build with new hypothesis version.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 18 Oct 2019 18:27:45 +0000

Modifications:
  1. Download patch debian/rules

    --- 1.3.0-2/debian/rules 2018-11-05 13:48:39.000000000 +0000 +++ 1.3.0-2ubuntu1/debian/rules 2019-10-18 18:27:45.000000000 +0000 @@ -5,7 +5,6 @@ export DH_VERBOSE=1 export PYBUILD_NAME=nacl export PYBUILD_TEST_PYTEST=1 export PYBUILD_TEST_ARGS={dir}/tests/ -export HYPOTHESIS_DATABASE_FILE = $(CURDIR)/debian/hypothesis export PYTHONDONTWRITEBYTECODE=1
  2. Download patch debian/patches/series

    --- 1.3.0-2/debian/patches/series 2018-11-05 18:24:44.000000000 +0000 +++ 1.3.0-2ubuntu1/debian/patches/series 2019-10-18 18:27:45.000000000 +0000 @@ -1 +1,2 @@ slow_health_checks.patch +480.patch
  3. Download patch debian/patches/480.patch

    --- 1.3.0-2/debian/patches/480.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.3.0-2ubuntu1/debian/patches/480.patch 2019-10-18 18:27:45.000000000 +0000 @@ -0,0 +1,29 @@ +From af2d8c241872318baba42d7f5fbfb1869de91baa Mon Sep 17 00:00:00 2001 +From: Valentin Heidelberger <github@valentinsblog.com> +Date: Thu, 27 Sep 2018 22:36:34 +0200 +Subject: [PATCH] Remove average_size hypothesis setting from test_bindings.py + +--- + tests/test_bindings.py | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/tests/test_bindings.py b/tests/test_bindings.py +index 22930cc7..d7951a21 100644 +--- a/tests/test_bindings.py ++++ b/tests/test_bindings.py +@@ -306,7 +306,6 @@ def test_unpad_not_padded(): + + + @given(binary(min_size=0, +- average_size=128, + max_size=2049), + integers(min_value=16, + max_value=256) +@@ -320,7 +319,6 @@ def test_pad_sizes(msg, bl_sz): + + + @given(binary(min_size=0, +- average_size=128, + max_size=2049), + integers(min_value=16, + max_value=256)
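Review bot: the file name 480.patch says nothing about what the patch changes, and its header has no Origin field, so debian/patches/series does not show where the change comes from. Rename it after its Subject line (removal of the average_size hypothesis setting from tests/test_bindings.py) and add a DEP-3 `Origin:` field that points at the commit named in the From line. Both hunks touch only `@given(binary(...))` arguments in the tests, which is worth stating in the description so reviewers can see that no library code is modified.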
  1. mercurial
  2. python-hypothesis
  3. python-nacl