These are bugs to consider at SIPB's RC-bug-squashing hackathon for Lenny.
Bug list dumped early 2008-12-12. The pipeline was
$ cd /mit/debathena/debian-bts && ./get_bugs | sort | ./bugs-format-trac
Please sort into useful/not useful, add notes, etc.
All acted on! See the "Stuff we did" sections below.
Stuff we did
Fixed by SIPB!
"cdrom: Most of the system's files have a future timestamp causing at least update/config problems."
(closed by wdaher)
"python-hid: hid module will not import since python policy transition"
"racoon - Fails after upgrade: symbol lookup error: /usr/sbin/racoon: undefined symbol: libipsec_opt"
(fixed by broder)
"libipsec0 packaged in ipsec-tools without development headers"
(downgraded by hartmans)
"[nvidia-glx] Quietly drops support for several chipsets"
(downgraded by nelhage)
"open-iscsi: no login using amd64"
(quentin reassigned; Bastian Blank then lowered priority)
"sysprof-module-source: doesn't compile on AMD64 arch (wrong register names)"
(patch added by andersk)
"splashy: Splashy fails to install due to missing default theme"
(fix suggestion added by ecprice with help from tabbott and fawkes)
"crash rtorrent by scgi-interface (function: 'fi.get_filename_last')"
(submitted patch that disables broken RPC; leaving to maintainer to decide if this is what he wants to do)
"/init exports MODPROBE_OPTIONS=-qb"
(patch added by price)
"zekr depends on libxul0d"
(mako tweaked and sponsored fix by Asheesh Laroia)
Waiting on feedback
"cannot unlock screen during etch -> lenny transition"
(hartmans added comment)
"dk-filter reliably crashes upon connection from postfix"
(quentin couldn't reproduce)
"asterisk: Very frequent segfaults on startup"
(quentin couldn't reproduce)
"fenix: not 64 bit clean"
(ezyang observed upstream's website looks ~dead)
Fun stuff to read
You might enjoy reading these, but they may not be good targets to fix.
"otrs2 - makes files in /usr writable by non-root"
"wordpress can be subject of delayed attacks via cookies"
For this one, the actual flamewar is off the bug report log.
"longstanding DFSG violations in linux-2.6 package"
"gnu-fdisk: wipes out MBR when used on GPT partitions"
Would have been fun
Entertaining to read but sadly already fixed.
"auctex: reuses old logfile on emacsen upgrades, enabling symlink attack"
Examples to live up to
"bind9: Fails to start due to SIGSEGV"
This bug sat unfixed for months. Then someone attacked it in a bug-squashing party,
got the first reproducible testcase, and sent that upstream, which swiftly produced a fix.
Someone please explain what's going on (Debian Project-wise) in these bugs.
"ITA: mol-drivers-linux -- The Mac-on-Linux emulator - drivers for Linux"
(Note: The bug is for someone to take over maintainership. They did. Then when the bug gets automatically archived, they reply saying to keep it? I (price) don't understand.)
Not so ripe for us to fix
If you have the relevant hardware you could help a lot.
"installation: Problems with dual booting Dell D600 with winXP pro in the first partition (hd0, 0). After installing the Dell Etch Beta 3, Windows fails to boot and I get the blue screen of death."
"cdrom: Etch does not detect CD-ROM on Acer Aspire 7100"
"ruby1.9: FTBFS on hppa: make: * [all] Segmentation fault"
"jfsutils: Bus Error when running fsck.jfs on sparc"
"installation-reports: Lenny b2 install on ThinkPad X61 - fails to detect hard disk"
"grub-installer fails on a FSC Primergy RX300 with a level 5 RAID"
May be a lot of work
"rtorrent: random crash"
(Reproducing this seems to require running 20+ torrents for a ~day)
Please read these reports and figure out what category they belong in. Or make a new category.
"nvidia-glx-legacy-96xx-dev: /usr/lib/libGL.so symlink broken"
"Updating to lenny failed when NetworkManager got updated"
"Mozilla Thunderbird Multiple Vulnerabilities"
"xine-lib: CVE-2008-5242 heap-based buffer overflow"
"xine-lib: CVE-2008-5246 heap overflow"
"ffmpeg-debian: Several security issues"
These are very recent and presumably will get dealt with by the
package maintainers without help.
If you're bored you might look through and see if some are interesting
anyway. Also feel free to draw the line at some other time; I (price)
picked December 1, arbitrarily.
"Freeze when installing GRUB on XFS boot partition"
(Note: just re-opened 2008-12-12)
"ignores "LockXLock yes" setting in /etc/hibernate/common.conf (e.g. does not lock the screen)"
"Package installation results in license violation"
"Missing sources for d-i components/kernel of etch-n-half images"
"cryptsetup: Sometimes initrd ends up missing conf/conf.d/cryptroot file in it"
"mldonkey-server: mlnet does not start, logs syntax error in downloads.ini"
"openoffice.org-writer: OOo 2.4.x openinig OOo 3 files doesn't show text (2.x implements standard wrong)"
"mdadm: initramfs-tools script is broken, system with root on RAID won't boot"
"mazegaki conversion cannot be used"
"audacity: munmap_chunk(): invalid pointer: 0x00000000026f4eb0"
"sun-java5: New upstream release fixes several security issues"
"xine-lib: CVE-2008-5234 heap overflow in atom parsing"
"wodim: Cannot load media. Cannot init drive."
"ftp.debian.org: gcc-4.2-base is not really required"
"ipmitool: Several init script problems due to wrong pidfile name"
"convert crash on sparc during compilation of djvulibre (work on x86-64)"
"iodbc: Segfaults when asking for the available DSNs"
"Handling of conflicting conffiles broken"
"f2c: does not translate properly in EMT64 machines"
"merkaartor: crash on startup: QPaintEngine::setSystemClip: Should not be change
"ppp: USB Modem removal after PPP exits kills keyboard"
"adtxenlvm: initscript assumes eth0"
These look like good progress is being made and they'll get fixed
soon. Do we need a DD to do an NMU on any of these?
"CVE-2007-3215: phpmailer issue (embedded code-copy)"
"Can't parse packages.debian.org output anymore"
"release-notes: Where's the license?"
"document procedure to recover from "/dev/hda became /dev/sda" boot failure"
(Note: looks done, just not closed.)
"tuxguitar: hard-codes dependencies on libraries"
"libjs-jquery: Should compile jquery.min.js and jquery.pack.js from jquery.js"
"initramfs-tools: Wrong check for udevadm in functions"
(No maintainer activity since it was reported 2 weeks ago; one-line patch attached.)
"mdadm segfault on --assemble --force with raid10"
Seems to be fixed and uploaded, but got reopened for some reason?
374644 in xine-ui
"xine-ui: ctrl/shift key press emulation implementation broken"
(Note: There's a patch that may be good enough -- blocking on some guy responding)
"/etc/init.d/snmpd start reports error if already running"
(Note: fixed, waiting on an upload?)
"CVE-2008-5305: TWiki SEARCH variable allows arbitrary shell command execution"
"phpPgAdmin: Local File Inclusion Vulnerability"
"bind9: bind crashes with a list for allow-update"
"send_requested_reply="true" allows all non-reply messages"
"wireshark: DoS caused by sending a SMTP request with large content"
"etch -> lenny minimal chrrot upgrade fails due to Conflicts/Pre-Depends loop"
"AWT_TOOLKIT=MToolkit causes java to segfault on amd64"
"etch->lenny upgrade left the system in broken state"
"libexif-gtk-dev: References no longer existing libXcursor.la"
"oss-compat: modules are not loaded"
Not much of use one can do
(waiting on reporter to reproduce)
"installation-reports: Grub error: not a regular file..."
(this one looks like it'll be removed from Lenny or have amd64 disabled)
"Fails to work on amd64"
(this one looks like the maintainer has labeled it unreproducible)
"amule-daemon: causes OOM's by leaking lots of memory"
(waiting on upstream)
"Yet another boilerplate change"
"kicker: crashes on startup"
"moodle: html2text.php is not DFSG-free"
"quagga: zebra ignores routes added via command line"
"maintainer address bounces"
(trivial fix may cause regression, may punt)
"initiatorname.iscsi should maybe not be in /etc"
(legal issue involving non-free file)
"clamav-getfiles: piuparts test fails: eicar.com md5sum mismatch, file needs downloading"
"CVE-2008-5312/3: mailscanner might allow local users to overwrite arbitrary files via a symlink attack"
"smarty: Non-free logo included in package"
Special team bugs
These bugs are probably not good targets because the work involved with them at this point is to be done by someone on a special Debian team.
"Packages might enter the archive from security without source"
"libept0 should have priority important"
"python2.5 should have priority standard"
"libsqlite3-0 should have priority standard"
"libkeyutils1 should have priority standard"
"libldap-2.4-2 should have priority standard"
"[Priorities] libustr-1.0-1 -> standard"
"python-sepolgen should have priority standard"
"libxml2 should have priority standard"
"python2.5-minimal should have priority standard"
"libisccfg40 should have priority standard"
"libisccc40 should have priority standard"
"libedit2 should have priority standard"
"libgssglue1 must have priority standard"
"ucf must have priority standard"
"libpci3 must have priority standard"
"sarge images have syslinux binaries without source"
"FPC: copyright infringement in pre 2.2.2 sources"
"RM: astrolog/stable -- RoQA; orphaned long time, non-free, contains potentially undistributable code"
This one is fixed in experimental:
"epiphany-webkit: Crashes at startup whenever I go to a site."