Which DEB is the culprit?

August 03, 2013 — BarryK
These are the DEBs from Ubuntu 'precise-updates' repo that got upgraded since the release of Precise Puppy 5.6.1 back in May, and were in the 5.6.5 build of Precise:

curl_7.22.0-3ubuntu4.1_i386.deb				      |	curl_7.22.0-3ubuntu4.2_i386.deb

libcurl3_7.22.0-3ubuntu4.1_i386.deb | libcurl3_7.22.0-3ubuntu4.2_i386.deb
libcurl3-gnutls_7.22.0-3ubuntu4.1_i386.deb | libcurl3-gnutls_7.22.0-3ubuntu4.2_i386.deb
libcurl4-openssl-dev_7.22.0-3ubuntu4.1_i386.deb | libcurl4-openssl-dev_7.22.0-3ubuntu4.2_i386.deb
libdbus-1-3_1.4.18-1ubuntu1.3_i386.deb | libdbus-1-3_1.4.18-1ubuntu1.4_i386.deb
libdbus-1-dev_1.4.18-1ubuntu1.3_i386.deb | libdbus-1-dev_1.4.18-1ubuntu1.4_i386.deb
libdmx-dev_1.1.1-1_i386.deb | libdmx-dev_1.1.1-1ubuntu0.1_i386.deb
libdmx1_1.1.1-1_i386.deb | libdmx1_1.1.1-1ubuntu0.1_i386.deb
libdrm-dev_2.4.43-0ubuntu0.0.1_i386.deb | libdrm-dev_2.4.43-0ubuntu0.0.2_i386.deb
libdrm-intel1_2.4.43-0ubuntu0.0.1_i386.deb | libdrm-intel1_2.4.43-0ubuntu0.0.2_i386.deb
libdrm-nouveau1a_2.4.43-0ubuntu0.0.1_i386.deb | libdrm-nouveau1a_2.4.43-0ubuntu0.0.2_i386.deb
libdrm-radeon1_2.4.43-0ubuntu0.0.1_i386.deb | libdrm-radeon1_2.4.43-0ubuntu0.0.2_i386.deb
libdrm2_2.4.43-0ubuntu0.0.1_i386.deb | libdrm2_2.4.43-0ubuntu0.0.2_i386.deb
libfs-dev_1.0.3-1_i386.deb | libfs-dev_1.0.3-1ubuntu0.1_i386.deb
libfs6_1.0.3-1_i386.deb | libfs6_1.0.3-1ubuntu0.1_i386.deb
libgl1-mesa-dev_8.0.4-0ubuntu0.5_i386.deb | libgl1-mesa-dev_8.0.4-0ubuntu0.6_i386.deb
libgl1-mesa-dri_8.0.4-0ubuntu0.5_i386.deb | libgl1-mesa-dri_8.0.4-0ubuntu0.6_i386.deb
libgl1-mesa-glx_8.0.4-0ubuntu0.5_i386.deb | libgl1-mesa-glx_8.0.4-0ubuntu0.6_i386.deb
libglapi-mesa_8.0.4-0ubuntu0.5_i386.deb | libglapi-mesa_8.0.4-0ubuntu0.6_i386.deb
libglu1-mesa_8.0.4-0ubuntu0.5_i386.deb | libglu1-mesa_8.0.4-0ubuntu0.6_i386.deb
libglu1-mesa-dev_8.0.4-0ubuntu0.5_i386.deb | libglu1-mesa-dev_8.0.4-0ubuntu0.6_i386.deb
libgnutls-dev_2.12.14-5ubuntu3.3_i386.deb | libgnutls-dev_2.12.14-5ubuntu3.4_i386.deb
libgnutls26_2.12.14-5ubuntu3.3_i386.deb | libgnutls26_2.12.14-5ubuntu3.4_i386.deb
libldap-2.4-2_2.4.28-1.1ubuntu4.2_i386.deb | libldap-2.4-2_2.4.28-1.1ubuntu4.3_i386.deb
libldap2-dev_2.4.28-1.1ubuntu4.2_i386.deb | libldap2-dev_2.4.28-1.1ubuntu4.3_i386.deb
libpulse0_1.1-0ubuntu15.2_i386.deb | libpulse0_1.1-0ubuntu15.3_i386.deb
libssl-dev_1.0.1-4ubuntu5.9_i386.deb | libssl-dev_1.0.1-4ubuntu5.10_i386.deb
libssl1.0.0_1.0.1-4ubuntu5.9_i386.deb | libssl1.0.0_1.0.1-4ubuntu5.10_i386.deb
libtiff4_3.9.5-2ubuntu1.4_i386.deb | libtiff4_3.9.5-2ubuntu1.5_i386.deb
libtiff4-dev_3.9.5-2ubuntu1.4_i386.deb | libtiff4-dev_3.9.5-2ubuntu1.5_i386.deb
libx11-6_1.4.99.1-0ubuntu2_i386.deb | libx11-6_1.4.99.1-0ubuntu2.1_i386.deb
libx11-data_1.4.99.1-0ubuntu2_all.deb | libx11-data_1.4.99.1-0ubuntu2.1_all.deb
libx11-dev_1.4.99.1-0ubuntu2_i386.deb | libx11-dev_1.4.99.1-0ubuntu2.1_i386.deb
libx11-xcb-dev_1.4.99.1-0ubuntu2_i386.deb | libx11-xcb-dev_1.4.99.1-0ubuntu2.1_i386.deb
libx11-xcb1_1.4.99.1-0ubuntu2_i386.deb | libx11-xcb1_1.4.99.1-0ubuntu2.1_i386.deb
libxcb-dri2-0_1.8.1-1ubuntu0.1_i386.deb | libxcb-dri2-0_1.8.1-1ubuntu0.2_i386.deb
libxcb-dri2-0-dev_1.8.1-1ubuntu0.1_i386.deb | libxcb-dri2-0-dev_1.8.1-1ubuntu0.2_i386.deb
libxcb-glx0_1.8.1-1ubuntu0.1_i386.deb | libxcb-glx0_1.8.1-1ubuntu0.2_i386.deb
libxcb-glx0-dev_1.8.1-1ubuntu0.1_i386.deb | libxcb-glx0-dev_1.8.1-1ubuntu0.2_i386.deb
libxcb-render0_1.8.1-1ubuntu0.1_i386.deb | libxcb-render0_1.8.1-1ubuntu0.2_i386.deb
libxcb-render0-dev_1.8.1-1ubuntu0.1_i386.deb | libxcb-render0-dev_1.8.1-1ubuntu0.2_i386.deb
libxcb-shape0_1.8.1-1ubuntu0.1_i386.deb | libxcb-shape0_1.8.1-1ubuntu0.2_i386.deb
libxcb-shape0-dev_1.8.1-1ubuntu0.1_i386.deb | libxcb-shape0-dev_1.8.1-1ubuntu0.2_i386.deb
libxcb-shm0_1.8.1-1ubuntu0.1_i386.deb | libxcb-shm0_1.8.1-1ubuntu0.2_i386.deb
libxcb-shm0-dev_1.8.1-1ubuntu0.1_i386.deb | libxcb-shm0-dev_1.8.1-1ubuntu0.2_i386.deb
libxcb1_1.8.1-1ubuntu0.1_i386.deb | libxcb1_1.8.1-1ubuntu0.2_i386.deb
libxcb1-dev_1.8.1-1ubuntu0.1_i386.deb | libxcb1-dev_1.8.1-1ubuntu0.2_i386.deb
libxcursor-dev_1.1.12-1_i386.deb | libxcursor-dev_1.1.12-1ubuntu0.1_i386.deb
libxcursor1_1.1.12-1_i386.deb | libxcursor1_1.1.12-1ubuntu0.1_i386.deb
libxext-dev_1.3.0-3build1_i386.deb | libxext-dev_1.3.0-3ubuntu0.1_i386.deb
libxext6_1.3.0-3build1_i386.deb | libxext6_1.3.0-3ubuntu0.1_i386.deb
libxfixes-dev_5.0-4ubuntu4_i386.deb | libxfixes-dev_5.0-4ubuntu4.1_i386.deb
libxfixes3_5.0-4ubuntu4_i386.deb | libxfixes3_5.0-4ubuntu4.1_i386.deb
libxi-dev_1.6.0-0ubuntu2_i386.deb | libxi-dev_1.6.0-0ubuntu2.1_i386.deb
libxi6_1.6.0-0ubuntu2_i386.deb | libxi6_1.6.0-0ubuntu2.1_i386.deb
libxinerama-dev_1.1.1-3build1_i386.deb | libxinerama-dev_1.1.1-3ubuntu0.1_i386.deb
libxinerama1_1.1.1-3build1_i386.deb | libxinerama1_1.1.1-3ubuntu0.1_i386.deb
libxrandr-dev_1.3.2-2ubuntu0.1_i386.deb | libxrandr-dev_1.3.2-2ubuntu0.2_i386.deb
libxrandr2_1.3.2-2ubuntu0.1_i386.deb | libxrandr2_1.3.2-2ubuntu0.2_i386.deb
libxrender-dev_0.9.6-2build1_i386.deb | libxrender-dev_0.9.6-2ubuntu0.1_i386.deb
libxrender1_0.9.6-2build1_i386.deb | libxrender1_0.9.6-2ubuntu0.1_i386.deb
libxres-dev_1.0.5-1_i386.deb | libxres-dev_1.0.5-1ubuntu0.1_i386.deb
libxres1_1.0.5-1_i386.deb | libxres1_1.0.5-1ubuntu0.1_i386.deb
libxt-dev_1.1.1-2build1_i386.deb | libxt-dev_1.1.1-2ubuntu0.1_i386.deb
libxt6_1.1.1-2build1_i386.deb | libxt6_1.1.1-2ubuntu0.1_i386.deb
libxtst-dev_1.2.0-4_i386.deb | libxtst-dev_1.2.0-4ubuntu0.1_i386.deb
libxtst6_1.2.0-4_i386.deb | libxtst6_1.2.0-4ubuntu0.1_i386.deb
libxv-dev_1.0.6-2build1_i386.deb | libxv-dev_1.0.6-2ubuntu0.1_i386.deb
libxv1_1.0.6-2build1_i386.deb | libxv1_1.0.6-2ubuntu0.1_i386.deb
libxvmc-dev_1.0.6-1ubuntu2_i386.deb | libxvmc-dev_1.0.6-1ubuntu2.1_i386.deb
libxvmc1_1.0.6-1ubuntu2_i386.deb | libxvmc1_1.0.6-1ubuntu2.1_i386.deb
libxxf86dga-dev_1.1.2-1_i386.deb | libxxf86dga-dev_1.1.2-1ubuntu0.1_i386.deb
libxxf86dga1_1.1.2-1_i386.deb | libxxf86dga1_1.1.2-1ubuntu0.1_i386.deb
libxxf86vm-dev_1.1.1-2build1_i386.deb | libxxf86vm-dev_1.1.1-2ubuntu0.1_i386.deb
libxxf86vm1_1.1.1-2build1_i386.deb | libxxf86vm1_1.1.1-2ubuntu0.1_i386.deb
mesa-common-dev_8.0.4-0ubuntu0.5_i386.deb | mesa-common-dev_8.0.4-0ubuntu0.6_i386.deb
openssl_1.0.1-4ubuntu5.9_i386.deb | openssl_1.0.1-4ubuntu5.10_i386.deb
xserver-xorg-video-openchrome_0.2.904+svn1050-1_i386.deb | xserver-xorg-video-openchrome_0.2.904+svn1050-1ubuntu0.1_i386

78 of them. One of those upgrades has introduced the non-US keyboard layout problem. Which one, do you reckon?

I guess, if we have a shortlist, I will run Precise 5.6.5 and then install the older DEBs in the shortlist, until (hopefully) the keyboard layout bug goes away.


Not updated
Username: Iguleder
Barry, are you sure about this? Look here - this package hasn't changed at all since the release of Ubuntu 12.04. Maybe you can narrow down this list, if we find more packages like this one.

Ubuntu bug
Username: Terryphi
"There is a longstanding unfixed Ubuntu bug identified as being in gnome-control-center (but is it?) As Precise Puppy does not include gnome-control-center it does not seem relevant. Anyway, here is the link: I use a fully updated version of Linux Mint 13 (based on Ubuntu Precise) with Mate desktop and it does not have, nor ever has had, non-US keyboard layout problems. Are any of the debs gnome related?

Re libxi version
Username: BarryK
"Iguleder, Yes, I am certain. Look here: Unfortunately, is often [b]wrong!!![/b] In this case, if you look at 'libxi6' at, it shows [b]nothing[/b] in the 'precise-updates' category. But there is an update. Take another one, the 'curl' package. It shows up in 'precise-updates', but not the latest one. It seems that only lists the packages in 'precise-updates' at the time of the last official sub-version release. But, those may [b]not even be in the repo anymore[/b]. For example, lookup 'curl' in, in 'precise-updates', it is listed as: [i]7.22.0-3ubuntu4.1[/i] Now go to the repo: curl_7.22.0-3ubuntu4_i386.deb curl_7.22.0-3ubuntu4.2_i386.deb ...only the original 'precise' DEB and the latest is there, [b]not[/b] the one listed at!!! I have encountered this before, and I always take the info at with a grain of salt.

Missing DEB
Username: BarryK
"Look at this stupid database: It has a download button to download 'curl_7.22.0-3ubuntu4.1_i386.deb', but when you try to download it, there is an error, because the package is no longer on the repo. The thing is, it hasn't been there for quite some time. At least 3 weeks, maybe a lot more.

re: stupid database
Username: L 18 L
" wrote: [i]Note that in some browsers you will need to tell your browser you want the file saved to a file. For example, in Firefox or Mozilla, you should hold the Shift key when you click on the URL.[/i] I have hold the [b]shift[/b] key and was able to download from

which deb is the culprit?
Username: charlie6
"Hi, imho debs related to mesa-8.0.4 might be eliminated; they are not present in upup-Raring-3.9.9.x which has mesa-9.1.3 instead; charlie

which deb is the culprit?
Username: charlie6
"re-Hi ... using the command line: [code]# pkg-config --modversion lib-to-be-checked[/code] are present in upup-Raring-3.9.9.x and therefore, imho, [u][b]might[/b][/u] be «innocented»: libcurl-7.26 libdrm-2.4.40 libpulse-2,0 libtiff,so,5 hope this helps charlie

Stick with own work
Username: ted dog
"This is what I feared, once puppylinux took on the task of 'pup-i-fying' other distros we would inherit their unsolved bugs, and take an effort to fix them. I see common theme to the types of bugs you are solving, take a look at squashfs and the overlay methods for slower than expected file decompression, small files suffer the worst due to packing many together as a group to save compression size. There was an issue with wh.files that experienced same second access correction in a puppy spinoff

non-US kb layout
Username: FeodorF
"precise-5.7.1.iso 03-Aug-2013 00:32 156M German 'äöüß' works fine over here. (Manual frugal mode and live-cd mode too.) Different problem - Retrovol Surround Jack Mode should be set to 'Independent' by default. ('No sound' issue on older boxes.)

DEB culprit found
Username: BarryK
"L18L, The 'precise-updates' curl DEB may still exist on some mirrors. OK, for anyone who is interested, I have found the DEB that is causing the non-US keyboard problem. It is the upgrade from: [i]libx11-6_1.4.99.1-0ubuntu2_i386.deb[/i] to: [i]libx11-6_1.4.99.1-0ubuntu2.1_i386.deb[/i] I don't know why. I have got other stuff to do today.

libx11-6 changelog
Username: BarryK
"This is the changelog, all submitted by one guy. I have sent him an email. [code]libx11 (2: precise-security; urgency=low * SECURITY UPDATE: denial of service and possible code execution via incorrect memory size calculations - debian/patches/CVE-2013-1981.patch: fix multiple integer overflows. - CVE-2013-1981 * SECURITY UPDATE: denial of service and possible code execution via incorrect length and bounds checking - debian/patches/CVE-2013-1997.patch: properly calculate lengths. - CVE-2013-1997 * SECURITY UPDATE: denial of service and possible code execution via stack overflow from recursive #include - debian/patches/CVE-2013-2004.patch: set limit on depth. - CVE-2013-2004 * debian/patches/001_hide_xeatdatawords.diff: Hide _XEatDataWords by default. [/code]

libX11-6 bug
Username: pemasu
"I can confirm that the original precise version fixes the bug also in Upup Raring. I tested all the libX* .debs, but I chose to test debian wheezy packages believing they are fine. The bug was there also and also in debian sid atm. Thank you. One nasty bug trashed. Sticking on own packages. Well, there are tens of thousands packages in ubuntu repositories, using launchpad stuff, I have managed to use Netflix, just got Gnuradio starting....without need to compile the stuff from the start. The real big bonus is that you get development headers .debs easily for your own compiles if you want to compile app with less dependencies, or there is not suitable update available. Only big minus is the ubuntu style to split everything to the small packages. It makes things hard. And there should be easy Puppy way to get control file dependencies information extracted and in use, when you install apps from ppa launchpad repositories. Now I have to do that manually. Like for grooveoff.

libx11 patch bug
Username: BarryK
"For the record, this is the patch that causes the non-US keyboard layout bug: [i]CVE-2013-1997.patch[/i]

Re libx11 bug
Username: BarryK
"Note also, I have sent an email to the guy who created that patch. Hopefully he will see what the problem is. URL:

libX11 patch to fix non-US keyboard
Username: BarryK
"The author of the CVE-2013-1997.patch sent a rather arrogant reply, and stated that he would do nothing. So, very reluctantly I set about isolating the bug in his patch. Eventually I found it, and created a patch to revert it: [code]diff -Naur libX11-1.6.1ORIG/src/xkb/XKBGetMap.c libX11-1.6.1/src/xkb/XKBGetMap.c --- libX11-1.6.1ORIG/src/xkb/XKBGetMap.c 2013-07-30 12:30:01.000000000 +0800 +++ libX11-1.6.1/src/xkb/XKBGetMap.c 2013-08-16 20:32:07.000000000 +0800 @@ -212,8 +212,9 @@ KeySym * newSyms; int tmp; - if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms) - return BadLength; + //BK this was in 'CVE-2013-1997.patch', but it breaks non-US keyboard layout in Puppy Linux... + //if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms) + // return BadLength; oldMap = &map->key_sym_map[rep->firstKeySym]; for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) { newMap= (xkbSymMapWireDesc *) [/code] I tested this with libX11 version as used in Ubuntu Precise Pangolin, also with the latest release, 1.6.1. In both bases, the bug was fixed. I was p... I mean, miffed, by the reply I had received from that guy, however I have sent a very polite email, with my fix. I have suggested that he either submit my patch to libX11 git, or modify that code in his patch so that it does not break non-US keyboards.
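Review bot: Commenting out the length check leaves `oldMap = &map->key_sym_map[rep->firstKeySym]` and the loop over `rep->nKeySyms` driven by reply fields that are no longer validated, which is the out-of-bounds condition CVE-2013-1997.patch was written to close. The comparison against `map->num_syms` looks like the wrong bound rather than an unnecessary check, since these values index `key_sym_map`; keeping the guard with a corrected bound would preserve the protection, for example `if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > xkb->max_key_code + 1) return BadLength;` (this assumes `xkb` is in scope here and that key_sym_map holds max_key_code + 1 entries, which the hunk does not show). The enclosing function starts and ends outside the hunk. A build that carries this revert should be tracked as missing part of the CVE fix until a corrected check lands.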

Progress, maybe
Username: BarryK
"Ah, good, after my email pointing out the offending code lines, the author of 'CVE-2013-1997' has replied in a more helpful way. He says that he cannot remove a bounds-check security patch, and no other distros have reported this bug, but he will take a look at it.

non-US keyboard bug solved
Username: BarryK
"I got off to a bad start with the author of 'CVE-2013-1997' as Puppy is still using the deprecated 'kbd' driver, so he didn't want to know about it. Note, almost all other distros have dropped it in favour of the 'evdev' driver. Anyway, after I had isolated the offending lines, he became helpful, and sent me a patch to test. I am pleased to report that the patch worked. This is it: [code]diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c index c73e655..a24ddd8 100644 --- a/src/xkb/XKBGetMap.c +++ b/src/xkb/XKBGetMap.c @@ -147,15 +147,16 @@ _XkbReadKeySyms(XkbReadBufferPtr buf,XkbDescPtr xkb,xkbGetMapReply *rep) { register int i; XkbClientMapPtr map; +int size = xkb->max_key_code + 1; + + if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size) + return BadLength; map= xkb->map; if (map->key_sym_map==NULL) { register int offset; - int size = xkb->max_key_code + 1; XkbSymMapPtr oldMap; xkbSymMapWireDesc *newMap; - if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size) - return BadLength; map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec); if (map->key_sym_map==NULL) return BadAlloc; @@ -212,8 +213,6 @@ XkbClientMapPtr map; KeySym * newSyms; int tmp; - if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms) - return BadLength; oldMap = &map->key_sym_map[rep->firstKeySym]; for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) { newMap= (xkbSymMapWireDesc *) -- [/code] I applied the patch to pristine libX11 1.6.1 source, and the bug was gone. I have reported success to Alan, and he will likely be submitting the patch to libX11 git. So, it will take awhile before it filters down to distro packages. I have let Marc, one of the Ubuntu developers, know about this fix, so hopefully he will be backporting it to 'precise-updates' after it becomes official. I have been a few days on this, gotta get onto other stuff!
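Review bot: The relocated check at the top of `_XkbReadKeySyms` has no comment saying why the bound is `xkb->max_key_code + 1`, and the `map->num_syms` bound it replaces shows how easy it is to pick the wrong one. A short comment above it would help, such as `/* firstKeySym and nKeySyms index key_sym_map, which is allocated with max_key_code + 1 entries */`. That statement is only demonstrated for the `key_sym_map==NULL` branch, where the array is allocated with `size` entries. For a map that already exists, the hunk does not show that key_sym_map is at least that large, so that is worth confirming before relying on the single check. The function body continues outside the hunk.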

Tags: puppy