[Secure-testing-team] Bug#747532: iceowl-extension: aptitude dist-upgrade fails due to wrong use of Conflicts:

Jonas Smedegaard dr at jones.dk
Fri May 9 16:18:52 UTC 2014


Package: iceowl-extension
Version: 24.0~b3-1
Severity: critical
Justification: breaks unrelated software

Source package iceweasel used to build both of the binary packages
iceowl-extension and calendar-timezones.

Since 24.0~b3-1 binary package calendar-timezones was dropped,
iceowl-extension has had provides/replaces/conflicts against
calendar-timezones, with the following in changelog:

 remove package calendar-timezones. The calendar-timezones related files
 are now inside the lightning package.

According to Debian Policy § 7.4, breaks should be used "when moving a file
from one package to another", whereas conflicts should be used "when two
packages provide the same file and will continue to do so".

I believe in this case the conflicts should be changed to breaks.


This bug may seem rather harmless in itself, but since stable-security
has included 24.5.0-1~deb7u1, systems with iceowl-extension installed
will fail to auto-upgrade systems (e.g. with unattended-upgrades or by
executing "aptitude upgrade") and if executing "aptitude dist-upgrade"
the default solution is to remove iceowl-extension rather than to
remove calendar-timezones as was intended.

I therefore - at least for stable - consider this as "breaks unrelated
software" and therefore tag it as critical.

Concretely, the Debian Blend DebianParl was critically affected by this in
that the non-auto-resolvable conflict caused other security updates to
not get applied, including an upgrade to enigmail resulting in Icedove
silently stopping to auto-sign emails as configured.

 - Jonas
