Hi Mark,

On Tue, Jul 02, 2019 at 10:10:21PM +0200, Salvatore Bonaccorso wrote:
> Hey Mark!
> 
> On Mon, Jul 01, 2019 at 12:33:06AM +0200, Mark Wielaard wrote:
> > Hi Salvatore,
> > 
> > On Sun, 2019-06-30 at 19:28 +0200, Salvatore Bonaccorso wrote:
> > > Testing and feedback appreciated.
> > > 
> > > it is not very helpful I think, because I do not have a good testing
> > > corpus. What I did is to apply the patch on top of our current
> > > 1.0.6-9.1 (which has the issue after fixing CVE-2019-12900), and
> > > tested it with the problematic file from
> > > https://developer.nvidia.com/embedded/dlc/l4t-jetson-xavier-driver-package-31-1-0
> > > .
> > > 
> > > But apart from that I do not have at the moment better feedback :(
> > 
> > That is already great feedback thanks.
> > 
> > But you are right that it would be good to have a better testing
> > corpus. It isn't much, but I have set up an initial bzip2 test suite:
> > https://sourceware.org/git/?p=bzip2-tests.git;a=summary
> > 
> > It is a little bare bones right now, but the README will hopefully help
> > to see how to run it on some other collection of .bz2 files.
> > 
> > It does already contain a testcase that still fails with the proposed
> > patch. It is a really odd corner case, but since we accepted it in the
> > past, we should really make sure it works in the future too.
> > 
> > I'll discuss an alternative patch upstream.
> 
> Thanks. For context here in the bug, the alternative approach patch is
> posted at https://sourceware.org/ml/bzip2-devel/2019-q2/msg00035.html
> .

The patch seems to have evolved to
https://sourceware.org/ml/bzip2-devel/2019-q3/msg00007.html. Were
there any more issues found? Should downstream distros who picked up
the CVE-2019-12900 safely include this patch?

Regards,
Salvatore
