On 13-11-15 12:41, Sebastiaan Couwenberg wrote: > On 13-11-15 11:59, Johan Van de Wauw wrote: >> Op 13/11/2015 om 11:52 schreef Sebastiaan Couwenberg: >>> On 13-11-15 11:46, Sebastiaan Couwenberg wrote: >>>> On 13-11-15 06:45, Salvatore Bonaccorso wrote: >>>>> On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg >>>>> wrote: >>>>>> Dear Security Team, >>>>>> >>>>>> The patch to fix multiple vulnerabilities identified by >>>>>> American Fuzzy Lop reported in #781228 caused a regressed as >>>>>> reported in the GDAL issue tracker: >>>>>> >>>>>> https://trac.osgeo.org/gdal/ticket/6200 >>>>>> >>>>>> The change to fix this regression was included in freexl >>>>>> (1.0.1-1~exp1), but not in the security updates for jessie >>>>>> (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1). >>>>>> >>>>>> I've prepared updates to fix this regression for jessie & >>>>>> wheezy, see the attached debdiffs. >>>>>> >>>>>> Are these regression fixes appropriate for upload to >>>>>> {wheezy,jessie}-security or should they be uploaded to >>>>>> proposed-updates instead? >>>>> Since the regression was introduced via a DSA, we might address >>>>> this regression trough af follow-up DSA: >>>>> >>>>> s/UNRELEASED/wheezy-security/ and urgency=high set or >>>>> respectively jessie-security for the second one. >>>>> >>>>> With the above changes please go ahead with your upload to >>>>> security-master. >>>>> >>>>> Thanks for your work and pinging us about the regression. >>>> Thanks for the quick feedback, >>>> >>>> I've set the distribution and urgency as appropriate for security >>>> uploads and uploaded both to security-master. >>> We also need this regression fix uploaded for Ubuntu trusty & vivid. >>> >>> Shall I also do those, or can you take care of the uploads for Ubuntu? >>> >>> Please note that besides afl-vulnerabilitities-regression.patch we may >>> also want to include 32bit-multiplication-overflow.patch in the >>> update, this issue hasn't been fixed in Ubuntu yet. >> I was watching this tread. I'll propose ubuntu patches. > > I've prepared updates for Ubuntu in git, but I've not followed up on the > bug report or IRC yet as documented in: > > https://wiki.ubuntu.com/StableReleaseUpdates#regressions > > I'll update LP#1437087 with pointers to the fixes shortly.
See: https://bugs.launchpad.net/ubuntu/+source/freexl/+bug/1437087/comments/11 Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
