On 2016-10-27 06:45:37, Emilio Pozuelo Monfort wrote:
> Hi Antoine,
>
> On 26/10/16 19:43, Antoine Beaupré wrote:
>> Hi Santiago (and others),
>>
>> I have prepared a wheezy LTS security upload for tre here:
>>
>> https://people.debian.org/~anarcat/debian/wheezy-lts/
>>
>> The debdiff is attached to this message. I have also sent the ported
>> patch to the following bug report:
>
> +tre (0.8.0-3+deb7u1) UNRELEASED; urgency=high
> +
> + * Non-maintainer upload by the Security Team.
> + * new patch to fix CVE-2016-8859
> +
> + -- Antoine Beaupré <anar...@debian.org> Wed, 26 Oct 2016 13:04:31 -0400
>
> Probably s/Security/LTS/.
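Review bot: in the quoted changelog hunk, the entry "new patch to fix CVE-2016-8859" names neither the patch file nor the bug report the ported patch was sent to; naming the patch file and referencing bug 842169 in that line would make the fix traceable from the changelog alone. The distribution field on the first line also still reads UNRELEASED and has to be set to the target suite before the upload.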

Good catch, I had that fixed correctly after sending the debdiff, sorry
for the confusion.

>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842169
>>
>> I am not sure how to perform tests against tre, unfortunately, so I am
>> not in a good position to test that package.
>
> I don't know if there is a test case for this overflow,

I haven't seen one, unfortunately.

> but at the very least,
> you could do some basic testing on tre-agrep, which seems like a grep clone,
> and make sure the basics still work?

Yeah, I just did that and basics seem to work:

root@angela:/var/cache/archive/wheezy# tre-agrep linux /etc/motd
root@angela:/var/cache/archive/wheezy# tre-agrep Linux /etc/motd
The programs included with the Debian GNU/Linux system are free software;
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
root@angela:/var/cache/archive/wheezy# tre-agrep -i -2 Linux /etc/motd
The programs included with the Debian GNU/Linux system are free software;
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
root@angela:/var/cache/archive/wheezy# tre-agrep -i -2 unix /etc/motd
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

Not sure what "unix" is matching in that second line, but it's not a
regression. Fun little program, I didn't know about it. :)

I ended up enabling the test suite in the package, as discussed in the
other part of the thread. I have uploaded the result.

Thanks for the feedback!

A.

-- 
Choose a job you love and you will never have to work a day in your life.
                        - Confucius