Utkarsh Gupta <utka...@debian.org> writes:

> On Mon, Oct 5, 2020 at 3:03 AM Brian May <b...@debian.org> wrote:
>> I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can
>> cause a panic - however I feel this is not really a security issue.
>
> But still, in case you can include a fix for this in this upload,
> that'd be great!
I wasn't sure it was going to be worth it?

$ patch --dry-run -p1 < ../CVE-2020-9283.patch
checking file ssh/keys.go
Hunk #1 succeeded at 494 with fuzz 1 (offset -68 lines).
Hunk #2 FAILED at 584.
Hunk #3 FAILED at 840.
Hunk #4 succeeded at 807 with fuzz 2 (offset -57 lines).
Hunk #5 FAILED at 903.
Hunk #6 FAILED at 1056.
Hunk #7 FAILED at 1309.
5 out of 7 hunks FAILED

Looking at this again, it looks like it should be trivial to apply #2, #5,
and #6 manually. Not sure why these didn't apply automatically.

Which just leaves #3 - may not be required - and #7 - which only patches a
comment.

-- 
Brian May <b...@debian.org>
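An added illustration of the point under discussion (why a panic on a malformed public key matters for a server, and what the patched shape of the code looks like). This is not code from this thread or from golang.org/x/crypto/ssh; the 4-byte-length-prefixed key encoding, the stand-in parsers legacyParseKey and hardenedParseKey, and the safeVerify wrapper are all constructed for the example. ed25519 from the standard library stands in for the SSH key types so the block runs without x/crypto.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed stand-in for the SSH wire format: a 4-byte big-endian length
// followed by the raw ed25519 public key bytes. Not the x/crypto encoding.

// legacyParseKey mimics an unhardened parser: it trusts the declared length
// and slices without checking it against the buffer, so a bad length field
// makes the goroutine panic with an out-of-range slice instead of returning
// an error. In a server that does not recover, that panic ends the process.
func legacyParseKey(blob []byte) ed25519.PublicKey {
	n := binary.BigEndian.Uint32(blob[:4]) // panics if blob is shorter than 4 bytes
	return ed25519.PublicKey(blob[4 : 4+n]) // panics if n overruns the buffer
}

// hardenedParseKey is the patched shape: every length is checked before use,
// and anything malformed is reported as an error the caller can log and drop.
func hardenedParseKey(blob []byte) (ed25519.PublicKey, error) {
	if len(blob) < 4 {
		return nil, errors.New("key blob too short")
	}
	n := binary.BigEndian.Uint32(blob[:4])
	if n != ed25519.PublicKeySize || uint64(len(blob)) != 4+uint64(n) {
		return nil, errors.New("malformed key blob")
	}
	return ed25519.PublicKey(blob[4:]), nil
}

// safeVerify contains a panic raised by a parser or by ed25519.Verify (which
// panics on a wrong-sized key) and turns it into an error. This is the
// stop-gap a deployment can use around an unpatched library: one malformed
// key then fails one connection instead of the whole server.
func safeVerify(parse func([]byte) ed25519.PublicKey, blob, msg, sig []byte) (ok bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			ok = false
			err = fmt.Errorf("verification aborted on malformed input: %v", r)
		}
	}()
	return ed25519.Verify(parse(blob), msg, sig), nil
}

// encodeKey produces a well-formed blob in the constructed format.
func encodeKey(pub ed25519.PublicKey) []byte {
	blob := make([]byte, 4+len(pub))
	binary.BigEndian.PutUint32(blob, uint32(len(pub)))
	copy(blob[4:], pub)
	return blob
}

// malformedKey is a constructed blob whose declared length (1 GiB) is far
// larger than its 4-byte payload.
func malformedKey() []byte {
	blob := make([]byte, 8)
	binary.BigEndian.PutUint32(blob, 1<<30)
	return blob
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("constructed message")
	sig := ed25519.Sign(priv, msg)

	ok, err := safeVerify(legacyParseKey, encodeKey(pub), msg, sig)
	fmt.Println("good key, legacy parser:", ok, err)

	ok, err = safeVerify(legacyParseKey, malformedKey(), msg, sig)
	fmt.Println("malformed key, legacy parser (panic contained):", ok, err)

	if _, err := hardenedParseKey(malformedKey()); err != nil {
		fmt.Println("malformed key, hardened parser:", err)
	}
}
```

The recover wrapper is a mitigation, not a fix: it keeps the process up but still spends the work of parsing each bad key, and it masks the bug's location in logs unless the recovered value is recorded. The length checks in hardenedParseKey are the actual remedy, which is what the backported hunks for ssh/keys.go add to the real parsers.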