Hi Sylvain,

On Wed, Oct 12, 2022 at 03:45:11PM +0200, Sylvain Beucler wrote:
> I'll give it some testing on my buster system.

Thank you. I take the absence of a further response as "nothing broke".

> A couple things I noticed right now:
>
> - dist in debian/changelog should be 'buster-security' (not 'buster')

Thank you. Updated.

> - debdiff|diffstat shows spurious '.pc' work files from quilt
> (plus a change in a patches/README which maybe adds more noise than it helps
> in a security upload, but that's a matter of taste)

Yeah, I noticed them as well after performing all the builds (including
armhf) and left them in as a canary to see whether anyone even opens the
.debdiff. ;) Thank you for the review!

> - a methodology point: if there's some uncertainty on CVE-2016-10228 (note:
> which is a 2020 fix really), that neither secteam nor the maintainers
> decided to fix in other Debian dists, maybe it's not worth the risk to fix
> it in LTS.
> I read your note that other distros (ubuntu, redhat) did so though,
> contacting the maintainers could help evaluate the risk better.

Yeah. I'm fixing quite a number of issues that were not previously
considered. Even though these were non-trivial to fix, I believe that we
should fix them. Leaving them as is would mean that character conversion
involving untrusted inputs is not supported at all. Seems like a hard sell,
right?

My understanding now is that the only user of these private symbols is
iconv itself. So you'd have to run the new iconv (i.e. libc-bin unpacked)
with the old libc6 or vice versa. A relatively unlikely race condition to
win. It shouldn't affect long-running processes as the dynamically loaded
conversion modules themselves don't use the affected private symbols.

Given my own tests on this, I will go ahead and upload the buster lts.

Other changes:
 * Fixed iconv test to work with old transliteration.
 * Understood iconv test failure: It's actually testing the wrong thing.
   Building it twice (with the previous build installed) makes the test
   succeed. Documented rather than fixed.
 * Fixed conformance tests. -lrt should not require symbols from
   -lpthread. Vendored the affected function.
 * Fixed setting of error code in clnt_create. Fault in backporting by me.

Helmut
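The thread above argues that character conversion of untrusted input must remain a supported use of glibc's iconv. The program below is an added illustration of the defensive calling pattern that point implies; it is not code from the Debian upload, from glibc, or from either author. It wraps iconv(3) in a hypothetical helper, convert_utf8_to_latin1, that treats every conversion failure (EILSEQ, EINVAL, E2BIG) as a hard error with a distinct return code instead of silently dropping bytes, and feeds it a few constructed sample inputs: valid UTF-8, a byte that is not valid UTF-8, a sequence truncated at the end of the buffer, and an output buffer that is too small.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome codes of the hypothetical helper below (not a glibc API). */
enum conv_result {
    CONV_OK = 0,
    CONV_ILLEGAL_SEQUENCE = 1,  /* EILSEQ: invalid or unrepresentable input */
    CONV_INCOMPLETE = 2,        /* EINVAL: multibyte sequence cut off at end of input */
    CONV_OUTPUT_FULL = 3,       /* E2BIG: caller's output buffer too small */
    CONV_OPEN_FAILED = 4        /* iconv_open failed for this charset pair */
};

/* Convert UTF-8 input to ISO-8859-1 without any //IGNORE or //TRANSLIT
 * suffix, so nothing in the untrusted input is skipped or substituted
 * behind the caller's back. *out_len receives the number of bytes
 * written to out (also on error, so partial output is accounted for). */
enum conv_result convert_utf8_to_latin1(const char *in, size_t in_len,
                                        char *out, size_t out_cap,
                                        size_t *out_len)
{
    iconv_t cd = iconv_open("ISO-8859-1", "UTF-8");
    if (cd == (iconv_t)-1)
        return CONV_OPEN_FAILED;

    char *inp = (char *)in;      /* iconv wants a non-const pointer */
    size_t inleft = in_len;
    char *outp = out;
    size_t outleft = out_cap;
    enum conv_result rc = CONV_OK;

    while (inleft > 0) {
        size_t n = iconv(cd, &inp, &inleft, &outp, &outleft);
        if (n == (size_t)-1) {
            switch (errno) {
            case EINVAL: rc = CONV_INCOMPLETE; break;
            case E2BIG:  rc = CONV_OUTPUT_FULL; break;
            case EILSEQ: /* fall through */
            default:     rc = CONV_ILLEGAL_SEQUENCE; break;
            }
            break;  /* never loop on a failed call: no progress guarantee */
        }
    }
    if (rc == CONV_OK)
        iconv(cd, NULL, NULL, &outp, &outleft);  /* flush shift state */

    *out_len = out_cap - outleft;
    iconv_close(cd);
    return rc;
}

/* Runs the four constructed samples and returns 1 if every result
 * matches expectations, 0 otherwise (useful as a self-check). */
int demo_ok(void)
{
    char buf[16];
    size_t n;
    int ok = 1;

    /* "café" in valid UTF-8 -> 4 Latin-1 bytes */
    ok &= convert_utf8_to_latin1("caf\xc3\xa9", 5, buf, sizeof buf, &n) == CONV_OK
          && n == 4 && memcmp(buf, "caf\xe9", 4) == 0;
    /* 0xff can never start a UTF-8 sequence */
    ok &= convert_utf8_to_latin1("a\xff" "b", 3, buf, sizeof buf, &n) == CONV_ILLEGAL_SEQUENCE;
    /* lead byte 0xc3 with its continuation byte missing */
    ok &= convert_utf8_to_latin1("caf\xc3", 4, buf, sizeof buf, &n) == CONV_INCOMPLETE;
    /* six ASCII bytes into a two-byte buffer */
    ok &= convert_utf8_to_latin1("abcdef", 6, buf, 2, &n) == CONV_OUTPUT_FULL;
    return ok;
}

int main(void)
{
    printf("iconv error-handling self-check: %s\n", demo_ok() ? "ok" : "FAILED");
    return demo_ok() ? 0 : 1;
}
```

The point of the pattern is the `break` on a failed iconv() call: a caller that retries or skips bytes on its own, or that opens the descriptor with an //IGNORE suffix, depends on the library making progress on malformed input, which is exactly the behaviour a security fix in this area is about.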