On Wed, Oct 26, 2022 at 11:05:05PM -0400, Jérôme Charaoui wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> I would like to upload powerline-gitstatus to stable to fix CVE-2022-42906.
> I have consulted with the security team and they suggested we make the fix
> available via the next point release.
>
> [ Impact ]
> powerline-gitstatus/1.3.1 and earlier versions are susceptible to code
> execution via a malicious repository. Note that the malicious repository must
> be obtained other than by "git clone".
>
> [ Tests ]
> The package has no autopkgtests. It has been tested manually.
>
> [ Risks ]
> The changeset between 1.3.1 and 1.3.2 is small. The risk is low that
> a new bug or security issue is introduced.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> The fix for CVE-2022-42906 is straightforward: it simply appends the
> argument "-C core.fsmonitor=" to the git command. Aside from that, a simple
> program option was added (untracked_not_dirty) and the README is updated.
>
> [ Other info ]
> As I expect a positive response, I will be uploading the package shortly.
>
>
> -- Jerome
> diff -Nru powerline-gitstatus-1.3.1/debian/changelog powerline-gitstatus-1.3.2/debian/changelog
> --- powerline-gitstatus-1.3.1/debian/changelog	2020-07-08 16:17:05.000000000 -0400
> +++ powerline-gitstatus-1.3.2/debian/changelog	2022-10-26 22:54:03.000000000 -0400
> @@ -1,3 +1,10 @@
> +powerline-gitstatus (1.3.2-1+deb11u1) bullseye; urgency=medium
> +
> +  * New upstream version 1.3.2
> +    - Fix command injection via malicious repository config (CVE-2022-42906)
> +
> + -- Jérôme Charaoui <jer...@riseup.net>  Wed, 26 Oct 2022 22:54:03 -0400
> +
>  powerline-gitstatus (1.3.1-2) unstable; urgency=medium

The former proposed update was to just cherry-pick the needed change, so
the version number 1.3.1-2+deb11u1. But if you propose to import 1.3.2
instead, then you need to pick 1.3.2-1~deb11u1 or 1.3.2-0+deb11u1 here,
to have it sorting before the version which hit the archive as 1.3.2-1.

In fact, if you just import a new upstream version on top of the current
packaging then I would go for 1.3.2-0+deb11u1. If it is OTOH merely a
rebuild of the upper-suite version then 1.3.2-1~deb11u1. In your case I
think both of those are perfectly reasonable.

Hope that helps,

Regards,
Salvatore
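Review bot: the version `1.3.2-1+deb11u1` on the first `+` line of the changelog hunk sorts after `1.3.2-1`, the version of the same upstream release already in the archive, so a bullseye system carrying this update would never see `1.3.2-1` as an upgrade; since the hunk imports upstream 1.3.2 on top of the existing packaging, `1.3.2-0+deb11u1` sorts correctly (`1.3.2-1~deb11u1` would be the choice for a plain rebuild of the archive version). Separately, the entry records only the CVE-2022-42906 fix, while the [ Changes ] section of the request mentions the new `untracked_not_dirty` option and the README update; the checklist item claims all changes are documented in d/changelog, so those two should be listed under the same bullet.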
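The mitigation Jérôme describes, applied to a git wrapper, as an added example that is not powerline-gitstatus's own code: git reads `.git/config` from the repository it is run in, and `core.fsmonitor` names a command git runs by itself, which a `git clone` never copies (hence the report's note about how the repository is obtained). The block has a defender's check that flags a repository config setting `core.fsmonitor`, and a wrapper that places `-c core.fsmonitor=` before the git subcommand so a command-line override wins over the repository's own config. Git's config override flag is lowercase `-c`; uppercase `-C` is git's change-directory flag. The function names, the `SUSPICIOUS_CONFIG`/`CLEAN_CONFIG` samples and the `placeholder-command` value are constructed for this example.

```python
"""Detecting and neutralising a repository-supplied core.fsmonitor setting."""
import subprocess
from typing import Optional, Sequence

# Constructed sample configs (not taken from any real repository).
SUSPICIOUS_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfsmonitor = placeholder-command
[remote "origin"]
\turl = https://example.invalid/repo.git
"""

CLEAN_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
"""


def fsmonitor_setting(config_text: str) -> Optional[str]:
    """Return the value of core.fsmonitor in git-config-style text, or None.

    A minimal line-based reader: '[section]' or '[section "sub"]' headers,
    'key = value' lines, '#'/';' comment lines.  A bare key with no '='
    means boolean true in git, so it is reported as "true".
    """
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            section = name.split()[0].lower() if name else None
            continue
        key, _, value = line.partition("=")
        if section == "core" and key.strip().lower() == "fsmonitor":
            return value.strip() or "true"
    return None


def git_argv(args: Sequence[str]) -> list:
    """Build a git command line with core.fsmonitor forced empty.

    '-c name=value' is git's per-invocation config override and takes
    precedence over .git/config, so an empty core.fsmonitor disables any
    command the repository tried to register.  It must precede the subcommand.
    """
    return ["git", "-c", "core.fsmonitor=", *args]


def run_git(args: Sequence[str], repo_dir: str) -> subprocess.CompletedProcess:
    """Run git inside repo_dir with the override applied (requires git)."""
    return subprocess.run(git_argv(args), cwd=repo_dir,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_CONFIG), ("clean", CLEAN_CONFIG)):
        print(f"{label}: core.fsmonitor = {fsmonitor_setting(text)!r}")
    print("hardened command:", " ".join(git_argv(["status", "--porcelain"])))
```

The check reads the config as text so it can be run over an untrusted directory before any git command is executed there; the wrapper is what a prompt or status tool would use on every invocation, whether or not the check fired.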
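The ordering Salvatore relies on, worked through as an added example (a Python reimplementation of the comparison `dpkg --compare-versions` performs, not dpkg's own code): versions split into epoch, upstream part and Debian revision; each part is compared in alternating non-digit and digit runs, digits numerically, and `~` sorts before everything, including the end of the string, which is why `1.3.2-1~deb11u1` and `1.3.2-0+deb11u1` both sort below `1.3.2-1` while `1.3.2-1+deb11u1` sorts above it. `compare_versions` and `is_older` are names chosen here.

```python
"""Debian version comparison in the style of dpkg's verrevcmp()."""
from typing import Tuple


def _order(s: str, i: int) -> int:
    """Weight of s[i] inside a non-digit run (end of string counts as 0)."""
    if i >= len(s):
        return 0
    c = s[i]
    if c.isdigit():
        return 0            # a digit ends the non-digit run, same weight as the end
    if c.isalpha():
        return ord(c)       # letters sort by code point
    if c == "~":
        return -1           # tilde sorts before everything, even the end of string
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component (upstream part or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then a longer run is larger,
        # and equal-length runs decide on the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' (epoch and revision optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0 if a is older than b, 0 if equal, >0 if a is newer."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    if c:
        return c
    return _verrevcmp(ra, rb)


def is_older(a: str, b: str) -> bool:
    return compare_versions(a, b) < 0


if __name__ == "__main__":
    archive = "1.3.2-1"                      # version of 1.3.2 already in unstable
    for candidate in ("1.3.2-1+deb11u1", "1.3.2-0+deb11u1", "1.3.2-1~deb11u1"):
        verdict = "sorts below" if is_older(candidate, archive) else "sorts ABOVE"
        print(f"{candidate:18} {verdict} {archive}")
```

Running the block shows the first candidate sorting above `1.3.2-1`, which is exactly the problem with the changelog entry as submitted; the other two sort below it and are therefore safe choices for a stable update.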