Wheezy update of libonig?
Hello Jörg, The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of libonig: https://security-tracker.debian.org/tracker/source-package/libonig Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libonig updates for the LTS releases. Thank you very much. Raphaël Hertzog, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/
Wheezy update of pngquant?
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of pngquant: https://security-tracker.debian.org/tracker/CVE-2016-5735 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of pngquant updates for the LTS releases. Thank you very much. Raphaël Hertzog, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/
Re: testing bind9 for Wheezy LTS
Hi, On Sat, May 20, 2017 at 04:57:52PM +0200, Thorsten Alteholz wrote: > Hi everybody, > > I uploaded version 9.8.4.dfsg.P1-6+nmu2+deb7u16 of bind9 to: > > https://people.debian.org/~alteholz/packages/wheezy-lts/bind9/amd64/ > > Please give it a try and tell me about any problems you met. I've tested the package on a nameserver authoritive for some zones also using dnssec and on a caching configuration using IPv4 and IPv6 with no ill effects so far. Cheers, -- Guido > > Thanks! > Thorsten > > > > * Dns64 with "break-dnssec yes;" can result in a assertion failure. > (CVE-2017-3136) > * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190. > If not cherry-picking this change the fix for CVE-2017-3137 can cause an > assertion failure to appear in name.c. > * Some chaining (CNAME or DNAME) responses to upstream queries could trigger > assertion failures (CVE-2017-3137) > * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries > could trigger assertion failures. (CVE-2017-3137) > * Fix regression introduced when handling CNAME to referral below the > current domain > * 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138) > > >
Patch proposal for CVE-2017-6960 in Wheezy (/Jessie)
Hi,
I have prepared a patch for apng2gif 1.5.
Testing did not reveal any problem, but I'm sure it can still be
improved.
Could anybody take a look at it ?
Debdiff for wheezy is in attachment (a test package for wheezy is also
available here[0]).
This patch should also fix the issue in Jessie, but I did not test it.
I can build a test package if needed.
Cheers,
Hugo
[0] https://people.debian.org/~hle/lts/apng2gif_1.5-1+deb7u1_amd64.changes
--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
diff -Nru apng2gif-1.5/debian/changelog apng2gif-1.5/debian/changelog
--- apng2gif-1.5/debian/changelog 2012-03-11 08:50:30.0 +0100
+++ apng2gif-1.5/debian/changelog 2017-05-25 13:49:46.0 +0200
@@ -1,3 +1,11 @@
+apng2gif (1.5-1+deb7u1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2017-6960: Integer overflow resulting in a heap-based
+buffer over-read in the LoadAPNG function.
+
+ -- Hugo Lefeuvre Thu, 25 May 2017 13:49:46 +0200
+
apng2gif (1.5-1) unstable; urgency=low
* New upstream release (Closes: #663412).
diff -Nru apng2gif-1.5/debian/patches/CVE-2017-6960.patch
apng2gif-1.5/debian/patches/CVE-2017-6960.patch
--- apng2gif-1.5/debian/patches/CVE-2017-6960.patch 1970-01-01
01:00:00.0 +0100
+++ apng2gif-1.5/debian/patches/CVE-2017-6960.patch 2017-05-25
13:49:46.0 +0200
@@ -0,0 +1,48 @@
+Author: Hugo Lefeuvre
+Subject: Fix integer overflow in the LoadAPNG function.
+ The LoadAPNG function is affected by an integer overflow resulting in a
+ heap-based buffer over-read (CVE-2017-6960).
+ .
+ In this patch, we add a check before the memory allocation in order to prevent
+ from integer overflows. Thus, if passed image has too large width or height,
we
+ exit cleanly with "Error: Image size unsupported".
+ .
+ The image is considered "invalid" if
+ (h > UINT_MAX/(4*(frames+1))) or
+ (w > UINT_MAX/(4*(frames+1))) or
+ w > UINT_MAX/(4*(frames+1)*h) or
+ h > UINT_MAX/(4*(frames+1)*w
+ .
+ This is because we want the function to abort if
+ w*h*4*(frames+1) > UINT_MAX
+ <=> w*h > UINT_MAX/(4*(frames+1)) (we assume that frames+1 always stays
+ positive)
+ <=> w > UINT_MAX/(4*(frames+1)*h) or h > UINT_MAX/(4*(frames+1)*w)
+ .
+ The (h > UINT_MAX/(4*(frames+1))) or (w > UINT_MAX/(4*(frames+1))) check
+ prevents from an integer overflow when calculating (4*(frames+1)*h and
+ (4*(frames+1)*w (not sufficient to fix the issue, however).
+Bug-Debian: http://bugs.debian.org/854367
+--- a/apng2gif.c 2017-05-25 16:26:22.972280904 +0200
b/apng2gif.c 2017-05-25 16:28:19.544156335 +0200
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "zlib.h"
+
+ #define PNG_DISPOSE_OP_NONE0x00
+@@ -607,6 +608,12 @@
+ * operations will make it impossible, then we'll use RGBA version
instead.
+ */
+
++if((h > UINT_MAX/(4*(frames+1))) || (w > UINT_MAX/(4*(frames+1))) ||
++ (w > UINT_MAX/(4*(frames+1)*h)) || (h > UINT_MAX/(4*(frames+1)*w ))) {
++printf("Error: Image size unsupported\n");
++break;
++}
++
+ outrow1 = w; /* output coltype = input coltype */
+ outrow2 = w*4;/* output coltype = RGBA */
+ outimg1 = h*outrow1;
diff -Nru apng2gif-1.5/debian/patches/series apng2gif-1.5/debian/patches/series
--- apng2gif-1.5/debian/patches/series 1970-01-01 01:00:00.0 +0100
+++ apng2gif-1.5/debian/patches/series 2017-05-25 13:49:46.0 +0200
@@ -0,0 +1 @@
+CVE-2017-6960.patch
signature.asc
Description: PGP signature
Re: testing bind9 for Wheezy LTS
Hi Guido, On Thu, 25 May 2017, Guido Günther wrote: I've tested the package on a nameserver authoritive for some zones also using dnssec and on a caching configuration using IPv4 and IPv6 with no ill effects so far. thanks a lot for testing, your results are good to know. Thorsten
Re: Wheezy update of kde4libs?
Hi Maxy,
> > Would you like to take care of this yourself?
>
> Currently no, sorry. If you manage to work on this, please send me the
> diff or the format-patch queue so I can record the upload in our vcs.
I don't have a format-patch-formatted patch (:P), but please find attached the
debdiff that I have just uploaded.
Cheers,
Emilio
diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog
--- kde4libs-4.8.4/debian/changelog 2016-07-25 15:13:22.0 +0200
+++ kde4libs-4.8.4/debian/changelog 2017-05-23 21:10:51.0 +0200
@@ -1,3 +1,15 @@
+kde4libs (4:4.8.4-4+deb7u3) wheezy-security; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Sanitize URLs before passing them to FindProxyForURL (CVE-2017-6410)
+(Closes: #856890)
+ * Verify that whoever is calling us is actually who he says he is
+(CVE-2017-8422)
+ * Don't show passwords contained in HTTP URLs in error messages
+(CVE-2013-2074)
+
+ -- Emilio Pozuelo Monfort Tue, 23 May 2017 21:10:51 +0200
+
kde4libs (4:4.8.4-4+deb7u2) wheezy-security; urgency=medium
* Add new patch: cve-2016-6232.patch
diff -Nru kde4libs-4.8.4/debian/files kde4libs-4.8.4/debian/files
--- kde4libs-4.8.4/debian/files 1970-01-01 01:00:00.0 +0100
+++ kde4libs-4.8.4/debian/files 2017-05-23 21:10:51.0 +0200
@@ -0,0 +1 @@
+kde4libs_4.8.4-4+deb7u3_source.buildinfo libs optional
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-1.patch
kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-1.patch
--- kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-1.patch1970-01-01
01:00:00.0 +0100
+++ kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-1.patch2017-05-23
21:10:51.0 +0200
@@ -0,0 +1,38 @@
+From 65d736dab592bced4410ccfa4699de89f78c96ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gr=C3=A9gory=20Oestreicher?=
+Date: Wed, 8 May 2013 23:16:00 +0200
+Subject: Don't show passwords contained in HTTP URLs in error messages BUG:
+ 319428
+
+---
+ kioslave/http/http.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
+index 2d139a9..129fc7b 100644
+--- a/kioslave/http/http.cpp
b/kioslave/http/http.cpp
+@@ -3056,7 +3056,7 @@ try_again:
+ ; // Ignore error
+ } else {
+ if (!sendErrorPageNotification()) {
+-error(ERR_INTERNAL_SERVER, m_request.url.url());
++error(ERR_INTERNAL_SERVER, m_request.url.prettyUrl());
+ return false;
+ }
+ }
+@@ -3072,9 +3072,9 @@ try_again:
+ // Tell that we will only get an error page here.
+ if (!sendErrorPageNotification()) {
+ if (m_request.responseCode == 403)
+-error(ERR_ACCESS_DENIED, m_request.url.url());
++error(ERR_ACCESS_DENIED, m_request.url.prettyUrl());
+ else
+-error(ERR_DOES_NOT_EXIST, m_request.url.url());
++error(ERR_DOES_NOT_EXIST, m_request.url.prettyUrl());
+ return false;
+ }
+ } else if (m_request.responseCode >= 301 && m_request.responseCode<= 303)
{
+--
+cgit v0.11.2
+
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-2.patch
kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-2.patch
--- kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-2.patch1970-01-01
01:00:00.0 +0100
+++ kde4libs-4.8.4/debian/patches/CVE-2013-2074-part-2.patch2017-05-23
21:10:51.0 +0200
@@ -0,0 +1,36 @@
+From 898135a59d91184692ed1bcee8bb4c6d80d6f7b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gr=C3=A9gory=20Oestreicher?=
+Date: Wed, 15 May 2013 21:56:29 +0200
+Subject: Continue hiding passwords in URLs displayed to the user The fix
+ introduced by 65d736da missed two usages of url() instead of prettyUrl().
+ Thanks to Kevin Kofler for spotting those. BUG: 319428
+
+---
+ kioslave/http/http.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
+index 129fc7b..0c887bd 100644
+--- a/kioslave/http/http.cpp
b/kioslave/http/http.cpp
+@@ -1581,7 +1581,7 @@ QString HTTPProtocol::davError( int code /* = -1 */,
const QString &_url )
+
+ QString url = _url;
+ if ( !url.isNull() )
+-url = m_request.url.url();
++url = m_request.url.prettyUrl();
+
+ QString action, errorString;
+ int errorCode = ERR_SLAVE_DEFINED;
+@@ -3464,7 +3464,7 @@ endParsing:
+ KUrl u(m_request.url, locationStr);
+ if(!u.isValid())
+ {
+-error(ERR_MALFORMED_URL, u.url());
++error(ERR_MALFORMED_URL, u.prettyUrl());
+ return false;
+ }
+
+--
+cgit v0.11.2
+
diff -Nru kde4libs-4.8.4/debian/patches/CVE-2017-6410.diff
kde4libs-4.8.4/debian/patches/CVE-2017-6410.diff
--- kde4libs-4.8.4/debian/patches/CVE-2017-6410.diff1970-01-01
01:00:00.0 +0100
+++ kde4libs-4.8.4/debian/p
Re: Firefox ESR large text file rendering problem
On 08/05/17 09:05, Jari Ruusu wrote: > On 5/7/17, Marc SCHAEFER wrote: >> I cannot reproduce that problem on: >> >> $ cat /etc/debian_version >> 7.11 >> >> firefox 52.1.1-ESR, installed manually from >> http://ftp.mozilla.org/pub/firefox/releases/52.1.1esr/linux-x86_64/en-US/firefox-52.1.1esr.tar.bz2 > > I can confirm that the Mozilla pre-compiled version works OK. But the Debian > pre-compiled stable or LTS version (45.9.0-ESR) does fail when when those > "offmainthread" setting are default TRUE. Self compiled version fails too, > same as Debian pre-compiled version. > > The difference seem to be that Mozilla pre-compiled version embeds one more > shared library. This is the diff of "ls *.so" files between self compiled > and mozilla pre-compiled version: > > --- foo1.txt2017-05-08 09:56:45.0 +0300 > +++ foo2.txt2017-05-08 09:56:51.0 +0300 > @@ -2,6 +2,7 @@ > liblgpllibs.so > libmozavcodec.so > libmozavutil.so > +libmozgtk.so > libmozsandbox.so > libmozsqlite3.so > libnspr4.so > > The menus also look little bit different on mozilla pre-compiled version. The difference is that the mozilla binaries are built against GTK+ 3, whereas the Debian 45esr binaries are built against GTK+ 2. I don't know whether that in itself causes the bug that you reported. What about your 52 builds? Were those built against GTK+ 2 or 3? I am building 52.1esr on wheezy now [1], which will be built against GTK+ 3 when we upload it (45esr is now discontinued, so we'll upload 52esr with the next round of updates in about three weeks). I'll test it and see if that helps. Cheers, Emilio [1] I had a build around, but removed it on a quest to free some disk space.
Re: Wheezy update of libonig?
Hello Raphael, Hello LTS team, Am Donnerstag, den 25.05.2017, 12:40 +0200 schrieb Raphael Hertzog: > Hello Jörg, > > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of libonig: > https://security-tracker.debian.org/tracker/source-package/libonig > > Would you like to take care of this yourself? > I have the "wheezy-security" update ready, upload it this evening to mentors and mail it to my mentor. Please can someone change the dla-needed.txt file? [...] CU Jörg -- New: GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB 30EE 09F8 9F3C 8CA1 D25D GPG key (long) : 09F89F3C8CA1D25D GPG Key: 8CA1D25D CAcert Key S/N : 0E:D4:56 Old pgp Key: BE581B6E (revoked since 2014-12-31). Jörg Frings-Fürst D-54470 Lieser Threema: SYR8SJXB Wire: @joergfringsfuerst IRC: j_...@freenode.net j_...@oftc.net My wish list: - Please send me a picture from the nature at your home. signature.asc Description: This is a digitally signed message part
Re: Firefox ESR large text file rendering problem
On 5/25/17, Emilio Pozuelo Monfort wrote: > What about your 52 builds? Were those built against GTK+ 2 or 3? I have tried both. Also tried different compiler versions, different optimization levels, with and without jemalloc. firefox-52.1.2 compiled on Debian-7 "wheezy" GTK+ 3 ==> FAIL firefox-52.1.2 compiled on Debian-8 "jessie" GTK+ 3 ==> FAIL -- Jari Ruusu 4096R/8132F189 12D6 4C3A DCDA 0AA4 27BD ACDF F073 3C80 8132 F189
libonig/5.9.1-1+deb7u1 (CVE-2017-922[4-9])
Hello Vincent,
I have a bugfix release ready for a review.
My changes:
libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
* New debian/patches/0500-CVE-2017-922[4-9].patch:
- Cherrypicked from upstream to correct:
+ CVE-2017-9224 (Closes: #863312)
+ CVE-2017-9226 (Closes: #863314)
+ CVE-2017-9227 (Closes: #863315)
+ CVE-2017-9228 (Closes: #863316)
+ CVE-2017-9229 (Closes: #863318)
* debian/control:
- Add myself as maintainer.
Build with pdebuild are ok. The test with the newest lintian has a lot
of warnings.
The package is uploaded to mentors[1]. The debdiff is attached.
Please can you review it?
Many thanks.
CU
Jörg
[1]
https://mentors.debian.net/debian/pool/main/libo/libonig/libonig_5.9.1-1+deb7u1.dsc
--
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB 30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key: 8CA1D25D
CAcert Key S/N : 0E:D4:56
Old pgp Key: BE581B6E (revoked since 2014-12-31).
Jörg Frings-Fürst
D-54470 Lieser
Threema: SYR8SJXB
Wire: @joergfringsfuerst
IRC: j_...@freenode.net
j_...@oftc.net
My wish list:
- Please send me a picture from the nature at your home.
diff -Nru libonig-5.9.1/debian/changelog libonig-5.9.1/debian/changelog
--- libonig-5.9.1/debian/changelog 2008-01-07 11:46:27.0 +0100
+++ libonig-5.9.1/debian/changelog 2017-05-25 22:01:47.0 +0200
@@ -1,3 +1,17 @@
+libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high
+
+ * New debian/patches/0500-CVE-2017-922[4-9].patch:
+- Cherrypicked from upstream to correct:
+ + CVE-2017-9224 (Closes: #863312)
+ + CVE-2017-9226 (Closes: #863314)
+ + CVE-2017-9227 (Closes: #863315)
+ + CVE-2017-9228 (Closes: #863316)
+ + CVE-2017-9229 (Closes: #863318)
+ * debian/control:
+- Add myself as maintainer.
+
+ -- Jörg Frings-Fürst Thu, 25 May 2017 22:01:47 +0200
+
libonig (5.9.1-1) unstable; urgency=low
[ Max Kellermann ]
diff -Nru libonig-5.9.1/debian/control libonig-5.9.1/debian/control
--- libonig-5.9.1/debian/control 2008-01-07 11:46:27.0 +0100
+++ libonig-5.9.1/debian/control 2017-05-25 22:00:56.0 +0200
@@ -1,8 +1,7 @@
Source: libonig
Section: libs
Priority: extra
-Maintainer: Max Kellermann
-Uploaders: Alexander Wirt
+Maintainer: Jörg Frings-Fürst
Homepage: http://www.geocities.jp/kosako3/oniguruma/
Build-Depends: debhelper (>= 5), autotools-dev
Standards-Version: 3.7.3
diff -Nru libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch
--- libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch 1970-01-01 01:00:00.0 +0100
+++ libonig-5.9.1/debian/patches/0500-CVE-2017-922[4-9].patch 2017-05-25 21:29:11.0 +0200
@@ -0,0 +1,121 @@
+Correct CVE-2017-922[4-9]
+ Fix mutilple invalid pointer dereference, out-of-bounds write memory
+ corruption and stack buffer overflow,
+Origin: Cheerypicked from upstream
+Bug: https://github.com/kkos/oniguruma/issues/[55|56|57|58|59|60]
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=86331[2|3|4|5|6|8]
+Forwarded: not-needed
+Last-Update: 2017-05-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: libonig-5.9.1/regexec.c
+===
+--- libonig-5.9.1.orig/regexec.c
libonig-5.9.1/regexec.c
+@@ -1425,14 +1425,9 @@ match_at(regex_t* reg, const UChar* str,
+ break;
+
+ case OP_EXACT1: MOP_IN(OP_EXACT1);
+-#if 0
+ DATA_ENSURE(1);
+ if (*p != *s) goto fail;
+ p++; s++;
+-#endif
+- if (*p != *s++) goto fail;
+- DATA_ENSURE(0);
+- p++;
+ MOP_OUT;
+ break;
+
+@@ -3130,6 +3125,8 @@ forward_search_range(regex_t* reg, const
+ }
+ else {
+ UChar *q = p + reg->dmin;
++
++ if (q >= end) return 0; /* fail */
+ while (p < q) p += enclen(reg->enc, p);
+ }
+ }
+@@ -3209,18 +3206,25 @@ forward_search_range(regex_t* reg, const
+ }
+ else {
+ if (reg->dmax != ONIG_INFINITE_DISTANCE) {
+- *low = p - reg->dmax;
+- if (*low > s) {
+- *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+- *low, (const UChar** )low_prev);
+- if (low_prev && IS_NULL(*low_prev))
+- *low_prev = onigenc_get_prev_char_head(reg->enc,
+- (pprev ? pprev : s), *low);
++if (p - str < reg->dmax) {
++ *low = (UChar* )str;
++ if (low_prev)
++*low_prev = onigenc_get_prev_char_head(reg->enc, str, *low);
+ }
+ else {
+- if (low_prev)
+- *low_prev = onigenc_get_prev_char_head(reg->enc,
+- (pprev ? pprev : str), *low);
++ *low = p - reg->dmax;
++ if (*low > s) {
++*low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
++ *low, (const UChar** )low_prev);
++if (low_prev && IS_NULL(*low_prev))
++ *low_prev = onigenc_g
Re: libonig/5.9.1-1+deb7u1 (CVE-2017-922[4-9])
Hi Jörg, On Thu, May 25, 2017 at 1:23 PM, Jörg Frings-Fürst wrote: > Hello Vincent, > > I have a bugfix release ready for a review. > > My changes: > > libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high > > * New debian/patches/0500-CVE-2017-922[4-9].patch: > - Cherrypicked from upstream to correct: > + CVE-2017-9224 (Closes: #863312) > + CVE-2017-9226 (Closes: #863314) > + CVE-2017-9227 (Closes: #863315) > + CVE-2017-9228 (Closes: #863316) > + CVE-2017-9229 (Closes: #863318) > * debian/control: > - Add myself as maintainer. > > Build with pdebuild are ok. The test with the newest lintian has a lot > of warnings. > > The package is uploaded to mentors[1]. The debdiff is attached. > > Please can you review it? In your upload to mentors.d.n, why has the source tarball been changed and versioned as if libonig was a native package (it's not)? Also, if I'm not mistaken, it doesn't look like your CVE patch is actually applied when I attempt to build your package. Have you updated dla-needed.txt, obtained a DLA id and prepared an announcement for debian-lts-announce, as described in [1]? Regards, Vincent [1] https://wiki.debian.org/LTS/Development
