Bug#778753: cabextract: Directory traversal (CVE pending)

2015-04-02 Thread Moritz Mühlenhoff
On Fri, Feb 20, 2015 at 09:25:56PM -0500, Eric Sharkey wrote:
> On Thu, Feb 19, 2015 at 5:38 AM, Moritz Muehlenhoff wrote:
> > Upstream fix is here:
> > http://sourceforge.net/p/libmspack/code/217
> >
> > Since unstable has a more recent version than testing, could you make
> > a targeted jessie u

Bug#778753: cabextract: Directory traversal (CVE pending)

2015-03-05 Thread Moritz Mühlenhoff
On Sat, Feb 21, 2015 at 08:10:11AM -0500, Eric Sharkey wrote:
> On Sat, Feb 21, 2015 at 3:35 AM, Salvatore Bonaccorso
> wrote:
> > Btw, please do not upload to security-master without prior
> > coordination with the security-team, see
> > https://www.debian.org/doc/manuals/developers-reference/pk

Bug#778753: cabextract: Directory traversal (CVE pending)

2015-02-21 Thread Eric Sharkey
On Sat, Feb 21, 2015 at 3:35 AM, Salvatore Bonaccorso wrote:
> Btw, please do not upload to security-master without prior
> coordination with the security-team, see
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#s5.6.4

I'm familiar with the developers' reference. Since this

Bug#778753: cabextract: Directory traversal (CVE pending)

2015-02-21 Thread Salvatore Bonaccorso
Hi Eric,

On Fri, Feb 20, 2015 at 09:25:56PM -0500, Eric Sharkey wrote:
> On Thu, Feb 19, 2015 at 5:38 AM, Moritz Muehlenhoff wrote:
> > Upstream fix is here:
> > http://sourceforge.net/p/libmspack/code/217
> >
> > Since unstable has a more recent version than testing, could you make
> > a targete

Bug#778753: cabextract: Directory traversal (CVE pending)

2015-02-20 Thread Eric Sharkey
On Thu, Feb 19, 2015 at 5:38 AM, Moritz Muehlenhoff wrote:
> Upstream fix is here:
> http://sourceforge.net/p/libmspack/code/217
>
> Since unstable has a more recent version than testing, could you make
> a targeted jessie upload with this patch?

I've written a new patch from scratch to fix cabex

Bug#778753: cabextract: Directory traversal (CVE pending)

2015-02-19 Thread Eric Sharkey
I'm looking at upstream's patch now. It's not going to apply cleanly to 1.4 and there's some stuff in there that looks a little off to me. I'll follow up with Stuart.

Eric

Bug#778753: cabextract: Directory traversal (CVE pending)

2015-02-19 Thread Moritz Muehlenhoff
Package: cabextract
Severity: important
Tags: security
Justification: user security hole

Please see http://www.openwall.com/lists/oss-security/2015/02/18/3 for the CVE request.

Upstream fix is here:
http://sourceforge.net/p/libmspack/code/217

Since unstable has a more recent version than testing