
Re: icu package and debdiff [new contributor, first attempt]



Hi Markus,

On Mon, May 09, 2016 at 05:09:30PM +0200, Markus Koschany wrote:
> Hello Roberto, welcome on board!
> 

Thanks!

> Am 08.05.2016 um 05:34 schrieb Roberto C. Sánchez:
> > Hi All,
> > 
> > I'm still "in-training" and I thought I would attempt to prepare an
> > upload of the icu package for wheezy.
> > 
> > The package is here: https://people.debian.org/~roberto/
> > dsc - https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u4.dsc
> > debdiff - https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u3_deb7u4.diff
> 
> I couldn't download the package with dget -x because the original
> tarball is currently missing, so I used the debdiff.
> 
I seem to have overlooked the original tarball.  I went ahead and
uploaded it so that the .dsc is retrievable with dget.

> > I would appreciate a review of the package by someone knowledgeable
> > and experienced with LTS support to make sure I handled it correctly.
> > Please read on for details of the steps I took.
> > 
> > Based on the information I found on the security tracker, there are
> > three vulnerabilities affecting icu in wheezy: CVE-2015-2632,
> > CVE-2015-4844, and CVE-2016-0494.
> > 
> > I pulled the patch for CVE-2015-2632 from the icu package in unstable,
> > which has been fixed.
> 
> That's a sensible approach. In this case the patch applied cleanly for
> the version in Wheezy but sometimes you have to be more careful when the
> code is considerably different.
> 
I understand.

> > I pulled the patch for CVE-2015-4844 from the upstream jdk8u project
> > (based on the commit reference in openjdk-8's debian/changelog).  I
> > confirmed that this fix matched what was done by upstream in their
> > subversion repository.
> > 
> > I pulled the patch for CVE-2016-0494 from the upstream jdk8u project
> > (based on the commit reference in openjdk-8's debian/changelog).  I
> > attempted to confirm this fix in upstream's subversion repository, but
> > it appears to not have been fixed upstream yet.
> 
> Antoine (anarcat) fixed this issue for Squeeze LTS and he also left some
> comments at
> 
> https://ssl.icu-project.org/trac/ticket/12020
> 
> He also changed the runConfigure script and his patch for CVE-2016-0494
> looks different to me. Perhaps you should contact him (or he will simply
> respond to this message because he is subscribed too), discuss this
> patch with him and ask him why his approach contains more changes than
> the original upstream commit at
> 
> http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f556d4c82ef1
> 
OK.  I likely will not be able to do anything with this today, so if he
responds then I will follow his guidance.  Otherwise, I'll have another
look tomorrow and then contact Antoine.

> > I built the package in a wheezy chroot, signed the resulting package,
> > and uploaded it (along with the debdiff between the prior version and my
> > updated package) to the above location.
> 
> That's fine. You don't have to upload a new revision to
> people.debian.org but it is a useful approach if you want to get more
> feedback for your patches. You could also:
> 
> * Check the output of the test suite (if it exists)
> * Write your own tests or ask upstream for advice how to test the issue
> * Contact upstream and ask for code reviews
> * Try the reproducer with the old and new version (if it exists)
> * Install the package, do some smoke testing and try to verify if the
>   update didn't introduce any regressions
> 
I'll attempt some of these tomorrow as well.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
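Before running the test suite and smoke tests Markus lists above, a reviewer of an LTS upload usually wants a cheap structural check on the debdiff itself: does every CVE named in the new changelog entry come with a patch file, is every added patch registered in debian/patches/series (a patch that is added but never listed is silently not applied at build time), and does the entry target the right distribution. The script below is an added example, not code from this thread or from the icu package; the debdiff it parses is constructed for illustration, the patch file names are hypothetical, and the check relies only on the package name, version and CVE identifiers that appear in the thread.

```shell
#!/bin/sh
# Added example: sanity-check a debdiff for an LTS security upload.
# Checks: (a) every CVE in the new changelog entry has an added patch,
# (b) every added patch is listed in debian/patches/series,
# (c) the changelog entry's target distribution.
# The debdiff is constructed for this example (hypothetical patch names);
# CVE-2016-0494.patch is deliberately left out of series so that the
# check has something to report.
set -eu

SAMPLE_DEBDIFF='diff -Nru icu-4.8.1.1/debian/changelog icu-4.8.1.1/debian/changelog
--- icu-4.8.1.1/debian/changelog
+++ icu-4.8.1.1/debian/changelog
@@ -1,3 +1,10 @@
+icu (4.8.1.1-12+deb7u4) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2015-2632, CVE-2015-4844 and CVE-2016-0494.
+
+ -- Example Uploader <example@example.org>  Sun, 08 May 2016 00:00:00 +0200
+
 icu (4.8.1.1-12+deb7u3) wheezy-security; urgency=high
diff -Nru icu-4.8.1.1/debian/patches/CVE-2015-2632.patch icu-4.8.1.1/debian/patches/CVE-2015-2632.patch
--- icu-4.8.1.1/debian/patches/CVE-2015-2632.patch
+++ icu-4.8.1.1/debian/patches/CVE-2015-2632.patch
@@ -0,0 +1,1 @@
+Description: hypothetical patch body
diff -Nru icu-4.8.1.1/debian/patches/CVE-2015-4844.patch icu-4.8.1.1/debian/patches/CVE-2015-4844.patch
--- icu-4.8.1.1/debian/patches/CVE-2015-4844.patch
+++ icu-4.8.1.1/debian/patches/CVE-2015-4844.patch
@@ -0,0 +1,1 @@
+Description: hypothetical patch body
diff -Nru icu-4.8.1.1/debian/patches/CVE-2016-0494.patch icu-4.8.1.1/debian/patches/CVE-2016-0494.patch
--- icu-4.8.1.1/debian/patches/CVE-2016-0494.patch
+++ icu-4.8.1.1/debian/patches/CVE-2016-0494.patch
@@ -0,0 +1,1 @@
+Description: hypothetical patch body
diff -Nru icu-4.8.1.1/debian/patches/series icu-4.8.1.1/debian/patches/series
--- icu-4.8.1.1/debian/patches/series
+++ icu-4.8.1.1/debian/patches/series
@@ -5,1 +5,3 @@
 some-older.patch
+CVE-2015-2632.patch
+CVE-2015-4844.patch
'

# Names of patch files the debdiff adds under debian/patches/ (series excluded).
added_patches() {
    printf '%s\n' "$1" |
        sed -n 's#^+++ [^/]*/debian/patches/\([^ ]*\)$#\1#p' |
        grep -v '^series$' || true
}

# Patch names added to debian/patches/series by the debdiff.
series_entries() {
    printf '%s\n' "$1" |
        awk '/^\+\+\+ .*debian\/patches\/series$/ {inseries=1; next}
             /^diff / {inseries=0}
             inseries && /^\+/ && !/^\+\+\+/ {sub(/^\+/, ""); print}'
}

# CVE identifiers mentioned in added debian/changelog lines, one per line.
changelog_cves() {
    printf '%s\n' "$1" |
        awk '/^\+\+\+ .*debian\/changelog$/ {inlog=1; next}
             /^diff / {inlog=0}
             inlog && /^\+/' |
        grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Target distribution of the first added changelog entry (e.g. wheezy-security).
changelog_dist() {
    printf '%s\n' "$1" |
        sed -n 's/^+[a-z0-9.+-]* ([^)]*) \([^;]*\);.*/\1/p' | head -n 1
}

# Returns 0 if the debdiff is consistent; otherwise reports each problem and returns 1.
check_debdiff() {
    diff_text=$1
    status=0
    for cve in $(changelog_cves "$diff_text"); do
        if ! added_patches "$diff_text" | grep -q "^$cve"; then
            echo "MISSING PATCH: $cve is in the changelog but no debian/patches/$cve* was added"
            status=1
        fi
    done
    for p in $(added_patches "$diff_text"); do
        if ! series_entries "$diff_text" | grep -qx "$p"; then
            echo "NOT IN SERIES: debian/patches/$p was added but is not listed in series"
            status=1
        fi
    done
    return $status
}

if check_debdiff "$SAMPLE_DEBDIFF"; then
    echo "debdiff looks consistent (target: $(changelog_dist "$SAMPLE_DEBDIFF"))"
else
    echo "debdiff needs fixing before upload"
fi
```

Run it against a real debdiff with `check_debdiff "$(cat icu_4.8.1.1-12+deb7u3_deb7u4.diff)"`; a clean result only says the packaging is self-consistent, it says nothing about whether the patches are correct, which is what the test suite, the reproducer and the smoke tests are for.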
