Re: Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?

To: Goswin von Brederlow <goswin-v-b@web.de>
Cc: team@security.debian.org, debian-devel@lists.debian.org, dr@jones.dk
Subject: Re: Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?
From: Nico Golde <nico@ngolde.de>
Date: Sun, 14 Dec 2008 21:03:44 +0100
Message-id: <[🔎] 20081214200344.GB4053@ngolde.de>
Mail-followup-to: Goswin von Brederlow <goswin-v-b@web.de>, team@security.debian.org, debian-devel@lists.debian.org, dr@jones.dk
In-reply-to: <[🔎] 87skoqeijt.fsf@frosties.localdomain>
References: <[🔎] 87skoqeijt.fsf@frosties.localdomain>

Ccing maintainer.

Hi,
* Goswin von Brederlow <goswin-v-b@web.de> [2008-12-14 20:14]:
> I run reprepro to create a local mirror for lenny, lenny-security and
> sid. Since I have it setup to put all 3 into a common pool I noticed
> the following:
[...] 
> As you can see Lenny-Security has a different orig.tar.gz than
> Lenny/Sid. This creates a problem for my reprepro as it detects a
> size/md5sum mismatch, aborts and sends me an angry mail. But more
> importantly this prevents the security update from entering Lenny:
> 
> 20081106164710|process-unchecked|rejected|uw-imap_2007b~dfsg-4+lenny1_amd64.changes
> 
> Rejected: md5sum and/or size mismatch on existing copy of uw-imap_2007b~dfsg.orig.tar.gz.
> Rejected: can not overwrite existing copy of 'uw-imap_2007b~dfsg.orig.tar.gz' already in the archive.

This update was unfortunately a bit problematic, to make the 
story short uw-imap was uploaded as 7:2007b~dfsg-4 but we 
then requested to upload this as -3+lenny1 to mark it as a 
security update and to prevent broken updates in case 
7:2007d~dfsg-1 gets rejected from NEW (in -3+lenny1 is also 
the upstream tarball change).

Unfortunately -3+lenny1 was rejected on klecker because the 
orig.tar.gz of the old build was still lying around in the 
queue. As we can not use the same version twice on klecker 
-4+lenny1 was uploaded as a rebuild of -3+lenny1 and the 
upstream tarball change was overlooked in that chaos.

> As it is the vulnerable version of uw-imap will remain in Lenny and
> Lenny will have a known security bug that is totaly avoidable. From
> the timestamp above you can see that this problem has been around over
> a month.
> 
> Does anyone care?

Yes.

I see two possibilities here, one option is to get 
8:2007b~dfsg-1 unblocked and let this migrate to lenny 
(there is some weird SONAME change though) or to reupload a 
+lenny2 version to testing-security again.

Opinions?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpMJ7zzpcZRc.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?
  - From: José Luis Tallón <jltallon@adv-solutions.net>

References:
- Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?
  - From: Goswin von Brederlow <goswin-v-b@web.de>

Prev by Date: Re: First call for votes for the Lenny release GR
Next by Date: Re: First call for votes for the Lenny release GR
Previous by thread: Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?
Next by thread: Re: Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?
Index(es):
- Date
- Thread