Bug#877043: stretch-pu: package weechat/1.6-1+deb9u2
On Thu, 2017-09-28 at 07:53 +0200, Salvatore Bonaccorso wrote:
> Hi Adam,
>
> On Thu, Sep 28, 2017 at 06:43:59AM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Thu, 2017-09-28 at 05:02 +0200, Salvatore Bonaccorso wrote:
> > > weechat in stretch is affected by CVE-2017-14727, tracked as
> > > #876553.
> > >
> > > > * logger: call strftime before replacing buffer local
> > > > variables
> > > > (CVE-2017-14727) (Closes: #876553)
> > >
> > > https://weechat.org/news/98/20170923-Version-1.9.1-security-release/
> > >
> > > Attached proposed debdiff for the stretch point release.
> > >
> >
> > There's quite a bit of noise in such a small diff. :-( I appreciate
> > why, though.
>
> Yes I can understand, you are a bit unhappy with me with that regard.
> I followed upstream, which renamed several of the mask_* pointers and
> added a new one for one more operation and shuffled around.
>
> I preferred to rather follow upstream here, hope I can convince you.
>
> Or did you mean something else?

No problem; I wasn't unhappy with you. Following upstream's diff makes
perfect sense, it's just unfortunate that they ended up with a patch
that was significantly larger than the actual change. In their
position, I'm not sure I'd have wanted to be having to add "mask_2.5"
type variables just to avoid the rename though.

Apologies if that wasn't clear.

Regards,

Adam