
Re: icu package and debdiff [new contributor, first attempt]



On 2016-05-12 15:07:19, Roberto C. Sánchez wrote:
> Hi Antoine,
>
> On Mon, May 09, 2016 at 05:09:30PM +0200, Markus Koschany wrote:
>> Hello Roberto, welcome on board!
>> 
>> Am 08.05.2016 um 05:34 schrieb Roberto C. Sánchez:
>> 
>> > I pulled the patch for CVE-2015-4844 from the upstream jdk8u project
>> > (based on the commit reference in openjdk-8's debian/changelog).  I
>> > confirmed that this fix matched what was done by upstream in their
>> > subversion repository.
>> > 
>> > I pulled the patch for CVE-2016-0494 from the upstream jdk8u project
>> > (based on the commit reference in openjdk-8's debian/changelog).  I
>> > attempted to confirm this fix in upstream's subversion repository, but
>> > it appears to not have been fixed upstream yet.
>> 
>> Antoine (anarcat) fixed this issue for Squeeze LTS and he also left some
>> comments at
>> 
>> https://ssl.icu-project.org/trac/ticket/12020
>> 
>> He also changed the runConfigure script and his patch for CVE-2016-0494
>> looks different to me. Perhaps you should contact him (or he will simply
>> respond to this message because he is subscribed too), discuss this
>> patch with him and ask him why his approach contains more changes than
>> the original upstream commit at
>> 
>> http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f556d4c82ef1
>> 
>
> Do you think you might have some time to review the icu update I
> prepared for wheezy?
>
> https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u4.dsc
> https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u3_deb7u4.diff
>
> I would appreciate your feedback, particularly on the patch for
> CVE-2016-0494.

Nitpicking: "Origin:" could be "upstream", or maybe "vendor" for those
patches. For CVE-2016-0494, specifically, there's this upstream bug
report which I contributed to:

http://bugs.icu-project.org/trac/ticket/12020

Well, it's the same bug as CVE-2015-4844, basically, since
CVE-2016-0494 was introduced as part of the CVE-2015-4844 fix.

I think it's useful for upstream if you share those backported patches
as well, unless they are trivial. It might be useful to send a ping to
our Ubuntu friends since they have the same version on their side.

More importantly, as Markus mentioned earlier, there is an extra change
to modify the compile flags to properly fix this issue:

http://bugs.icu-project.org/trac/ticket/12020#comment:6

Here's an additional change I did on the rules file:

diff -Nru icu-4.4.1/debian/rules icu-4.4.1/debian/rules
--- icu-4.4.1/debian/rules	2016-01-10 07:34:05.000000000 -0500
+++ icu-4.4.1/debian/rules	2016-01-30 14:42:45.000000000 -0500
@@ -7,7 +7,7 @@
 # variables' names with l_.
 
 l_SONAME := 44
-l_CFLAGS := -g -Wall
+l_CFLAGS := -g -Wall -fno-strict-overflow
 ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
 	l_CFLAGS += -O0
 else
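Review bot: the new -fno-strict-overflow flag lands in l_CFLAGS with no comment saying why it is there; add a line such as `# -fno-strict-overflow: needed for the CVE-2015-4844/CVE-2016-0494 fix, see http://bugs.icu-project.org/trac/ticket/12020#comment:6` above `l_CFLAGS := -g -Wall -fno-strict-overflow` so the flag is not silently dropped the next time the rules file is reworked. Also confirm that l_CFLAGS is what the build actually passes to the compiler for the affected sources: the hunk alone does not show how l_CFLAGS reaches configure, and the surrounding text notes the wheezy rules file differs and suggests DEB_CONFIGURE_USER_FLAGS instead.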

The rules file changed significantly between the two debian releases: you
may want to add it to DEB_CONFIGURE_USER_FLAGS instead.

It is important to understand exactly what's going on in those bugs:
just porting the patches is one thing, but you need to be careful when
you discard chunks. In particular, the above chunk in the squeeze
package was important because of the upstream comment here:

http://bugs.icu-project.org/trac/ticket/12020#comment:4

I have to admit it's not something that I would have thought of myself,
but since upstream noticed that, I think it's important for us to follow
suit!

I think that covers it from my end. The icu package is a difficult
target! Oracle doesn't help us when they disclose vulnerabilities in
Java, which ICU is a part of, yet the upstream is distinct and has to
play catchup to a large secretive corporation.

I am not even sure the changes are complete even with the
above. Upstream ICU refers to the following bug:

http://bugs.icu-project.org/trac/ticket/12276

... where they link to another secret ticket. Maybe it would be useful
to share your work there and ask for feedback. Last time they took a few
days to give feedback, so they seem pretty responsive.

I won't be able to provide further feedback over a week, if at all. I
hope you are able to complete this challenging upload successfully!

Good luck!

A.

PS: I had originally garbage-collected my squeeze packages from
people.debian.org because I forgot about this issue. I have put them
back on:

https://people.debian.org/~anarcat/debian/squeeze-lts/

-- 
By now the computer has moved out of the den and into the rest of your
life. It will consume all of your spare time, and even your vacation,
if you let it. It will empty your wallet and tie up your thoughts. It
will drive away your family. Your friends will start to think of you
as a bore. And what for?
                       - The True Computerist by Tom Pittman