Hi,

I am looking at fixing CVE-2022-26981 [1] in Stretch, and have a patch backported from upstream in the LTS salsa repository (it was recently pushed upstream) [2] - Would you like me to handle it or do you want to take care of it yourselves? I can make a PR in your salsa repo if you would like my backported fix there.

Also - I am looking at fixing CVE-2018-17294 [3], but that seems a bit harder - the fix for later versions [4] checks for input->length, but earlier versions don't use input as an InString, but simply as a widechar pointer, which makes things harder. Do you have a solution for this?

--
Andreas Rönnquist
mailinglists@gusnan.se
gusnan@debian.org

1: https://security-tracker.debian.org/tracker/CVE-2022-26981
2: https://salsa.debian.org/lts-team/packages/liblouis/-/commit/ab65c13095f600feed9b5371cc23a82f8a46f19c
3: https://security-tracker.debian.org/tracker/CVE-2018-17294
4: https://github.com/liblouis/liblouis/commit/5e4089659bb49b3095fa541fa6387b4c40d7396e