
Bug#776186: busybox: CVE-2014-9645



Michael Tokarev <mjt@tls.msk.ru> (2015-03-04):
> 02.03.2015 19:53, Cyril Brulebois wrote:
> > […]
> I was calling you that because of a single word you used - intrusive -
> for changes which are a) very localized to d/rules (touching a little
> place of it) and b) not affecting anything you care about, and especially
> not affecting the resulting binaries in any way. And the changes which
> were made way before freeze, the package hasn't been unblocked because
> of old/buggy glibc installed on some buildds.  And of course I stand
> by my words.  Note that much bigger and more intrusive changes were
> accepted after the freeze.

Meh.

> > I guess someone with enough time could stack this extra change on top of
> > the jessie branch, and either let it stay there, or upload the package
> > at the same time.
> > 
> > Sorry, I lost track of that extra fix and didn't think of it when Mehdi
> > proposed NMUing it for the first CVE fix.
> 
> And now someone please tell me why to do all this.  From a package with
> a willing maintainer who cared about the package, from a package which
> was in good shape and with all the changes carefully selected for jessie,
> to basically an unmaintained package with no one having time to maintain
> and no one who cares, exactly the way it was over the years, and which
> required a lot of work to get it in some more or less good shape.

Looking at the just uploaded -15, I don't understand what you tried to
do there.

In the meanwhile I had been including Michael's proposed fix for
CVE-2014-9645 aka. #776186, as opposed to CVE-2014-4607 aka. #768945,
and successfully testing it in a d-i context.

Since you updated the master branch with what got uploaded, I've pushed
my local branch as pu/776186. I have the same changes for the jessie
branch, and initially planned on first getting stuff into unstable, let
it be tested for a while there, then consider tpu-ing.

Feel free to incorporate bits of the said branch and upload again to
unstable; I can then deal with the jessie part later.


Mraw,
KiBi.
