Bug#776186: busybox: CVE-2014-9645

To: Cyril Brulebois <kibi@debian.org>
Cc: 776186@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Michael Gilbert <mgilbert@debian.org>
Subject: Bug#776186: busybox: CVE-2014-9645
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Wed, 04 Mar 2015 19:20:29 +0300
Message-id: <[🔎] 54F730CD.7000107@msgid.tls.msk.ru>
Reply-to: Michael Tokarev <mjt@tls.msk.ru>, 776186@bugs.debian.org
In-reply-to: <[🔎] 20150304161026.GM14036@mraw.org>
References: <CANTw=MPWWRiDAxH-2KQ90p-+hvkA9bmH5e6fqs25mGHsRL_36A@mail.gmail.com> <20150126034927.GF16622@mraw.org> <[🔎] 20150302152813.GC1651@inutil.org> <[🔎] 20150302165357.GC12916@mraw.org> <[🔎] 54F6CC0D.2090607@msgid.tls.msk.ru> <[🔎] 20150304161026.GM14036@mraw.org>

04.03.2015 19:10, Cyril Brulebois wrote:

> Looking at the just uploaded -15, I don't understand what you tried to
> do there.

I didn't upload -15, I just tried to clean up what's left
before I retire, and - unintentionally - pushed things to
git.d.o.  It was my mistake.  More, we have 2 branches, one
master and one debian-unstable, I now don't remember anymore
which is which, my local debian-unstable was set to track
master, yet the d-unstable changes were in debian-unstable
branch, not in master branch.

Now, since you apparently pulled the changes already, should
I keep it this (unreleased but committed) way, or should I
push -f without my last changes?

> In the meanwhile I had been included Michael's proposed fix for
> CVE-2014-9645 aka. #776186, as opposed to CVE-2014-4607 aka. #768945,
> and successfully testing it in a d-i context.
> 
> Since you updated the master branch with what got uploaded, I've pushed

I updated debian-unstable branch long time ago.  I don't remember
why I didn't use master, -- probably because previous maintainer
left it that way, when all development happens in debian-unstable
branch not in master branch.  It was my mistake.  I just wanted
to ensure nothing's left in my local repo before I officially step
out of busybox maintainership.

> my local branch as pu/776186. I have the same changes for the jessie
> branch, and initially planned on first getting stuff into unstable, let
> it be tested for a while there, then consider tpu-ing.
> 
> Feel free to incorporate bits of the said branch and upload again to
> unstable; I can then deal with the jessie part later.

I don't understand what you're saying.  I created a mess in git repo
today which I didn't want to create, I apologize for that and am asking
for advise about what to do with it.  It is not a new upload, I didn't
plan to make uploads really.  But I completely lost understanding of
your intentions, -- it was already completely unclear for me why do
you do all this complex things (branching off some earlier revision
rewriting history, etc) when the solution is much much simpler.  Now
I don't understand anything at all.

Thanks,

/mjt

Reply to:

Follow-Ups:
- Bug#776186: busybox: CVE-2014-9645
  - From: Cyril Brulebois <kibi@debian.org>

References:
- Bug#776186: busybox: CVE-2014-9645
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Bug#776186: busybox: CVE-2014-9645
  - From: Cyril Brulebois <kibi@debian.org>
- Bug#776186: busybox: CVE-2014-9645
  - From: Michael Tokarev <mjt@tls.msk.ru>
- Bug#776186: busybox: CVE-2014-9645
  - From: Cyril Brulebois <kibi@debian.org>

Prev by Date: Bug#776186: busybox: CVE-2014-9645
Next by Date: Bug#778773: [PATCH] Likely fix for crash
Previous by thread: Bug#776186: busybox: CVE-2014-9645
Next by thread: Bug#776186: busybox: CVE-2014-9645
Index(es):
- Date
- Thread