[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities

Op 13/11/2015 om 11:52 schreef Sebastiaan Couwenberg:
Hash: SHA512

Hi Johan,

On 13-11-15 11:46, Sebastiaan Couwenberg wrote:
On 13-11-15 06:45, Salvatore Bonaccorso wrote:
On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg
Dear Security Team,

The patch to fix multiple vulnerabilities identified by
American Fuzzy Lop reported in #781228 caused a regressed as
reported in the GDAL issue tracker:


The change to fix this regression was included in freexl
(1.0.1-1~exp1), but not in the security updates for jessie
(1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).

I've prepared updates to fix this regression for jessie &
wheezy, see the attached debdiffs.

Are these regression fixes appropriate for upload to
{wheezy,jessie}-security or should they be uploaded to
proposed-updates instead?
Since the regression was introduced via a DSA, we might address
this regression trough af follow-up DSA:

s/UNRELEASED/wheezy-security/ and urgency=high set or
respectively jessie-security for the second one.

With the above changes please go ahead with your upload to

Thanks for your work and pinging us about the regression.
Thanks for the quick feedback,

I've set the distribution and urgency as appropriate for security
uploads and uploaded both to security-master.
We also need this regression fix uploaded for Ubuntu trusty & vivid.

Shall I also do those, or can you take care of the uploads for Ubuntu?

Please note that besides afl-vulnerabilitities-regression.patch we may
also want to include 32bit-multiplication-overflow.patch in the
update, this issue hasn't been fixed in Ubuntu yet.
I was watching this tread. I'll propose ubuntu patches.

Kind Regards,

Reply to: