[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities



On 13-11-15 11:59, Johan Van de Wauw wrote:
> Op 13/11/2015 om 11:52 schreef Sebastiaan Couwenberg:
>> On 13-11-15 11:46, Sebastiaan Couwenberg wrote:
>>> On 13-11-15 06:45, Salvatore Bonaccorso wrote:
>>>> On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg
>>>> wrote:
>>>>> Dear Security Team,
>>>>>
>>>>> The patch to fix multiple vulnerabilities identified by
>>>>> American Fuzzy Lop reported in #781228 caused a regressed as
>>>>> reported in the GDAL issue tracker:
>>>>>
>>>>> https://trac.osgeo.org/gdal/ticket/6200
>>>>>
>>>>> The change to fix this regression was included in freexl
>>>>> (1.0.1-1~exp1), but not in the security updates for jessie
>>>>> (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
>>>>>
>>>>> I've prepared updates to fix this regression for jessie &
>>>>> wheezy, see the attached debdiffs.
>>>>>
>>>>> Are these regression fixes appropriate for upload to
>>>>> {wheezy,jessie}-security or should they be uploaded to
>>>>> proposed-updates instead?
>>>> Since the regression was introduced via a DSA, we might address
>>>> this regression trough af follow-up DSA:
>>>>
>>>> s/UNRELEASED/wheezy-security/ and urgency=high set or
>>>> respectively jessie-security for the second one.
>>>>
>>>> With the above changes please go ahead with your upload to
>>>> security-master.
>>>>
>>>> Thanks for your work and pinging us about the regression.
>>> Thanks for the quick feedback,
>>>
>>> I've set the distribution and urgency as appropriate for security
>>> uploads and uploaded both to security-master.
>> We also need this regression fix uploaded for Ubuntu trusty & vivid.
>>
>> Shall I also do those, or can you take care of the uploads for Ubuntu?
>>
>> Please note that besides afl-vulnerabilitities-regression.patch we may
>> also want to include 32bit-multiplication-overflow.patch in the
>> update, this issue hasn't been fixed in Ubuntu yet.
> I was watching this tread. I'll propose ubuntu patches.

I've prepared updates for Ubuntu in git, but I've not followed up on the
bug report or IRC yet as documented in:

https://wiki.ubuntu.com/StableReleaseUpdates#regressions

I'll update LP#1437087 with pointers to the fixes shortly.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1


Reply to: