[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities

On 13-11-15 12:41, Sebastiaan Couwenberg wrote:
> On 13-11-15 11:59, Johan Van de Wauw wrote:
>> Op 13/11/2015 om 11:52 schreef Sebastiaan Couwenberg:
>>> On 13-11-15 11:46, Sebastiaan Couwenberg wrote:
>>>> On 13-11-15 06:45, Salvatore Bonaccorso wrote:
>>>>> On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg
>>>>> wrote:
>>>>>> Dear Security Team,
>>>>>> The patch to fix multiple vulnerabilities identified by
>>>>>> American Fuzzy Lop reported in #781228 caused a regressed as
>>>>>> reported in the GDAL issue tracker:
>>>>>> https://trac.osgeo.org/gdal/ticket/6200
>>>>>> The change to fix this regression was included in freexl
>>>>>> (1.0.1-1~exp1), but not in the security updates for jessie
>>>>>> (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
>>>>>> I've prepared updates to fix this regression for jessie &
>>>>>> wheezy, see the attached debdiffs.
>>>>>> Are these regression fixes appropriate for upload to
>>>>>> {wheezy,jessie}-security or should they be uploaded to
>>>>>> proposed-updates instead?
>>>>> Since the regression was introduced via a DSA, we might address
>>>>> this regression trough af follow-up DSA:
>>>>> s/UNRELEASED/wheezy-security/ and urgency=high set or
>>>>> respectively jessie-security for the second one.
>>>>> With the above changes please go ahead with your upload to
>>>>> security-master.
>>>>> Thanks for your work and pinging us about the regression.
>>>> Thanks for the quick feedback,
>>>> I've set the distribution and urgency as appropriate for security
>>>> uploads and uploaded both to security-master.
>>> We also need this regression fix uploaded for Ubuntu trusty & vivid.
>>> Shall I also do those, or can you take care of the uploads for Ubuntu?
>>> Please note that besides afl-vulnerabilitities-regression.patch we may
>>> also want to include 32bit-multiplication-overflow.patch in the
>>> update, this issue hasn't been fixed in Ubuntu yet.
>> I was watching this tread. I'll propose ubuntu patches.
> I've prepared updates for Ubuntu in git, but I've not followed up on the
> bug report or IRC yet as documented in:
> https://wiki.ubuntu.com/StableReleaseUpdates#regressions
> I'll update LP#1437087 with pointers to the fixes shortly.



Kind Regards,


 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

Reply to: