On Wed, 2015-01-28 at 13:39 +1300, Andrew Bartlett wrote: > On Tue, 2015-01-27 at 23:47 +0100, Nicolas Chipaux wrote: > > Hello folks, > > > > For our internal use at Gandi.net, we created a source package for eglibc > > with the fix for the CVE 2015-0235 taken from the eglibc package from > > Debian wheezy 2.13-38+deb7u7 : any/cvs-gethostbyname.diff. In order to > > release quickly, we disabled the test in this patch during the build. > > > > You can find the three files of the source package at this URL : > > http://as29169.net/debian/ > > I'm also looking at this, the thing I'm stuck on is creating a test that > verified the patch was correctly included. That is, the test in the > patch isn't enough to show the issue in the old code. There's a test in the disclosure here (section 4): http://www.openwall.com/lists/oss-security/2015/01/27/9 Ben. -- Ben Hutchings Teamwork is essential - it allows you to blame someone else.
Description: This is a digitally signed message part