Ben Hutchings wrote on 2015-12-31 06:37:
> On Wed, 2015-12-30 at 20:19 +0800, Ying-Chun Liu (PaulLiu) wrote:
> [...]
>> I've made a patch. As attachment.
>
> I don't think it's a complete fix, as it doesn't check that there's
> enough space for the terminating null (or shift sequence, where
> needed).
Hi Ben,
I think I do fix it. I use ">" so it always keeps 1 byte for the
terminating null.
Also I've modified the shift sequence macros. So it also checks there.
>
>> Should I just push it to unstable? Or I need to do some further steps
>> before that?
>
> You should probably coordinate with maintainers of other affected
> packages, e.g. claws-mail. There is an upstream fix for claws-mail,
> although it's not quite right (see my comment on security-tracker).
>
OK. I'll see how the upstream fixes it. And I'll fix it there, to avoid
code divergence.
>> I didn't see any bug numbers against macopix package for CVE-2015-8614.
>> What's the best next step?
>
> So far as I know it's not necessary to create a bug report, though
> there's no harm in doing so.
>
> Ben.
>
Yours,
Paul
--
PaulLiu (劉穎駿)
E-mail: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
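
The point discussed in this message, reserving room for the closing shift sequence as well as the terminating null, shown as an added example. It is not Paul's patch and not code from macopix or claws-mail. The function name `euc_to_jis_bounded` and the supported subset (ASCII plus two-byte JIS X 0208) are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not the macopix/claws-mail function.
 * Converts EUC-JP (ASCII and two-byte JIS X 0208 only) to ISO-2022-JP.
 * Returns 0 on success, -1 on malformed input or insufficient space.
 * out[] is always left NUL-terminated and back in ASCII mode. */
int euc_to_jis_bounded(char *out, size_t outlen, const char *in)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t n = 0;      /* bytes written so far */
    int kanji = 0;     /* 1 while the output is in JIS X 0208 mode */
    int rc = 0;

    if (outlen == 0)
        return -1;
    /* Invariant: n + (kanji ? 3 : 0) + 1 <= outlen, so the closing
     * escape and the NUL always fit, whichever way the loop exits. */
    while (*p) {
        int two = (*p & 0x80) != 0;
        size_t need, reserve;

        if (two && (*p < 0xa1 || *p > 0xfe || p[1] < 0xa1 || p[1] > 0xfe)) {
            rc = -1;   /* unsupported or truncated multibyte sequence */
            break;
        }
        need = (two ? 2 : 1) + (two != kanji ? 3 : 0); /* data + mode switch */
        reserve = (two ? 3 : 0) + 1;                    /* closing escape + NUL */
        if (need + reserve > outlen - n) {
            rc = -1;   /* would overflow: stop before writing anything */
            break;
        }
        if (two != kanji) {
            memcpy(out + n, two ? "\x1b$B" : "\x1b(B", 3);
            n += 3;
            kanji = two;
        }
        out[n++] = (char)(*p++ & 0x7f);
        if (two)
            out[n++] = (char)(*p++ & 0x7f);
    }
    if (kanji) {       /* return to ASCII; space was reserved above */
        memcpy(out + n, "\x1b(B", 3);
        n += 3;
    }
    out[n] = '\0';
    return rc;
}
```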