
libidn test packages [resent]
(Fixed list address, sorry for the duplicate.)

Hi,

I have looked at porting the security fixes on the libidn package from
squeeze to wheezy. As usual, signed test packages are available here:

https://people.debian.org/~anarcat/debian/wheezy-lts/

And a debdiff is available for review by the security team:


The remainder of this email is about how the patches were generated and
which changes were performed.

Some patches were not necessary anymore (as some of the squeeze code was
backported from squeeze), but there are still patches required:

--- libidn-1.15/debian/patches/series   2015-08-11 17:34:03.000000000 -0400
+++ libidn-1.25/debian/patches/series   2016-04-12 14:26:31.118447183 -0400
@@ -1,6 +1,5 @@
+fix_encoding.patch
 libidn-stringprep_utf8_to_ucs4-now-rejects-invalid-utf-8-cve-2015-2059.patch
-gnulib-update-to-include-unistr-u8-check.patch
-autoreconf.patch
-gnulib-generate-iconv_open-solaris.h.patch
 fix_utf8_error_handling.patch
 fix_utf8_error_handling-testcase.patch
+autoreconf.patch
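Review bot: autoreconf.patch changes position in this hunk: it used to sit directly after gnulib-update-to-include-unistr-u8-check.patch (now dropped) and is moved to the end of the series, after the two fix_utf8_error_handling patches. A regenerated-autotools patch is only valid for the exact set of patches it was generated on top of, so please confirm that this autoreconf.patch was regenerated against the new series rather than carried over from the old one, and say so in its DEP-3 header. Also, fix_encoding.patch is added at the top of the series but is not named anywhere in the message; a one-line description in the header (and the matching debian/changelog entry) would make the security team's review of the debdiff easier.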

This was all pretty painful: some of the wheezy patches would not apply
at all on Wheezy. In particular, the gnulib one was doing sweeping
changes:

 228 files changed, 26279 insertions(+), 3404 deletions(-)

... and had virtually *no* chunk apply correctly. So I decided to ignore
the gnulib update, and actually filed a bug against libidn to remove the
gnulib code copies (#820816).

So I changed the first patch for CVE-2015-2059 to actually include the
u8-check that the second patch was introducing. This makes a patch that
more closely monitors upstream, and avoids the messy gnulib import chaos
that is happening in that package.

In other words, the new patch does most of the work regarding gnulib,
while the autoreconf patch takes care of regenerating the autoconf
toolchain correctly, so we don't need to regenerate the *whole* gnulib
toolchain.

I also needed to cherry-pick another patch from upstream to fix some
tests that would break under the new checks introduced by the security
fixes.

I have not tested the packages for compliance or vulnerability, but the
internal test suite works.

A.

-- 
By now the computer has moved out of the den and into the rest of your
life. It will consume all of your spare time, and even your vacation,
if you let it. It will empty your wallet and tie up your thoughts. It
will drive away your family. Your friends will start to think of you
as a bore. And what for?
                       - The True Computerist by Tom Pittman