libidn test packages [resent]

To: debian-lts@lists.debian.org
Cc: team@security.debian.org
Subject: libidn test packages [resent]
From: Antoine Beaupré <anarcat@debian.org>
Date: Tue, 12 Apr 2016 15:20:04 -0400
Message-id: <[🔎] 87zisyvdln.fsf@angela.anarcat.ath.cx>
In-reply-to: <877fg2lk6i.fsf@angela.anarcat.ath.cx>
References: <877fg2lk6i.fsf@angela.anarcat.ath.cx>

(Fixed list address, sorry for the duplicate.)

Hi,

I have looked at porting the security fixes on the libidn package from
squeeze to wheezy. As usual, signed test packages are available here:

https://people.debian.org/~anarcat/debian/wheezy-lts/

And a debdiff is available for review by the security team:


The remaining of this email is about how the patches were generated and
which changes were performed.

Some patches were not necessary anymore (as some of the squeeze code was
backported from squeeze), but there are still patches required:

--- libidn-1.15/debian/patches/series   2015-08-11 17:34:03.000000000 -0400
+++ libidn-1.25/debian/patches/series   2016-04-12 14:26:31.118447183 -0400
@@ -1,6 +1,5 @@
+fix_encoding.patch
 libidn-stringprep_utf8_to_ucs4-now-rejects-invalid-utf-8-cve-2015-2059.patch
-gnulib-update-to-include-unistr-u8-check.patch
-autoreconf.patch
-gnulib-generate-iconv_open-solaris.h.patch
 fix_utf8_error_handling.patch
 fix_utf8_error_handling-testcase.patch
+autoreconf.patch

This was all pretty painful: some of the wheezy patches would not apply
at all on Wheezy. In particular, the gnulib one was doing sweeping
changes:

 228 files changed, 26279 insertions(+), 3404 deletions(-)

... and had virtually *no* chunk apply correctly. so i decided to ignore
the gnulib update, and actually filed a bug against libidn to remove the
gnulib code copies (#820816).

So I changed the first patch for CVE-2015-2059 to actually include the
u8-check that the second patch was introducing. This makes a patch that
more closely monitor upstream, and avoid the messy gnulib import chaos
that is happening in that package.

In other words, the new patch does most of the work regarding gnulib,
while the autoreconf patch takes care of regenerating the autoconf
toolchain correctly, so we don't need to regenerate the *whole* gnulib
toolchain.

I also needed to cherry-pick another patch from upstream to fix some
tests that would break under the new checks introduced by the security
fixes.

I have not tested the packages for compliance or vulnerability, but the
internal test suite works.

A.

-- 
By now the computer has moved out of the den and into the rest of your
life. It will consume all of your spare time, and even your vacation,
if you let it. It will empty your wallet and tie up your thoughts. It
will drive away your family. Your friends will start to think of you
as a bore. And what for?
                       - The True Computerist by Tom Pittman

Reply to:

Follow-Ups:
- Re: libidn test packages [resent]
  - From: Alessandro Ghedini <ghedo@debian.org>

Prev by Date: Re: imagemagick
Next by Date: Re: working for wheezy-security until wheezy-lts starts
Previous by thread: Re: Xen updates for wheezy ready for testing
Next by thread: Re: libidn test packages [resent]
Index(es):
- Date
- Thread