
Re: icu package and debdiff [new contributor, first attempt]



Hello Roberto, welcome on board!

On 08.05.2016 at 05:34, Roberto C. Sánchez wrote:
> Hi All,
> 
> I'm still "in-training" and I thought I would attempt to prepare an
> upload of the icu package for wheezy.
> 
> The package is here: https://people.debian.org/~roberto/
> dsc - https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u4.dsc
> debdiff - https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u3_deb7u4.diff

I couldn't download the package with dget -x because the original
tarball is currently missing, so I used the debdiff.

> I would appreciate a review of the package by someone knowledgeable
> and experienced with LTS support to make sure I handled it correctly.
> Please read on for details of the steps I took.
> 
> Based on the information I found on the security tracker, there are
> three vulnerabilities affecting icu in wheezy: CVE-2015-2632,
> CVE-2015-4844, and CVE-2016-0494.
> 
> I pulled the patch for CVE-2015-2632 from the icu package in unstable,
> which has been fixed.

That's a sensible approach. In this case the patch applied cleanly for
the version in Wheezy but sometimes you have to be more careful when the
code is considerably different.

> I pulled the patch for CVE-2015-4844 from the upstream jdk8u project
> (based on the commit reference in openjdk-8's debian/changelog).  I
> confirmed that this fix matched what was done by upstream in their
> subversion repository.
> 
> I pulled the patch for CVE-2016-0494 from the upstream jdk8u project
> (based on the commit reference in openjdk-8's debian/changelog).  I
> attempted to confirm this fix in upstream's subversion repository, but
> it appears to not have been fixed upstream yet.

Antoine (anarcat) fixed this issue for Squeeze LTS and he also left some
comments at

https://ssl.icu-project.org/trac/ticket/12020

He also changed the runConfigure script and his patch for CVE-2016-0494
looks different to me. Perhaps you should contact him (or he will simply
respond to this message because he is subscribed too), discuss this
patch with him and ask him why his approach contains more changes than
the original upstream commit at

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f556d4c82ef1

> I built the package in a wheezy chroot, signed the resulting package,
> and uploaded it (along with the debdiff between the prior version and my
> updated package) to the above location.

That's fine. You don't have to upload a new revision to
people.debian.org but it is a useful approach if you want to get more
feedback for your patches. You could also:

* Check the output of the test suite (if it exists)
* Write your own tests or ask upstream for advice on how to test the issue
* Contact upstream and ask for code reviews
* Try the reproducer with the old and new version (if it exists)
* Install the package, do some smoke testing and try to verify that the
  update didn't introduce any regressions

Regards,

Markus
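An added example, not part of this message and not code from the icu package: a small shell check a reviewer can run over a debdiff like the one under review, confirming that every CVE id named in the new debian/changelog entry is carried by a patch file the same debdiff adds under debian/patches/. The embedded debdiff is a constructed, abbreviated stand-in; only the version strings and the three CVE ids come from the thread, while the summaries, uploader and hunk contents are placeholders. The function names (changelog_cves, patch_cves, check_debdiff) are mine.

```shell
#!/bin/sh
# Added example: consistency check for a security-upload debdiff.
# It lists every CVE id named in the added debian/changelog entry and checks
# that the same debdiff adds a patch file under debian/patches/ whose name
# carries that id. The embedded debdiff is constructed and abbreviated; its
# summaries, uploader and hunk contents are placeholders, not the real diff.

SAMPLE_DEBDIFF='diff -Nru icu-4.8.1.1/debian/changelog icu-4.8.1.1/debian/changelog
--- icu-4.8.1.1/debian/changelog
+++ icu-4.8.1.1/debian/changelog
@@ -1,3 +1,12 @@
+icu (4.8.1.1-12+deb7u4) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2015-2632: placeholder summary (constructed)
+  * CVE-2015-4844: placeholder summary (constructed)
+  * CVE-2016-0494: placeholder summary (constructed)
+
+ -- Example Uploader <uploader@example.org>  Sun, 08 May 2016 00:00:00 +0000
+
 icu (4.8.1.1-12+deb7u3) wheezy-security; urgency=high
diff -Nru icu-4.8.1.1/debian/patches/CVE-2015-2632.patch icu-4.8.1.1/debian/patches/CVE-2015-2632.patch
--- icu-4.8.1.1/debian/patches/CVE-2015-2632.patch
+++ icu-4.8.1.1/debian/patches/CVE-2015-2632.patch
@@ -0,0 +1 @@
+Description: placeholder patch body (constructed)
diff -Nru icu-4.8.1.1/debian/patches/CVE-2015-4844.patch icu-4.8.1.1/debian/patches/CVE-2015-4844.patch
--- icu-4.8.1.1/debian/patches/CVE-2015-4844.patch
+++ icu-4.8.1.1/debian/patches/CVE-2015-4844.patch
@@ -0,0 +1 @@
+Description: placeholder patch body (constructed)
diff -Nru icu-4.8.1.1/debian/patches/CVE-2016-0494.patch icu-4.8.1.1/debian/patches/CVE-2016-0494.patch
--- icu-4.8.1.1/debian/patches/CVE-2016-0494.patch
+++ icu-4.8.1.1/debian/patches/CVE-2016-0494.patch
@@ -0,0 +1 @@
+Description: placeholder patch body (constructed)
diff -Nru icu-4.8.1.1/debian/patches/series icu-4.8.1.1/debian/patches/series
--- icu-4.8.1.1/debian/patches/series
+++ icu-4.8.1.1/debian/patches/series
@@ -5,0 +6,3 @@
+CVE-2015-2632.patch
+CVE-2015-4844.patch
+CVE-2016-0494.patch'

# CVE ids on lines the debdiff *adds* to debian/changelog (reads stdin).
# Tracks which file the current hunk belongs to via the diff/+++ headers and
# only looks at "+" lines inside the changelog hunk, skipping the "+++" header.
changelog_cves() {
    awk '
        /^diff / || /^\+\+\+ / { in_cl = ($0 ~ /debian\/changelog/) }
        in_cl && /^\+/ && !/^\+\+\+/ { print }
    ' | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# CVE ids carried by the names of patch files the debdiff adds or touches
# under debian/patches/ (reads stdin). The "+++" header names the new file.
patch_cves() {
    grep -E '^\+\+\+ .*debian/patches/' | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# Print the CVE ids the changelog names that no patch file name covers.
# Exit status 0 when every changelog CVE is covered, 1 otherwise.
check_debdiff() {
    diff_text=$(cat)
    wanted=$(printf '%s\n' "$diff_text" | changelog_cves)
    have=$(printf '%s\n' "$diff_text" | patch_cves)
    missing=""
    for cve in $wanted; do
        if ! printf '%s\n' "$have" | grep -qx "$cve"; then
            missing="$missing $cve"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf 'changelog names CVEs without a matching patch file: %s\n' "$missing"
        return 1
    fi
    printf 'all %s changelog CVEs carried by patch files\n' \
        "$(printf '%s\n' "$wanted" | grep -c .)"
    return 0
}

# Stand-alone run: check the constructed sample (expected to pass).
printf '%s\n' "$SAMPLE_DEBDIFF" | check_debdiff
```

Pipe a real debdiff into check_debdiff to use it on an upload. The match is purely by file name, so patches named after something other than the CVE (a bug number, an upstream commit id) need a different rule, and a passing result says nothing about whether each patch is the right fix; that is what the test-suite, reproducer and upstream-review points above are for.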
