On Wed, Oct 05, 2016 at 05:51:52PM +0200, Bálint Réczey wrote:
> Note that the last update to Wheezy LTS's package already fixed several
> vulnerabilities:
> https://lists.debian.org/debian-lts-announce/2016/09/msg00028.html
>
> You can still fix other open issues which you find reasonable to fix.

I have backported the patches I wrote for a Stable update of dwarfutils to the current Wheezy LTS package (20120410-2+deb7u1).

I was unable to reproduce the following issues:

CVE-2016-5043
CVE-2016-5041
CVE-2016-5040
CVE-2016-5037
CVE-2016-5035
CVE-2016-5033
CVE-2016-5032
CVE-2016-5030
CVE-2016-5028
CVE-2016-5027

I wrote patches for:

CVE-2016-5042
CVE-2016-5039
CVE-2016-5038
CVE-2016-5036
CVE-2016-5034
CVE-2016-2091
CVE-2016-2050
CVE-2015-8750
CVE-2015-8538

I was able to reproduce the following issues, but they appear to have been fixed by the above patches:

CVE-2016-5044
CVE-2016-5031
CVE-2016-5029

I would appreciate it if someone could verify those findings by testing the package. I have attached the Debdiff as well as the tests I collected from various places that are supposed to reproduce the security issues mentioned above. Further tests can be found here:

https://sourceforge.net/p/libdwarf/regressiontests/ci/master/tree/

If there are no objections, I plan to upload the package one week from now on Sunday, October 16, 2016. If there are any objections, or if you'd like more time to review the changes, I will delay the upload, of course.

Regards,
Fabian
Attachment:
dwarfutils.debdiff.xz
Description: application/xz
Attachment:
tests.tar.xz
Description: application/xz