Re: CVE-2014-9862 Fixed in bsdiff 4.3-17 / Wheezy backport of bsdiff?
On Tue, Nov 01, 2016 at 08:08:47PM +0200, Jari Aalto wrote:
> On 2016-11-01 15:12, Guido Günther wrote:
> | Hello dear maintainer(s),
> | the Debian LTS team would like to fix the security issues which are
> | currently open in the Wheezy version of bsdiff:
> | https://security-tracker.debian.org/tracker/CVE-2014-9862
> | feel free to just prepare an updated source package and send it to
> | firstname.lastname@example.org (via a debdiff, or with an URL pointing
> | to the source package, or even with a pointer to your packaging
> | repository), and the members of the LTS team will take care of the
> | rest.
> | Indicate clearly whether you have tested the updated package
> | or not.
> Guido and Team,
> This security issue has been fixed in the latest package:
> bsdiff (4.3-17) unstable; urgency=medium
> * debian/patches
> - (20): New. Closes: CVE-2014-9862
> Description: No check for negative values on the number of bytes to
> read from the "diff" and "extra" streams, allowing an attacker
> controlling the patch file to write at arbitrary locations in the
> The change is trivial in the included patch.
> Sources in "gbp buildpackage" layout are available at:
> # https://anonscm.debian.org/git/collab-maint/bsdiff.git
> debcheckout bsdiff
> # Target commit id to build
> 2016-10-29 63f1e4c jari.aalto debian/changelog: (4.3-17) Closes: CVE-2014-9862
> I have ran a preliminary OK test build with pbuilder set to wheezy
> on amd64. I have not tested to install or run the *.deb on wheezy.
> Let me know if I can be of more help,
We can handle the test on wheezy and the upload and DLA, thanks a lot!