Here is why: On Sun, Apr 30, Mattia Rizzolo: > On Sun, Apr 30, 2017 at 01:40:13AM +0200, Markus Koschany wrote: > > Am 29.04.2017 um 23:50 schrieb Mattia Rizzolo: > > > Hi Markus. > > > > > > Thank you for the upload! > > > > > > Although, I'd have liked if you sent me a debdiff before uploading it, > > > if nothing else becase I am planning to do an upload to unstable fixing > > > a first round a CVEs, and I would have liked to do something similar for > > > all the suites... > > > > You're welcome. When I saw that nobody worked on libpodofo in Wheezy, > > even some CVEs got marked as no-dsa, I decided to step up and fix what > > could be reasonably fixed in time. I forgot that you would have > > preferred to look over the changes, sorry about that, I will remember > > that for the next time. > > Anyhow, upstream has no consideration for ABI stability (feels like they > taking breaking ABI every single new release as a feature…) so every > cherry pick from upstream has to be checked in this regard (all the > commits till now are fine, IIRC). QED. You LTS upload broke libpodofo ABI. The symbol _ZNK6PoDoFo7PdfPage25GetInheritedKeyFromObjectEPKcPKNS_9PdfObjectE@Base as present in the wheezy version (libpodofo0.9.0_0.9.0-1.1+b1_amd64.deb) became _ZNK6PoDoFo7PdfPage25GetInheritedKeyFromObjectEPKcPKNS_9PdfObjectEi@Base in wheezy-security (libpodofo0.9.0_0.9.0-1.1+deb7u1_amd64.deb). Now, I do not know what's LTS policy about silent ABI breakage, but I doubt you are OK with that. That's in particular caused by https://anonscm.debian.org/git/collab-maint/libpodofo.git/tree/debian/patches/CVE-2017-5852.patch?h=debian/0.9.0-1.1%2bdeb7u1#n123 - const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const; + const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth = 0 ) const; ATM, I don't know how to fix that CVE without breaking the ABI. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
Attachment:
signature.asc
Description: PGP signature