[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Accepted libpodofo 0.9.0-1.1+deb7u1 (source amd64) into oldstable

Here is why:

On Sun, Apr 30, Mattia Rizzolo:
> On Sun, Apr 30, 2017 at 01:40:13AM +0200, Markus Koschany wrote:
> > Am 29.04.2017 um 23:50 schrieb Mattia Rizzolo:
> > > Hi Markus.
> > > 
> > > Thank you for the upload!
> > > 
> > > Although, I'd have liked if you sent me a debdiff before uploading it,
> > > if nothing else becase I am planning to do an upload to unstable fixing
> > > a first round a CVEs, and I would have liked to do something similar for
> > > all the suites...
> > 
> > You're welcome. When I saw that nobody worked on libpodofo in Wheezy,
> > even some CVEs got marked as no-dsa, I decided to step up and fix what
> > could be reasonably fixed in time. I forgot that you would have
> > preferred to look over the changes, sorry about that, I will remember
> > that for the next time.
> Anyhow, upstream has no consideration for ABI stability (feels like they
> taking breaking ABI every single new release as a feature…) so every
> cherry pick from upstream has to be checked in this regard (all the
> commits till now are fine, IIRC).


You LTS upload broke libpodofo ABI.  The symbol
as present in the wheezy version (libpodofo0.9.0_0.9.0-1.1+b1_amd64.deb)
in wheezy-security (libpodofo0.9.0_0.9.0-1.1+deb7u1_amd64.deb).

Now, I do not know what's LTS policy about silent ABI breakage, but I
doubt you are OK with that.

That's in particular caused by

-    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const; 
+    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth = 0 ) const;

ATM, I don't know how to fix that CVE without breaking the ABI.

                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Attachment: signature.asc
Description: PGP signature

Reply to: