
Re: patch / CVE-2018-1000156



Brian,

> Not sure I understand this comment from dla-needed.txt:

Sorry, I did not see your comment until now.

> The patch - good version at [..] doesn't touch the files noted
> above.

The patch adds a call to make_tempfile (or similar) which uses
utility functions from these aforementioned files, which in turn
uses utility functions in yet other files.

However, those files/utilities are not part of the older wheezy
version, hence I followed the "rabbit hole" of porting them over.  I
would usually be happy to backport the odd utility function or two
for a security release, but this descended into far too much code
to be aesthetically pleasing or safe.

(As I noted -- mostly to myself, alas -- we could potentially use a
less-safe version to essentially avoid pulling in many changes, if
any.)



Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

