Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
- To: Roberto C. Sánchez <roberto@debian.org>
- Cc: debian-lts@lists.debian.org, debian-security@lists.debian.org, Debian Security Team <team@security.debian.org>, holmgren@debian.org, 914632@bugs.debian.org
- Subject: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 30 Dec 2018 09:38:57 +0100
- Message-id: <20181230083857.GA14157@eldamar.local>
- Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org, debian-security@lists.debian.org, Debian Security Team <team@security.debian.org>, holmgren@debian.org, 914632@bugs.debian.org
- In-reply-to: <20181229152439.lbmgvtkaqv2chow5@santiago.connexer.com>
- References: <20181223032718.2zxlwl6fybebsdgh@santiago.connexer.com> <20181229152439.lbmgvtkaqv2chow5@santiago.connexer.com>
Hi Roberto,
On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote:
> On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
> > [note: I am not subscribed to debian-security; please keep me or
> > debian-lts addressed on replies]
> >
> > If this seems like a sensible approach, I propose to apply the attached
> > patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid version)
> > to create version 8:2007f~dfsg-6 for upload to sid and eventual
> > inclusion in stretch (perhaps via a point release) and then also in
> > parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to jessie.
> >
> > Please reply with your comments. In particular, feedback from the
> > security team on the appropriateness of this for a stable point release
> > and my suggested route for the update to take to get there would be very
> > useful.
> >
>
> Hi all,
>
> Since Tomas and Ola have reviewed the patch and we have had some
> discussion which makes it seem like this is the most sensible approach
> to the vulnerability given the constraints, I wonder if the Security
> team could weigh in.
>
> I have forwarded my initial message and the patch to Magnus Holmgren
> (the uw-imap maintainer) and also added him as a recipient of this
> message, as he may wish to be the one to upload to unstable and
> coordinate the future point release inclusion.
>
> I ask for some indication now from the security team and/or the
> maintainer since I don't think it makes sense to fix this only in jessie
> and not in stretch/buster/sid.

There is an alternative approach which was raised by Magnus in the
respective bug: https://bugs.debian.org/914632#12 (and see the follow-up
from Moritz).

Regards,
Salvatore