Re: RFC: proposed fix for CVE-2018-19518 in uw-imap

[Salvatore Bonaccorso <carnil@debian.org>]

Hi Roberto,

On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote:
> On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
> > [note: I am not subscribed to debian-security; please keep me or
> > debian-lts addressed on replies]
> > 
> > If this seems like a sensible approach, I propose to apply the attached
> > patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid version)
> > to create version 8:2007f~dfsg-6 for upload to sid and eventual
> > inclusion in stretch (perhaps via a point release) and then also in
> > parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to jessie.
> > 
> > Please reply with your comments.  In particular, feedback from the
> > security team on the appropriateness of this for a stable point release
> > and my suggested route for the update to take to get there would be very
> > useful.
> > 
> 
> Hi all,
> 
> Since Tomas and Ola have reviewed the patch and we have had some
> discussion which makes it seem like this is the most sensible approach
> to the vulnerability given the constraints, I wonder if the Security
> team could weigh in.
> 
> I have forwarded my initial message and the patch to Magnus Holngren
> (the uw-imap maintainer) and also added him as a recipient of this
> message, as he may wish to be the one to upload to unstable and
> coordinate the future point release inclusion.
> 
> I ask for some indication now from the security team and/or the
> maintainer since I don't think it makes sense to fix this only in jessie
> and not in stretch/buster/sid.

There is an alternative approach wich was raised by Magnus in the
respective bug: https://bugs.debian.org/914632#12 (and see followup
from Moritz).

Regards,
Salvatore