Re: LTS/subversion note
On Thu, Aug 15, 2019 at 08:39:02AM -0700, Chris Lamb wrote:
> Hi Roberto,
>
> > I decided to take a shot fixing CVE-2018-11782 and CVE-2019-0203 for
> > subversion in jessie. You had made the following note in
> > dla-needed.txt:
> >
> > subversion
> > NOTE: 20190804: For (at least) CVE-2018-11782 the svn_err_trace that
> > is in the diff has not been added yet. (lamby)
> […]
> > In any event, what puzzled me was your mention of svn_err_trace in the
> > diff. I found no such function or type in either diff.
>
> Another very quick glance suggests that it was "svn_error_trace".
>
Yes, I made the connection after looking over the patch more closely.
> I apologise if I misled you into thinking you should focus your time and
> energy on that.
>
No need to apologize. There was no time or energy wasted.
> ... but this makes me ponder that my notes tend to be scribbled quite
> quickly, the only goal of them being to potentially save someone (or
> myself) some time looking in the right place or perhaps confirming
> their own investigation, rather than being something that can be 110%
> trusted or otherwise treated as gospel. I'd rather write a note,
> however unconfirmed, than not, if you see what I mean.
>
I definitely see what you mean. In this case, I took the note as a
starting point, very quickly found that it was a "dead end," emailed you
the question to ensure I hadn't missed something, went about my normal
process of examining the upstream advisories and patches, then stumbled
upon the svn_error_trace reference. When I arrived at that I then
realized that your note was in reference to that.
Either way, the note was helpful in the end, so thanks for taking the
time to make it.
Regards,
-Roberto
--
Roberto C. Sánchez