Re: LTS/subversion note
On Thu, Aug 15, 2019 at 08:39:02AM -0700, Chris Lamb wrote:
> Hi Roberto,
> > I decided to take a shot fixing CVE-2018-11782 and CVE-2019-0203 for
> > subversion in jessie. You had made the following note in
> > dla-needed.txt:
> > subversion
> > NOTE: 20190804: For (at least) CVE-2018-11782 the svn_err_trace that
> > is in the diff has not been added yet. (lamby)
> > In any event, what puzzled me was your mention of svn_err_trace in the
> > diff. I found no such function or type in either diff.
> Another very quick glance suggests that it was "svn_error_trace".
Yes, I made the connection after looking over the patch more closely.
> I apologise if I misled you into thinking you should focus your time and
> energy on that.
No need to apologize. There was no time or energy wasted.
> ... but this makes me ponder that my notes tend to be scribbled quite
> quickly, the only goal of them being to potentially save someone (or
> myself) some time looking in the right place or perhaps confirming
> their own investigation, rather than being something that can be 110%
> trusted or otherwise treated as gospel. I'd rather write a note,
> however unconfirmed, than not, if you see what I mean.
I definitely see what you mean. In this case, I took the note as a
starting point, very quickly found that it was a "dead end," emailed you
the question to ensure I hand't missed something, went about my normal
process of examining the upstream advisories and patches, then stumbled
upon the svn_error_trace reference. When I arrived at that I then
realized that your note was in reference to that.
Either way, the note was helpful in the end, so thanks for taking the
time to make it.
Roberto C. Sánchez