Re: Bug#914632: RFC: proposed fix for CVE-2018-19518 in uw-imap
Hi Magnus,
On Sun, Feb 24, 2019 at 08:28:00PM +0100, Magnus Holmgren wrote:
> On Sunday, 30 December 2018 at 09:38:57 CET, Salvatore Bonaccorso wrote:
> > There is an alternative approach which was raised by Magnus in the
> > respective bug: https://bugs.debian.org/914632#12 (and see followup
> > from Moritz).
>
> So, is it OK to upload this (assuming there's no code out there that actually
> uses SET_RSHPATH or SET_SSHPATH)?
>
> (By no longer defining RSHPATH, rshpath doesn't get set by the following code
> and tcp_aopen() will return NIL without doing anything.
>
> #ifdef RSHPATH /* rsh path defined yet? */
> if (!rshpath) rshpath = cpystr (RSHPATH);
> #endif
Can you address the issue first in unstable and make sure it can reach
buster? After that a stretch update can be targeted, should go
actually via an upcoming stretch point release (we marked the issue
no-dsa earlier).
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
Thanks for your work on the issue!
Regards,
Salvatore