
Re: Bug#914632: RFC: proposed fix for CVE-2018-19518 in uw-imap



Hi Magnus,

On Sun, Feb 24, 2019 at 08:28:00PM +0100, Magnus Holmgren wrote:
> On Sunday, 30 December 2018 at 09:38:57 CET, Salvatore Bonaccorso wrote:
> > There is an alternative approach which was raised by Magnus in the
> > respective bug: https://bugs.debian.org/914632#12 (and see followup
> > from Moritz).
> 
> So, is it OK to upload this (assuming there's no code out there that actually 
> uses SET_RSHPATH or SET_SSHPATH)?
> 
> (By no longer defining RSHPATH, rshpath doesn't get set by the following code 
> and tcp_aopen() will return NIL without doing anything.
> 
> #ifdef RSHPATH			/* rsh path defined yet? */
>   if (!rshpath) rshpath = cpystr (RSHPATH);
> #endif

Can you address the issue first in unstable and make sure it can reach
buster? After that a stretch update can be targeted, should go
actually via an upcoming stretch point release (we marked the issue
no-dsa earlier).

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Thanks for your work on the issue!

Regards,
Salvatore

