slirp / CVE-2020-7039 / CVE-2020-8608

To: debian-lts@lists.debian.org
Subject: slirp / CVE-2020-7039 / CVE-2020-8608
From: Brian May <brian@linuxpenguins.xyz>
Date: Wed, 12 Aug 2020 08:55:43 +1000
Message-id: <[🔎] 87r1sceqs0.fsf@silverfish.pri>

I am seriously thinking that slirp from unstable should be ported as is
from sid to buster and stretch. This is not a new upstream version, it
has bug fixes and security updates only. Probably the same changes I
would have to make myself in fact. Such as replacing sprintf calls with
snprintf calls for example.

This would fix CVE-2020-7039 and provide the prerequisite to fixing
CVE-2020-8608.

Only thing, I am not sure what to do with the versioning:

stretch 1:1.0.17-8
buster  1:1.0.17-8
sid     1:1.0.17-10

In fact, because stretch and buster has the same version, does this mean
I can't make any security uploads to stretch?

On the other hand the security team has marked both these as no-DSA, in
buster meaning maybe I should do the same thing too?
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

Reply to:

Follow-Ups:
- Re: slirp / CVE-2020-7039 / CVE-2020-8608
  - From: Roberto C. Sánchez <roberto@debian.org>

Prev by Date: Re: roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious SVG or math content
Next by Date: Re: slirp / CVE-2020-7039 / CVE-2020-8608
Previous by thread: Re: roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious SVG or math content
Next by thread: Re: slirp / CVE-2020-7039 / CVE-2020-8608
Index(es):
- Date
- Thread