Re: slirp / CVE-2020-7039 / CVE-2020-8608
On Wed, Aug 12, 2020 at 08:55:43AM +1000, Brian May wrote:
> I am seriously thinking that slirp from unstable should be ported as is
> from sid to buster and stretch. This is not a new upstream version, it
> has bug fixes and security updates only. Probably the same changes I
> would have to make myself in fact. Such as replacing sprintf calls with
> snprintf calls for example.
>
> This would fix CVE-2020-7039 and provide the prerequisite to fixing
> CVE-2020-8608.
>
> Only thing, I am not sure what to do with the versioning:
>
> stretch 1:1.0.17-8
> buster 1:1.0.17-8
> sid 1:1.0.17-10
>
> In fact, because stretch and buster have the same version, does this mean
> I can't make any security uploads to stretch?
>
> On the other hand, the security team has marked both of these as no-DSA in
> buster, meaning maybe I should do the same thing too?
I would ask the Security Team if they are open to considering taking
1:1.0.17-10 into buster. The version would be 1:1.0.17-10~deb10u1. If
they agree, then you could subsequently upload to stretch with version
1:1.0.17-10~deb9u1. If they are not open to considering it, then it
seems that the only viable course of action is to mark them no-dsa.
Regards,
-Roberto
--
Roberto C. Sánchez