
Re: slirp / CVE-2020-7039 / CVE-2020-8608



On 12/08/2020 01:04, Roberto C. Sánchez wrote:
> On Wed, Aug 12, 2020 at 08:55:43AM +1000, Brian May wrote:
>> I am seriously thinking that slirp from unstable should be ported as is
>> from sid to buster and stretch. This is not a new upstream version, it
>> has bug fixes and security updates only. Probably the same changes I
>> would have to make myself in fact. Such as replacing sprintf calls with
>> snprintf calls for example.
>>
>> This would fix CVE-2020-7039 and provide the prerequisite to fixing
>> CVE-2020-8608.
>>
>> Only thing, I am not sure what to do with the versioning:
>>
>> stretch 1:1.0.17-8
>> buster  1:1.0.17-8
>> sid     1:1.0.17-10
>>
>> In fact, because stretch and buster have the same version, does this mean
>> I can't make any security uploads to stretch?
>>
>> On the other hand the security team has marked both these as no-DSA in
>> buster, meaning maybe I should do the same thing too?
> 
> I would ask the Security Team if they are open to considering taking
> 1:1.0.17-10 into buster.  The version would be 1:1.0.17-10~deb10u1.  If
> they agree, then you could subsequently upload to stretch with version
> 1:1.0.17-10~deb9u1.  If they are not open to considering it, then it
> seems that the only viable course of action is to mark them no-dsa.

Even if it's no-dsa, it can still be updated in buster via stable-proposed-updates.

Cheers,
Emilio