
Re: Request for patch review (brotli)

On Sun, Oct 25, 2020 at 02:04:30PM -0400, Roberto C. Sánchez wrote:
> Hi fellow LTS folks,
> I am working on the update for brotli as it relates to CVE-2020-8927.
> The upstream Git project contains a commit [0] which fixes the issue
> along with several other issues in the same commit.  However, there does
> not appear to be any available information regarding the specifics of
> the vulnerability nor is there a PoC that can be used to validate the
> fix.  There also appears to be no prior iteration of the PR which
> contains the changes in separate commits.
> That said, I have done my best to exclude the parts of the upstream
> commit that do not appear related to CVE-2020-8927 and then to backport
> the remainder to brotli as it exists in stretch.  I would like it if
> someone else could review the attached patch, comparing it to the
> upstream commit, and provide feedback on the completeness of the patch.
> Please make sure to follow up with a reply to the list before reviewing
> so that there is not duplicate work on this.

Since two weeks have elapsed since I made my request, I intend to upload
the brotli package within the next 24 hours.



Roberto C. Sánchez
