Re: Request for patch review (brotli)
On Sun, Oct 25, 2020 at 02:04:30PM -0400, Roberto C. Sánchez wrote:
> Hi fellow LTS folks,
>
> I am working on the update for brotli as it relates to CVE-2020-8927.
> The upstream Git project contains a commit [0] which fixes the issue
> along with several other issues in the same commit. However, there does
> not appear to be any available information regarding the specifics of
> the vulnerability nor is there a PoC that can be used to validate the
> fix. There also appears to be no prior iteration of the PR which
> contains the changes in separate commits.
>
> That said, I have done my best to exclude the parts of the upstream
> commit that do not appear related to CVE-2020-8927 and then to backport
> the remainder to brotli as it exists in stretch. I would like it if
> someone else could review the attached patch, comparing it to the
> upstream commit, and provide feedback on the completeness of the patch.
>
> Please make sure to follow up with a reply to the list before reviewing
> so that there is not duplicate work on this.
>
Since two weeks have elapsed since I made my request, I intend to upload
the brotli package within the next 24 hours.

Regards,
-Roberto
--
Roberto C. Sánchez