Re: RFR: openscad update

To: Helmut Grohne <helmut@subdivi.de>, debian-lts@lists.debian.org
Subject: Re: RFR: openscad update
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Mon, 27 Jun 2022 10:45:34 +0200
Message-id: <[🔎] d51d92fd-8ff9-1c9b-d907-d24ae520112a@debian.org>
In-reply-to: <[🔎] YrSAMaON1VxPiTI3@alf.mars>
References: <[🔎] YrSAMaON1VxPiTI3@alf.mars>

On 23/06/2022 17:01, Helmut Grohne wrote:

Hi,

I've been looking into updating openscad in buster to fix CVE-2022-0496
and CVE-2022-0497. They're already fixed in bullseye and later. They are
input sanitization issues and CVE-2022-0496 needed a little porting of
the patch. I verified that the provided PoCs for CVE-2022-0496 do
trigger in an asan/ubsan build and no longer trigger after applying the
patch. The provided PoC for CVE-2022-0497 did not trigger in an
asan/ubsan build, but the fix is quite obvious and the PoC looks quite
sensitive to the memory layout, so that's unsurprising. Beyond the
build-time test suite, autopkgtests also pass.

Given the buster -> LTS transition, I'm unsure where to upload this to.
Adam's mail seems to indicate that it's late for the point release.

What mail? afaik the plan is to have a buster point release before the busterhandover to the LTS team, sometime around August, so it shouldn't be too late tofix this in buster-pu.


Cheers,
Emilio

Reply to:

References:
- RFR: openscad update
  - From: Helmut Grohne <helmut@subdivi.de>

Prev by Date: Re: RFR: openscad update
Next by Date: What to do with sox
Previous by thread: Re: RFR: openscad update
Next by thread: Re: RFR: openscad update
Index(es):
- Date
- Thread