Re: Review libsoup2.4 for bullseye
On Tue, Apr 22, 2025 at 01:31:07PM +0200, Andreas Henriksson wrote:
> Hello,
Hi Andreas,
>...
> I've also pulled additional
> commits adding testcases (but some are still disabled, because they need
> porting to the older libsoup 2.74 APIs), and I'm now at a published
> building package.
>...
> I'd like to ask both for opinions and help with backporting testcases.
> If you have any guidance to share on how to decide how much effort is
> worth putting into manually backporting testcase code (with the
> possibility of me introducing bugs), please share.
>...
I would aim for every CVE to verify both that the issue was present
before the fix, and that it is fixed with the fix.
That's easy when a PoC or testcase reproduces the problem;
when neither is available (or is available but does not
trigger the problem), a more thorough reading of the code
is usually needed.
Most of these libsoup CVEs come with a PoC, and they should be tried.
I wouldn't spend too much effort on additionally backporting testcases
when it has already been verified with the PoC that an issue was present
and is now fixed.
> Regards,
> Andreas Henriksson
>...
cu
Adrian
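The before/after check described in the reply above, as an added example that is not part of the thread or of the libsoup package work: a small POSIX sh harness that runs one PoC against the unpatched and the patched build and classifies the result, including the "PoC is available but does not trigger" case that the reply says calls for reading the code instead. It assumes (hypothetically) that the PoC is an executable which exits non-zero when it triggers the bug and that the two builds are selected with LD_LIBRARY_PATH; the stand-in PoC used by demo is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions: the PoC exits non-zero when the bug triggers, and the
# unpatched/patched builds live in two directories chosen via LD_LIBRARY_PATH.

# verify_cve_fix <poc> <unpatched_libdir> <patched_libdir>
# Prints one of: confirmed | poc-does-not-trigger | not-fixed | inconclusive
verify_cve_fix() {
    poc=$1; old=$2; new=$3
    if LD_LIBRARY_PATH="$old" "$poc" >/dev/null 2>&1; then old_ok=1; else old_ok=0; fi
    if LD_LIBRARY_PATH="$new" "$poc" >/dev/null 2>&1; then new_ok=1; else new_ok=0; fi
    case "$old_ok$new_ok" in
        01) echo confirmed ;;             # present before the fix, gone after it
        11) echo poc-does-not-trigger ;;  # PoC never triggered: read the code instead
        00) echo not-fixed ;;             # still triggers with the fix applied
        10) echo inconclusive ;;          # only the patched build fails: look again
    esac
}

# Constructed stand-in for a real PoC (hypothetical): it "crashes" (exits 1)
# unless the selected library directory carries a marker file named FIXED.
make_fake_poc() {
    cat >"$1/poc" <<'EOF'
#!/bin/sh
[ -e "$LD_LIBRARY_PATH/FIXED" ]
EOF
    chmod +x "$1/poc"
}

# demo <old_has_fix 0|1> <new_has_fix 0|1>: builds two throwaway "library"
# directories with the constructed PoC and returns the classification.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/old" "$tmp/new"
    [ "$1" = 1 ] && : >"$tmp/old/FIXED"
    [ "$2" = 1 ] && : >"$tmp/new/FIXED"
    make_fake_poc "$tmp"
    result=$(verify_cve_fix "$tmp/poc" "$tmp/old" "$tmp/new")
    rm -rf "$tmp"
    echo "$result"
}

# Typical run: unpatched build lacks the fix, patched build has it.
demo 0 1
```

With a real PoC the same function is called as `verify_cve_fix ./poc /opt/libsoup-old/lib /opt/libsoup-new/lib`; the "poc-does-not-trigger" and "inconclusive" outcomes are the ones where the reply's advice to read the code more thoroughly applies.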