
Bug#635549: Stable update of hplip for CVE-2011-2722 (#635549) ?



On Fri, 2011-11-25 at 14:58 +0100, Didier Raboud wrote:
> after taking a closer look to #635549 and an IRC chat with the Security 
> people, I propose to upload hplip to stable with the following changelog 
> entry: 
> 
>     hplip (3.10.6-2+squeeze0) stable; urgency=low

Why "+squeeze0"?  +squeeze1 is more conventional.
>       * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
>         code out. (Closes: #635549)

I'm assuming the debug code isn't likely to be used that often?  The
upstream bug (<URL:https://bugs.launchpad.net/hplip/+bug/809904>)
implies that they were looking at replacing the code with a mkstemp()
call, rather than removing it.  If it's basically unused then patching
it out should be okay though.

fwiw, my MUA failed to verify the signature on your mail.

Regards,

Adam
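The fix the thread contrasts is removing the debug code versus replacing its temporary-file creation with mkstemp(). The following is an added illustration, not code from hplip or from either correspondent: a constructed insecure pattern (predictable name, plain fopen) next to the mkstemp() form upstream was considering, plus the post-creation checks a reviewer would want. Function names, the `hp-debug` prefix and the `/tmp` directory are assumptions for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Constructed insecure pattern, for contrast only (not hplip's code):
 * the name is predictable and fopen() follows whatever already sits at
 * that path, so anything pre-placed there by another local user is
 * silently truncated and written to. */
static FILE *insecure_debug_file(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/hp-debug-%ld.log", dir, (long)getpid());
    return fopen(path, "w");
}

/* Hardened form: mkstemp() replaces the XXXXXX template atomically with
 * O_CREAT|O_EXCL and mode 0600, so a pre-existing file or symlink at the
 * chosen name is never opened; the caller gets the open fd and the final
 * path. Returns the fd, or -1 on failure. */
int secure_debug_file(const char *dir, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/hp-debug-XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;                       /* directory name too long */
    return mkstemp(path_out);
}

/* Post-creation checks: the path is a regular file (not a symlink), the
 * fd and the path refer to the same inode, it is owned by us and is not
 * readable by anyone else. Returns 1 when every check holds. */
int check_tempfile(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    if (!S_ISREG(ls.st_mode))
        return 0;                        /* something else is at that name */
    if (fs.st_ino != ls.st_ino || fs.st_dev != ls.st_dev)
        return 0;                        /* path no longer matches our fd */
    if ((fs.st_mode & 0777) != 0600)
        return 0;                        /* mkstemp() guarantees 0600 */
    if (fs.st_uid != getuid())
        return 0;
    return 1;
}

/* Create a debug file the safe way, validate it, write one line, clean up.
 * Returns 1 on success so a caller can assert on it. */
int demo(void)
{
    char path[4096];
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int fd = secure_debug_file(dir, path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = check_tempfile(fd, path);
    const char msg[] = "debug output\n";
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        ok = 0;
    close(fd);
    unlink(path);
    (void)insecure_debug_file;           /* kept only as the contrasting pattern */
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The checks in check_tempfile() are what makes the difference observable: with the insecure pattern there is no fd-to-path agreement to verify, because the file was opened through a name that another local user could have claimed first.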