Re: [Secure-testing-team] CVE-2007-1253: blender: eval injection vulnerability in kmz_ImportWithMesh.py
On Thu, Apr 05, 2007 at 12:59:04AM +0200, Florian Ernst wrote:
> On Wed, Apr 04, 2007 at 03:42:13PM -0700, Steve Langasek wrote:
> > On Thu, Apr 05, 2007 at 12:21:52AM +0200, Florian Ernst wrote:
> > > On the other hand, the toolchain is frozen for quite some time and
> > > identical both in testing and unstable, and blender_2.42a-6 which is
> > > identical code-wise to -5etch1 has built on all archs, including mips
> > > and sparc, without any problems.
> > Please refresh my memory, is there some reason we don't want to accept -6
> > from unstable into etch?
> <http://lists.debian.org/debian-release/2007/03/msg00677.html> lists
> your reasons. So far I assumed they still apply.
Ok, note that I wrote there that:

    If the package is not "a releasable version on [64-bit] systems", then the
    binaries should be removed from the release, not just documented.

No one has responded to the important point here, which is that *we should
not ship broken binaries on 64-bit systems*; the -5etch1 package is
certainly no better than -6 in this respect, AFAICS both versions still have
an undeclared grave bug because they both ship binaries on ia64/alpha/amd64
that are known not to be usable.
> In the light of the recent issues, would you prefer a -7 upload
> reverting everything from -6 except for the one-liner to fix
> CVE-2007-1253 (thus being identical to -5etch1)?
The rest is not all that important, in either direction; I think you've
misused debian/NEWS here, and I don't consider documenting a package's
uselessness on an architecture to be an appropriate "fix", but the main
point in that mail was that the security fix described didn't sound
high-priority to me and that you should check with the security team.
Since the security team acked this change (though via the t-p-u queue, meh),
I have no further reason not to accept -6 in from unstable, so unblocked
now.
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/