
Re: [Secure-testing-team] CVE-2007-1253: blender: eval injection vulnerability in kmz_ImportWithMesh.py

On Thu, Apr 05, 2007 at 12:59:04AM +0200, Florian Ernst wrote:
> On Wed, Apr 04, 2007 at 03:42:13PM -0700, Steve Langasek wrote:
> > On Thu, Apr 05, 2007 at 12:21:52AM +0200, Florian Ernst wrote:
> > > On the other hand, the toolchain is frozen for quite some time and
> > > identical both in testing and unstable, and blender_2.42a-6 which is
> > > identical code-wise to -5etch1 has built on all archs, including mips
> > > and sparc, without any problems.

> > Please refresh my memory, is there some reason we don't want to accept -6
> > from unstable into etch?

> <http://lists.debian.org/debian-release/2007/03/msg00677.html> lists
> your reasons. So far I assumed they still apply.

Ok, note that I wrote there that:

  If the package is not "a releasable version on [64-bit] systems", then the
  binaries should be removed from the release, not just documented.

No one has responded to the important point here, which is that *we should
not ship broken binaries on 64-bit systems*; the -5etch1 package is
certainly no better than -6 in this respect, AFAICS both versions still have
an undeclared grave bug because they both ship binaries on ia64/alpha/amd64
that are known not to be usable.

> In the light of the recent issues, would you prefer a -7 upload
> reverting everything from -6 except for the one-liner to fix
> CVE-2007-1253 (thus being identical to -5etch1)?

The rest is not all that important, in either direction; I think you've
misused debian/NEWS here, and I don't consider documenting a package's
uselessness on an architecture to be an appropriate "fix", but the main
point in that mail was that the security fix described didn't sound
high-priority to me and that you should check with the security team.

Since the security team acked this change (though via the t-p-u queue, meh),
I have no further reason not to accept -6 in from unstable, so unblocked
now.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/