[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Fwd: Re: New version of bzip2 for etch

Dear Release Team,

I'm in the process to close #471670: a security bug on bzip2 which fixes a
denial of service via a crafted file. I fix it on sid thanks to Santiago
Ruano, which is the co-maintainer of bzip2.

Then i build a package for stable and send it to the security team, however 
they says that since no code injection is possible, is not consider a
security problem (see attached mail for details).

After a while i expect more responses and decided to upload to
stable-proposed, but since this is my first upload to stable i'd like to
ask for some help and guidelines to prepare a correct package.

I use the 1.0.3-6 version and applied _just_ the patch that fix the bug,
and add the same entries from the sid changelog to the new stable
changelog, i built and test it on a pristine etch system and everything
seems to be ok. However i'm building it again and expect to publish the
final version tomorrow early.

There some things that i'd like to know also, and i appreciate if you give
me a hint about it: What other things should i check to create a correct 
package for etch? and what is the regular process? should i contact my
usual sponsor or send it to you? (i'm not a DD yet)

And at last, here is the link of the .dsc in case you want to check the

[1] http://debian.eviled.org/svn/bzip2/build-area/bzip2_1.0.3-7.dsc

Thanks you _so_ much,

 : :' :      Luis
 `. `'       http://eviled.org
--- Begin Message ---
Hi Luis,

> I'm in the process of closing #471670, a security bug in bzip2.
> I've been working with the co-maintainer (santiago), and finished the NMU
> for sid, currently i'm working on closing the bug on etch and sarge.
> Here is the links with the [1].dsc, the [2].diff.gz and the [3]orig source
> of the package for etch. The only change was made in the bzlib_private.h
> and bzlib.c files. I build the package on an etch pbuilder and everything
> seems to be fine.
> Currently i'm checking the package on an etch chroot and trying to check if
> the bug is resolved for etch, however this is my first security update, so
> i really appreciate any kind of help that you gave me.

Thanks for preparing a package, but I don't believe this warrants a
security update. Since no code injection is possible I'd consider this
rather a regular application bug than a security problem. Unless someone
else from the Security Team disagrees or if I should miss something
important I'd propose to push this as a bugfix into a stable point update.


--- End Message ---

Attachment: signature.asc
Description: Digital signature

Reply to: