Dear Release Team,

I'm in the process of closing #471670, a security bug in bzip2 (a denial of service via a crafted file). I fixed it in sid thanks to Santiago Ruano, who is the co-maintainer of bzip2. Then I built a package for stable and sent it to the security team; however, they say that since no code injection is possible, it is not considered a security problem (see attached mail for details). After waiting a while for more responses, I decided to upload to stable-proposed, but since this is my first upload to stable I'd like to ask for some help and guidelines to prepare a correct package.

I used the 1.0.3-6 version and applied _just_ the patch that fixes the bug, and added the same entries from the sid changelog to the new stable changelog. I built and tested it on a pristine etch system and everything seems to be OK. However, I'm building it again and expect to publish the final version early tomorrow.

There are some other things I'd like to know as well, and I'd appreciate a hint about them: What else should I check to create a correct package for etch, and what is the regular process? Should I contact my usual sponsor or send it to you? (I'm not a DD yet.)

And finally, here is the link to the .dsc in case you want to check the package.

[1] http://debian.eviled.org/svn/bzip2/build-area/bzip2_1.0.3-7.dsc

Thank you _so_ much,

-- 
  .''`.
 : :' :  Luis
 `. `'   http://eviled.org
   `-
--- Begin Message ---
- To: Luis Uribe <acme@eviled.org>
- Cc: team@security.debian.org
- Subject: Re: New version of bzip2 for etch
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Sat, 12 Apr 2008 12:41:56 +0200
- Message-id: <20080412104155.GA3396@galadriel.inutil.org>
- In-reply-to: <20080412023402.GA6639@volatile>
- References: <20080412023402.GA6639@volatile>
Hi Luis,

> I'm in the process of closing #471670, a security bug in bzip2.
>
> I've been working with the co-maintainer (Santiago), and finished the NMU
> for sid. Currently I'm working on closing the bug on etch and sarge.
>
> Here are the links to the [1] .dsc, the [2] .diff.gz and the [3] orig source
> of the package for etch. The only changes were made in the bzlib_private.h
> and bzlib.c files. I built the package in an etch pbuilder and everything
> seems to be fine.
>
> Currently I'm checking the package in an etch chroot and trying to verify that
> the bug is resolved for etch. However, this is my first security update, so
> I really appreciate any kind of help you can give me.

Thanks for preparing a package, but I don't believe this warrants a security update. Since no code injection is possible I'd consider this rather a regular application bug than a security problem.

Unless someone else from the Security Team disagrees or I'm missing something important, I'd propose to push this as a bugfix into a stable point update.

Cheers,
Moritz
--- End Message ---