
Re: backport of CVE-2010-3364 to vips/nip2 in testing



On Sun, 2010-10-10 at 15:29 -0400, Jay Berkenbilt wrote:
> The bug reported in bug 598296 is the security vulnerability
> CVE-2010-3364.  The bug was reported against vips 7.22, but it actually
> affects both vips and nip2, and it is present in all previous versions.
> Its fix is a simple change to some wrapper shell scripts.  The versions
> currently in unstable include upstream's fix to the bug, but the
> unstable versions have no possibility of migrating to testing since they
> are new upstream versions and depend on other things that are not going
> to transition.
>
> I have prepared new versions for testing, but as per your
> instructions, I have not uploaded them. (Anyway, I don't have a clean
> testing chroot set up at the moment, though I can always make one.)
> I'm attaching my diffs to this email.

Sorry for the delay in getting back to you about this.

Personally, I'd just have used ${foo:+foo} as you mentioned in #598296,
but if you'd prefer to use upstream's fix then that's fine; please go
ahead with the uploads to tpu.

Regards,

Adam

