Bug#685961: pu: package alpine/2.00+dfsg-6+squeeze1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi stable release team,
(This is my first stable proposed update, so if I get a process item wrong,
please pardon me and help me correct it. Thanks!)
Bug #653238 describes a crasher bug, possibly a security vulnerability, in
alpine. The security team has indicated on the bug that they're not going to
open a Debian Security Advisory for the alpine bug, and indicate, "You/the
maintainer may choose to fix it in (old)stable through a point update, or leave
it at this." I choose to update stable through a point update.
I've prepared a minimal package update that adds the patch that fixes the
issue. I've tested that it builds fine in a stable pbuilder; before uploading,
I have tested it on a machine running stable, where it works fine.
I wanted to get your approval to upload the package to stable.
As a footnote: I believe the process on my end is:
* Get y'all's approval
* Upload the package using "dput ftp-master alpine_2.00+dfsg-6+squeeze1.dsc"
(with a binary package, as usual in Debian)
* Watch it flow through into squeeze-updates with no further effort from me
If I have some of that wrong, then let me know. I've read the documentation and
believe I understand, but want to be careful to not mess anything up.
Thanks!
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.4-trunk-amd64 (SMP w/4 CPU cores)
diff -u alpine-2.00+dfsg/debian/changelog alpine-2.00+dfsg/debian/changelog
--- alpine-2.00+dfsg/debian/changelog
+++ alpine-2.00+dfsg/debian/changelog
@@ -1,3 +1,10 @@
+alpine (2.00+dfsg-6+squeeze1) squeeze; urgency=low
+
+ * Fix a crash in the embedded copy of UW-IMAP, CVE-2008-5514.
+ (Closes: #653238)
+
+ -- Asheesh Laroia <asheesh@asheesh.org> Sun, 26 Aug 2012 16:58:01 -0700
+
alpine (2.00+dfsg-6) unstable; urgency=low
* Add diversion for pico and remove conflict with nano.
diff -u alpine-2.00+dfsg/debian/patches/series alpine-2.00+dfsg/debian/patches/series
--- alpine-2.00+dfsg/debian/patches/series
+++ alpine-2.00+dfsg/debian/patches/series
@@ -9,0 +10 @@
+60_fix_embedded_uw_imap.patch
only in patch2:
unchanged:
--- alpine-2.00+dfsg.orig/debian/patches/60_fix_embedded_uw_imap.patch
+++ alpine-2.00+dfsg/debian/patches/60_fix_embedded_uw_imap.patch
@@ -0,0 +1,21 @@
+diff -urN alpine-2.00/imap/src/c-client/rfc822.c alpine-2.00.fixed/imap/src/c-client/rfc822.c
+--- alpine-2.00/imap/src/c-client/rfc822.c 2008-06-04 11:46:10.000000000 -0700
++++ alpine-2.00.fixed/imap/src/c-client/rfc822.c 2012-08-26 17:12:39.678307877 -0700
+@@ -1351,6 +1351,7 @@
+
+ static long rfc822_output_char (RFC822BUFFER *buf,int c)
+ {
++ if ((buf->cur == buf->end) && !rfc822_output_flush (buf)) return NIL;
+ *buf->cur++ = c; /* add character, soutr buffer if full */
+ return (buf->cur == buf->end) ? rfc822_output_flush (buf) : LONGT;
+ }
+@@ -1374,7 +1375,8 @@
+ len -= i;
+ }
+ /* soutr buffer now if full */
+- if (len && !rfc822_output_flush (buf)) return NIL;
++ if ((len || (buf->cur == buf->end)) && !rfc822_output_flush (buf))
++ return NIL;
+ }
+ return LONGT;
+ }
Reply to: