Re: jessie-pu: package libiberty/20161017-1+deb8u1
2016-10-17 21:48 GMT+02:00 Adam D. Barratt <firstname.lastname@example.org>:
> Please file this as an appropriately-tagged bug against
> release.debian.org; mails to the list have a tendency to get lost.
thanks for the review. I used a reportbug, but it
did not send a mail to email@example.com. Will repeat the
>> Also libiberty is statically linked against "ht" which is also
>> should be updated in order to fix same CVEs, becuase ht used
>> embedded copy of libiberty (#840358).
> I'm slightly confused here. libiberty is statically linked against
> something that embeds libiberty? That seems somewhat circular.
ht contained a vulnerable embedded copy of libiberty. I stripped it
out and built ht against fixed libiberty, which is now statically linked
So, for the proper fixing of all CVEs in Jessie and potentially in Wheezy
one need to backport the newest libiberty and then upload the stripped
version of ht.
> From a very quick look:
> +libiberty (20161017-1+deb8u1) jessie-proposed-updates; urgency=medium
> +libiberty (20161017-1) unstable; urgency=medium
> That's broken. The upload to stable needs to have a lower version than
libiberty (20161017-1~deb8u1) will that work?
> diff -Nru libiberty-20141014/debian/compat libiberty-20161017/debian/compat
> --- libiberty-20141014/debian/compat 2013-11-16 20:38:52.000000000 +0100
> +++ libiberty-20161017/debian/compat 2016-02-15 20:15:24.000000000 +0100
> @@ -1 +1 @@
> -Build-Depends: debhelper (>= 8.0.0), autotools-dev
> -Standards-Version: 3.9.6
> +Build-Depends: debhelper (>= 9), autotools-dev
> That's not an acceptable change for a stable update.
Ok, I will revert it.
> The debdiff also doesn't appear to contain any changes outside of
> debian/, which makes it impossible to review.
I filtered it because the full diff is over 40k lines, which is unreadable.
To fix those CVEs we need to backport the complete new version.