Bug#853760: marked as done (unblock: bzip2/1.0.6-8.1)

To: Niels Thykier <niels@thykier.net>
Subject: Bug#853760: marked as done (unblock: bzip2/1.0.6-8.1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 31 Jan 2017 20:33:15 +0000
Message-id: <[🔎] handler.853760.D853760.148589464015219.ackdone@bugs.debian.org>
References: <df9a606f-9db4-282b-0b67-9f53c9e13666@thykier.net> <[🔎] 148588092634.9436.9086806690925968982.reportbug@eldamar.local>

Your message dated Tue, 31 Jan 2017 20:29:00 +0000
with message-id <df9a606f-9db4-282b-0b67-9f53c9e13666@thykier.net>
and subject line Re: Bug#853760: unblock: bzip2/1.0.6-8.1
has caused the Debian Bug report #853760,
regarding unblock: bzip2/1.0.6-8.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
853760: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853760
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: bzip2/1.0.6-8.1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 31 Jan 2017 17:42:06 +0100
Message-id: <[🔎] 148588092634.9436.9086806690925968982.reportbug@eldamar.local>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package bzip2

Ben Hutchings fixed #827744 (CVE-2016-3189) for bzip2 via a NMU to
unstable. Could you please unblock bzip2 to have the fix included in
stretch.

Changelog:

>bzip2 (1.0.6-8.1) unstable; urgency=medium
>
>  * Non-maintainer upload.
>  * bzip2recover: Fix potential use-after-free, Closes: #827744 (CVE-2016-3189)
>
> -- Ben Hutchings <ben@decadent.org.uk>  Sun, 29 Jan 2017 18:30:31 +0000

unblock bzip2/1.0.6-8.1

Attached is the debdiff against the version currently in testing.

Regards,
Salvatore

diff -Nru bzip2-1.0.6/debian/changelog bzip2-1.0.6/debian/changelog
--- bzip2-1.0.6/debian/changelog	2015-05-19 21:37:53.000000000 +0200
+++ bzip2-1.0.6/debian/changelog	2017-01-29 19:30:31.000000000 +0100
@@ -1,3 +1,10 @@
+bzip2 (1.0.6-8.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * bzip2recover: Fix potential use-after-free, Closes: #827744 (CVE-2016-3189)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sun, 29 Jan 2017 18:30:31 +0000
+
 bzip2 (1.0.6-8) unstable; urgency=medium
 
   * Remove Jorge Ernesto Guevara Cuenca from Uploaders, as agreed with him.
diff -Nru bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch
--- bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch	1970-01-01 01:00:00.000000000 +0100
+++ bzip2-1.0.6/debian/patches/bzip2recover-CVE-2016-3189.patch	2017-01-29 19:30:31.000000000 +0100
@@ -0,0 +1,17 @@
+Author: Jakub Martisko <jamartis@redhat.com>
+Date: Wed, 30 Mar 2016 10:22:27 +0200
+Description: bzip2recover: Fix potential use-after-free
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=edit
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-3189
+Bug-Debian: https://bugs.debian.org/827744
+
+--- a/bzip2recover.c
++++ b/bzip2recover.c
+@@ -472,6 +472,7 @@ Int32 main ( Int32 argc, Char** argv )
+             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+             bsPutUInt32 ( bsWr, blockCRC );
+             bsClose ( bsWr );
++            outFile = NULL;
+          }
+          if (wrBlock >= rbCtr) break;
+          wrBlock++;
diff -Nru bzip2-1.0.6/debian/patches/series bzip2-1.0.6/debian/patches/series
--- bzip2-1.0.6/debian/patches/series	2014-07-26 17:46:24.000000000 +0200
+++ bzip2-1.0.6/debian/patches/series	2017-01-29 19:30:31.000000000 +0100
@@ -1,3 +1,4 @@
 10-bzip2.1.patch
 20-legacy.patch
 30-bzip2-harden.patch
+bzip2recover-CVE-2016-3189.patch

--- End Message ---

--- Begin Message ---

To: Salvatore Bonaccorso <carnil@debian.org>, 853760-done@bugs.debian.org

Subject: Re: Bug#853760: unblock: bzip2/1.0.6-8.1

From: Niels Thykier <niels@thykier.net>

Date: Tue, 31 Jan 2017 20:29:00 +0000

Message-id: <df9a606f-9db4-282b-0b67-9f53c9e13666@thykier.net>

In-reply-to: <[🔎] 148588092634.9436.9086806690925968982.reportbug@eldamar.local>

References: <[🔎] 148588092634.9436.9086806690925968982.reportbug@eldamar.local>
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package bzip2
> 
> Ben Hutchings fixed #827744 (CVE-2016-3189) for bzip2 via a NMU to
> unstable. Could you please unblock bzip2 to have the fix included in
> stretch.
> 
> Changelog:
> 
>> bzip2 (1.0.6-8.1) unstable; urgency=medium
>>
>>  * Non-maintainer upload.
>>  * bzip2recover: Fix potential use-after-free, Closes: #827744 (CVE-2016-3189)
>>
>> -- Ben Hutchings <ben@decadent.org.uk>  Sun, 29 Jan 2017 18:30:31 +0000
> 
> unblock bzip2/1.0.6-8.1
> 
> Attached is the debdiff against the version currently in testing.
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels
--- End Message ---

Reply to:

References:
- Bug#853760: unblock: bzip2/1.0.6-8.1
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Processed: net-snmp will stay with 1.0 for stretch
Next by Date: Processed (with 1 error): ipmitool
Previous by thread: Bug#853760: unblock: bzip2/1.0.6-8.1
Next by thread: Re: [Pkg-nagios-devel] Bug#851585: icinga2-ido-mysql: fails to upgrade from 'jessie': mysql said: ERROR 1067 (42000) at line 10: Invalid default value for 'status_update_time'
Index(es):
- Date
- Thread