Bug#861535: marked as done (unblock: file/1:5.30-1 (was: Seeking pre-approval to upload new file upstream version for stretch))



Your message dated Sun, 07 May 2017 12:31:00 +0000
with message-id <190a5ce3-bf97-2fd3-2270-f02201cfd6ec@thykier.net>
and subject line Re: Bug#861535: unblock: file/1:5.30-1
has caused the Debian Bug report #861535,
regarding unblock: file/1:5.30-1 (was: Seeking pre-approval to upload new file upstream version for stretch)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861535: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861535
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Hello,

please unblock file 1:5.30-1 I've uploaded to unstable.

Short version:

This upload

* fixes several issues in 1:5.29-3, including an assertion failure
  triggerable from certain files,
* includes more than twenty(!) commits from the upstream git since the
  5.30 release that, by their description, seem prudent to include
  security-wise, and
* otherwise tries hard to not change the detection of files.


A bit longer:

There are a few issues in the stretch version of file (1:5.29-3) that
in my opinion make it unfit for release. The most important one is an
easily triggerable crash (assertion failure) I found a while ago,
upstream was alerted in private. This issue was introduced in version
1:5.29-1 and is not public yet, at least not from my side.

The delta between 1:5.29-3 and upstream's 5.30 release is pretty small:
These are bug fixes like for the one mentioned above, several changes
that seem to address issues, some documentation and/or not affecting the
execution. There are two changes that introduce new features, I've
reverted them to reduce the impact (also, they looked somewhat fishy).
Initially, forwarding to 5.30 promised a smaller and better arranged
debian/patches/.

Since upstream's 5.30 release however, there have been a lot of commits
that address more issues, usually they contain a remark "oss-fuzz", so
apparently somebody has spent quite some time searching for flawed
code. One commit contains a remark "Although I can't reproduce it"
which implies at least some of the other commits fix an exploitable
issue. So I decided to cherry-pick *all* of them plus prerequisites in
the hope this will avoid some security uploads during the stretch life
cycle. They all can be found in debian/patches/, one patch per commit.


As with every upload of file, I ran a test on a huge collection of
files in order to detect unexpected changes. I have to admit there are
some minor ones: For some files not all the gory details are shown any
longer, basic detection still works. These were introduced by the
changes that should fix issues in the code.

Additional details, like discussion of every single change between
1:5.29-3 and 1:5.30-1, are available upon request.

Regards,

    Christoph


--- End Message ---
--- Begin Message ---
Christoph Biedl:
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Severity: normal
> 
> Hello,
> 
> please unblock file 1:5.30-1 I've uploaded to unstable.
> 
> Short version:
> 
> This upload
> 
> * fixes several issues in 1:5.29-3, including an assertion failure
>   triggerable from certain files,
> * includes more than twenty(!) commits from the upstream git since the
>   5.30 release that, by their description, seem prudent to include
>   security-wise, and
> * otherwise tries hard to not change the detection of files.
> 
> 
> [...]
> 
> Regards,
> 
>     Christoph
> 

Unblocked, thanks.

~Niels

--- End Message ---