Bug#863562: jessie-pu: package libonig/5.9.5-3.2
Control: tags -1 + pending
On Wed, 2017-06-28 at 02:25 +0200, Cyril Brulebois wrote:
> Control: tag -1 confirmed
>
> Hi Jörg,
>
> Jörg Frings-Fürst <debian@jff-webhosting.net> (2017-05-28):
> > I have the release 5.9.5-3.2+deb8u1 with fixes for the CVEs:
> >
> > CVE-2017-9224
> > CVE-2017-9226
> > CVE-2017-9227
> > CVE-2017-9228
> > CVE-2017-9229
> >
> > ready. The debdiff is attached.
>
> It seems there was some kind of coordination with the security team,
> since I see “no-dsa” mentioned in the security tracker, but feel free
> to mention this upfront in your next pu requests.
>
> A few remarks:
> - patch -p1 was unhappy with the debian/patches/series update. :)
> - funny things, using square brackets in filenames.
>
> I suspect it would have been nice to have separate patches for each
> bug fix, in case someone needs to dig into one or another, but oh
> well, having them all lumped together isn't that bad.
>
> A few comments:
> > diff -Nru libonig-5.9.5/debian/changelog libonig-5.9.5/debian/changelog
> > --- libonig-5.9.5/debian/changelog 2014-12-28 12:11:12.000000000 +0100
> > +++ libonig-5.9.5/debian/changelog 2017-05-28 16:59:55.000000000 +0200
> > @@ -1,3 +1,15 @@
> > +libonig (5.9.5-3.2+deb8u1) stable; urgency=medium
>
> Please always use codenames, and target jessie instead.
>
> > + * New debian/patches/0500-CVE-2017-922[4-9].patch:
> > + - Cherrypicked from upstream to correct:
> > + + CVE-2017-9224 (Closes: #863312)
> > + + CVE-2017-9226 (Closes: #863314)
> > + + CVE-2017-9227 (Closes: #863315)
> > + + CVE-2017-9228 (Closes: #863316)
> > + + CVE-2017-9229 (Closes: #863318)
> > +
> > + -- Jörg Frings-Fürst <debian@jff-webhosting.net> Sun, 28 May 2017 16:59:55 +0200
>
> […]
>
> > --- libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch 1970-01-01 01:00:00.000000000 +0100
> > +++ libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch 2017-05-26 07:07:41.000000000 +0200
> > @@ -0,0 +1,121 @@
> > +Correct CVE-2017-922[4-9]
> > + Fix mutilple invalid pointer dereference, out-of-bounds write memory
> > + corruption and stack buffer overflow,
> > +Origin: Cheerypicked from upstream
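Review bot: the DEP-3 header of this new patch file, `+Origin: Cheerypicked from upstream`, names no upstream commit, so anyone later rebasing or auditing the fix cannot tell which upstream changes were taken for which CVE; DEP-3 expects `Origin: upstream, <commit URL>` (one per cherry-picked commit, or better one patch file per commit), and since the changelog closes five Debian bugs, a `Bug-Debian:` line for each would let the patch be traced back to them. The description in the header also ends with a comma where a full stop is meant.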
>
> (multiple & cherrypicked)
>
> With the target distribution (and maybe typos) fixed, feel free to
> upload; thanks.
Uploaded and flagged for acceptance.
Regards,
Adam