Bug#976423: buster-pu: package pngcheck/2.3.0-7
Hi David,
On Fri, Dec 04, 2020 at 05:22:03PM -0500, David da Silva Polverari wrote:
> Package: release.debian.org
> Severity: important
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> Hi,
>
> A global buffer overflow vulnerability was found by Red Hat on
> pngcheck-2.4.0 [1]. It was found and reported by the Debian Security
> Team that the vulnerability also affects the versions found on the
> Debian archive [2].
>
> The bug was already fixed on unstable [2]. I have prepared a revision
> for buster-security for pngcheck/2.3.0-7 with the backported changes
> from unstable. The proposed update builds correctly on a minimal
> up-to-date buster chroot.
>
> I didn't coordinate with the security team, as the vulnerability is
> marked "no-dsa" in the Debian Security Tracker [3].
>
> If the update is deemed correct, I can make it available on mentors, and
> open an RFS as I don't have uploading rights.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1902011
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976350
> [3] https://security-tracker.debian.org/tracker/CVE-2020-27818
>
> Regards,
> Polverari
> diff -Nru pngcheck-2.3.0/debian/changelog pngcheck-2.3.0/debian/changelog
> --- pngcheck-2.3.0/debian/changelog 2013-06-26 09:28:27.000000000 +0000
> +++ pngcheck-2.3.0/debian/changelog 2020-12-04 21:22:18.000000000 +0000
> @@ -1,3 +1,10 @@
> +pngcheck (2.3.0-7+deb10u1) buster-security; urgency=high
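Review bot: the distribution field in the new changelog stanza, `+pngcheck (2.3.0-7+deb10u1) buster-security; urgency=high`, targets buster-security, but an upload handled via buster-pu goes through the point release and has to carry `buster` as the distribution; the `2.3.0-7+deb10u1` version string itself is fine for that path. The hunk header `@@ -1,3 +1,10 @@` announces seven added lines, yet only this first one is quoted, so the rest of the entry (for instance whether it references CVE-2020-27818 and the bug number) cannot be checked from what is shown.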
For the update via the point release, the target distribution needs to
be set to 'buster' (vs. buster-security).
Regards,
Salvatore