On 2021-12-05 21:30:14, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: carnil@debian.org,anarcat@debian.org
>
> Hi SRM,
>
> isync in bullseye is affected by CVE-2021-3657[1]. Upstream is
> providing as well explicit patches for the 1.3.x series. That said, I
> could not explicitly test the package for the CVE in question.
>
> But I'm X-Debbugs-CC'ing Antoine who might additionally be able to
> expose the package for bullseye to some real situation testing.
Hi!
So unfortunately I don't have a reproducer for CVE-2021-3657. I was able
to trigger CVE-2021-3657 (#999804) with 1.4+, but I didn't have crashes
when running 1.3 in bullseye.
I did test a build of 1.3.0-2.2+deb11u1 based on carnil's debdiff, and
it compiles fine, which is a good start. :)
It also seems to sync correctly: I'm testing a full sync now which
should complete within an hour. So far so good.
a.
--
Rock journalism is people who can't write, interviewing people who can't
talk, in order to provide articles for people who can't read.
- Frank Zappa