
Bug#1021130: bullseye-pu: package tinyexr/1.0.1+dfsg-1+deb11u1



On Fri, 2022-10-14 at 13:58 +0200, Timo Röhling wrote:
> * Adam D. Barratt <adam@adam-barratt.org.uk> [2022-10-14 12:53]:
> > On Fri, 2022-10-14 at 11:53 +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On Sun, 2022-10-02 at 19:38 +0200, Timo Röhling wrote:
> > > > The update fixes two vulnerabilities with low priority, i.e.
> > > > the security team has decided not to issue a DSA.
> > > > 
> > > > [ Impact ]
> > > > CVE-2022-34300: Heap overflow in DecodePixelData
> > > > CVE-2022-38529: Heap overflow in rleUncompress
> > > > 
> > > 
> > > +  * Fix low-priority vulnerabilities
> > > 
> > > I'm not sure I'd use that wording in a changelog personally - more
> > > likely just "fix security issues" or "backport fixes" or similar - but
> > > it's up to you.
> > 
> > Hmmm. The debdiff you've uploaded is rather larger than I was
> > expecting, or was proposed.
> > 
> > That appears to be (which I should have spotted earlier) because stable
> > has 1.0.0+dfsg-1 and your upload is based on 1.0.*1*+dfsg-1.
> Is there something we can do about this?
> Should I prepare a new upload with 1.0.1+really1.0.0, for instance?

There's a holding queue in front of proposed-updates, so the upload
isn't in the archive yet.

Assuming the diff would be similar to that initially proposed, you can
simply prepare and upload 1.0.0+dfsg-1+deb11u1 and we can sort things
out from there.

Regards,

Adam
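The versioning question in this exchange (why the update must be based on the 1.0.0+dfsg-1 that is in stable, and what a "+really" version would have bought if the 1.0.1-based upload had already landed) comes down to how dpkg orders version strings. The following is an added example, not code from the thread, from dpkg or from the tinyexr package: a Python re-implementation of the comparison algorithm described in deb-version(7), applied to the version strings mentioned above. The "1.0.1+really1.0.0+dfsg-1" string is the hypothetical from Timo's question and was never uploaded.

```python
"""Debian version ordering, re-implemented from deb-version(7).

Added example: not part of the thread and not dpkg's own code. The version
strings are the ones discussed above; the "+really" one is hypothetical.
"""
from functools import cmp_to_key

DIGITS = "0123456789"


def _at(s: str, k: int) -> str:
    """Character k of s, or "" once past the end."""
    return s[k] if k < len(s) else ""


def _isdigit(c: str) -> bool:
    return c != "" and c in DIGITS


def _order(c: str) -> int:
    """Weight of one non-digit character: '~' sorts before everything,
    even before the end of the string; letters sort before other symbols."""
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or revision pair: alternate non-digit
    runs (char by char via _order) and digit runs (numerically, ignoring
    leading zeros). Negative: a < b; zero: equal; positive: a > b."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run.
        while (_at(a, i) != "" and not _isdigit(_at(a, i))) or \
              (_at(b, j) != "" and not _isdigit(_at(b, j))):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare digit by digit.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _isdigit(_at(a, i)) and _isdigit(_at(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _isdigit(_at(a, i)):
            return 1       # a has more digits left, so its number is larger
        if _isdigit(_at(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split [epoch:]upstream[-revision] into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                      # no revision at all
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg --compare-versions semantics, returning -1, 0 or 1."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def sorted_versions(versions):
    """Return the versions in ascending dpkg order."""
    return sorted(versions, key=cmp_to_key(compare_versions))


THREAD_VERSIONS = [
    "1.0.1+really1.0.0+dfsg-1",  # hypothetical, from the question above
    "1.0.1+dfsg-1+deb11u1",      # the upload that was too large
    "1.0.0+dfsg-1",              # what bullseye actually has
    "1.0.0+dfsg-1+deb11u1",      # the upload Adam suggests instead
]

if __name__ == "__main__":
    for v in sorted_versions(THREAD_VERSIONS):
        print(v)
```

Sorting the four strings shows the two facts that drive the exchange: 1.0.0+dfsg-1+deb11u1 sorts above the bullseye version but below anything 1.0.1-based, so it is the correct stable update; and a "+really1.0.0" string sorts above both 1.0.1+dfsg-1 and 1.0.1+dfsg-1+deb11u1 (because "really" compares after "dfsg"), which is why that convention would only be needed if the larger upload had already been accepted into the archive.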
