
Bug#1022860: bullseye-pu: package powerline-gitstatus/1.3.2-1+deb11u1



On Wed, Oct 26, 2022 at 11:05:05PM -0400, Jérôme Charaoui wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> I would like to upload powerline-gitstatus to stable to fix CVE-2022-42906.
> I have consulted with the security team and they suggested we make the fix
> available via the next point release.
> 
> [ Impact ]
> powerline-gitstatus/1.3.1 and earlier versions are susceptible to code
> execution via malicious repository. Note that the malicious repository must
> be obtained other than by "git clone".
> 
> [ Tests ]
> The package has no autopkgtests. It has been tested manually.
> 
> [ Risks ]
> The changeset between 1.3.1 and 1.3.2 is small. The risk is low that
> a new bug or security issue is introduced.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> The fix for CVE-2022-42906 is straightforward: it simply appends the
> argument "-C core.fsmonitor=" to the git command. Aside from that, a simple
> program option was added (untracked_not_dirty) and the README is updated.
> 
> [ Other info ]
> As I expect a positive response, I will be uploading the package shortly.
> 
> 
> -- Jerome

> diff -Nru powerline-gitstatus-1.3.1/debian/changelog powerline-gitstatus-1.3.2/debian/changelog
> --- powerline-gitstatus-1.3.1/debian/changelog	2020-07-08 16:17:05.000000000 -0400
> +++ powerline-gitstatus-1.3.2/debian/changelog	2022-10-26 22:54:03.000000000 -0400
> @@ -1,3 +1,10 @@
> +powerline-gitstatus (1.3.2-1+deb11u1) bullseye; urgency=medium
> +
> +  * New upstream version 1.3.2
> +    - Fix command injection via malicious repository config (CVE-2022-42906)
> +
> + -- Jérôme Charaoui <jerome@riseup.net>  Wed, 26 Oct 2022 22:54:03 -0400
> +
>  powerline-gitstatus (1.3.1-2) unstable; urgency=medium
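Review bot: the version on the first `+` line, 1.3.2-1+deb11u1, sorts above 1.3.2-1, the version this upstream release carries in unstable, so a bullseye system with this update installed would not move to the unstable/testing package on upgrade; use 1.3.2-0+deb11u1 if 1.3.2 is imported on top of the existing bullseye packaging, or 1.3.2-1~deb11u1 if this is a rebuild of the unstable upload, so that the stable version sorts below 1.3.2-1. The entry also records only the CVE fix, while the [ Changes ] section says 1.3.2 additionally adds the untracked_not_dirty option and README updates; listing those too would match the "all changes are documented in the d/changelog" checklist item.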

The former proposed update was to just cherry-pick the needed change,
hence the version number 1.3.1-2+deb11u1. But if you propose to import
1.3.2 instead, then you need to pick 1.3.2-1~deb11u1 or
1.3.2-0+deb11u1 here, to have it sorting before the version which hit
the archive as 1.3.2-1.

In fact, if you just import a new upstream version on top of the
current packaging then I would go for 1.3.2-0+deb11u1. If it is OTOH
merely a rebuild of the upper-suite version then 1.3.2-1~deb11u1.

In your case I think either of the two is perfectly reasonable.

Hope that helps,

Regards,
Salvatore
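The ordering Salvatore relies on is dpkg's version comparison (Debian Policy 5.6.12): `~` sorts before everything, including the end of a string, while `+` and other punctuation sort after letters and digits. The following is an added example, not code from this thread or from the powerline-gitstatus package: a Python reimplementation of that algorithm, so the candidate version strings can be checked offline without `dpkg --compare-versions`. The function names are my own.

```python
"""Debian version comparison, reimplemented from Debian Policy 5.6.12
(the algorithm behind `dpkg --compare-versions`).

Added example, not code from this thread or from the powerline-gitstatus
package; it lets you check offline, without dpkg, how candidate stable
update versions sort against 1.3.2-1 in unstable. Function names are mine.
"""
from functools import cmp_to_key


def _order(c: str) -> int:
    """Weight of one character in the non-digit (lexical) sub-comparison.

    '~' sorts before everything, even end of string; letters sort before
    other punctuation; digits and end of string weigh 0 so the caller can
    hand over to the numeric sub-comparison.
    """
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version fragment (upstream part or Debian revision)."""
    def at(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        # Phase 1: lexical run of non-digit characters.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Phase 2: numeric run, leading zeros stripped, longer run wins.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        first_diff = 0
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def split_version(version: str) -> tuple:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                       # no hyphen: the whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def sort_versions(versions) -> list:
    """Sort version strings lowest to highest."""
    return sorted(versions, key=cmp_to_key(compare_versions))


def upgrade_path_ok(stable: str, next_suite: str) -> bool:
    """True if a system on `stable` would move to `next_suite` on dist-upgrade."""
    return compare_versions(stable, next_suite) < 0


if __name__ == "__main__":
    # Constructed sample: the versions mentioned in the thread.
    for v in sort_versions(["1.3.2-1", "1.3.2-1+deb11u1", "1.3.2-0+deb11u1",
                            "1.3.2-1~deb11u1", "1.3.1-2", "1.3.1-2+deb11u1"]):
        print(v)
    for v in ("1.3.2-1+deb11u1", "1.3.2-0+deb11u1", "1.3.2-1~deb11u1"):
        print(v, "-> upgrades to 1.3.2-1:", upgrade_path_ok(v, "1.3.2-1"))
```

Running it prints the thread's candidates in dpkg order, 1.3.1-2, 1.3.1-2+deb11u1, 1.3.2-0+deb11u1, 1.3.2-1~deb11u1, 1.3.2-1, 1.3.2-1+deb11u1, which is exactly why the `+deb11u1` suffix on top of 1.3.2-1 blocks the upgrade path while `-0+deb11u1` and `-1~deb11u1` keep it open.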


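The `core.fsmonitor=` override described in the quoted request, shown in working form as an added example (not code from the bug report, the debdiff or the powerline-gitstatus project): git's per-invocation config override is `-c name=value`, and an empty value for core.fsmonitor disables the hook lookup, so a status call wrapped this way ignores whatever command a repository's own .git/config names. The repository, hook script, marker file and function names below are constructed for the demonstration; it needs a git binary and returns None without one.

```python
"""Added example, not code from the bug report or from powerline-gitstatus:
a git-status wrapper like the one a prompt segment runs, exercised against
a throwaway repository whose .git/config points core.fsmonitor at a hook
that leaves a marker file. Running status with and without the
`-c core.fsmonitor=` override shows which invocation executes code the
repository chose. Needs a git binary; demo() returns None without one.
All names here are my own.
"""
import os
import shlex
import shutil
import subprocess
import tempfile


def git_status_argv(repo: str, harden: bool) -> list:
    """argv for the status call a prompt tool would run inside `repo`.

    With harden=True, `-c core.fsmonitor=` (an empty value disables the
    feature) overrides the repository's own .git/config, so git never
    spawns whatever command that file names.
    """
    argv = ["git"]
    if harden:
        argv += ["-c", "core.fsmonitor="]
    return argv + ["-C", repo, "status", "--porcelain"]


def make_trapped_repo(base: str) -> tuple:
    """Build a repo whose config runs a hook on every index read.

    Returns (repo_path, marker_path). Constructed fixture: the hook only
    touches a marker file; a real one could run anything as the user.
    """
    repo = os.path.join(base, "repo")
    marker = os.path.join(base, "hook-ran")
    hook = os.path.join(base, "fsmonitor-hook.sh")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\ntouch %s\nprintf '/'\n" % shlex.quote(marker))
    subprocess.run(["git", "init", "-q", repo], check=True)
    with open(os.path.join(repo, "tracked.txt"), "w") as fh:
        fh.write("content\n")
    # Fill the index first, so only the later `status` calls can fire the hook.
    subprocess.run(["git", "-C", repo, "add", "tracked.txt"], check=True)
    # `sh <script>` rather than an executable file, so a noexec /tmp cannot mask the result.
    subprocess.run(["git", "-C", repo, "config", "core.fsmonitor", "sh " + shlex.quote(hook)],
                   check=True)
    return repo, marker


def hook_fired(repo: str, marker: str, harden: bool) -> bool:
    """Run git status (hardened or not) and report whether the hook ran."""
    if os.path.exists(marker):
        os.remove(marker)
    subprocess.run(git_status_argv(repo, harden), stdout=subprocess.DEVNULL,
                   stderr=subprocess.DEVNULL, timeout=60, check=False)
    return os.path.exists(marker)


def demo():
    """{'unhardened': True, 'hardened': False} with a working git, else None."""
    if shutil.which("git") is None:
        return None
    try:
        with tempfile.TemporaryDirectory() as base:
            repo, marker = make_trapped_repo(base)
            return {"unhardened": hook_fired(repo, marker, harden=False),
                    "hardened": hook_fired(repo, marker, harden=True)}
    except (OSError, subprocess.SubprocessError):
        return None


if __name__ == "__main__":
    print(demo())
```

The point of the fixture is the ordering: the index is populated before core.fsmonitor is armed, so the marker can only come from the status calls, and the unhardened call creates it while the hardened one does not. The override is the whole fix; nothing in the repository needs to be trusted for the prompt segment to run safely.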