Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: dpkg@packages.debian.org
Control: affects -1 + src:dpkg

Hi!

Please pre-approve the dpkg 1.21.22 upload.

[ Reason ]

I got a report for a segfault privately (as the reporter was unsure whether this constituted a security issue, which IMO it does not), which is rather easy to trigger for packages that are known to dpkg, but are not installed, such as virtual packages or references from Recommends or Suggests.

I've also cherry picked a translation addition that was already in git HEAD (targeting 1.22.x).

[ Impact ]

An easy to trigger segfault, which also affects dpkg 1.20.x (for which I'll be preparing a stable release request).

[ Tests ]

The test suite has been updated to cover this case. And it's also easy to reproduce with dpkg-query, for example on a minimal chroot, with:

  $ dpkg-query -f '${source:Upstream-Version}\n' -W firefox-esr
  Segmentation fault (core dumped)

[ Risks ]

The fix is trivial, so the risk seems low to me.

[ Checklist ]

  [√] all changes are documented in the d/changelog
  [√] I reviewed all changes and I approve them
  [√] attach debdiff against the package in testing

[ Other info ]

(I had in mind also including an addition for the riscv32 port, but given that there's no consensus among the porters about its ABI or even its mere existence, and time is running out, I'll postpone that, and might include it instead in a future stable release if necessary.)

Attached the unfiltered debdiff, you might want to filterdiff with:

  xzcat dpkg-1.21.21-1.21.22.debdiff.xz |
    filterdiff --exclude '*.po' --exclude '*.pot' \
               --exclude '*/man/*/*.pod' \
               --exclude '*/testsuite' --exclude '*/at/*.m4' \
               --exclude '*/configure'

unblock dpkg/1.21.22

Thanks,
Guillem

Attachment:
dpkg-1.21.21-1.21.22.debdiff.xz
Description: application/xz