On 2025-10-01, Daniel Leidert wrote: > [ Reason ] > > The CVEs CVE-2024-57254 to CVE-2024-57259 have been fixed in Sid, stable, LTS, > and ELTS. They have not yet been fixed in Bookworm. This upload intends to > close this gap. Thank you for working on this! > [ Checklist ] > [x] *all* changes are documented in the d/changelog There was an added gbp.conf file that is undocumented, and not used in the other Debian packaging branches, and I do not think it is appropriate to add it to the bookworm branches now. Please remove it. (and I guess re-upload if necessary?) > diff -Nru u-boot-2023.01+dfsg/debian/changelog u-boot-2023.01+dfsg/debian/changelog > --- u-boot-2023.01+dfsg/debian/changelog 2024-04-19 00:00:21.000000000 +0200 > +++ u-boot-2023.01+dfsg/debian/changelog 2025-10-01 02:06:28.000000000 +0200 
> @@ -1,3 +1,24 @@ > +u-boot (2023.01+dfsg-2+deb12u2) bookworm; urgency=medium > + > + * Non-maintainer upload by the Debian LTS team. > + * d/patches/CVE-2024-57254.patch: Add patch to fix CVE-2024-57254. > + - Fix an integer overflow in sqfs_inode_size (closes: 1098254). > + * d/patches/CVE-2024-57255.patch: Add patch to fix CVE-2024-57255. > + - Fix an integer overflow in sqfs_resolve_symlink (closes: #1098254). > + * d/patches/CVE-2024-57256.patch: Add patch to fix CVE-2024-57256. > + - Fix an integer overflow in ext4fs_read_symlink (closes: #1098254). > + * d/patches/CVE-2024-57257.patch: Add patch to fix CVE-2024-57257. > + - Fix a stack consumption issue in sqfs_size possible with deep symlink > + nesting (closes: #1098254). > + * d/patches/CVE-2024-57258-1.patch, d/patches/CVE-2024-57258-2.patch, > + d/patches/CVE-2024-57258-3.patch: Add patches to fx CVE-2024-57258. > + - Fix multiple integer overflows (closes: #1098254). > + * d/patches/CVE-2024-57259.patch: Add patch to fix CVE-2024-57259. > + - Fix an off-by-one error resulting in a heap memory corruption in > + sqfs_search_dir (closes: #1098254). > + > + -- Daniel Leidert <dleidert@debian.org> Wed, 01 Oct 2025 02:06:28 +0200 > + > u-boot (2023.01+dfsg-2+deb12u1) bookworm; urgency=medium > > * debian/patches: Apply fix from upstream for orion-timer, affecting > diff -Nru u-boot-2023.01+dfsg/debian/gbp.conf u-boot-2023.01+dfsg/debian/gbp.conf > --- u-boot-2023.01+dfsg/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 > +++ u-boot-2023.01+dfsg/debian/gbp.conf 2025-10-01 02:06:28.000000000 +0200 > @@ -0,0 +1,4 @@ > +[DEFAULT] > +debian-branch = debian/bookworm > +upstream-branch = upstream/bookworm > +pristine-tar = true The addition of gbp.conf is not documented in debian/changelog, and is not used in previous versions of u-boot packaging in bookworm, or other branches in Debian. Please remove it. live well, vagrant
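Review bot: the new changelog entry does not mention the debian/gbp.conf file that the same diff adds, so either drop that file from the upload or add a bullet for it to this entry. Two smaller nits in the same hunk: "Add patches to fx CVE-2024-57258" should read "fix", and the first bug reference is written "closes: 1098254" without the "#" that every other entry uses (dpkg's closes pattern tolerates the missing "#", but keep it consistent with the rest of the entry).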
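Review bot: the whole debian/gbp.conf hunk is packaging-repository configuration (debian-branch, upstream-branch, pristine-tar) that is unrelated to the CVE fixes this stable update is for and is not recorded in debian/changelog; drop the file from the upload so the bookworm branch stays in line with the other Debian packaging branches, which do not carry it.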