
Re: CVE-2007-4571 should not show up in the unstable latently vulnerable packages list



> I'm a bit confused by this issue. Do we really ship two versions of the
> ALSA code in sid?

it looks like part of the alsa driver code is in the kernel and
another part is external (in the alsa-driver package).

the DSA [1] seems to indicate that there was some kind of modification
to the alsa-driver 1.0.15-1 package that fixes the issue (although the
upstream changelog.ALSA does not state this in any of the logs between
1.0.13 and 1.0.15).

curious as to whether the issue was fixed, i looked through the
1.0.16-1 source code and compared it to the DSA-1505-1 patch for etch
[2].  it looks to me like the patch is indeed applied.  i suggest
verifying with upstream that they agree that this has correctly been
done.  then the issue can be marked as fixed in sid.

thanks.

[1] http://www.debian.org/security/2008/dsa-1505
[2] http://security.debian.org/pool/updates/main/a/alsa-driver/alsa-driver_1.0.13-5etch1.diff.gz

