
Re: Wrong fixed version for cairo and CVE-2009-2044?



On Mon, 19 Apr 2010 15:46:38 +0200, Alexander Reichle-Schmehl wrote:
> [ BCCing cairo maintainers, if they would like to comment ]
> 
> Hi!
> 
> I'm maintaining the cairo backports, and according to the security 
> tracker [0], the current backport (from 1.8.8-2) should be affected by 
> CVE-2009-2044.  I checked the patches linked from [2], and it seems to 
> me, the bug is already fixed in the backported version 1.8.8-2.
> 
> The security tracker currently lists 1.8.10-3 as the package fixing that 
> version, however that package revision doesn't mention anything like 
> that in the changelog; it mostly introduced udebs at that point. (Or 
> maybe that version was taken, as it was the first upload to unstable?)
> 
> So could it be that the security tracker is wrong?

Yes, that's a possibility.  I only checked back to 1.8.10-3 since that
was the squeeze version.  I usually only check the officially supported
releases (stable, testing, and kind of unstable), so if you've found
the problem fixed in backports, we can update the tracker, but that
won't normally be checked (unless backports support becomes official).

mike

