
Re: CVE-2010-3205 affects textpattern package



On Tue, May 21, 2013 at 10:16:25PM +0100, Steven Chamberlain wrote:
> On 21/05/13 22:09, Moritz Muehlenhoff wrote:
> > Thanks, I've updated the security tracker!
> 
> Okay, thank you!
> 
> I couldn't say for sure the exploit given the CVE is real, and there's
> very little interest in the package any more (orphaned, low popcon,
> removed);  but I thought it is better to mark it as affecting until
> someone can actually show otherwise.
> 
> I assume NOT-FOR-US was meant for things not packaged at all so was
> probably an oversight in this case.

Yes, that was certainly an oversight. Most people perform the check
whether a package is present via "apt-cache search foo" on a sid
system, and if the package has been culled from the archive, such mistakes
can happen.

Thanks for your diligence! If you plan to update further entries on
the tracker, just send patches. If you plan to work on it on an ongoing
basis, we can also provide you with write access.

Cheers,
        Moritz

