Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
- To: Roberto C. Sánchez <firstname.lastname@example.org>
- Cc: email@example.com, firstname.lastname@example.org, Debian Security Team <email@example.com>, firstname.lastname@example.org, email@example.com
- Subject: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
- From: Salvatore Bonaccorso <firstname.lastname@example.org>
- Date: Sun, 30 Dec 2018 09:38:57 +0100
- Message-id: <[🔎] 20181230083857.GA14157@eldamar.local>
- Mail-followup-to: Roberto C. Sánchez <email@example.com>, firstname.lastname@example.org, email@example.com, Debian Security Team <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org
- In-reply-to: <[🔎] email@example.com>
- References: <[🔎] firstname.lastname@example.org> <[🔎] email@example.com>
On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote:
> On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
> > [note: I am not subscribed to debian-security; please keep me or
> > debian-lts addressed on replies]
> > If this seems like a sensible approach, I propose to apply the attached
> > patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid version)
> > to create version 8:2007f~dfsg-6 for upload to sid and eventual
> > inclusion in stretch (perhaps via a point release) and then also in
> > parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to jessie.
> > Please reply with your comments. In particular, feedback from the
> > security team on the appropriateness of this for a stable point release
> > and my suggested route for the update to take to get there would be very
> > useful.
> Hi all,
> Since Tomas and Ola have reviewed the patch and we have had some
> discussion which makes it seem like this is the most sensible approach
> to the vulnerability given the constraints, I wonder if the Security
> team could weigh in.
> I have forwarded my initial message and the patch to Magnus Holngren
> (the uw-imap maintainer) and also added him as a recipient of this
> message, as he may wish to be the one to upload to unstable and
> coordinate the future point release inclusion.
> I ask for some indication now from the security team and/or the
> maintainer since I don't think it makes sense to fix this only in jessie
> and not in stretch/buster/sid.
There is an alternative approach wich was raised by Magnus in the
respective bug: https://bugs.debian.org/914632#12 (and see followup