Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
On Thu, Feb 28, 2019 at 11:05:37PM +0100, Salvatore Bonaccorso wrote:
> Colin, but please double check if this is enough. A server which sends
> an additional malicious file is blocked by that (and the patch is not
> following git-dpm workflow as I'm unfamiliar with it).

Cherry-picked as follows, given an up-to-date upstream remote:

  $ git-dpm checkout-patched
  Switched to a new branch 'patched'
  You are now in branch 'patched'
  $ git cherry-pick 3d896c157c722bc47adca51a58dca859225b5874
  error: could not apply 3d896c157... upstream: when checking that filenames sent by the server side
  hint: after resolving the conflicts, mark the corrected paths
  hint: with 'git add <paths>' or 'git rm <paths>'
  hint: and commit the result with 'git commit'
  [... resolve conflicts in scp.c ...]
  $ git add scp.c
  $ git cherry-pick --continue
  [... in the above, edit the commit message to add DEP-3 headers ...]
  $ git-dpm update-patches
  $ dch
  [... add changelog entry ...]
  $ git commit --amend
  [... amends git-dpm's merge commit to include changelog entry ...]

(You can combine the last three steps using "git-dpm dch". I do it this
way because I normally prefer to edit debian/changelog using my normal
editor.)

And yes, it looks OK - I'll upload it to unstable shortly.

Thanks,

--
Colin Watson [cjwatson@debian.org]