
Re: If some package have serious bug and fixed on unstable and testing release, how long it will be available on stable release?

On Sat 30 Jan 2021 at 05:27:30 (+0000), Robbi Nespu wrote:
> On Fri, 29 Jan 2021 10:58:06 -0600, David Wright wrote:
> > https://security-tracker.debian.org/tracker/CVE-2021-3156
> > is a timely example of how Debian deals with such problems.
> > Note in particular the line
> > 
> >  stretch (security) 1.8.19p1-2.1+deb9u3 fixed
> > 
> > showing that stretch's version gets a fix, not an upgrade.
> 
> How can you confirm that 1.8.19p1-2.1+deb9u3 fixes CVE-2021-3156?

The changelog, /usr/share/doc/sudo/changelog.Debian.gz, starts with:

  sudo (1.8.19p1-2.1+deb9u3) stretch-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * Heap-based buffer overflow (CVE-2021-3156)
      - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
      - Add sudoedit flag checks in plugin that are consistent with front-end
      - Fix potential buffer overflow when unescaping backslashes in user_args
      - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
      - Don't assume that argv is allocated as a single flat buffer

   -- Salvatore Bonaccorso <[…]>  Sat, 23 Jan 2021 10:10:33 +0100

> I could not see the source code for that version here[1]; I can only find
> 1.8.19p1-2.1+deb9u2. Are the source repositories for security releases
> separate?

Yes, the sources are for the current distribution, buster. As for
binaries, deb.debian.org/debian will carry the latest point release.
You need to make sure you have security.debian.org/debian-security
in your sources.list so that you receive all the security updates.

The new source is not normally available as such, but as a cumulative
set of patches. So that would be sudo_1.8.19p1-2.1+deb9u3.debian.tar.xz
for stretch.

It can sometimes be confusing for those not used to the Debian Way,
who might judge the security of a package from only the upstream
version number (i.e. the part before the hyphen).

> 1. https://sources.debian.org/src/sudo/

Cheers,
David.
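The check David describes above (read the topmost entry of the package's Debian changelog and see whether the CVE is named there) can be scripted. The following is an added example, not code from the thread or from Debian: it extracts the first changelog stanza with awk and tests it for a given CVE id. The changelog text embedded below is constructed for the demonstration and mirrors the stretch sudo entry quoted above, with a placeholder maintainer address.

```shell
#!/bin/sh
# Added example: confirm that the topmost Debian changelog entry (the one
# belonging to the installed version) mentions a given CVE id.
# The changelog below is constructed for this demonstration.

# Print the first changelog stanza: from the first "pkg (version) dist;"
# header line up to and including its " -- maintainer  date" trailer.
first_stanza() {
    awk '
        /^[a-z0-9][a-z0-9.+-]* \(/ && !started { started = 1 }
        started { print }
        started && /^ -- / { exit }
    ' "$1"
}

# Version string of the topmost entry, e.g. 1.8.19p1-2.1+deb9u3
top_version() {
    first_stanza "$1" | sed -n '1s/^[^(]*(\([^)]*\)).*/\1/p'
}

# Exit 0 if the topmost entry references the CVE id given as $2, 1 otherwise.
changelog_fixes_cve() {
    first_stanza "$1" | grep -qF "$2"
}

# Constructed changelog file (two stanzas; only the newest names the CVE).
CHANGELOG=$(mktemp)
cat > "$CHANGELOG" <<'EOF'
sudo (1.8.19p1-2.1+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit

 -- Salvatore Bonaccorso <maintainer@example.invalid>  Sat, 23 Jan 2021 10:10:33 +0100

sudo (1.8.19p1-2.1+deb9u2) stretch-security; urgency=high

  * Older constructed entry that does not mention the CVE of interest.

 -- Salvatore Bonaccorso <maintainer@example.invalid>  Mon, 14 Oct 2019 10:00:00 +0200
EOF

echo "Topmost entry is version: $(top_version "$CHANGELOG")"
if changelog_fixes_cve "$CHANGELOG" CVE-2021-3156; then
    echo "CVE-2021-3156 is addressed in the topmost entry"
else
    echo "CVE-2021-3156 not found in the topmost entry"
fi
```

On a real system the changelog is gzipped, so decompress it first (for example `zcat /usr/share/doc/sudo/changelog.Debian.gz > /tmp/sudo.changelog`) and pass that file to the functions. Only the first stanza is examined on purpose: an older entry mentioning a CVE says nothing about whether the version you are running carries that fix.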
