Re: Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities
Hi Johan,
On 13-11-15 11:46, Sebastiaan Couwenberg wrote:
> On 13-11-15 06:45, Salvatore Bonaccorso wrote:
>> On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg
>> wrote:
>>> Dear Security Team,
>>>
>>> The patch to fix multiple vulnerabilities identified by
>>> American Fuzzy Lop reported in #781228 caused a regression as
>>> reported in the GDAL issue tracker:
>>>
>>> https://trac.osgeo.org/gdal/ticket/6200
>>>
>>> The change to fix this regression was included in freexl
>>> (1.0.1-1~exp1), but not in the security updates for jessie
>>> (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
>>>
>>> I've prepared updates to fix this regression for jessie &
>>> wheezy, see the attached debdiffs.
>>>
>>> Are these regression fixes appropriate for upload to
>>> {wheezy,jessie}-security or should they be uploaded to
>>> proposed-updates instead?
>>
>> Since the regression was introduced via a DSA, we might address
>> this regression through a follow-up DSA:
>>
>> s/UNRELEASED/wheezy-security/ and urgency=high set or
>> respectively jessie-security for the second one.
>>
>> With the above changes please go ahead with your upload to
>> security-master.
>>
>> Thanks for your work and pinging us about the regression.
>
> Thanks for the quick feedback,
>
> I've set the distribution and urgency as appropriate for security
> uploads and uploaded both to security-master.
We also need this regression fix uploaded for Ubuntu trusty & vivid.
Shall I also do those, or can you take care of the uploads for Ubuntu?
Please note that besides afl-vulnerabilitities-regression.patch we may
also want to include 32bit-multiplication-overflow.patch in the
update, this issue hasn't been fixed in Ubuntu yet.
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1