
Re: Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities




Hi Johan,

On 13-11-15 11:46, Sebastiaan Couwenberg wrote:
> On 13-11-15 06:45, Salvatore Bonaccorso wrote:
>> On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg 
>> wrote:
>>> Dear Security Team,
>>> 
>>> The patch to fix multiple vulnerabilities identified by
>>> American Fuzzy Lop reported in #781228 caused a regression as
>>> reported in the GDAL issue tracker:
>>> 
>>> https://trac.osgeo.org/gdal/ticket/6200
>>> 
>>> The change to fix this regression was included in freexl 
>>> (1.0.1-1~exp1), but not in the security updates for jessie 
>>> (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
>>> 
>>> I've prepared updates to fix this regression for jessie &
>>> wheezy, see the attached debdiffs.
>>> 
>>> Are these regression fixes appropriate for upload to 
>>> {wheezy,jessie}-security or should they be uploaded to 
>>> proposed-updates instead?
>> 
>> Since the regression was introduced via a DSA, we might address 
>> this regression through a follow-up DSA:
>> 
>> s/UNRELEASED/wheezy-security/ and urgency=high set or
>> respectively jessie-security for the second one.
>> 
>> With the above changes please go ahead with your upload to 
>> security-master.
>> 
>> Thanks for your work and pinging us about the regression.
> 
> Thanks for the quick feedback,
> 
> I've set the distribution and urgency as appropriate for security 
> uploads and uploaded both to security-master.

We also need this regression fix uploaded for Ubuntu trusty & vivid.

Shall I also do those, or can you take care of the uploads for Ubuntu?

Please note that besides afl-vulnerabilitities-regression.patch we may
also want to include 32bit-multiplication-overflow.patch in the
update; this issue hasn't been fixed in Ubuntu yet.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

