Bug#1064293: less: CVE-2022-48624

2024-04-22 Thread Salvatore Bonaccorso
Hi,

On Sat, Apr 20, 2024 at 07:54:13AM -0400, P. J. McDermott wrote:
> On 2024-04-19 at 15:55, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > FWIW, I'm actually preparing a security update for the two CVEs and
> > for bookworm I was first planning to do a 590-2.1 reaching unstable,
> > and so then

Bug#1064293: less: CVE-2022-48624

2024-04-20 Thread P. J. McDermott
On 2024-04-20 at 16:19, Christoph Anton Mitterer wrote:
> On Sat, 2024-04-20 at 07:54 -0400, P. J. McDermott wrote:
> > Then the salvage procedure can play out for the full 28+ days specified
> > by developers-reference (21 days to allow the maintainer to object
> > followed by a DELAYED/7

Bug#1064293: less: CVE-2022-48624

2024-04-20 Thread Christoph Anton Mitterer
On Sat, 2024-04-20 at 07:54 -0400, P. J. McDermott wrote:
> Then the salvage procedure can play out for the full 28+ days specified
> by developers-reference (21 days to allow the maintainer to object
> followed by a DELAYED/7 adoption upload).  I've already soft-proposed to
> salvage in bug

Bug#1064293: less: CVE-2022-48624

2024-04-20 Thread P. J. McDermott
On 2024-04-19 at 15:55, Salvatore Bonaccorso wrote:
> Hi,
>
> FWIW, I'm actually preparing a security update for the two CVEs and
> for bookworm I was first planning to do a 590-2.1 reaching unstable,
> and so then 590-2.1~deb12u1 for bookworm.
>
> But if you want to override it with a NMU and

Bug#1064293: less: CVE-2022-48624

2024-04-19 Thread Salvatore Bonaccorso
Hi,

FWIW, I'm actually preparing a security update for the two CVEs and for bookworm I was first planning to do a 590-2.1 reaching unstable, and so then 590-2.1~deb12u1 for bookworm.

But if you want to override it with a NMU and proposing to salvage the package this is equally fine.

Regards,

Bug#1064293: less: CVE-2022-48624

2024-04-19 Thread P. J. McDermott
On 2024-04-12 at 16:10, Christoph Anton Mitterer wrote:
> Hey.
>
> There seems to be a somewhat similar issue reported by Jakub Wilk on
> oss-security:
> https://www.openwall.com/lists/oss-security/2024/04/12/5
>
> where quoting causes troubles (though I couldn't replay the demo).

That was

Bug#1064293: less: CVE-2022-48624

2024-04-12 Thread Christoph Anton Mitterer
Hey.

There seems to be a somewhat similar issue reported by Jakub Wilk on oss-security:
https://www.openwall.com/lists/oss-security/2024/04/12/5

where quoting causes troubles (though I couldn't replay the demo).

Any chance to get both fixed in Debian unstable?

Cheers,
Chris.

Bug#1064293: less: CVE-2022-48624

2024-02-19 Thread Salvatore Bonaccorso
Source: less
Version: 590-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for less.

CVE-2022-48624[0]:
| close_altfile in filename.c in less before 606 omits shell_quote
| calls for LESSCLOSE.
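The bug class the CVE text names (a file name pasted into the LESSCLOSE command line without shell quoting, so shell metacharacters in the name reach the shell) as an added C illustration. This is not code from this thread or from less's own filename.c: the function names build_lessclose_unquoted / build_lessclose_quoted, the single-quote style of this shell_quote, the metacharacter counter and the sample file name are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap s in single quotes, rewriting each embedded single quote as '\''.
 * Generic POSIX-shell quoting written for this example (an assumption;
 * not less's own shell_quote). Returns a malloc'd string the caller frees. */
char *shell_quote(const char *s)
{
    size_t n = strlen(s), extra = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'')
            extra += 3;                 /* one ' becomes the four chars '\'' */
    char *out = malloc(n + extra + 3);  /* two surrounding quotes + NUL */
    if (out == NULL)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Vulnerable shape described by the CVE: the LESSCLOSE command, the
 * original file name and the alternate file name are concatenated
 * verbatim into one command line destined for the shell. */
char *build_lessclose_unquoted(const char *lessclose, const char *filename,
                               const char *altfilename)
{
    size_t len = strlen(lessclose) + strlen(filename) + strlen(altfilename) + 3;
    char *cmd = malloc(len);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, len, "%s %s %s", lessclose, filename, altfilename);
    return cmd;
}

/* Fixed shape: both file names pass through shell_quote before they are
 * concatenated, so whatever they contain is argument text, not syntax. */
char *build_lessclose_quoted(const char *lessclose, const char *filename,
                             const char *altfilename)
{
    char *qf = shell_quote(filename);
    char *qa = shell_quote(altfilename);
    char *cmd = NULL;
    if (qf != NULL && qa != NULL)
        cmd = build_lessclose_unquoted(lessclose, qf, qa);
    free(qf);
    free(qa);
    return cmd;
}

/* Count shell metacharacters that sit outside single quotes in cmd, i.e.
 * bytes a POSIX shell would interpret rather than pass through as argument
 * text. A result of 0 means every file-name byte is inert. */
int count_unquoted_metachars(const char *cmd)
{
    int in_squote = 0, count = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'') {
            in_squote = !in_squote;
            continue;
        }
        if (!in_squote && strchr(";|&$`()<>", *p) != NULL)
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a file name carrying a command separator. */
    const char *name = "notes.txt;echo injected";
    char *bad = build_lessclose_unquoted("lessclose.sh", name, "/tmp/lessXYZ");
    char *good = build_lessclose_quoted("lessclose.sh", name, "/tmp/lessXYZ");
    printf("unquoted: %s\n  metachars outside quotes: %d\n",
           bad, count_unquoted_metachars(bad));
    printf("quoted:   %s\n  metachars outside quotes: %d\n",
           good, count_unquoted_metachars(good));
    free(bad);
    free(good);
    return 0;
}
```

The counter never runs a shell; it only shows which bytes of the assembled command line would be parsed as syntax. In the unquoted form the `;` in the file name splits the command, in the quoted form it is carried inside the argument, which is the whole difference the shell_quote calls make.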