On Fri, Jun 17, 2016 at 06:37:03AM +0100, Adam D. Barratt wrote:
> On Fri, 2016-06-17 at 05:00 +0200, Andreas Bombe wrote:
> > On Mon, Jun 13, 2016 at 09:26:52AM +0200, Petter Reinholdtsen wrote:
> [...]
> > > <URL: https://security-tracker.debian.org/tracker/CVE-2016-4804 >.
> > > 
> > > The issues were fixed in Wheezy by the LTS team (DLA-474-1) and are also
> > > fixed in unstable.  I would like to get it fixed in stable too, to get
> > > it out of my debsecan list.
> > > 
> > > The attached patch is based on the patches in wheezy, and should solve
> > > the problems.
> > > 
> > > Is it OK to upload the fix for stable?
> > 
> > Yes, please go ahead after taking into account the remark below. Thank
> > you.
> 
> Note that Andreas is not a member of the release team.

Whoops, my misunderstanding of the context, sorry.


On Fri, Jun 17, 2016 at 11:28:04AM +0200, Petter Reinholdtsen wrote:
> [Petter Reinholdtsen]
> > I will.  But the comment below seems to indicate that the update in
> > Wheezy was incomplete?
> 
> Looking at the code, I am quite sure the Wheezy fix missed the change in
> <URL: https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7 >.
> Who should be notified about this?

I didn't look closely when the wheezy update was uploaded, so it looks
like it missed it.

For reference, this is the original report including a test file:
https://github.com/dosfstools/dosfstools/issues/12

The problem is fixed if fsck'ing that file under valgrind shows no
valgrind memory errors. Crashing without valgrind is not guaranteed.


Also, I wonder if the fix for https://github.com/dosfstools/dosfstools/issues/11
(which is 2aad1c83c) shouldn't also be included while we're at it. It
has no CVE; the out-of-bounds memory access itself isn't all that bad,
but it might create improper date values.

https://github.com/dosfstools/dosfstools/commit/2aad1c83c7d010de36afbe79c9fde22c50aa2f74


Andreas
