Hi Tom,

On Tue, Apr 25, 2017 at 12:12:11AM -0700, Tom Lee wrote:
> Salvatore,
> 
> Assuming you raised this on behalf of the security team (and per
> https://www.debian.org/intro/organization#security I'm assuming you are):
> 
> For a moment I thought it might be worth applying upstream's patch as a
> precaution & requesting an unblock, but it really seems like it's just a
> band-aid for specific instances of the potential bad behavior rather than
> a full-throated fix.
> 
> Per their info from the CVE:
> 
> > This change has been shown to fix the problem in practice. However, this
> > quick fix does not technically avoid undefined behavior, as the code still
> > computes pointers that point to invalid locations before they are checked.
> > A technically-correct solution has been implemented in the next
> > commit, 2ca8e41140ebc618b8fb314b393b0a507568cf21. However, as this required
> > more extensive refactoring, it is not appropriate for cherry-picking, and
> > will only land in versions 0.6 and up.
> >
> Given that, the fact there doesn't seem to be any evidence of the
> practical aspects of the CVE outside of the Apple ecosystem and the fact
> we're in the middle of a freeze, I think I'm going to defer any changes
> directed at a "fix" until after the freeze lifts. Does that work for you?
> 
> Lastly: I'll work with my sponsor to get the 0.5.3.1-1 release uploaded as
> soon as I can once the freeze does lift, but should we perhaps leave this
> bug open until we see 0.6+ roll down from upstream with the
> "technically-correct" solution?

I completely agree with you on that! Just to make clear: I just raised
this to the BTS to have it tracked outside of the security-tracker and
be able to record the fix once it enters unstable at some point with
0.6+.

Regards and thanks a lot for your work!
Salvatore