Control: tags -1 + pending On Wed, 2017-06-28 at 02:25 +0200, Cyril Brulebois wrote: > Control: tag -1 confirmed > > Hi Jörg, > > Jörg Frings-Fürst <deb...@jff-webhosting.net> (2017-05-28): > > I have the release 5.9.5-3.2+deb8u1 with fixes for the CVE's: > > > > CVE-2017-9224 > > CVE-2017-9226 > > CVE-2017-9227 > > CVE-2017-9228 > > CVE-2017-9229 > > > > ready, The debdiff is attached. > > It seems there was some kind of coordination with the security team, > since I see “no-dsa” mentioned in the security tracker, but feel free > to mention this upfront in your next pu requests. > > A few remarks: > - patch -p1 was unhappy with the debian/patches/series update. :) > - funny things, using square brackets in filenames. > > I suspect it would have been nice to have separate patches for each > bug fix, in case someone needs to dig into one or another, but oh > well, having them all lumped together isn't that bad. > > A few comments: > > diff -Nru libonig-5.9.5/debian/changelog libonig-5.9.5/debian/changelog > > --- libonig-5.9.5/debian/changelog 2014-12-28 12:11:12.000000000 +0100 > > +++ libonig-5.9.5/debian/changelog 2017-05-28 16:59:55.000000000 +0200 > > @@ -1,3 +1,15 @@ > > +libonig (5.9.5-3.2+deb8u1) stable; urgency=medium > > Please always use codenames, and target jessie instead. > > > + * New debian/patches/0500-CVE-2017-922[4-9].patch: > > + - Cherrypicked from upstream to correct: > > + + CVE-2017-9224 (Closes: #863312) > > + + CVE-2017-9226 (Closes: #863314) > > + + CVE-2017-9227 (Closes: #863315) > > + + CVE-2017-9228 (Closes: #863316) > > + + CVE-2017-9229 (Closes: #863318) > > + > > + -- Jörg Frings-Fürst <deb...@jff-webhosting.net> Sun, 28 May 2017 > > 16:59:55 +0200 > > […] > > > --- libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch > > 1970-01-01 01:00:00.000000000 +0100 > > +++ libonig-5.9.5/debian/patches/0500-CVE-2017-922[4-9].patch > > 2017-05-26 07:07:41.000000000 +0200 > > @@ -0,0 +1,121 @@ > > +Correct CVE-2017-922[4-9] > > + Fix mutilple invalid pointer dereference, out-of-bounds write memory > > + corruption and stack buffer overflow, > > +Origin: Cheerypicked from upstream > > (multiple & cherrypicked) > > With the target distribution (and maybe typos) fixed, feel free to > upload; thanks.
Uploaded and flagged for acceptance. Regards, Adam