Hello, Salvatore Bonaccorso, le ven. 25 mai 2018 12:24:28 +0200, a ecrit: > On Fri, May 25, 2018 at 11:00:49AM +0200, Samuel Thibault wrote: > > Hello > > > > Salvatore Bonaccorso, le jeu. 24 mai 2018 16:16:16 +0200, a ecrit: > > > The following vulnerability was published for liblouis, it was > > > reported at [1], not sure if it was forwarded to upstream, can you > > > double check that? > > > > I reported it to upstream and is now fixed there. I have uploaded a > > fixed package to unstable as version 3.5.0-2. > > > > I have prepared a stable upload in > > [email protected]:a11y-team/liblouis.git in the debian-stretch branch > > > > The buffer overflow can be exploited only if one is able to feed the > > content of a braille table, which is not normally something that is > > possible, usually only the content of the text to be transcribed to > > braille can be fed, so I don't see any situation where this can really > > be a security concern, so I guess a simple stable upload would be > > enough? > > I agree, if you can prepare an update to be included in the upcoming > point release for stretch that would be great!
Ok, liblouis_3.0.0-3+deb9u2 is now in proposed-updates->stable-new , should I reportbug release.debian.org, or should the security team handle it? Samuel

