On Thu, Aug 29, 2019 at 10:28:33PM +0100, Adam D. Barratt wrote:
> On Thu, 2019-08-29 at 00:04 +0200, Nicolas Braud-Santoni wrote:
> > I would like to backport the fix for CVE-2019-9578 in the next point
> > release
> > for stretch. Please find enclosed the proposed debdiff.
>
> ++ /* the response has to be atleast 17 bytes, if it's more we discard
> that */
> ++ if (resplen < 17)
>
> "at least" - it's two words. Also the first half of the comment and the
> code itself imply that "more" should be "less".

Yes, I also noticed that, but chose to keep the exact same patch as upstream
for simplicity / clarity. Thanks for mentioning it, though: I had forgotten
to get it fixed upstream: https://github.com/Yubico/libu2f-host/pull/136

> Please go ahead.

Done, thanks :)

Best,

  nicoo
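
Review bot: in the quoted hunk, "if (resplen < 17)" hard-codes 17, and the comment above it repeats the number without saying which parts of the response add up to 17 bytes. A named constant, or a comment listing what the minimum-length response contains, would let a reader check the bound instead of taking it on trust. The quoted lines also stop at the condition, so what happens to a too-short response is not visible here and should be confirmed against the full debdiff.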