On 13-11-15 11:59, Johan Van de Wauw wrote: > Op 13/11/2015 om 11:52 schreef Sebastiaan Couwenberg: >> On 13-11-15 11:46, Sebastiaan Couwenberg wrote: >>> On 13-11-15 06:45, Salvatore Bonaccorso wrote: >>>> On Thu, Nov 12, 2015 at 10:31:55PM +0100, Sebastiaan Couwenberg >>>> wrote: >>>>> Dear Security Team, >>>>> >>>>> The patch to fix multiple vulnerabilities identified by >>>>> American Fuzzy Lop reported in #781228 caused a regressed as >>>>> reported in the GDAL issue tracker: >>>>> >>>>> https://trac.osgeo.org/gdal/ticket/6200 >>>>> >>>>> The change to fix this regression was included in freexl >>>>> (1.0.1-1~exp1), but not in the security updates for jessie >>>>> (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1). >>>>> >>>>> I've prepared updates to fix this regression for jessie & >>>>> wheezy, see the attached debdiffs. >>>>> >>>>> Are these regression fixes appropriate for upload to >>>>> {wheezy,jessie}-security or should they be uploaded to >>>>> proposed-updates instead? >>>> Since the regression was introduced via a DSA, we might address >>>> this regression trough af follow-up DSA: >>>> >>>> s/UNRELEASED/wheezy-security/ and urgency=high set or >>>> respectively jessie-security for the second one. >>>> >>>> With the above changes please go ahead with your upload to >>>> security-master. >>>> >>>> Thanks for your work and pinging us about the regression. >>> Thanks for the quick feedback, >>> >>> I've set the distribution and urgency as appropriate for security >>> uploads and uploaded both to security-master. >> We also need this regression fix uploaded for Ubuntu trusty & vivid. >> >> Shall I also do those, or can you take care of the uploads for Ubuntu? >> >> Please note that besides afl-vulnerabilitities-regression.patch we may >> also want to include 32bit-multiplication-overflow.patch in the >> update, this issue hasn't been fixed in Ubuntu yet. > I was watching this tread. I'll propose ubuntu patches.
I've prepared updates for Ubuntu in git, but I've not followed up on the bug report or IRC yet as documented in: https://wiki.ubuntu.com/StableReleaseUpdates#regressions I'll update LP#1437087 with pointers to the fixes shortly. Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
