(Fixed list address, sorry for the duplicate.)

Hi,
I have looked at porting the security fixes on the libidn package from squeeze to wheezy. As usual, signed test packages are available here:

https://people.debian.org/~anarcat/debian/wheezy-lts/

And a debdiff is available for review by the security team:

The remainder of this email is about how the patches were generated and which changes were performed. Some patches were not necessary anymore (as some of the squeeze code was backported from squeeze), but there are still patches required:

--- libidn-1.15/debian/patches/series 2015-08-11 17:34:03.000000000 -0400
+++ libidn-1.25/debian/patches/series 2016-04-12 14:26:31.118447183 -0400
@@ -1,6 +1,5 @@ +fix_encoding.patch libidn-stringprep_utf8_to_ucs4-now-rejects-invalid-utf-8-cve-2015-2059.patch -gnulib-update-to-include-unistr-u8-check.patch -autoreconf.patch -gnulib-generate-iconv_open-solaris.h.patch fix_utf8_error_handling.patch fix_utf8_error_handling-testcase.patch +autoreconf.patch

This was all pretty painful: some of the wheezy patches would not apply at all on Wheezy. In particular, the gnulib one was doing sweeping changes:

228 files changed, 26279 insertions(+), 3404 deletions(-)

... and had virtually *no* chunk apply correctly. So I decided to ignore the gnulib update, and actually filed a bug against libidn to remove the gnulib code copies (#820816).

So I changed the first patch for CVE-2015-2059 to actually include the u8-check that the second patch was introducing. This makes a patch that more closely monitors upstream, and avoids the messy gnulib import chaos that is happening in that package. In other words, the new patch does most of the work regarding gnulib, while the autoreconf patch takes care of regenerating the autoconf toolchain correctly, so we don't need to regenerate the *whole* gnulib toolchain.

I also needed to cherry-pick another patch from upstream to fix some tests that would break under the new checks introduced by the security fixes.

I have not tested the packages for compliance or vulnerability, but the internal test suite works.

A.

-- 
By now the computer has moved out of the den and into the rest of your life. It will consume all of your spare time, and even your vacation, if you let it. It will empty your wallet and tie up your thoughts. It will drive away your family. Your friends will start to think of you as a bore. And what for?
- The True Computerist by Tom Pittman
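Review bot: fix_encoding.patch is added at the head of the series but nothing in the message says what it is; if it is the upstream cherry-pick for the tests that break under the new checks, say so, name the upstream commit it comes from, and explain why it sits before the CVE-2015-2059 patch rather than after the fix it compensates for. The series also hides the change a reviewer most needs to see: libidn-stringprep_utf8_to_ucs4-now-rejects-invalid-utf-8-cve-2015-2059.patch keeps its squeeze filename while its contents now also carry the u8-check that the dropped gnulib-update-to-include-unistr-u8-check.patch used to provide, so the debdiff of that file has to be reviewed line by line rather than inferred from this hunk. Moving autoreconf.patch from third place to last is the right order, since regenerated autotools output must follow every patch that touches configure.ac, Makefile.am or the m4 files, but it also means autoreconf.patch must be regenerated whenever any patch before it changes.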

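The CVE-2015-2059 patch in the series above is named for what it does: stringprep_utf8_to_ucs4 now rejects invalid UTF-8 instead of decoding it, which is what the folded-in u8-check provides. As an added illustration, not code from libidn, gnulib or this email, here is a strict validator of that kind in C, followed by a UCS-4 conversion that only runs after the whole buffer has been validated. The function names utf8_check and utf8_to_ucs4_checked, their signatures, and the sample byte strings are my own constructions and do not reproduce libidn's API.

```c
/* Added example: strict UTF-8 validation before UTF-8 -> UCS-4 conversion.
   Not libidn's or gnulib's code; names and sample inputs are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one UTF-8 sequence starting at s with len bytes available.
   Returns 1 and sets *seqlen/*cp on success, 0 for any malformed input:
   bad lead byte, truncated sequence, bad continuation byte, overlong form,
   UTF-16 surrogate, or a value above U+10FFFF. */
static int utf8_decode_one(const uint8_t *s, size_t len,
                           size_t *seqlen, uint32_t *cp)
{
    size_t n;
    uint32_t v, min;

    if (len == 0)
        return 0;
    if (s[0] < 0x80) {
        n = 1; v = s[0]; min = 0;
    } else if ((s[0] & 0xE0) == 0xC0) {
        n = 2; v = s[0] & 0x1F; min = 0x80;
    } else if ((s[0] & 0xF0) == 0xE0) {
        n = 3; v = s[0] & 0x0F; min = 0x800;
    } else if ((s[0] & 0xF8) == 0xF0) {
        n = 4; v = s[0] & 0x07; min = 0x10000;
    } else {
        return 0; /* stray continuation byte or 0xF8..0xFF lead byte */
    }
    /* Bound check before touching s[1..n-1]: a decoder that trusts the lead
       byte's announced length and skips this reads past the end of the
       buffer on truncated input. */
    if (len < n)
        return 0;
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (v < min)
        return 0; /* overlong encoding, e.g. C0 AF for '/' */
    if (v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF))
        return 0;
    *seqlen = n;
    *cp = v;
    return 1;
}

/* Whole-buffer check in the spirit of a u8-check pass: 1 if every byte
   belongs to a well-formed sequence, 0 otherwise. */
int utf8_check(const uint8_t *s, size_t len)
{
    size_t pos = 0, n;
    uint32_t cp;

    while (pos < len) {
        if (!utf8_decode_one(s + pos, len - pos, &n, &cp))
            return 0;
        pos += n;
    }
    return 1;
}

/* Validate, then convert. Returns a malloc'd UCS-4 array (caller frees)
   with the code point count in *items, or NULL if the input is not valid
   UTF-8. Rejecting up front keeps the conversion loop from ever reading
   beyond len. */
uint32_t *utf8_to_ucs4_checked(const char *str, size_t len, size_t *items)
{
    const uint8_t *s = (const uint8_t *)str;
    uint32_t *out;
    size_t pos = 0, n, count = 0;

    if (!utf8_check(s, len))
        return NULL;
    out = malloc((len + 1) * sizeof *out); /* at most one code point per byte */
    if (!out)
        return NULL;
    while (pos < len) {
        utf8_decode_one(s + pos, len - pos, &n, &out[count++]);
        pos += n;
    }
    *items = count;
    return out;
}

int main(void)
{
    /* Constructed inputs: valid text, then malformed cases the check rejects. */
    struct { const char *label; const char *bytes; size_t len; } samples[] = {
        { "valid 'cafe' with U+00E9",   "caf\xc3\xa9",       5 },
        { "truncated 2-byte sequence",  "caf\xc3",           4 },
        { "overlong '/' (C0 AF)",       "\xc0\xaf",          2 },
        { "UTF-16 surrogate U+D800",    "\xed\xa0\x80",      3 },
        { "above U+10FFFF",             "\xf4\x90\x80\x80",  4 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t items = 0;
        uint32_t *u = utf8_to_ucs4_checked(samples[i].bytes, samples[i].len, &items);
        printf("%-28s -> %s", samples[i].label, u ? "accepted:" : "rejected\n");
        if (u) {
            for (size_t j = 0; j < items; j++)
                printf(" U+%04X", u[j]);
            printf("\n");
            free(u);
        }
    }
    return 0;
}
```

The conversion deliberately refuses the whole buffer instead of skipping or replacing bad bytes: for a stringprep input, silently repairing an overlong or truncated sequence would change which string gets normalized, which is the opposite of what a rejecting check is for.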