On 2016-05-12 15:07:19, Roberto C. Sánchez wrote:
> Hi Antoine,
>
> On Mon, May 09, 2016 at 05:09:30PM +0200, Markus Koschany wrote:
>> Hello Roberto, welcome on board!
>>
>> On 08.05.2016 at 05:34, Roberto C. Sánchez wrote:
>>
>> > I pulled the patch for CVE-2015-4844 from the upstream jdk8u project
>> > (based on the commit reference in openjdk-8's debian/changelog). I
>> > confirmed that this fix matched what was done by upstream in their
>> > subversion repository.
>> >
>> > I pulled the patch for CVE-2016-0494 from the upstream jdk8u project
>> > (based on the commit reference in openjdk-8's debian/changelog). I
>> > attempted to confirm this fix in upstream's subversion repository, but
>> > it appears to not have been fixed upstream yet.
>>
>> Antoine (anarcat) fixed this issue for Squeeze LTS and he also left some
>> comments at
>>
>> https://ssl.icu-project.org/trac/ticket/12020
>>
>> He also changed the runConfigure script and his patch for CVE-2016-0494
>> looks different to me. Perhaps you should contact him (or he will simply
>> respond to this message because he is subscribed too), discuss this
>> patch with him and ask him why his approach contains more changes than
>> the original upstream commit at
>>
>> http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f556d4c82ef1
>>
>
> Do you think you might have some time to review the icu update I
> prepared for wheezy?
>
> https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u4.dsc
> https://people.debian.org/~roberto/icu_4.8.1.1-12+deb7u3_deb7u4.diff
>
> I would appreciate your feedback, particularly on the patch for
> CVE-2016-0494.
Nitpicking: "Origin:" could be "upstream", or maybe "vendor" for those
patches.

For CVE-2016-0494, specifically, there's this upstream bug report which I
contributed to:

http://bugs.icu-project.org/trac/ticket/12020

Well, it's the same bug as CVE-2015-4844, basically, since CVE-2016-0494
was introduced as part of the CVE-2015-4844. I think it's useful for
upstream if you share those backported patches as well, unless they are
trivial. It might be useful to send a ping to our Ubuntu friends since
they have the same version on their side.

More importantly, as Markus mentioned earlier, there is an extra change
to modify the compile flags to properly fix this issue:

http://bugs.icu-project.org/trac/ticket/12020#comment:6

Here's an additional change I did on the rules file:

diff -Nru icu-4.4.1/debian/rules icu-4.4.1/debian/rules --- icu-4.4.1/debian/rules 2016-01-10 07:34:05.000000000 -0500 +++ icu-4.4.1/debian/rules 2016-01-30 14:42:45.000000000 -0500 
@@ -7,7 +7,7 @@ # variables' names with l_. l_SONAME := 44 -l_CFLAGS := -g -Wall +l_CFLAGS := -g -Wall -fno-strict-overflow ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) l_CFLAGS += -O0 else 

The rules file changes significantly between the two Debian releases:
you may want to add it to DEB_CONFIGURE_USER_FLAGS instead.

It is important to understand exactly what's going on in those bugs:
just porting the patches is one thing, but you need to be careful when
you discard chunks. In particular, the above chunk in the squeeze package
was important because of the upstream comment here:

http://bugs.icu-project.org/trac/ticket/12020#comment:4

I have to admit it's not something that I would have thought of myself,
but since upstream noticed that, I think it's important for us to follow
suit!

I think that covers it from my end. The icu package is a difficult
target! Oracle doesn't help us when they disclose vulnerabilities in
Java, which ICU is a part of, yet the upstream is distinct and has to
play catchup to a large secretive corporation. I am not even sure the
changes are complete even with the above. Upstream ICU refers to the
following bug:

http://bugs.icu-project.org/trac/ticket/12276

... where they link to another secret ticket. Maybe it would be useful
to share your work there and ask for feedback. Last time they took a few
days to give feedback, so they seem pretty responsive.

I won't be able to provide further feedback for over a week, if at all.
I hope you are able to complete this challenging upload successfully!

Good luck!

A.

PS: I had originally garbage-collected my squeeze packages from
people.debian.org because I forgot about this issue. I have put them
back on:

https://people.debian.org/~anarcat/debian/squeeze-lts/
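Review bot: confirm that -fno-strict-overflow actually reaches the compiler in the wheezy build before relying on it: the hunk appends it only to l_CFLAGS in the squeeze rules, and the text notes the rules file differs significantly between the two releases, so in wheezy the flag may need to go through DEB_CONFIGURE_USER_FLAGS (as suggested) and should be checked on both the C and C++ compile lines in the build log. The flag only stops GCC from optimising on the assumption that signed arithmetic never wraps, so it complements the source patch for CVE-2016-0494 rather than replacing it; a follow-up that rewrites the affected checks so they do not depend on wrap-around would remove the dependency on the flag altogether.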
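To illustrate why the -fno-strict-overflow flag discussed above matters when backporting an overflow fix, here is an added example (constructed for this thread, not code from the ICU patch or the Debian package): a bounds check that depends on signed wrap-around, which a compiler assuming strict overflow may delete, beside an equivalent check that is correct regardless of compiler flags. The function and parameter names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed illustration, not ICU code.
 * A check of the form "offset + length < offset" relies on signed int
 * wrap-around, which is undefined behaviour in C. When strict-overflow
 * optimisation is enabled, the compiler may assume the sum never wraps
 * and remove the comparison entirely, so this check only behaves as
 * intended when built with -fno-strict-overflow (or -fwrapv). */
bool in_bounds_wrap_dependent(int32_t offset, int32_t length,
                              int32_t table_size)
{
    int32_t end = offset + length;   /* can overflow: undefined behaviour */
    if (end < offset)                /* compiler may drop this branch   */
        return false;
    return offset >= 0 && length >= 0 && end <= table_size;
}

/* Equivalent check that never overflows: reject negative inputs, then
 * compare the length against the room left after the offset. Both
 * operands are non-negative, so the subtraction cannot wrap, and the
 * result is correct with or without -fno-strict-overflow. */
bool in_bounds_portable(int32_t offset, int32_t length, int32_t table_size)
{
    if (offset < 0 || length < 0 || table_size < 0)
        return false;
    /* table_size - offset is negative when offset lies past the table,
     * so any length >= 0 is rejected in that case too. */
    return length <= table_size - offset;
}
```

The second form is what a backport should prefer: it makes the fix independent of the compile flags, which is exactly the kind of detail that is easy to lose when chunks of an upstream patch are discarded.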
