Hi Jari,

On Tue, Nov 01, 2016 at 08:08:47PM +0200, Jari Aalto wrote:
> On 2016-11-01 15:12, Guido Günther wrote:
> | Hello dear maintainer(s),
> |
> | the Debian LTS team would like to fix the security issues which are
> | currently open in the Wheezy version of bsdiff:
> | https://security-tracker.debian.org/tracker/CVE-2014-9862
> |
> | feel free to just prepare an updated source package and send it to
> | debian-lts@lists.debian.org (via a debdiff, or with an URL pointing
> | to the source package, or even with a pointer to your packaging
> | repository), and the members of the LTS team will take care of the
> | rest.
> |
> | Indicate clearly whether you have tested the updated package
> | or not.
>
> Guido and Team,
>
> This security issue has been fixed in the latest package:
>
> https://packages.qa.debian.org/b/bsdiff/news/20161030T173333Z.html
>
> Changes:
> bsdiff (4.3-17) unstable; urgency=medium
> .
> * debian/patches
> - (20): New. Closes: CVE-2014-9862
> Description: No check for negative values on the number of bytes to
> read from the "diff" and "extra" streams, allowing an attacker
> controlling the patch file to write at arbitrary locations in the
> heap.
> https://security-tracker.debian.org/tracker/CVE-2014-9862
>
> The change is trivial in the included patch.
>
> Sources in "gbp buildpackage" layout are available at:
>
> # https://anonscm.debian.org/git/collab-maint/bsdiff.git
> debcheckout bsdiff
>
> # Target commit id to build
> 2016-10-29 63f1e4c jari.aalto debian/changelog: (4.3-17) Closes:
> CVE-2014-9862
>
> I have run a preliminary OK test build with pbuilder set to wheezy[1]
> on amd64. I have not tested installing or running the *.deb on wheezy.
>
> Let me know if I can be of more help,
We can handle the test on wheezy and the upload and DLA, thanks a lot!

Cheers,
 -- Guido
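The CVE description quoted above ("no check for negative values on the number of bytes to read from the diff and extra streams") is the whole story of this class of bug: an upper-bound check of the form `pos + len <= size` is satisfied by any negative `len`, and the following read then writes before the intended position in the output buffer. The example below is added here for illustration and is not bsdiff's source, Jari's patch, or anything from the thread; it models the three 8-byte sign-magnitude control fields of the bsdiff patch format as I understand them (add length, copy length, seek), decodes one constructed control block, and shows the weak upper-bound-only check beside a hardened check that rejects negative and oversized lengths before any stream data is read.

```c
/* Added example: validating bsdiff-style control fields before use.
 * Not bsdiff's code; the 8-byte little-endian sign-magnitude encoding
 * (sign in bit 7 of byte 7) and the three fields per block are assumed
 * to follow the bsdiff patch format. Sample inputs are constructed. */
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct ctrl {
    int64_t add_len;  /* bytes to read from the "diff" stream and add to old data */
    int64_t copy_len; /* bytes to read from the "extra" stream and copy verbatim */
    int64_t seek;     /* signed adjustment of the read cursor in the old file */
};

/* Decode one 8-byte field: magnitude in the low 63 bits, sign in bit 7 of byte 7. */
static int64_t decode_field(const uint8_t *buf)
{
    int64_t y = buf[7] & 0x7F;
    for (int i = 6; i >= 0; i--)
        y = y * 256 + buf[i];
    return (buf[7] & 0x80) ? -y : y;
}

/* Inverse of decode_field; used only to build test inputs (|x| < 2^63). */
static void encode_field(int64_t x, uint8_t *buf)
{
    uint64_t y = (x < 0) ? (uint64_t)(-x) : (uint64_t)x;
    for (int i = 0; i < 8; i++) { buf[i] = (uint8_t)(y & 0xFF); y >>= 8; }
    if (x < 0) buf[7] |= 0x80;
}

static void parse_ctrl(const uint8_t buf[24], struct ctrl *c)
{
    c->add_len  = decode_field(buf);
    c->copy_len = decode_field(buf + 8);
    c->seek     = decode_field(buf + 16);
}

/* Weak check: upper bound only. A negative len passes because
 * newpos + len < newsize, so the subsequent read of len bytes lands
 * before new + newpos, the heap corruption the CVE text describes. */
static bool len_ok_weak(int64_t newpos, int64_t newsize, int64_t len)
{
    return newpos + len <= newsize;
}

/* Hardened check: reject negative lengths, lengths that do not fit the
 * int read-size parameter of a decompressor, and anything past the end
 * of the output buffer, all before a single byte is read. */
static bool len_ok_hardened(int64_t newpos, int64_t newsize, int64_t len)
{
    if (len < 0 || len > INT_MAX) return false;
    if (newpos < 0 || newpos > newsize) return false;
    return len <= newsize - newpos;
}

/* Validate a whole control block against the current cursor state.
 * Returns 0 when the block is safe to apply, else the 1-based index of
 * the offending field. Assumes 0 <= oldpos on entry. */
static int validate_ctrl(const struct ctrl *c, int64_t newpos,
                         int64_t newsize, int64_t oldpos)
{
    if (oldpos < 0) return 3;
    if (!len_ok_hardened(newpos, newsize, c->add_len)) return 1;
    if (c->add_len > INT64_MAX - oldpos) return 1;   /* old cursor would overflow */
    newpos += c->add_len;
    oldpos += c->add_len;
    if (!len_ok_hardened(newpos, newsize, c->copy_len)) return 2;
    /* A positive seek must not overflow the old-file cursor; a negative
     * seek cannot overflow because oldpos >= 0 here. */
    if (c->seek > 0 && c->seek > INT64_MAX - oldpos) return 3;
    return 0;
}

int main(void)
{
    /* Constructed control block with a negative add length. */
    uint8_t buf[24];
    struct ctrl c;
    encode_field(-16, buf);
    encode_field(0, buf + 8);
    encode_field(0, buf + 16);
    parse_ctrl(buf, &c);
    printf("add_len=%lld weak=%d hardened=%d field=%d\n",
           (long long)c.add_len,
           len_ok_weak(0, 100, c.add_len),
           len_ok_hardened(0, 100, c.add_len),
           validate_ctrl(&c, 0, 100, 0));
    return 0;
}
```

The `validate_ctrl` return code tells a caller which field to name in its "Corrupt patch" error, which is more useful in a bug report than a bare rejection; the `INT_MAX` ceiling is there because the length eventually becomes an `int` read-size argument, and a value that fits `int64_t` but not `int` would be silently truncated.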