On Tue, 14 Nov 2017, Emilio Pozuelo Monfort wrote:
> Yes, that was added back then due to a regression with the fix for
> https://security-tracker.debian.org/tracker/CVE-2017-3157

When you add an entry back for some reason, please document that reason...
this entry in dla-needed.txt is useless if contributors don't know why it
sits there. I was just assuming that it was affected by vulnerabilities and
looked up the open CVE.

> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3157
>
> At this point, I'm not sure what the best course of action is:
> - revert the patch, leaving LO vulnerable to the original problem
> - leave things as is, with the annoying effect of the regression, but a safe LO
> - spend more time to try to fix the regression
>
> The first option is probably unacceptable. I wonder which one of the other two
> is better at this point, given that wheezy will be EOL in a few months and that
> most LTS users at this point are likely for servers.

Can you point us to the regression report that you got or saw?

When I look at the description of the problem, I'm tempted to revert the
patch because the original problem does not look too severe. It can be used
to get private data but the information leak is limited to whatever can
appear in a preview and it requires precise knowledge of the location of
the user's document that you want to retrieve. And then getting someone to
open, modify, save a document and send it back to you is non-trivial.

Still this looks bad so it also depends on how annoying the regression is.
Does it affect all embedded objects?

> PS: My apologies for not dealing with this earlier. I looked at it a while ago
> but couldn't fix it, and then wasn't motivated to look at it further.

When I read "wasn't motivated to look at it further" I think that you
should have really put the package back into the queue with the appropriate
explanations.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/