On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> I prepared LTS security update for leptonlib. Please review and upload.
> You can find debdiff along with the mail.
I have reviewed and uploaded the package. While you backported the
upstream fix, I feel like their approach falls under item #2 of "The Six
Dumbest Ideas in Computer Security ": Enumerating Badness. I cannot
help but wonder if another vulnerability will be uncovered later that
uses different characters that are not being checked.
In any event, once you receive the ACCEPT notice from the archive
software you should be able to publish the DLA.
Roberto C. Sánchez