Control: tags -1 + confirmed On Wed, 2023-01-25 at 21:32 +0100, Salvatore Bonaccorso wrote: > I would like to propose to update libxpm in bullseye as well fixing > some no-dsa tagged CVEs by simply rebuilding the package which got > uploaded to unstable (without other changes apart addressing issues): > > +libxpm (1:3.5.12-1.1~deb11u1) bullseye; urgency=medium > + > + * Non-maintainer upload. > + * Rebuild for bullseye > + > + -- Salvatore Bonaccorso <[email protected]> Wed, 25 Jan 2023 > 21:19:41 +0100 > + > +libxpm (1:3.5.12-1.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * Fix CVE-2022-46285: Infinite loop on unclosed comments > + * Fix CVE-2022-44617: Runaway loop with width of 0 and enormous > height > + * configure: add --disable-open-zfile instead of requiring > -DNO_ZPIPE > + * Fix CVE-2022-4883: compression commands depend on $PATH > + * Prevent a double free in the error code path > + * Use gzip -d instead of gunzip > + * debian/rules: configure: Set explicitly runtime paths for > {,un}compress > + and gzip. >
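Review bot: the debian/rules item in the 1:3.5.12-1.1 entry sets the runtime paths for {,un}compress and gzip explicitly at configure time, while the 1:3.5.12-1.1~deb11u1 entry says only "Rebuild for bullseye", so nothing in the changelog records that those paths were checked against bullseye. Because the CVE-2022-4883 fix is about no longer depending on $PATH for the compression commands, a configured path that differs on bullseye would not be corrected at run time; consider stating in the ~deb11u1 entry that the paths were verified for that suite. The "Prevent a double free in the error code path" item also does not say which of the listed changes it belongs to, and a short pointer would help anyone auditing the stable update.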
Please go ahead.

Regards,

Adam

