On 2016-10-25 14:32, Andrew Shadura wrote:
> On 25/10/16 15:31, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed
>>
>> On 2016-10-25 10:10, Andrew Shadura wrote:
>>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
>>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
>>> CVE-2016-8700, CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
>>>
>>> Please find the attached debdiff.
>>
>> I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs?
>> If so, and assuming that the resulting package has been tested on stable,
>> please go ahead.
>
> Yes, it does.

Unfortunately it appears that the uploaded package was not built in a
(purely) jessie environment, so I'm afraid that I've had to mark it to
be rejected.

Automated binary debdiffs show:
<quote>
Warning: these package names were in the second list but not in the
first:
--------------------------------------------------------------------------
libpotrace0-dbgsym
potrace-dbgsym
...
Files only in first set of .debs, found in package libpotrace0
--------------------------------------------------------------
-rwxr-xr-x root/root DEBIAN/postinst
-rwxr-xr-x root/root DEBIAN/postrm
New files in second set of .debs, found in package libpotrace0
--------------------------------------------------------------
-rw-r--r-- root/root DEBIAN/triggers
</quote>
Those changes won't happen if jessie's debhelper was used for the build.
(The fact that dak didn't reject the package itself is a known issue
with the *-debug suite checks.)

Regards,
Adam