Hi Roberto! On 2018-06-28 at 08:35 -0400, Roberto C. Sánchez wrote:
> I forked your Salsa project but I had difficulty figuring out the proper starting point for a branch. It looks like master contains work for both unstable and experimental in it. I did use a Git repository to do my work, but I began with importing exiv2_0.25-3.1.dsc.
You could have used debian/0.25-3.1 as a starting point and a feature-specific branch for your changes, but I guess that it doesn't really make much of a difference.
> That said, I have exported the individual commits as patches and attached them to this mail. You can use 'git apply' on them and it should just work, except maybe for the placement of the changelog entry.
I imported these changes in the salsa repo and uploaded 0.25-4; the branch debian/stretch-security has your changes with the corresponding version for a stretch upload.
> I did want to add two additional notes for your information:
>
> 1. My changes do not address CVE-2018-11037 (the only remaining open CVE against the exiv2 package in Debian), since upstream has not yet fixed it. The issue in GitHub indicates it will be fixed in 0.27.
>
> 2. I had to make some adjustments to the error handling from the newer upstream commits, as they have ported the "enforce" mechanism (similar to assert) from D and it seemed too large a change to bring in for a security update. I requested a review of my patch from upstream in GitHub (https://github.com/Exiv2/exiv2/issues/302) but have not yet received a reply. After submitting that request for review I did patches for the remaining CVEs and encountered enough other error handling code that I am comfortable with my approach, so I don't think it is that important that upstream has not yet replied.
Interesting, thanks for the info.
> I will leave it up to you to integrate my patches, make the upload to unstable, and coordinate the remaining transitions and advisory with the security team. You are welcome to use the DLA text I attached to the first mail, or to write your own more detailed advisory as you prefer.
Just to be clear, I wasn't trying to take over the stable upload, please go ahead with it if you want to.
Happy hacking,

--
"Brilliant opportunities are cleverly disguised as insolvable problems." -- Gardener's Philosophy
"The reverse is also true." -- Corollary

Regards
/\/\ /\ >< `/
