Bug#1050588: bookworm-pu: package nsis/nsis 3.08-3

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Sat, 2023-08-26 at 19:35 +0200, Christian Franke wrote:
> Please update nsis 3.08-3 to 3.09.
> 

You appear to have missed the "attach a diff of the proposed package
that you have prepared and tested on stable and intend to upload" step.
Either that, or fundamentally misunderstood the role of the Release
Team in the process.

Regards,

Adam

Bug#1050588: bookworm-pu: package nsis/nsis 3.08-3

[Christian Franke]

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: n...@packages.debian.org, christian.fra...@t-online.de
Control: affects -1 + src:nsis

Please update nsis 3.08-3 to 3.09.

[ Reason ]
Generated installers contain invalid relocation information, see
Bug#1050288.  This is a regression introduced by a changed behavior
of the MinGW-w64 toolchain.
nsis 3.06.1-1 on bullseye is not affected because an older version
of the toolchain is used.
nsis-3.09-1 on trixie is not affected because NSIS upstream
addressed this problem in release 3.09.

This update also fixes security vulnerability CVE-2023-37378,
see Bug#1040880.

[ Impact ]
Large installers may work on Windows, but small installers do not.
Even if an installer works, warning messages from security scanners
may be triggered because the file is considered corrupt.

[ Tests ]
Create a small installer with makensis.
The problem is fixed if 'objdump -p' does no longer complain
"BFD: error: FILE.exe(.reloc) is too large"
and the size of the '.reloc' section is 0.
See Bug#1050288 for details.

[ Risks ]
NSIS 3.09 is the official upstream release proven to work for
some time now.