Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

2020-07-02 Thread Adam D. Barratt
On Mon, 2020-02-10 at 08:55 +0100, Christoph Biedl wrote:
> Salvatore Bonaccorso wrote...
> 
> > Is this still something it is worth to pursue and address those two
> > CVEs pending for stretch or is the regression risk too high?
> 
> In my opinion it is worth to pursue it - so let me rebase upon the
> latest release in Debian 9 ("stretch") and upload to (old)s-p-u soon,
> just after another round of regression tests. Then there's a lot of
> time to let things mature.

That doesn't seem to have happened yet, and we're a little over a week
from closing stretch before it moves to LTS.

It's up to you if you want to go ahead still, but there won't be time
for it to mature.

Regards,

Adam



Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

2020-02-09 Thread Christoph Biedl
Salvatore Bonaccorso wrote...

> Is this still something it is worth to pursue and address those two
> CVEs pending for stretch or is the regression risk too high?

In my opinion it is worth to pursue it - so let me rebase upon the
latest release in Debian 9 ("stretch") and upload to (old)s-p-u soon,
just after another round of regression tests. Then there's a lot of time
to let things mature.

Adam (for the stable release team), can I just go ahead, or would you
like to see an updated patch first?

From the neverending story department,

Christoph




Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

2020-02-07 Thread Salvatore Bonaccorso
Hi,

On Tue, Aug 20, 2019 at 11:26:33PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2019-07-18 at 05:07 +0200, Christoph Biedl wrote:
> > Adam D. Barratt wrote...
> > 
> > > Assuming I count correctly, your mail was from approximately 6 weeks
> > > before the date of the upcoming 9.9 point release.
> > 
> > This story has a tendency to fall off radar repeatedly. Perhaps we can
> > eventually find a solution for this in the next days?
> 
> I guess we should just get on with it.
> 
> FWIW, we're currently about 2.5 weeks from the next point release. I
> realise that {c,sh}ould have been longer.

Is this still something it is worth to pursue and address those two
CVEs pending for stretch or is the regression risk too high?

Regards,
Salvatore



Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

2019-08-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2019-07-18 at 05:07 +0200, Christoph Biedl wrote:
> Adam D. Barratt wrote...
> 
> > Assuming I count correctly, your mail was from approximately 6 weeks
> > before the date of the upcoming 9.9 point release.
> 
> This story has a tendency to fall off radar repeatedly. Perhaps we can
> eventually find a solution for this in the next days?

I guess we should just get on with it.

FWIW, we're currently about 2.5 weeks from the next point release. I
realise that {c,sh}ould have been longer.

Regards,

Adam



Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

2019-07-17 Thread Christoph Biedl
Adam D. Barratt wrote...

> Assuming I count correctly, your mail was from approximately 6 weeks
> before the date of the upcoming 9.9 point release.

This story has a tendency to fall off radar repeatedly. Perhaps we can
eventually find a solution for this in the next days?

Christoph




Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

2019-06-09 Thread Christoph Biedl
Adam D. Barratt wrote...

> On Thu, 2019-03-21 at 20:28 +0100, Christoph Biedl wrote:
> > for an upcoming stretch point release, I'd like to contribute a new
> > version of the file package. This got a bit bigger so I'm using the
> > old style of seeking approval before uploading.
> [...]
> > So this escalated a little, and instead of picking a single commit,
> > I ended with the number of 26 ... But I am certain it's worth it.
> >
> > Still there is an increased risk of introducing regressions,
> > therefore I'd like to give that package some time to mature. Hence no
> > security release, and if there are major concerns I might agree to
> > wait until the second-next point release if the next one is less than
> > four weeks in the future.
>
> Apologies for not getting back to you sooner.

Umm, well, same here.

> > For my side, I did my usual checks, they all passed: The output of
> > file on a huge collection (>> 100k) of various files, diffing the
> > buildlogs, checking some packages that heavily depend on
> > file/libmagic. So I'm optimistic there is no change for worse.
>
> That sounds promising. Has the package been tested on any further
> systems in the meantime?

Just a little - to be honest, I'm out of ideas what else to test.

Christoph




Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

2019-04-14 Thread Adam D. Barratt
On Thu, 2019-03-21 at 20:28 +0100, Christoph Biedl wrote:
> for an upcoming stretch point release, I'd like to contribute a new
> version of the file package. This got a bit bigger so I'm using the
> old style of seeking approval before uploading.
[...]
> So this escalated a little, and instead of picking a single commit,
> I ended with the number of 26 ... But I am certain it's worth it.
> 
> Still there is an increased risk of introducing regressions,
> therefore I'd like to give that package some time to mature. Hence no
> security release, and if there are major concerns I might agree to
> wait until the second-next point release if the next one is less than
> four weeks in the future.

Apologies for not getting back to you sooner.

Assuming I count correctly, your mail was from approximately 6 weeks
before the date of the upcoming 9.9 point release.

> For my side, I did my usual checks, they all passed: The output of
> file on a huge collection (>> 100k) of various files, diffing the
> buildlogs, checking some packages that heavily depend on
> file/libmagic. So I'm optimistic there is no change for worse.

That sounds promising. Has the package been tested on any further
systems in the meantime?

Regards,

Adam



Bug#925251: stretch-pu: package file/1:5.30-1+deb9u2

2019-03-21 Thread Christoph Biedl
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello release team,

for an upcoming stretch point release, I'd like to contribute a new
version of the file package. This got a bit bigger so I'm using the old
style of seeking approval before uploading.

Initially, there were two bugs I wanted to fix:

* #902796: /usr/lib/python2.7/dist-packages/magic.py: Aborts; too many arguments to str()
Some Python 2.7 code croaks over a bug in the Python bindings.

* #922968: CVE-2019-8905 CVE-2019-8907
After some discussion with the security team (Cc:) I decided to
address this in a point release.

However, while checking the latter, I realized upstream did a lot of
changes in the code since the 5.30 release which the stretch version is
based on. Changes that fix several issues of the (at least) "oh, that's
not good" category: Commit messages like "found by oss-fuzz", "found by
coverity" or "out of boundary read" suggest they are worth to pick even
if there's not an exploit around (I'm not aware of any TBH).

Additionally, some commits introduce changes that should ease applying
future fixes while not changing actual functionality, like switching to
an abstraction of type casting (CAST, RCAST).

So this escalated a little, and instead of picking a single commit, I
ended with the number of 26 ... But I am certain it's worth it.

Still there is an increased risk of introducing regressions, therefore
I'd like to give that package some time to mature. Hence no security
release, and if there are major concerns I might agree to wait until
the second-next point release if the next one is less than four weeks
in the future.

For my side, I did my usual checks, they all passed: The output of file
on a huge collection (>> 100k) of various files, diffing the buildlogs,
checking some packages that heavily depend on file/libmagic. So I'm
optimistic there is no change for worse.

Additionally, and without changing code, I've updated the description
of patches cherry-picked earlier: Adding a URL to the Origin:
information aims to ease the job of reviewers downstream and anywhere
else.

Regards,

Christoph
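
The corpus comparison Christoph describes above (run file on a large collection, diff the output between the old and the new build), written out as a script. This is an added example, not part of the bug report or of the file package; OLD, NEW and CORPUS are placeholders for two file(1) binaries and a directory of sample files.

```sh
#!/bin/sh
# Added example (not from the bug report): regression-check a libmagic
# update by running two builds of file(1) over the same corpus and
# listing every path whose description (or exit status) changed.

# describe CMD PATH -> "<exit status>|<brief output>", so a crash or a
# new error message counts as a change, not only a different description.
describe() {
    out=$("$1" -b -- "$2" 2>&1) && st=0 || st=$?
    printf '%s|%s' "$st" "$out"
}

# compare_file_output OLD NEW CORPUS
#   Prints, for each differing file, the path followed by the old and the
#   new result. Prints nothing when both builds agree on every file.
compare_file_output() {
    old="$1"; new="$2"; corpus="$3"
    # Deterministic order so the report itself diffs cleanly between runs.
    find "$corpus" -type f | LC_ALL=C sort | while IFS= read -r path; do
        a=$(describe "$old" "$path")
        b=$(describe "$new" "$path")
        [ "$a" = "$b" ] || printf '%s\n  old: %s\n  new: %s\n' "$path" "$a" "$b"
    done
}

# Stand-alone use: ./check.sh /usr/bin/file ./build/src/file ~/corpus
# (placeholder paths). Exit 1 if anything changed, so CI can gate on it.
if [ "$#" -eq 3 ]; then
    diffs=$(compare_file_output "$1" "$2" "$3")
    if [ -n "$diffs" ]; then printf '%s\n' "$diffs"; exit 1; fi
    echo "no output changes across corpus"
fi
```

A changed description is not automatically a regression (many of the cherry-picked commits are meant to change output for malformed input), so the report is a review list, not a verdict.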

diff -Nru file-5.30/debian/changelog file-5.30/debian/changelog
--- file-5.30/debian/changelog  2018-06-11 23:16:09.0 +0200
+++ file-5.30/debian/changelog  2019-03-18 22:15:18.0 +0100
@@ -1,3 +1,12 @@
+file (1:5.30-1+deb9u3) stable; urgency=high
+
+  * Cherry-pick upstream commit FILE5_30-37-g8a942980 "Retain python 2
+compatibility". Closes: #902796
+  * Cherry-pick a lot of patches that fix obvious issues or seem wise
+to include. Also: Closes: #922968 [CVE-2019-8905 CVE-2019-8907]
+
+ -- Christoph Biedl   Mon, 18 Mar 2019 
22:15:18 +0100
+
 file (1:5.30-1+deb9u2) stable; urgency=high
 
   * Avoid reading past the end of buffer. Closes: #901351
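Review bot: the new entry introduces 1:5.30-1+deb9u3 while the pu request is still titled 1:5.30-1+deb9u2; retitle the bug so the release team tracks the version that will actually be uploaded. Also, "Cherry-pick a lot of patches that fix obvious issues or seem wise to include" leaves the 26 commits untraceable from the changelog; listing their FILE5_30-NN-g... ids (the patch file names below already carry them) would let downstreams see which cherry-picks cover CVE-2019-8905 and CVE-2019-8907 and which are the CAST/RCAST refactoring.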
diff -Nru 
file-5.30/debian/patches/cherry-pick.FILE5_30-01-g64e45647.more-cast-stuff.patch
 
file-5.30/debian/patches/cherry-pick.FILE5_30-01-g64e45647.more-cast-stuff.patch
--- 
file-5.30/debian/patches/cherry-pick.FILE5_30-01-g64e45647.more-cast-stuff.patch
2018-06-11 23:14:41.0 +0200
+++ 
file-5.30/debian/patches/cherry-pick.FILE5_30-01-g64e45647.more-cast-stuff.patch
2019-03-18 22:15:18.0 +0100
@@ -1,5 +1,5 @@
 Subject: More cast stuff
-Origin: FILE5_30-1-g64e45647
+Origin: FILE5_30-1-g64e45647 

 Upstream-Author: Christos Zoulas 
 Date: Fri Feb 10 18:14:01 2017 +
 
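Review bot: as rendered, the replaced Origin: line differs from the old one only by a trailing space; the URL the cover mail says was added to Origin: is not visible here. Either the angle-bracketed URL was dropped by the mail archive or the patch header still lacks it, so check that the uploaded patch file carries the full Origin: URL, otherwise this hunk changes nothing for the reviewers it is meant to help.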
diff -Nru 
file-5.30/debian/patches/cherry-pick.FILE5_30-11-gb1b4efea.pr-598-off-by-one.patch
 
file-5.30/debian/patches/cherry-pick.FILE5_30-11-gb1b4efea.pr-598-off-by-one.patch
--- 
file-5.30/debian/patches/cherry-pick.FILE5_30-11-gb1b4efea.pr-598-off-by-one.patch
  2018-06-11 23:14:41.0 +0200
+++ 
file-5.30/debian/patches/cherry-pick.FILE5_30-11-gb1b4efea.pr-598-off-by-one.patch
  2019-03-18 22:15:18.0 +0100
@@ -1,5 +1,5 @@
 Subject: PR/598: Off-by-one
-Origin: FILE5_30-11-gb1b4efea
+Origin: FILE5_30-11-gb1b4efea 

 Upstream-Author: Christos Zoulas 
 Date: Tue Mar 7 22:36:10 2017 +
 
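Review bot: same observation as the previous Origin: hunk: only a trailing space is visible after FILE5_30-11-gb1b4efea; confirm the URL is actually present in the file.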
diff -Nru 
file-5.30/debian/patches/cherry-pick.FILE5_30-12-g77a7041f.prevent-reading-beyond-our-buffer-when-compacting-whitespace-oss-fuzz.patch
 
file-5.30/debian/patches/cherry-pick.FILE5_30-12-g77a7041f.prevent-reading-beyond-our-buffer-when-compacting-whitespace-oss-fuzz.patch
--- 
file-5.30/debian/patches/cherry-pick.FILE5_30-12-g77a7041f.prevent-reading-beyond-our-buffer-when-compacting-whitespace-oss-fuzz.patch
  2018-06-11 23:14:41.0 +0200
+++ 
file-5.30/debian/patches/cherry-pick.FILE5_30-12-g77a7041f.prevent-reading-beyond-our-buffer-when-compacting-whitespace-oss-fuzz.patch
  2019-03-18 22:15:18.0 +0100
@@ -1,5 +1,5 @@
 Subject: Prevent reading beyond our buffer when compacting whitespace 
(oss-fuzz)
-Origin: FILE5_30-12-g77a7041f
+