Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-05-14 Thread Georg Faerber
Hi François, Salvatore, SRMs,

On 20-05-11 22:14:44, François Mazen wrote:
> thanks a lot for your help. The packaging repo is:
> https://salsa.debian.org/mzf/zipios
>
> [...]

Thanks for the pointer, I just did the upload.

Cheers,
Georg



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-05-11 Thread François Mazen
Hello Georg,

thanks a lot for your help. The packaging repo is:
https://salsa.debian.org/mzf/zipios

the branch for this buster patch is "fix_CVE-2019-13453_for_buster":
https://salsa.debian.org/mzf/zipios/-/tree/fix_CVE-2019-13453_for_buster

the last commit is:
https://salsa.debian.org/mzf/zipios/-/commit/7bdc65a62cacea47e03c13e6d92157da3c11f6bd

I can upload the package to mentors.d.n if needed. Just let me know.

Best,
François



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-05-11 Thread Georg Faerber
Hi,

On 20-05-10 09:00:59, Salvatore Bonaccorso wrote:
> Thanks for considering sponsoring it.
> 
> Note I'm not SRM, but the upload was acked in
> https://bugs.debian.org/954020#24

ACK, I agree.

> Thanks François for preparing the update!

Thanks from my side as well. Could you provide me a link to the
packaging repository, [1] gives 404. Alternatively, could you upload the
relevant files to mentors.d.n?

Cheers,
Georg


[1] https://anonscm.debian.org/cgit/collab-maint/zipios++.git



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-05-10 Thread Salvatore Bonaccorso
Hi Georg,

On Sat, May 09, 2020 at 10:58:14PM +, Georg Faerber wrote:
> Hi,
> 
> On 20-05-09 14:02:21, François Mazen wrote:
> > Adam or you, could you please upload it?
> 
> I'm happy to upload this, but I'm unable to do a review on my own.
> 
> Dear SRMs, if that's acceptable in this case, please let me know.

Thanks for considering sponsoring it.

Note I'm not SRM, but the upload was acked in
https://bugs.debian.org/954020#24

Thanks François for preparing the update!

Regards,
Salvatore



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-05-09 Thread Georg Faerber
Hi,

On 20-05-09 14:02:21, François Mazen wrote:
> Adam or you, could you please upload it?

I'm happy to upload this, but I'm unable to do a review on my own.

Dear SRMs, if that's acceptable in this case, please let me know.

Cheers,
Georg



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-05-09 Thread François Mazen
Hi Salvatore,

> The problem is just, the upload is not there. Did an error happen on
> uploading?
> 

I'm not DM, so someone has to sponsor the upload. 

Adam or you, could you please upload it?

Thanks,
François



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-05-08 Thread François Mazen
Hi Salvatore,

> It's now unfortunately too late for 10.4 but did you see the ack from
> Adam? If so this can be included then in 10.5.
> 

I'm OK for the 10.5. Should I do anything?

Thanks,
François



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-05-08 Thread Salvatore Bonaccorso
Hi François,

On Fri, May 08, 2020 at 05:11:30PM +0200, François Mazen wrote:
> Hi Salvatore,
> 
> > It's now unfortunately too late for 10.4 but did you see the ack from
> > Adam? If so this can be included then in 10.5.
> > 
> 
> I'm OK for the 10.5. Should I do anything?

The problem is just, the upload is not there. Did an error happen on
uploading?

$ dak ls zipios++
zipios++   | 0.1.5.9+cvs.2007.04.28-5.1 | oldoldstable   | source
zipios++   | 0.1.5.9+cvs.2007.04.28-6   | oldstable      | source
zipios++   | 0.1.5.9+cvs.2007.04.28-10  | stable         | source
zipios++   | 0.1.5.9+cvs.2007.04.28-11  | testing        | source
zipios++   | 0.1.5.9+cvs.2007.04.28-11  | unstable       | source
zipios++   | 0.1.5.9+cvs.2007.04.28-11  | unstable-debug | source

Regards,
Salvatore



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-05-08 Thread Salvatore Bonaccorso
Hi François

On Sun, Apr 12, 2020 at 10:28:56PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2020-03-15 at 20:57 +0100, François Mazen wrote:
> > Please find attached the debdiff.
> > 
> 
> Please go ahead.

It's now unfortunately too late for 10.4 but did you see the ack from
Adam? If so this can be included then in 10.5.

Regards,
Salvatore



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-04-12 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2020-03-15 at 20:57 +0100, François Mazen wrote:
> Please find attached the debdiff.
> 

Please go ahead.

Regards,

Adam



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-03-15 Thread François Mazen
Please find attached the debdiff.
Best,
François


diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog
--- zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog	2017-05-28 21:20:05.0 +0200
+++ zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog	2020-03-15 17:28:33.0 +0100
@@ -1,3 +1,9 @@
+zipios++ (0.1.5.9+cvs.2007.04.28-10+deb10u1) buster; urgency=high
+
+  * fix CVE-2019-13453 for Buster (Closes: #932556)
+
+ -- Francois Mazen   Sun, 15 Mar 2020 17:28:33 +0100
+
 zipios++ (0.1.5.9+cvs.2007.04.28-10) unstable; urgency=medium
 
   * QA upload.
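
Review bot: The new changelog entry at the top says only "fix CVE-2019-13453 for Buster", which leaves a stable-release reviewer to open the patch to learn what changed. Name the added file, debian/patches/fix_CVE-2019-13453.diff, in the entry and say in a few words what the fix is: end-of-file handling in the 16-bit and 32-bit read loops of zipios++/zipheadio.h, which previously looped until buf_len bytes had been read.
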
diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff
--- zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff	1970-01-01 01:00:00.0 +0100
+++ zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff	2020-03-15 17:28:33.0 +0100
@@ -0,0 +1,50 @@
+Description: Fix CVE-2019-13453
+Author: Francois Mazen 
+Origin: https://sourceforge.net/p/zipios/news/2019/07/version-017-cve-/
+
+--- a/zipios++/zipheadio.h
 b/zipios++/zipheadio.h
+@@ -9,6 +9,7 @@
+ 
+ #include "zipios++/ziphead.h"
+ #include "zipios++/zipios_defs.h"
++#include "zipios++/fcollexceptions.h"
+ 
+ namespace zipios {
+ 
+@@ -79,10 +80,16 @@
+   static const int buf_len = sizeof ( uint32 ) ;
+   unsigned char buf [ buf_len ] ;
+   int rsf = 0 ;
+-  while ( rsf < buf_len ) {
++  std::streampos original_pos = is.tellg() ;
++  while ( rsf < buf_len && !is.eof() ) {
+ is.read ( reinterpret_cast< char * >( buf ) + rsf, buf_len - rsf ) ;
+ rsf += is.gcount () ;
+   }
++  if ( rsf != buf_len ) {
++is.seekg( original_pos ) ;
++throw InvalidStateException( "Reached end-of-file while trying to read a"
++ "Uint32; the zip archive may be corrupt." ) ;
++  }
+   return  ztohl ( buf ) ;
+ }
+ 
+@@ -95,10 +102,16 @@
+   static const int buf_len = sizeof ( uint16 ) ;
+   unsigned char buf [ buf_len ] ;
+   int rsf = 0 ;
+-  while ( rsf < buf_len ) {
++  std::streampos original_pos = is.tellg() ;
++  while ( rsf < buf_len && !is.eof() ) {
+ is.read ( reinterpret_cast< char * >( buf ) + rsf, buf_len - rsf ) ;
+ rsf += is.gcount () ;
+   }
++  if ( rsf != buf_len ) {
++is.seekg( original_pos ) ;
++throw InvalidStateException( "Reached end-of-file while trying to read a"
++ "Uint16; the zip archive may be corrupt." ) ;
++  }
+   return  ztohs ( buf ) ;
+ }
+ 
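
Review bot: In both read loops the added guard `!is.eof()` stops only on end-of-file, so a stream that is in a failed state without eofbit (failbit or badbit alone) still returns a `gcount()` of 0 on every pass and the loop never exits. Testing the stream itself, as in `while ( rsf < buf_len && is )`, or breaking out when `is.gcount()` is 0, would cover that case as well. After a short read the stream has failbit set, so `is.seekg( original_pos )` will not restore the position unless `is.clear()` is called first, and `original_pos` should be checked for -1 in case `tellg()` itself failed. The two exception messages are built from adjacent string literals with no space between "a" and "Uint32" / "Uint16", so they read "read aUint32" and "read aUint16"; add a trailing space to the first literal. The patch header could also carry a Bug-Debian field for #932556, which the changelog entry closes.
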
diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series
--- zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series	2017-05-09 00:29:06.0 +0200
+++ zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series	2020-03-15 17:28:33.0 +0100
@@ -4,3 +4,4 @@
 gcc43_fix.diff
 amd64_fix.diff
 pkg-config.diff
+fix_CVE-2019-13453.diff




Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-03-15 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Sun, 2020-03-15 at 20:51 +0100, Francois Mazen wrote:
> I'm seeking approval to do this update in buster.
> The goal is fixing the CVE-2019-13453.
> https://security-tracker.debian.org/tracker/CVE-2019-13453
> 

You appear to have forgotten to attach the debdiff for the proposed
update.

Regards,

Adam



Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1

2020-03-15 Thread Francois Mazen
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu



Dear Buster Release Managers,

I'm seeking approval to do this update in buster.
The goal is fixing the CVE-2019-13453.
https://security-tracker.debian.org/tracker/CVE-2019-13453

Thanks,
François

--

System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/16 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash