Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Hi François, Salvatore, SRMs,

On 20-05-11 22:14:44, François Mazen wrote:
> thanks a lot for your help. The packaging repo is:
> https://salsa.debian.org/mzf/zipios
>
> [...]

Thanks for the pointer, I just did the upload.

Cheers,
Georg
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Hello Georg,

thanks a lot for your help. The packaging repo is:
https://salsa.debian.org/mzf/zipios

the branch for this buster patch is "fix_CVE-2019-13453_for_buster":
https://salsa.debian.org/mzf/zipios/-/tree/fix_CVE-2019-13453_for_buster

the last commit is:
https://salsa.debian.org/mzf/zipios/-/commit/7bdc65a62cacea47e03c13e6d92157da3c11f6bd

I can upload the package to mentors.d.n if needed. Just let me know.

Best,
François
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Hi,

On 20-05-10 09:00:59, Salvatore Bonaccorso wrote:
> Thanks for considering sponsoring it.
>
> Note I'm not SRM, but the upload was acked in
> https://bugs.debian.org/954020#24

ACK, I agree.

> Thanks François for preparing the update!

Thanks from my side as well.

Could you provide me a link to the packaging repository, [1] gives 404.
Alternatively, could you upload the relevant files to mentors.d.n?

Cheers,
Georg

[1] https://anonscm.debian.org/cgit/collab-maint/zipios++.git
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Hi Georg,

On Sat, May 09, 2020 at 10:58:14PM +, Georg Faerber wrote:
> Hi,
>
> On 20-05-09 14:02:21, François Mazen wrote:
> > Adam or you, could you please upload it?
>
> I'm happy to upload this, but I'm unable to do a review on my own.
>
> Dear SRMs, if that's acceptable in this case, please let me know.

Thanks for considering sponsoring it.

Note I'm not SRM, but the upload was acked in
https://bugs.debian.org/954020#24

Thanks François for preparing the update!

Regards,
Salvatore
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Hi,

On 20-05-09 14:02:21, François Mazen wrote:
> Adam or you, could you please upload it?

I'm happy to upload this, but I'm unable to do a review on my own.

Dear SRMs, if that's acceptable in this case, please let me know.

Cheers,
Georg
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Hi Salvatore,

> The problem is just, the upload is not there. Did an error happen on
> uploading?
>

I'm not DM, so someone has to sponsor the upload. Adam or you, could you please upload it?

Thanks,
François
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Hi Salvatore,

> It's now unfortunately too late for 10.4 but did you see the ack from
> Adam? If so this can be included then in 10.5.
>

I'm OK for the 10.5. Should I do anything?

Thanks,
François
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Hi François,

On Fri, May 08, 2020 at 05:11:30PM +0200, François Mazen wrote:
> Hi Salvatore,
>
> > It's now unfortunately too late for 10.4 but did you see the ack from
> > Adam? If so this can be included then in 10.5.
> >
>
> I'm OK for the 10.5. Should I do anything?

The problem is just, the upload is not there. Did an error happen on
uploading?

$ dak ls zipios++
zipios++ | 0.1.5.9+cvs.2007.04.28-5.1 | oldoldstable   | source
zipios++ | 0.1.5.9+cvs.2007.04.28-6   | oldstable      | source
zipios++ | 0.1.5.9+cvs.2007.04.28-10  | stable         | source
zipios++ | 0.1.5.9+cvs.2007.04.28-11  | testing        | source
zipios++ | 0.1.5.9+cvs.2007.04.28-11  | unstable       | source
zipios++ | 0.1.5.9+cvs.2007.04.28-11  | unstable-debug | source

Regards,
Salvatore
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Hi François

On Sun, Apr 12, 2020 at 10:28:56PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sun, 2020-03-15 at 20:57 +0100, François Mazen wrote:
> > Please find attached the debdiff.
> >
>
> Please go ahead.

It's now unfortunately too late for 10.4 but did you see the ack from
Adam? If so this can be included then in 10.5.

Regards,
Salvatore
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Control: tags -1 + confirmed

On Sun, 2020-03-15 at 20:57 +0100, François Mazen wrote:
> Please find attached the debdiff.
>

Please go ahead.

Regards,
Adam
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Please find attached the debdiff. Best, François diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog --- zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog 2017-05-28 21:20:05.0 +0200 +++ zipios++-0.1.5.9+cvs.2007.04.28/debian/changelog 2020-03-15 17:28:33.0 +0100 @@ -1,3 +1,9 @@ +zipios++ (0.1.5.9+cvs.2007.04.28-10+deb10u1) buster; urgency=high + + * fix CVE-2019-13453 for Buster (Closes: #932556) + + -- Francois Mazen Sun, 15 Mar 2020 17:28:33 +0100 + zipios++ (0.1.5.9+cvs.2007.04.28-10) unstable; urgency=medium * QA upload. diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff --- zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff 1970-01-01 01:00:00.0 +0100 +++ zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/fix_CVE-2019-13453.diff 2020-03-15 17:28:33.0 +0100 
@@ -0,0 +1,50 @@ +Description: Fix CVE-2019-13453 +Author: Francois Mazen +Origin: https://sourceforge.net/p/zipios/news/2019/07/version-017-cve-/ + +--- a/zipios++/zipheadio.h b/zipios++/zipheadio.h +@@ -9,6 +9,7 @@ + + #include "zipios++/ziphead.h" + #include "zipios++/zipios_defs.h" ++#include "zipios++/fcollexceptions.h" + + namespace zipios { + +@@ -79,10 +80,16 @@ + static const int buf_len = sizeof ( uint32 ) ; + unsigned char buf [ buf_len ] ; + int rsf = 0 ; +- while ( rsf < buf_len ) { ++ std::streampos original_pos = is.tellg() ; ++ while ( rsf < buf_len && !is.eof() ) { + is.read ( reinterpret_cast< char * >( buf ) + rsf, buf_len - rsf ) ; + rsf += is.gcount () ; + } ++ if ( rsf != buf_len ) { ++is.seekg( original_pos ) ; ++throw InvalidStateException( "Reached end-of-file while trying to read a" ++ "Uint32; the zip archive may be corrupt." ) ; ++ } + return ztohl ( buf ) ; + } + +@@ -95,10 +102,16 @@ + static const int buf_len = sizeof ( uint16 ) ; + unsigned char buf [ buf_len ] ; + int rsf = 0 ; +- while ( rsf < buf_len ) { ++ std::streampos original_pos = is.tellg() ; ++ while ( rsf < buf_len && !is.eof() ) { + is.read ( reinterpret_cast< char * >( buf ) + rsf, buf_len - rsf ) ; + rsf += is.gcount () ; + } ++ if ( rsf != buf_len ) { ++is.seekg( original_pos ) ; ++throw InvalidStateException( "Reached end-of-file while trying to read a" ++ "Uint16; the zip archive may be corrupt." ) ; ++ } + return ztohs ( buf ) ; + } + diff -Nru zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series --- zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series 2017-05-09 00:29:06.0 +0200 +++ zipios++-0.1.5.9+cvs.2007.04.28/debian/patches/series 2020-03-15 17:28:33.0 +0100 @@ -4,3 +4,4 @@ gcc43_fix.diff amd64_fix.diff pkg-config.diff +fix_CVE-2019-13453.diff signature.asc Description: This is a digitally signed message part
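Review bot: the DEP-3 header of debian/patches/fix_CVE-2019-13453.diff points `Origin:` at the upstream news post for the 0.1.7 release rather than at the upstream commit or release tarball the hunks were taken from, and carries no `Bug:` / `Bug-Debian:` field, so a later reader cannot tell whether the two hunks are a verbatim backport or a re-implementation. Add `Bug-Debian: https://bugs.debian.org/932556` (the bug the changelog closes) and, if the code was lifted from upstream, a `Bug:` or a more precise `Origin:` link to the upstream change so the backport can be diffed against it.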
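Review bot: in the readUint32 hunk (`@@ -79,10 +80,16 @@` of fix_CVE-2019-13453.diff) the `is.seekg( original_pos )` in the `rsf != buf_len` branch does not restore the stream position: a short `read()` that hits end-of-file sets failbit together with eofbit, and `seekg` on a stream whose failbit is set returns without seeking, so the stream is left failed at the point of the short read and the saved `original_pos` is never used. Either call `is.clear()` immediately before `is.seekg( original_pos )` if callers are meant to be able to rewind and retry, or drop the seek and state in the exception text that the stream is left in a failed state. Two smaller points in the same hunk: the guard `while ( rsf < buf_len && !is.eof() )` only stops on eofbit, so a read that fails with failbit or badbit but without eofbit leaves `gcount()` at 0 and the loop still spins forever, which is the same class of hang the patch is closing; `while ( rsf < buf_len && is.good() )` covers all three bits. And the adjacent string literals `"Reached end-of-file while trying to read a" "Uint32; the zip archive may be corrupt."` concatenate without a space and produce `aUint32`; add the trailing space to the first literal.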
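Review bot: the readUint16 hunk (`@@ -95,10 +102,16 @@` of fix_CVE-2019-13453.diff) duplicates the readUint32 logic line for line and inherits the same three issues: `is.seekg( original_pos )` runs while failbit is set and so does not seek, the `!is.eof()` guard does not stop on failbit/badbit, and `"... read a" "Uint16; ..."` is missing a space. Rather than patch both copies in parallel, factor the read-exactly-N-bytes loop and the short-read check into one helper taking the buffer and `buf_len`, and have both readers call it, so a later correction lands in one place and the two functions cannot drift apart.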
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Control: tags -1 + moreinfo

On Sun, 2020-03-15 at 20:51 +0100, Francois Mazen wrote:
> I'm seeking approval to do this update in buster.
> The goal is fixing the CVE-2019-13453.
> https://security-tracker.debian.org/tracker/CVE-2019-13453
>

You appear to have forgotten to attach the debdiff for the proposed update.

Regards,
Adam
Bug#954020: buster-pu: package zipios++/0.1.5.9+cvs.2007.04.28-10+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Buster Release Managers,

I'm seeking approval to do this update in buster.
The goal is fixing the CVE-2019-13453.
https://security-tracker.debian.org/tracker/CVE-2019-13453

Thanks,
François

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/16 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash