Re: patch / CVE-2018-1000156

2018-04-12 Thread Chris Lamb
Brian,

> Not sure I understand this comment from dla-needed.txt:

Sorry, I did not see your comment until now.

> The patch - good version at [..] doesn't touch the files noted
> above.

The patch adds a call to make_tempfile (or similar) which uses
utility functions from these aforementioned files, which in turn
uses utility functions in yet other files.

However, those files/utilities are not part of the older wheezy
version, hence I followed the "rabbit hole" of porting them over.  I
would usually be happy to backport the odd utility function or two
for a security release, but this descended into far too much code
to be aesthetically pleasing or safe.

(As I noted -- mostly to myself, alas -- we could potentially use a
less-safe version to essentially avoid pulling in many changes, if
any.)
Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
patch / CVE-2018-1000156

2018-04-11 Thread Brian May
Not sure I understand this comment from dla-needed.txt:

NOTE: 20180407: of a rabbit-hole with respect all the newer "safe_"
foo. I suspect if we can just avoid calling

NOTE: 20180407: make_tempfile (from src/util.c) and safe_unlink (from
src/safe.c) then we can avoid most of this. (lamby)

The patch - good version at
http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
doesn't touch the files noted above.

What is this "rabbit-hole" being referred to?
-- 
Brian May