Processed: Re: Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-06-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #899014 [release.debian.org] stretch-pu: package blktrace/1.1.0-2
Ignoring request to alter tags of bug #899014 to the same tags previously set

-- 
899014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899014
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-06-08 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2018-05-18 at 21:13 +0200, Bas Zoetekouw wrote:
> Hi!
> 
> > Please use 1.0.5-1+deb8u1 and as target distribution just 'jessie'.
> > Use 1.1.0-2+deb9u1 and targeting 'stretch' instead (not
> > stretch-security).
> > 
> 
> Fixed.  New debdiffs follow:
> 

Please go ahead.

Regards,

Adam



Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-05-18 Thread Bas Zoetekouw
Hi!

> Please use 1.0.5-1+deb8u1 and as target distribution just 'jessie'.
> Use 1.1.0-2+deb9u1 and targeting 'stretch' instead (not
> stretch-security).
> 

Fixed.  New debdiffs follow:


Jessie:

diff -Nru blktrace-1.0.5/debian/changelog blktrace-
1.0.5/debian/changelog
--- blktrace-1.0.5/debian/changelog 2013-05-05
14:43:17.0 +0200
+++ blktrace-1.0.5/debian/changelog 2018-05-18
21:02:54.0 +0200
@@ -1,3 +1,9 @@
+blktrace (1.0.5-1+deb8u1) jessie; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw   Fri, 18 May 2018 15:47:57 +0200
+
 blktrace (1.0.5-1) unstable; urgency=low
 
   * New upstream release [February 2012].
diff -Nru blktrace-1.0.5/debian/patches/cve-2018-10689.patch blktrace-
1.0.5/debian/patches/cve-2018-10689.patch
--- blktrace-1.0.5/debian/patches/cve-2018-10689.patch  1970-01-
01 01:00:00.0 +0100
+++ blktrace-1.0.5/debian/patches/cve-2018-10689.patch  2018-05-
18 16:05:36.0 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe 
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to
avoid overflow.  Patch from https://git.kernel.org/pub/scm/linux/kernel
/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaa
c5b7
+
+Index: blktrace-1.0.5/btt/devmap.c
+===
+--- blktrace-1.0.5.orig/btt/devmap.c
 blktrace-1.0.5/btt/devmap.c
+@@ -23,7 +23,7 @@
+ 
+ struct devmap {
+   struct list_head head;
+-  char device[32], devno[32];
++  char device[PATH_MAX], devno[PATH_MAX];
+ };
+ 
+ LIST_HEAD(all_devmaps);
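
Review bot: nothing in this hunk bounds the write into `device` and `devno`; widening both arrays from 32 bytes to `PATH_MAX` raises the limit, but an input field longer than `PATH_MAX` would still overrun them. Only the declaration in `struct devmap` changes here, so it is worth confirming that the code filling these arrays uses a width-limited conversion or an explicit length check, and that `btt/devmap.c` pulls in `<limits.h>` so `PATH_MAX` is defined.
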
diff -Nru blktrace-1.0.5/debian/patches/series blktrace-
1.0.5/debian/patches/series
--- blktrace-1.0.5/debian/patches/series2012-12-23
12:30:03.0 +0100
+++ blktrace-1.0.5/debian/patches/series2018-05-18
15:56:41.0 +0200
@@ -1,2 +1,3 @@
 10_btrace_paths.patch
 spelling.patch
+cve-2018-10689.patch



Stretch:


diff -Nru blktrace-1.1.0/debian/changelog blktrace-
1.1.0/debian/changelog
--- blktrace-1.1.0/debian/changelog 2015-05-17
14:35:07.0 +0200
+++ blktrace-1.1.0/debian/changelog 2018-05-16
16:19:54.0 +0200
@@ -1,3 +1,9 @@
+blktrace (1.1.0-2+deb9u1) stretch; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw   Wed, 16 May 2018 16:19:54 +0200
+
 blktrace (1.1.0-2) unstable; urgency=low
 
   * Upload to unstable.
diff -Nru blktrace-1.1.0/debian/patches/cve-2018-10689.patch blktrace-
1.1.0/debian/patches/cve-2018-10689.patch
--- blktrace-1.1.0/debian/patches/cve-2018-10689.patch  1970-01-
01 01:00:00.0 +0100
+++ blktrace-1.1.0/debian/patches/cve-2018-10689.patch  2018-05-
16 16:19:54.0 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe 
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to
avoid overflow.  Patch from https://git.kernel.org/pub/scm/linux/kernel
/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaa
c5b7
+
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
 b/btt/devmap.c
+@@ -23,7 +23,7 @@
+
+ struct devmap {
+   struct list_head head;
+-  char device[32], devno[32];
++  char device[PATH_MAX], devno[PATH_MAX];
+ };
+
+ LIST_HEAD(all_devmaps);
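
Review bot: `Forwarded: yes` in the patch header does not fit a change that the Description says was taken from an existing commit in the blktrace git tree. DEP-3 expresses that as `Origin: upstream, <commit URL>` together with `Forwarded: not-needed`, plus a `Bug-Debian:` line for #897695. The Description would also be easier to read as a short first line, with the commit URL moved into `Origin:` instead of being wrapped across the description text.
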
diff -Nru blktrace-1.1.0/debian/patches/series blktrace-
1.1.0/debian/patches/series
--- blktrace-1.1.0/debian/patches/series2015-03-25
08:40:33.0 +0100
+++ blktrace-1.1.0/debian/patches/series2018-05-16
16:19:54.0 +0200
@@ -4,3 +4,4 @@
 pdf-date.patch
 procnum.patch
 spelling.patch
+cve-2018-10689.patch



Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-05-18 Thread Salvatore Bonaccorso
Hi Bas,

Not a Release Team member, but some suggestions to change:

On Fri, May 18, 2018 at 04:15:10PM +0200, Bas Zoetekouw wrote:
> +blktrace (1.0.5-2) oldstable-proposed-updates; urgency=high

Please use 1.0.5-1+deb8u1 and as target distribution just 'jessie'.

Same for Stretch, 

> +blktrace (1.1.0-3) stretch-security; urgency=high

Use 1.1.0-2+deb9u1 and targeting 'stretch' instead (not
stretch-security).

Regards,
Salvatore



Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-05-18 Thread Bas Zoetekouw
clone 899014 -1
tags  899014 = stretch
tags-1 = jessie
retitle -1 jessie-pu: blktrace/1.0.5-1


Let's split this for jessie and stretch



Bug#899014: stretch-pu: package blktrace/1.1.0-2

2018-05-18 Thread Bas Zoetekouw
Package: release.debian.org
Severity: normal
Tags: stretch,jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to update blktrace in Jessie (1.0.5-1) and Stretch
(1.1.0-2) to fix a buffer overflow (CVE-2018-10689, see
https://security-tracker.debian.org/tracker/CVE-2018-10689).

I've already discussed this with the security team, and they feel this
issue doesn't warrant a DSA, but should be fixed via proposed-updates
instead.

My proposed new packages can be found at https://zoetekouw.net/Zooi/blktrace/
The debdiffs are as follows:

For jessie:

diff -Nru blktrace-1.0.5/debian/changelog blktrace-1.0.5/debian/changelog
--- blktrace-1.0.5/debian/changelog 2013-05-05 14:43:17.0 +0200
+++ blktrace-1.0.5/debian/changelog 2018-05-18 15:57:31.0 +0200
@@ -1,3 +1,9 @@
+blktrace (1.0.5-2) oldstable-proposed-updates; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw   Fri, 18 May 2018 15:47:57 +0200
+
 blktrace (1.0.5-1) unstable; urgency=low
 
   * New upstream release [February 2012].
diff -Nru blktrace-1.0.5/debian/patches/cve-2018-10689.patch 
blktrace-1.0.5/debian/patches/cve-2018-10689.patch
--- blktrace-1.0.5/debian/patches/cve-2018-10689.patch  1970-01-01 
01:00:00.0 +0100
+++ blktrace-1.0.5/debian/patches/cve-2018-10689.patch  2018-05-18 
16:05:36.0 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe 
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid 
overflow.  Patch from 
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
+
+Index: blktrace-1.0.5/btt/devmap.c
+===
+--- blktrace-1.0.5.orig/btt/devmap.c
 blktrace-1.0.5/btt/devmap.c
+@@ -23,7 +23,7 @@
+ 
+ struct devmap {
+   struct list_head head;
+-  char device[32], devno[32];
++  char device[PATH_MAX], devno[PATH_MAX];
+ };
+ 
+ LIST_HEAD(all_devmaps);
diff -Nru blktrace-1.0.5/debian/patches/series 
blktrace-1.0.5/debian/patches/series
--- blktrace-1.0.5/debian/patches/series2012-12-23 12:30:03.0 
+0100
+++ blktrace-1.0.5/debian/patches/series2018-05-18 15:56:41.0 
+0200
@@ -1,2 +1,3 @@
 10_btrace_paths.patch
 spelling.patch
+cve-2018-10689.patch



For Stretch:

diff -Nru blktrace-1.1.0/debian/changelog blktrace-1.1.0/debian/changelog
--- blktrace-1.1.0/debian/changelog 2015-05-17 14:35:07.0 +0200
+++ blktrace-1.1.0/debian/changelog 2018-05-16 16:19:54.0 +0200
@@ -1,3 +1,9 @@
+blktrace (1.1.0-3) stretch-security; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw   Wed, 16 May 2018 16:19:54 +0200
+
 blktrace (1.1.0-2) unstable; urgency=low
 
   * Upload to unstable.
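
Review bot: the target `stretch-security` on the first changelog line contradicts the request above, which says the security team does not consider this worth a DSA and wants it fixed via proposed-updates. The distribution should be `stretch`, and the version `1.1.0-3` should follow the stable-update form `1.1.0-2+deb9u1`, as the reply in this thread asks.
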
diff -Nru blktrace-1.1.0/debian/patches/cve-2018-10689.patch 
blktrace-1.1.0/debian/patches/cve-2018-10689.patch
--- blktrace-1.1.0/debian/patches/cve-2018-10689.patch  1970-01-01 
01:00:00.0 +0100
+++ blktrace-1.1.0/debian/patches/cve-2018-10689.patch  2018-05-16 
16:19:54.0 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe 
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid 
overflow.  Patch from 
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
+
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
 b/btt/devmap.c
+@@ -23,7 +23,7 @@
+
+ struct devmap {
+   struct list_head head;
+-  char device[32], devno[32];
++  char device[PATH_MAX], devno[PATH_MAX];
+ };
+
+ LIST_HEAD(all_devmaps);
diff -Nru blktrace-1.1.0/debian/patches/series 
blktrace-1.1.0/debian/patches/series
--- blktrace-1.1.0/debian/patches/series2015-03-25 08:40:33.0 
+0100
+++ blktrace-1.1.0/debian/patches/series2018-05-16 16:19:54.0 
+0200
@@ -4,3 +4,4 @@
 pdf-date.patch
 procnum.patch
 spelling.patch
+cve-2018-10689.patch

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (620, 'stable'), (500, 'stable-updates'), (20, 'unstable'), (10, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)