Re: [Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423

2017-08-15 Thread Sebastian Andrzej Siewior
On 2017-08-15 05:55:49 [+0900], Marc Dequènes (Duck) wrote:
> Quack,
Hi,
> I was at DebConf in Canada, so I was busy meeting people :-).
> It should be done before or after flying back home.
No worries. We got the two CVEs sorted out and a release in the meantime. I see an unstable upload almost

Re: [Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423

2017-08-14 Thread Duck
Quack,
On 08/07/2017 04:22 AM, Sebastian Andrzej Siewior wrote:
> Marc, do you plan to upload something to unstable/security soon, wait for a
> new release or would you prefer someone else to NMU it with this
> change?
I was at DebConf in Canada, so I was busy meeting people :-). It should be done

Re: [Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423

2017-08-06 Thread Sebastian Andrzej Siewior
On 2017-08-06 10:22:11 [+0100], Stuart Caie wrote:
> Committed a fix:
> https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
>
> I'll put out a release in the near future.
Thank you, Stuart. Marc, do you plan to upload something to unstable/security soon, wait for a new

Re: [Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423

2017-08-06 Thread Stuart Caie
On 05/08/17 10:36, Stuart Caie wrote:
> libmspack is wrong to convert to unsigned without checking for errors first. When I get to my computer, I'll check all calls to mspack_system read/write/seek/tell methods, to be sure this doesn't happen anywhere else.
I checked all the other mspack_system

Re: [Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423

2017-08-05 Thread Stuart Caie
On 4 Aug 2017 7:40 am, Sebastian Andrzej Siewior wrote:
>
> The way I see it, the problem is that the read function returns -1 on
> error and libmspack
>   https://sources.debian.net/src/libmspack/0.5-1/mspack/cabd.c/#L524
>
> treats the return code as unsigned

Re: [Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423

2017-08-04 Thread Sebastian Andrzej Siewior
On 2017-07-23 16:52:16 [+0100], Stuart Caie wrote:
> Hello,
Hi Stuart,
> https://github.com/kyz/libmspack/commit/3e3436af6010ac245d7a390c6798e2b81ce09191
> > 2015-05-10 Stuart Caie
> > * cabd_read_string(): correct rejection of empty strings. Thanks to
> > Hanno Böck for