• request to send update packages for ulfius, rhonabwy and glewlwyd

    From Nicolas Mora@21:1/5 to All on Mon Sep 20 15:30:01 2021
    Hello,

    I would like to upload new versions for my packages ulfius, rhonabwy and
    glewlwyd in buster-updates for ulfius and bullseye-updates for the 3 of
    them.

    The goal is to fix the following bugs:

    - ulfius: CVE-2021-40540 (Bug #993851)
    - rhonabwy: Bug #993866
    - glewlwyd: CVE-2021-40818: webauthn buffer overflow (Bug #993867)

    The update packages are ready on my machine, although the glibc
    transition [1] blocks the packages from being fixed in testing for now...

    Thanks in advance for your feedback

    /Nicolas

    [1] https://tracker.debian.org/pkg/glibc

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jonathan Wiltshire@21:1/5 to Nicolas Mora on Mon Sep 20 23:10:02 2021
    Hi,

    On Mon, Sep 20, 2021 at 08:55:54AM -0400, Nicolas Mora wrote:
    > I would like to upload new versions for my packages ulfius, rhonabwy and
    > glewlwyd in buster-updates for ulfius and bullseye-updates for the 3 of
    > them.

    Please see the guidance in the developer's reference [1] and use reportbug
    to submit your request(s). In particular you need to include a source
    debdiff of the proposed changes.

    1: https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

    Thanks,

    --
    Jonathan Wiltshire jmw@debian.org
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

  • From Nicolas Mora@21:1/5 to All on Tue Sep 21 00:10:02 2021
    Hello Jonathan,

    Thanks for your answer, I have a couple of questions though, to make
    sure I'm on the right track before the pu window closes. It's my first
    pu upload, so I'm a little confused.

    On 2021-09-20 at 17:02, Jonathan Wiltshire wrote:

    > Please see the guidance in the developer's reference [1] and use reportbug
    > to submit your request(s). In particular you need to include a source
    > debdiff of the proposed changes.

    I follow the dev reference to make my changes but something's not clear
    for me.

    I've opened bug #994763 "Fix CVE-2021-40540 in bullseye", and I've been
    told to merge this bug with the original one (#993851) because it's not
    necessary to file a separate bug for the suites in which I want to fix
    a bug.

    So I just have to attach the debdiff files for bullseye and buster in
    the original bug #993851?

    See diff file attached for the debdiff I intend to post.

    After that, I can dput ftp-master the new packages. Am I correct?

    Thanks!

    /Nicolas

    diff -Nru ulfius-2.7.1/debian/changelog ulfius-2.7.1/debian/changelog
    --- ulfius-2.7.1/debian/changelog 2021-01-03 09:03:05.000000000 -0500
    +++ ulfius-2.7.1/debian/changelog 2021-09-19 15:39:39.000000000 -0400
    @@ -1,3 +1,9 @@
    +ulfius (2.7.1-1+deb11u1) bullseye; urgency=medium
    +
    + * d/patches: Fix CVE-2021-40540
    +
    + -- Nicolas Mora <babelouest@debian.org> Sun, 19 Sep 2021 15:39:39 -0400
    +
    ulfius (2.7.1-1) unstable; urgency=medium

    * New upstream release
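
Review bot: the new changelog entry, `* d/patches: Fix CVE-2021-40540`, carries no `Closes:` tag, so the upload will not record the bug as fixed in this version. The thread gives the bug as #993851; consider `* d/patches: Fix CVE-2021-40540 (Closes: #993851)`, and name the added file (CVE-2021-40540.patch) so the entry says what changed. The version 2.7.1-1+deb11u1 and the bullseye target are consistent with a stable update.
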
    diff -Nru ulfius-2.7.1/debian/patches/CVE-2021-40540.patch ulfius-2.7.1/debian/patches/CVE-2021-40540.patch
    --- ulfius-2.7.1/debian/patches/CVE-2021-40540.patch 1969-12-31 19:00:00.000000000 -0500
    +++ ulfius-2.7.1/debian/patches/CVE-2021-40540.patch 2021-09-19 15:39:20.000000000 -0400
    @@ -0,0 +1,13 @@
    +Description: Fix CVE-2021-40540
    +Author: Nicolas Mora <babelouest@debian.org>
    +Forwarded: not-needed
    +--- a/src/ulfius.c
    ++++ b/src/ulfius.c
    +@@ -207,6 +207,7 @@
    + UNUSED(cls);
    +
    + if (con_info != NULL) {
    ++ memset(con_info, 0, sizeof(struct connection_info_struct));
    + con_info->callback_f
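
Review bot: the patch header's Description only repeats the CVE id and does not say what the flaw is or why the fix works; a reviewer has to work out from the single added line, `memset(con_info, 0, sizeof(struct connection_info_struct));`, that the point is to zero the structure before its fields are assigned. Add a long description saying so and a `Bug-Debian:` field pointing at #993851, and if the change corresponds to an upstream commit, give it in an `Origin:` field rather than leaving only `Forwarded: not-needed`. In the code, `sizeof(*con_info)` would keep the size tied to the pointer's type. The embedded hunk is cut off at `con_info->callback_f` on this page, so the remaining lines cannot be checked here.
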
  • From Salvatore Bonaccorso@21:1/5 to Nicolas Mora on Sun Sep 26 09:30:01 2021
    Hi Nicolas

    [Disclaimer, not member of release team so no final authoritative
    answer]

    On Mon, Sep 20, 2021 at 05:42:49PM -0400, Nicolas Mora wrote:
    > Hello Jonathan,
    >
    > Thanks for your answer, I have a couple of questions though, to make sure
    > I'm on the right track before the pu window closes. It's my first pu
    > upload, so I'm a little confused.
    >
    > On 2021-09-20 at 17:02, Jonathan Wiltshire wrote:
    >
    > > Please see the guidance in the developer's reference [1] and use
    > > reportbug to submit your request(s). In particular you need to include
    > > a source debdiff of the proposed changes.
    >
    > I follow the dev reference to make my changes but something's not clear
    > for me.
    >
    > I've opened bug #994763 "Fix CVE-2021-40540 in bullseye", and I've been
    > told to merge this bug with the original one (#993851) because it's not
    > necessary to file a separate bug for the suites in which I want to fix
    > a bug.

    This is because BTS has version tracking so you can close a bug in
    multiple versions.

    > So I just have to attach the debdiff files for bullseye and buster in
    > the original bug #993851?

    This might be a misunderstanding. The debdiff should be attached to
    the respective buster-pu and bullseye-pu bug filed for the stable
    release managers for review. The changelog entry would close #993851
    but not the filed buster-pu and bullseye-pu bugs, which will be
    closed by SRMs once the respective point release update is issued.

    Hope this helps,

    Regards,
    Salvatore
