Hi,
attached are proposed debdiffs for updating gtkwave to 3.3.118 in {bookworm,bullseye,buster}-security for review for a DSA
(and as preview for buster).
General notes:
As suggested by the security team in #1060407, this is a backport of a
new upstream version to fix the 82 CVEs.
I checked a handful CVEs, and they were also present in buster.
If anyone insists that I check for every single CVE whether it is also
in buster I can do that, but that would be a lot of work.
As already mentioned in #1060407, the ghwdump tool (and manpage) was
dropped in 3.3.110 from the upstream sources, and is now in ghdl-tools.
For bullseye and buster it is therefore readded.
As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3. Looking closer I realized that this is actually one tarball that
supports GTK 1+2, and one tarball that supports GTK 2+3.
I did stay at the GTK 1+2 tarball that was already used before
for bullseye and buster since there was anyway a different upstream
tarball required for the +really version that is required to avoid
creating file conflicts with ghwdump when upgrading to bookworm.
What does the security team consider the best versioning for bullseye?
In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up preferring 3.3.104+really3.3.118-0+deb11u1
debdiffs contain only changes to debian/
bookworm notes:
- version 3.3.118-0.1~deb12u1
- GTK 3, using GTK 2+3 upstream tarball
- identical file list in the binary package as before
- no changes in the runtime dependencies
- the second debdiff contains the diff to the version in sid
that was backported
- viewing a VCD file was tested
bullseye notes:
- version 3.3.104+really3.3.118-0+deb11u1
- GTK 2, using GTK 1+2 upstream tarball
- ghwdump readded
- identical file list in the binary package as before
- only diff in the runtime dependencies is from a
transitional package:
[-libgdk-pixbuf2.0-0-] {+libgdk-pixbuf-2.0-0+}
- viewing a VCD file was tested
- using ghwdump to dump information from a GHW file was tested
buster notes:
- version 3.3.98+really3.3.118-0+deb10u1
- GTK 2, using GTK 1+2 upstream tarball
- ghwdump readded
- identical file list in the binary package as before
- no changes in the runtime dependencies
- viewing a VCD file was tested
- using ghwdump to dump information from a GHW file was tested
cu
Adrian
diff -Nru gtkwave-3.3.114/debian/changelog gtkwave-3.3.118/debian/changelog
--- gtkwave-3.3.114/debian/changelog 2023-01-20 05:01:31.000000000 +0200
+++ gtkwave-3.3.118/debian/changelog 2024-03-28 08:53:47.000000000 +0200
@@ -1,3 +1,58 @@
+gtkwave (3.3.118-0.1~deb12u1) bookworm-security; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for bookworm-security.
+
+ -- Adrian Bunk <
bunk@debian.org> Thu, 28 Mar 2024 08:53:47 +0200
+
+gtkwave (3.3.118-0.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * New upstream release.
+ - Fixes multiple vulnerabilities:
+ CVE-2023-32650, CVE-2023-34087, CVE-2023-34436, CVE-2023-35004,
+ CVE-2023-35057, CVE-2023-35128, CVE-2023-35702, CVE-2023-35703,
+ CVE-2023-35704, CVE-2023-35955, CVE-2023-35956, CVE-2023-35957,
+ CVE-2023-35958, CVE-2023-35959, CVE-2023-35960, CVE-2023-35961,
+ CVE-2023-35962, CVE-2023-35963, CVE-2023-35964, CVE-2023-35969,
+ CVE-2023-35970, CVE-2023-35989, CVE-2023-35992, CVE-2023-35994,
+ CVE-2023-35995, CVE-2023-35996, CVE-2023-35997, CVE-2023-36746