[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/1] gnu: unrtf: Fix CVE-2016-10091.
From: |
Marius Bakke |
Subject: |
Re: [PATCH 1/1] gnu: unrtf: Fix CVE-2016-10091. |
Date: |
Tue, 03 Jan 2017 17:49:29 +0100 |
User-agent: |
Notmuch/0.23.4 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu) |
Leo Famulari <address@hidden> writes:
> * gnu/packages/patches/unrtf-CVE-2016-10091.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/unrtf.scm (unrtf)[source]: Use it.
[...]
> diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch
> b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
> new file mode 100644
> index 000000000..0a58b40db
> --- /dev/null
> +++ b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
> @@ -0,0 +1,224 @@
> +Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions):
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091
> +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
> +http://seclists.org/oss-sec/2016/q4/787
> +
> +Patch copied from Debian:
> +
> +https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8
> +
> +The Debian patch adapts this upstream commit so that it can be applied
> +to the 0.21.9 release tarball:
> +
> +http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406
Isn't the Debian patch the same as this upstream commit? I can't spot
the difference with a cursory glance.
> +diff --git a/debian/patches/series b/debian/patches/series
> +new file mode 100644
> +index 0000000..7868249
> +--- /dev/null
> ++++ b/debian/patches/series
> +@@ -0,0 +1 @@
> ++0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch
This part we surely don't need ;-)
Unless the Debian patch fixes other issues than upstream revision
3b16893a6406 I would just pick and link to that, skipping the Debian
step. WDYT?
Thanks for taking care of this!
signature.asc
Description: PGP signature