Hi,
I requested a CVE at cveform.mitre.org so we can start a discussion with
upstream on clear grounds, and possibly involve other distros :)
From https://github.com/mtrojnar/osslsigncode/compare/2.2...2.3 there
are a lot of commits that fix memory issues, e.g.
fix double free in msi_dirent_new()
Fix more fuzzer errors
etc.
so most probably there isn't a single clean patch to apply :/
We might want to just bump buster and bullseye to 2.3, there's only
one rdep AFAICS.
Cheers!
Sylvain Beucler
Debian LTS Team
(this week's Front-Desk person)