Re: Re: libappimage lts update
The issue was introduced in version 0.2.0-alpha here: https://github.com/AppImageCommunity/libappimage/commit/ac28b2690d921c4cf2d20a511afcf247cff04d61
So Buster is in fact not vulnerable, as it has version 0.1.9 and the code does not yet exist.
Thank you so much for your time and sorry for the noise.
Scarlett

On Tue, Jan 24, 2023 at 7:48 AM Scarlett Moore wrote:
>
> I have made myself very confused. That patch does not apply
> though and will require further research.
> I will reach out again when I am actually ready.
> Sorry,
> Scarlett
>
> On Mon, Jan 23, 2023 at 12:00 PM Scarlett Moore wrote:
> >
> > On Mon, Jan 23, 2023, 9:47 AM Utkarsh Gupta wrote:
> >>
> >> Hi Scarlett,
> >>
> >> On Mon, Jan 23, 2023 at 6:43 PM Scarlett Moore wrote:
> >> > It turns out the issue affects 0.4 or earlier. Buster has 0.9.1 which was
> >> > completely rewritten C -> C++ and not affected. While I was looking
> >> > forward to learning this process, I am happy libappimage is not vulnerable in
> >> > Buster.
> >>
> >> Are you sure? Because as I see it, buster has 0.1.9 (and not 0.9.1)
> >> which is < 0.4. :)
> >
> > Hah, indeed you are right, bad case of dyslexia there.
> >>
> >> > Now the question is how does one get this blemish removed or shown as
> >> > fixed?
> >> > https://security-tracker.debian.org/tracker/source-package/libappimage
> >>
> >> I'll be happy to show you the next steps once we confirm whether or
> >> not the package is really vulnerable. Let me know what you think. TIA.
> >>
> > It is in fact quite vulnerable, I am ready for the next steps.
> > Thank you so much.
> > Scarlett
> >
> >> - u
Re: Re: libappimage lts update
I have made myself very confused. That patch does not apply though and will require further research.
I will reach out again when I am actually ready.
Sorry,
Scarlett

On Mon, Jan 23, 2023 at 12:00 PM Scarlett Moore wrote:
>
> On Mon, Jan 23, 2023, 9:47 AM Utkarsh Gupta wrote:
>>
>> Hi Scarlett,
>>
>> On Mon, Jan 23, 2023 at 6:43 PM Scarlett Moore wrote:
>> > It turns out the issue affects 0.4 or earlier. Buster has 0.9.1 which was
>> > completely rewritten C -> C++ and not affected. While I was looking
>> > forward to learning this process, I am happy libappimage is not vulnerable in Buster.
>>
>> Are you sure? Because as I see it, buster has 0.1.9 (and not 0.9.1)
>> which is < 0.4. :)
>
> Hah, indeed you are right, bad case of dyslexia there.
>>
>> > Now the question is how does one get this blemish removed or shown as
>> > fixed?
>> > https://security-tracker.debian.org/tracker/source-package/libappimage
>>
>> I'll be happy to show you the next steps once we confirm whether or
>> not the package is really vulnerable. Let me know what you think. TIA.
>>
> It is in fact quite vulnerable, I am ready for the next steps.
> Thank you so much.
> Scarlett
>
>> - u
Re: Re: libappimage lts update
On Mon, Jan 23, 2023, 9:47 AM Utkarsh Gupta wrote:
> Hi Scarlett,
>
> On Mon, Jan 23, 2023 at 6:43 PM Scarlett Moore wrote:
> > It turns out the issue affects 0.4 or earlier. Buster has 0.9.1 which was
> > completely rewritten C -> C++ and not affected. While I was looking
> > forward to learning this process, I am happy libappimage is not vulnerable in
> > Buster.
>
> Are you sure? Because as I see it, buster has 0.1.9 (and not 0.9.1)
> which is < 0.4. :)

Hah, indeed you are right, bad case of dyslexia there.

> > Now the question is how does one get this blemish removed or shown as
> > fixed?
> > https://security-tracker.debian.org/tracker/source-package/libappimage
>
> I'll be happy to show you the next steps once we confirm whether or
> not the package is really vulnerable. Let me know what you think. TIA.

It is in fact quite vulnerable, I am ready for the next steps.
Thank you so much.
Scarlett

> - u
Re: Re: libappimage lts update
Hi Scarlett,

On Mon, Jan 23, 2023 at 6:43 PM Scarlett Moore wrote:
> It turns out the issue affects 0.4 or earlier. Buster has 0.9.1 which was
> completely rewritten C -> C++ and not affected. While I was looking forward to
> learning this process, I am happy libappimage is not vulnerable in Buster.

Are you sure? Because as I see it, buster has 0.1.9 (and not 0.9.1)
which is < 0.4. :)

> Now the question is how does one get this blemish removed or shown as fixed?
> https://security-tracker.debian.org/tracker/source-package/libappimage

I'll be happy to show you the next steps once we confirm whether or
not the package is really vulnerable. Let me know what you think. TIA.

- u
Re: Re: libappimage lts update
Hello!
It turns out the issue affects 0.4 or earlier. Buster has 0.9.1 which was completely rewritten C -> C++ and not affected. While I was looking forward to learning this process, I am happy libappimage is not vulnerable in Buster.
Now the question is how does one get this blemish removed or shown as fixed?
https://security-tracker.debian.org/tracker/source-package/libappimage
Thank you for your time,
Scarlett
Re: libappimage lts update
Hi Scarlett,

On Sat, Jan 21, 2023 at 8:51 PM Scarlett Moore wrote:
> and the CVE is not listed. I need to know how I proceed as it stated "Do not
> add it, frontdesk needs to." I am a maintainer of the package and I do have the
> upstream fix.

Thank you for reaching out. I am at the front desk this week. As Anton
mentioned, please let me know whatever suits you, I'll be happy to assist.

- u
Re: libappimage lts update
Hello Scarlett,

thanks for your email! Please prepare a fix for the package, upload it to your salsa repo, and let us know. We will take care of adding the package to the dla-needed list and preparing all necessary steps for that. If you prefer to upload the package on your own, we can also support and consult you.

Best regards,
Anton

On Sat., Jan 21, 2023 at 16:21 Scarlett Moore <scarlett.gately.mo...@gmail.com> wrote:
> Hello,
> The security team pointed me here as Buster is now LTS.
> I am reaching out to see if/how I should update libappimage in buster.
> The bug is https://security-tracker.debian.org/tracker/CVE-2020-25265
> The upstream fix is:
> https://github.com/AppImageCommunity/libappimage/pull/146
> I followed instructions here:
> https://lts-team.pages.debian.net/wiki/Development.html#claim-the-issue-in-the-security-tracker-in-dla-needed-txt
>
> and the CVE is not listed. I need to know how I proceed as it stated "Do not
> add it, frontdesk needs to." I am a maintainer of the package and I do have the
> upstream fix.
>
> Thank you for any assistance in the matter.
> Scarlett Moore
libappimage lts update
Hello,
The security team pointed me here as Buster is now LTS.
I am reaching out to see if/how I should update libappimage in buster.
The bug is https://security-tracker.debian.org/tracker/CVE-2020-25265
The upstream fix is: https://github.com/AppImageCommunity/libappimage/pull/146
I followed instructions here: https://lts-team.pages.debian.net/wiki/Development.html#claim-the-issue-in-the-security-tracker-in-dla-needed-txt
and the CVE is not listed. I need to know how I proceed, as it stated "Do not add it, frontdesk needs to." I am a maintainer of the package and I do have the upstream fix.
Thank you for any assistance in the matter.
Scarlett Moore