Hey Jonas! [Cc'ing security team address]
On Thu, Mar 26, 2020 at 12:13:34PM +0100, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2020-03-25 21:07:13)
> > Source: libunivalue
> > Version: 1.0.4-2
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/jgarzik/univalue/pull/58
> >
> > Hi,
> >
> > The following vulnerability was published for libunivalue.
> >
> > CVE-2019-18936[0]:
> > | UniValue::read() in UniValue before 1.0.5 allow attackers to cause a
> > | denial of service (the class internal data reaches an inconsistent
> > | state) via input data that triggers an error.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-18936
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18936
> > [1] https://github.com/jgarzik/univalue/pull/58
>
> I have prepared fixed packages for stretch and buster for this issue.
>
> In case you want to examine my work (I how highly appreciate that!) they
> are available on newly created branches debian/buster and debian/stretch
> in git g...@salsa.debian.org:cryptocoin-team/libunivalue.git a.k.a.
> https://salsa.debian.org/cryptocoin-team/libunivalue.git
>
> How do I proceed?

Many thanks for working on fixes in all affected branches. I quickly
skimmed over the cherry-picked patch and it looks good to me.

That said though the issue looks to me more a no-DSA candidate, and could
be fixed in a regular point release. Unless you feel I'm overlooking
something important, can I route you there?

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
contains some information.

Thank you!

Regards,
Salvatore