On 2023-09-14 06:31:26 [+0100], Adam D. Barratt wrote:
> On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior wrote:
> > On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > > How does this sound for an SUA?
> [...]
> > This sounds entirely fine to me. I don't think that it is needed to
> > point out that bullseye is not affected by the second issue.
> >
>
> Great, thanks.
>
> > There is also this thing regarding libclamunrar and the update to
> > v6.2.10 of the bundled library. I *think* it is related to
> > CVE-2023-40477. Since unrar itself is only in -pu I think it is okay
> > for libclamunrar to follow the same fate.
> >
>
> Just to be completely sure, "follow the same fate" here means leaving
> libclamunrar in (o-)p-u until the point releases?
I mean there is no reason to push libclamunrar via d/updates if the
unrar package isn't. Therefore I don't mind keeping libclamunrar in
(o-)p-u until the point release. It is non-free after all.

> I assume the bundled library isn't used as-is in the Debian packaging,
> that being why libclamunrar exists.

The last time I looked the src:unrar package either didn't provide the
library or something else was different. So I tried to replace it with
libarchive but upstream wasn't pleased because it did not support some
"newer" rar formats. But now (as of the recent CVE) I was looking again,
noticed the library and noticed that clamav upstream already fiddled with
their in-tree copy. However I will spend some cycles to see if the
in-tree library can be used. If it works then it will lower the amount
of swearing needed during packaging of a new version.

> Regards,
>
> Adam

Sebastian