Control: tags -1 -moreinfo
Control: owner -1 Thomas Gaugler <tho...@dadie.net>
Hi Adam,
I am the maintainer of Nullsoft Scriptable Install System (NSIS) and
propose the changes committed into the debian/bookworm branch on the
27th January 2024 to be released as updated nsis 3.08-3+deb12u1 packages
(<https://salsa.debian.org/debian/nsis/-/commits/debian/bookworm>).
The changes fix the security vulnerability CVE-2023-37378
(<https://security-tracker.debian.org/tracker/CVE-2023-37378>), bogus
relocation section in the installer stubs
(<https://bugs.debian.org/1050288>) and a failed-to-build-from-source
(FTBFS) bug occurring in the arm64 reproducibility build
(<https://tests.reproducible-builds.org/debian/rb-pkg/unstable/arm64/nsis.html>).
In the following I describe each commit in more detail.
2b331c4f Cherry-pick upstream commits to fix CVE-2023-37378
This commit consists of essentially the same patches as included in the
nsis 3.04-1+deb9u1 diff uploaded by the LTS Security team. Only the
Debian patch header fields differ slightly.
(<http://security.debian.org/debian-security/pool/updates/main/n/nsis/nsis_3.04-1+deb9u1.debian.tar.xz>),
(<https://lists.debian.org/debian-lts-announce/2023/07/msg00005.html>),
(<https://tracker.debian.org/news/1442453/accepted-nsis-304-1deb9u1-source-into-oldoldstable/>)
105629f0 Use common options for nsis-doc installation
In Debian Trixie additional compile flags for hardening the security
have been introduced. These flags were wrongly applied for installing
build artifacts of the documentation targets (install-examples,
install-doc and install-docs) and caused the arm64 reproducibility build
to fail. The arm64 reproducibility worked again after changing to the
common set of flags for the documentation targets build.
(<https://tests.reproducible-builds.org/debian/rb-pkg/unstable/arm64/nsis.html>)
2d1e47e8 Exclude Debian revision suffix from VER_REVISION
The nsis 3.04-1+deb9u1 diff did "Hardcode VER_REVISION to ignore deb9u1
suffix". This change takes a generic approach by utilizing the string
functions (firstword, word) of make to exclude the Debian revision
suffix from VER_REVISION.
1ec70a5e Backport upstream commit to disable stub relocations
The original fix was not effective
(<https://salsa.debian.org/debian/nsis/-/commit/f1c043cc110797e9f06718e7bc13b7163b78c550>).
This regression was pointed out in the Debian bug report #1050288
(<https://bugs.debian.org/1050288>) and the origin of this proposed
update request. These changes are the backport of the upstream commit
to disable stub relocations in newer GNU C(++) compiler versions.
f5795972 CVE-2023-37378, nsis-doc, VER_REVISION, disable relocs
This commit documents the above described changes.
---
Once we have your agreement, my uploading sponsor (OdyX) will proceed
with the upload.
Best regards,
Thomas