On 2024-04-12 at 16:10, Christoph Anton Mitterer wrote:
> Hey.
>
> There seems to be a somewhat similar issue reported by Jakub Wilk on
> oss-security:
> https://www.openwall.com/lists/oss-security/2024/04/12/5
>
> where quoting causes troubles (though I couldn't replay the demo).

That was since assigned CVE-2024-32487 and Debian bug #1068938.

> Any chance to get both fixed in Debian unstable?

While the maintainer appears to be somewhat active elsewhere in Debian, this package hasn't seen an upload in over a year and the packaged version is getting close to three years old. (Although I found that updating to the latest upstream release version introduces new test suite and lintian issues requiring some upstream patches backported and reverted/fixed.)

In my Salsa fork[1] I have updated the package (fixing CVE-2022-48624) and backported (with necessary code changes) the CVE-2024-32487 fix.

I would like to adopt, co-maintain, or if necessary salvage src:less (see bug #1069280). But the procedure[2] for that requires 28 days of waiting for the maintainer to respond. Perhaps in the meantime a new upstream version NMU is warranted, or should the procedure be sped up somehow?

[1]: https://salsa.debian.org/pehjota/less
[2]: https://www.debian.org/doc/manuals/developers-reference/pkgs.html#how-to-salvage-a-package

-- 
Patrick "P. J." McDermott: http://www.pehjota.net/
Lead Developer, ProteanOS: http://www.proteanos.com/
Founder and CEO, Libiquity: http://www.libiquity.com/