Hi Christine

I noticed you already uploaded 1.31 fixing #699625 which is great,
thanks for working on this issue and fixing it already.

There is however one unfortunate thing:

 91 files changed, 28516 insertions(+), 2085 deletions(-)

This is a problem as the fix needs to go to testing too, but we are in
Freeze for wheezy now so the freeze policy[1] applies.

 [1]: http://release.debian.org/wheezy/freeze_policy.html

Could you isolate the fix needed and only perform a minimal update to
the package in regard to the version in testing? 1.30. I guess the
release team would like to see the changes reverted and have only the
bug fixed at this stage of the freeze.

I assume the only needed change is the following (only shortly looked
at the debdiff)?

----cut---------cut---------cut---------cut---------cut---------cut-----
--- latd-1.30/llogincircuit.cc  2008-08-20 13:10:23.000000000 +0000
+++ latd-1.31/llogincircuit.cc  2013-02-04 11:54:27.000000000 +0000
@@ -92,6 +92,11 @@
        else
        {
            char error[1024];
+           // Truncate cmdbuf at an arbitrary point to make sure it fits into 
error[], otherwise it's a
+           // potential security problem. Debian bug #699625
+           if (len > 900)
+                   len = 900;
+           cmdbuf[len] = '\0';
            debuglog(("Connect from invalid llogin version %s\n", cmdbuf));
            sprintf(error, "llogin version %s does not match latd version " 
VERSION, cmdbuf);
            send_reply(LATCP_ERRORMSG, error, -1);
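
Review bot: The clamp "if (len > 900) len = 900;" protects error[1024] only through a magic number, and the sprintf(error, ...) that follows stays unbounded: the fixed message text plus the expansion of VERSION must fit in the remaining 124 bytes (terminator included), which nothing in this hunk enforces. Suggest snprintf(error, sizeof(error), ...) so the bound follows the buffer, and deriving any truncation limit from sizeof(error) rather than a literal. Separately, "cmdbuf[len] = '\0';" writes at index len, and the hunk shows neither the size of cmdbuf nor a lower bound on len; please confirm that len is always smaller than the size of cmdbuf and cannot be negative at this point.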
----cut---------cut---------cut---------cut---------cut---------cut-----

Regards,
Salvatore

