On Thu, Aug 15, 2019 at 08:39:02AM -0700, Chris Lamb wrote: > Hi Roberto, > > > I decided to take a shot fixing CVE-2018-11782 and CVE-2019-0203 for > > subversion in jessie. You had made the following note in > > dla-needed.txt: > > > > subversion > > NOTE: 20190804: For (at least) CVE-2018-11782 the svn_err_trace that > > is in the diff has not been added yet. (lamby) > […] > > In any event, what puzzled me was your mention of svn_err_trace in the > > diff. I found no such function or type in either diff. > > Another very quick glance suggests that it was "svn_error_trace". > Yes, I made the connection after looking over the patch more closely.
> I apologise if I misled you into thinking you should focus your time and > energy on that. > No need to apologize. There was no time or energy wasted. > ... but this makes me ponder that my notes tend to be scribbled quite > quickly, the only goal of them being to potentially save someone (or > myself) some time looking in the right place or perhaps confirming > their own investigation, rather than being something that can be 110% > trusted or otherwise treated as gospel. I'd rather write a note, > however unconfirmed, than not, if you see what I mean. > I definitely see what you mean. In this case, I took the note as a starting point, very quickly found that it was a "dead end," emailed you the question to ensure I hand't missed something, went about my normal process of examining the upstream advisories and patches, then stumbled upon the svn_error_trace reference. When I arrived at that I then realized that your note was in reference to that. Either way, the note was helpful in the end, so thanks for taking the time to make it. Regards, -Roberto -- Roberto C. Sánchez