On Tue, Apr 22, 2025 at 01:31:07PM +0200, Andreas Henriksson wrote:
> Hello,

Hi Andreas,

>...
> I've also pulled additional
> commits adding testcases (but some are still disabled, because they need
> porting to the older libsoup 2.74 APIs), and I'm now at a published
> building package.
>...
> I'd like to ask both for opinions and help with backporting testcases.
> If you have any guidance to share on how to decide how much effort is
> worth putting into manually backporting testcase code (with the
> possibility of me introducing bugs), please share.
>...

I would aim for every CVE to verify both that the issue was present
before the fix, and that it is fixed with the fix.

That's easy when a PoC or testcase reproduces the problem; when neither
is available (or is available but does not trigger the problem) a more
thorough reading of the code is usually needed.

Most of these libsoup CVEs come with a PoC, and they should be tried.

I wouldn't spend too much effort on additionally backporting testcases
when it has already been verified with the PoC that an issue was present
and is now fixed.

> Regards,
> Andreas Henriksson
>...

cu
Adrian
