Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hi stable release team, (This is my first stable proposed update, so if I get a process item wrong, please pardon me and help me correct it. Thanks!) Bug #653238 describes a crasher bug, possibly a security vulnerability, in alpine. The security team has indicated on the bug that they're not going to open a Debian Security Advisory for the alpine bug, and indicate, "You/the maintainer may choose to fix it in (old)stable through a point update, or leave it at this." I choose to update stable through a point update. I've prepared a minimal package update that adds the patch that fixes the issue. I've tested that it builds fine in a stable pbuilder; before uploading, I have tested it on a machine running stable, where it works fine. I wanted to get your approval to upload the package to stable. As a footnote: I believe the process on my end is: * Get y'all's approval * Upload the package using "dput ftp-master alpine_2.00+dfsg-6+squeeze1.dsc" (with a binary package, as usual in Debian) * Watch it flow through into squeeze-updates with no further effort from me If I have some of that wrong, then let me know. I've read the documentation and believe I understand, but want to be careful to not mess anything up. Thanks! -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.4-trunk-amd64 (SMP w/4 CPU cores)
diff -u alpine-2.00+dfsg/debian/changelog alpine-2.00+dfsg/debian/changelog --- alpine-2.00+dfsg/debian/changelog +++ alpine-2.00+dfsg/debian/changelog @@ -1,3 +1,10 @@ +alpine (2.00+dfsg-6+squeeze1) squeeze; urgency=low + + * Fix a crash in the embedded copy of UW-IMAP, CVE-2008-5514. + (Closes: #653238) + + -- Asheesh Laroia <ashe...@asheesh.org> Sun, 26 Aug 2012 16:58:01 -0700 + alpine (2.00+dfsg-6) unstable; urgency=low * Add diversion for pico and remove conflict with nano. diff -u alpine-2.00+dfsg/debian/patches/series alpine-2.00+dfsg/debian/patches/series --- alpine-2.00+dfsg/debian/patches/series +++ alpine-2.00+dfsg/debian/patches/series @@ -9,0 +10 @@ +60_fix_embedded_uw_imap.patch only in patch2: unchanged: --- alpine-2.00+dfsg.orig/debian/patches/60_fix_embedded_uw_imap.patch +++ alpine-2.00+dfsg/debian/patches/60_fix_embedded_uw_imap.patch @@ -0,0 +1,21 @@ +diff -urN alpine-2.00/imap/src/c-client/rfc822.c alpine-2.00.fixed/imap/src/c-client/rfc822.c +--- alpine-2.00/imap/src/c-client/rfc822.c 2008-06-04 11:46:10.000000000 -0700 ++++ alpine-2.00.fixed/imap/src/c-client/rfc822.c 2012-08-26 17:12:39.678307877 -0700 +@@ -1351,6 +1351,7 @@ + + static long rfc822_output_char (RFC822BUFFER *buf,int c) + { ++ if ((buf->cur == buf->end) && !rfc822_output_flush (buf)) return NIL; + *buf->cur++ = c; /* add character, soutr buffer if full */ + return (buf->cur == buf->end) ? rfc822_output_flush (buf) : LONGT; + } +@@ -1374,7 +1375,8 @@ + len -= i; + } + /* soutr buffer now if full */ +- if (len && !rfc822_output_flush (buf)) return NIL; ++ if ((len || (buf->cur == buf->end)) && !rfc822_output_flush (buf)) ++ return NIL; + } + return LONGT; + }