Bug#777553: pu: package libfcgi/2.4.0-8
Control: tags -1 + pending

On Thu, 2015-02-19 at 06:05 +0100, Salvatore Bonaccorso wrote:
> Hi Adam, hi Joe,
>
> On Wed, Feb 18, 2015 at 07:11:22PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Mon, 2015-02-09 at 19:53 -0800, Joe Damato wrote:
> > > On Mon, Feb 9, 2015 at 1:16 PM, Salvatore Bonaccorso car...@debian.org wrote:
> > > > Joe, if you get an ack from the release team on your upload for libfcgi
> > > > I can happily sponsor the upload itself.
> > >
> > > How do I go about doing that? Is there a separate email list I need to ping?
> >
> > No, just be patient until we replied. :-)
> >
> > Please feel free to go ahead with the upload.
> >
> > > I don't have a GPG key that is connected to Debian in any way. I can
> > > create a key and upload it to the MIT pgp server. Is that useful at all
> > > for the upload of my changes file? Not sure if signing with my key will
> > > help or just complicate things further. From what I read, I was under
> > > the impression that changes without signatures from GPG keys in the web
> > > of trust are not processed in the upload queue.
> >
> > That's correct. You'd need someone with a known key to sponsor your
> > upload. According to his earlier mail, Salvatore is happy to do that, so
> > you shouldn't have to do anything further.
>
> I just have uploaded the package prepared by Joe to ftp-master.

Flagged for acceptance, thanks.

Regards,

Adam

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#777553: pu: package libfcgi/2.4.0-8
Control: tags -1 + confirmed

On Mon, 2015-02-09 at 19:53 -0800, Joe Damato wrote:
> On Mon, Feb 9, 2015 at 1:16 PM, Salvatore Bonaccorso car...@debian.org wrote:
> > Joe, if you get an ack from the release team on your upload for libfcgi
> > I can happily sponsor the upload itself.
>
> How do I go about doing that? Is there a separate email list I need to ping?

No, just be patient until we replied. :-)

Please feel free to go ahead with the upload.

> I don't have a GPG key that is connected to Debian in any way. I can
> create a key and upload it to the MIT pgp server. Is that useful at all
> for the upload of my changes file? Not sure if signing with my key will
> help or just complicate things further. From what I read, I was under
> the impression that changes without signatures from GPG keys in the web
> of trust are not processed in the upload queue.

That's correct. You'd need someone with a known key to sponsor your
upload. According to his earlier mail, Salvatore is happy to do that, so
you shouldn't have to do anything further.

Regards,

Adam
Bug#777553: pu: package libfcgi/2.4.0-8
Hi Adam, hi Joe,

On Wed, Feb 18, 2015 at 07:11:22PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2015-02-09 at 19:53 -0800, Joe Damato wrote:
> > On Mon, Feb 9, 2015 at 1:16 PM, Salvatore Bonaccorso car...@debian.org wrote:
> > > Joe, if you get an ack from the release team on your upload for libfcgi
> > > I can happily sponsor the upload itself.
> >
> > How do I go about doing that? Is there a separate email list I need to ping?
>
> No, just be patient until we replied. :-)
>
> Please feel free to go ahead with the upload.
>
> > I don't have a GPG key that is connected to Debian in any way. I can
> > create a key and upload it to the MIT pgp server. Is that useful at all
> > for the upload of my changes file? Not sure if signing with my key will
> > help or just complicate things further. From what I read, I was under
> > the impression that changes without signatures from GPG keys in the web
> > of trust are not processed in the upload queue.
>
> That's correct. You'd need someone with a known key to sponsor your
> upload. According to his earlier mail, Salvatore is happy to do that, so
> you shouldn't have to do anything further.

I just have uploaded the package prepared by Joe to ftp-master.

Regards,
Salvatore
Bug#777553: pu: package libfcgi/2.4.0-8
On Mon, Feb 9, 2015 at 1:16 PM, Salvatore Bonaccorso car...@debian.org wrote:
> Hi Joe,
>
> Not member of the release team here, so not authoritative ;-). So just
> giving some comments. Btw, thanks for preparing the package!

Thanks for your helpful comments. I have no idea what I'm doing as far as
Debian standards go, so your reply is much appreciated.

> > +libfcgi (2.4.0-8.2) wheezy-security; urgency=high
>
> The version should be 2.4.0-8.1+deb7u1. 2.4.0-8.2 cannot be used as
> 2.4.0-8.2 was already in the archive. For the s-t-u wheezy-security as
> distribution needs to be changed to wheezy.

Fixed both of these, see attached debdiff. Wasn't sure what to set the
urgency to, so I set it to low.

> > + * Non-maintainer upload.
> > + * Apply path from Anton Kortunov to swap select with poll to avoid
> > +stack smashing (See: #681591 and LP: #933417).
>
> could you please reference as well the CVE in the changelog, and close
> the bug: you can use Closes: #681591 to reach this.

Fixed both of these, as well.

> Joe, if you get an ack from the release team on your upload for libfcgi
> I can happily sponsor the upload itself.

How do I go about doing that? Is there a separate email list I need to ping?

I don't have a GPG key that is connected to Debian in any way. I can
create a key and upload it to the MIT pgp server. Is that useful at all
for the upload of my changes file? Not sure if signing with my key will
help or just complicate things further. From what I read, I was under
the impression that changes without signatures from GPG keys in the web
of trust are not processed in the upload queue.

Joe

libfcgi_2.4.0-8.1_2.4.0-8.1+deb7u1.diff.gz
Description: GNU Zip compressed data
Bug#777553: pu: package libfcgi/2.4.0-8
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi:

There is a stack smashing/corruption bug in libfcgi/2.4.0-8. The bug was
fixed in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591,
however this package is currently in unstable as other changes were added
as well.

This bug is a security issue as you can DoS a server process quite easily.
A CVE has been assigned (CVE-2012-6687):
http://www.openwall.com/lists/oss-security/2015/02/07/4.

Ubuntu accepted my patched version of their package into 12.04
precise-security:
https://bugs.launchpad.net/ubuntu/precise/+source/libfcgi/+bug/1418778

Instructions for setting up a PoC:
https://gist.github.com/ice799/abc2522397b1605a5d7f.

I sent my changes to the security team who told me this should be fixed
with an 's-p-u' so I am trying to follow directions found online on how
to do this.

I've attached a debdiff I generated against the version in stable.

Let me know how else I can help.

Thanks,
Joe

-- System Information:
Debian Release: 7.6
  APT prefers wheezy
  APT policy: (500, 'wheezy'), (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

libfcgi_2.4.0-8.1_2.4.0-8.2.diff.gz
Description: GNU Zip compressed data
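The corruption the report describes comes from how select() represents descriptors: an fd_set is a fixed bit array of FD_SETSIZE bits, so FD_SET() on a descriptor number at or above FD_SETSIZE writes outside the array, and when the fd_set is a stack local that is memory corruption on the stack; a server that has many connections open (or inherits a high-numbered socket) reaches that number without any attacker-controlled data at all, which is why the fix replaces select() with poll(). The following C is an added example written for this page; it is not libfcgi's code and not Joe's or Anton Kortunov's patch. It shows the two defensive options: a checked FD_SET wrapper that fails closed, and a poll()-based wait in the style of the patch, which has no FD_SETSIZE limit because the descriptor number is stored in a struct rather than used as a bit index. The function names and the pipe-based self-check are assumptions of this example.

```c
/* Added example, not part of libfcgi or of the patch under discussion.
 * Demonstrates why select() breaks on high descriptor numbers and the
 * two ways to stay safe: bounds-check before FD_SET(), or use poll(). */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Option 1: keep select() but refuse descriptors an fd_set cannot hold.
 * Without this check, FD_SET(fd, set) with fd >= FD_SETSIZE sets a bit
 * past the end of the fd_set, i.e. past the end of a stack buffer. */
int fdset_add_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;          /* caller must fail closed, not carry on */
    }
    FD_SET(fd, set);
    return 0;
}

/* Self-check for option 1: 1 if fd was registered, -1 if it was refused.
 * The fd_set is a stack local on purpose, mirroring the vulnerable pattern;
 * the check above is what keeps the write inside it. */
int demo_checked_fdset(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    if (fdset_add_checked(fd, &set) < 0)
        return -1;
    return FD_ISSET(fd, &set) ? 1 : 0;
}

/* Option 2 (the approach the libfcgi patch takes): wait with poll().
 * struct pollfd carries the descriptor as an integer, so any valid fd
 * works regardless of FD_SETSIZE. Returns 1 readable, 0 timeout, -1 error. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd;
    int rc;

    pfd.fd = fd;
    pfd.events = POLLIN;
    pfd.revents = 0;
    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);   /* retry on signal interruption */
    if (rc <= 0)
        return rc;
    return (pfd.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

/* Self-check for option 2 on a constructed pipe: with one byte written the
 * read end is immediately readable (1); with nothing written, poll() times
 * out (0). Both pipe ends stay open until the end so no POLLHUP is raised. */
int demo_poll_on_pipe(int write_first)
{
    int p[2];
    int ready;

    if (pipe(p) < 0)
        return -1;
    if (write_first && write(p[1], "x", 1) != 1) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    ready = wait_readable_poll(p[0], 50);
    close(p[0]);
    close(p[1]);
    return ready;
}

int main(void)
{
    printf("FD_SETSIZE on this system: %d\n", FD_SETSIZE);
    printf("register fd 0: %d, register fd FD_SETSIZE: %d\n",
           demo_checked_fdset(0), demo_checked_fdset(FD_SETSIZE));
    printf("poll on pipe with data: %d, without data: %d\n",
           demo_poll_on_pipe(1), demo_poll_on_pipe(0));
    return 0;
}
```

The bounds check is the minimal mitigation when select() cannot be removed; it turns silent memory corruption into a visible EINVAL that the caller has to handle (typically by rejecting the connection). Moving to poll() removes the limit altogether, which is why it is the better fix for a server that legitimately holds many descriptors.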
Bug#777553: pu: package libfcgi/2.4.0-8
Hi Joe,

Not member of the release team here, so not authoritative ;-). So just
giving some comments. Btw, thanks for preparing the package!

> diff -Nru libfcgi-2.4.0/debian/changelog libfcgi-2.4.0/debian/changelog
> --- libfcgi-2.4.0/debian/changelog2011-08-20 14:44:38.0 -0700
> +++ libfcgi-2.4.0/debian/changelog2015-02-05 22:19:52.0 -0800
> @@ -1,3 +1,11 @@
> +libfcgi (2.4.0-8.2) wheezy-security; urgency=high

The version should be 2.4.0-8.1+deb7u1. 2.4.0-8.2 cannot be used as
2.4.0-8.2 was already in the archive. For the s-t-u wheezy-security as
distribution needs to be changed to wheezy.

> + * Non-maintainer upload.
> + * Apply path from Anton Kortunov to swap select with poll to avoid
> +stack smashing (See: #681591 and LP: #933417).

could you please reference as well the CVE in the changelog, and close
the bug: you can use Closes: #681591 to reach this.

> diff -Nru libfcgi-2.4.0/debian/patches/poll libfcgi-2.4.0/debian/patches/poll
> --- libfcgi-2.4.0/debian/patches/poll 1969-12-31 16:00:00.0 -0800
> +++ libfcgi-2.4.0/debian/patches/poll 2015-02-05 22:18:28.0 -0800
> @@ -0,0 +1,81 @@
> +diff --git a/libfcgi/os_unix.c b/libfcgi/os_unix.c
> +index 73e6a7f..af35aee 100755
> +--- a/libfcgi/os_unix.c b/libfcgi/os_unix.c
> +@@ -42,6 +42,7 @@ static const char rcsid[] = $Id: os_unix.c,v 1.37 2002/03/05 19:14:49 robs Exp

Not a strict requirement but would be nice to add some patch headers to
the actual patch, see http://dep.debian.net/deps/dep3/ for the patch
tagging guidelines.

Joe, if you get an ack from the release team on your upload for libfcgi
I can happily sponsor the upload itself.

Regards,
Salvatore
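Review bot: In the debian/changelog hunk, the entry "Apply path from Anton Kortunov" reads "path" where "patch" is meant, and the continuation line "+stack smashing (See: #681591 and LP: #933417)." appears here with no leading whitespace; if that is how it stands in the file rather than an artefact of the mail, dpkg-parsechangelog will not accept a change line starting in column 0, so it needs the usual two-space indent under the "*" item. While that entry is being touched, naming the identifier from the report (CVE-2012-6687) on the same item and adding "Closes: #681591" keeps the security tracker and the BTS in sync with the upload.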