Package: xdelta3
Severity: grave
Tags: security upstream fixed-upstream

xdelta3 before 3.0.9 contains a buffer overflow which allows arbitrary code execution from input files, at least on some systems.
3.0.0.dfsg-1 and 3.0.8-dfsg-1 are definitely affected.

On 08.02.2016 at 06:57:12 +0100, Salvatore Bonaccorso wrote:
> On Sun, Feb 07, 2016 at 07:05:12PM +0400, Stepan Golosunov wrote:
> > This appears to be fixed in xdelta3 3.0.9 and later via
> > https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2
> > but not in Debian.
> >
> > What should be done next? Should I open a bug?
>
> Yes, since the commit is in the public git repo I think it is best to
> open a bug in the Debian BTS.
>
> p.s.: Just noticed there seem to be two git repositories by jmacd, the
> commit is as well in
>
> https://github.com/jmacd/xdelta/commit/969e65d3a5d70442f5bafd726bcef47a0b48edd8

README.md says that this repository contains old data from https://code.google.com/p/xdelta. Newer code and releases are currently only in xdelta-devel.
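As an added example, not part of the bug report: a POSIX shell check that reduces a Debian package version (as printed by `dpkg-query -W -f='${Version}' xdelta3`) to its upstream version and reports whether it predates the 3.0.9 fix. The version strings used as input are constructed for illustration.

```shell
# Added example, not from the bug thread: classify an installed xdelta3
# package version as "vulnerable" (upstream < 3.0.9) or "fixed".
# Assumes dpkg-style versions such as "3.0.8-dfsg-1" or "1:3.0.11-1".

# Strip the epoch, the ".dfsg"/"-dfsg" repack marker and the Debian
# revision, leaving only the upstream dotted version.
xdelta3_upstream_version() {
    printf '%s\n' "$1" \
        | sed -e 's/^[0-9]*://' \
              -e 's/[-.]dfsg.*$//' \
              -e 's/-[^-]*$//'
}

# Compare the upstream version against 3.0.9 component by component,
# treating missing components as 0 (so "3.0" sorts below "3.0.9").
xdelta3_status() {
    printf '%s %s\n' "$(xdelta3_upstream_version "$1")" 3.0.9 |
    awk '{
        n = split($1, a, "."); m = split($2, b, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            x = (i <= n) ? a[i] + 0 : 0
            y = (i <= m) ? b[i] + 0 : 0
            if (x < y) { print "vulnerable"; exit }
            if (x > y) { print "fixed"; exit }
        }
        print "fixed"
    }'
}

# Typical use on a Debian host:
#   xdelta3_status "$(dpkg-query -W -f='${Version}' xdelta3)"
```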