Re: CVE-2019-14866

2019-11-03 Thread Ola Lundqvist
Hi again

The new patch can be found here:
http://apt.inguza.net/wheezy-security/cpio/CVE-2019-14866.patch

It is not perfectly properly documented since it refers to a commit that does
not contain it all. But I think you get the point anyway.

// Ola

On Mon, 4 Nov 2019 at 08:10, Ola Lundqvist  wrote:

> Hi Sergey, Thomas and cpio Debian maintainers
>
> I have been preparing fixes for CVE-2019-14866 for Debian oldstable and
> oldoldstable. While doing that I realized that the patch mentioned here (1)
> does work for amd64 but does not work for i386.
> I was able to build on both amd64 and i386 but the fix obviously did not
> work on i386 since I could reproduce the problem.
>
> I think the reason for this is that a long is 32 bit on i386 while it is
> 64 bits on amd64.
>
> (1) https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg3.html
>
> The fix is very simple. Change the "long" to a "long long" in
> to_out_or_error.
>
> With that correction it works when I build and test on i386.
> Please let me know what you think. I'm going to upload a fixed package to
> Debian oldstable and oldoldstable tomorrow.
>
> Best regards
>
> // Ola
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology 
> |  o...@inguza.com   o...@debian.org |
> |  http://inguza.com/   Mobile: +46 (0)70-332 1551 |
>  ---
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
|  o...@inguza.com   o...@debian.org |
|  http://inguza.com/   Mobile: +46 (0)70-332 1551 |
 ---


CVE-2019-14866

2019-11-03 Thread Ola Lundqvist
Hi Sergey, Thomas and cpio Debian maintainers

I have been preparing fixes for CVE-2019-14866 for Debian oldstable and
oldoldstable. While doing that I realized that the patch mentioned here (1)
does work for amd64 but does not work for i386.
I was able to build on both amd64 and i386 but the fix obviously did not
work on i386 since I could reproduce the problem.

I think the reason for this is that a long is 32 bit on i386 while it is 64
bits on amd64.

(1) https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg3.html

The fix is very simple. Change the "long" to a "long long" in
to_out_or_error.

With that correction it works when I build and test on i386.
Please let me know what you think. I'm going to upload a fixed package to
Debian oldstable and oldoldstable tomorrow.

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
|  o...@inguza.com   o...@debian.org |
|  http://inguza.com/   Mobile: +46 (0)70-332 1551 |
 ---
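The 32-bit `long` problem Ola describes, as an added example in C that is not the cpio patch or any thread participant's code: the function names are hypothetical, and `uint32_t` stands in for i386's 32-bit `long` so the truncation reproduces on a 64-bit host (the 11-digit width used below is that of the odc size field in cpio headers).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Largest value representable in `digits` octal digits, e.g. 11 digits
 * -> 2^33 - 1.  Guarded so the shift never reaches 64 bits. */
unsigned long long octal_field_max(unsigned digits)
{
    if (digits >= 22)
        return UINT64_MAX;
    return (1ULL << (3 * digits)) - 1;
}

/* Range check as it behaves when written with a 32-bit `long` (i386).
 * uint32_t is a hypothetical stand-in for that `long`: the 64-bit value
 * is reduced modulo 2^32 before it is compared, so bits 32 and above are
 * lost and an oversized value can look as if it fits the field. */
bool fits_in_field_i386_long(unsigned long long value, unsigned digits)
{
    uint32_t truncated = (uint32_t)value;
    return (unsigned long long)truncated <= octal_field_max(digits);
}

/* Corrected check with a 64-bit type (`long long`): the comparison sees
 * the whole value on both i386 and amd64. */
bool fits_in_field_long_long(unsigned long long value, unsigned digits)
{
    return value <= octal_field_max(digits);
}

int main(void)
{
    /* Constructed sample: a size that needs 34 bits, against an 11-digit field. */
    unsigned long long size = 1ULL << 33;
    printf("32-bit long check says fits: %d\n", fits_in_field_i386_long(size, 11));
    printf("long long check says fits:   %d\n", fits_in_field_long_long(size, 11));
    return 0;
}
```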


Re: cpio and CVE-2019-14866 for testing

2019-11-03 Thread Ola Lundqvist
Hi

Thank you. I have concluded that the patch only works on amd64, not on i386.

I'll contact the maintainer.

// Ola

On Sun, 3 Nov 2019 at 18:03, Sylvain Beucler  wrote:

> Hi,
>
> On 29/10/2019 23:12, Ola Lundqvist wrote:
> > Hi LTS contributors
> >
> > I have built a cpio package with CVE-2019-14866 corrected.
> > According to my testing it is no longer possible to reproduce the
> > problem reported in this CVE.
> >
> > You can find the packages I have produced here:
> > http://apt.inguza.net/jessie-security/cpio
> >
> > The (so far rather limited) testing I have done can be found in
> > README.testresult
> > How to reproduce the problem can be found in the patch. It is easy to
> > reproduce the problem on both jessie and wheezy.
> >
> > The debdiff is found in cpio.debdiff.
> >
> > Since cpio is a rather crucial package I would like some more people
> > to test this package. At least for regression.
>
> I got contacted by cpio maintainer Sergey Poznyakoff 
> who told me he was in the process of fixing it.
>
> You could coordinate with him and/or watch the upstream git repo for a
> sanctioned patch, which should help with your testing requirements :)
>
> Cheers!
> Sylvain
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
|  o...@inguza.com   o...@debian.org |
|  http://inguza.com/   Mobile: +46 (0)70-332 1551 |
 ---


(semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-11-03 Thread Holger Levsen
hi,

today I unclaimed for LTS:

- ampache (Roberto C. Sánchez)
- thunderbird (Emilio)

and none for eLTS.


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: cpio and CVE-2019-14866 for testing

2019-11-03 Thread Sylvain Beucler
Hi,

On 29/10/2019 23:12, Ola Lundqvist wrote:
> Hi LTS contributors
>
> I have built a cpio package with CVE-2019-14866 corrected.
> According to my testing it is no longer possible to reproduce the
> problem reported in this CVE.
>
> You can find the packages I have produced here:
> http://apt.inguza.net/jessie-security/cpio
>
> The (so far rather limited) testing I have done can be found in
> README.testresult
> How to reproduce the problem can be found in the patch. It is easy to
> reproduce the problem on both jessie and wheezy.
>
> The debdiff is found in cpio.debdiff.
>
> Since cpio is a rather crucial package I would like some more people
> to test this package. At least for regression.

I got contacted by cpio maintainer Sergey Poznyakoff 
who told me he was in the process of fixing it.

You could coordinate with him and/or watch the upstream git repo for a
sanctioned patch, which should help with your testing requirements :)

Cheers!
Sylvain



RFT: Linux 3.16.76 package

2019-11-03 Thread Ben Hutchings
I uploaded a snapshot of the jessie-security branch of linux, with the
version 3.16.76-1~git20191101.154b211, to people.debian.org:

https://people.debian.org/~benh/packages/jessie-security/

There are source and binaries for amd64 and i386, along with a signed
.changes file.

Let me know if you find any regressions from the current released
version (3.16.74-1).

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
   - Robert Coveyou


