Bug#685961: pu: package alpine/2.00+dfsg-6+squeeze1

2012-08-26 Thread Asheesh Laroia
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi stable release team,

(This is my first stable proposed update, so if I get a process item wrong,
please pardon me and help me correct it. Thanks!)

Bug #653238 describes a crasher bug, possibly a security vulnerability, in
alpine. The security team has indicated on the bug that they're not going to
open a Debian Security Advisory for the alpine bug, and indicate, "You/the
maintainer may choose to fix it in (old)stable through a point update, or leave
it at this." I choose to update stable through a point update.

I've prepared a minimal package update that adds the patch that fixes the
issue. I've tested that it builds fine in a stable pbuilder; before uploading,
I have tested it on a machine running stable, where it works fine.

I wanted to get your approval to upload the package to stable.

As a footnote: I believe the process on my end is:

* Get y'all's approval
* Upload the package using "dput ftp-master alpine_2.00+dfsg-6+squeeze1.dsc"
(with a binary package, as usual in Debian)
* Watch it flow through into squeeze-updates with no further effort from me

If I have some of that wrong, then let me know. I've read the documentation and
believe I understand, but want to be careful to not mess anything up.

Thanks!

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.4-trunk-amd64 (SMP w/4 CPU cores)
diff -u alpine-2.00+dfsg/debian/changelog alpine-2.00+dfsg/debian/changelog
--- alpine-2.00+dfsg/debian/changelog
+++ alpine-2.00+dfsg/debian/changelog
@@ -1,3 +1,10 @@
+alpine (2.00+dfsg-6+squeeze1) squeeze; urgency=low
+
+  * Fix a crash in the embedded copy of UW-IMAP, CVE-2008-5514.
+(Closes: #653238)
+
+ -- Asheesh Laroia   Sun, 26 Aug 2012 16:58:01 -0700
+
 alpine (2.00+dfsg-6) unstable; urgency=low
 
   * Add diversion for pico and remove conflict with nano.
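Review bot: the continuation line `+(Closes: #653238)` sits at column zero in this hunk, whereas a changelog continuation line belongs indented under its bullet (four spaces, aligned with the text after `  * Fix a crash`); if that is not just whitespace lost in transit, `dpkg-parsechangelog` and lintian will complain, so check the file before uploading. Since this entry is the only place the upload ties CVE-2008-5514 to #653238, it would also help to name the added patch (`60_fix_embedded_uw_imap.patch`) and the affected function in the entry, e.g. "Fix a one-byte buffer overrun in rfc822_output_char() in the embedded copy of UW-IMAP, CVE-2008-5514 (Closes: #653238)".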
diff -u alpine-2.00+dfsg/debian/patches/series alpine-2.00+dfsg/debian/patches/series
--- alpine-2.00+dfsg/debian/patches/series
+++ alpine-2.00+dfsg/debian/patches/series
@@ -9,0 +10 @@
+60_fix_embedded_uw_imap.patch
only in patch2:
unchanged:
--- alpine-2.00+dfsg.orig/debian/patches/60_fix_embedded_uw_imap.patch
+++ alpine-2.00+dfsg/debian/patches/60_fix_embedded_uw_imap.patch
@@ -0,0 +1,21 @@
+diff -urN alpine-2.00/imap/src/c-client/rfc822.c alpine-2.00.fixed/imap/src/c-client/rfc822.c
+--- alpine-2.00/imap/src/c-client/rfc822.c	2008-06-04 11:46:10.0 -0700
 alpine-2.00.fixed/imap/src/c-client/rfc822.c	2012-08-26 17:12:39.678307877 -0700
+@@ -1351,6 +1351,7 @@
+ 
+ static long rfc822_output_char (RFC822BUFFER *buf,int c)
+ {
++  if ((buf->cur == buf->end) && !rfc822_output_flush (buf)) return NIL;
+   *buf->cur++ = c;		/* add character, soutr buffer if full */
+   return (buf->cur == buf->end) ? rfc822_output_flush (buf) : LONGT;
+ }
+@@ -1374,7 +1375,8 @@
+   len -= i;
+ }
+ /* soutr buffer now if full */
+-if (len && !rfc822_output_flush (buf)) return NIL;
++if ((len || (buf->cur == buf->end)) && !rfc822_output_flush (buf))
++  return NIL;
+   }
+   return LONGT;
+ }
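Review bot: the `+++` header for `alpine-2.00.fixed/imap/src/c-client/rfc822.c` is shown as a bare path line (no leading `+` and no `+++ `) between the `---` line and the `@@ -1351,6 +1351,7 @@` hunk, so as displayed the embedded patch would not parse; confirm that the file in the source package carries the intact `++++ alpine-2.00.fixed/imap/src/c-client/rfc822.c` line, otherwise quilt will refuse the series at build time. The patch also has no DEP-3 header (Description, Origin, Bug, Bug-Debian), which it should, so that the link to CVE-2008-5514 and #653238 is kept with the patch rather than only in the changelog. On the logic the two hunks are consistent: in `rfc822_output_char` the new pre-check flushes when `buf->cur == buf->end` before the store `*buf->cur++ = c`, which previously wrote one byte past the buffer whenever a caller left it exactly full, and the second hunk closes that caller: the old `if (len && !rfc822_output_flush (buf)) return NIL;` skipped the flush when a copy filled the buffer exactly (`len == 0`), leaving `cur == end` for the next write, and the new condition `(len || (buf->cur == buf->end))` flushes in that case as well. Both paths keep the existing convention of returning NIL when the flush fails.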


Bug#685961: pu: package alpine/2.00+dfsg-6+squeeze1

2012-08-27 Thread Adam D. Barratt
Control: tags -1 + squeeze confirmed

On Sun, 2012-08-26 at 18:48 -0700, Asheesh Laroia wrote:
> (This is my first stable proposed update, so if I get a process item wrong,
> please pardon me and help me correct it. Thanks!)

Overall, it looks good; thanks. :-)

> Bug #653238 describes a crasher bug, possibly a security vulnerability, in
> alpine. The security team has indicated on the bug that they're not going to
> open a Debian Security Advisory for the alpine bug, and indicate, "You/the
> maintainer may choose to fix it in (old)stable through a point update, or leave
> it at this." I choose to update stable through a point update.

I assume from reading through the bug report that the issue does not
affect the version of alpine currently in wheezy / sid?  If so, please
add an appropriate fixed version to make this clear.

> I've prepared a minimal package update that adds the patch that fixes the
> issue. I've tested that it builds fine in a stable pbuilder; before uploading,
> I have tested it on a machine running stable, where it works fine.

Assuming my comment above about the issue not affecting wheezy and sid
is correct, please feel free to go ahead with the upload, having updated
the bug report as above.

Oh, actually:

+alpine (2.00+dfsg-6+squeeze1) squeeze; urgency=low

That's fine, but there's currently a dak bug which means that "squeeze"
in the distribution doesn't work; you'll need to either make it
"stable", or wait for the dak bug to get fixed.  (#685807)

> As a footnote: I believe the process on my end is:
> 
> * Get y'all's approval
> * Upload the package using "dput ftp-master alpine_2.00+dfsg-6+squeeze1.dsc"
> (with a binary package, as usual in Debian)
> * Watch it flow through into squeeze-updates with no further effort from me

Almost, except it'll hit proposed-updates (once a member of the release
team has flagged it appropriately to dak).  squeeze-updates is a
particular subset of p-u which is made separately available earlier than
the point release (of course p-u is publicly available anyway, but not
everyone wants to enable it in their sources.list on stable machines).

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1346091950.12289.9.ca...@jacala.jungle.funky-badger.org



Bug#685961: pu: package alpine/2.00+dfsg-6+squeeze1

2012-08-27 Thread Adam D. Barratt
On Mon, 2012-08-27 at 19:25 +0100, Adam D. Barratt wrote:
> Oh, actually:
> 
> +alpine (2.00+dfsg-6+squeeze1) squeeze; urgency=low
> 
> That's fine, but there's currently a dak bug which means that "squeeze"
> in the distribution doesn't work; you'll need to either make it
> "stable", or wait for the dak bug to get fixed.  (#685807)

Apparently the bug only affects DM uploads, so the original debdiff will
be fine.

Regards,

Adam


Archive: 
http://lists.debian.org/1346094449.12289.15.ca...@jacala.jungle.funky-badger.org



Bug#685961: pu: package alpine/2.00+dfsg-6+squeeze1

2012-08-29 Thread Adam D. Barratt

Control: tags -1 + pending

On 27.08.2012 19:25, Adam D. Barratt wrote:

> On Sun, 2012-08-26 at 18:48 -0700, Asheesh Laroia wrote:
>> Bug #653238 describes a crasher bug, possibly a security vulnerability, in
>> alpine. The security team has indicated on the bug that they're not going to
>> open a Debian Security Advisory for the alpine bug, and indicate, "You/the
>> maintainer may choose to fix it in (old)stable through a point update, or leave
>> it at this." I choose to update stable through a point update.
>
> I assume from reading through the bug report that the issue does not
> affect the version of alpine currently in wheezy / sid?  If so, please
> add an appropriate fixed version to make this clear.

It doesn't look like this happened yet?

>> I've prepared a minimal package update that adds the patch that fixes the
>> issue. I've tested that it builds fine in a stable pbuilder; before uploading,
>> I have tested it on a machine running stable, where it works fine.
>
> Assuming my comment above about the issue not affecting wheezy and sid
> is correct, please feel free to go ahead with the upload, having updated
> the bug report as above.

I checked the source of 2.02 myself to confirm that the bug is fixed
there so have flagged the package for acceptance; thanks.


Regards,

Adam


Archive: 
http://lists.debian.org/f623b678b4d448ab84d4c2c12b3fb...@mail.adsl.funky-badger.org



Bug#685961: pu: package alpine/2.00+dfsg-6+squeeze1

2012-08-29 Thread Asheesh Laroia

On Wed, 29 Aug 2012, Adam D. Barratt wrote:

>> I assume from reading through the bug report that the issue does not
>> affect the version of alpine currently in wheezy / sid?  If so, please
>> add an appropriate fixed version to make this clear.
>
> It doesn't look like this happened yet?

Just did; sorry about the delay.

>>> I've prepared a minimal package update that adds the patch that fixes the
>>> issue. I've tested that it builds fine in a stable pbuilder; before uploading,
>>> I have tested it on a machine running stable, where it works fine.
>>
>> Assuming my comment above about the issue not affecting wheezy and sid
>> is correct, please feel free to go ahead with the upload, having updated
>> the bug report as above.
>
> I checked the source of 2.02 myself to confirm that the bug is fixed there so
> have flagged the package for acceptance; thanks.

Thank you!

Sorry to make you do that check.

-- Asheesh.


Archive: 
http://lists.debian.org/alpine.deb.2.00.1208291124460.2...@rose.makesad.us



Processed: Re: Bug#685961: pu: package alpine/2.00+dfsg-6+squeeze1

2012-08-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + squeeze confirmed
Bug #685961 [release.debian.org] pu: package alpine/2.00+dfsg-6+squeeze1
Added tag(s) squeeze and confirmed.

-- 
685961: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685961
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Archive: 
http://lists.debian.org/handler.s.b685961.13460920393465.transcr...@bugs.debian.org



Processed: Re: Bug#685961: pu: package alpine/2.00+dfsg-6+squeeze1

2012-08-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #685961 [release.debian.org] pu: package alpine/2.00+dfsg-6+squeeze1
Added tag(s) pending.



Archive: 
http://lists.debian.org/handler.s.b685961.13462423525529.transcr...@bugs.debian.org