Control: tags -1 -moreinfo
Control: owner -1 Thomas Gaugler <tho...@dadie.net>

Hi Adam,

I am the maintainer of Nullsoft Scriptable Install System (NSIS) and propose the changes committed into the debian/bookworm branch on the 27th January 2024 to be released as updated nsis 3.08-3+deb12u1 packages (<https://salsa.debian.org/debian/nsis/-/commits/debian/bookworm>).

The changes fix the security vulnerability CVE-2023-37378 (<https://security-tracker.debian.org/tracker/CVE-2023-37378>), bogus relocation section in the installer stubs (<https://bugs.debian.org/1050288>) and a failed to build from source (FTBFS) bug occurring in the arm64 reproducibility build (<https://tests.reproducible-builds.org/debian/rb-pkg/unstable/arm64/nsis.html>).

In the following I describe each commit in more detail.

2b331c4f Cherry-pick upstream commits to fix CVE-2023-37378
This commit consists of essentially the same patches as included in the nsis 3.04-1+deb9u1 diff uploaded by the LTS Security team. Only the Debian patch header fields differ slightly.
(<http://security.debian.org/debian-security/pool/updates/main/n/nsis/nsis_3.04-1+deb9u1.debian.tar.xz>),
(<https://lists.debian.org/debian-lts-announce/2023/07/msg00005.html>),
(<https://tracker.debian.org/news/1442453/accepted-nsis-304-1deb9u1-source-into-oldoldstable/>)

105629f0 Use common options for nsis-doc installation
In Debian Trixie additional compile flags for hardening the security have been introduced. These flags were wrongly applied for installing build artifacts of the documentation targets (install-examples, install-doc and install-docs) and caused the arm64 reproducibility build to fail. The arm64 reproducibility worked again after changing to the common set of flags for the documentation targets build. (<https://tests.reproducible-builds.org/debian/rb-pkg/unstable/arm64/nsis.html>)

2d1e47e8 Exclude Debian revision suffix from VER_REVISION
The nsis 3.04-1+deb9u1 diff did "Hardcode VER_REVISION to ignore deb9u1 suffix". This change takes a generic approach by utilizing the string functions (firstword, word) of make to exclude the Debian revision suffix from VER_REVISION.

1ec70a5e Backport upstream commit to disable stub relocations
The original fix was not effective (<https://salsa.debian.org/debian/nsis/-/commit/f1c043cc110797e9f06718e7bc13b7163b78c550>). This regression was pointed out in the Debian bug report #1050288 (<https://bugs.debian.org/1050288>) and is the origin of this proposed update request. These changes are the backport of the upstream commit to disable stub relocations in newer GNU C(++) compiler versions.

f5795972 CVE-2023-37378, nsis-doc, VER_REVISION, disable relocs
This commit documents the above described changes.

---

Once we have your agreement, my uploading sponsor (OdyX) will proceed with the upload.

Best regards,
Thomas
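As an added illustration of the approach described for commit 2d1e47e8 (this is not the nsis package's own debian/rules; the variable names DEB_VERSION, DEB_REVISION and the sample version string are assumptions), a GNU make fragment that uses the word and firstword string functions to keep only the plain Debian revision, so that a "+deb12u1" stable-update suffix does not leak into VER_REVISION and change the built stubs:

```make
# Added example, not taken from the nsis packaging.
# Full Debian version as it appears in debian/changelog (constructed sample).
DEB_VERSION ?= 3.08-3+deb12u1

# Split "upstream-revision" on "-" and take the second word: "3+deb12u1".
# Assumes the upstream version itself contains no "-" (true for 3.08).
DEB_REVISION := $(word 2,$(subst -, ,$(DEB_VERSION)))

# Split the revision on "+" and keep the first word, dropping "deb12u1": "3".
# A revision without a "+" suffix (e.g. "3") is returned unchanged.
VER_REVISION := $(firstword $(subst +, ,$(DEB_REVISION)))

# Upstream part, for completeness: "3.08".
VER_UPSTREAM := $(firstword $(subst -, ,$(DEB_VERSION)))

all:
	@echo "DEB_VERSION  = $(DEB_VERSION)"
	@echo "DEB_REVISION = $(DEB_REVISION)"
	@echo "VER_REVISION = $(VER_REVISION)"
	@echo "VER_UPSTREAM = $(VER_UPSTREAM)"
```

Running `make` prints VER_REVISION = 3 for the sample version, and the same value for a plain 3.08-3, which is what keeps the security update's output identical to the original 3.08-3 build apart from the intended fixes.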
