Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal
Hello,

please unblock file 1:5.30-1 I've uploaded to unstable.

Short version: This upload
* fixes several issues in 1:5.29-3, including an assertion failure triggerable from certain files,
* includes more than twenty(!) commits from the upstream git since the 5.30 release that, by their description, seem prudent to include security-wise, and
* otherwise tries hard to not change the detection of files.

A bit longer:

There are a few issues in the stretch version of file (1:5.29-3) that in my opinion make it unfit for release. The most important one is an easily triggerable crash (assertion failure) I found a while ago; upstream was alerted in private. This issue was introduced in version 1:5.29-1 and is not public yet, at least not from my side.

The delta between 1:5.29-3 and upstream's 5.30 release is pretty small: These are bug fixes like for the one mentioned above, several changes that seem to address issues, and some documentation and/or changes not affecting the execution. There are two changes that introduce new features; I've reverted them to reduce the impact (also, they looked somewhat fishy). Initially, forwarding to 5.30 promised a smaller and better arranged debian/patches/.

Since upstream's 5.30 release however, there have been a lot of commits that address more issues; usually they contain a remark "oss-fuzz", so apparently somebody has spent quite some time searching for flawed code. One commit contains a remark "Although I can't reproduce it", which implies at least some of the other commits fix an exploitable issue. So I decided to cherry-pick *all* of them plus prerequisites in the hope this will avoid some security uploads during the stretch life cycle. They all can be found in debian/patches/, one patch per commit.

As with every upload of file, I ran a test on a huge collection of files in order to detect unexpected changes. I have to admit there are some minor ones: For some files not all the gory details are shown any longer; basic detection still works. These were introduced by the changes that should fix issues in the code.

Additional details, like a discussion of every single change between 1:5.29-3 and 1:5.30-1, are available upon request.

Regards,
Christoph