Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

Hello,

please unblock file 1:5.30-1 I've uploaded to unstable.

Short version:

This upload

* fixes several issues in 1:5.29-3, including an assertion failure
  triggerable from certain files,
* includes more than twenty(!) commits from the upstream git since the
  5.30 release that, by their description, seem prudent to include
  security-wise, and
* otherwise tries hard to not change the detection of files.


A bit longer:

There are a few issues in the stretch version of file (1:5.29-3) that
in my opinion make it unfit for release. The most important one is an
easily triggerable crash (assertion failure) I found a while ago,
upstream was alerted in private. This issue was introduced in version
1:5.29-1 and is not public yet, at least not from my side.

The delta between 1:5.29-3 and upstream's 5.30 release is pretty small:
These are bug fixes like for the one mentioned above, several changes
that seem to address issues, some documentation and/or not affecting the
execution. There are two changes that introduce new features, I've
reverted them to reduce the impact (also, they looked somewhat fishy).
Initially, forwarding to 5.30 promised a smaller and better arranged
debian/patches/.

Since upstream's 5.30 release however, there have been a lot of commits
that address more issues, usually they contain a remark "oss-fuzz", so
apparently somebody has spent quite some time searching for flawed
code. One commit contains a remark "Although I can't reproduce it"
which implies at least some of the other commits fix an exploitable
issue. So I decided to cherry-pick *all* of them plus prerequisites in
the hope this will avoid some security uploads during the stretch life
cycle. They all can be found in debian/patches/, one patch per commit.


As with every upload of file, I ran a test on a huge collection of
files in order to detect unexpected changes. I have to admit there are
some minor ones: For some files not all the gory details are shown any
longer, basic detection still works. These were introduced by the
changes that should fix issues in the code.

Additional details, like discussion of every single change between
1:5.29-3 and 1:5.30-1, are available upon request.

Regards,

    Christoph
