Better living through software

Ben Hutchings's diary of life and technology

Email: ben@decadent.org.uk • Twitter: @benhutchingsuk • Debian: benh • Gitweb: git.decadent.org.uk • Github: github.com/bwhacks

Tue, 02 Jun 2015

Debian LTS work, May 2015

This was my sixth month working on Debian LTS. I was assigned 10.5 hours by Freexian's Debian LTS initiative. This was less than in previous months, but I was still able to work on several packages.

dpkg

This update was almost ready to release at the end of April. I had to rebuild from the upstream tarball as released by Guillem, then uploaded and issued DLA 220-1.

tiff

This update was also almost ready to release. I hoped to get some users to test it, but didn't get any response. I uploaded and issued DLA 221-1.

ruby1.8

Ruby 1.8 had a single CVE to fix. It was already fixed in wheezy against a similar upstream version, so it took little time to apply that patch. Ruby has an extensive test suite that reassured me this wouldn't cause a regression. I uploaded and issued DLA 224-1.

p7zip

p7zip allows arbitrary file overwrite via symlinks (CVE-2015-1038) when extracting a carefully constructed archive, and this bug is not fixed upstream. This sort of bug has been identified and fixed previously in similar tools such as GNU tar, so I looked at how that handles links and tried to apply a similar change in p7zip. This was somewhat complicated by the code style (C++ with COM-style interfaces and NIH containers), but not too hard. I came up with a patch that seems to work for the versions in Debian, and have attached it to the upstream bug report for review.

linux-2.6

I reviewed the patches for Linux 2.6.32.66 - many of which were my own backports - and then integrated this update into the SVN branch. I will probably upload a new version soon, whether or not there's a high severity issue, just to avoid piling up a large number of changes in one update.

posted at: 02:40 | path: / | permanent link to this entry