From: Leo Famulari
To: guix-patches@gnu.org
Subject: [PATCH] gnu: bazaar: Fix CVE-2017-14176.
Date: Fri, 1 Dec 2017 13:14:34 -0500

* gnu/packages/patches/bazaar-CVE-2017-14176.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (bazaar)[source]: Use it.
---
 gnu/local.mk | 1 +
 gnu/packages/patches/bazaar-CVE-2017-14176.patch | 166 +++++++++++++++++++++++
 gnu/packages/version-control.scm | 1 +
 3 files changed, 168 insertions(+)
 create mode 100644 gnu/packages/patches/bazaar-CVE-2017-14176.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 2e74c4d81..f2d30be12 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -552,6 +552,7 @@ dist_patch_DATA = \ %D%/packages/patches/awesome-reproducible-png.patch \ %D%/packages/patches/azr3.patch \ %D%/packages/patches/bash-completion-directories.patch \ + %D%/packages/patches/bazaar-CVE-2017-14176.patch \ %D%/packages/patches/bcftools-regidx-unsigned-char.patch \ %D%/packages/patches/binutils-ld-new-dtags.patch \ %D%/packages/patches/binutils-loongson-workaround.patch \ diff --git a/gnu/packages/patches/bazaar-CVE-2017-14176.patch b/gnu/packages/patches/bazaar-CVE-2017-14176.patch new file mode 100644 index 000000000..0e9083b97 --- /dev/null 
+++ b/gnu/packages/patches/bazaar-CVE-2017-14176.patch 
@@ -0,0 +1,166 @@ +Fix CVE-2017-14176: + +https://bugs.launchpad.net/bzr/+bug/1710979 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176 + +Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1: + +https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204 + +Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs +Bug: https://bugs.launchpad.net/brz/+bug/1710979 +Bug-Debian: https://bugs.debian.org/874429 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176 +Forwarded: no +Author: Jelmer Vernooij +Last-Update: 2017-11-26 + +=== modified file 'bzrlib/tests/test_ssh_transport.py' +--- old/bzrlib/tests/test_ssh_transport.py 2010-10-07 12:45:51 +0000 ++++ new/bzrlib/tests/test_ssh_transport.py 2017-08-20 01:59:20 +0000 +@@ -22,6 +22,7 @@ + SSHCorpSubprocessVendor, + LSHSubprocessVendor, + SSHVendorManager, ++ StrangeHostname, + ) + + +@@ -161,6 +162,19 @@ + + class SubprocessVendorsTests(TestCase): + ++ def test_openssh_command_tricked(self): ++ vendor = OpenSSHSubprocessVendor() ++ self.assertEqual( ++ vendor._get_vendor_specific_argv( ++ "user", "-oProxyCommand=blah", 100, command=["bzr"]), ++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no", ++ "-oClearAllForwardings=yes", ++ "-oNoHostAuthenticationForLocalhost=yes", ++ "-p", "100", ++ "-l", "user", ++ "--", ++ "-oProxyCommand=blah", "bzr"]) ++ + def test_openssh_command_arguments(self): + vendor = OpenSSHSubprocessVendor() + self.assertEqual( +@@ -171,6 +185,7 @@ + "-oNoHostAuthenticationForLocalhost=yes", + "-p", "100", + "-l", "user", ++ "--", + "host", "bzr"] + ) + +@@ -184,9 +199,16 @@ + "-oNoHostAuthenticationForLocalhost=yes", + "-p", "100", + "-l", "user", +- "-s", "host", "sftp"] ++ "-s", "--", "host", "sftp"] + ) + ++ def test_openssh_command_tricked(self): ++ vendor = SSHCorpSubprocessVendor() ++ self.assertRaises( ++ StrangeHostname, ++ vendor._get_vendor_specific_argv, ++ "user", 
"-oProxyCommand=host", 100, command=["bzr"]) ++ + def test_sshcorp_command_arguments(self): + vendor = SSHCorpSubprocessVendor() + self.assertEqual( +@@ -209,6 +231,13 @@ + "-s", "sftp", "host"] + ) + ++ def test_lsh_command_tricked(self): ++ vendor = LSHSubprocessVendor() ++ self.assertRaises( ++ StrangeHostname, ++ vendor._get_vendor_specific_argv, ++ "user", "-oProxyCommand=host", 100, command=["bzr"]) ++ + def test_lsh_command_arguments(self): + vendor = LSHSubprocessVendor() + self.assertEqual( +@@ -231,6 +260,13 @@ + "--subsystem", "sftp", "host"] + ) + ++ def test_plink_command_tricked(self): ++ vendor = PLinkSubprocessVendor() ++ self.assertRaises( ++ StrangeHostname, ++ vendor._get_vendor_specific_argv, ++ "user", "-oProxyCommand=host", 100, command=["bzr"]) ++ + def test_plink_command_arguments(self): + vendor = PLinkSubprocessVendor() + self.assertEqual( + +=== modified file 'bzrlib/transport/ssh.py' +--- old/bzrlib/transport/ssh.py 2015-07-31 01:04:41 +0000 ++++ new/bzrlib/transport/ssh.py 2017-08-20 01:59:20 +0000 +@@ -46,6 +46,10 @@ + from paramiko.sftp_client import SFTPClient + + ++class StrangeHostname(errors.BzrError): ++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s" ++ ++ + SYSTEM_HOSTKEYS = {} + BZR_HOSTKEYS = {} + +@@ -360,6 +364,11 @@ + # tests, but beware of using PIPE which may hang due to not being read. + _stderr_target = None + ++ @staticmethod ++ def _check_hostname(arg): ++ if arg.startswith('-'): ++ raise StrangeHostname(hostname=arg) ++ + def _connect(self, argv): + # Attempt to make a socketpair to use as stdin/stdout for the SSH + # subprocess. 
We prefer sockets to pipes because they support +@@ -424,9 +433,9 @@ + if username is not None: + args.extend(['-l', username]) + if subsystem is not None: +- args.extend(['-s', host, subsystem]) ++ args.extend(['-s', '--', host, subsystem]) + else: +- args.extend([host] + command) ++ args.extend(['--', host] + command) + return args + + register_ssh_vendor('openssh', OpenSSHSubprocessVendor()) +@@ -439,6 +448,7 @@ + + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, + command=None): ++ self._check_hostname(host) + args = [self.executable_path, '-x'] + if port is not None: + args.extend(['-p', str(port)]) +@@ -460,6 +470,7 @@ + + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, + command=None): ++ self._check_hostname(host) + args = [self.executable_path] + if port is not None: + args.extend(['-p', str(port)]) +@@ -481,6 +492,7 @@ + + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, + command=None): ++ self._check_hostname(host) + args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch'] + if port is not None: + args.extend(['-P', str(port)]) + diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 22b296f4a..a0c80f7af 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm 
@@ -98,6 +98,7 @@ (uri (string-append "https://launchpad.net/bzr/" (version-major+minor version) "/" version "/+download/bzr-" version ".tar.gz")) + (patches (search-patches "bazaar-CVE-2017-14176.patch")) (sha256 (base32 "1cysix5k3wa6y7jjck3ckq3abls4gvz570s0v0hxv805nwki4i8d")))) -- 2.15.0
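
Review bot: The second `test_openssh_command_tricked`, added in the `@@ -184,9 +199,16 @@` hunk of bzrlib/tests/test_ssh_transport.py, reuses the name of the test added in the `@@ -161,6 +162,19 @@` hunk, yet it constructs `SSHCorpSubprocessVendor()`. If both definitions sit in `SubprocessVendorsTests`, the later one replaces the earlier, so the OpenSSH assertion that `"--"` precedes `"-oProxyCommand=blah"` never runs. Rename the second to `test_sshcorp_command_tricked`, matching `test_lsh_command_tricked` and `test_plink_command_tricked`.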
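
Review bot: In the `@@ -424,9 +433,9 @@` hunk of bzrlib/transport/ssh.py the OpenSSH vendor relies on `'--'` alone and never calls `self._check_hostname(host)`, unlike the three vendors patched in the hunks after it. The same input therefore behaves in two ways: the OpenSSH test expects an argv containing `"--", "-oProxyCommand=blah"`, while the other vendors raise `StrangeHostname`. Calling `self._check_hostname(host)` at the top of the OpenSSH `_get_vendor_specific_argv` as well would reject such a host before any subprocess is started and keep `'--'` as a second layer.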
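
Review bot: `_check_hostname`, added in the `@@ -360,6 +364,11 @@` hunk of bzrlib/transport/ssh.py, has no docstring or comment saying why a leading `-` is refused. A one-line docstring stating that the host is passed as a command-line argument to the SSH client, where a leading `-` would be parsed as an option, would keep a later refactor from dropping the check; the same applies to the `StrangeHostname` class in the `@@ -46,6 +46,10 @@` hunk.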

From: Marius Bakke
To: Leo Famulari, 29526@debbugs.gnu.org
Subject: Re: [bug#29526] [PATCH] gnu: bazaar: Fix CVE-2017-14176.
Date: Sun, 03 Dec 2017 15:21:39 +0100

Leo Famulari writes:

> * gnu/packages/patches/bazaar-CVE-2017-14176.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/version-control.scm (bazaar)[source]: Use it.

[...]

> diff --git a/gnu/packages/patches/bazaar-CVE-2017-14176.patch b/gnu/packages/patches/bazaar-CVE-2017-14176.patch > new file mode 100644 > index 000000000..0e9083b97 > --- /dev/null > +++ b/gnu/packages/patches/bazaar-CVE-2017-14176.patch 
> @@ -0,0 +1,166 @@ > +Fix CVE-2017-14176: > + > +https://bugs.launchpad.net/bzr/+bug/1710979 > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176 > + > +Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1: > + > +https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204

I was looking for a fix for this a couple of days ago as well, but could
not find anything in the upstream repository:

https://code.launchpad.net/bzr

LGTM, and thanks!

From: Leo Famulari
To: Marius Bakke
Cc: 29526-done@debbugs.gnu.org
Subject: Re: [bug#29526] [PATCH] gnu: bazaar: Fix CVE-2017-14176.
Date: Mon, 4 Dec 2017 13:17:32 -0500

On Sun, Dec 03, 2017 at 03:21:39PM +0100, Marius Bakke wrote:
> Leo Famulari writes:
> > +Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1: > > + > > +https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204
>
> I was looking for a fix for this a couple of days ago as well, but could
> not find anything in the upstream repository:
>
> https://code.launchpad.net/bzr

Yeah, there is not much upstream activity anymore.

> LGTM, and thanks!

Thanks for the review!

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 02 Jan 2018 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator