GNU bug report logs - #33067
[PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Tue, 16 Oct 2018 18:23:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Message #16 received at 33067 <at> debbugs.gnu.org:
Hello!
Leo Famulari <leo <at> famulari.name> writes:
> Previously I reported the patch pushed and closed the bug. However, the
> push must have failed without me noticing. Now that I saw your message,
> I had more time to look at the patch and update it. Now pushed as
> eed00f93e8999712191e39c59c15e23461520f43
>
> On Thu, Oct 18, 2018 at 01:11:12AM +0200, Ludovic Courtès wrote:
>> The patch changes just one ‘if’ condition. Could you check in 0.7.6 if
>> that condition matches what the patch changed?
>
> The only upstream change was to fix the bug which would make it ignore
> valid configuration data when parsing the config file.
>
> Our patch also tightened the conditional that led to that point, so that
> the previously faulty check would not be passed some "dummy" constants.
>
> Not being able to read the original bug report, I can't tell if these
> extra changes were made in response to a bug that was actually
> experienced, or if we were just being cautious.
>
> Since nothing else changed upstream, it seems like the tightening can't
> hurt, at least the one regarding the SOC_END constant, which I think
> could still be used erroneously. But we should send it upstream.
Sounds good, thanks for checking!
Ludo’.