[Pkg-kde-extras] exiv2 stretch update (CVE-2018-16336)

Salvatore Bonaccorso carnil at debian.org
Tue Oct 30 07:51:49 GMT 2018


Hi Roberto,

On Mon, Oct 29, 2018 at 07:58:39PM -0400, Roberto C. Sánchez wrote:
> On Sat, Oct 27, 2018 at 01:59:13PM +0200, Salvatore Bonaccorso wrote:
> > Hi Roberto,
> > 
> > On Sat, Oct 20, 2018 at 11:10:17PM -0400, Roberto C. Sánchez wrote:
> > > Hi all,
> > > 
> > > I prepared an update of exiv2 for jessie.  The patches I prepared
> > > applied to the stretch version with only one minor change required.
> > > 
> > > The main change is the patch for CVE-2018-16336.  However, I also
> > > included a tweak to the patch for CVE-2018-10958/CVE-2018-10999 based on
> > > feedback I received approximately one month after I uploaded the last
> > > security update for exiv2:
> > > 
> > > https://github.com/Exiv2/exiv2/issues/302#issuecomment-408640903
> > > 
> > > I have attached a debdiff from version 0.25-3.1+deb9u1 to
> > > 0.25-3.1+deb9u2 for your review and the actual packages are available
> > > here:
> > > 
> > > https://people.debian.org/~roberto/
> > > 
> > > If the package and proposed changes look good, please let me know and I
> > > can sign and upload the packages and someone on the security team can
> > > publish the DSA.
> > 
> > Looking at CVE-2018-16336 I feel it does not really warrant a DSA on
> > its own. But given you have prepared a targeted fix for the issue,
> > can I redirect you through the stretch-pu mechanism and have a fix
> > included in the next stretch point release?
> 
> That sounds like a reasonable approach.  Are these the correct
> instructions for me to follow?
> 
> https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable

Yes, this is right. There was as well announced
https://lists.debian.org/debian-devel-announce/2018/04/msg00007.html
for a slightly changed workflow possibility (for the cases one is
absolutely confident the upload will be accepted, one can upload in
advance, but still submit debdiff and bug to release.d.o).

Regards,
Salvatore
