Bug#1028475: Backport recent GVariant security fixes to Stable

Philip Withnall philip at tecnocode.co.uk
Mon Jan 16 16:12:44 GMT 2023


On Sat, 2023-01-14 at 21:15 +0100, Salvatore Bonaccorso wrote:
> Hi Simon,
> 
> Thank you for adding looping in.
> 
> On Thu, Jan 12, 2023 at 10:10:35AM +0000, Simon McVittie wrote:
> > Control: tags -1 + security
> > 
> > On Wed, 11 Jan 2023 at 16:37:01 +0000, Philip Withnall wrote:
> > > Are there plans to backport the recent GVariant security fixes to
> > > Debian Stable?
> > > 
> > > These are:
> > >  - https://gitlab.gnome.org/GNOME/glib/-/issues/2782
> > >  - https://gitlab.gnome.org/GNOME/glib/-/issues/2121
> > >  - https://gitlab.gnome.org/GNOME/glib/-/issues/2540
> > >  - https://gitlab.gnome.org/GNOME/glib/-/issues/2794
> > >  - https://gitlab.gnome.org/GNOME/glib/-/issues/2797
> > >  - https://gitlab.gnome.org/GNOME/glib/-/issues/2840
> > >  - https://gitlab.gnome.org/GNOME/glib/-/issues/2841
> > > 
> > > In addition, these two issues have highly related fixes (which it’s
> > > probably easiest to backport in the same tranche), but they are not
> > > security issues:
> > >  - https://gitlab.gnome.org/GNOME/glib/-/issues/2612
> > >  - https://gitlab.gnome.org/GNOME/glib/-/issues/2839
> > > 
> > > Apologies if a decision has been deliberately taken to not backport
> > > them, I don’t fully understand the criteria for what gets backported.
> > 
> > There are actually two sets of criteria for what gets backported to
> > stable. If the Debian security team (Cc'd) thinks an issue is
> > sufficiently serious to need a security advisory and an immediate
> > release, then they prepare a security update, either doing the work
> > themselves or coordinating with the package's maintainer for the
> > actual code changes.
> > 
> > If the security team are not interested in an issue, but the package's
> > maintainer thinks the issue needs a stable update, then the package's
> > maintainer coordinates with the release team to get the change into
> > the next stable point release, which happens once per 1-2 months.
> > 
> > I think these issues are all denial-of-service, which the security
> > team usually treats as not sufficiently important for an advisory and
> > an off-schedule fix. Security team: do you agree, based on the
> > information quoted below? If yes, we can treat this as a low-priority
> > security fix (I would personally rate its severity at somewhere
> > between important and minor) and fix it in a point release later.
> 
> I do agree, a point release update seems enough (if feasible, in
> backport size and confidence).

Makes sense to me. Thanks both for considering this.

Philip
