[Pkg-kde-extras] Update of exiv2 in stretch

Roberto C. Sánchez roberto at debian.org
Thu Jun 28 13:35:42 BST 2018


Hello Maximiliano,

I forked your Salsa project but I had difficulty figuring out the proper
starting point for a branch.  It looks like master contains work for
both unstable and experimental in it.  I did use a Git repository to do
my work, but I began with importing exiv2_0.25-3.1.dsc.

That said, I have exported the individual commits as patches and attached
them to this mail.  You can use 'git apply' on them and it should just
work, except maybe for the placement of the changelog entry.

I did want to add two additional notes for your information:

1. My changes do not address CVE-2018-11037 (the only remaining open CVE
against the exiv2 package in Debian), since upstream has not yet fixed
it.  The issue in GitHub indicates it will be fixed in 0.27.

2. I had to make some adjustments to the error handling from the newer
upstream commits, as they have ported the "enforce" mechanism (similar
to assert) from D and it seemed too large a change to bring in for a
security update.  I requested a review of my patch from upstream in
GitHub (https://github.com/Exiv2/exiv2/issues/302) but have not yet
received a reply.  After submitting that request for review I did
patches for the remaining CVEs and encountered enough other error
handling code that I am comfortable with my approach, so I don't think
it that important that upstream has not yet replied.

I will leave it up to you to integrate my patches, make the upload to
unstable, and coordinate the remaining transitions and advisory with the
security team.  You are welcome to use the DLA text I attached to the
first mail, or to write your own more detailed advisory as you prefer.

Regards,

-Roberto

On Thu, Jun 28, 2018 at 10:22:02AM +0200, Maximiliano Curia wrote:
> Hello Roberto!
> 
> On 2018-06-28 at 01:05 -0400, Roberto C. Sánchez wrote:
> > Hello all,
> 
> > I wanted to let you know that I have prepared updates of the exiv2
> > packages for jessie (LTS) and wheezy (ELTS).  The patches that I
> > prepared applied cleanly to the exiv2 package in stretch.
> 
> > The stretch packages that I built are here:
> 
> > https://people.debian.org/~roberto/
> 
> > I have also attached the DLA text I have published for the jessie
> > update.  It can serve as the basis of the DSA for stretch, if needed.
> 
> > If you prefer that I go ahead with uploading the packages that I have
> > prepared, please let me know.
> 
> Nice job, thanks for taking care of exiv2.
> 
> I would prefer if we have these changes applied in unstable first, if that's
> ok with you (which is the same as the stretch version so only the version
> needs to be changed for that).
> 
> About the changes, if you used a git repository to work on these changes it
> would be better to simply merge the individual commits instead of a
> monolithic change from the debdiff. So, if possible, could you send us a
> merge request from salsa, or a link to a public git with these changes?
> 
> If you prefer, go ahead and upload the modified package to unstable, we can
> deal with merging the changes afterwards.
> 
> Happy hacking,
> -- 
> "Don't let what you cannot do interfere with what you can do."
> -- Wooden's Rule
> Regards /\/\ /\ >< `/



-- 
Roberto C. Sánchez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exiv2_0.25-3.1+deb9u1_(1_of_4).patch
Type: text/x-diff
Size: 7025 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-kde-extras/attachments/20180628/cbee384c/attachment-0004.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exiv2_0.25-3.1+deb9u1_(2_of_4).patch
Type: text/x-diff
Size: 4487 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-kde-extras/attachments/20180628/cbee384c/attachment-0005.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exiv2_0.25-3.1+deb9u1_(3_of_4).patch
Type: text/x-diff
Size: 5803 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-kde-extras/attachments/20180628/cbee384c/attachment-0006.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exiv2_0.25-3.1+deb9u1_(4_of_4).patch
Type: text/x-diff
Size: 18623 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-kde-extras/attachments/20180628/cbee384c/attachment-0007.patch>

