[Pkg-net-snmp-devel] Bug#963713: Bug#963713: net-snmp: CVE-2019-20892
Sergio Durigan Junior
sergiodj at debian.org
Mon Jul 6 14:44:02 BST 2020
On Monday, June 29 2020, Craig Small wrote:
> Hi All
> There's a few goes of the required patches but I think I've got them all.
> There was the v3doublefree2.patch, a format patch and then the first git
> reference in the tracker where they have re-arranged the free function so
> it tracks the reference count.
>
> The result does compile and build packages and it is not too terrible about
> the lintian warnings, but I haven't installed or tested it yet; that's a
> job for tomorrow (which is only an hour away, but it will be much longer
> than that). If anyone is keen in the meantime go ahead and see if it works
> for you.
Hey Craig,
Thanks for the work on the patches; I've had to do the same for Ubuntu,
so I understand the complexity... :-)
I'd like to propose an improvement on the current fix. While doing the
backports on Ubuntu, I noticed a few other patches that were needed in
order to guarantee that the existing memory leaks were addressed.
Unfortunately, the very first upstream commit that tried to fix the CVE
ended up introducing some leaks, and in the end it was necessary to
reorganize the code a little bit to solve them all. The commits are
scattered over the history, sometimes without much context, so it takes
a little time until we have a proper set of them to be backported.
Anyway, I took the liberty to open an MR here:
https://salsa.debian.org/debian/net-snmp/-/merge_requests/3
This MR adds the extra patches from upstream, performs some renames, and
brings the Debian package closer to the Ubuntu version.
Let me know what you think.
Thanks,
--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/
More information about the Pkg-net-snmp-devel
mailing list