Santuario patch coming shortly

Cantor, Scott cantor.2 at osu.edu
Thu Aug 2 15:21:01 BST 2018


> Thanks for the heads-up.  I squashed and backported your patches, dropping
> some disconnected whitespace and (void)->() prototype changes (as far as I
> know, they are equivalent in C++) for easier review by the Debian Security
> Team.  Does this look sane to you?

Yes.

The void thing is just style, and I tend to clean up style issues as I make changes because it's sort of a breadcrumb to tell me I made changes to a file and isn't from the original author's version anymore. It's not perhaps the best practice but that's why.

> There are changes in a header file as well, so some of the SP stack will need
> to be recompiled to include the fix, I guess.  Or all of it, maybe?

Strictly speaking perhaps, but the functions in question aren't being called by my code, just by Santuario itself, so they're already re-inlined there with this build. But I would imagine Debian might have a standard rule that any C++ lib bump necessitates everything else being rebuilt.

> Are you okay with us getting a separate CVE for this Santuario issue?
> Could you use the same or another one for the SP?

There's no separate CVE for the SP; I haven't changed any code there at this stage. I am fine with you getting one for the issue if you like.

-- Scott
