Santuario patch coming shortly
Cantor, Scott
cantor.2 at osu.edu
Thu Aug 2 15:21:01 BST 2018
> Thanks for the heads-up. I squashed and backported your patches, dropping
> some disconnected whitespace and (void)->() prototype changes (as far as I
> know, they are equivalent in C++) for easier review by the Debian Security
> Team. Does this look sane to you?
Yes.
The void thing is just style, and I tend to clean up style issues as I make changes because it's sort of a breadcrumb to tell me I made changes to a file and isn't from the original author's version anymore. It's not perhaps the best practice but that's why.
> There are changes in a header file as well, so some of the SP stack will need
> to be recompiled to include the fix, I guess. Or all of it, maybe?
Strictly speaking perhaps, but the functions in question aren't being called by my code, just by Santuario itself, so they're already re-inlined there with this build. But I would imagine Debian might have a standard rule that any C++ lib bump necessitates everything else being rebuilt.
> Are you okay with us getting a separate CVE for this Santuario issue?
> Could you use the same or another one for the SP?
There's no separate CVE for the SP, I haven't changed any code there at this stage. I am fine with you getting one for the issue if you like.
-- Scott
More information about the Pkg-shibboleth-devel
mailing list