A few small questions

debian.org at spam.lublink.net
Tue Aug 29 01:56:26 BST 2023


Hello Jonas,

I am looking at CVE-2022-42705. Fortunately for me, the upstream commit 
is strictly the CVE patch we are looking for, so generating the patch 
was straightforward (I included it as an attachment).

It looks like old-stable refers to Debian Buster so I ran buster and 
downloaded the package source with 'apt source asterisk' and 'apt-get 
install build-essential devscripts --yes' and 'apt-get build-dep 
asterisk'.

I'm unsure, though, about how to deal with the quilt patches. Both of the 
files targeted by the patch are downloaded during the ./configure script:

[pjproject]  Verifying /tmp/pjproject-2.12.1.tar.bz2
[pjproject]  Verify successful
[pjproject]  Unpacking /tmp/pjproject-2.12.1.tar.bz2
[pjproject]  Applying patches 
/opt/asterisk-16.28.0~dfsg/third-party/pjproject/patches 
/opt/asterisk-16.28.0~dfsg/third-party/pjproject/source
[pjproject]  Applying user.mak
[pjproject]  Rebuilding
[pjproject]  Applying custom

I notice that the pjproject folder has patches in it, this does not seem 
covered by quilt.

Question 1: Where should I drop the patch? Should my patch in 
debian/patches generate a patch in third-party/pjproject/patches?


Question 2: Where do I write the test and how should I execute it?

I see there is the folder debian/tests, but it doesn't seem to contain 
tests for other CVEs. I also checked tests/ and saw no mention of 
previous CVEs. Where do I write the test and where/how do I run it?

Question 3: Which version am I testing against? Is there a git branch I 
should be using instead of using the source package directly from the 
repo?



Thanks!

David





On 2023-08-28 19:35, debian.org at spam.lublink.net wrote:
> On 2023-08-28 16:45, Jonas Smedegaard wrote:
>> Quoting debian.org at spam.lublink.net (2023-08-27 23:31:35)
>>> what next smalls steps can we take ?
>> 
>> The developer's overview is https://tracker.debian.org/pkg/asterisk
>> 
>> In the "actions needed" in the middle of that is listed 3 security
>> issues in stable.
>> 
>> It would be helpful if you could...
>>   * try compose a test for each of those bugs
>>   * try isolate a minimal diff for each of those bugfixes,
>>     to be applied to the package in stable
>>   * check that the tests are successful with the patches applied.
>> 
>> 
>> 
>> Kind regards,
>> 
>>  - Jonas
> challenge accepted
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cve-2022-42705.patch
Type: text/x-diff
Size: 2549 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/attachments/20230828/bcd62b8a/attachment.patch>
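A triage script for the situation behind question 1, added here as an example that is not part of the thread, the asterisk package or the attached patch. The configure output above shows that third-party/pjproject/source is unpacked from the pjproject tarball and patched from third-party/pjproject/patches at build time, so a quilt patch in debian/patches cannot touch files under it: they do not exist when dpkg-source applies the series. The script lists the files a unified diff modifies and reports which of them are absent from the unpacked source package; every "missing" entry is a file that has to be patched through the pjproject patch directory instead. It assumes -p1 style diffs with "+++ b/<path>" headers; the directory layout, file names and patches it builds are constructed for the demonstration and are not the real CVE-2022-42705 patch.

```shell
#!/bin/sh
# Added example: classify the files a patch touches as present in, or
# missing from, an unpacked Debian source tree. Not code from the asterisk
# package or the thread; all paths and patches below are constructed.
set -u

# Print the target path of every file a unified diff modifies, stripping the
# "b/" prefix and any trailing timestamp. "+++ /dev/null" (deletions) is
# skipped because it does not match the "b/" pattern.
patch_targets() {
    sed -n 's|^+++ b/||p' "$1" | sed 's/[[:space:]].*$//'
}

# For each target, print "present <path>" or "missing <path>" relative to the
# source tree root given as $1; $2 is the patch file.
classify_targets() {
    patch_targets "$2" | while IFS= read -r path; do
        if [ -e "$1/$path" ]; then
            printf 'present %s\n' "$path"
        else
            printf 'missing %s\n' "$path"
        fi
    done
}

# Number of targets that do not exist in the unpacked source package.
count_missing() {
    classify_targets "$1" "$2" | awk '/^missing /{n++} END{print n+0}'
}

# Build a throw-away tree that mimics the state right after "apt source":
# debian/ and third-party/pjproject/patches exist, the unpacked pjproject
# source does not. Prints the temporary directory it created.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/src/debian/patches" \
             "$root/src/third-party/pjproject/patches" \
             "$root/src/main"
    : > "$root/src/debian/patches/series"
    : > "$root/src/main/constructed.c"   # a file shipped in the source package
    # Constructed patch against the bundled pjproject: absent before configure.
    cat > "$root/fix.patch" <<'EOF'
--- a/third-party/pjproject/source/pjsip/src/constructed.c
+++ b/third-party/pjproject/source/pjsip/src/constructed.c
@@ -1 +1 @@
-old
+new
EOF
    # Constructed patch against a file that is part of the source package.
    cat > "$root/pkg.patch" <<'EOF'
--- a/main/constructed.c
+++ b/main/constructed.c
@@ -0,0 +1 @@
+new
EOF
    printf '%s\n' "$root"
}

# Usage: sh classify-patch.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    for p in fix.patch pkg.patch; do
        printf '%s: %s target(s) missing from the source package\n' \
            "$p" "$(count_missing "$root/src" "$root/$p")"
        classify_targets "$root/src" "$root/$p"
    done
    rm -rf "$root"
fi
```

Run it against a real tree with `classify_targets /path/to/asterisk-16.28.0~dfsg cve-2022-42705.patch` after `apt source asterisk` but before `./configure`: a patch whose targets are all "present" belongs in debian/patches (quilt), while one with "missing" targets under third-party/pjproject/source has to be applied by the pjproject build step, which is exactly the split the configure output describes.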