A few small questions
debian.org at spam.lublink.net
Sun Sep 3 17:28:48 BST 2023
Hello Jonas,
I poked around salsa and found the folder Xpjproject in branch
debian/latest, and according to debian/rules, this seems to be building
pjproject-2.12.1.tar.bz2 for the newer releases. This version already
has patches for the 3 CVEs.
I tried checking out the git branch buster, and found that the
Xpjproject folder doesn't exist and I only found the file
pjproject_2.8~dfsg.orig.tar.bz2 (in debian/).
How would I produce a patch for this? Should I decompress the tar.bz2
file, patch it, recompress it and then generate a binary patch?
I notice there is no git branch for bullseye, is git branching still
used?
1:16.2.1~dfsg-1+deb10u2 is the only version of Asterisk that is
reportedly still affected by the three CVEs, why do we need to patch
this if buster-security contains a fixed version? If we do need to patch
it, where do I post the patch? Git branch?
What are my next steps here?
Thanks,
David Lublink
On 2023-08-28 20:56, debian.org at spam.lublink.net wrote:
> Hello Jonas,
>
> I am looking at CVE-2022-42705, fortunately for me the upstream commit
> is strictly the CVE patch we are looking for, so generating the patch
> was straightforward (I included it as an attachment).
>
> It looks like old-stable refers to Debian Buster so I ran buster and
> downloaded the package source with 'apt source asterisk' and 'apt-get
> install build-essential devscripts --yes' and 'apt-get build-dep
> asterisk'.
>
> I'm unsure though about how to deal with the quilt patches. Both of the
> files targeted by the patch are downloaded during the ./configure
> script:
>
> [pjproject] Verifying /tmp/pjproject-2.12.1.tar.bz2
> [pjproject] Verify successful
> [pjproject] Unpacking /tmp/pjproject-2.12.1.tar.bz2
> [pjproject] Applying patches
> /opt/asterisk-16.28.0~dfsg/third-party/pjproject/patches
> /opt/asterisk-16.28.0~dfsg/third-party/pjproject/source
> [pjproject] Applying user.mak
> [pjproject] Rebuilding
> [pjproject] Applying custom
>
> I notice that the pjproject folder has patches in it, this does not
> seem covered by quilt.
>
> Question 1: Where should I drop the patch? Should my patch in
> debian/patches generate a patch in third-party/pjproject/patches?
>
> Question 2: Where do I write the test and how should I execute it?
>
> I see there is the folder debian/tests, but it doesn't seem to contain
> tests for other CVEs. I also checked tests/ and saw no mention of
> previous CVEs. Where do I write the test and where/how do I run it?
>
> Question 3: Which version am I testing against? Is there a git branch
> I should be using instead of using the source package directly from the
> repo?
>
> Thanks!
>
> David
>
> On 2023-08-28 19:35, debian.org at spam.lublink.net wrote:
>> On 2023-08-28 16:45, Jonas Smedegaard wrote:
>>> Quoting debian.org at spam.lublink.net (2023-08-27 23:31:35)
>>>> what next small steps can we take?
>>>
>>> The developer's overview is https://tracker.debian.org/pkg/asterisk
>>>
>>> In the "actions needed" in the middle of that is listed 3 security
>>> issues in stable.
>>>
>>> It would be helpful if you could...
>>> * try to compose a test for each of those bugs
>>> * try to isolate a minimal diff for each of those bugfixes,
>>> to be applied to the package in stable
>>> * check that the tests are successful with the patches applied.
>>>
>>> Kind regards,
>>>
>>> - Jonas
>> challenge accepted
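A constructed stand-alone simulation of the two-level patching that Question 1 and the tar.bz2 question above are about: a Debian-level patch only adds a file under third-party/pjproject/patches, and the build step unpacks the vendored tarball and applies everything in that directory, as the "[pjproject] Unpacking ... Applying patches" log lines show. This is an added example, not code from the thread or from the Debian asterisk package; the directory layout follows the log above, while the file names, tarball contents and the use of gzip instead of bz2 are assumptions.

```shell
#!/bin/sh
# Constructed demo: a patch in the packaging layer creates a pjproject patch
# file; the "build" then unpacks the tarball and applies it. Names made up.
set -eu

demo_nested_patch() (
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"

  # Stand-in for the vendored upstream tarball (gzip here instead of bz2).
  mkdir -p upstream/pjproject-x.y/pjlib/src
  echo '#define PARSER_CHECK 0' > upstream/pjproject-x.y/pjlib/src/parse.c
  tar -C upstream -czf pjproject-x.y.tar.gz pjproject-x.y

  # The Asterisk tree carries its own patch directory for pjproject;
  # the tarball itself is never modified.
  mkdir -p asterisk/third-party/pjproject/patches

  # The patch that would live in debian/patches: it only *creates* a
  # pjproject patch file (each body line carries an extra leading "+").
  cat > debian-level.patch <<'EOF'
--- /dev/null
+++ b/third-party/pjproject/patches/0099-constructed-fix.patch
@@ -0,0 +1,5 @@
+--- a/pjlib/src/parse.c
++++ b/pjlib/src/parse.c
+@@ -1 +1 @@
+-#define PARSER_CHECK 0
++#define PARSER_CHECK 1
EOF
  patch -s -d asterisk -p1 < debian-level.patch

  # Build step, mirroring "[pjproject] Unpacking ... Applying patches":
  # unpack into source/ and apply every patch in patches/ in order.
  tar -C asterisk/third-party/pjproject -xzf pjproject-x.y.tar.gz
  mv asterisk/third-party/pjproject/pjproject-x.y asterisk/third-party/pjproject/source
  for p in asterisk/third-party/pjproject/patches/*.patch; do
    patch -s -d asterisk/third-party/pjproject/source -p1 < "$p"
  done

  # Report the value now in the unpacked source; 1 means the nested patch
  # reached it even though the tarball itself is untouched.
  sed -n 's/^#define PARSER_CHECK //p' asterisk/third-party/pjproject/source/pjlib/src/parse.c
)

demo_nested_patch
```

The same check can be done on a real build by diffing the unpacked source/ tree against the pristine tarball after the configure step has run.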