[bug#33067] [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
From: Ludovic Courtès
Subject: [bug#33067] [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Date: Fri, 19 Oct 2018 10:29:40 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Hello!

Leo Famulari <address@hidden> writes:

> Previously I reported the patch as pushed and closed the bug. However, the
> push must have failed without me noticing. Now that I saw your message,
> I had more time to look at the patch and update it. Now pushed as
> eed00f93e8999712191e39c59c15e23461520f43
>
> On Thu, Oct 18, 2018 at 01:11:12AM +0200, Ludovic Courtès wrote:
>> The patch changes just one ‘if’ condition. Could you check in 0.7.6 if
>> that condition matches what the patch changed?
>
> The only upstream change was to fix the bug which would make it ignore
> valid configuration data when parsing the config file.
>
> Our patch also tightened the conditional that led to that point, so that
> the previously faulty check would not be passed some "dummy" constants.
>
> Not being able to read the original bug report, I can't tell if these
> extra changes were made in response to a bug that was actually
> experienced, or if we were just being cautious.
>
> Since nothing else changed upstream, it seems like the tightening can't
> hurt, at least the one regarding the SOC_END constant, which I think
> could still be used erroneously. But we should send it upstream.

Sounds good, thanks for checking!

Ludo’.