On Fri, 2016-02-19 at 03:59 +0800, Ying-Chun Liu (PaulLiu) wrote:
> On 2015-12-31 at 06:37, Ben Hutchings wrote:
> > On Wed, 2015-12-30 at 20:19 +0800, Ying-Chun Liu (PaulLiu) wrote:
> > [...]
> > > I've made a patch. As attachment.
> >
> > I don't think it's a complete fix, as it doesn't check that there's
> > enough space for the terminating null (or shift sequence, where
> > needed).
> >
> > > Should I just push it to unstable? Or do I need to do some further
> > > steps before that?
> >
> > You should probably coordinate with maintainers of other affected
> > packages, e.g. claws-mail. There is an upstream fix for claws-mail,
> > although it's not quite right (see my comment on security-tracker).
> >
> > > I didn't see any bug numbers against the macopix package for
> > > CVE-2015-8614. What's the best next step?
> >
> > So far as I know it's not necessary to create a bug report, though
> > there's no harm in doing so.
> >
> > Ben.
>
> Hi Ben,
>
> I synced the code from the claws-mail upstream which fixes the bug.
> Please see the attachment. Sorry to keep you waiting.

After I looked at what macopix does, it seemed to me that it doesn't
work with untrusted input. So although it has the same bug, it doesn't
seem to be a security flaw. What do you think?

Ben.

-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
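As an added illustration of the point Ben raises about the terminating null and the trailing shift sequence (a constructed example, not the macopix or claws-mail code): a bounded encoder for a simplified ISO-2022-JP-style scheme whose size check budgets for the whole tail, not just the body bytes. The escape sequences, the byte ranges and the function names are assumptions of this example.

```c
#include <string.h>
/* Constructed example (not macopix/claws-mail code): ASCII bytes pass through,
 * bytes >= 0x80 are pairs of a two-byte set bracketed by escape sequences. */
#define ESC_2BYTE "\x1b$B"   /* enter two-byte mode */
#define ESC_ASCII "\x1b(B"   /* return to ASCII */
#define ESC_LEN   3
/* Bytes needed for a fully terminated encoding: body, trailing shift back to
 * ASCII if still in two-byte mode, and the NUL. Exceeds inlen + 1 for any pair. */
size_t jis_like_required(const unsigned char *in, size_t inlen)
{
    size_t need = 0; int twobyte = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (in[i] >= 0x80) {
            if (!twobyte) { need += ESC_LEN; twobyte = 1; }
            need += 2; i++;                  /* consume the second byte of the pair */
        } else {
            if (twobyte) { need += ESC_LEN; twobyte = 0; }
            need += 1;
        }
    }
    return need + (twobyte ? ESC_LEN : 0) + 1;
}
/* Encode into out[0..outlen). Returns bytes written (excluding the NUL), or -1
 * when body + trailing escape + NUL would not fit; nothing is written then. */
int jis_like_encode(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    if (jis_like_required(in, inlen) > outlen) return -1;
    size_t o = 0; int twobyte = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (in[i] >= 0x80) {
            if (!twobyte) { memcpy(out + o, ESC_2BYTE, ESC_LEN); o += ESC_LEN; twobyte = 1; }
            out[o++] = (char)in[i];
            out[o++] = (char)(i + 1 < inlen ? in[i + 1] : 0x21); /* pad a truncated pair */
            i++;
        } else {
            if (twobyte) { memcpy(out + o, ESC_ASCII, ESC_LEN); o += ESC_LEN; twobyte = 0; }
            out[o++] = (char)in[i];
        }
    }
    if (twobyte) { memcpy(out + o, ESC_ASCII, ESC_LEN); o += ESC_LEN; }
    out[o] = '\0';
    return (int)o;
}
/* Encode into exactly the required size; one byte less must be refused, not overflow. */
int fits_exactly(const unsigned char *in, size_t inlen)
{
    char buf[64]; size_t need = jis_like_required(in, inlen);
    if (need > sizeof buf) return 0;
    int n = jis_like_encode(in, inlen, buf, need);
    return n >= 0 && (size_t)n + 1 == need && buf[n] == '\0'
        && jis_like_encode(in, inlen, buf, need - 1) == -1;
}
```

A check that only compares body bytes against the buffer size passes for a buffer of `inlen + 1`, yet the two-byte run above needs six more bytes for the escapes before the NUL is even counted.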