Bug#861926: jessie-pu: package php-tcpdf/6.0.093+dfsg-1



Control: tags -1 + moreinfo
Control: retitle -1  jessie-pu: package tcpdf/6.0.093+dfsg-1

On Sat, 2017-05-06 at 01:56 +0200, Laurent Destailleur (eldy) wrote:
> I request permission to upload a fix of package php-tcpdf to fix
> security bug CVE-2015-3935 #814030
> https://sourceforge.net/p/tcpdf/bugs/1005/
> 
> Fix is as simple as the following patch. Non regression tested with
> success on package "dolibarr" and "phpmyadmin".

There seems to be some confusion here. CVE-2015-3935 is a previously
resolved issue in dolibarr, not tcpdf (bugs are fixed by uploads of
source packages, not binary packages), and is not the vulnerability to
which #814030 refers.

I assume you mean CVE-2017-6100 but, as noted by Raphael in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814030#78 , in order
to agree an upload we will need a debdiff between the source package
that you are proposing to upload and the package in stable, not simply
the patch to the code.

Regards,

Adam

