On Mon, Apr 08, 2013 at 10:18:14PM +0100, Adam D. Barratt wrote:
> On Mon, 2013-04-08 at 22:56 +0200, Tzafrir Cohen wrote:
> > On Mon, Apr 08, 2013 at 09:13:43PM +0100, Adam D. Barratt wrote:
> > > On Sat, 2013-04-06 at 16:39 +0300, Tzafrir Cohen wrote:
> > > > Please unblock package asterisk. It includes a number of fixes, mostly
> > > > two series of security fixes.
> [...]
> > > > + * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
> > > > + - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large
> > > > stack
> > > > + allocations when using TCP.
> > > > + The following two fixes were also pulled in order to easily
> > > > apply it:
> > > > + - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
> > >
> > > That patch is more than 30% of the diff on its own. :-(
> > >
> > > How difficult would it have been to backport the fix to the code we have
> > > in wheezy?
> >
> > Looking into that.
>
> Thanks. If the answer is that it's non-trivial then it may be worth
> considering whether we should let the package spend a few more days in
> unstable (depending on how urgently the security team believe we need
> the fixes in wheezy).

Done. It turned out to be much smaller than the original one. At first
glance there isn't any other code path.

http://anonscm.debian.org/viewvc/pkg-voip/asterisk/trunk/debian/patches/AST-2012-014?revision=10137&view=markup

All other requested changes are committed to SVN. I'll rebuild -3 morning.

--
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend