Control: tag -1 wontfix

On Sun, Nov 30, 2014 at 01:52:31PM +0100, Laszlo Boszormenyi (GCS) wrote:
> Please consider unblocking libsodium/1.0.1-1 despite being a new,
> bugfix only upstream release. Its changelog[1] says:
> -- cut --
> * DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
>   collisions with similar macros defined by other libraries.
> * sodium_bin2hex() is now constant-time.
> * crypto_secretbox_detached() now supports overlapping input and
>   output regions.
> * NaCl's donna_c64 implementation of curve25519 was reading an
>   extra byte past the end of the buffer containing the base point.
>   This has been fixed.
> -- cut --
>
> The first one is not to clash with Wine and others. Constant time
> function prevents an attacker from getting a closer idea what the input
> was in a normal use call. Third is to prevent memory corruptions if input
> and output regions overlap. The last one is clearly a buffer over-read
> security fix.
> As libsodium is a network communication cryptography and signaturing
> library, I think these fixes are a should have for Jessie.

This isn't really a good fit for this stage in the process; I realise you've been waiting a while but that's probably a reflection on the size of the diff. Unless you can persuade me that any of it is RC, I'm minded to decline this one.

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51