On Thu, 2017-09-28 at 07:53 +0200, Salvatore Bonaccorso wrote:
> Hi Adam,
>
> On Thu, Sep 28, 2017 at 06:43:59AM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Thu, 2017-09-28 at 05:02 +0200, Salvatore Bonaccorso wrote:
> > > weechat in stretch is affected by CVE-2017-14727, tracked as
> > > #876553.
> > >
> > > >   * logger: call strftime before replacing buffer local variables
> > > >     (CVE-2017-14727) (Closes: #876553)
> > >
> > > https://weechat.org/news/98/20170923-Version-1.9.1-security-release/
> > >
> > > Attached proposed debdiff for the stretch point release.
> > >
> >
> > There's quite a bit of noise in such a small diff. :-( I appreciate
> > why, though.
>
> Yes I can understand, you are a bit unhappy with me in that regard.
> I followed upstream, which renamed several of the mask_* pointers and
> added a new one for one more operation and shuffled around.
>
> I preferred to rather follow upstream here, hope I can convince you.
>
> or did you mean something else?

No problem; I wasn't unhappy with you. Following upstream's diff makes perfect sense, it's just unfortunate that they ended up with a patch that was significantly larger than the actual change. In their position, I'm not sure I'd have wanted to be having to add "mask_2.5" type variables just to avoid the rename though.

Apologies if that wasn't clear.

Regards,

Adam