Hi David,

On Fri, Dec 04, 2020 at 05:22:03PM -0500, David da Silva Polverari wrote:
> Package: release.debian.org
> Severity: important
> Tags: buster
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> Hi,
>
> A global buffer overflow vulnerability was found by Red Hat in
> pngcheck-2.4.0 [1]. It was found and reported by the Debian Security
> Team that the vulnerability also affects the versions found in the
> Debian archive [2].
>
> The bug was already fixed in unstable [2]. I have prepared a revision
> for buster-security for pngcheck/2.3.0-7 with the backported changes
> from unstable. The proposed update builds correctly on a minimal
> up-to-date buster chroot.
>
> I didn't coordinate with the security team, as the vulnerability is
> marked "no-dsa" in the Debian Security Tracker [3].
>
> If the update is deemed correct, I can make it available on mentors, and
> open an RFS as I don't have uploading rights.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1902011
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976350
> [3] https://security-tracker.debian.org/tracker/CVE-2020-27818
>
> Regards,
> Polverari
> diff -Nru pngcheck-2.3.0/debian/changelog pngcheck-2.3.0/debian/changelog > --- pngcheck-2.3.0/debian/changelog 2013-06-26 09:28:27.000000000 +0000 > +++ pngcheck-2.3.0/debian/changelog 2020-12-04 21:22:18.000000000 +0000 > @@ -1,3 +1,10 @@ > +pngcheck (2.3.0-7+deb10u1) buster-security; urgency=high For the update via the point release, the target distribution needs to be set to 'buster' (vs. buster-security). Regards, Salvatore
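Review bot: the distribution field in the new changelog entry, "pngcheck (2.3.0-7+deb10u1) buster-security; urgency=high", does not match how the update is being routed: the request is filed against release.debian.org with usertag pu and the submitter states it was not coordinated with the security team, so this goes through the point release and the entry should read "pngcheck (2.3.0-7+deb10u1) buster; urgency=high". The hunk header (@@ -1,3 +1,10 @@) announces seven added lines but only this first one is visible in the excerpt, so whether the entry body names CVE-2020-27818 and closes #976350 cannot be confirmed from what is shown here and should be checked before upload.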