On Wed, Feb 1 2023 at 10:09:15 AM +0100, Emilio Pozuelo Monfort
<po...@debian.org> wrote:
On 01/02/2023 09:47, Andres Salomon wrote:

Hi Security Team & Jeremy,

I had originally planned to ask the release team about fixing
#1029845 (the bug below) in bullseye via t-p-u. However, it would
appear that there's also an outstanding security bug in harfbuzz
(CVE-2022-33068, tracked at #1013673). So instead, maybe it's
better if we group the font removal and the security fix together
and upload something like what I've attached (a debdiff against
2.7.4-1) to bullseye-security. What do folks think?

Jeremy, I created a bullseye branch over in my repo at
https://salsa.debian.org/dilinger/harfbuzz/-/commits/bullseye
Based on what's decided, I can adjust it and do a MR to whatever
your preferred branch name is.

Can you also include this change to fix a compiler warning on that
security fix?
https://github.com/harfbuzz/harfbuzz/commit/e421613e8f825508afa9a0b54d33085557c37441

Cheers,
Emilio

Thanks, good catch. It's in
https://salsa.debian.org/dilinger/harfbuzz/-/commit/d091e7184675da712b8bb308cf7c11f45d77011f
now.