On 2006-05-15 Max Kellermann <[EMAIL PROTECTED]> wrote:
> Package: gnutls13
> Version: 1.3.5-1.1
> Severity: important
>
> In the gnutls13 package, I detected a buffer overflow which had been
> fixed 3 months ago in 1.2.10 and 1.3.4:
> http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001053.html
>
> The gnutls upstream sources
> (ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.3.5.tar.bz2) do not
> contain the faulty code anymore, the Debian sources
> (gnutls13_1.3.5.orig.tar.gz) however do.
>
> There are many other (tiny) differences in ./lib/gnutls_x509.c. This
> leads me to the conclusion that Debian's gnutls13_1.3.5.orig.tar.gz is
> incorrect.

I can confirm this. Looks like code was pulled somewhere from CVS.
(.orig is the Debian tarball.)

[EMAIL PROTECTED]:/tmp$ diff -ur gnutls13-1.3.5.orig gnutls-1.3.5 \
    | grep -v '^Only' | diffstat
 doc/gnutls.texi        |    2 +-
 lib/gnutls_x509.c      |   47 +++++++++++++++++++++++------------------------
 lib/minitasn1/errors.c |   27 +++++++++++++++------------
 po/pl.po               |   30 +++++++++++++++++++++---------
 4 files changed, 60 insertions(+), 46 deletions(-)

Actually the cvs-snapshot seems to be quite crufty, it contains files
deleted upstream a long time ago:

diff -ur gnutls13-1.3.5.orig gnutls-1.3.5 | grep '^Only' | \
    grep -E '\.[ch]$' | wc
     46     184    2179

e.g. lib/gnutls_random.c was removed in August from upstream cvs and
last shipped with gnutls 1.2.6.

cu andreas
--
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Fforde
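The check Andreas runs by hand above (diff the unpacked Debian .orig tree against the unpacked upstream release, then separate "content changed" from "file only on one side") can be scripted so that a packaging pipeline fails when an orig tarball is not the upstream release. The following is an added example written for this page, not code from the thread or from the gnutls or Debian projects. It assumes both trees are already unpacked into directories; `compare_trees` and `demo_fixture` are names chosen here, and the fixture files are constructed to mirror the report (one modified file, one stale file that upstream had deleted, one file missing from the package).

```shell
#!/bin/sh
# Added example: classify the differences between a distribution's unpacked
# .orig source tree and the unpacked upstream release.
#
#   compare_trees ORIG_DIR UPSTREAM_DIR
#
# Prints "modified=N stale=N missing=N" and returns 0 only when the two
# trees are identical, so it can gate a build.
#   modified : present in both trees, content differs (the diffstat lines above)
#   stale    : only in the packaged tree, e.g. files deleted upstream long ago
#   missing  : only in the upstream release, absent from the package
compare_trees() {
    orig="$1"
    upstream="$2"
    modified=0
    stale=0
    missing=0

    # diff -rq emits one line per difference; LC_ALL=C pins the wording we
    # match on. The here-document keeps the loop in the current shell so the
    # counters survive (a pipe into `while` would run it in a subshell).
    while IFS= read -r line; do
        case "$line" in
            "Files "*" differ")   modified=$((modified + 1)) ;;
            "Only in $orig"*)     stale=$((stale + 1)) ;;
            "Only in $upstream"*) missing=$((missing + 1)) ;;
        esac
    done <<EOF
$(LC_ALL=C diff -rq "$orig" "$upstream")
EOF

    echo "modified=$modified stale=$stale missing=$missing"
    [ "$modified" -eq 0 ] && [ "$stale" -eq 0 ] && [ "$missing" -eq 0 ]
}

# Constructed fixture (not real gnutls sources): builds two small trees under
# a temporary directory and prints its path.
demo_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/pkg-orig/lib" "$root/upstream/lib"
    # same file, different content -> modified
    printf 'int a = 1;\n' > "$root/pkg-orig/lib/gnutls_x509.c"
    printf 'int a = 2;\n' > "$root/upstream/lib/gnutls_x509.c"
    # present only in the packaged tree -> stale (deleted upstream)
    printf 'old\n' > "$root/pkg-orig/lib/gnutls_random.c"
    # present only upstream -> missing from the package
    printf 'new\n' > "$root/upstream/lib/new_file.c"
    # identical file, must not be counted
    printf 'same\n' > "$root/pkg-orig/README"
    printf 'same\n' > "$root/upstream/README"
    echo "$root"
}

# Usage:
#   root=$(demo_fixture)
#   compare_trees "$root/pkg-orig" "$root/upstream" || echo "orig tarball is not the upstream release"
```

A real gate would first compare the tarballs' published checksums or signatures and only fall back to this tree diff to explain what differs; the stale-file count is the interesting one here, since files upstream removed (like lib/gnutls_random.c in the report) are exactly where an already-fixed bug can survive.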