On Fri, Aug 28, 2009 at 12:22:06AM +0200, gregor herrmann wrote:
> On Thu, 27 Aug 2009 21:27:13 +0200, Bas Zoetekouw wrote:
>
> > > FYI I'm preparing stable updates of perl and libcompress-raw-zlib-perl
> > > because of the identical issue in Compress-Raw-Zlib (CVE-2009-1391). The
> > > security team recommended this because they are too busy to prepare DSAs
> > > for such minor issues.
> > >
> > > Please consider updating libcompress-raw-bzip2-perl too. The window for
> > > the next stable update is closing this weekend.
> >
> > Unfortunately I don't have access to my Debian machines at the moment
> > (I'm in the middle of moving house). Gregor volunteered to NMU the
> > package though.
> > Gregor, do you think you'll have time to NMU on such short notice?
>
> Oops, seems I should read all mails before preparing debdiffs after
> reading the first one :)
>
> Anyway, you've seen my tentative diff, and I also have time on Friday
> and Sunday for any changes and uploads.
Thanks for picking this up Gregor. Not sure if a testcase can be found
through the CVE entries, so I'm attaching one for your convenience.

> Cheers,
> gregor, who is just a bit confused why libcompress-raw-zlib-perl goes
> to s-p-u and libcompress-raw-bzip2-perl maybe to
> stable-security

Has the security team acked a libcompress-raw-bzip2-perl upload? I
assumed this one would go through s-p-u too.

--
Niko Tyni nt...@debian.org
#!/usr/bin/perl -w
# Test case for the Compress::Raw::Bzip2 issue. Run as:
#   dd if=/dev/zero bs=16384 count=1 | bzip2 - | valgrind perl bunzip2.pl >/dev/null
# A vulnerable module version shows an invalid write/read under valgrind.
use strict;
use Compress::Raw::Bzip2;

# Slurp the whole compressed stream from STDIN in one read.
local $/ = undef;

# Inflate it in a single call; the input is consumed in place, the
# decompressed data lands in $out.
Compress::Raw::Bunzip2->new->bzinflate(<>, my $out);
print $out;
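The attached script needs the dd/bzip2 pipeline and valgrind to show anything. As an added example (not part of the thread or of the package), here is a self-contained round-trip check that builds the same 16384-zero-byte stream in-process with Compress::Raw::Bzip2, inflates it with status checks, and verifies the output, so it can be dropped into a package test suite as a regression test; the constructor arguments are the module's documented positional defaults.

```perl
#!/usr/bin/perl
# Regression check for the bzinflate buffer-boundary case: compress 16384
# zero bytes in-process, inflate them, and verify length and content.
use strict;
use warnings;
use Compress::Raw::Bzip2;   # also exports the BZ_* status constants

my $size  = 16384;          # same input size as the attached test case
my $plain = "\0" x $size;   # constructed input, not a captured file

# Compress: appendOutput=1, blockSize100k=1, workFactor=0 (module defaults)
my ($bz, $status) = Compress::Raw::Bzip2->new(1, 1, 0);
die "Bzip2->new failed: $status" unless $status == BZ_OK;

my $compressed = '';
$status = $bz->bzdeflate($plain, $compressed);
die "bzdeflate failed: $status" unless $status == BZ_RUN_OK;
$status = $bz->bzclose($compressed);
die "bzclose failed: $status" unless $status == BZ_STREAM_END;

# Inflate: appendOutput=1, consumeInput=1 (module defaults). A vulnerable
# module version crashes or hangs here when run under valgrind; a fixed
# one returns BZ_STREAM_END with exactly $size bytes of output.
my ($bunz, $st2) = Compress::Raw::Bunzip2->new(1, 1);
die "Bunzip2->new failed: $st2" unless $st2 == BZ_OK;

my $out = '';
$st2 = $bunz->bzinflate($compressed, $out);
die "bzinflate did not reach end of stream: $st2" unless $st2 == BZ_STREAM_END;
die "unconsumed trailing input" if length $compressed;
die sprintf("length mismatch: got %d, want %d", length $out, $size)
    unless length $out == $size;
die "content mismatch" unless $out eq $plain;

print "ok: $size bytes round-tripped through Compress::Raw::Bzip2\n";
```

Run it under valgrind the same way as the attached script to catch the memory error on an unpatched module; on a patched one it simply prints the ok line.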