Email: firstname.lastname@example.org • Mastodon: @email@example.com • Debian: benh (Salsa, QA) • Gitweb: git.decadent.org.uk • GitHub: bwhacks
This was my sixth month working on Debian LTS. I was assigned 10.5 hours by Freexian's Debian LTS initiative. This was less than in previous months, but I was still able to work on several packages.
This update was almost ready to release at the end of April. I had to rebuild from the upstream tarball as released by Guillem, then uploaded and issued DLA 220-1.
This update was also almost ready to release. I hoped to get some users to test it, but didn't get any response. I uploaded and issued DLA 221-1.
Ruby 1.8 had a single CVE to fix. It was already fixed in wheezy against a similar upstream version, so it took little time to apply that patch. Ruby has an extensive test suite that reassured me this wouldn't cause a regression. I uploaded and issued DLA 224-1.
p7zip allows arbitrary file overwrite via symlinks (CVE-2015-1038) when extracting a carefully constructed archive, and this bug is not fixed upstream. This sort of bug has been identified and fixed previously in similar tools such as GNU tar, so I looked at how that handles links and tried to apply a similar change in p7zip. This was somewhat complicated by the code style (C++ with COM-style interfaces and NIH containers), but not too hard. I came up with a patch that seems to work for the versions in Debian, and have attached it to the upstream bug report for review.
I reviewed the patches for Linux 18.104.22.168 - many of which were my own backports - and then integrated this update into the SVN branch. I will probably upload a new version soon, whether or not there's a high severity issue, just to avoid piling up a large number of changes in one update.