[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: pkg/47442 (pkgsrc' security/gnupg2 package needs security update for CVE-2012-6085 [patch included])
The following reply was made to PR pkg/47442; it has been noted by GNATS.
From: Bug Hunting <bughunting%xs4all.nl@localhost>
To: NetBSD GNATS <gnats-bugs%NetBSD.org@localhost>
Cc: drochner%NetBSD.org@localhost, Thomas Klausner <wiz%NetBSD.org@localhost>
Subject: Re: pkg/47442 (pkgsrc' security/gnupg2 package needs security update
for CVE-2012-6085 [patch included])
Date: Tue, 15 Jan 2013 18:45:11 +0100
On Tue, Jan 15, 2013 at 11:25:53AM +0000, drochner%NetBSD.org@localhost wrote:
> Synopsis: pkgsrc' security/gnupg2 package needs security update for
> CVE-2012-6085 [patch included]
> State-Changed-From-To: open->closed
> State-Changed-By: drochner%NetBSD.org@localhost
> State-Changed-When: Tue, 15 Jan 2013 11:25:44 +0000
> applied, thanks
Thank you for taking this PR.
However, unfortunately, the PR's handling is far off from what it
could have been, as it hasn't been applied in full (and was therefore
closed unreasonably, as well), and the part that _has_ been applied,
hasn't been applied (fully) correctly.
The following issues should be addressed, specifically:
The name of the patches/ directory patch was changed away from what
it should be, following pkgsrc conventions: see, e.g., the pkgsrc
Guide, section 11.3.2:
``The file names of the patch files are usually of the form
Please rename the file appopriately.
Also, although that's my personal opinion, a bit more information
could've been copied from what I provided in the patch' comment
lines; e.g., this includes the upstream bug id (I do note by the
way the actual CVE addressed with it is now in the patch' file
name, but see above for why that should be undone).
The difference in name (and comment contents) of the distinfo file
as explained above of course also led to a different distinfo file,
with your commit; please make sure to regenerate it appropriately
after altering things again, now.
What is described above regarding the comments in the patches/
directory patch file, basically also applies for the overall commit
message; also, you added the actual issue the CVE holds with your
commit message, but please note that the CVE is not just about a
possible keyring corruption, but also a memory access violation
(see, e.g., <http://seclists.org/bugtraq/2012/Dec/151>); this by
the way (probably) also is the reason why for the pkg-vulnerabilities
file, rightly, ``multiple-vulnerabilities'' is specified in the
``type of exploit'' field, for this vulnerability (for the gnupg
entry, but I also copied that for the one for gnupg 2, of course).
Then: pkgsrc/doc/CHANGES-2013 wasn't updated.
Lastly: no pull-up request for pkgsrc-2012Q4 was made (and, of
course, pkgsrc/doc/CHANGES-pkgsrc-2012Q4 wasn't altered along with
(No offence, but please take better care next time; basically sending
in a PR twice like here, is just a waste of time.)
Main Index |
Thread Index |