pkgsrc-Bugs archive


Re: pkg/47442 (pkgsrc' security/gnupg2 package needs security update for CVE-2012-6085 [patch included])



The following reply was made to PR pkg/47442; it has been noted by GNATS.

From: Bug Hunting <bughunting%xs4all.nl@localhost>
To: NetBSD GNATS <gnats-bugs%NetBSD.org@localhost>
Cc: drochner%NetBSD.org@localhost, Thomas Klausner <wiz%NetBSD.org@localhost>
Subject: Re: pkg/47442 (pkgsrc' security/gnupg2 package needs security update
 for CVE-2012-6085 [patch included])
Date: Tue, 15 Jan 2013 18:45:11 +0100

 Hi,
 
 On Tue, Jan 15, 2013 at 11:25:53AM +0000, drochner%NetBSD.org@localhost wrote:
 > Synopsis: pkgsrc' security/gnupg2 package needs security update for 
 > CVE-2012-6085 [patch included]
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: drochner%NetBSD.org@localhost
 > State-Changed-When: Tue, 15 Jan 2013 11:25:44 +0000
 > State-Changed-Why:
 > applied, thanks
 
 Thank you for taking this PR.
 
 However, unfortunately, the PR's handling is far off from what it
 could have been, as it hasn't been applied in full (and was therefore
 closed unreasonably, as well), and the part that _has_ been applied
 hasn't been applied (fully) correctly.
 
 The following issues should be addressed, specifically:
 
 The name of the patches/ directory patch was changed away from what
 it should be, following pkgsrc conventions: see, e.g., the pkgsrc
 Guide, section 11.3.2:
 ``The file names of the patch files are usually of the form
 patch-path_to_file__with__underscores.c.''.
 Please rename the file appropriately.
 
 Also, although that's my personal opinion, a bit more information
 could've been copied from what I provided in the patch's comment
 lines; e.g., this includes the upstream bug id (I do note by the
 way the actual CVE addressed with it is now in the patch's file
 name, but see above for why that should be undone).
 
 The difference in name (and comment contents) of the distinfo file
 as explained above of course also led to a different distinfo file,
 with your commit; please make sure to regenerate it appropriately
 after altering things again, now.
 
 What is described above regarding the comments in the patches/
 directory patch file basically also applies to the overall commit
 message; also, you added the actual issue the CVE holds with your
 commit message, but please note that the CVE is not just about a
 possible keyring corruption, but also a memory access violation
 (see, e.g., <http://seclists.org/bugtraq/2012/Dec/151>); this by
 the way (probably) also is the reason why for the pkg-vulnerabilities
 file, rightly, ``multiple-vulnerabilities'' is specified in the
 ``type of exploit'' field, for this vulnerability (for the gnupg
 entry, but I also copied that for the one for gnupg 2, of course).
 
 Then: pkgsrc/doc/CHANGES-2013 wasn't updated.
 
 Lastly: no pull-up request for pkgsrc-2012Q4 was made (and, of
 course, pkgsrc/doc/CHANGES-pkgsrc-2012Q4 wasn't altered along with
 that either).
 
 (No offence, but please take better care next time; basically sending
 in a PR twice like here, is just a waste of time.)
 
 Thanks,
 
 Bug Hunting
 