Thanks for the update on how to proceed and the insight into the inner workings of pkg.

On 11.04.2017 at 03:07, Greg Troxel <gdt%lexort.com@localhost> wrote:

> pkgsrc tries hard to keep track of versions that are affected by various
> issues (usually captured by a CVE code). When a package is patched for
> that CVE, we adjust the entry in pkg-vulnerabilities. To help keep
> track of which are patched and which are not, we try to have comments in
> the patch files (before the diff hunks) that say 1) what the patch does,
> and for security patches to give the CVE ref and 2) where the patch came
> from. Often a patch is taken from upstream svn/git/etc., and has been
> applied to head or a release branch after the latest release.
>

OK, I did not know that. So my patch is not completely in line with that. Hopefully I can reconstruct the sources (probably from the arc mailing list and some Linux repository).

[…]

> Also, I wonder how you are making patches. If you use mkpatches (from
> pkgtools/pkgdiff), it will create files with our more recent naming
> convention based on files names instead of -aa.

Thanks for this information. I wasn’t aware of that, so I just used cvs diff… It was intended to prevent local issues until someone else fixes it officially. Now this turns out not to be the best plan in a community driven effort ;-)

>
> The two current entries are
>
> arc<5.21enb2 insecure-temp-files http://www.zataz.net/adviso/arc-09052005.txt
> arc-[0-9]* directory-traversal https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
>
> I'm guessing your fix is for the directory traversal issue.

Your guess is correct.

>
> In general, if you have changes to pkgsrc that can just be applied after
> review, sending a patch to pkgsrc to this list is a good plan.
>
>
> Do you know if arc has released a fixed version? Might you be able to
> poke them to do that?

I will try to find out, but it seems that no newer version exists (SourceForge, at least).
All the Linux distros I have seen so far have individual patched versions of 5.21p. So I guess we’ll have to live with a patched 5.21p for the foreseeable future.

Cheers
Oskar
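Greg's description of the patch-header convention above, turned into a check that can be run over a patch file before it is sent to the list. This is an added example, not pkgsrc's own tooling (mkpatches/pkgdiff); the $NetBSD$ id / comment / "--- file.orig" layout follows the usual pkgsrc patch style, and the keywords used to recognise an origin line are this script's assumption.

```shell
#!/bin/sh
# Added example, not pkgsrc's own tooling: check that a pkgsrc patch file has,
# before its first hunk, a comment saying what it does, a CVE reference (for a
# security fix) and where it came from. Header layout ($NetBSD$ id, comment,
# then "--- file.orig") follows the usual pkgsrc patch style; the origin
# keywords below are this script's assumption.
check_patch_header() {   # returns 0 if the header passes, 1 otherwise
    file="$1"; rc=0
    # Everything before the first "--- " file marker is the header.
    header=$(sed '/^--- /,$d' "$file")
    if ! printf '%s\n' "$header" | grep -q '^\$NetBSD'; then
        echo "$file: missing \$NetBSD\$ RCS id"; rc=1
    fi
    # The comment is the header minus the RCS id and blank lines.
    comment=$(printf '%s\n' "$header" | grep -v '^\$NetBSD' | grep -v '^[[:space:]]*$' || true)
    if [ -z "$comment" ]; then
        echo "$file: no comment explaining what the patch does"; rc=1
    fi
    if ! printf '%s\n' "$comment" | grep -Eq 'CVE-[0-9]{4}-[0-9]{4,}'; then
        echo "$file: no CVE reference (expected for a security patch)"; rc=1
    fi
    # Origin: an upstream commit reference or a URL such as a distro bug report.
    if ! printf '%s\n' "$comment" | grep -Eiq 'https?://|upstream|commit'; then
        echo "$file: no indication of where the patch came from"; rc=1
    fi
    return $rc
}

tmp=$(mktemp -d)
# Constructed sample: a header in the expected form (the CVE id is a placeholder).
cat > "$tmp/patch-good" <<'EOF'
$NetBSD$

Reject archive member names containing ".." or a leading "/", fixing the
directory-traversal issue CVE-0000-0000 (placeholder id, not the real one).
Taken from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527

--- arc.c.orig
+++ arc.c
@@ -1 +1 @@
-old
+new
EOF
# Constructed sample: bare "cvs diff" output with no header at all.
printf '%s\n' '--- arc.c.orig' '+++ arc.c' '@@ -1 +1 @@' '-old' '+new' > "$tmp/patch-bare"
for p in "$tmp/patch-good" "$tmp/patch-bare"; do
    if check_patch_header "$p"; then echo "$p: header ok"; fi
done
```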