Security Patch in netpanzer (question)

Jason L Tibbitts III tibbs at math.uh.edu
Fri Jun 9 04:30:45 UTC 2006


>>>>> "HC" == Hugo Cisneiros <hugo at devin.com.br> writes:

HC> It seems that the SVN version is ok, but I'm not a programmer to
HC> make a patch only to fix this vulnerability.

Upstream should be pretty well qualified to help you out here; have
you contacted them?  (I guess you must have; they seem to have taken a
patch from you.)

HC> An option would be to create and apply a patch to update the
HC> entire version to SVN instead of only the vulnerability fix.

That's rather suboptimal, but would work if nothing else does.  You
have to be careful that it's not less stable and doesn't break
existing configurations.

Ideally you'd just get a patch that fixes the issue.  One possibility
if upstream won't or can't help you is to go through their SVN tree and
look for a commit that indicates it fixes the security issue.  You may
get lucky and find something obvious, but it assumes that upstream
provides useful comments.  When I reported that CVE I did spend a
little time looking through their tree but nothing jumped out at me.

I just looked again; try looking at revisions 928, 929 and other
revisions around that time.  They seem to be related, although there
are a lot of patches.  Many of them seem to be trivial changes;
perhaps you can pick out the fix.

http://svn.berlios.de/viewcvs/netpanzer?rev=928&view=rev

HC> If applying the patch to update entirely to the svn version, I
HC> must change the entire package's version or change only the
HC> release field in the specfile?

I would indicate the version change; the naming guidelines have
information on how to name snapshot packages:

http://fedoraproject.org/wiki/Packaging/NamingGuidelines#head-cfd71146dbb6f00cec9fe3623ea619f843394837

 - J<
