diffoscope: Update to 256. [security fixes]

  • Done
  • quality assurance status badge
Details
2 participants
  • John Kehayias
  • Vagrant Cascadian
Owner
unassigned
Submitted by
Vagrant Cascadian
Severity
normal

Debbugs page

Vagrant Cascadian wrote 1 years ago
(address . guix-patches@gnu.org)
87r0hl2us9.fsf@wireframe
The attached patch updates diffoscope to 256, which contains a security
fix for directory traversals when using gpg.

Both diffoscope and it's dependent, reprotest, still build fine!

I am not sure what the expedited process for security updates are, but
if there is anything I can do, please let me know!

live well,
vagrant
From 9dcababcf0e94ddab30de91054e04400b263879c Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@debian.org>
Date: Fri, 9 Feb 2024 12:58:57 -0800
Subject: [PATCH] gnu: diffoscope: Update to 256. [security fixes]


* gnu/packages/diffoscope.scm (diffoscope): Update to 256.
---
gnu/packages/diffoscope.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (26 lines)
diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm
index 626ac00425..f4d271f690 100644
--- a/gnu/packages/diffoscope.scm
+++ b/gnu/packages/diffoscope.scm
@@ -74,7 +74,7 @@ (define-module (gnu packages diffoscope)
(define-public diffoscope
(package
(name "diffoscope")
- (version "255")
+ (version "256")
(source
(origin
(method git-fetch)
@@ -83,7 +83,7 @@ (define-public diffoscope
(commit version)))
(file-name (git-file-name name version))
(sha256
- (base32 "07mkmwp3ni2dh5w5q2vxkc588l5dabcly3jrd8ic62318si7d400"))))
+ (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf"))))
(build-system python-build-system)
(arguments
(list

base-commit: 513755d64debb44096f21e323a5b89a7a597d2ca
--
2.39.2
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZcaYpgAKCRDcUY/If5cW
qv9HAP9d5ZAeamKDymuwhScKsXuAhiyLCFBrys2J19w/nsCsQwEAn6O5PqMsgRfX
CV+XCSwpcInIgW/uh2+eleYvQk36yw8=
=VcX+
-----END PGP SIGNATURE-----

John Kehayias wrote 1 years ago
(name . Vagrant Cascadian)(address . vagrant@reproducible-builds.org)(address . 69007@debbugs.gnu.org)
87mss98ge4.fsf@protonmail.com
Hi vagrant!

On Fri, Feb 09, 2024 at 01:27 PM, Vagrant Cascadian wrote:

Toggle quote (6 lines)
> The attached patch updates diffoscope to 256, which contains a security
> fix for directory traversals when using gpg.
>
> Both diffoscope and it's dependent, reprotest, still build fine!
>

Great, thank you! (following up here for posterity; discussed via IRC)

Toggle quote (4 lines)
> I am not sure what the expedited process for security updates are, but
> if there is anything I can do, please let me know!
>

As we discussed, we should formalize some CC-ing of the security list,
or a separate security team for reviewing patches (for public flaws,
rather than reporting them). And making sure "[security fixes]" is
noted, as you did here, for easy sorting.

Toggle quote (9 lines)
> live well,
> vagrant
>
> From 9dcababcf0e94ddab30de91054e04400b263879c Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant@debian.org>
> Date: Fri, 9 Feb 2024 12:58:57 -0800
> Subject: [PATCH] gnu: diffoscope: Update to 256. [security fixes]
>

In any event, patch looks good and as a leaf with a pretty trivial
patch, I think you would be clear to push directly to begin with. There
was some discussion a while back at what is "trivial," but a version
update with 1 dependent is about as easy as it gets. Perhaps another
thing to make sure we are on the same page about but I doubt anyone
would complain if you had pushed this directly.

We could also let QA build, since it is back up, but again, very minor
concern here if something were to break.

Anyway, please do push! I might put "[security fixes]" before the period
in the commit message to match previous ones, but that is very minor.

Thanks again!
John

Toggle quote (31 lines)
>
> * gnu/packages/diffoscope.scm (diffoscope): Update to 256.
> ---
> gnu/packages/diffoscope.scm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm
> index 626ac00425..f4d271f690 100644
> --- a/gnu/packages/diffoscope.scm
> +++ b/gnu/packages/diffoscope.scm
> @@ -74,7 +74,7 @@ (define-module (gnu packages diffoscope)
> (define-public diffoscope
> (package
> (name "diffoscope")
> - (version "255")
> + (version "256")
> (source
> (origin
> (method git-fetch)
> @@ -83,7 +83,7 @@ (define-public diffoscope
> (commit version)))
> (file-name (git-file-name name version))
> (sha256
> - (base32 "07mkmwp3ni2dh5w5q2vxkc588l5dabcly3jrd8ic62318si7d400"))))
> + (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf"))))
> (build-system python-build-system)
> (arguments
> (list
>
> base-commit: 513755d64debb44096f21e323a5b89a7a597d2ca
Vagrant Cascadian wrote 1 years ago
Re: diffoscope: Update to 256. [security fixes]
(address . 69007-done@debbugs.gnu.org)
87jznd2sdv.fsf@wireframe
On 2024-02-09, Vagrant Cascadian wrote:
Toggle quote (5 lines)
> The attached patch updates diffoscope to 256, which contains a security
> fix for directory traversals when using gpg.
>
> Both diffoscope and it's dependent, reprotest, still build fine!

Pushed as 30196aec07dab8cc0f4a614b160f1857377a6a84.

live well,
vagrant
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZcakzQAKCRDcUY/If5cW
qoX3AQCauYNAXkyBaWcfSrl/wSuYXMDSg72jQHbac0smDOaNxQEAl3HJCJlfKaf0
R9uG0DO9bl3RndWqo4Ci/wnMXHNiPAk=
=Z3Dg
-----END PGP SIGNATURE-----

Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 69007@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 69007
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch
You may also tag this issue. See list of standard tags. For example, to set the confirmed and easy tags
mumi command -t +confirmed -t +easy
Or, remove the moreinfo tag and set the help tag
mumi command -t -moreinfo -t +help