On Wed, Jan 15, 2014 at 01:43:54PM -0700, Eric Blake wrote:
> On 01/11/2014 07:27 AM, Guido Günther wrote:
> > Hi,
> > attached patches backport the fixes for CVE-2013-6458 to v0.9.12-maint. I
> > decided to cherry-pick the introduction of VIR_STRDUP and virReportError
> > as well to ease backporting of future fixes. I'd be happy about any review.
>
> Looks correct to me. I'll let you push to 0.9.12-maint since you
> already did that work; I already pushed to all the branches 0.10.2 and
> later. When porting to 0.10.2, I chose to just inline the call to
> strdup() instead of backporting VIR_STRDUP, for fewer patches but more
> conflict resolution; but either approach seems acceptable.
Thanks for the review!
> Is anyone still using v0.9.11-maint? The CVE extends back to 0.9.8, so
> we could argue that we should either fix the 0.9.11 branch, or add
> another commit to the branch that explicitly marks it as end-of-life
> because no one appears to be relying on it. Fedora 18 is now
> end-of-life, so from Fedora's perspective, I only care about 0.10.2
> (RHEL and CentOS 6), 1.0.5 (F19), 1.1.3 (F20) and soon 1.2.1 (rawhide),
> although I didn't mind touching all the intermediate branches on my way
> down to 0.10.2. RHEL 5 is also vulnerable to CVE-2013-6458, but as we
> don't have an upstream v0.8.2-maint branch (thank goodness!), that's
> something for Red Hat to worry about.
I'd say let's close 0.9.11. We have 0.8.3 in Debian oldstable but I'm
not going to open a maint branch for this but deal with it in the
package itself.
Cheers,
-- Guido