Package patches have not been applied
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
boost (Ubuntu) | Triaged | Low | Unassigned |
Bug Description
Today I merged the latest 1.36.0 from SVN r48974 with the Debian packaging from 1.34.1-4ubuntu3 for Hardy.
I spent some time checking the debian/patches and removing the ones that have been included upstream.
I got held up by debian/
On investigating the current 1.34.1-4ubuntu3 debian/rules I realised it doesn't have any logic to apply the patches! This seemed weird since various Ubuntu package maintainers have added patches and uploaded the new packages to the repositories.
I then looked at the Intrepid package 1.34.1-11ubuntu1. In this package, quilt has been added to debian/rules and the index debian/
So it looks like the Hardy package we're shipping has had several patches added but never actually applied, with the result that the built binaries do not contain the fixes the patches are intended to provide.
Subscribed ubuntu-security since some of the patches that aren't applied are:
boost (1.34.1-4ubuntu3) hardy; urgency=low

  * debian/patches/05_regex_fixes.patch: fix for
    basic_regex_parser() in boost/regex/v4/basic_regex_parser.hpp to return
    error on invalid repetition of next state
  * References
    CVE-2008-0171
    CVE-2008-0172
    http://svn.boost.org/trac/boost/changeset/42674
    http://svn.boost.org/trac/boost/changeset/42745

 -- Jamie Strandboge <email address hidden>  Thu, 20 Mar 2008 09:03:20 -0400
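
The failure described in this report (patch files shipped in debian/patches but nothing in debian/rules to apply them) can be checked for mechanically in an unpacked source tree. The script below is an added example, not part of the bug report or the boost packaging; the function names, the grep patterns for quilt, dpatch and cdbs, and the sample tree are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: list debian/patches/ files that a build will never apply.
# Heuristic only; the patterns below cover quilt, dpatch and cdbs.

# Print the patch mechanism a source tree uses, or "none".
patch_system() {
    src=$1
    if grep -qs '^3\.0 (quilt)' "$src/debian/source/format"; then
        echo quilt        # dpkg-source applies the series when unpacking
    elif grep -qsE 'quilt\.make|patchsys-quilt\.mk|quilt +push' "$src/debian/rules"; then
        echo quilt
    elif grep -qsE 'dpatch|simple-patchsys\.mk' "$src/debian/rules"; then
        echo other        # dpatch or cdbs simple-patchsys; not inspected further
    else
        echo none
    fi
}

# Print, one per line, the patch files that will not be applied.
unapplied_patches() {
    src=$1
    dir=$src/debian/patches
    [ -d "$dir" ] || return 0
    system=$(patch_system "$src")
    for p in "$dir"/*; do
        [ -f "$p" ] || continue
        name=${p##*/}
        case $name in series|00list) continue ;; esac
        case $system in
            none)  echo "$name" ;;
            quilt) # applied only if named in the first field of a series line
                   awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' \
                       "$dir/series" 2>/dev/null || echo "$name" ;;
        esac
    done
    return 0
}

# Constructed sample tree matching the situation in the report: a patch file
# is present but debian/rules has no patch logic.
demo=$(mktemp -d)
mkdir -p "$demo/debian/patches"
printf 'build:\n\tbjam\n' > "$demo/debian/rules"
: > "$demo/debian/patches/05_regex_fixes.patch"
echo "patch system: $(patch_system "$demo")"
echo "not applied:  $(unapplied_patches "$demo")"
rm -rf "$demo"
```

Any name printed by `unapplied_patches` for a security patch means the built binaries still carry the unfixed code, whatever the changelog says.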