Package patches have not been applied

Bug #274837 reported by TJ
Affects:      boost (Ubuntu)
Status:       Triaged
Importance:   Low
Assigned to:  Unassigned
Milestone:    (none)

Bug Description

Today I merged the latest 1.36.0 from SVN r48974 with the debian packaging from 1.34.1-4ubuntu3 for Hardy.

I spent some time checking the debian/patches and removing the ones that have been included upstream.

I got held up by debian/patches/03-st_mt.patch because it patches debian/rules. The problem is, the content info in the diff has no relation to the current debian/rules. That made me wonder why package-build doesn't throw an error and fail.

On investigating the current 1.34.1-4ubuntu3 debian/rules I realised it doesn't have any logic to apply the patches! This seemed weird since various Ubuntu package maintainers have added patches and uploaded the new packages to the repositories.

I then looked at the Intrepid package 1.34.1-11ubuntu1. In this package, quilt has been added to debian/rules and the index debian/patches/series is populated with the list of patches.

So it looks like the Hardy package we're shipping has had several patches added but never actually applied, with the result that the built binaries do not contain the fixes the patches are intended to provide.


TJ (tj) wrote:

Subscribed ubuntu-security since some of the patches that aren't applied are:

boost (1.34.1-4ubuntu3) hardy; urgency=low

  * debian/patches/05_regex_fixes.patch: fix for
    basic_regex_parser() in boost/regex/v4/basic_regex_parser.hpp to return
    error on invalid repetition of next state
  * References
    CVE-2008-0171
    CVE-2008-0172
    http://svn.boost.org/trac/boost/changeset/42674
    http://svn.boost.org/trac/boost/changeset/42745

 -- Jamie Strandboge <email address hidden> Thu, 20 Mar 2008 09:03:20 -0400

Changed in boost:
importance: Undecided → High
milestone: none → ubuntu-8.04.2
status: New → Triaged
Jamie Strandboge (jdstrand) wrote:

The version of boost in hardy does not have a patch system and the patches in the debian/patches directory are simply a record of what has been applied. If you check the diff, you'll see that the CVE fixes will be applied after doing an 'apt-get source' (and indeed are). It appears that other patches in the directory may not have been applied in line, however, and those will need to be checked further.

As this is not a security issue, I am reducing the importance, unmilestoning and unsubscribing the security team.

Changed in boost:
importance: High → Low
milestone: ubuntu-8.04.2 → none
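The comment above leaves the remaining patches to be "checked further" by hand. The script below is an added example, not code from this bug report or from the boost packaging: for every file in debian/patches it runs patch(1) in dry-run mode forwards and then in reverse, and reports whether the change is already in the unpacked tree, still missing, or fits neither way. It assumes GNU patch and diffutils, -p1 style paths in the patches, and, because the real boost source is not on the page, builds a small constructed tree with three sample patches to run against.

```shell
#!/bin/sh
# Added example (not from the bug report or the boost packaging): classify
# every file in debian/patches as already applied to the unpacked source,
# still unapplied, or fitting neither state, using patch(1) dry runs.
# Assumes GNU patch and diffutils and that patches carry -p1 style paths.

# patch_state SRCDIR PATCHFILE [STRIP]  -> prints applied|unapplied|broken
patch_state() {
    src="$1"; pf="$2"; strip="${3:-1}"
    # Exact-context (fuzz 0) dry runs so an already-applied hunk cannot be
    # accepted a second time via fuzz; -f suppresses prompts; exit 0 = fits.
    if patch -d "$src" -p"$strip" --fuzz=0 -s -f --dry-run < "$pf" >/dev/null 2>&1; then
        echo unapplied        # forward application fits: fix is missing
    elif patch -d "$src" -p"$strip" --fuzz=0 -s -f -R --dry-run < "$pf" >/dev/null 2>&1; then
        echo applied          # reverse application fits: fix is present
    else
        echo broken           # fits neither way: patch and tree disagree
    fi
}

# report_patches SRCDIR  -> one "name state" line per patch, in series
# order when debian/patches/series exists (quilt layout), else by name.
report_patches() {
    src="$1"
    if [ -f "$src/debian/patches/series" ]; then
        list=$(grep -v '^#' "$src/debian/patches/series")
    else
        list=$(ls "$src/debian/patches")
    fi
    for p in $list; do
        printf '%-24s %s\n' "$p" "$(patch_state "$src" "$src/debian/patches/$p")"
    done
}

# make_fixture ROOT  -> builds a constructed sample tree (not real boost
# sources) with three patches and prints the source directory:
#   01_applied.patch    its change is already in the tree
#   02_unapplied.patch  its change is still missing from the tree
#   03_broken.patch     written against content the tree never had
make_fixture() {
    root="$1"
    mkdir -p "$root/a/boost" "$root/b/boost" "$root/src/boost" "$root/src/debian/patches"
    printf 'int parse(int n) {\n    return n;\n}\n' > "$root/a/boost/parser.hpp"
    printf 'int parse(int n) {\n    if (n < 0) return -1;\n    return n;\n}\n' > "$root/b/boost/parser.hpp"
    printf 'int fmt(int n) {\n    return n;\n}\n' > "$root/a/boost/format.hpp"
    printf 'int fmt(int n) {\n    if (n < 0) return -1;\n    return n;\n}\n' > "$root/b/boost/format.hpp"
    printf '#pragma once\nint other(void);\nint more(void);\n' > "$root/a/boost/other.hpp"
    printf '#pragma once\nint other(int x);\nint more(void);\n' > "$root/b/boost/other.hpp"
    # diff -u exits 1 when the files differ, so swallow its status.
    (cd "$root" && { diff -u a/boost/parser.hpp b/boost/parser.hpp > src/debian/patches/01_applied.patch || :; })
    (cd "$root" && { diff -u a/boost/format.hpp b/boost/format.hpp > src/debian/patches/02_unapplied.patch || :; })
    (cd "$root" && { diff -u a/boost/other.hpp  b/boost/other.hpp  > src/debian/patches/03_broken.patch || :; })
    cp "$root/b/boost/parser.hpp" "$root/src/boost/parser.hpp"       # fix present
    cp "$root/a/boost/format.hpp" "$root/src/boost/format.hpp"       # fix missing
    printf 'struct unrelated { int y; };\n' > "$root/src/boost/other.hpp"  # unrelated content
    echo "$root/src"
}

# Stand-alone run: build the sample tree, report on it, clean up.
demo_root=$(mktemp -d)
report_patches "$(make_fixture "$demo_root")"
rm -rf "$demo_root"
```

On a real package, run `report_patches` against the directory left by `apt-get source`; a patch that the changelog claims to ship but that comes back as "unapplied" is exactly the situation this bug describes, while "broken" means the patch no longer matches the tree at all and needs to be looked at by hand.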