Update 0xffff to stable version 0.6.1

Bug #1462602 reported by Pali
Affects                Status        Importance  Assigned to  Milestone
0xffff (Ubuntu)        Fix Released  Undecided   Unassigned
  Trusty               Confirmed     Undecided   Unassigned
  Utopic               Confirmed     Undecided   Unassigned

Bug Description

[Impact]
Please update the 0xffff package to the latest stable version 0.6.1 for supported Ubuntu versions. Older versions of 0xffff contain bugs and security problems (memory corruption, buffer overwrite, ...) which cause the device to become unbootable. Version 0.6.1 is already in Ubuntu vivid.

[Test Case]
Try to flash a supported device with an older (prior to 0.6.1) version of the 0xffff flasher. The flash procedure could fail and the device will become unbootable. After upgrading to version 0.6.1 the flash procedure should not fail and the device should be bootable.

[Regression Potential]
None. Nothing can be worse than an unbootable device. The new version just fixes security problems (like memory corruption, buffer overflow) and documentation typos.

Pali (pali)
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in 0xffff (Ubuntu):
status: New → Incomplete
Pali (pali) wrote : [Bug 1462602] Re: Update 0xffff to stable version 0.6.1

Seth Arnold, I'm the upstream developer of the 0xFFFF project, but I do not
understand what you need. Do you need me to create a debian (source) package
of the new 0xFFFF version? It is already present in vivid, see:
http://packages.ubuntu.com/vivid/0xffff
https://launchpad.net/ubuntu/+source/0xffff

Seth Arnold (seth-arnold) wrote :

Pali, ah, thanks for the explanation.

What we normally look for in security updates is minimal patches that address just security updates. The usual way to prepare updates is to download the source packages for the different affected releases, adapt the patches to the specific software, and then provide a "debdiff" between the old package and the new package.

A handful of packages do get updated via wholesale new versions, like firefox, chromium-browser, mysql, and others, via a process known as the "micro release exceptions" -- https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions -- but this usually takes a few "regular" updates that go well as a precondition to the MRE.

Thanks

Pali (pali) wrote :

I released version 0.6.1 (point release) as an update to 0.6 which just fixes security problems and crashes and updates the docs (to match program behavior). This minor 0.6.1 release is just a drop-in update for the 0.6 version and basically all changes between 0.6 and 0.6.1 should be applied. So for me it does not make sense to generate diffs between 0.6 and 0.6.1, then include these diffs on top of the 0.6 Ubuntu version (in some debdiff format) because it will make exactly the same version as the one in vivid (=0.6.1). It is not like firefox (or other such applications) where an update introduces new features, codebase etc... This update for 0xFFFF is for stable releases and fixes only bugs and crashes. It does not add any new feature or something similar. So what do you prefer to do in this case?

Robie Basak (racb) wrote :

Hi Pali,

See https://wiki.ubuntu.com/StableReleaseUpdates:

"7. New upstream microreleases

In some cases, when upstream fixes bugs, they do a new microrelease instead of just sending patches. If all of the changes are appropriate for an SRU by the criteria above, then it is acceptable (and usually easier) to just upload the complete new upstream microrelease instead of backporting the individual patches. Note that some noise introduced by autoreconf is okay, but making structural changes to the build system (such as introducing new library dependencies) is generally not."

Since your package doesn't currently have a micro release exception in Ubuntu, the SRU team will need to examine the entire diff to decide whether each individual fix meets the criteria for inclusion in a stable release update. I'm sure they're capable of generating the diff themselves, but making life easier for them and providing some specific commentary to them on what is going on will probably be useful.

Please still submit a debdiff against Vivid that provides the change to debian/changelog so a sponsor can review and upload exactly what you want. I'd expect a new entry in debian/changelog at a minimum, with a description of what the update does and why, a reference to this bug, targeting the release(s) you want and with a version number that works (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging for a guide).

Pali (pali) wrote :

Ubuntu has already generated diff between 0.6-1 and 0.6.1-1 versions and
it is on Launchpad: https://launchpad.net/ubuntu/+source/0xffff/0.6.1-1

Direct link to diff file is here:
http://launchpadlibrarian.net/193647295/0xffff_0.6-1_0.6.1-1.diff.gz

The individual commits for each change, for easy reading/review, are on GitHub:
https://github.com/pali/0xFFFF/compare/0.6...0.6.1

Now I think you have everything needed for (easy) review process.

 status confirmed

Changed in 0xffff (Ubuntu):
status: Incomplete → Confirmed
Adam Conrad (adconrad)
Changed in 0xffff (Ubuntu):
status: Confirmed → Fix Released
Changed in 0xffff (Ubuntu Trusty):
status: New → Confirmed
Changed in 0xffff (Ubuntu Utopic):
status: New → Confirmed
Pali (pali) wrote :

Do you need something else to release new 0xFFFF version?
