Since Marc just updated precise, I compared your patches to his and noticed a few things:
* 0016-CVE-2012-3439.patch should be renamed 0013-CVE-2012-588x.patch since CVE-2012-3439 was split out into CVE-2012-5885, CVE-2012-5886 and CVE-2012-5887 (as mentioned in the changelog)
* 0016-CVE-2012-3439.patch had some additional whitespace changes not in the upstream patch
* 0016-CVE-2012-3439.patch does not match the changes in http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?r1=1380829&r2=1380828&pathrev=1380829. Specifically, your patch retains 'this.' in this chunk, but it should not (i.e., you use !this.opaque.equals):
@@ -587,7 +623,7 @@
}
// Validate the opaque string
- if (!this.opaque.equals(opaque)) {
+ if (!opaque.equals(opaqueReceived)) { return false;
}
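Review bot: The `+` line names the received value opaqueReceived and uses `opaque` for the expected value, so a backport that keeps `this.opaque.equals(opaque)` from the `-` line needs checking against the rest of the patch. If the parsed header value was renamed to opaqueReceived elsewhere in the backport, the retained form would compare the field with itself and the opaque validation could never fail. Suggest regenerating this hunk from upstream r1380829 with the 'patch' utility and confirming the condition reads `!opaque.equals(opaqueReceived)`.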
* 0014-CVE-2012-4431.patch has additional whitespace changes
* 0015-CVE-2012-4534.patch has additional whitespace and typo changes
* debian/changelog is not formatted in the normal manner, with one stanza per CVE
It seems like you might have applied the patches by hand. If so, I encourage you to use the 'patch' utility. At this point, since there are now additional fixes, I think I am going to pull Marc's new patches and where the patches differ, update the changelog, run through QRT and publish. Thanks for your work on this!
Thanks for the debdiff!