From 0eab0e46f4828839a7f7e46e48fc33167377ec0d Mon Sep 17 00:00:00 2001
From: Oliver Giles <email address hidden>
Date: Wed, 30 May 2018 09:06:02 +0300
Subject: [PATCH] Fix length-check before populating propnames
The earlier length check did not check enough bytes. But rather
than fixing the off-by-one, it makes more sense to do a single
check at the start of the loop.
Resolves CVE-2017-9058.
Although, the second piece of the code/patch wasn't applied to trusty because it hasn't ytnefprint. I'm not sure if I got it right, but you are meaning even for Trusty only this patch doesn't solve the issue?
@Michael, I agree with you, but right now for bionic and xenial this package is in universe what means it's a community question of time it be update with those CVEs.
Hi Oliver,
Thanks for the comments...
For trusty I did an update applying:
From 0eab0e46f482883 9a7f7e46e48fc33 167377ec0d Mon Sep 17 00:00:00 2001
From: Oliver Giles <email address hidden>
Date: Wed, 30 May 2018 09:06:02 +0300
Subject: [PATCH] Fix length-check before populating propnames
The earlier length check did not check enough bytes. But rather
than fixing the off-by-one, it makes more sense to do a single
check at the start of the loop.
Resolves CVE-2017-9058.
Although, the second piece of the code/patch wasn't applied to trusty because it hasn't ytnefprint. I'm not sure if I got it right, but you are meaning even for Trusty only this patch doesn't solve the issue?
@Michael, I agree with you, but right now for bionic and xenial this package is in universe what means it's a community question of time it be update with those CVEs.