Relevant commits for CVE-2021-21289?

[utkarsh2102]

Hello @flavorjones,

Thanks for your amazing work on this! \o/

With my Debian maintenance and security hat on, I'd like to know the relevant commits which would be sufficient to fix CVE-2021-21289. I want to backport these changes to v2.7.5 and v2.7.6.

Thanks in advance! :)

[utkarsh2102]

Oh as I see it, #548 is the fix for this, right?
Besides, do you think I can directly backport this to v2.7.5 and v2.7.6? Or do you anticipate or foresee any problems with that?

[flavorjones]

@utkarsh2102 the relevant commits are all in #548:

• aae0b13
• 2ac906b
• f43a395
• b48b12f
• 63f8779

These changes can definitely be backported safely, yes. It's possible that there might be conflicts merging the changes to the tests -- but you can probably just cherry-pick the changes the lib directory, which should rebase cleanly.

[utkarsh2102]

Thanks, @flavorjones!
I'll try to backport the tests as much as I can though (it's always good for us to ensure no regressions) and shall report here when I run into any problems.

I'll close this once I upload the backported packages to the Debian archive! Thanks for your help! \o/

[flavorjones]

I'm going to close this, but please do update me if you run into any problems! Thank you!

[utkarsh2102]

Hi @flavorjones,

Can I get a POC for this? In case it's supposed to be private, could you please email me the same at utkarsh[at]debian[dot]org?

Thanks again for your help! 😄