<div dir="ltr">Hi Guido<div><br></div><div>Regarding this question:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-size:12.8px">Does it make sense to add this as an autopkgtest?</span></blockquote><div><br></div><div>Well we could do that, but I do not think it is worth the effort for a wheezy security update.</div><div>In stretch (rails package, where I got the patch from) and later there is already a good unit test suite where this is tested. I'll leave it to the package maintainer to decide whether it should be tested automatically.</div><div><br></div><div>Best regards</div><div><br></div><div>// Ola</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 27, 2016 at 10:45 AM, Guido Günther <span dir="ltr"><<a href="mailto:agx@sigxcpu.org" target="_blank">agx@sigxcpu.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Ola,<br>
<span class="">On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:<br>
> Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team<br>
><br>
> This is my third package contribution to Debian LTS. I'm doing this as a<br>
> training exercise and this is why the maintainer have not been asked to<br>
> this for me.<br>
><br>
> I have prepared an update of the ruby-activerecord-3.2 package with a fix<br>
> for<br>
> <a href="https://security-tracker.debian.org/tracker/CVE-2015-7577" rel="noreferrer" target="_blank">https://security-tracker.debian.org/tracker/CVE-2015-7577</a><br>
><br>
> What i have done is to take the CVE-2015-7577.patch file from the rails<br>
> 2:4.1.8-1+deb8u2 package in jessie.<br>
> Two out of three chunks applied cleanly and the third one was simple to<br>
> copy-paste in place.<br>
><br>
> I have also written a very simple test application from an example. It does<br>
> not test the specific security problem but at least show that there is no<br>
<br>
</span>Does it make sense to add this as an autopkgtest?<br>
<span class=""><br>
> obvious regression problem. If you know of an easy way to do more extended<br>
> testing of this update then please let me know (or run it yourself and let<br>
> me know the results). As the source is so similar between the rails package<br>
> and this I trust that the extra test introduced in rails will cover the<br>
> specific problem even though I have not run it specifically (it is part of<br>
> the whole rails suite and not trivial to extract parts of it).<br>
><br>
> You can find the debdiff here:<br>
> <a href="http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff" rel="noreferrer" target="_blank">http://apt.inguza.net/wheezy-security/ruby-activerecord-3.2/CVE-2015-7577-deb7u2.debdiff</a><br>
<br>
</span>This looks good to me.<br>
Cheers,<br>
-- Guido<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><font face="courier new, monospace" size="1"> --------------------- Ola Lundqvist ---------------------------</font></div><div><font face="courier new, monospace" size="1">/ <a href="mailto:opal@debian.org" target="_blank">opal@debian.org</a> Folkebogatan 26 \</font></div><div><font face="courier new, monospace" size="1">| <a href="mailto:ola@inguza.com" target="_blank">ola@inguza.com</a> 654 68 KARLSTAD |</font></div><div><font face="courier new, monospace" size="1">| <a href="http://inguza.com/" target="_blank">http://inguza.com/</a> +46 (0)70-332 1551 |</font></div><div><font face="courier new, monospace" size="1">\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /</font></div><div><font face="courier new, monospace" size="1"> ---------------------------------------------------------------</font></div><div><br></div></div></div></div></div>
</div>