[Bug 1785499] Re: Make squashfs-tools in Xenial in sync with Bionic and Cosmic

Thu Aug 16 02:59:35 UTC 2018

This bug was fixed in the package squashfs-tools -
1:4.3-3ubuntu2.16.04.3

---------------
squashfs-tools (1:4.3-3ubuntu2.16.04.3) xenial; urgency=medium

  * Re-number current patches to match bionic/cosmic:
    - 0001-kfreebsd.patch
    - 0002-fix_phys_mem_calculation.patch
    - 0003-CVE-2015-4645_and_CVE-2015-4646.patch
    - 0004-unsquashfs-add-support-for-LZMA-magics.patch
    - 0005-add-fstime.patch
    - 0006-uptream-fix-race.patch
    - 0009-unsquashfs-preserve-symlink-times.patch
    - 0010-use-macros-not-raw-octal-with-chmod.patch
    - 0011-also-set-stickybit-as-non-root.patch

  * Sync patch content with bionic/cosmic (fuzz).
    - 0005-add-fstime.patch: Fix -Wint-conversion warning by
      initializing the time_t variable with (time_t)0 instead of NULL
    - 0006-uptream-fix-race.patch: Fix typo in description
    - 0003-CVE-2015-4645_and_CVE-2015-4646.patch: Fix typo in description

  * Cherry-pick two new fixes from bionic/cosmic: (LP: #1785499)
    - 0007-fix-2GB-limit-in-mksquashfs.patch
    - 0008-preserve_file_capabilities.patch

 -- Stéphane Graber <stgraber at ubuntu.com>  Sun, 05 Aug 2018 23:49:09
-0400

** Changed in: squashfs-tools (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4645

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4646

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to squashfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1785499

Title:
  Make squashfs-tools in Xenial in sync with Bionic and Cosmic

Status in squashfs-tools package in Ubuntu:
  Fix Released
Status in squashfs-tools source package in Xenial:
  Fix Released

Bug description:
  squashfs-tools upstream hasn't changed in a while but a number of
  bugfixes are applied through packaging in Debian and Ubuntu.

  The bionic and cosmic versions right now are identical but xenial is
  missing a few fixes which is a problem for the LXD snap among other
  things.

  Looking at debian/series/patches, the fixes currently missing in the xenial version are:
   - 0007-fix-2GB-limit-in-mksquashfs.patch
   - 0008-preserve_file_capabilities.patch

  I'll attach test cases for both of those below and then will prepare
  an SRU that effectively makes the source package identical to what we
  have in bionic, minus the different changelog.

  This should be pretty safe considering both Ubuntu and Debian have
  been shipping those two patches for a while and the fs caps one is
  going to be pretty important moving forward as we're discussing having
  Ubuntu ship with fscaps by default.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squashfs-tools/+bug/1785499/+subscriptions