[Pkg-vala-maintainers] Bug#775913: vala-0.26: CVE-2014-8154: Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()

Andreas Henriksson andreas at fatal.se
Sun Feb 15 12:24:52 UTC 2015


Hello Moritz Muehlenhoff.

I'm pretty sure this is not the answer you're wishing to hear but I
thought it's better to give you some reply than not answer at all...

On Thu, Feb 12, 2015 at 04:41:47PM +0100, Moritz Muehlenhoff wrote:
[...]
> > Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()
> 
> What's the status?

TTBOMK:
Fixed in 0.26.2 currently available from experimental. Will likely be
available (first in unstable+testing then) in backports archive after
the Jessie release. There's a lack of people finding it useful to redo
the upstream bugfix releases badly just because of Debian policies or
whatever the issue is with getting them into testing during freeze.

Given that experimental in many cases is already (rightly so) filled
with packages of upstream development releases and we have nowhere to
put upstream bugfix releases in Debian now, I've been considering
setting up my own repository where I can share updated packages with
those interested.... (that would also solve the issue that backports
isn't really suitable since you then explicitly will have to point out
each and every package you want a fixed version of.)
Unfortunately this hasn't yet surfaced high enough on my already
busy schedule (and would be better to see a proper distribution channel
set up within Debian if that's possible at all).

Regards,
Andreas Henriksson


