Incomplete patch for CVE-2020-10936?

[utkarsh2102]

Hi @ikedas,

Thanks for the fix for CVE-2020-10936 :)
The announcement claims that the relevant patch for this is this commit: 3f8449c

However, it seems that there are claims of incompleteness at: #943 (comment)

Whilst I'd want to fix this in Debian, I'd want to know if this indeed is incomplete or not? Is there any left out bit other than the forementioned commit (3f8449c)?
Does this need any more patching than this?

It'd be really helpful if you could possibly help with this. Once done, I'll proceed with this fix in Debian.

[racke]

The patch mentioned in #943 was sent 2018 to the Sympa security list and was not disclosed to the public. I think it would be possible to send it to the Debian security team for further consideration.

[utkarsh2102]

It'd be great if this could be done.
Please consider reaching the Security team at: team[at]security[dot]debian[dot]org
I'd really appreciate if you could CC me in this thread: utkarsh[at]debian[dot]org

Thanks in advance :)

[racke]

Done. You are welcome @utkarsh2102

[ikedas]

There doesn't seem the evidence that our patch for CVE-2020-10936 is incomplete.

This issue is closed for now.