How do I submit a backport for CVE-2021-3177?

Asked by Saif Hakim on 2021-02-19

Hi there,

I realize that Python 2.7 has reached EOL, but my understanding is that this package is intended to still receive security updates as needed.

According to https://ubuntu.com/security/CVE-2021-3177 , it looks like no progress has been made to handle CVE-2021-3177. Python recently released new patch releases for this vuln for 3.x as seen here: https://github.com/python/cpython/pull/24239/files . A backport can be found here: https://github.com/ActiveState/cpython/commit/23b4a15e57b7a664fcec877011dd53b4aa3522c9 . I'd like to help get this change patched and released.

As a first-time contributor, is this the correct set of steps to proceed?
1. File a bug in Launchpad linked to CVE.
2. Add a patch to debian/patches/ as described in https://wiki.debian.org/BuildingTutorial
3. Submit as a Merge Request in https://salsa.debian.org/cpython-team/python2

Thanks,
Saif

Question information

Language:
English
Status:
Solved
For:
Ubuntu python2.7
Assignee:
No assignee
Solved by:
Saif Hakim
Solved:
2021-02-20
Last query:
2021-02-20
Last reply:
Saif Hakim (saifelse) said : #1

(1) https://bugs.launchpad.net/bugs/1916117
(2) Figured out that python2.7 uses `quilt`
(3) Made an attempt at this https://salsa.debian.org/cpython-team/python2/-/merge_requests/3

Saif Hakim (saifelse) said : #2

It looks like I did this correctly.