Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2017 December

 

The following contributions were made:

  • LTS front desk activities week 50
    • Triaged graphicsmagick. Package already in dsa-needed.txt. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-17498 concluded to be vulnerable after code analysis.
      • CVE-2017-17500 concluded to be vulnerable after code analysis.
      • CVE-2017-17501 concluded to be vulnerable after code analysis.
      • CVE-2017-17502 concluded to be vulnerable after code analysis.
      • CVE-2017-17503 concluded to be vulnerable after code analysis.
    • Triaged lilypond
      • CVE-2017-17523 marked as minor issue following jessie.
    • Triaged aubio
      • CVE-2017-17554 marked as minor issue. The motivation is that this is a DoS function and there are no known services using this. In addition it was easy enough to trigger other problems that gave a backtrace, at least with the python interface, which means that there must be tons of other ways to cause a DoS.
      • CVE-2017-17555 marked as minor issue. Same motivation as CVE-2017-17555.
    • Triaged bouncycastle
      • CVE-2017-13098 The vulnerable file does not exist and code search did not match either. Marked accordingly.
    • Triaged hdf5. The package is typically used on a trusted network.
      TODO: Check what Red Hat and Canonical conclude at the end of the week.
      • CVE-2017-17505 DoS class. Considered minor in this case.
      • CVE-2017-17506 DoS class. Considered minor in this case.
      • CVE-2017-17507 DoS class. Considered minor in this case.
      • CVE-2017-17508 DoS class. Considered minor in this case.
      • CVE-2017-17509 DoS class. Considered minor in this case.
    • Triaged tiff and concluded that tiff3 is also vulnerable and thus added to dla-needed.txt. Maintainer not contacted due to request not to do so.
      • CVE-2017-11613 Looks serious enough. A fix is not available so I can not tell for sure that the vulnerability is there in both tiff (4) and tiff3. The mentioned variable is not checked in any version so it is an educated guess that it is vulnerable.
    • Triaged imagemagick. Added to dla-needed. Maintainer contacted.
      • CVE-2017-17504 Vulnerable.
      • CVE-2017-17499 Vulnerable.
    • Triaged libraw.
      • CVE-2017-16909 DoS class vulnerability. Minor issue as DoS class vulnerabilities have been classed minor in the past for this package.
      • CVE-2017-16910 DoS class vulnerability. Minor issue as DoS class vulnerabilities have been classed minor in the past for this package.
    • Triaged sensible-utils. Added to dla-needed.txt and maintainer contacted.
      • CVE-2017-17512 Source code analysis concludes that it is vulnerable.
    • Triaged tidy.
      • CVE-2017-17497 DoS class vulnerability. Marked as minor.
    • Triaged check-mk
      • CVE-2017-11507 XSS vulnerability for a nagios plugin. Marked as minor.
    • Triaged eglibc
      • CVE-2017-1000409 Marked as minor. Similar decision as for other similar vulnerabilities for this package.
      • CVE-2017-1000408 Memory leak, marked as minor. Similar decision as for other similar vulnerabilities for this package.
    • Started to triage context, texlive-base and texlive-bin
      • CVE-2017-17513 argument injection when $BROWSER is used. Similar to CVE-2017-17512. The final conclusion after a lot of code analysis is that the vulnerable code does not exist. The browser variable is not used in wheezy. There are potentially related vulnerabilities but the specific CVE explicitly mentions the browser variable and only that has been checked here.
    • Triaged fontforge
      • CVE-2017-17521 argument injection in help browser call. Minor issue as the call of this function is always by trusted content.
    • Triaged nip2
      • CVE-2017-17514 argument injection. Code vulnerable but all calls to this function are on "safe" content: about page, help documents or software homepage. Classified as minor.
    • Triaged abiword. Added to dla-needed.txt. Maintainers not contacted as it is the QA group.
      • CVE-2017-17529 argument injection again. This time in a fallback uri open function. Potentially an attacker can control the URL so let us add that one for safety.
    • Triaged gjots2
      • CVE-2017-17535 Classified as minor in wheezy as even though the function itself does not validate the url, the function that calls it does actually terminate on whitespace so the package is in practice not vulnerable.
    • Triaged geomview
      • CVE-2017-17530. Argument injection again. This time it is possible by setting the WEBBROWSER environment variable. The url/file part can not be controlled by the user so I can not really see that this is an important thing to fix. If the user sets WEBBROWSER with arguments that should even be honored. Marked as minor issue.
    • Triaged global. Added to dla-needed.txt and maintainer contacted.
      • CVE-2017-17531 argument injection. Not clear what the gozilla.c file is used for but it is vulnerable.
    • Triaged kildclient. Added to dla-needed. Maintainer contacted.
      • CVE-2017-17511 argument injection. Can not convince myself that the package is not vulnerable. It may not be but better fix than not.
    • Triaged mensis
      • CVE-2017-17534 Even though the help function does not check the URL it is not possible to exploit this as the help function is only called with explicit files or pages that can not be altered by an attacker. Marked as minor issue.
    • Triaged ocaml-batteries
      • CVE-2017-17519 marked as minor as it is only affecting browse of help pages.
    • Triaged scummvm
      • CVE-2017-17528 argument injection. Vulnerable code not present. The openurl function is not present in wheezy.
    • Triaged swi-prolog
      • CVE-2017-17524 I realize that I do not know prolog well enough to tell whether this is a problem or not. After learning some basic prolog I could understand that the URL is quoted which makes it harder to trigger this vulnerability, even though it is still possible. It is quoted in a slightly unusual way which makes it unlikely to be triggered by anything but a very dedicated attacker. There are other more pressing vulnerabilities that we should focus on instead as it is also unlikely that an argument injection will lead to anything other than an erroneous command and a failed launch. Still it is technically possible that any command can be run, but again that would be a very rare event.
    • Triaged sylpheed
      • CVE-2017-17517 argument injection again. Only occurs on a non-default configuration and only when there is no %s string. Marked as minor issue.
    • Triaged tkabber
      • CVE-2017-17533 argument injection. This one seems to be really valid.
    • Triaged whitedune
      • CVE-2017-17518 argument injection. The vulnerable code is present but only called for file preview which means that an attacker can not control the URL and hence this is not an issue. Marked as minor issue.
    • Triaged jython
      • CVE-2017-17522 argument injection. File not provided so the package is not affected.
    • Triaged python2.6, python2.7 and python3.2. Vulnerable. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-17522 (same issue as for jython) argument injection. The file is vulnerable and provided. We do not know what it is used for and therefore it should be fixed to be on the safe side.
    • Triaged ruby1.8 and ruby1.9.1. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-17405 ftp command injection. Wheezy vulnerable.
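
Across the argument-injection CVEs triaged above (sensible-utils, abiword, global, kildclient, the python webbrowser module and others), the recurring defect is a URL-opening helper that passes text it does not control to a browser command without checking that the browser cannot read it as an option. The following is an added example written for this report, not code from any of those packages: a hypothetical launcher that refuses option-looking or non-http(s) URLs and builds an argv list instead of a shell string; the `$BROWSER`-style setting format with a `%s` placeholder is an assumption.

```python
import shlex
import subprocess
from urllib.parse import urlparse

# Only web schemes are opened; file:, javascript: and the like are refused.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url(url):
    """True only for an http(s) URL that a browser cannot mistake for an option.

    The leading-dash check is the core of the argument-injection defence:
    even with no shell involved, an argv entry such as "-x" is parsed by the
    browser as a flag rather than as a page to open.
    """
    if not url or url.lstrip().startswith("-"):
        return False
    parsed = urlparse(url)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def build_browser_argv(browser_setting, url):
    """Turn a $BROWSER-style setting (assumed format) into an argv list.

    A standalone "%s" token is replaced by the URL; otherwise the URL is
    appended as the last argument. The list is meant for subprocess without
    shell=True, so the URL can neither split into extra arguments nor be
    interpreted by a shell. The pattern this replaces is the classic
    os.system(browser + " " + url), which is vulnerable on both counts.
    """
    if not is_safe_url(url):
        raise ValueError("refusing to open URL that fails validation: %r" % url)
    argv = shlex.split(browser_setting)
    if not argv:
        raise ValueError("empty browser command")
    if "%s" in argv:
        return [url if token == "%s" else token for token in argv]
    return argv + [url]


def open_url(browser_setting, url):
    """Launch the browser with a validated URL and no shell; returns the exit status."""
    return subprocess.call(build_browser_argv(browser_setting, url))
```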