Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2017 March

The following contributions were made:

  • Correction of icoutils (DLA-854-1)
  • Did a brief re-check on zziplib but no news so far.
  • Assisting the maintainer in correction for r-base (DLA-861-1). Helped with (among some more things) issuing the DLA.
  • Correction for audiofile DLA-867-1:
    • Had to add a build dependency on asciidoc. Without asciidoc the package does not build from source. Filed #857784 for this.
    • CVE-2017-6829. The patch had to be manually back-ported due to significant code changes. Half the patch was not applicable. The upstream patch requires a "clamp" function that is not available, so that had to be back-ported too.
    • CVE-2017-6830 and CVE-2017-6834 (same patch). The patch had to be manually back-ported due to minor code changes.
    • CVE-2017-6831. Was applied manually, but that was more because it was not so easy to get a decent patch file to apply. With a decent patch file it would probably not have been necessary.
    • CVE-2017-6832, CVE-2017-6833, CVE-2017-6835, CVE-2017-6837 (same patch). The patch had to be manually back-ported due to minor code changes.
    • CVE-2017-6839. Was applied manually due to significant code changes. The part for BlockCodec.cpp was not applied as that file does not exist in wheezy.
    • CVE-2017-6836 and CVE-2017-6838 (fix of CVE-2017-6839). Applied manually. For some reason these two CVEs correct a CVE with a higher number.
  • Front desk activities w12
    • Found erlang to be vulnerable to CVE-2016-10253. Pinged upstream with a note that the CVE is assigned. Some follow up regarding this. The maintainer later convinced me that wheezy is not affected by CVE-2016-10253 so the CVE was marked so in the database.
    • Found apng2gif vulnerability status to be:
      • CVE-2017-6960 successfully reproduced the problem -> vulnerable.
      • CVE-2017-6961 could not reproduce the core dump so I'm not convinced that this is a real security issue. It could of course be but I'm not convinced yet. Some further discussions regarding this.
      • CVE-2017-6962 could not reproduce the core dump so I'm not convinced that this is a real security issue. It could of course be but I'm not convinced yet. Some further discussions regarding this.
    • Found putty to be vulnerable to CVE-2017-6542.
    • Some discussion regarding git and the possibility to reproduce the problem.
    • Marked CVE-2017-5644 as no-dsa for libapache-poi-java following jessie.
    • Marked CVE-2017-7207 for ghostscript following jessie.
    • Found xrdp to be vulnerable to CVE-2017-6967. Not a critical issue but is definitely worth fixing.
    • Found pcre3 to be vulnerable to CVE-2017-7186.
    • Found python3.2 to be vulnerable to CVE-2016-0772. Python 2.7 had already been fixed and a DLA issued.
    • Found jhead to be vulnerable to CVE-2016-3822.
    • Found libxslt to be vulnerable to CVE-2017-5029.
    • Found binutils to be vulnerable to CVE-2017-6965, CVE-2017-6966, CVE-2017-6969, CVE-2017-7209 and CVE-2017-7210.
    • Marked CVE-2016-10254 and CVE-2016-10255 as no-dsa following jessie.
    • Found polarssl to be vulnerable to CVE-2017-2784. However James informed me that wheezy is not affected. Jessie is however.
    • Investigated CVE-2017-3305. That specific issue is most probably not in wheezy as it is stated as not affected for jessie. Jessie and wheezy share the same upstream version number for security updates. What is not clear is whether the BACKRONYM vulnerability is actually present in wheezy or jessie. A question has been sent to the LTS team and Security team. Salvatore clarified the notes so I added mysql-5.5 to dla-needed.txt.
    • Triaging for ntp:
      • CVE-2017-6463 and CVE-2017-6464 look like a real DoS problem, but only by authenticated users.
      • CVE-2017-6462 was marked as no-dsa as the vulnerability can only be triggered by someone having /dev/datum modification privileges.
      • CVE-2017-6460 looks like a real DoS problem.
      • CVE-2017-6458 was marked as no-dsa as the problem could only be triggered by adding really long variable names (200+ bytes) in ntpd.conf. It should be really rare for people with root privileges to do that by mistake.
      • CVE-2017-6451 was marked as not affected as additional code changes were required to activate the clock and thus the vulnerability.
    • Answered an email about the CVE-2017-2619 for samba. Added samba to dla-needed.txt file.
    • Triaging for libvpx:
      • CVE-2017-0393 is present in wheezy. Found the source reference from NVD.
      • CVE-2016-6712 is not present in wheezy. The vulnerable source file does not exist.
      • CVE-2017-6711 is present in wheezy. Found the source reference from NVD.
      • CVE-2016-3881 is not present in wheezy. The vulnerable source file does not exist. A similar fix is made in another file, but that is fixed in CVE-2017-6711.
      • CVE-2016-2464 is not present in wheezy. The component is libwebm and that is not present in Debian sources. Also took the freedom to update the CVE for unstable as the source is not present there either.
    • Marked CVE-2017-6435, CVE-2017-6436, CVE-2017-6437, CVE-2017-6438, CVE-2017-6439 and CVE-2017-6440 as no-dsa for libplist following jessie.
    • Found apparmor to be vulnerable to CVE-2017-6507. This is an important correction. Can maybe be seen as a DoS problem, but it is not really a security problem. In any case it should be fixed.
    • Found apt-cacher to be vulnerable to #858739 (no CVE assigned yet).
    • Found tiff to be vulnerable to CVE-2016-10266, CVE-2016-10267, CVE-2016-10268 and CVE-2016-10269.
    • Found firebird2.5 to be vulnerable to CVE-2017-6369.