Inguza Technology AB


Debian Long Term Support work 2017 May

The following contributions were made:

  • Marked CVE-2017-6519 for avahi as no-dsa following jessie.
  • Looked through the vulnerabilities for various packages to see if I could find any that I could help with without too much effort. So far nothing found.
  • Analysis/review/triage of the vulnerabilities reported for libpodofo. The motivation for the minor-issue mark on quite a few of them is that there are no known services that use this library (apart from desktop applications), and the ones marked as minor issue have a DoS as their worst case. The results are as follows:
    • CVE-2017-8787 Possible unspecified impact. Needs further analysis.
    • CVE-2017-8378 Possible unspecified impact. Needs further analysis.
    • CVE-2017-8054 The worst case is a denial of service (infinite recursion and application crash). Marked as no-dsa (minor issue).
    • CVE-2017-8053 The worst case is a denial of service (infinite recursion and stack consumption). Marked as no-dsa (minor issue).
    • CVE-2017-7383 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-7382 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-7381 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-7380 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-7378 The worst case is a denial of service (heap-based buffer over-read). Marked as no-dsa (minor issue).
    • CVE-2017-6849 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-6848 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-6847 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-6846 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-6845 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-6843 Unspecified impact. Needs further analysis.
    • CVE-2017-6842 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-6841 The worst case is a denial of service (null pointer dereference). Marked as no-dsa (minor issue).
    • CVE-2017-6840 The worst case is a denial of service (invalid read). Marked as no-dsa (minor issue).
  • LTS front desk activities week 20
    • Marked CVE-2017-8872 for libxml2 as no-dsa (Minor Issue) following jessie. The motivation for a minor issue is that it can only be reproduced if zero bytes are read and --disable-shared is used when configuring/building the package.
    • Marked CVE-2017-8933 for menu-cache as no-dsa (Minor Issue) following jessie. The vulnerability is a real vulnerability, but the attacker must have local file system access and that user will have their name on the file that does the service denial.
    • Questioned that CVE-2017-7479 (for openvpn) was marked as no-dsa for Jessie. It is an inefficient attack (196 GB need to be transmitted) but it should be rather easy to automate. Work in progress.
    • Marked CVE-2017-8934 for pcmanfm as no-dsa (Minor Issue) following jessie. Same motivation as for CVE-2017-8933 for menu-cache above.
    • Asked why CVE-2017-8364 for rzip was marked as no-dsa. Work in progress.
    • Found deluge package to be vulnerable. Added it to the dla-needed file and informed the maintainer about it.
    • Marked CVE-2017-0373 and CVE-2017-0374 for libconfig-model-perl as no-dsa following Jessie. It is a vulnerability, but only for people who use model files from a source that is not trusted. That should be a rare problem. Was later informed that CVE-2017-0374 is not applicable to wheezy and there is no point fixing CVE-2017-0373 (as perl itself has '.' in its default path).
    • Marked CVE-2017-XXXX for perltidy as no-dsa (Minor issue). Decided to do this even though Jessie tells that it can be done in a point release. The reason is that this problem only occurs if the tidy function is run on source files, and such files should normally be in the user's home directory where nobody has write access apart from the user itself.
    • Found lzo2 package to be vulnerable from CVE-2017-8845. Added it to the dla-needed file and informed the maintainer about it.
    • Added graphicsmagick to dla-needed.txt following Jessie for CVE-2017-9098.
    • Marked CVE-2017-9038, CVE-2017-9039, CVE-2017-9040, CVE-2017-9041, CVE-2017-9042, CVE-2017-9043 and CVE-2017-9044 for binutils as no-dsa (minor issue) following Jessie.
    • Marked CVE-2017-9052, CVE-2017-9053, CVE-2017-9054 and CVE-2017-9055 for dwarfutils as no-dsa (Minor Issue) following Jessie.
    • Marked CVE-2017-8825 for libetpan as no-dsa (Minor issue) following Jessie.
    • Added postgresql-9.1 to dla-needed.txt following Jessie for CVE-2017-7484 and CVE-2017-7486.
      • Was later informed the following: "CVE-2017-7486 and CVE-2017-7484 are marked as "not-affected" for postgresql-9.1 in Jessie."
      • However, I cannot really see that for CVE-2017-7486. The code is definitely there.
      • CVE-2017-7484 seems to be correctly stated and marked the same for wheezy.
    • Added dropbear to dla-needed.txt following Jessie for CVE-2017-9078 and CVE-2017-9079.
    • Triaged a few CVEs where I could not decide whether it is minor or not.
    • Triaged CVE-2017-8798 for miniupnpc and concluded that it is non-minor. Added it to dla-needed.txt.
    • Triaged CVE-2017-8829 for lintian and concluded that it is non-minor. Added it to dla-needed.txt.
    • Triaged CVE-2017-2295 for puppet and concluded that it is non-minor (I'd even say major). Added it to dla-needed.txt.
    • Triaged CVE-2017-8849 for smb4k and it is definitely non-minor (Even major). Added it to dla-needed.txt.
    • Triaged the vulnerabilities for lrzip and concluded the following:
      • CVE-2017-8842 Minor. Denial of service in a command line tool.
      • CVE-2017-8843 Minor. Denial of service in a command line tool.
      • CVE-2017-8844 Needs further investigation.
      • CVE-2017-8846 Minor. Denial of service in a command line tool.
      • CVE-2017-8847 Minor. Denial of service in a command line tool.
    • Triaged CVE-2016-8728 and CVE-2016-8729 for mupdf and concluded that they are important enough to fix.
  • Security update of nss. Backported the patch for CVE-2017-7502, built it and announced DLA-971-1. Also filed a bug report (#863839) against the nss package regarding this vulnerability.
  • Reviewed "Patch proposal for CVE-2017-6960 in Wheezy".