Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2017 November

The following contributions were made:

  • LTS front desk activities week 45
    • Triaged graphicsmagick. Package already in dsa-needed.txt. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-16545 - testing indicates that the package is not vulnerable, as an assert is given and not a segv. However the vulnerable code is present as seen after code analysis. Marked as no-dsa with a note.
      • CVE-2017-16547 - testing confirms the vulnerability
    • Triaged imagemagick. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-16546 - This is similar to the issue reported for graphicsmagick CVE-2017-16545. The test case is not identical however and in this case it could be reproduced. The problem should be fixed.
    • Triaged ruby-yajl. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-16516 - sounds nasty. Have to check whether there is any software in Debian that includes this, however. There are a few, so the problem should be fixed.
    • Triaged wordpress. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2012-6707 - looks really really old! But it looks like a rather important thing to fix and the fix seems straightforward. Have not checked whether it applies cleanly.
    • Triaged mysql-connector-net. Not considered as important enough. Maintainer contacted.
      • CVE-2017-10203 - From the description this does not look very severe. It is described as a low impact on availability. This is not important enough for an update in wheezy.
      • CVE-2017-10277 - Unclear what the vulnerability is. Human interaction is required and the impact is low on integrity and confidentiality. I do not think it is worth the effort to fix this.
    • Triaged libnet-ping-external-perl. Added to dla-needed.txt but with a note that the package shall be removed instead of fixed. 
      • CVE-2008-7319 - Looks serious enough to be fixed. No package depends on this lib but someone might have built software around it. However it is marked as no-dsa (to be removed in next point release) in jessie. Sent an email checking how we should handle this.
    • Triaged cacti. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-16641 - It is possible to create a backconnect shell. This is definitely worth fixing.
      • CVE-2017-16660 - A logged in cacti admin can read any file on the filesystem. This is definitely worth fixing. After being in contact with maintainer I realized that this issue is not an issue for wheezy. Marked accordingly.
      • CVE-2017-16661 - A logged in cacti admin can create files in the filesystem. This is definitely worth fixing. After being in contact with maintainer I realized that this issue is not an issue for wheezy. Marked accordingly.
    • Triaged sam2p. Maintainer contacted.
      • CVE-2017-16663 - The issue is an integer overflow that can result in a crash. The fix is to make a check and an assert. Not worth fixing this issue in a package that does not seem to be frequently used.
    • Triaged sqlite3
      • CVE-2017-2518 - Potential issue. Code analysis does not find any real issue. Classified as minor.
      • CVE-2017-2519 - Cannot find the vulnerable code in wheezy.
      • CVE-2017-2520 - Cannot find the vulnerable code in wheezy.
    • Triaged postgresql. Package is not vulnerable so maintainer should not be contacted.
      • CVE-2017-12172 - Concluded that the vulnerable code is not installed.
      • CVE-2017-15098 - After some searching I found that this is a problem with some json function that does exist in postgresql 9.6, but that function does not exist in 9.1, which means that the vulnerability is not there. Marked accordingly.
    • Triaged asterisk. Maintainers contacted.
      • CVE-2017-16671 - After checking, the conclusion is that the vulnerable code does not exist in wheezy.
      • CVE-2017-16672 - A memory leak in a rather uncommon situation should be seen as a minor thing. Marked accordingly.
    • Triaged backintime
      • CVE-2017-16667 - Vulnerable code does not exist. Marked accordingly.
    • Triaged libspring-ldap-java. Package added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-8028 - Serious problem.
    • Triaged swftools. Maintainer contacted. 
      • CVE-2017-16711 - Application crash issue. DoS class vulnerability in a tool. Should be considered a minor issue. Marked accordingly.
    • Triaged php5. Added to dla-needed.txt. Maintainer not contacted. Instead a target release is defined.
      • CVE-2017-16642 - Looks problematic. Not severe though. Code is as vulnerable as later releases.
    • Triaged roundcube. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-16651 - Sounds serious. Code looks vulnerable but rather different.