Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2017 September

The following contributions were made:

  • LTS front desk activities week 36
    • Investigated icedove, which had a number of CVEs. It was listed as not fixed, but in fact the CVEs were reported as fixed in DLA-1087-1. After some checking, the reason for it still being reported as unfixed was that the DLA had actually not been sent yet and the package had not yet been uploaded. Will follow this up in a day or two. After following up, the package had been fixed, so this was not a real problem.
    • Triaged issues for libgig. All CVEs that are classified as Denial of Service (DoS) vulnerabilities are marked as no-dsa (minor issue), as there are no known service-type applications based on this library. There are only desktop-like applications, and a crash in such a program can be seen as a minor problem. It is annoying but minor. While I was investigating the issues, someone else triaged it for jessie and stretch and came to the same conclusion. Maintainer informed.
      • CVE-2017-12950 gig.cpp is obviously vulnerable (4.0.0 may also be affected) according to the code, but classified as DoS.
      • CVE-2017-12951 gig.cpp is obviously vulnerable (4.0.0 may also be affected) according to the code, but classified as DoS.
      • CVE-2017-12952 helper.h is clearly vulnerable when looking at the code, but classified as DoS.
      • CVE-2017-12953 gig.cpp is obviously vulnerable (4.0.0 may also be affected) according to the code, but classified as DoS.
      • CVE-2017-12954 gig.cpp is obviously vulnerable (4.0.0 may also be affected) according to the code, but classified as DoS.
    • Triaged CVE-2017-14107 for libzip. Marked as no-dsa (minor issue), following jessie and stretch. Classified as DoS. Maintainer informed.
    • Triaged four CVEs for nss but quickly concluded that I do not have permission to view the issues in Mozilla Bugzilla, and it is therefore hard to get any further. I will follow this up in a few days to see if the Debian Security team has done the triaging. After a few days a new try was made, and then it was clear that Red Hat had revealed some information. From this information it is clear that the vulnerability is only possible to exploit if the malicious user has access to modify the NSS DBM files, and that typically requires access as the user running nss (service or client binary). This means that this is not really a problem. Maintainer not contacted using the usual tools, but this information has been sent to the bugs listed below.
      • CVE-2017-11695 According to BTS #873256 the version in wheezy is affected. Marked as ignored for wheezy.
      • CVE-2017-11696 According to BTS #873257 the version in wheezy is affected. Marked as ignored for wheezy.
      • CVE-2017-11697 According to BTS #873258 the version in wheezy is affected. Marked as ignored for wheezy.
      • CVE-2017-11698 According to BTS #873259 the version in wheezy is affected. Marked as ignored for wheezy.
    • Triaged CVE-2015-7700 for pngcrush. The code is clearly vulnerable. The question is whether it is important enough to fix. However, as it is hard to judge, it is better to fix than not to. When adding it to dla-needed.txt, it was clear that someone else had added it there already but missed one character. Fixed that. Did not inform the maintainer, as I assume someone else has already done so. Checked with Raphael, who added it to dla-needed.txt, whether the maintainer was informed or not.
    • Triaged a number of CVEs for unrar-free. Maintainer contacted about the result.
      • CVE-2017-14120 This shall definitely be fixed. Classified as grave in BTS #874059.
      • CVE-2017-14121 Null pointer dereference, which must be seen as a DoS vulnerability. Therefore seen as a minor issue.
      • CVE-2017-14122 Stack problem. Not as clearly a DoS as CVE-2017-14121, but classified as such anyway and marked as a minor issue.
    • Triaged opencv. There were quite a few CVEs to triage. This package is not used in any service software, and therefore DoS vulnerabilities should be considered minor issues. Maintainer contacted and opencv was added to dla-needed.txt.
      • CVE-2016-1516 Makes it possible to execute arbitrary code. Is that so? If so, that shall definitely be fixed! Will follow up.
      • CVE-2016-1517 Classified as DoS.
      • CVE-2017-12597 Out of bounds write. Can be more serious than a DoS. Worth investigating further and probably worth fixing too.
      • CVE-2017-12598 Same as CVE-2017-12597? At least points to the same issue upstream.
      • CVE-2017-12599 Same as CVE-2017-12597? At least points to the same issue upstream.
      • CVE-2017-12600 Classified as DoS (CPU hog).
      • CVE-2017-12601 Same as CVE-2017-12597? At least points to the same issue upstream.
      • CVE-2017-12602 Classified as DoS (memory hog).
      • CVE-2017-12603 Same as CVE-2017-12597? At least points to the same issue upstream.
      • CVE-2017-12604 Same as CVE-2017-12597? At least points to the same issue upstream.
      • CVE-2017-12605 Same as CVE-2017-12597? At least points to the same issue upstream.
      • CVE-2017-12606 Same as CVE-2017-12597? At least points to the same issue upstream.
      • CVE-2017-12862 Possible arbitrary code execution.
      • CVE-2017-12863 Possible arbitrary code execution.
      • CVE-2017-12864 Possible arbitrary code execution.
    • Did some follow-up on CVE-2017-9434 (from LTS front desk work in June) due to a mail thread about it. That CVE is actually not a real issue, but did not change anything, as the related fix is a good one and it does not really matter.
    • Did a brief investigation of CVE-2017-14128, CVE-2017-14129 and CVE-2017-14130 for binutils. Marked them as no-dsa as they are minor issues. Maintainer contacted.
    • Triaged ledger. Both CVEs are of the arbitrary code execution type. Maintainer contacted and ledger added to dla-needed.txt.
      • CVE-2017-2807 It is technically possible to trigger this, but practically it may be challenging. The system where ledger is run needs to be modified in some way so that the memory copied is of a type that can be used by the attacker. Still, it may be worth fixing.
      • CVE-2017-2808 It is technically possible to trigger this, but practically it is challenging to actually make use of it. The attacker must convince someone to run ledger on a crafted file and at the same time make sure code is put in the exact memory area where it can be exploited. Still, it may be worth fixing.
    • Triaged CVE-2017-14159 for openldap. It was classified as minor in both jessie and stretch, so I classified it similarly for wheezy. Maintainer contacted.
    • Triaged CVE-2017-12794 for python-django. It was postponed in jessie and stretch, as it only affects debug mode. For wheezy I decided to classify it as no-dsa (minor issue), as it only affects debug mode and also because it was "just" an XSS vulnerability and not worse than that. Maintainers contacted. Got feedback that the versions in wheezy and jessie are actually not affected at all. Checked the source code and concluded that the feedback was correct. Security tracker updated accordingly.
    • Triaged bug #874429 for bzr. No CVE assigned yet, but one has been requested. The same problem has been deemed important enough to fix in git, so it should be fixed in bzr too. Maintainer contacted.
    • Triaged CVE-2017-14166 for libarchive. It is worth fixing. Maintainer not contacted, as the maintainer does not want to be contacted about LTS issues. libarchive was added to dla-needed.txt.
    • Triaged CVE-2017-13735 for libraw. It is a DoS-class vulnerability, and libraw does not have any reverse package dependencies at all. Therefore I classified it as minor. Maintainer contacted.
    • Triaged CVE-2017-14158 for python-scrapy. This is a memory consumption problem of the DoS class. May, however, be worth fixing. On the other hand, the problem has been known since 2013 without a fix, which means that upstream cannot really consider it a real problem. Decided to mark it as no-dsa (minor issue) and contacted the maintainer about that.
    • Triaged a very large list of issues for tcpdump. The conclusion is that none of them is really important enough to be fixed on its own, but the large list makes it worth the effort, especially since the whole package can be ported to wheezy. It is therefore simple to fix all these issues with quite little effort. Maintainer contacted and package added to dla-needed.txt.
    • Triaged CVE-2017-9779 for ocaml. One could argue that people should not create setuid binaries. However, as this may be necessary in quite a few places, and ocaml may be used to do that, that actually votes for making an update on this one. Maintainer contacted and package added to dla-needed.txt.
    • Started to triage two CVEs for mp3gain. At least the Google Drive link has been added to the information. Technical details are known, but an available exploit is not. I handed over further judgement, and the task of contacting the maintainer, to Chris for next week's duty.
      • CVE-2017-12911 Stack corruption, which means that it may be exploitable. However, no known solution is in place, which means that it is hard to judge the severity.
      • CVE-2017-12912 Refers to the same issue.
    • Triaged issues for libstruts1.2-java. Maintainer contacted and package added to dla-needed.txt.
      • CVE-2017-12611 Remote code execution class vulnerability but only if the application programmer has made a mistake. Marked as ignored (Minor issue).
      • CVE-2017-9793 Worth fixing.
      • CVE-2017-9804 DoS class under special circumstances. Classified as low impact by upstream. Marked as ignored (Minor issue).
      • CVE-2017-9805 Worth fixing.
    • Quick triage of CVE-2017-14228 for nasm, and I could not find any strong reason for not following jessie and stretch. Therefore marked it as no-dsa (Minor issue). Found no reason to contact the maintainer either, so I did not do that. A bug report already exists about the issue.
    • Triaged CVE-2017-14226 for libwpd. After checking the code, it looked like wheezy was not affected, simply because the code already looked very much like what the patch says it should look like. So to confirm that, I tested it, and it was not reproducible on wheezy. It was easy to reproduce in stretch, however. Therefore marked it as not-affected for wheezy.
    • Triaged two CVEs for u-boot.
      • CVE-2017-3225 After quite some digging, I think I have been able to conclude that ENV_AES is not available in wheezy at all. The proposed solution to this CVE and the next is to mark them deprecated and recommend not using them (they will be deleted in later revisions). In this patch it is ENV_AES that is marked as deprecated, and the wheezy code does not have a single line mentioning ENV_AES (nor AES in capital letters). The sid source has a lot of such strings. This is why I conclude that wheezy is not affected by this.
      • CVE-2017-3226 After some checking, it became quite clear that the vulnerable code does not exist in wheezy, simply because the source code does not have anything resembling the environment variable mentioned. The source code in sid does.
    • Finally, at the end of the week, I compiled a mail describing the left-overs (mp3gain) for Chris (next week's appointed LTS duty) to have a look at.