Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2018 May

The following contributions were made:

  • LTS front desk activities
    • wget - Added to dla-needed.txt and maintainer contacted.
      • CVE-2018-0494 - Severe enough to fix. Following Debian Security team.
    • mp3gain
      • CVE-2018-10776 - Marked as end of life
      • CVE-2018-10777 - Marked as end of life
      • CVE-2018-10778 - Marked as end of life
    • xen - added to dla-needed.txt
      • CVE-2018-8897 - In DSA-needed
    • ncurses
      • CVE-2018-10754 - Declared as minor issue by the Debian Security team and I agree. Marked as ignored.
    • lrzip
      • CVE-2018-10685 - Triaged this issue and concluded that it is a minor issue not worth investigating further. Declared as minor issue.
    • libgxps
      • CVE-2018-10733 - Triaged this issue and concluded that remote denial of service has been declared as minor for this package in the past and I find no reason to change that. Declared as minor issue.
      • CVE-2018-10767 - Triaged this issue and declared as minor issue for the same reason as for CVE-2018-10733.
    • poppler
      • CVE-2018-10768 - Source code analysis showed that the vulnerable code is not present. Possibly in other forms but that is not part of this CVE. In any case the problem is of minor nature so it will not be investigated further.
      • CVE-2017-18267 - Infinite recursion sounds like a minor issue as poppler is a pdf rendering function. The worst case that can happen is that the user has to kill the process. Marked as ignored. The code is clearly vulnerable (source analysis).
    • pdns
      • CVE-2018-1046 - Source code analysis showed that the vulnerable function does not exist. In any case the problem is of minor nature.
    • xdg-utils - added to dla-needed.txt and contacted maintainers
      • CVE-2017-18266 - Argument injection. CVE-2017-17512 was considered important enough to fix, but CVE-2017-17511 was not. The package is very popular according to popcon so I consider it worth it. Source code analysis shows that the package is vulnerable even though the patch does not apply without modification.
    • prosody
      • CVE-2017-18265 - Source code analysis shows what the report describes: the vulnerability occurs in a later release. The report tells that the problem occurs after upgrade to Debian 9 (from Debian 8), indicating that the problem does not exist in Debian 8 and earlier. After checking the code for wheezy it is clear that the vulnerable code does not exist, so therefore marking it accordingly.
    • libvorbis
      • CVE-2018-10393 - Marking it as ignored as it is very close to end-of-life for wheezy LTS. Similar reports have been marked as postponed and minor issue, but as we are close to end of life there is no point in postponing it for wheezy.
      • CVE-2018-10392 - Marking it as ignored with similar reasoning as for CVE-2018-10393.
    • libspring-java - Added to dla-needed.txt but with a note that it should be investigated further. TODO.
      • CVE-2018-1270 - Sounds serious enough to fix.
      • CVE-2018-1272 - Sounds serious enough to fix.
    • spice and spice-gtk
      • CVE-2017-12194 - Found it in the undetermined list and decided to check because it looked like it would be easy to check. Indeed the code is vulnerable, at least as described in the CVE and bugzilla report. So marked it as affected. Later Salvatore investigated this more and found that only spice-gtk is affected. After some more checking it is clear that the demarshal.py file is not included in any binary package in wheezy, hence the vulnerability does not affect wheezy.
    • blender - Added to dla-needed.txt, but as the work is rather high maybe it is not worth the effort. Sent a mail to the LTS list for advice. The advice was to ignore it, and I removed the package from dla-needed.txt.
      • CVE-2017-2899 ... CVE-2017-2908 - Vulnerable but marked as ignored.
      • CVE-2017-2918 - Vulnerable but marked as ignored.
      • CVE-2017-12081 - Vulnerable but marked as ignored.
      • CVE-2017-12082 - Vulnerable but marked as ignored.
      • CVE-2017-12086 - Vulnerable but marked as ignored.
      • CVE-2017-12099 ... CVE-2017-12105 - Vulnerable but marked as ignored.
    • firefox-esr - Fixed in Debian Stable indicating that we should do the same. Checked and Emilio is already on the problem. The package was added to dla-needed.txt by someone else.