Debian Long Term Support work 2022 October

Work done this month:

  • Added protobuf to dla-needed.
  • Decided to wait a little with analysis of issues for the following packages since the popcon score is very low. Will continue later this week, but since this is a report for October it will be described in the report for November instead.
    • onionshare
    • 389-ds-base
    • wabt (slightly more users so it should have prio)
    • smarty3 (slightly more users so it should have prio)
    • ring (slightly more...)
    • shiro
    • ruby-sidekiq
    • ruby-omniauth
    • ruby-commonmarker
    • nheko
    • libitext5-java
    • node-matrix-js-sdk (just 2...)
    • php-dompdf
    • pngcheck
    • powerline-gitstatus
    • puppet-module-puppetlabs-apt (very low)
    • puppet-module-puppetlabs-mysql (very low)
    • php-illuminate-database
  • Triaged python-cmarkgfm and cmark-gfm for LTS (buster) and concluded CVE-2022-24724 and CVE-2022-39209 to be minor issues. Same conclusion as for similar packages. It is clear that cmark-gfm is only used by developers (popcon) and the risk that someone provides a service that processes such documents from remote is slim. Even if it is provided as a remote service the risk is small.
  • Triaged consul and concluded that the package is vulnerable to a lot of fairly important issues. Added to dla-needed.
  • Triaged hsqldb and concluded that the correction is intrusive. I suggest ignoring it, but a mail was sent to the list to check if others have another opinion. Got the comment that it should be checked further, so added it to dla-needed with a reference to that email discussion.
  • Triaged jhead and concluded that the package should be fixed. Even though you have to trick someone into using specific option(s), arbitrary code execution is not good, so it should be fixed.
  • Did some triaging on wabt and it looks minor but it could be my limited understanding of the tool so it should be checked further.
  • Triaged libapreq2 and concluded that it should be fixed so added it to dla-needed.
  • Triaged php7.3 and concluded that it should be added to dla-needed. Two out of three CVEs were not very important. I would even argue that one of them is not an issue at all, but the third one is definitely problematic so it should be fixed.
  • Triaged ntfs-3g and concluded that it should be fixed so the package was added to dla-needed. It is not the most urgent thing because USB drives are not that common anymore, but it should not be neglected because this was the kind of vulnerability that Windows was infamous for.
  • Triaged and marked CVE-2022-42920 for node-minimatch as no-dsa for buster following the decision for bullseye.
  • Triaged ceph and concluded that it should be corrected, or at least be checked further by someone who has a little more knowledge about ceph. So added to dla-needed. What is not clear is whether the vulnerability can be exploited in a Debian system or not. It is clear that someone with login permission and access to the ceph user who at the same time can execute arbitrary commands can likely do that. The question is whether the ceph user can execute arbitrary commands.