Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2020 January

The following contributions were made:

  • Worked on ksh and CVE-2019-14868, which was mentioned as needing further triaging. After analyzing the code it was clear that the code was "vulnerable". However, when testing the vulnerability it turned out to be quite minor. The startup variable is evaluated as an arithmetic expression. The CVE mentions that arbitrary expressions can be executed, but after some testing I could conclude that this is not the case. Arbitrary arithmetic expressions can be executed, but as soon as you add something that could be used to hack something it is no longer possible, since it aborts, reporting that it is not a valid arithmetic expression. This made me mark it as a minor issue for jessie. It should probably be marked the same for stable too, but I'll let the security team conclude that. Removed the entry from dla-needed.txt as well.
  • Checked the lout package and CVE-2019-19918 and CVE-2019-19917. It turned out that the CVEs were marked as minor issues for Buster and Stretch. There is no reason to treat Jessie differently. Therefore I marked the two CVEs as ignored and removed the package from dla-needed.txt.
  • Checked out ansible and CVE-2019-14846, CVE-2019-14905, CVE-2019-14904, CVE-2019-14864 and CVE-2019-14858. All of them are marked as no-dsa (minor issue) for both Buster and Stretch. There is no reason to treat Jessie differently. Marking them as ignored and removing ansible from dla-needed.txt.
  • Analyzed the patch for squid3. It is the same patch for CVE-2019-12523 and CVE-2019-18676. The URN checks introduced were possible to locate, but the heap overflow is harder. There are two additional checks added, but without some reproduction vector it is hard to be sure whether the problem is solved by those or not. It may be the whole introduction of SBuf usage that solves the heap problem.
  • Started to look into importing the DLAs that are missing. Found good instructions at https://wiki.debian.org/AlbanVidal/draft/Salsa_HowCreateMergeRequest
  • Front desk work.
  • Triaged otrs2 and concluded that the below CVEs should be marked as unsupported since the package is in non-free.
    • CVE-2020-1765
    • CVE-2020-1766
    • CVE-2020-1767
  • Triaged cacti and CVE-2020-7237. The conclusion is that the package in jessie is not vulnerable since the configuration option does not exist in this version.
  • Triaged libxmlrpc3-java and CVE-2019-17570. Some timing issue in the security DB sync, since this is already marked with a DLA.
  • Triaged tomcat7 and its two CVEs. Same timing issue since both packages have a DLA already.
  • Triaged mruby and its undetermined CVEs.
    • CVE-2020-6840 - The vulnerability exists in later versions, but jessie is not affected since the code was introduced later.
    • CVE-2020-6839 - Bullseye and later do not have this function. Jessie has it, but it is unclear whether it is vulnerable or not. In any case I marked it as a minor issue, since similar classes of vulnerabilities have been marked the same way in the past.
    • CVE-2020-6838 - One of the commits is the same as for CVE-2020-6840 and the two others were introduced later. So marking it as not-affected.
  • Marked a number of CVEs as end-of-life for nethack.
  • Triaged aspell. Marked CVE-2019-20433 as ignored following the decision for stretch.
  • Triaged intel-microcode. It is non-free, but at least the medium-rated vulnerability seems to be fairly severe. Added it to dla-needed.txt.
  • Triaged libxmlrpc3-java and concluded that CVE-2019-17570 is severe enough to be fixed, so added the package to dla-needed.txt. But it turned out that it was already fixed, causing some confusion.
  • Looked at the snappy package trying to work out if the undetermined tag is correct.
  • Answered a few email questions from DLA developers wanting feedback.
  • Triaged sudo and added to the dla-needed.txt file.
  • Triaged spamassassin and added it to the dla-needed.txt file.
  • Triaged firefox-esr and added it to the dla-needed.txt file.
  • Triaged u-boot. Tagged CVE-2020-8432 as ignored following stretch decision.
  • Marked CVE-2019-20421 for exiv2 as ignored in jessie. Similar issues have been marked the same many times before.
  • Triaged netty. The request smuggling vulnerabilities look important enough to fix. Convinced after reading a paper about it. Added it to dla-needed.txt.
  • Triaged CVE-2020-8492 for python2.7 and python3.4. After some thinking it looks like it is a minor issue. The argument is that it is a client DoS problem and the attack cannot really be exploited unless the attacker writes custom Python code. If that is possible the attacker can anyway implement an infinite loop or similar with ease. So the CVE was marked as a minor issue. To be sure, however, an email was sent to the LTS list asking for advice.