Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2020 May

The following contributions were made:

  • Front desk work.
  • Triaged condor. CVE-2019-18823 is a little unusual for a CVE. It looks like it is four different issues. At least one of them seems to be important enough to fix. On the other hand the package does not really seem to be that popular. Is it worth fixing. After some day I decided to add it to DLA needed.
  • Triaged jquery. CVE-2020-11023 and CVE-2020-11023 are fixed with the same patch. The extend function htmlPrefilter does not exist in the jessie version. Marked them as not-affected. The truth is a little more complicated since other functions can have similar problem, but since they do not promise any filtering this should be known by the application developer using jquery. In any case this is a XSS vulnerability which is less severe than other vulnerabilities.
  • Triaged salt. Found commits and added them in a note. Concluded that the package is vulnerable to both issues and both should be fixed. Added to dla-needed.
  • Triaged wordpress. Package added to dla-needed. It really took quite some time to find the code...
    • CVE-2020-11025 - Found the fix and added it as a note. Looks like the vulnerable code is not present.
    • CVE-2020-11026 - Cannot find the commit.
    • CVE-2020-11027 - Found jessie fix commit and added it as a note. Vulnerable code present in jessie.
    • CVE-2020-11028 - Cannot find the commit.
    • CVE-2020-11029 - Found one commit and added it as a note. Vulnerable code present in jessie.
    • CVE-2020-11030 - Found 5.4 fix and added it as a note. Concluded that jessie is not vulnerable since the code is not present.
  • Triaged vlc, adding EOL entries.
  • Continued triaging of opensc from last month report. The problem in CVE-2019-20792 is a double free. Opensc contain tools for interacting with smart cards. The question is whether we should assume that the tools are only used to interact with known cards. In this case this is not an issue. However if cards from anyone should be assumed then this can potentially be a problem. Still a double free should not give more than a crash. On the other hand this piece of software seems to have got quite a lot of security issues fixed, even heap overflow and the like. Looks like the package maintainer have been working hard to keep security good. Also rather minor issues have DLAs assigned. So even though the severity is not that high, maybe it should be fixed. In any case it is not urgent so I'll wait some time for Debian Security team to make a judgement. Finally decided on postponing it.
  • Continued triaging of percona-xtrabackup from last month report. Not urgent. The question is whether a no-dsa is good enough. Will wait some more day for Debian Security team to make a decision. After some waiting without any action I decided to put it on dla-needed.
  • Added apache2 to DLA needed as a response to an email telling that there is a grave bug.
  • Answered email about libsixel and jbig2dec.
    • Marked CVE-2020-11721 for libsixel as no-dsa.
    • Asked the front desk adding libsixel on why it was done so even though we only have no-dsa issues.
    • Answered that jbig2dec is probably not worth fixing.
  • As promised on the meeting I have updated the README file describing more about workflow and triaging.
  • Triaged undetermined package gpac. From the code it is clear that CVE-2020-11558 is not vulnerable in jessie. Marked accordingly in the tracker. Similar code present with different name but the variable the extra function checks for is not there so it cannot be necessary to check for it too. In addition the proof of concept file does not reproduce the problem. In the jessie version the tool tell that the PoC file is not correct and exits before it crash.
  • Normal non-front desk work.
  • Worked on bluez. After looking at the patches in stretch it looks like the patch files can be applied as is. The updates that will fail is hog.c, but after looking at the code I can find no evidence that this file need an update in jessie. It does not seem that accept function is there at all and hence need no bond check either. This should be doubled-checked. Add this information as notes in dla-needed.txt.
  • Worked on wireshark. Only one issue CVE-2020-11647 marked for fixing for wireshark. However the issue is really similar to another issue that is postponed. Therefore postponing this too and then also removing the package from dla-needed.
  • Given comments on the LTS survey.
  • Involved in discussion regarding the bluez update.
  • Involved in discussion regarding README and wiki. The conclusion was to move some parts to the wiki so I did that too.