I've worked during March 2024 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and sponsors [2] for providing this opportunity!

ELTS and LTS:

expat (ELTS)
============

Last month I've worked on expat for LTS, and the work continued for ELTS - jessie and stretch - and finished with the release of ELA-1073-1 fixing CVE-2023-52425.

For context, this is the report from last month for the update to LTS:

As expat is a very widely used package, one needs to be extra careful when tackling stuff there. Fortunately I found that there is an upstream test suite available in the package. However it was not enabled, and when trying to enable it the test suite failed to compile, so I spent some time to fix and re-enable the test suite and fix the compilation issue.

Then it was time to backport the first CVE-2023-52425. The patch is quite sizeable, and after completing the backporting the test suite was not really happy, with several tests failing. After some debugging I've decided to split the patch into the constituent upstream commits and to iterate to a solution, to isolate the commits where the test suite starts failing. This allowed me to debug into the problems and identify some other extra required upstream changes to the library and test suite. In the end the test suite was happy, and the debugging helped to show that the patch for the CVE basically uncovered some bugs in the old test code.

The other CVEs have been triaged and found to be not affecting/actionable for the LTS and ELTS packages:

CVE-2023-52426 is fixing a billion laughs attack when the library is compiled without XML_DTD defined, which is not the case for Debian. (For the other case it is CVE-2013-0340; however, this vulnerability won't be backported due to the risk of regression due to the size, complexity, and new APIs. Expat provides API to mitigate expansion attacks, so this is ultimately under control of the app using Expat.)
CVE-2023-52427 is not applicable for the LTS/ELTS packages as well: It is actually a limitation/bug of a function of the original CVE-2013-0340 mitigation heuristic, and as we don't have that code…

After backporting CVE-2023-52425 for ELTS, on jessie python3.4's autopkgtest showed a regression, which needed to be examined. Unfortunately the autopkgtest logs were not verbose, so it was unclear where the failure was coming from until I was able to run the tests locally, where it showed that indeed the expat mitigation for CVE-2023-52425 caused the failure in pyexpat, as the test feeds the xml one byte after the other -- which is the exact thing the patch for CVE-2023-52425 detects and mitigates for:

> "Expat 2.6.0 introduced a security mechanism called “reparse deferral”
> where instead of causing denial of service through quadratic runtime
> from reparsing large tokens, reparsing of unfinished tokens is now
> delayed by default until a sufficient amount of input is reached. Due to
> this delay, registered handlers may — depending of the sizing of input
> chunks pushed to Expat — no longer be called right after pushing new
> input to the parser."

The failing test is tripping over that: The XMLPullParser [4] is designed to provide a "Pull API for non-blocking parsing", and when the parser is fed in a way that the parsing deferral is engaged, it might not generate events although the complete token is already fed into the parser - at least not until the close() function is called or further data is fed. Future python versions got API around that, namely the flush() function, but that would require user code changes besides backporting this function to our python versions.
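To make the XMLPullParser behaviour described above concrete, here is an added Python example; it is mine, not code from this report, from the Debian packages or from CPython's test suite. It feeds a constructed sample document in chunks of a chosen size and separates the events that were visible before close() from those that only surfaced at close(). With an expat that has reparse deferral and byte-wise feeding the second list is non-empty; with an older expat it is empty; the totals agree either way. The flush() call is only attempted where the running Python provides it (3.13 and later), which is an assumption about the interpreter, not something the report states.

```python
import xml.etree.ElementTree as ET
from xml.parsers.expat import EXPAT_VERSION

# Constructed sample document for the demonstration (not from the report).
SAMPLE_XML = b"<root><item id='1'>alpha</item><item id='2'>beta</item></root>"

# Every start/end event the sample document produces, in order.
EXPECTED_EVENTS = ["start", "start", "end", "start", "end", "end"]


def pull_events(data: bytes, chunk_size: int = 1, use_flush: bool = False) -> dict:
    """Feed `data` to an XMLPullParser in `chunk_size`-byte pieces and record
    which events were observable before close() and which only surfaced
    after it.

    With an expat that implements reparse deferral (>= 2.6.0), very small
    chunks can leave already-complete tokens unreported until enough further
    input arrives or close() is called.  The concatenation of both lists is
    the same regardless of the expat version underneath.
    """
    parser = ET.XMLPullParser(events=("start", "end"))
    before_close = []
    for i in range(0, len(data), chunk_size):
        parser.feed(data[i:i + chunk_size])
        if use_flush and hasattr(parser, "flush"):
            # XMLPullParser.flush() exists from Python 3.13 on (assumption
            # about the interpreter); it forces the deferred reparse so the
            # events for what has been fed so far become visible now.
            parser.flush()
        before_close.extend(ev for ev, _ in parser.read_events())
    parser.close()  # end of stream: any deferred tokens are parsed now
    after_close = [ev for ev, _ in parser.read_events()]
    return {"before_close": before_close, "after_close": after_close}


def deferral_observed(data: bytes, chunk_size: int = 1) -> bool:
    """True if feeding in `chunk_size` pieces left events unreported until close()."""
    return bool(pull_events(data, chunk_size)["after_close"])


if __name__ == "__main__":
    print("expat", EXPAT_VERSION, "flush() available:",
          hasattr(ET.XMLPullParser(), "flush"))
    for chunk in (1, 16, len(SAMPLE_XML)):
        r = pull_events(SAMPLE_XML, chunk)
        print(f"chunk={chunk:3d}  before_close={len(r['before_close'])}  "
              f"after_close={len(r['after_close'])}")
    r = pull_events(SAMPLE_XML, 1, use_flush=True)
    print(f"chunk=  1 with flush()  before_close={len(r['before_close'])}  "
          f"after_close={len(r['after_close'])}")
```

Running it on a system with expat 2.6.0 or later prints a non-zero after_close count for chunk=1, which is exactly the situation the python3.4 test tripped over: the input is complete, but the events arrive only at close(). A test that reads events after every single byte therefore has to either call close()/flush() or tolerate the delay.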
With that I've reached out to the team and asked for their opinion on how to handle the situation; the result was that, due to the fact that there were no reports of this issue for buster and that several other distributions were also going the route to ignore the python issue (or fix the python tests to match the new expat behaviour).

frr (LTS)
=========

In contrast to expat, frr was quite straightforward, but there were a lot of vulnerabilities to backport:

CVE-2022-26125
CVE-2022-26126
CVE-2022-26127
CVE-2022-26128
CVE-2022-26129
CVE-2022-37035
CVE-2023-38406
CVE-2023-38407
CVE-2023-46752
CVE-2023-46753
CVE-2023-47234
CVE-2023-47235
CVE-2024-31948
CVE-2024-31949

Those are all fixed with the upload, announced as DLA-3797-1. (Additionally, several CVEs had been triaged and found not to affect buster.)

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- tobi