
Re: Bug#977468: smuxi is marked for autoremoval from testing



Hi Mirco,

On Mon, Jan 11, 2021 at 10:54:27AM +0800, Mirco Bauer wrote:
> Thanks for your email and raised concern, Jeremy.
> 
> Full accessibility in Smuxi has been a high priority for me for a long
> time.
> 
> I looked into the vulnerability of the log4net library that Smuxi depends
> on. My assessment doesn't classify an XXE for a local configuration file as
> release critical. An attacker would need to have write access to the
> configuration file to exploit it. At that point an XXE is pointless, he can
> just execute curl, wget, perl, python or write something to ~/.bashrc
> directly.

I can agree here.

What I thought to raise is a concern: Is log4net actively maintained? An
RC severity might be warranted in such a case to highlight the problem.
log4net has been on the same version since stretch for the Debian revision and
even longer for the upstream version.

This is what I tried to explain with the comment in message 14.

> Having identified the offending code the fix is a one line change on the
> other hand. I plan to upload a fixed version of log4net in the coming days.

Do you have a chance to make an upload so that the underlying issue is
fixed at least starting in bullseye?

> To bump the version to the latest one of log4net so late in the release
> cycle I don't see as a good option. There are 2 other reverse dependencies
> that could break, which I am not upstream of.

Yep, this might definitely be too late now.

Regards,
Salvatore
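The class of hardening discussed above (an XML configuration loader that does not process DTDs, so entity declarations in a local config file cannot be expanded or resolved), as an added C# illustration. This is not log4net's code nor its actual one-line fix; the class name SafeXmlConfigLoader, the temp files and the sample configs are constructed for the example.

```csharp
// Added illustration, not log4net's code: load an XML configuration file with
// DTD processing prohibited and no external resolver, so a <!DOCTYPE ...> with
// entity declarations is rejected by the parser instead of being expanded.
using System;
using System.IO;
using System.Xml;

public static class SafeXmlConfigLoader
{
    // Returns the parsed document; throws XmlException if the file carries a
    // DOCTYPE (and therefore any internal or external entity declarations).
    public static XmlDocument Load(string path)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any DOCTYPE is a hard error
            XmlResolver = null                      // never fetch external resources
        };

        using (var reader = XmlReader.Create(path, settings))
        {
            var doc = new XmlDocument();
            doc.XmlResolver = null; // the document itself must not resolve anything either
            doc.Load(reader);
            return doc;
        }
    }

    // Returns true when the file was accepted, false when the hardened parser
    // rejected it; lets a caller log and fall back to defaults instead of crashing.
    public static bool TryLoad(string path, out XmlDocument doc, out string error)
    {
        try
        {
            doc = Load(path);
            error = null;
            return true;
        }
        catch (XmlException ex)
        {
            doc = null;
            error = ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample in the shape of a log4net section: must load.
        string plain = "<log4net><root><level value=\"INFO\" /></root></log4net>";
        // Constructed sample with a (harmless, internal) DOCTYPE: must be refused,
        // because the loader does not distinguish between benign and hostile DTDs.
        string withDoctype = "<!DOCTYPE log4net [ <!ENTITY lvl \"INFO\"> ]>"
                           + "<log4net><root><level value=\"&lvl;\" /></root></log4net>";

        string plainPath = Path.GetTempFileName();
        string doctypePath = Path.GetTempFileName();
        File.WriteAllText(plainPath, plain);
        File.WriteAllText(doctypePath, withDoctype);

        XmlDocument doc;
        string error;
        Console.WriteLine("plain config accepted: " + TryLoad(plainPath, out doc, out error));
        Console.WriteLine("DOCTYPE config accepted: " + TryLoad(doctypePath, out doc, out error));
        if (error != null)
            Console.WriteLine("parser said: " + error);

        File.Delete(plainPath);
        File.Delete(doctypePath);
    }
}
```

Prohibiting DTDs entirely is the simplest defensible setting for a configuration format that never legitimately needs them; rejecting the file outright also makes a tampered config visible in the application's log rather than silently accepting it.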

