
Bits from the Testing Security team



[ note: Reply-To: set to debian-devel ]

This is a quick summary of the Debian Testing Security Team[1] work
and a request for some aid to help sort out some difficult Sarge
security problems.

Contents of this message:
	What the Testing Security Team has been up to
	How can I leverage my powerful brain to aid you?
	Let the games begin!
	This is fun, how else can I help?


Background information
----------------------

The first thing the Debian Testing Security Team did was to check all
security holes since the release of Debian 3.0 to ensure that all the
holes are fixed in Sarge.

Now that this has finished, we are busy checking to make sure that
security problems that have already been fixed in unstable as well as
stable do not continue to affect testing. 

We are also dealing with new holes as they are made known. Every day
we get an updated copy of Mitre's comprehensive list of known security
problems, known affectionately as CAN numbers[2]. We've been going
through old CANs as well as the newly released CANs, checking
changelogs and advisories, testing proof-of-concepts, digging patches
out of other vendors' kernels, whatever is needed to confidently
determine whether sarge is vulnerable to the particular CAN or not. We
then record our findings, file bugs, write patches, do NMUs as
necessary, track fixed packages and work with the Debian Release
Managers to make sure fixes reach testing quickly. The result of this
is the Testing Security issues page[3], which shows how many holes are
unfixed (that we know of) in testing as well as the associated bugs
and Debian package versions required to plug each hole. In addition,
it also indicates how many unprocessed TODO items are still remaining
for us to process.[4]

How can I leverage my powerful brain to aid you?
------------------------------------------------

I'm glad you asked! Your brain is much bigger than our individual
brains, so we need the collective help of everyone to brainstorm
solutions to some difficult remaining CANs. Our goal is to reduce our
TODO count to zero, but we need your help.

There are a few CANs that are pretty vague in their broad
applicability; they potentially cover a number of packages, and we need
help figuring out which packages those would be. Bonus points if you
can tell us whether the package is affected by its associated CAN, extra
bonus points if you tell us the bug number that you filed to alert the
package maintainer of the security hole, tagged it security and added
a patch. So without further ado, here they are; if you have any
information that can help us, please follow up to debian-devel.

Let the games begin!
--------------------

1. What packages contain X.400 (CAN-2003-0565)[5]?

2. What packages contain S/MIME besides mozilla, because the current
version (mozilla 2:1.7.3) contains safe NSS 3.9.1 (CAN-2003-0564)[6]?

3. What packages modify JPEG images (CAN-2005-0406)[7]? Please limit
your answers to those packages that do not modify the EXIF thumbnail;
we don't need to hear "imagemagick" or "the gimp." You can test this
with this jpg[8], whose thumbnail contains a green swirl instead of the
red one. Basically, if the file is loaded into a program doing the
right thing (e.g. gimp) and saved again, the swirl in the thumbnail
turns red. If a program is doing the wrong thing (e.g. convert[9]), the
thumbnail stays green. For example,

	convert exiftest.jpg -draw "rectangle 0,0 300,300 fill black" out.jpg

will draw a black rectangle over the swirl, but the thumbnail in
out.jpg still has the green swirl.

4. What packages contain libtiff code, besides libtiff4 3.6.1-4, which
is not affected thanks to DSA-617-1 (CAN-2004-1308)[10]?

5. What ftp programs are affected by directory traversal
vulnerabilities (CAN-2002-1345)[11]?

6. What packages in Debian are SMTP mail scanners that can
potentially be bypassed by fragmenting messages (CAN-2002-1121)[12]?

7. Is our xpdf vulnerable to CAN-2005-0206[13]?
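A way to automate the item 3 check without eyeballing the swirl colour, added here as an example and not part of the original message or of any Debian tool: it pulls the EXIF (IFD1) thumbnail out of a JPEG before and after a program has re-saved it and reports whether the thumbnail survived byte-for-byte, which is the symptom of CAN-2005-0406. The JPEG it builds for testing is constructed, not exiftest.jpg, and the function names are this example's own.

```python
import struct

def extract_exif_thumbnail(jpeg: bytes):
    """Return the EXIF (IFD1) thumbnail embedded in a JPEG, or None if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9 or 0xD0 <= marker <= 0xD8:   # stand-alone markers carry no length field
            pos += 2
            continue
        if marker == 0xDA:                               # SOS: the metadata segments are over
            break
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        seg = jpeg[pos + 4:pos + 2 + seglen]             # segment body, length field excluded
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _thumbnail_from_tiff(seg[6:])
        pos += 2 + seglen
    return None

def _thumbnail_from_tiff(tiff: bytes):
    """Follow IFD0's next-IFD pointer to IFD1 and read tags 0x0201/0x0202 (thumbnail offset/length)."""
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]                # byte order from the TIFF header
    (ifd0,) = struct.unpack(e + "I", tiff[4:8])
    (n0,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
    (ifd1,) = struct.unpack(e + "I", tiff[ifd0 + 2 + 12 * n0:ifd0 + 6 + 12 * n0])
    if ifd1 == 0:
        return None
    (n1,) = struct.unpack(e + "H", tiff[ifd1:ifd1 + 2])
    offset = length = None
    for i in range(n1):
        tag, _typ, _count, value = struct.unpack(e + "HHII", tiff[ifd1 + 2 + 12 * i:][:12])
        if tag == 0x0201:    # JPEGInterchangeFormat: offset of the thumbnail JPEG
            offset = value
        elif tag == 0x0202:  # JPEGInterchangeFormatLength
            length = value
    return None if offset is None or length is None else tiff[offset:offset + length]

def thumbnail_unchanged(original: bytes, processed: bytes) -> bool:
    """True when the re-saved file still carries the original's thumbnail unchanged (the bad case)."""
    before = extract_exif_thumbnail(original)
    return before is not None and before == extract_exif_thumbnail(processed)

def build_exif_jpeg(thumb: bytes) -> bytes:
    """Constructed test input: SOI, one APP1/Exif segment whose IFD1 points at `thumb`, EOI."""
    tiff = b"II*\x00" + struct.pack("<IHIH", 8, 0, 14, 2)   # header, empty IFD0 -> IFD1 at 14 with 2 entries
    tiff += struct.pack("<HHIIHHIII", 0x0201, 4, 1, 44, 0x0202, 4, 1, len(thumb), 0) + thumb
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

To test a real program, feed it exiftest.jpg and its output file: thumbnail_unchanged(open("exiftest.jpg", "rb").read(), open("out.jpg", "rb").read()) returning True means the program left the old thumbnail in place.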


This is fun, how else can I help?
---------------------------------

Glad you asked! Anyone with an interest in participating is welcome to
join the team, Debian Developers and others with the skills and desire
to help. The team can be contacted through its mailing list[14]. There
is a second mailing list[15] that receives commit messages to our
repository. An Alioth project page[1] is also available. Have a read
of this message[16] if you are interested in participating; it gives
the details of how to start helping check CANs on a regular basis.


What do I win? huh? Huh?!
-------------------------

You get a little sticker that says:

"I donated to Sarge today!" [swirl here]

Ok, not really, but you do get our gratitude; these are annoying and
difficult. Thanks.


[1] http://secure-testing.alioth.debian.org/
[2] http://cve.mitre.org/cve/candidates/downloads/full-can.html
[3] http://merkel.debian.org/~joeyh/testing-security.html
[4] An alternate page, which tracks archive changes more quickly but
may be inaccurate due to bugs in madison on newraff, is here:
http://newraff.debian.org/~joeyh/testing-security.html
[5] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0565
[6] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0564
[7] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0406
[8] http://www.sfritsch.de/debian/exiftest.jpg
[9] convert is from package "imagemagick" and exif is from "exif"
[10] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308
[11] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1345
[12] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1121
[13] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0206
[14] http://secure-testing.alioth.debian.org/secure-testing-team@lists.alioth.debian.org
[15] http://secure-testing.alioth.debian.org/secure-testing-commits@lists.alioth.debian.org
[16] http://lists.debian.org/debian-security/2004/10/msg00166.html
