Who should I report source audits too?
I've recently started downloading and auditing some of the package
sources of random packages which are installed upon the Debian servers
at my workplace; with a view to looking for security holes.
Out of the three packages that I've examined thus far I've found one
package to be wonderfully written, one to be remotely exploitable[1]
and one to crash with a little bit of environmental tweaking[2].
I'm wondering what I should do in general for these different cases:
If a program is remotely exploitable/crashable should I:
1) Tell upstream only.
2) Notify upstream and the Debian package maintainer
3) Notify upstream and inform debian-security.
4) Notify debian-qa too.
(I'm a little unclear of the role of the debian-qa list - I'm a recent
member of the Debian project and I may well have forgotten the relevent
details in the information overload of reading and digesting so many
documents ;)
One the one hand mailing upstream is clearly the right thing to do,
but often there are large gaps between releases, and it seems like a
good thing to minimize the window of having users exploited to a
package that may be crashed, even in a very unlikely scenario.
Informing upstream AND submitting a Debian bug report would seem to
increase the workload on a developer - once to fix the bug and upload
a package, and once to upload the hopefully quickly modified upstream
package.
Really I'm looking for guidance here so that I don't unnecessarily
increase the workload of other Debian developers, and also to make
a worthwhile contribution.
Steve
---
[1] - Remote users can gain a shell under the UID of the client
who runs the given game. This should be in the hands of
the security team as I write this. (In this case upstream
was included a Debian developer so only one notification was
made; to him direct).
[2] - export LOGNAME=`perl -e 'print "x" x 200'`; ./buggy-game-not-setuid
In this case I've notified upstream but not had a response..
Reply to: