Re: Who should I report source audits too?

To: Steve Kemp <skx@tardis.ed.ac.uk>
Cc: debian-devel@lists.debian.org
Subject: Re: Who should I report source audits too?
From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>
Date: Thu, 24 Oct 2002 18:43:56 -0500 (CDT)
Message-id: <[🔎] Pine.GSO.4.40.0210241839310.13109-100000@pollux.cc.umanitoba.ca>
In-reply-to: <[🔎] 20021024001622.A21236@tardis.ed.ac.uk>

I have started an unofficial auding project on sourceforge. It was my
intention to talk to debian-devel about what I should do, however the open
policy of Debian leads me to believe that posting the raw audits in the
sourceforge project would be partially acceptable as long as bugs were
filed by hand.

If the bug covers multiple distributions (ones other than Debian) then
special consideration is needed and upstream should probably be contacted
first. Using the private Debian security e-mail address would probably be
a good thing to do too as they should be kept in on cert and other related
coordinated vulnerability squashing.

Debian's security team can contact qa if they need help.

     Drew Daniels

On Thu, 24 Oct 2002, Steve Kemp wrote:

>   I've recently started downloading and auditing some of the package
>  sources of random packages which are installed upon the Debian servers
>  at my workplace; with a view to looking for security holes.
>
>   Out of the three packages that I've examined thus far I've found one
>  package to be wonderfully written, one to be remotely exploitable[1]
>  and one to crash with a little bit of environmental tweaking[2].
>
>   I'm wondering what I should do in general for these different cases:
>
>   If a program is remotely exploitable/crashable should I:
>
>      1)  Tell upstream only.
>      2)  Notify upstream and the Debian package maintainer
>      3)  Notify upstream and inform debian-security.
>      4)  Notify debian-qa too.
>
>   (I'm a little unclear of the role of the debian-qa list - I'm a recent
>  member of the Debian project and I may well have forgotten the relevent
>  details in the information overload of reading and digesting so many
>  documents ;)
>
>   One the one hand mailing upstream is clearly the right thing to do,
>  but often there are large gaps between releases, and it seems like a
>  good thing to minimize the window of having users exploited to a
>  package that may be crashed, even in a very unlikely scenario.
>
>   Informing upstream AND submitting a Debian bug report would seem to
>  increase the workload on a developer - once to fix the bug and upload
>  a package, and once to upload the hopefully quickly modified upstream
>  package.
>
>   Really I'm looking for guidance here so that I don't unnecessarily
>  increase the workload of other Debian developers, and also to make
>  a worthwhile contribution.
>
> Steve
> ---
> [1] - Remote users can gain a shell under the UID of the client
>       who runs the given game.  This should be in the hands of
>       the security team as I write this.  (In this case upstream
>       was included a Debian developer so only one notification was
>       made; to him direct).
>
> [2] - export LOGNAME=`perl -e 'print "x" x 200'`; ./buggy-game-not-setuid
>       In this case I've notified upstream but not had a response..

Reply to:

Follow-Ups:
- Re: Who should I report source audits too?
  - From: Steve Kemp <skx@tardis.ed.ac.uk>

References:
- Who should I report source audits too?
  - From: Steve Kemp <skx@tardis.ed.ac.uk>

Prev by Date: Re: [desktop] why kde and gnome's menu situation sucks
Next by Date: Re: non-pristine sources under pool/
Previous by thread: Re: Who should I report source audits too?
Next by thread: Re: Who should I report source audits too?
Index(es):
- Date
- Thread