Hi,
Am 29.04.2017 um 23:48 schrieb Ola Lundqvist:
[...]
> I would like to get an understanding on the criteria used to
> mark CVE-2017-5886, CVE-2017-5854, CVE-2017-5853, CVE-2017-5852
> and CVE-2015-8981 as no-dsa in jessie and why it was decided to fix it
> in wheezy. Because they were just of DoS class (and are we sure all of
> them are that)?
I have decided to fix libpodofo in Wheezy because I consider PDF
libraries with reverse dependencies, similar to image libraries, as a
realistic target for attackers on desktop and server systems. The denial
of service is one possible outcome, more interesting to know is how it
is achieved. A heap-based buffer overflow could have a more serious
impact which goes far beyond a simple crash. Just because someone didn't
come up with a proof of concept yet doesn't mean it is not doable. In
this regard I believe the LTS team should work harder to fix such issues
and be more thorough.
We already discussed this in the past but the security team also marks
CVEs as no-dsa because they may be too minor but could be fixed in a
later point release. We don't do point releases instead we fix
everything right away or never or postpone it for later when more
serious issues have piled up. The tag no-dsa doesn't mean that the CVE
should not be fixed. For stable this tag simply translates to "it is not
a priority, we may fix it later, should be done via a point release, too
minor, not critical but still a security bug".
For LTS and myself it means, when time and resources permit, fix it.
Actually when I work on a package I also look at all the no-dsa tags
from the past and if I can realistically fix them in a finite amount of
time, I'll do it together with the apparently more serious issues.
Of course there are good reasons to mark CVEs as no-dsa in Wheezy. For
instance the elfutils and binutils CVEs won't affect people on a
production system or only a tiny, tiny minority. Some other issues are
not worth fixing right away but maybe something more serious emerges
later, then why not fix the minor CVE as well?
> As I see it I do not think it is worth fixing problems that are of class
> DoS.
Actually DoS issues can be very serious. Imagine a multi-user (web)
application where one user can cause a denial of service by uploading a
PDF or image file and thus make the server unavailable.
> So I have re-read the CVEs and most of the ones that were marked as
> no-dsa in jessie are of that type. However there are some that were
> classified as unspecified impact. Is it so that someone have concluded
> that they are just of DoS type and not something worse, like arbitrary
> code execution?
Exactly. As I said before even without a PoC certain programming errors
like heap-based buffer overflows might cause arbitrary code execution.
> I just want to understand so I can look further into the other issues in
> libpodofo and mark them accordingly.
I have concluded that libpodofo's upstream developers are active and
want to fix these issues. The fixes can be backported and mainly consist
of additional guards to safeguard against buffer or integer overflows. I
believe we should fix the CVEs especially because the version in Jessie
is identical and we could easily address those bugs in both distributions.
Regards,
Markus