
Re: upload leptonlib



On 2018-02-15 21:34:48, Ben Hutchings wrote:
> On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
>> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
>> > Hello.
>> > 
>> > I prepared LTS security update for leptonlib. Please review and upload.
>> > You can find debdiff along with the mail.
>> > link:
>> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
>> > 
>> 
>> Abhijith,
>> 
>> I have reviewed and uploaded the package. While you backported the
>> upstream fix, I feel like their approach falls under item #2 of "The Six
>> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
>> help but wonder if another vulnerability will be uncovered later that
>> uses different characters that are not being checked.
>
> I found one already: it filters out `command` but not $(command).
>
> I'm afraid this library appears to have been written without any regard
> for security, or even the existence of multiuser systems.
>
> Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> and I think there are more instances.
>
> Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> can still see:

[...]

I've re-added the package to dla-needed.txt for #889759 /
CVE-2018-3836. Should a new CVE be issued for #885704?

A.

-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then
let us work together.    - Aboriginal activists group, Queensland, 1970s
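Added example, not code from leptonlib or from the upstream patch discussed above: a constructed denylist filter of the "strip the dangerous characters" kind, showing that it removes `...` but passes $(...) through unchanged, next to the two approaches that do not enumerate badness: an allowlist on the characters a filename legitimately needs, and handing the argument to execvp() as one argv entry so no shell ever parses it. The BAD_CHARS list and the filename alphabet are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a "strip the dangerous characters" fix.
 * The list is an assumption for this example, not the actual upstream
 * patch: it knows about backticks and a few separators but not about
 * $(...) command substitution. */
static const char BAD_CHARS[] = "`;&|<>";

/* Copies `in` without any character from BAD_CHARS. Caller frees. */
char *strip_badness(const char *in)
{
    size_t n = strlen(in), j = 0;
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (strchr(BAD_CHARS, in[i]) == NULL)
            out[j++] = in[i];
    out[j] = '\0';
    return out;
}

/* Nonzero if the filtered string would still make the shell run a
 * command: either spelling of command substitution survives. */
int still_injectable(const char *s)
{
    return strstr(s, "$(") != NULL || strchr(s, '`') != NULL;
}

/* Allowlist instead of denylist: accept only the characters a plot data
 * filename needs (assumed alphabet), and refuse a leading '-' so the
 * name cannot be read as an option by the program being invoked. */
int is_safe_filename(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    return 1;
}

/* Runs argv[0] directly with fork/execvp: no shell ever sees the
 * arguments, so metacharacters in them are inert. Returns the child's
 * exit status, or -1 on failure. */
int run_without_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a backtick payload, a $(...) payload, a benign name. */
    const char *inputs[] = { "plot.txt`id`", "plot.txt$(id)", "data/plot_1.txt" };
    for (size_t i = 0; i < 3; i++) {
        char *f = strip_badness(inputs[i]);
        if (!f)
            return 1;
        printf("%-18s denylist -> %-16s %-16s allowlist -> %s\n",
               inputs[i], f, still_injectable(f) ? "STILL INJECTABLE" : "ok",
               is_safe_filename(inputs[i]) ? "accepted" : "rejected");
        free(f);
    }
    /* The hostile name is just a string argument here; nothing expands it. */
    char *argv[] = { "/bin/echo", "plotting", "plot.txt$(id)", NULL };
    return run_without_shell(argv);
}
```

The point the thread makes is visible in the first loop: the denylist turns "plot.txt`id`" into "plot.txtid" but leaves "plot.txt$(id)" untouched, and any further metacharacter nobody thought of will do the same. The allowlist rejects both payloads for free, and the execvp() path makes the question moot.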

