On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote:
> Hi Ben,
>
> On Sat, Feb 17, 2018 at 09:28:19PM +0000, Ben Hutchings wrote:
> > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > > Hello.
> > > > > >
> > > > > > I prepared LTS security update for leptonlib. Please review and upload.
> > > > > > You can find debdiff along with the mail.
> > > > > > link:
> > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > >
> > > > >
> > > > > Abhijith,
> > > > >
> > > > > I have reviewed and uploaded the package. While you backported the
> > > > > upstream fix, I feel like their approach falls under item #2 of "The Six
> > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > > > help but wonder if another vulnerability will be uncovered later that
> > > > > uses different characters that are not being checked.
> > > >
> > > > I found one already: it filters out `command` but not $(command).
> > > >
> > > > I'm afraid this library appears to have been written without any regard
> > > > for security, or even the existence of multiuser systems.
> > > >
> > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > > > and I think there are more instances.
> > > >
> > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > > > can still see:
> > >
> > > [...]
> > >
> > > I've re-added the package to dla-needed.txt for #889759 /
> > > CVE-2018-3836. Should a new CVE be issued for #885704?
> >
> > I think additional CVEs are needed for:
> >
> > 1. #890548
>
> This one has CVE-2018-7186.
>
> > 2. Incomplete fix for #889759 / CVE-2018-3836
> > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > there is a possibility of path traversal and arbitrary file overwrite
> > 4. #885704
> > 5. The remaining hardcoded paths in /tmp
>
> Have you already requested CVEs for the other issues?

No, I haven't.

Ben.

--
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought. ... I realized that a large part of my life from then on was
going to be spent in finding mistakes in my own programs.
- Maurice Wilkes, 1949
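Roberto's "enumerating badness" objection and Ben's two gaps ($(command) and an unfiltered "/") are easy to see side by side. The following is an added illustration, not leptonlib's code: a deny-list check of the kind the upstream fix takes beside an allow-list check on a file name before it could reach a shell. Both functions and every sample name are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Deny-list check in the spirit of the upstream fix discussed in the thread
 * (constructed for this example, not leptonlib's code): reject a name only if
 * it contains a backtick.  "$(cmd)" and "../" pass straight through. */
static bool denylist_name_ok(const char *name)
{
    return strchr(name, '`') == NULL;
}

/* Allow-list check: a bare file name made of [A-Za-z0-9._-], not starting
 * with '.' or '-', no '/' at all (so no directory component and no
 * traversal), bounded length.  Anything else is rejected without needing
 * to know which shell metacharacters exist. */
static bool allowlist_name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 255)
        return false;
    if (name[0] == '.' || name[0] == '-')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names: one benign, then the two gaps named in the
     * thread (command substitution and an unfiltered '/'). */
    const char *samples[] = { "page1.png", "`cmd`.png", "$(cmd).png", "../x.png" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s deny-list:%s allow-list:%s\n", samples[i],
               denylist_name_ok(samples[i]) ? "accept" : "reject",
               allowlist_name_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Even the allow-list is only a second line of defence; what a reviewer would ask for first is that file names never pass through a shell at all (fork/exec with an argument vector rather than system() on a formatted string).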