Re: upload leptonlib
- To: Ben Hutchings <ben@decadent.org.uk>
- Cc: Antoine Beaupré <anarcat@orangeseeds.org>, Roberto C. Sánchez <roberto@debian.org>, Abhijith PA <abhijith@disroot.org>, Debian LTS <debian-lts@lists.debian.org>, leptonlib@packages.debian.org
- Subject: Re: upload leptonlib
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 22 Feb 2018 20:34:33 +0100
- Message-id: <20180222193433.GA6254@eldamar.local>
- Mail-followup-to: Ben Hutchings <ben@decadent.org.uk>, Antoine Beaupré <anarcat@orangeseeds.org>, Roberto C. Sánchez <roberto@debian.org>, Abhijith PA <abhijith@disroot.org>, Debian LTS <debian-lts@lists.debian.org>, leptonlib@packages.debian.org
- In-reply-to: <1519317496.2617.248.camel@decadent.org.uk>
- References: <bc8204ac-f111-d069-5095-29dfb1becd63@disroot.org> <20180215032335.xqgqbvkpr65ftj7b@camaguey.connexer.com> <1518730488.2617.129.camel@decadent.org.uk> <87mv08iv61.fsf@curie.anarc.at> <1518902899.2617.156.camel@decadent.org.uk> <20180222062619.uasr4ryjd3ndvqqe@lorien.valinor.li> <1519317496.2617.248.camel@decadent.org.uk>
Hi Ben,
On Thu, Feb 22, 2018 at 05:38:16PM +0100, Ben Hutchings wrote:
> On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote:
> > Hi Ben,
> >
> > On Sat, Feb 17, 2018 at 09:28:19PM +0000, Ben Hutchings wrote:
> > > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > > > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > > > Hello.
> > > > > > >
> > > > > > > I prepared LTS security update for leptonlib. Please review and upload.
> > > > > > > You can find debdiff along with the mail.
> > > > > > > link:
> > > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > > >
> > > > > >
> > > > > > Abhijith,
> > > > > >
> > > > > > I have reviewed and uploaded the package. While you backported the
> > > > > > upstream fix, I feel like their approach falls under item #2 of "The Six
> > > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > > > > help but wonder if another vulnerability will be uncovered later that
> > > > > > uses different characters that are not being checked.
> > > > >
> > > > > I found one already: it filters out `command` but not $(command).
> > > > >
> > > > > I'm afraid this library appears to have been written without any regard
> > > > > for security, or even the existence of multiuser systems.
> > > > >
> > > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > > > > and I think there are more instances.
> > > > >
> > > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > > > > can still see:
> > > >
> > > > [...]
> > > >
> > > > I've re-added the package to dla-needed.txt for #889759 /
> > > > CVE-2018-3836. Should a new CVE be issued for #885704?
> > >
> > > I think additional CVEs are needed for:
> > >
> > > 1. #890548
> >
> > This one has CVE-2018-7186.
> >
> > > 2. Incomplete fix for #889759 / CVE-2018-3836
> > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > > there is a possibility of path traversal and arbitrary file overwrite
> > > 4. #885704
> > > 5. The remaining hardcoded paths in /tmp
> >
> > Have you already requested CVEs for the other issues?
>
> No I haven't.
Alright, I will try to request the pending ones tonight.
Regards,
Salvatore
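The thread above contrasts the backported "enumerating badness" filter (which strips backticks but not `$(command)`, and never rejects "/") with what a reviewer would want instead. The following C example is added here to illustrate that point; it is not leptonlib's code and both functions are hypothetical. It places a denylist check that only knows a few metacharacters beside an allowlist check that accepts an explicit safe set, so the allowlist rejects `$(...)` and path separators without having to anticipate them.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* Illustrative denylist ("enumerating badness"): reject only the characters
 * the author happened to think of. Hypothetical, not leptonlib's actual fix. */
bool denylist_filename_ok(const char *name)
{
    /* Backticks and a few separators are blocked; "$(...)" and "/" are not. */
    return strpbrk(name, "`;&|") == NULL;
}

/* Allowlist: accept only an explicit safe character set and reject all else.
 * Anything outside [A-Za-z0-9._-] is refused, so shell syntax the author
 * never listed ("$(...)", quotes, newlines) and path separators cannot
 * slip through. Leading '.' is refused to block hidden files and "..". */
bool allowlist_filename_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255)
        return false;
    if (name[0] == '.')
        return false;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}
```

Even with the allowlist in place, the stronger mitigation is to stop handing filenames to a shell at all (fork/exec with an argument vector instead of `system()`), since validation only narrows the attack surface rather than removing it.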