State of ampache: we should declare it unsupported
All,
Summary: ampache appears to not be supportable and I'd like to recommend
that we simply declare it as no longer supported in jessie.
If no objections are raised to my recommendation, I intend to proceed
with the necessary updates (i.e., update to debian-security-support,
associated announcement, and whatever else is needed) at the end of next
week.
------------------------------------------------------------------------
Read on for deatils:
So, I decided to have a look at the ampache package (open CVEs:
CVE-2019-12385, CVE-2019-12386). The vulnerabilities are potentially
quite serious (SQL injection and cross-site scripting), though since I
don't use ampache it is not clear how common it is to host in a
configuration exposed to the public Internet.
That said, ampache was triaged into dla-needed.txt 6 weeks ago (on 25th
August) and at that point the discussion on the GitHub issue [0]
associated with the two open CVEs appears to have concluded (last
comment was on 23rd July), with no additional comments since then.
The factors which prompted me to recommend that we consider declaring
ampache as unsupported in jessie rather than attempting to fix the
vulnerabilities are:
+ upstream has supposedly "fixed" the issues, but the changes are part
of a single very large commit that prepares the code base for
development of the next major release of ampache
+ the package exists only in jessie, with a very low popcon of 19
+ the version in jessie appears to be a pre-release snapshot that was
made at least two years prior to jessie release and it is not clear
that upstream ever made an official release from that line of
development
The commit which is refrenced in the GitHub issue has a commit message
which is a bulleted list of 115 entries (indicating that it is likely a
squash of at least that many individual commits). In the issue
discussion, in response to a question about the specific commits/PRs
that address the CVEs, the upstream references the aforementioned commit
and lists 7 "specific changes" that resolve the CVE's. However, the
"specific changes" do not correspond to anything described in the single
large commit message. Additionally, searching the git history (with the
help of the --grep option) did not reveal any of the "specific changes"
identified by the author. I also searched within his own fork of the
canonical upstream repository and found nothing helpful there either.
For context, the diffstat of the single large commit in question ends
with:
642 files changed, 18132 insertions(+), 20952 deletions(-)
Given that it is likely impossible to extract the necessary targeted
changes to address the CVEs, and that even if such a task were feasible
the likelihood that the changes would apply to a pre-release snapshot
more than 6 years old, and that there does not appear to be sufficient
information to validate that the fixes are effective (the reporter
provides PoCs via an article published after the initial report, but it
is not clear that the information there is sufficiently complete), it
seems like the effort to properly maintain ampache is too great.
Marking the vulnerabilities as "no-dsa" or "ignore" does not seem right,
as they are rather serious, so declaring ampache as unsupported seems
the only viable alternative.
Regards,
-Roberto
[0] https://github.com/ampache/ampache/issues/1872
--
Roberto C. Sánchez
Reply to: