
Re: [buster] CVE-2022-46871: libusrsctp maybe backporting a new version ?

Hi Bastien

Thank you for bringing this up. We should also consider the severity of
the problem.
From what I understand the worst case problem is a "use after free".
The source is here:

I would say this is quite minor.

I know I added it for buster, but that was just following the decision
for bullseye. With the information you provide about the porting
complexity and binary interface compatibility problem I would say I
think we should ignore it instead.

SCTP is not the most common protocol for mozilla I guess either.

Please let me know what you think.

You mention rebuild all reverse dependencies. Well I do not find any
within Debian.
This makes it even less important to fix it.

ola@buster-lts:~/build$ apt-rdepends -r libusrsctp1
Reading package lists... Done
Building dependency tree
Reading state information... Done
  Reverse Depends: libusrsctp-dev (=
  Reverse Depends: libusrsctp-examples (=
ola@buster-lts:~/build$ apt-rdepends -r libusrsctp-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done


// Ola

On Sun, 18 Jun 2023 at 15:12, Bastien Roucariès <rouca@debian.org> wrote:
> Hi,
> The last two hours I tried to fix CVE-2022-46871 by backporting the timer handling patch by patch until I got something approximately sane.
> I believe it is not really the way to go:
> - it is quite fragile
> - upstream does not correctly create separate commits and creates periodic merges from FreeBSD (huge commits)
> - in all the cases it breaks the ABI and will need a rebuild of rdeps (public structure changes, function changes)
> - it will need other patches in order to fix the last parts, that cancel timers depending on packet type.
> - reading upstream commits, I see other interesting fixes like not checking the return of sprintf
> - the test suite does not test all the cases
> For me the safest way will be to backport the bullseye version to buster and rebuild the rdeps if needed.
> I want to have some advice on it.
> Bastien

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
