
Re: [buster] CVE-2022-46871: libusrsctp maybe backporting a new version?



Hi Bastien

Thank you for bringing this up. We should also consider the severity of
the problem.
From what I understand the worst case problem is a "use after free"
vulnerability.
The source is here:
https://bugs.launchpad.net/ubuntu/+source/libusrsctp/+bug/2015448

I would say this is quite minor.

I know I added it for buster, but that was just following the decision
for bullseye. With the information you provide about the porting
complexity and binary interface compatibility problem I would say I
think we should ignore it instead.

SCTP is not the most common protocol for mozilla I guess either.

Please let me know what you think.

You mention rebuilding all reverse dependencies. Well, I do not find any
within Debian.
This makes it even less important to fix it.

ola@buster-lts:~/build$ apt-rdepends -r libusrsctp1
Reading package lists... Done
Building dependency tree
Reading state information... Done
libusrsctp1
  Reverse Depends: libusrsctp-dev (= 0.9.3.0+20190127-2)
  Reverse Depends: libusrsctp-examples (= 0.9.3.0+20190127-2)
libusrsctp-dev
libusrsctp-examples
ola@buster-lts:~/build$ apt-rdepends -r libusrsctp-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libusrsctp-dev

Cheers

// Ola

On Sun, 18 Jun 2023 at 15:12, Bastien Roucariès <rouca@debian.org> wrote:
>
> Hi,
>
> The last two hours I tried to fix CVE-2022-46871 by backporting the timer handling patch by patch until I got something approximately sane.
>
> I believe it is not really the way to go:
> - it is quite fragile
> - upstream does not correctly create separate commits and creates periodic merges from FreeBSD (huge commit)
> - in all cases it breaks ABI and will need a rebuild of rdeps (public structure changes, function changes)
> - it will need other patches in order to fix the last parts, that cancel timers depending on packet type.
> - reading upstream commits, I see other interesting fixes like not checking the return of sprintf
> - the test suite does not test all the cases
>
> For me the safest way will be to backport the bullseye version to buster and rebuild the rdeps if needed
>
> I want to have some piece of advice on it.
>
> Bastien
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------