(E)?LTS report for November

During November 2023 I worked on the packages listed below, for Freexian [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!



Following last month's work, I finished fixing the test suite by regenerating the certificate (the lack of documentation,
or even of a commit message describing how to do it, made this step a little slow).

I tested and ported the CVE fixes to Python 3.5.

I also opened Debian bug #1055172 about recommending netbase for python3, following an autopkgtest failure. This one was fixed on
Finally, I released ELA-997-1.


I followed the buster fix for CVE-2020-11987, CVE-2022-38398,
CVE-2022-38648, CVE-2022-40146, CVE-2022-44729 and CVE-2022-44730.

The backport was not too difficult, but the patch did not apply cleanly, so special attention was needed.

I released ELA-998-1.


CVE-2023-34058 does not apply to jessie (the vulnerable component was introduced later).

I backported CVE-2023-34059/CVE-2023-34058 from buster. The patch applies cleanly.

Some states (the algorithm was coded as a state machine) have changed and part of the patch does not apply (some parts concern
Wayland support, which was introduced later), so the patch needed a partial rewrite.

A few functions were not present in jessie. After a risk analysis I chose to open-code them, given their small size.

I have released ELA-999-1


I backported CVE-2023-43040 from buster. The other CVEs either do not apply or had patches that were too intrusive
to port. This patch was hard to port due to code reorganisation and indentation/code style changes.
I released ELA-1000-1.


See zbar/LTS below. Here only CVE-2023-40889 applies.

A particular difficulty was the use of the old Mercurial upstream tree for this old version.

I released ELA-1013-1.



I backported CVE-2023-34059/CVE-2023-34058 from bullseye. The patch applies with an offset.
There were significant API changes for error logging, which needed a partial rewrite.
I released DLA-3646.


Fixed CVE-2019-13147: a DoS due to an integer overflow.
Bail out early if the NeXT audio file support would allocate more than INT_MAX/8 channels
(Closes: #931343). Diagnosis was done with valgrind.

I fixed it myself and created a patch.

The patch also tests the return value of malloc and bails out early on error.
Upstream was not responsive, but I posted the fix.

Fixed CVE-2022-24599: a memory leak caused by reading a copyright field that is not
null terminated (Closes: #1008017).
Diagnosis was done with valgrind.

I fixed it myself and created a patch.

The patch also tests the return value of malloc and bails out early on error.
Upstream was not responsive, but I posted the fix.
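As an added example (not the audiofile project's code), the two checks described for these CVEs: the early bail-out before the per-channel allocation can overflow, together with the malloc test, and a bounded copy of a copyright field that carries no terminating NUL. The struct, the function names and the BYTES_PER_CHANNEL value are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed NeXT-style header fields, as a decoder would have read them
 * from the file. The copyright field carries no terminating NUL. */
struct next_header {
    uint32_t channel_count;
    const char *copyright;
    size_t copyright_len;
};

/* CVE-2019-13147 shape: the decoder allocates a fixed BYTES_PER_CHANNEL per
 * channel (hypothetical value). Computing channel_count * 8 in int wraps
 * once channel_count exceeds INT_MAX/8, so bail out early, as the fix in
 * the report does, and also test the malloc return. */
#define BYTES_PER_CHANNEL 8

void *alloc_channel_buffers(uint32_t channel_count)
{
    if (channel_count == 0 ||
        channel_count > (uint32_t)(INT_MAX / BYTES_PER_CHANNEL))
        return NULL;                  /* refuse instead of overflowing */
    size_t bytes = (size_t)channel_count * BYTES_PER_CHANNEL;
    void *p = malloc(bytes);
    if (p == NULL)
        return NULL;                  /* allocation failure is an error, not a crash */
    memset(p, 0, bytes);
    return p;
}

/* CVE-2022-24599 shape: copy a copyright field that is not NUL terminated.
 * Only `len` bytes may be read; the copy is always terminated. Returns a
 * heap string the caller frees, or NULL on allocation failure. */
char *copy_copyright(const char *field, size_t len)
{
    size_t n = 0;
    while (n < len && field[n] != '\0')   /* bounded scan, never past len */
        n++;
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, field, n);
    s[n] = '\0';
    return s;
}
```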

I have released DLA-3650-1


I found the upstream fix for CVE-2022-46175.
The upstream changes were massive, so a backport was not possible;
I therefore created a patch and a test suite.

I released DLA-3665-1.


Stefano investigated how many packages in Debian (typically Debian-native packages) recorded versions in their packaging metadata
(egg-info directories) that weren't valid PEP-440 Python versions. pip is starting to enforce that all versions on the system are valid. Reportbug
was affected. I made the last three packages PEP-440 compliant and released three DLAs.


I fixed a stack overflow and a heap overflow. Upstream was not responsive and the existing patches were not suitable for inclusion in a library (they abort instead of returning a failure code).
CVE-2023-40889 was easier to fix, by avoiding looping over the index. CVE-2023-40890, however, was harder.

The zbar code is uncommented and the original author does not answer. The bug lies in the databar component, where a lookup function read data out of bounds of a static array of size 22.
The reason for this size was undocumented, and because the size was hardcoded as the integer 22 instead of a macro, it was impossible to know the reason for it.

At this stage two hypotheses could be formulated:
- the array was too small and the bug could be solved by increasing its size;
- the array was indexed by unvalidated input data and thus went out of bounds.

Due to the lack of documentation in both code comments and commits, I resorted to a slower but safer approach: reading the DataBar standard, along with a few books about barcodes
borrowed from my local library. After a few hours of reading, I found that the constant 22 corresponds to the number of so-called segments defined by the standard, and is thus a characteristic of the DataBar code.
The out-of-bounds read was therefore due to insufficient validation of the input data, and the symbol read should be considered incorrect.

I therefore patched the code to return a NONE symbol.
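An added example, not zbar's code, of the shape of the fix described above: the bare 22 becomes a named constant recording that it is the standard's segment count, and a lookup index outside that range yields a NONE-style result that the decoder propagates, instead of an out-of-bounds read or an abort. DATABAR_SEGMENTS, SYMBOL_NONE, the table contents and the function names are assumptions.

```c
#include <stddef.h>

/* The bare integer 22 the report found undocumented: the number of segments
 * the GS1 DataBar standard defines. Naming it records why it is 22. */
#define DATABAR_SEGMENTS 22

/* Result used when the symbol cannot be valid. A library must return this
 * to its caller rather than abort, which is why the existing upstream
 * patches were not suitable. The name is hypothetical, not zbar's. */
#define SYMBOL_NONE (-1)

/* Constructed per-segment table (values are illustrative, not zbar's). */
static const int segment_table[DATABAR_SEGMENTS] = {
     1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11,
    12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
};

/* Vulnerable shape: the index derived from the decoded bar widths is used
 * directly, so a misread symbol reads past the 22-entry array. */
int lookup_segment_unchecked(int idx)
{
    return segment_table[idx];
}

/* Hardened shape: an index outside the standard's segment range means the
 * symbol was misread, so report SYMBOL_NONE instead of touching memory. */
int lookup_segment(int idx)
{
    if (idx < 0 || idx >= DATABAR_SEGMENTS)
        return SYMBOL_NONE;
    return segment_table[idx];
}

/* Decoder side: stop at the first invalid segment and hand the failure
 * code back to the caller, as the report's fix does with a NONE symbol. */
int decode_segments(const int *indices, size_t n, int *out)
{
    for (size_t i = 0; i < n; i++) {
        int v = lookup_segment(indices[i]);
        if (v == SYMBOL_NONE)
            return SYMBOL_NONE;
        out[i] = v;
    }
    return 0;
}
```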

Unfortunately I could not reproduce the test case: the original bug report does not include a PoC. I tried to find the original reporter and guessed
it was a university project from Washington University in St. Louis. The e-mail address of the project leader bounced, but I managed to get the address of the leader of the university team,
and after a few exchanges of e-mail I got the PoC. A special thanks to Washington University in St. Louis for their professionalism.

Testing showed that the CVEs were closed.

I released a DLA.

Other tasks

I also participated in the (E)LTS meeting and improved the team's internal documentation.
I also helped others on IRC.

I tested the staging extended tree for Helmut.

A special thanks to Washington University in St. Louis.

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors