I've worked during November 2023 on the below listed packages, for Freexian LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

ELTS:
====

python3.5
---------------

Following the previous month's work, I have finalized the fix of the test suite by regenerating the certificate (the lack of documentation, or even of a commit message description of how to do it, rendered this step a little bit slow).

I have tested and ported the CVE fixes to python3.5.

I have also opened a Debian bug about recommending netbase for python3, #1055172, following an autopkgtest suite failure. This one was fixed in unstable.

Finally I have released ELA-997-1.

batik
-------

I have followed the buster fix for CVE-2020-11987, CVE-2022-38398, CVE-2022-38648, CVE-2022-40146, CVE-2022-44729, CVE-2022-44730. The backport was not too difficult, but the patch does not apply cleanly, so special attention was needed.

I have released ELA-998-1.

open-vmtools
--------------------

CVE-2023-34058 does not apply to jessie (the vulnerable component was introduced later).

Backport from buster of CVE-2023-34059/CVE-2023-34058. The patch does apply cleanly. Some states (the algorithm was coded as a state machine) have changed and part of it does not apply (some parts concern wayland support introduced later), so patching needed a partial rewrite. A few functions were not present in jessie. After a risk analysis, I chose to open code them due to their small size.

I have released ELA-999-1.

ceph
--------

Backport of CVE-2023-43040 from buster. The other CVEs do not apply, or their patches were too intrusive to port. This patch was hard to port due to some code reorganisation and indentation/code style changes.

Release ELA-1000-1.

zbar
------

See zbar/LTS below. Here only CVE-2023-40889 applies. A special difficulty included the use of the old mercurial upstream tree for this old version.

I have released ELA-1013-1.

LTS
===

open-vmtools
---------------------

I have backported CVE-2023-34059/CVE-2023-34058 from bullseye. The patch applies with offset. Significant API changes for logging errors. Needed a partial rewrite.

I have released DLA-3646.

audiofile
-------------

Fix CVE-2019-13147: fix a DoS due to an integer overflow. Bail out early if NeXT audiofile support allocates more than INT_MAX/8 channels (Closes: #931343). Diagnostic was done with valgrind. Fixed it myself and created a patch. Also test the return of malloc and bail out early in case of error. Upstream was not responsive, but I posted the fix.

Fix CVE-2022-24599: fix a memory leak caused by reading a non null-terminated copyright field (Closes: #1008017). Diagnostic was done with valgrind. Fixed it myself and created a patch. Also test the return of malloc and bail out early in case of error. Upstream was not responsive, but I posted the fix.

I have released DLA-3650-1.

node-json5
----------------

Found the fix from upstream for CVE-2022-46175. Massive change from upstream, thus a backport was not possible. I have thus created a patch and a test suite.

I have released DLA-3665-1.

reportbug/python-requestbuilder/postgresql-multicorn
---------------------------------------------------------------------------------

Stefano investigated how many packages in Debian (typically Debian-native packages) recorded versions in their packaging metadata (egg-info directories) that weren't valid PEP-440 Python versions. pip is starting to enforce that all versions on the system are valid. Reportbug was affected. I rendered the last three packages PEP-440 compliant and released three DLAs.

zbar
------

I have fixed a stack and heap overflow attack. Upstream was not responsive and the existing patches were not suitable for inclusion in a library (abort instead of returning a failure code).

CVE-2023-40889 was easier to fix by avoiding looping over the index. However CVE-2023-40890 was harder. The zbar code is uncommented and the original author does not answer. The bug lies in the databar component, where a lookup function read data out of bounds of a static array of size 22. The reason for this size was undocumented, and because the size was hardcoded as the integer 22 instead of a macro, it was impossible to know the reason for this size. At this stage two hypotheses could be formulated:

- the array was too small and the bug could be solved by increasing the size
- the array was indexed by non-validated input data and thus went out of bounds.

Due to the lack of documentation both in code comments and commits, I resorted to a slow but safer approach: reading the databar standard with a few books about barcodes borrowed from my local library. After a few hours of reading, I found that the 22 constant corresponds to a number of so-called segments in the standard and thus is a characteristic of the databar code. The out-of-bounds read was thus due to insufficient validation of input data, and we should consider that the read symbol was incorrect. Thus I patched the code in order to return a NONE symbol.

Unfortunately I could not reproduce the test case. The original bug report does not include a PoC. I tried to find the original reporter and guessed it was a university project from Washington University in St. Louis. The mail address of the project leader bounced, but I managed to get the mail of the leader of the university team, and after a few mail exchanges I got the PoC. A special thanks to Washington University in St. Louis for their professionalism. Testing shows that the CVEs were closed.

I have released a DLA.

Other tasks
=========

I have also participated in (E)LTS meetings and improved the internal documentation of the team. I have also helped others on IRC. I tested the staging extended tree for helmut.

A special thanks to Washington University in St. Louis.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
rouca
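The two fix patterns the report describes, the zbar databar lookup guarded by validating the segment index against a named constant (returning a NONE symbol instead of aborting, since this is library code) and the audiofile channel-count guard against integer overflow with a checked malloc, as an added illustration that is not zbar's or audiofile's own code; the table values, the 8-bytes-per-channel factor and the SYMBOL_NONE sentinel are constructed assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
/* Constructed illustration; not zbar's or audiofile's own code. */

/* Named constant for the 22 segments the databar standard defines
 * (the report found that the bare literal 22 had this meaning). */
#define DATABAR_SEGMENTS 22
/* Hypothetical sentinel: the scanned symbol is rejected, not decoded. */
#define SYMBOL_NONE (-1)

/* Constructed per-segment table; the values are arbitrary sample data. */
static const int segment_value[DATABAR_SEGMENTS] = {
     3,  5,  7, 11, 13, 17, 19, 23, 29, 31, 37,
    41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83
};

/* Validate the index before it reaches the static array; a library
 * must return a failure code here rather than call abort(). */
int databar_lookup(int idx)
{
    if (idx < 0 || idx >= DATABAR_SEGMENTS)
        return SYMBOL_NONE;
    return segment_value[idx];
}

/* Decode a run of untrusted segment indices; any invalid index marks
 * the whole symbol as NONE instead of reading out of bounds. */
int databar_decode(const int *idx, size_t n)
{
    int sum = 0;
    if (n == 0 || n > DATABAR_SEGMENTS)
        return SYMBOL_NONE;
    for (size_t i = 0; i < n; i++) {
        int v = databar_lookup(idx[i]);
        if (v == SYMBOL_NONE)
            return SYMBOL_NONE;
        sum += v;
    }
    return sum;
}

/* Audiofile-style guard: assumed 8 bytes per channel, so the count is
 * capped at INT_MAX/8 before the multiplication; malloc is checked. */
#define BYTES_PER_CHANNEL 8
void *alloc_channels(long nchannels)
{
    if (nchannels < 1 || nchannels > INT_MAX / BYTES_PER_CHANNEL)
        return NULL;            /* bail out early: overflow or nonsense */
    return malloc((size_t)nchannels * BYTES_PER_CHANNEL); /* NULL on failure */
}
```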