
(E)LTS report for March 2024




During March 2024 I worked on the packages listed below for
Freexian LTS/ELTS [1].

Many thanks to Freexian and sponsors [2] for providing this opportunity!

ELTS and LTS: 

nss (DLA 3757-1, ELA-1054-1)
============================

Completed testing on nss and uploaded the package to LTS and ELTS,
fixing CVE-2024-0743 and CVE-2023-5388, and in ELTS additionally
CVE-2023-4421.

(This is a continuation of February's work, repeating myself for
context:)

nss currently has three (buster) and four (jessie, stretch) open
vulnerabilities. Some of the patches were easy to backport, but
there were challenges with CVE-2023-5388 and CVE-2023-6135.

For the first one, at the beginning of my work there was no patch
publicly available, although some commercial distribution had claimed
to have fixed it already; however, I couldn't find the patch.
Maybe that's because they've recently restricted access to their source
code to their customers only. At least I couldn't find it.

However, after asking the LTS team, someone from the team pointed me to
patches from AWS and rockylinux, and only a few days later upstream
committed a patch to their repository (which was a bit different from
the patch found earlier).

The second one, CVE-2023-6135, is a side-channel attack nicknamed
"Minerva". The security tracker lists two relevant patches and they are
partially backportable, except for the parts where the buster code seems
not to have the NIST curves, at least not in the files the upstream
patch is patching. I've adopted the upstream patches, but I was too
unsure about which bits of those patches are actually required for
buster, so I've decided not to apply the patch, to keep the CVE
unhandled, and to reach out to upstream to obtain further information
about the vulnerability. Upstream suggested deferring this CVE for now, as
they plan to prepare patches for one of their LTS versions and it will
make more sense to backport those to (E)LTS.


expat (WIP)
===========

Most of my time this month went into expat, tackling
CVE-2023-52425, CVE-2023-52426 and CVE-2023-52427.

As expat is a very widely used package, one needs to be extra careful
when tackling things there. Fortunately I found that an upstream
test suite is available in the package. However, it was not enabled, and
when I tried to enable it the test suite failed to compile, so I spent some
time fixing the compilation issue and re-enabling the test suite.

Then it was time to backport the first one, CVE-2023-52425. The patch is
quite large, and after completing the backport the test suite was
not really happy, with several tests failing. After some debugging I
decided to split the patch into its constituent upstream commits and to
iterate towards a solution, isolating the commits where the test suite
starts failing. This allowed me to debug the problems and identify
some other required upstream changes to the library and the test suite.
In the end the test suite was happy, and the debugging showed
that the patch for the CVE basically uncovered some bugs in the old test
code.

The other CVEs have been triaged and found to be not
affecting/actionable for the LTS and ELTS packages:

CVE-2023-52426 fixes a billion laughs attack when the library is
compiled without XML_DTD defined, which is not the case for Debian.
(For the other case it is CVE-2013-0340; however, this vulnerability
won't be backported due to the risk of regression caused by the
size, complexity, and new APIs. Expat provides an API to mitigate
expansion attacks, so this is ultimately under the control of the app
using Expat.)

CVE-2023-52427 is not applicable for the LTS/ELTS packages either:
it is actually a limitation/bug of a function in the original
CVE-2013-0340 mitigation heuristic, and as we don't have that code…

I'm currently finishing testing and will upload the package likely this
weekend if the testing is successful.

-- 
tobi


[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors
