I've worked during March 2024 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and sponsors [2] for providing this opportunity!

ELTS and LTS:

nss (DLA 3757-1, ELA-1054-1)
============================

Completed testing on nss and uploaded the package to LTS and ELTS, fixing CVE-2024-0743, CVE-2023-5388 and, in ELTS, additionally CVE-2023-4421.

(This is a continuation of February's work, repeating myself for context:) nss currently has three (buster) and four (jessie, stretch) open vulnerabilities. Some of the patches were easy to backport, but there were challenges with CVE-2023-5388 and CVE-2023-6135.

For the first one, at the beginning of my work there was no patch publicly available, albeit some commercial distribution had claimed that they had fixed it already; however, I couldn't find the patch. MAYBE that's because they've recently restricted access to their source code to their customers only. At least I couldn't find it. However, after asking the LTS team, someone from the team pointed me to patches from AWS and Rocky Linux, and only a few days later upstream committed a patch to their repository (which was a bit different from the patch found earlier).

The second one, CVE-2023-6135, is a side-channel attack nicknamed "Minerva". The security tracker lists two relevant patches and they are partially backportable, except on the parts where the buster code seems not to have the NIST curves, at least not in the files the upstream patch is patching. I've adopted the upstream patches, but I was too unsure about which bits of those patches are actually required for buster, so I've decided not to apply the patch and keep the CVE unhandled, and reached out to upstream to obtain further information about the vulnerability. Upstream suggested deferring this CVE for now, as they plan to prepare patches for one of their LTS versions and it will make more sense to use those for backporting to (E)LTS.
expat (WIP)
===========

Most of the time I've worked on expat this month, to tackle CVE-2023-52425, CVE-2023-52426 and CVE-2023-52427. As expat is a very widely used package, one needs to be extra careful when tackling stuff there. Fortunately I found that there is an upstream test suite available in the package. However, it was not enabled, and when trying to enable it the test suite failed to compile, so I spent some time to fix and re-enable the test suite and resolve the compilation issue.

Then it was time to backport the first one, CVE-2023-52425. The patch is quite large, and after completing the backport the test suite was not really happy, with several tests failing. After some debugging I've decided to split the patch into its constituent upstream commits and iterate towards a solution, to isolate the commits where the test suite starts failing. This allowed me to debug the problems and identify some other extra required upstream changes to the library and test suite. In the end the test suite was happy, and the debugging helped to show that the patch for the CVE basically uncovered some bugs in the old test code.

The other CVEs have been triaged and found to be not affecting/actionable for the LTS and ELTS packages: CVE-2023-52426 is fixing a billion laughs attack when the library is compiled without XML_DTD defined, which is not the case for Debian. (For the other case it is CVE-2013-0340; however, this vulnerability won't be backported due to the risk of regression due to the size, complexity, and new APIs. Expat provides an API to mitigate expansion attacks, so this is ultimately under control of the app using Expat.) CVE-2023-52427 is not applicable for the LTS/ELTS packages as well: it is actually a limitation/bug of a function of the original CVE-2013-0340 mitigation heuristic, and as we don't have that code…

I'm currently finishing testing and will upload the package likely this weekend if the testing is successful.
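The report notes that Expat leaves entity-expansion limits to the application. As an added illustration (not the author's code and not Expat's own API), here is an application-side budget check built on Python's xml.parsers.expat binding: it sizes every internal general entity from the declared replacement texts and rejects the document before the body is parsed. The two sample documents and the 32-character budget are constructed for the demo.

```python
import re
import xml.parsers.expat

# General entity reference such as &a; (expat already resolves char refs like &#65;).
ENT_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")

# Constructed sample documents, not from the report. In NESTED each level holds four
# references to the previous one, so &c; expands to 4*4*4 = 64 characters.
BENIGN = b"""<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY co "Example Corp"> ]>
<r>&co; and &co;</r>"""
NESTED = b"""<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY a "xxxx"> <!ENTITY b "&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;"> ]>
<r>&c;</r>"""

class ExpansionLimitExceeded(Exception):
    """Raised at the end of the DOCTYPE, before any body content is expanded."""

def expanded_size(name, ents, stack=()):
    """Fully expanded size of internal entity `name`, from declared text alone."""
    if name in stack:
        raise ExpansionLimitExceeded(f"recursive entity &{name};")
    value = ents.get(name)
    if value is None:  # undeclared or external entity: leave that to expat
        return 0
    size, last = 0, 0
    for m in ENT_REF.finditer(value):
        size += m.start() - last + expanded_size(m.group(1), ents, stack + (name,))
        last = m.end()
    return size + len(value) - last

def parse_with_entity_budget(doc, max_entity_size=32):
    """Parse `doc` with expat, rejecting it if any internal general entity would expand
    beyond `max_entity_size` (illustrative budget). Returns (text, largest expansion)."""
    p = xml.parsers.expat.ParserCreate()
    ents, text, largest = {}, [], [0]
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:  # internal general entities only
            ents[name] = value
    def on_end_doctype():  # runs before the first element, so nothing has expanded yet
        for name in ents:
            size = expanded_size(name, ents)
            largest[0] = max(largest[0], size)
            if size > max_entity_size:
                raise ExpansionLimitExceeded(f"&{name}; expands to {size} chars")
    p.EntityDeclHandler = on_entity_decl
    p.EndDoctypeDeclHandler = on_end_doctype
    p.CharacterDataHandler = text.append
    p.Parse(doc, True)  # a handler exception propagates out of Parse()
    return "".join(text), largest[0]
```

Expat 2.4.0 and later also offer a native limit via XML_SetBillionLaughsAttackProtectionMaximumAmplification() and XML_SetBillionLaughsAttackProtectionActivationThreshold(), which act on the measured amplification ratio rather than a per-entity budget.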
[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- 
tobi