
Bug#552124: marked as done (qa.debian.org: bogusly warns about security issues when fixed)



Your message dated Sat, 24 Oct 2009 13:15:01 -0500
with message-id <4ae34404.c701be0a.584c.3883@mx.google.com>
and subject line Re: Bug#552124: qa.debian.org: bogusly warns about security issues when fixed
has caused the Debian Bug report #552124,
regarding qa.debian.org: bogusly warns about security issues when fixed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
552124: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552124
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: qa.debian.org
Severity: important

Hi,

let's look at http://packages.qa.debian.org/o/openoffice.org.html. We see
at the top: "There are 5 open security issues, please fix them. "

Let's look what they are:

CVE-2009-0200	Integer underflow in OpenOffice.org (OOo) before 3.1.1 and ...

fixed in both etch-security and lenny-security (etch-backports is not relevant
anymore) and just waits to be in a point release.
Why is this listed as still needing to be fixed?

CVE-2009-0201	Heap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 and ...

fixed in both etch-security and lenny-security (etch-backports is not relevant
anymore) and just waits to be in a point release.
Why is this listed as still needing to be fixed?

CVE-2009-2139	Heap-based buffer overflow in svtools/source/filter.vcl/wmf/enhwmf.cxx ...
CVE-2009-2140	Multiple heap-based buffer overflows in ...
CVE-2009-3239	Buffer overflow in the EMF parser implementation in OpenOffice.org ...

fixed, but security-tracker buggy....

CVE-2009-3569	Stack-based buffer overflow in OpenOffice.org (OOo) allows remote ...
CVE-2009-3570	Unspecified vulnerability in OpenOffice.org (OOo) has unspecified ...
CVE-2009-3571	Unspecified vulnerability in OpenOffice.org (OOo) has unknown impact ...

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551068. Nothing to fix
there (yet).

At least the first two should not be shown!

Grüße/Regards,

Rene



--- End Message ---
--- Begin Message ---
Hi Rene,

Whenever you encounter discrepancies in the tracker (in this case, data
generated by the tracker) please address them via the proper channel (which
is not via the qa resources).
You can reach the appropriate people via IRC and/or the ML, please take a
look at http://security-tracker.debian.org/tracker/data/report
(that's right, the tracker is not only in the hands of the stable sec team)

Thanks!

Rene Engelhard wrote:
[...]
> Let's look what they are:
> 
> CVE-2009-0200 Integer underflow in OpenOffice.org (OOo) before 3.1.1 and
> CVE-2009-0201 Heap-based buffer overflow in OpenOffice.org (OOo) before
> 3.1.1 and ...
> 
> fixed in both etch-security and lenny-security (etch-backports is not
> relevant anymore) and just waits to be in a point release.
> Why is this listed as still needing to be fixed?

Because etch-backports is still marked as unfixed, but note that these are
not being counted on the number displayed by the PTS.

> 
> CVE-2009-2139 Heap-based buffer overflow in
> svtools/source/filter.vcl/wmf/enhwmf.cxx ...
> CVE-2009-2140 Multiple heap-based buffer overflows in ...

As per IRC discussion, marking 2140 as not affecting the package, and 2139
is just like the others above.


> CVE-2009-3239 Buffer overflow in the EMF parser implementation in
> OpenOffice.org ...

This seems to be a duplicate, reported to mitre.

-2140 and -3239 were still marked as to be checked. We have recently
discussed and agreed that in order to process the data faster we would
start marking CVE ids as affecting the packages we know they _may_ affect,
when there's not enough time to fully investigate the issue. The idea is
that other people, the maintainer included, help out. So, in this case it
worked, thanks.

> 
> CVE-2009-3569 Stack-based buffer overflow in OpenOffice.org (OOo) allows
> remote ...
> CVE-2009-3570 Unspecified vulnerability in OpenOffice.org (OOo) has
> unspecified ...
> CVE-2009-3571 Unspecified vulnerability in OpenOffice.org (OOo) has
> unknown impact ...
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551068. Nothing to fix
> there (yet).

For tracking purposes those are not fixed, whether more details have been
disclosed or not. Should those issues be determined as invalid they will be
changed accordingly in the tracker.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




--- End Message ---
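The reply explains the discrepancy: a CVE fixed in etch-security and lenny-security still shows as open because etch-backports is marked unfixed, yet that suite is not counted in the PTS headline number. The following is an added example, not code from the thread or from the security tracker or PTS; the status table and the status values are constructed assumptions, and only the suite and CVE names are taken from the thread.

```python
# Added example: model per-suite CVE status for one source package and show
# how the list of "open" issues and the counted number can disagree.
from typing import Dict, List, Set

# Constructed status table (an assumption, not the tracker's real data
# format): CVE id -> suite -> status.
STATUS: Dict[str, Dict[str, str]] = {
    "CVE-2009-0200": {"etch-security": "fixed", "lenny-security": "fixed",
                      "etch-backports": "unfixed"},
    "CVE-2009-0201": {"etch-security": "fixed", "lenny-security": "fixed",
                      "etch-backports": "unfixed"},
    "CVE-2009-2139": {"etch-security": "fixed", "lenny-security": "fixed",
                      "etch-backports": "unfixed"},
    "CVE-2009-2140": {"lenny": "not-affected"},
    "CVE-2009-3569": {"etch": "unfixed", "lenny": "unfixed"},
    "CVE-2009-3570": {"etch": "unfixed", "lenny": "unfixed"},
    "CVE-2009-3571": {"etch": "unfixed", "lenny": "unfixed"},
}

# Suites whose status is displayed but, per the reply, not counted by the PTS
# (assumed set; the thread only names etch-backports).
UNCOUNTED_SUITES: Set[str] = {"etch-backports"}


def listed_issues(status: Dict[str, Dict[str, str]]) -> List[str]:
    """CVEs with any suite still marked unfixed: what the page lists."""
    return sorted(cve for cve, suites in status.items()
                  if any(s == "unfixed" for s in suites.values()))


def counted_issues(status: Dict[str, Dict[str, str]],
                   uncounted: Set[str] = UNCOUNTED_SUITES) -> List[str]:
    """CVEs unfixed in a suite that counts toward the PTS number."""
    return sorted(cve for cve, suites in status.items()
                  if any(s == "unfixed" for suite, s in suites.items()
                         if suite not in uncounted))


def stale_listings(status: Dict[str, Dict[str, str]]) -> List[str]:
    """CVEs shown as open only because of an uncounted suite."""
    return sorted(set(listed_issues(status)) - set(counted_issues(status)))


if __name__ == "__main__":
    print("listed :", listed_issues(STATUS))
    print("counted:", len(counted_issues(STATUS)), counted_issues(STATUS))
    print("stale  :", stale_listings(STATUS))
```

Running it shows three CVEs listed only because of etch-backports, while the counted number covers just the three genuinely unfixed ones, which is the mismatch reported above.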
