
Bug#601181: unblock: openscenegraph-2.4.0-1.1+lenny1 (was: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds)



Alberto Luaces writes:

> Moritz Muehlenhoff writes:
>
>> On Sun, Nov 07, 2010 at 10:20:50PM +0100, Alberto Luaces wrote:
>>> Moritz Muehlenhoff writes:
>>> 
>>> > In gmane.linux.debian.devel.release, you wrote:
>>> >> Hello,
>>> >>
>>> >> recently a bug has been reported for the lenny version of the
>>> >> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
>>> >> package includes an embedded, vulnerable copy of the lib3ds library:
>>> >>
>>> >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>>> >>
>>> >> The security team said that our proposed update did not warrant a
>>> >> security update, and that we should make a stable release instead.
>>> >>
>>> >> The Debian Developers of this package and I now have available a new
>>> >> version of the package which removes the embedded copy and makes the
>>> >> compilation process link the generated libraries against Debian system's
>>> >> lib3ds version. I'm attaching the diff in this mail for you to
>>> >> inspect. I wonder if the `high' priority that I have given to this
>>> >> release is fine or not.
>>> >
>>> > That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet, it
>>> > would need to be updated along.
>>> 
>>> Yes, that was my intention. It seemed sensible to me to pull the
>>> insecure code out of openscenegraph and make it depend on the new lib3ds
>>> version. I thought that since lenny and squeeze versions of lib3ds are
>>> compatible, the latter could be backported in short by the security
>>> team.
>>> 
>>> What do you think? Should I wait for lenny's lib3ds to get fixed or
>>> could we start updating openscenegraph to use the external library?
>>
>> lib3ds also has been labeled as not warranting a DSA, so it won't be
>> updated by the Security Team (we're barely keeping up with regular
>> DSAs currently). Since it's orphaned it's unlikely to be updated in
>> stable soon. Fixing it should be straight-forward, though. The patch
>> from my 1.3.0-5 NMU in unstable can be applied straight-away for Lenny.
>
> If that could be possible it would be great. In that case, I have
> attached the debdiff that Adam asked for. Otherwise we would have to
> remove 3DS support in openscenegraph, maybe breaking some end user
> program.
>
> Another possibility could be to fix the embedded lib3ds in
> openscenegraph, just following the error description in the CVE.

I have finally come across this and made a release patching
openscenegraph in the same way as it is done in lib3ds for
Squeeze. Please unblock.

diff -u openscenegraph-2.4.0/debian/changelog openscenegraph-2.4.0/debian/changelog
--- openscenegraph-2.4.0/debian/changelog
+++ openscenegraph-2.4.0/debian/changelog
@@ -1,3 +1,11 @@
+openscenegraph (2.4.0-1.1+lenny1) stable; urgency=high
+
+  * A vulnerability (CVE-2010-0280) was detected in OSG's embedded copy of
+    lib3ds. Applying the same patch for lib3ds in Squeeze, since there are
+    few chances for lib3ds to get updated in Lenny (Closes: #601181).
+
+ -- Alberto Luaces <aluaces@udc.es>  Thu, 11 Nov 2010 10:08:03 +0100
+
 openscenegraph (2.4.0-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -u openscenegraph-2.4.0/debian/patches/00list openscenegraph-2.4.0/debian/patches/00list
--- openscenegraph-2.4.0/debian/patches/00list
+++ openscenegraph-2.4.0/debian/patches/00list
@@ -3,0 +4 @@
+lib3ds_vulnerability.dpatch
only in patch2:
unchanged:
--- openscenegraph-2.4.0.orig/debian/patches/lib3ds_vulnerability.dpatch
+++ openscenegraph-2.4.0/debian/patches/lib3ds_vulnerability.dpatch
@@ -0,0 +1,24 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## lib3ds_vulnerability.dpatch by  <aluaces@udc.es>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' openscenegraph-2.4.0~/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp openscenegraph-2.4.0/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp
+--- openscenegraph-2.4.0~/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp	2006-08-21 17:07:31.000000000 +0200
++++ openscenegraph-2.4.0/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp	2010-11-11 09:59:08.000000000 +0100
+@@ -93,8 +93,11 @@
+             faces=lib3ds_word_read(f);
+             for (i=0; i<faces; ++i) {
+               index=lib3ds_word_read(f);
+-              ASSERT(index<mesh->faces);
+-              strcpy(mesh->faceL[index].material, name);
++              if (index<mesh->faces) {
++                strncpy(mesh->faceL[index].material, name, 64);
++              } else {
++                // TODO warning
++              }
+             }
+           }
+           break;
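Review bot: `strncpy(mesh->faceL[index].material, name, 64)` in the replaced lines does not NUL-terminate the destination when `name` is 64 characters or longer, so a later read of `material` as a C string can run past the end of the array; bound the copy with the array's own size (`sizeof mesh->faceL[index].material`), copy at most one byte less than that, and write the terminating `'\0'` explicitly. The `else` branch that now reads only `// TODO warning` silently discards an out-of-range face index; at minimum emit a warning through the plugin's notification facility so a malformed or truncated 3DS file is visible to the user rather than loaded as if it were valid. Finally, `## DP: No description.` in the dpatch header should state what the patch does (the bounds check on the material face index for CVE-2010-0280 named in the changelog) so the purpose travels with the patch file.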


Regards,

Alberto

