
Bug#780154: unblock: oss4/4.2-build2010-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package oss4

A security issue was filed against the usb drivers contained in the oss4
package, and was pinged again late January as #775662, but maintainers of
that part of the package didn't seem to have discussed with upstream
about it.  Considering how many issues there are in there, I tend not to
trust the module at all.  In upload oss4/4.2-build2010-2, I have thus
just disabled the usb module, see attached debdiff.

unblock oss4/4.2-build2010-2

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

-- 
Samuel
<A>  mr  -  remove the home of correct users who accidentally enter mr
<A>        instead of rm
diff -Nru oss4-4.2-build2010/debian/changelog oss4-4.2-build2010/debian/changelog
--- oss4-4.2-build2010/debian/changelog	2014-11-22 16:22:36.000000000 +0100
+++ oss4-4.2-build2010/debian/changelog	2015-03-09 20:27:33.000000000 +0100
@@ -1,3 +1,10 @@
+oss4 (4.2-build2010-2) unstable; urgency=medium
+
+  * Disable USB drivers, which insufficiently validate USB device descriptors.
+    (Closes: #775662)
+
+ -- Samuel Thibault <sthibault@debian.org>  Mon, 09 Mar 2015 20:16:31 +0100
+
 oss4 (4.2-build2010-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
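Review bot: The new 4.2-build2010-2 entry says the USB drivers are disabled but not by what mechanism. The dkms.in change that follows drops oss_usb from the DKMS module list and moves oss_sbpci to index 1; saying so in the entry would let someone reading only the changelog see that the driver source is untouched and that re-enabling means editing debian/oss4-dkms.dkms.in.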
diff -Nru oss4-4.2-build2010/debian/oss4-dkms.dkms.in oss4-4.2-build2010/debian/oss4-dkms.dkms.in
--- oss4-4.2-build2010/debian/oss4-dkms.dkms.in	2014-10-23 22:47:36.000000000 +0200
+++ oss4-4.2-build2010/debian/oss4-dkms.dkms.in	2015-03-09 20:07:55.000000000 +0100
@@ -1,7 +1,7 @@
 PACKAGE_NAME="oss4"
 PACKAGE_VERSION="_VERSION_"
 BUILT_MODULE_NAME[0]="osscore"
-BUILT_MODULE_NAME[1]="oss_usb"
+BUILT_MODULE_NAME[1]="oss_sbpci"
 BUILT_MODULE_NAME[2]="oss_sbxfi"
 BUILT_MODULE_NAME[3]="oss_via823x"
 BUILT_MODULE_NAME[4]="oss_geode"
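Review bot: At BUILT_MODULE_NAME[1], oss_sbpci takes over the slot oss_usb held, with no comment at this position; the only explanation is the comment near index 31 in the next hunk. A one-line comment here noting that oss_sbpci was moved from slot 31 to keep the array free of gaps would save the next reader from diffing against the previous upload to understand the ordering.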
@@ -31,7 +31,8 @@
 BUILT_MODULE_NAME[28]="oss_audiopci"
 BUILT_MODULE_NAME[29]="oss_ymf7xx"
 BUILT_MODULE_NAME[30]="oss_cmpci"
-BUILT_MODULE_NAME[31]="oss_sbpci"
+# This module insufficiently validates USB device descriptors, thus disabled.
+#BUILT_MODULE_NAME[31]="oss_usb"
 BUILT_MODULE_LOCATION[0]="core/"
 BUILT_MODULE_LOCATION[1]="drivers/"
 BUILT_MODULE_LOCATION[2]="drivers/"
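Review bot: The commented-out line `#BUILT_MODULE_NAME[31]="oss_usb"` reads as if oss_usb had always been entry 31, while the previous hunk shows it was entry 1. Since uncommenting the three [31] lines is the obvious way to re-enable the module, it is worth extending the comment to say that the entry was relocated to the end of the list, and to reference #775662 so the reason for the disablement stays attached to the line.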
@@ -63,7 +64,7 @@
 BUILT_MODULE_LOCATION[28]="drivers/"
 BUILT_MODULE_LOCATION[29]="drivers/"
 BUILT_MODULE_LOCATION[30]="drivers/"
-BUILT_MODULE_LOCATION[31]="drivers/"
+#BUILT_MODULE_LOCATION[31]="drivers/"
 DEST_MODULE_LOCATION[0]="/updates/dkms/"
 DEST_MODULE_LOCATION[1]="/updates/dkms/"
 DEST_MODULE_LOCATION[2]="/updates/dkms/"
@@ -95,7 +96,7 @@
 DEST_MODULE_LOCATION[28]="/updates/dkms/"
 DEST_MODULE_LOCATION[29]="/updates/dkms/"
 DEST_MODULE_LOCATION[30]="/updates/dkms/"
-DEST_MODULE_LOCATION[31]="/updates/dkms/"
+#DEST_MODULE_LOCATION[31]="/updates/dkms/"
 AUTOINSTALL=yes
 MAKE[0]="make -C ${kernel_source_dir} SUBDIRS=${dkms_tree}/${PACKAGE_NAME}/${PACKAGE_VERSION}/build/core modules && \
          make -C ${dkms_tree}/${PACKAGE_NAME}/${PACKAGE_VERSION}/build/drivers osscore_symbols.inc && \
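Review bot: MAKE[0] in the trailing context is unchanged, so this patch only removes oss_usb from the lists of modules DKMS installs, not from the build step. If the drivers build still compiles oss_usb, the object stays in the DKMS build tree. It is also not visible from these lines whether an oss_usb module installed under /updates/dkms/ by the previous version is removed on upgrade; confirming both, or excluding oss_usb at build time as well, would make the disablement complete.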
