Bug#1108338: preapproval for unblock: erlang/1:27.3.4.1+dfsg-1 or erlang/1:27.3.4+dfsg-1 with a patch
Hi Paul,
On Thu, Jun 26, 2025 at 7:51 PM Paul Gevers <elbrus@debian.org> wrote:
>
> control: tags -1 moreinfo
>
> Hi Sergei,
>
> On 26-06-2025 13:00, Sergei Golovan wrote:
> > So what would be better, to upload minimal changes which fix only
> > CVE-2025-4748, or the full 27.3.4.1?
>
>
> Can you please check our FAQ [1] and try to answer the questions listed
> in the "new upstream" section? I'll note that erlang is a key package.
Sorry, I was too brief in this bug report. Should've added more detail.
>
> As I don't know how erlang works, does it mean we need to rebuild all
> reverse dependencies for the CVE to get fixed, or is the effect
> contained in the binaries built by src:erlang? (Same for the other bug
> fixes in the new upstream version).
There is the Erlang interface library (libei.a and libei_st.a libraries shipped
in the erlang-dev package), and if it is changed, then yes, we would have
to rebuild all its reverse dependencies (e.g. guestfs, kamailio, some ejabberd
dependencies). There are no changes in the Erlang interface library in 27.3.4.1
though, so we don't have to rebuild its reverse dependencies. Other than that,
Erlang reverse dependencies should be rebuilt only if the major version of
Erlang changes (e.g. from 25 in bookworm to 27 in testing).
Here is the list of changes in Erlang 27.3.4.1 with short comments:

erlang-asn1: lib/asn1/src/asn1ct_gen_per.erl - a minuscule internal change, does not affect API

erlang-eldap: lib/eldap/src/eldap.erl - a fix of a function specification, relevant only for documentation and tools which analyze Erlang code

erlang-base: lib/kernel/src/inet.erl: Augmented documentation
             lib/kernel/src/user_drv.erl: Fix a bug when a remote shell stopped the remote node by closing its input stream (a small useful enhancement, the bug occurs rarely).

erlang-ssh: lib/ssh/src/ssh_connection.erl, lib/ssh/src/ssh_connection_handler.erl, lib/ssh/src/ssh_options.erl: These are the most intrusive changes in the whole patch. They robustify closing SSH channels; also, they fix breaking the SSH protocol when Erlang SSH clients send a double channel closing message. As far as I know, no code in Debian uses Erlang SSH, so there should not be any breakages. Also, the API has not been changed.

erlang-ssl: lib/ssl/src/ssl_gen_statem.erl, lib/ssl/src/tls_handshake_1_3.erl: A small improvement in logging.

erlang-xmerl: lib/xmerl/src/xmerl_scan.erl: fixes for function specifications.

erlang-base: lib/stdlib/src/edlin_expand.erl, lib/stdlib/src/shell.erl: A few fixes in the Erlang shell, including crashes with autocompletion.
             lib/stdlib/src/zip.erl: FINALLY, CVE-2025-4748 in extracting ZIP files.
All the changes do not alter the API or ABI, so no code should be rebuilt in order to use
this new Erlang. The changes are also quite small, so I don't expect breakage.

In my opinion, not only the fix for CVE-2025-4748, but also at least the changes in SSH are useful
enough to be included in trixie. Fixes for crashes in the Erlang shell improve usability
as well (though I never experienced them myself).
Cheers!
--
Sergei Golovan