
Re: questioning lenny's vulnerability to CVE-2010-3301



On Mon, 20 Sep 2010 13:41:37 +0100, moog wrote:
>  >> Finally, although 2.6.35-1~experimental.3 is described as fixed, I've
>  >> now looked at the code and the LOAD_ARGS32 macro is still missing a
>  >> setting of %eax so I believe it is still vulnerable.
>  >
>  >that's a limitation of the tracker since it's based on unstable.
>  >anything greater than unstable's 2.6.32-23 will be considered fixed.
> 
> I know pretty much nothing about how the tracker works or how difficult
> it would be to change it, but if we agree that a tool such as the tracker
> is only useful insofar as the information it gives is correct, then I
> think it follows that in cases where the assertion is not based on actual
> knowledge of the presence or absence of the vulnerability, but is instead
> based on a comparison of version numbers that doesn't take into account
> the genealogy of the versions, it would be better to make no assertion
> rather than risk making an incorrect one. That way, people consulting the
> tracker will know that in those cases they need to find out that
> information some other way in order to be sure.

i agree very much with your perspective.  however, fixing this bug
is rather difficult.

the entire basis of the tracker is that once an issue is declared fixed
in unstable that it remains fixed in all future versions.  this
assumption holds as long as maintainers do not drop the security fix in
future versions in unstable (which can happen, but it is so rare that i've
never seen it).

however, with experimental since versions are greater than unstable
already without any direct relationship, this assumption doesn't always
hold (such as in this case).

i think an appropriate fix is to eliminate this assumption in the
experimental version checking, which will force a lot of experimental
info to be entered manually. however, i won't have time to look at
implementing that for a while.

if you have any interest in fixing this, you can look at the tracker
code [0].  if you have questions on getting the test server up and
running with populated data, let me know.

best wishes,
mike

[0] https://svn.debian.org/wsvn/secure-testing

