
Re: CVE-2021-4034 in testing seems to be fixed but showed as vulnerable



Hi,

On Thu, Jan 27, 2022 at 11:03:44PM +0900, Hideki Yamane wrote:
> Hi Salvatore,
> 
> On Thu, 27 Jan 2022 14:42:21 +0100
> Salvatore Bonaccorso <carnil@debian.org> wrote:
> > >  policykit-1 in testing is noted as vulnerable but its version
> > >  0.105-31.1~deb12u1 fixed CVE-2021-4034.
> > > 
> > >  Will the data in security-tracker be updated automatically?
> > 
> > I'm aware of that, but I have not added a fixed version explicitly for
> > testing, as this was not meant to be done this way. 0.105-31.1~deb12u1
> > was only uploaded to bookworm directly as the unstable->testing
> > migration had to be stopped due to #1004272 due to the urgency of
> > CVE-2021-4034.
> 
>  So, you mean that 0.105-31.1~deb12u1 is a temporary solution and the fix
>  should be delivered the usual proper way, right?

Yes, I meant the upload of 0.105-31.1~deb12u1 was a temporary solution
as packages in unstable were stopped from migrating.

policykit-1 in unstable fixes the issue as well, but got built with
the broken binutils. It has in the meantime been binNMU'ed as well,
after #1004272 was fixed.

>  And some people say "testing is vulnerable as security-tracker says"
>  - but I want to confirm that it's not.

Yes, this is correct. testing contains the fix for CVE-2021-4034 with
0.105-31.1~deb12u1, but it will soonish be superseded by the proper
0.105-31.1 (at which point the security-tracker will show it
correctly; we might add a temporary override if it confuses too many
people).

>  You've pointed to #1004272 as "binutils: missing RELRO header", does it
>  affect policykit-1? (or maybe affects more widely?)
>  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004272

policykit-1 is not the only one affected by the binutils issue; some
packages got built with the broken version. TTBOMK Adrian Bunk
identified the broken ones and had binNMUs scheduled for them
accordingly with the fixed binutils version.

Hope this helps!

Regards,
Salvatore

p.s.: btw, apologies, my initial mail was sent in too much of a hurry, and
      so was badly formulated and hard to understand. Hope the above is
      more clarifying now.
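Why the tracker can show testing as vulnerable even though 0.105-31.1~deb12u1 carries the fix comes down to Debian version ordering: a tilde sorts before everything, including the end of the string, so 0.105-31.1~deb12u1 compares lower than 0.105-31.1. The Python below is an added example, not code from this thread or from the security-tracker; it reimplements dpkg's comparison algorithm (deb-version(7), verrevcmp() in dpkg) and a hypothetical tracker_status() helper that mimics a plain version-threshold check. That the tracker's recorded fixed version for this issue is 0.105-31.1 is an assumption the mail implies but does not state outright.

```python
"""Debian version ordering, reimplemented from dpkg's verrevcmp() for illustration."""


def _order(c: str) -> int:
    """Weight of one character in a non-digit run (dpkg's order()).

    "" stands for end of string. A tilde sorts before everything, even the
    end of the string, which is exactly why 0.105-31.1~deb12u1 < 0.105-31.1.
    """
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256  # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with _order(). A digit
        # or the end of the string counts as "" (weight 0) here.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            oa, ob = _order(ca), _order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1
            j += 1
        # Digit run: compare numerically (leading zeros are irrelevant).
        sa, sb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        da, db = int(a[sa:i] or "0"), int(b[sb:j] or "0")
        if da != db:
            return -1 if da < db else 1
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision is ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def tracker_status(installed: str, fixed: str) -> str:
    """Hypothetical threshold check: 'fixed' iff installed >= the recorded fixed version."""
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    # 0.105-31.1~deb12u1 carries the fix, but a plain threshold against
    # 0.105-31.1 (assumed to be the recorded fixed version) still says "vulnerable".
    print(tracker_status("0.105-31.1~deb12u1", "0.105-31.1"))
    print(tracker_status("0.105-31.1", "0.105-31.1"))
```

On a Debian system the same ordering can be confirmed with `dpkg --compare-versions 0.105-31.1~deb12u1 lt 0.105-31.1; echo $?` (exit status 0 means the relation holds), which is why a backport-style ~debNuM version needs an explicit per-suite fixed version or an override in the tracker rather than a threshold check.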

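#1004272 is about binutils producing binaries without the GNU_RELRO program header, and the mail notes that packages other than policykit-1 were rebuilt because of it. The usual check is `readelf -lW <binary> | grep GNU_RELRO`; the Python below is an added example (not from this thread or from any Debian tooling) that performs the same check by parsing the ELF program header table directly, for ELF32 and ELF64 in either byte order, and includes a constructed minimal ELF64 image so it can be exercised offline. The script name and the idea of pointing it at installed binaries such as pkexec are assumptions for illustration.

```python
import struct
import sys

PT_GNU_RELRO = 0x6474E552  # p_type of the GNU_RELRO segment


def program_header_types(data: bytes) -> list:
    """Return the p_type of every program header (ELF32 or ELF64, either byte order)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)       # EI_DATA: 1 = little endian, 2 = big endian
    if end is None:
        raise ValueError("unknown ELF data encoding %d" % ei_data)
    if ei_class == 2:                         # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    elif ei_class == 1:                       # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    # p_type is the first 32-bit field of a program header in both classes.
    return [struct.unpack_from(end + "I", data, e_phoff + k * e_phentsize)[0]
            for k in range(e_phnum)]


def has_gnu_relro(data: bytes) -> bool:
    """True if the image carries a GNU_RELRO segment (listed as GNU_RELRO by readelf -l)."""
    return PT_GNU_RELRO in program_header_types(data)


def build_elf64(p_types) -> bytes:
    """Constructed test image: a little-endian ELF64 header followed only by a
    program header table with the given p_type values. Not a loadable binary."""
    phoff, phentsize = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LE, EV_CURRENT, SYSV ABI
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        3, 62, 1,                                 # ET_DYN, EM_X86_64, EV_CURRENT
        0, phoff, 0, 0,                           # e_entry, e_phoff, e_shoff, e_flags
        64, phentsize, len(p_types), 64, 0, 0,    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return ehdr + phdrs


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 relro_check.py /usr/bin/pkexec ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        verdict = "GNU_RELRO present" if has_gnu_relro(data) else "GNU_RELRO MISSING"
        print("%s: %s" % (path, verdict))
```

The presence of the GNU_RELRO segment only tells you the linker emitted the header (the defect #1004272 describes); whether the relocations are actually bound at load time (full RELRO) additionally depends on the BIND_NOW dynamic flag, which this check does not inspect.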
