
Re: Testing needed for binutils security update



On 2014-12-26 16:02, Luciano Bello wrote:
On Tuesday 23 December 2014 13.30.22 Alexander Cherepanov wrote:
CVEs were assigned only to a small number of issues so far and I'm not
sure it's worth it to fix them without fixing others.

That's true, but we have to draw the line somewhere. The bigger the patches to
backport, the easier to introduce regressions.

I suggest to patch in this DSA those issues with a CVE id. We can later release
a new DSA with the next batch of patches.

Sure, whatever is more convenient for you.

Or did you fix
others too? You can find more issues and fixes in two upstream bugs:

https://sourceware.org/bugzilla/show_bug.cgi?id=17512
https://sourceware.org/bugzilla/show_bug.cgi?id=17531

and the process is not over, new issues are still being found and fixed.

The suggested package for this DSA fixes some of the PoC in these issues.

I guess these are exactly the issues CVEs were assigned for.

Sorry if it's not easy to track. I'd like to make it easier for Debian.
Any feedback on the process is welcome.

Indeed, it is not easy to track, but I don't know how to improve that.

If you (or others) get any ideas please let me know. I hope to fuzz more programs in the future and I'm afraid it will be something similar.

It could be great to distinguish those critical crashes for security from those
less critical. I understand this might be complicated, tho.

There are some easy to implement ideas, e.g. to filter out non-security issues like null derefs.

Would it be useful to sort issues with the help of the "exploitable" GDB extension:
https://github.com/jfoote/exploitable
?

BTW, the situation with elfutils is somewhat similar, the bug report is
here:
https://bugzilla.redhat.com/show_bug.cgi?id=1170810

I'm reporting this issue to our elfutils maintainer to keep track of it.

Thanks!

Do
you know if there is a plan to get CVE id for this/these issue/s?

Probably we need to at least match fixes with samples before requesting CVEs. I've written some thoughts here: https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004504.html . Feel free to comment.

--
Alexander Cherepanov

