
Re: Debian ships very old software (rplay, paps)



On Fri, Oct 31, 2025 at 12:04 PM Nicolas George <george@nsup.org> wrote:
>
> Vincent Lefevre (HE12025-10-31):
> > You would have seen that there is potential denial of service
> > (process crashes).
>
> At worst, true. It is a mistake to lump denials of service together with
> real security flaws. For starters, it is possible to deny service by the
> virtue of being bigger than the target, without any flaw in the target.

I think they are two different attack vectors.  A DDoS is different
from a crash.  Both affect Availability (re: CIA), but the
remediations are different.  For DDoS, you often get the upstream
network provider to provide protections and filtering.  For a crash,
you have to fix the code.

> > Worse, Fabio Degrigis could trigger a SIGSEGV on a memcpy:
> >
> >   https://www.openwall.com/lists/oss-security/2025/10/18/4
> >
> > which would mean a bad pointer or buffer overflow.
>
> → a crash.

The thing about a crash (or a call to abort(), a SIGABRT or a SIGSEGV)
is that it can corrupt state.  So your database (or other persistent
data) could become corrupt.  That's an attack on Integrity (re: CIA).

> > > Almost all software runs on Windows or macOS. So what?
> > Here we're on Debian.
>
> You have not answered: so what if most software does something? Is it
> supposed to imply that it is a good thing?
>
> > This is silly.
>
> Absolutely not. In terms of security and stability, there is no
> difference between a package that you have not installed because you
> have chosen not to install it and a package that you have not installed
> because it is not available.

Jeff
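To illustrate the Integrity point made above (a process killed mid-write can leave persistent data torn), here is an added example that is not code from this thread: a constructed state file is updated once in place and once via write-to-temp, fsync and rename, with a raised exception standing in for the SIGSEGV/SIGABRT.

```python
import os
import tempfile


class SimulatedCrash(Exception):
    """Stands in for a SIGSEGV or SIGABRT killing the process mid-write."""


def unsafe_update(path, new_data, crash_after=None):
    """Overwrite in place, chunk by chunk: dying part-way leaves the file
    truncated or half-written (the Integrity impact described above)."""
    with open(path, "wb") as f:  # truncates the old content immediately
        for i in range(0, len(new_data), 4):
            if crash_after is not None and i >= crash_after:
                raise SimulatedCrash()
            f.write(new_data[i:i + 4])


def atomic_update(path, new_data, crash_after=None):
    """Write to a temp file in the same directory, fsync it, then rename it
    over the original: readers see the whole old or the whole new content."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as f:
            for i in range(0, len(new_data), 4):
                if crash_after is not None and i >= crash_after:
                    raise SimulatedCrash()
                f.write(new_data[i:i + 4])
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic rename on POSIX filesystems
    except BaseException:
        if os.path.exists(tmp):  # a real crash skips this; a stray temp file is harmless
            os.unlink(tmp)
        raise


def crash_midway(updater, crash_after=8, old=b"balance=100\n", new=b"balance=250\n"):
    """Run an updater on a constructed state file, 'crash' it after
    crash_after bytes (None = no crash), and return what is left on disk."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "state.txt")
        with open(path, "wb") as f:
            f.write(old)
        try:
            updater(path, new, crash_after=crash_after)
        except SimulatedCrash:
            pass
        with open(path, "rb") as f:
            return f.read()
```

The in-place variant leaves a truncated "balance=" behind, while the rename variant leaves the complete old record; only a full run of either yields the new record.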

