Refining security support for apt

To: security@debian.org, security@ubuntu.com, deity@lists.debian.org
Subject: Refining security support for apt
From: Julian Andres Klode <jak@debian.org>
Date: Tue, 5 Jan 2021 16:59:44 +0100
Message-id: <[🔎] 20210105164648.GA575512@debian.org>
Mail-followup-to: security@debian.org, security@ubuntu.com, deity@lists.debian.org

Hi security@d.o, security@u.c, and deity followers,

with the recent vulnerabilities we have realized that we can't really
protect former apt_inst against all sorts of untrusted archives, like
compression bombs.

Like we fixed file descriptor leaks in python-apt to avoid services
using it on broken deb files to not run out of fds. Yet, you can just
pass them a 1TB tarball of all zeroes and you have a DoS anyway.

Hence I think that going forward, it's best to say that we will not
offer security updates for such denial of service cases resulting from
untrusted input, but will continue to offer updates for things that
causes invalid memory accesses, such as buffer overflows.

Updates like the file descriptor one, or the changes to protect against
long file names / link names in the past update will instead be provided as
stable release, unless they accompany another security update.

Thanks,

Julian
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

Reply to:

Follow-Ups:
- Re: Refining security support for apt
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Bug#979321: Please use '=' instead of '#' for progress bars
Next by Date: Re: Refining security support for apt
Previous by thread: Bug#979321: Please use '=' instead of '#' for progress bars
Next by thread: Re: Refining security support for apt
Index(es):
- Date
- Thread