Re: Refining security support for apt
On Tue, Jan 05, 2021 at 04:59:44PM +0100, Julian Andres Klode wrote:
> Hi security@d.o, security@u.c, and deity followers,
>
> with the recent vulnerabilities we have realized that we can't really
> protect former apt_inst against all sorts of untrusted archives, like
> compression bombs.
>
> Like we fixed file descriptor leaks in python-apt to avoid services
> using it on broken deb files to not run out of fds. Yet, you can just
> pass them a 1TB tarball of all zeroes and you have a DoS anyway.
>
> Hence I think that going forward, it's best to say that we will not
> offer security updates for such denial of service cases resulting from
> untrusted input, but will continue to offer updates for things that
> cause invalid memory accesses, such as buffer overflows.
>
> Updates like the file descriptor one, or the changes to protect against
> long file names / link names in the past update will instead be provided as
> stable release, unless they accompany another security update.

That sounds totally reasonable, anyone parsing deb files from untrusted
sources in a server context should apply proper resource limits and
restarts on failures anyway.

Cheers,
Moritz
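
The resource limits and failure handling suggested in the reply above, as an added example that is not part of the original thread and is not apt or python-apt code. The worker is a hypothetical stand-in for an archive parser, and the limit values and sample inputs are constructed.

```python
import gzip, os, resource, subprocess, sys, tempfile

# Stand-in for an archive parser (hypothetical; not apt or python-apt code):
# it unpacks a gzip stream from stdin into the file named in argv[1].
WORKER = """
import gzip, shutil, sys
with gzip.open(sys.stdin.buffer) as src, open(sys.argv[1], "wb") as dst:
    shutil.copyfileobj(src, dst)
"""

# Per-worker ceilings (constructed values; tune for the real workload).
LIMITS = {
    resource.RLIMIT_FSIZE: 1 << 20,   # largest file the worker may write
    resource.RLIMIT_CPU: 10,          # CPU seconds
    resource.RLIMIT_NOFILE: 64,       # open file descriptors
}

def _apply_limits():
    # Runs in the child between fork() and exec(); never exceeds the hard limit.
    for res, want in LIMITS.items():
        hard = resource.getrlimit(res)[1]
        cap = want if hard == resource.RLIM_INFINITY else min(want, hard)
        resource.setrlimit(res, (cap, cap))

def unpack_untrusted(blob, wall_seconds=30):
    """Unpack blob in a limited child; return (accepted, bytes_written)."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "payload")
        try:
            proc = subprocess.run([sys.executable, "-c", WORKER, out], input=blob,
                                  stderr=subprocess.DEVNULL, timeout=wall_seconds,
                                  preexec_fn=_apply_limits)
            accepted = proc.returncode == 0
        except subprocess.TimeoutExpired:
            accepted = False
        written = os.path.getsize(out) if os.path.exists(out) else 0
    return accepted, written

# Constructed inputs: a small honest stream and an 8 MiB run of zeroes.
SMALL = gzip.compress(b"control file contents\n")
BOMB = gzip.compress(bytes(8 << 20))

if __name__ == "__main__":
    for name, blob in (("small", SMALL), ("bomb", BOMB), ("small again", SMALL)):
        print(name, len(blob), unpack_untrusted(blob))
```

The oversized input only kills its own worker: the parent records a rejection and goes on to the next input, and the partial output is deleted with the temporary directory.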