
Re: Refining security support for apt



On Tue, Jan 05, 2021 at 04:59:44PM +0100, Julian Andres Klode wrote:
> Hi security@d.o, security@u.c, and deity followers,
> 
> with the recent vulnerabilities we have realized that we can't really
> protect former apt_inst against all sorts of untrusted archives, like
> compression bombs.
> 
> Like we fixed file descriptor leaks in python-apt to avoid services
> using it on broken deb files to not run out of fds. Yet, you can just
> pass them a 1TB tarball of all zeroes and you have a DoS anyway.
> 
> Hence I think that going forward, it's best to say that we will not
> offer security updates for such denial of service cases resulting from
> untrusted input, but will continue to offer updates for things that
> cause invalid memory accesses, such as buffer overflows.
> 
> Updates like the file descriptor one, or the changes to protect against
> long file names / link names in the past update will instead be provided as
> stable release, unless they accompany another security update.

That sounds totally reasonable; anyone parsing deb files from untrusted
sources in a server context should apply proper resource limits and
restarts on failures anyway.

Cheers,
        Moritz
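
Added example, not part of the original message or of apt itself: one way a service on Linux could apply the resource limits mentioned above, by running the parser in a child process under rlimits and treating any failure as "reject this file". The function names, the default limits and the use of `dpkg-deb --extract` as the parser are assumptions.

```python
import resource
import subprocess

MiB = 1024 * 1024


def run_limited(argv, *, cpu_s=10, mem_bytes=512 * MiB, file_bytes=64 * MiB,
                max_fds=64, wall_s=30, cwd=None):
    """Run argv in a child process under hard resource caps.

    Returns (ok, reason). A failure means "reject this input"; the calling
    service itself keeps running and can move on to the next request.
    """
    caps = (
        (resource.RLIMIT_CPU, cpu_s),         # CPU seconds before the kernel kills it
        (resource.RLIMIT_AS, mem_bytes),      # address space (memory bombs)
        (resource.RLIMIT_FSIZE, file_bytes),  # largest file the child may write
        (resource.RLIMIT_NOFILE, max_fds),    # open file descriptors
    )

    def apply_caps():
        # Runs in the child between fork() and exec().
        for res, want in caps:
            _, hard = resource.getrlimit(res)
            if hard != resource.RLIM_INFINITY:
                want = min(want, hard)  # an unprivileged process cannot raise a hard limit
            resource.setrlimit(res, (want, want))

    try:
        proc = subprocess.run(argv, preexec_fn=apply_caps, cwd=cwd,
                              stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=wall_s)
    except subprocess.TimeoutExpired:
        return False, "wall-clock timeout"  # run() has already killed the child
    if proc.returncode < 0:
        return False, f"killed by signal {-proc.returncode}"
    if proc.returncode != 0:
        return False, f"exit status {proc.returncode}"
    return True, "ok"


def extract_untrusted_deb(deb_path, dest_dir):
    # RLIMIT_FSIZE caps each extracted file, not their sum; bound the total
    # with a quota or a size-limited tmpfs for dest_dir.
    return run_limited(["dpkg-deb", "--extract", deb_path, dest_dir])
```
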

