Bug#1064293: less: CVE-2022-48624
Hi,

On Sat, Apr 20, 2024 at 07:54:13AM -0400, P. J. McDermott wrote:
> On 2024-04-19 at 15:55, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > FWIW, I'm actually preparing a security update for the two CVEs and
> > for bookworm I was first planning to do a 590-2.1 reaching unstable,
> > and so then 590-2.1~deb12u1 for bookworm.
> >
> > But if you want to override it with a NMU and proposing to salvage the
> > package this is equally fine.
>
> Your DELAYED/2 NMU is probably the fastest and best way to get these
> CVEs fixed in unstable and bookworm, so that's fine, thanks. Any plans
> for 551-2 in bullseye? The two patches in your NMU apply cleanly there.

Yes, both bookworm-security and bullseye-security updates are already
prepared and uploaded to security-master. I will wait for some exposure
of less in unstable with the two fixes before releasing the DSA. I have
not pushed the changes yet to the repository (will be done after the
DSA release).

I cannot comment on the salvaging of the package directly, as Milan has
responded to the bug and even acked the NMU. So I assume he is active
and you need to discuss with him on co-maintainership for less. But as
I read it, the discussion is already happening. So stopping here to
comment.

Regards,
Salvatore
Bug#1064293: less: CVE-2022-48624
On 2024-04-20 at 16:19, Christoph Anton Mitterer wrote:
> On Sat, 2024-04-20 at 07:54 -0400, P. J. McDermott wrote:
> > Then the salvage procedure can play out for the full 28+ days
> > specified by developers-reference (21 days to allow the maintainer
> > to object followed by a DELAYED/7 adoption upload). I've already
> > soft-proposed to salvage in bug #1069280 yesterday. And as
> > mentioned there I'm not yet a DD or DM, so I'd need to find a
> > sponsor (and access to debian/less.git).
>
> In the light of the recent XZ backdoor, wouldn't it generally be more
> desirable to get more co-maintainers, rather than replacing an existing
> one?

Sure, that's exactly the plan. I don't intend to remove or prevent
anyone from co-maintaining src:less. Note that my proposal to adopt,
co-maintain, or salvage (bug #1069280) said that I would keep the
current maintainer in Uploaders or Maintainer unless he requests
otherwise. My intent is not to force out the existing maintainer, but
to help where he seems to have been too busy to properly maintain
src:less for at least two years. (No shame in being busy, but it looks
like the package could use some help keeping up with new upstream
releases, security issues like these, etc.)

And the repository is already in the "debian" Salsa group (formerly
"collab-maint" on Alioth), where any DD can commit to it. Also, if I
adopt or salvage src:less, I plan to allow low-threshold NMU[1]. Other
than that, I don't know of an appropriate team for it.

[1]: https://wiki.debian.org/LowThresholdNmu

-- 
Patrick "P. J." McDermott: http://www.pehjota.net/
Lead Developer, ProteanOS: http://www.proteanos.com/
Founder and CEO, Libiquity: http://www.libiquity.com/
Bug#1064293: less: CVE-2022-48624
On Sat, 2024-04-20 at 07:54 -0400, P. J. McDermott wrote:
> Then the salvage procedure can play out for the full 28+ days
> specified by developers-reference (21 days to allow the maintainer to
> object followed by a DELAYED/7 adoption upload). I've already
> soft-proposed to salvage in bug #1069280 yesterday. And as mentioned
> there I'm not yet a DD or DM, so I'd need to find a sponsor (and
> access to debian/less.git).

In the light of the recent XZ backdoor, wouldn't it generally be more
desirable to get more co-maintainers, rather than replacing an existing
one?

Cheers,
Chris.
Bug#1064293: less: CVE-2022-48624
On 2024-04-19 at 15:55, Salvatore Bonaccorso wrote:
> Hi,
>
> FWIW, I'm actually preparing a security update for the two CVEs and
> for bookworm I was first planning to do a 590-2.1 reaching unstable,
> and so then 590-2.1~deb12u1 for bookworm.
>
> But if you want to override it with a NMU and proposing to salvage the
> package this is equally fine.

Your DELAYED/2 NMU is probably the fastest and best way to get these
CVEs fixed in unstable and bookworm, so that's fine, thanks. Any plans
for 551-2 in bullseye? The two patches in your NMU apply cleanly there.

Then the salvage procedure can play out for the full 28+ days specified
by developers-reference (21 days to allow the maintainer to object
followed by a DELAYED/7 adoption upload). I've already soft-proposed to
salvage in bug #1069280 yesterday. And as mentioned there I'm not yet a
DD or DM, so I'd need to find a sponsor (and access to debian/less.git).

If your NMU and my salvaging procedure go through, I'll rebase my work
upon and acknowledge your NMU. And I'd like to backport a 643-1 to
bookworm and bullseye sloppy (and update bullseye-backports with your
NMU, unless you do that).

You and I both apparently made the exact same changes to backport the
CVE-2024-32487 patch (except your patch still has the original upstream
diffstat instead of the backport, which is fine), so that's a good
confirmation that my patch was (and yours is) correct.

-- 
Patrick "P. J." McDermott: http://www.pehjota.net/
Lead Developer, ProteanOS: http://www.proteanos.com/
Founder and CEO, Libiquity: http://www.libiquity.com/
Bug#1064293: less: CVE-2022-48624
Hi,

FWIW, I'm actually preparing a security update for the two CVEs and
for bookworm I was first planning to do a 590-2.1 reaching unstable,
and so then 590-2.1~deb12u1 for bookworm.

But if you want to override it with a NMU and proposing to salvage the
package this is equally fine.

Regards,
Salvatore
Bug#1064293: less: CVE-2022-48624
On 2024-04-12 at 16:10, Christoph Anton Mitterer wrote:
> Hey.
>
> There seems to be a somewhat similar issue reported by Jakub Wilk on
> oss-security:
> https://www.openwall.com/lists/oss-security/2024/04/12/5
>
> where quoting causes troubles (though I couldn't replay the demo).

That was since assigned CVE-2024-32487 and Debian bug #1068938.

> Any chance to get both fixed in Debian unstable?

While the maintainer appears to be somewhat active elsewhere in Debian,
this package hasn't seen an upload in over a year and the packaged
version is getting close to three years old. (Although I found that
updating to the latest upstream release version introduces new test
suite and lintian issues requiring some upstream patches backported and
reverted/fixed.)

In my Salsa fork[1] I have updated the package (fixing CVE-2022-48624)
and backported (with necessary code changes) the CVE-2024-32487 fix.

I would like to adopt, co-maintain, or if necessary salvage src:less
(see bug #1069280). But the procedure[2] for that requires 28 days of
waiting for the maintainer to respond. Perhaps in the meantime a new
upstream version NMU is warranted, or should the procedure be sped up
somehow?

[1]: https://salsa.debian.org/pehjota/less
[2]: https://www.debian.org/doc/manuals/developers-reference/pkgs.html#how-to-salvage-a-package

-- 
Patrick "P. J." McDermott: http://www.pehjota.net/
Lead Developer, ProteanOS: http://www.proteanos.com/
Founder and CEO, Libiquity: http://www.libiquity.com/
Bug#1064293: less: CVE-2022-48624
Hey.

There seems to be a somewhat similar issue reported by Jakub Wilk on
oss-security:
https://www.openwall.com/lists/oss-security/2024/04/12/5

where quoting causes troubles (though I couldn't replay the demo).

Any chance to get both fixed in Debian unstable?

Cheers,
Chris.
Bug#1064293: less: CVE-2022-48624
Source: less
Version: 590-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for less.

CVE-2022-48624[0]:
| close_altfile in filename.c in less before 606 omits shell_quote
| calls for LESSCLOSE.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-48624
    https://www.cve.org/CVERecord?id=CVE-2022-48624
[1] https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
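As an added illustration of the bug described in the report above (example code written for this page, not less's own source or the upstream commit): a simplified model of how close_altfile assembles the LESSCLOSE command for the shell, with and without the shell_quote calls the fix adds. The two-argument "$LESSCLOSE file altfile" form follows the less manual; the function layout, argument names and the sample file names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Single-quote s for a POSIX shell: wrap in '...' and rewrite each
 * embedded ' as '\'' so the shell reads the result as one literal word.
 * Returns a malloc'd string (NULL on allocation failure). */
char *shell_quote(const char *s)
{
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'')
            extra += 3;                 /* ' -> '\'' adds three bytes */
    char *out = malloc(n + extra + 3), *p = out;  /* + 2 quotes + NUL */
    if (!out)
        return NULL;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = s[i];
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Simplified model (an assumption for this example, not less's source)
 * of how close_altfile builds "$LESSCLOSE file altfile" for the shell.
 * quote == 0 interpolates both names raw, as less before 606 did;
 * quote != 0 passes them through shell_quote(), as the fix does. */
char *build_lessclose_cmd(const char *lessclose, const char *filename,
                          const char *altfilename, int quote)
{
    char *qf = quote ? shell_quote(filename) : NULL;
    char *qa = quote ? shell_quote(altfilename) : NULL;
    if (quote && (!qf || !qa)) { free(qf); free(qa); return NULL; }
    const char *f = qf ? qf : filename, *a = qa ? qa : altfilename;
    size_t len = strlen(lessclose) + strlen(f) + strlen(a) + 3;
    char *cmd = malloc(len);                /* malloc'd; caller frees */
    if (cmd)
        snprintf(cmd, len, "%s %s %s", lessclose, f, a);
    free(qf);
    free(qa);
    return cmd;
}
```

With quote set, a file name containing spaces or quote characters reaches the LESSCLOSE script as a single argument instead of being re-parsed by the shell.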