Re: [SECURITY] [DLA 2441-1] sympa security update

[Antoine Beaupré]

On 2020-11-09 14:04:02, Sylvain Beucler wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> - -
> Debian LTS Advisory DLA-2441-1debian-lts@lists.debian.org
> https://www.debian.org/lts/security/ 
> November 09, 2020 https://wiki.debian.org/LTS
> - -
>
> Package: sympa
> Version: 6.2.16~dfsg-3+deb9u4
> CVE ID : CVE-2018-1000671 CVE-2020-26880
> Debian Bug : 908165 972189

What's up with those bug reports? #908165 refers to CVE-2018-1000671 but
#972189 refers to CVE-2020-10936, not CVE-2020-26880.

Also, CVE-2020-26880 is marked as unfixed in the security tracker (and
the upstream bugtracker), but not CVE-2020-10936...

Which one is which? Is the sympa package in Debian LTS still vulnerable
to privilege escalation?

A.

-- 
The true revolutionary is guided by a great feeling of love.
- Ernesto "Che" Guevara


signature.asc
Description: PGP signature

Re: heads up: DLA should now be published on the website

[Antoine Beaupré]

On 2019-02-21 18:18:06, Holger Levsen wrote:
> Hi Antoine,
>
> On Mon, Feb 18, 2019 at 04:10:47PM -0500, Antoine Beaupré wrote:
>> But my little finger tells me there are many DLAs still missing from the
>> website. So even if/when the above MR does get merged, more entries will
>> be missing. So someone will need to make sure to run the check script to
>> make sure no entries are missing regularly, see also:
>> https://salsa.debian.org/webmaster-team/cron/merge_requests/1
>
> I've looked at this script now, it works nicely, just our results are
> not so good yet:
>
> ~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories 2>&1 |wc -l
> 314
> ~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories --mode DLA 
> 2>&1 |wc -l
> 1762
> ~/Projects/debian-www/webwml$ ../cron/parts/10-check-advisories --mode DLA 
> 2>&1 | head -10
> ERROR: .data or .wml file missing for DLA 1685-1
> ERROR: .data or .wml file missing for DLA 1684-1
> ERROR: .data or .wml file missing for DLA 1683-1
> ERROR: .data or .wml file missing for DLA 1660-2
> ERROR: .data or .wml file missing for DLA 1682-1
> ERROR: .data or .wml file missing for DLA 1681-1
> ERROR: .data or .wml file missing for DLA 1680-1
> ERROR: .data or .wml file missing for DLA 1679-1
> ERROR: .data or .wml file missing for DLA 1678-1
> ERROR: .data or .wml file missing for DLA 1677-1
> debian-work:~/Projects/debian-www/webwml$ 
>
> -> this script is incorrect/broken for DLAs it seems, as 
> https://www.debian.org/lts/security/ does list the DLAs 1677-1681,
> just DLAs 1682-1685 are missing. And they are called DLA-1234 there,
> not "DLA 1234-1"...

Weird. Is your local checkout up to date? What if you run in debug mode?

> Also, if this merge request would be merged, it would just run it in
> normal, DSA, mode. Do you have a suggestion how to run it in DLA mode?

We could simply change the default here:

parser.add_argument('--mode', default='DSA', choices=('DSA', 'DLA'),
help='which sort of advisory to check (default: 
%(default)s)')  # noqa: E501

a.
-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then
let us work together.- Aboriginal activists group, Queensland, 1970s

(early) monthly report

[Antoine Beaupré]

Hi all,

Here's my early LTS report. The TL;DR: is:

 * website work
 * python-gpg
 * golang
 * libarchive
 * netmask
 * libreoffice
 * enigmail

# Website work

I again worked on the website this month, doing one more mass import
([MR 53][]) which was finally merged by Holger Levsen, after I [fixed
an issue with PGP signatures][] showing up on the website.

[fixed an issue with PGP signatures]: 
https://salsa.debian.org/webmaster-team/webwml/merge_requests/51

I also polished the misnamed "audit" script that checks for missing
announcements on the website and published it as [MR 1][] on the
"cron" project of the webmaster team. It's still a "work in progress"
because it is still too noisy: there are a few DLAs missing already
and we haven't published the latest DLAs on the website.

[MR 1]: https://salsa.debian.org/webmaster-team/cron/merge_requests/1
[MR 53]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/53

The remaining work here is to automate the import of new announcements
on the website ([bug #859123][]). I've done what is hopefully the
[last mass import][] and updated the workflow in the wiki.

Finally, I have also done a bit of [cleanup][] on the website that
was necessary after the mass import which also required [rewrite
rules][] at the server level. Hopefully, I will have this fairly well
wrapped up for whoever picks this up next.

[rewrite rules]: https://salsa.debian.org/anarcat/dsa-puppet/merge_requests/1
[cleanup]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/55
[last mass import]: 
https://salsa.debian.org/webmaster-team/webwml/merge_requests/58
[bug #859123]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123

# Python GPG concerns

Following a new vulnerability (CVE-2019-6690) disclosed in the
python-gnupg library, I have [expressed concerns][] at the security
reliability of the project in future updates, refering to wider issues
identified by Isis Lovecroft in [this post][]. 

I suggested we should simply drop security support for the project,
citing it didn't have many reverse dependencies. But it seems that
wasn't practical and the [response][] was that it was actually
possible to keep on maintaining it an such an update was issued for
jessie.

[response]: 
https://lists.debian.org/20190209103913.e45eqo3gax5g3...@manillaroad.local.home.trueelena.org
[this post]: https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html
[expressed concerns]: https://lists.debian.org/87r2cj4kg2@curie.anarc.at

# Golang concerns

Similarly, I have [expressed more concerns][] about the maintenance of
Golang packages following the disclosure of a vulnerability
(CVE-2019-6486) regarding elliptic curve implementations in the core
Golang libraries. An update (DLA-1664-1) was issued for the core, but
because Golang is statically compiled, I was worried the update wasn't
sufficient: we also needed to upload updates for any build dependency
using the affected code as well.

[expressed more concerns]: 
https://lists.debian.org/87sgx0czxg@curie.anarc.at

Holger asked the golang team for help and i also asked on
irc. Apparently, all the non-dev packages (with some exceptions) were
binNMU'd in stretch but the process needs to be clarified.

I also wondered if this maintenance problem could be resolved in the
long term by switching to dynamic linking. Ubuntu tried to switch to
dynamic linking but abandoned the effort, so it seems Golang will be
quite difficult to maintain for security updates in the forseeable
future.

# Libarchive updates

I have reproduced the problem described in CVE-2019-120 and
CVE-2019-119 in jessie. I published a fix as [DLA-1668-1][]. I had
to build the update without sbuild's overlay system (in a tar chroot)
otherwise the cpio tests fail.

[DLA-1668-1]: https://lists.debian.org/20190207192754.ga14...@curie.anarc.at

# Netmask updates

This one was minimal: a patch was [sent by the maintainer][] so I only
wrote and sent [DLA 1665-1][]. Interestingly, I didn't have access to
the `.changes` file which made writing the DLA a little harder, as my
workflow normally involves calling `gen-DLA --save` with the .changes
file which autopopulates a template. I learned that `.changes` files
are normally archived on `coccia.debian.org` (specifically in
`/srv/ftp-master.debian.org/queue/done/`), but not in the case of
security uploads.

[DLA 1665-1]: https://lists.debian.org/20190206222753.ga28...@curie.anarc.at
[sent by the maintainer]: 
https://lists.debian.org/20190206005958.ga7...@debian.org

# Libreoffice

I once again tried to tackle an issue (CVE-2018-16858) with
Libreoffice. The [last time][] I tried to work on LibreOffice, the
test suite was failing and the linker was *crashing* after hours of
compilation and I never got anywhere. But that was wheezy, so I
figured jessie might be in better shape.

[last time]: 
https://anarc.at/blog/2017-11-30-free-software-activities-november-2017

I quickly got into trouble with sbuild: I ran ou

heads up: DLA should now be published on the website

[Antoine Beaupré]

On 2019-02-01 20:58:28, Holger Levsen wrote:
> On Fri, Feb 01, 2019 at 01:58:04PM -0500, Antoine Beaupré wrote:

[...]

> can you please put that on wiki.d.o/LTS/Development?!

This is now done. I added a new section to the wiki

https://wiki.debian.org/LTS/Development#Publishing_updates_on_the_website

The TL;DR: is that you now need to clone the main website and issue a
merge request when you publish a DLA. Once you have a clone, it should
be as simple as:

parse-dla.pl 
git checkout -b DLA--Y
git add 2019
git commit -m'DLA-XXX-Y'
git push -u origin
salsa mr

I've done one more mass import, hopefully the last:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/58

But my little finger tells me there are many DLAs still missing from the
website. So even if/when the above MR does get merged, more entries will
be missing. So someone will need to make sure to run the check script to
make sure no entries are missing regularly, see also:

https://salsa.debian.org/webmaster-team/cron/merge_requests/1

Obviously, this workflow is not optimal and could be automated, see also
#859123 (in CC).

Thank you for your time.

A.

-- 
Omnis enim ex infirmitate feritas est.
All cruelty springs from weakness.
 - Lucius Annaeus Seneca (58 AD)

Re: rssh security update breaks rsync via Synology's "hyper backup"

[Antoine Beaupré]

On 2019-02-18 09:27:37, Russ Allbery wrote:
> Does this plan sound good to everyone?  I'll follow up with the proposed
> diffs for stable and oldstable.

Works for me (LTS), although I won't be the one performing the upgrade
(I've unclaimed the package for other reasons).

Thanks for your work!

A.

-- 
Gods don't like people not doing much work. People who aren't busy all
the time might start to think.
- Terry Pratchett, Small Gods

Re: rssh security update breaks rsync via Synology's "hyper backup"

[Antoine Beaupré]

On 2019-02-14 10:08:40, Russ Allbery wrote:
> Roman Medina-Heigl Hernandez  writes:
>
>> Added Russ (rssh maintainer).
>
>> I cannot probe it but I guess chances are high that the issue is present
>> both in stable and oldstable (I cannot find a good reason to filter
>> different commands: solution should be the same or very similar) so I'm
>> still keeping debian-security in the loop.
>
> That command line exactly is probably safe, but --daemon is definitely not
> safe in combination with --config, -M, or --dparam.  I'm not sure what
> happens if you pass combinations like --server --daemon --address or
> --port.  Unfortunately, so far as I can tell, --server --daemon is not
> even documented in the rsync man page as something you can do (I certainly
> didn't know about its existence before this string of CVEs), so it's
> pretty hard to figure out what its intended behavior is without doing a
> deep dive into source code.
>
> We can try to make the command-line verification even more complex to try
> to allow for more edge cases (another one just came up in an Ubuntu bug,
> where libssh apparently sends arguments differently than scp itself does).
> I'm not super-thrilled, but I guess I created this problem and signed up
> for it, so I can try to keep playing whack-a-mole with new command-line
> variations.
>
> Note that I'm definitely removing rssh from unstable and testing before
> the next release as unsupportable.  Upstream has orphaned it, and I think
> the primitive that it's attempting to implement is fundamentally
> impossible to maintain securely.  So the long-term solution is for
> everyone to migrate away from it, I'm afraid; the question is what to do
> about stable (and oldstable).
>
> In this particular case, a simple command="rsync --server --daemon ." in
> your ssh authorized_keys file might be a better solution than rssh.  (But
> be aware of CVE-2019-3463.)

Thanks for the detailed analysis Russ! It does seem to be a bit of a
whack-a-mole game that would be better solved by proper use of
`command`...

That said, if we do fix this in jessie, we should do it at the same time
as the regression identified in stretch (DSA-4377-2).

Russ, do you want to handle the Jessie update or should the LTS team do
it?

Should we wait for resolution on this issue before shipping the errata?

Thanks!

-- 
In serious work commanding and discipline are of little avail.
 - Peter Kropotkin

Re: Bug#859122: about 500 DLAs missing from the website

[Antoine Beaupré]

On 2019-02-12 08:13:18, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote:
>> * We still need the Apache redirects, so the people that try the old
>> URLs (wether directly because they knew, or via the security tracker),
>> find the files they need. What we need to do is send a patch to
>> 
>> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
>> 
>> that sets the redirect from
>> https://www.debian.org/security/any_year/dla-whatever to
>> https://www.debian.org/security/lts/any_year/dla-whatever
>> 
>> * Adaptation in the security tracker so the new URL paths are used from
>> now on is also needed.
>
> I have the attached patch commited in a local branch, but want first
> to confirm is this the final intended URL to reach the DLAs?
>
> Regards,
> Salvatore
> From ceda9e3d1fc38f505462bce8c0aa4cdd2b165d87 Mon Sep 17 00:00:00 2001
> From: Salvatore Bonaccorso 
> Date: Tue, 12 Feb 2019 08:10:16 +0100
> Subject: [PATCH] Adapt URL to DLA advisories in a
>  https://www.debian.org/security/lts/
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> As discussed in https://bugs.debian.org/859122 DLAs and DSAs will be
> separated in different supages. This needs adaption for the URL
> referenced in the source fields of the security-tracker for DLAs.
>
> Thanks: Laura Arjona Reina, Holger Levsen and Antoine Beaupré
> ---
>  bin/tracker_service.py | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/bin/tracker_service.py b/bin/tracker_service.py
> index 971f4b4e38eb..a2ea755d8f39 100755
> --- a/bin/tracker_service.py
> +++ b/bin/tracker_service.py
> @@ -1574,7 +1574,7 @@ Debian bug number.'''),
>  for (date,) in self.db.cursor().execute(
>  "SELECT release_date FROM bugs WHERE name = ?", (dla,)):
>  (y, m, d) = date.split('-')
> -return 
> url.absolute("https://www.debian.org/security/%d/dla-%d";
> +return 
> url.absolute("https://www.debian.org/security/lts/%d/dla-%d";
>  % (int(y), int(number)))
>  return None

I believe this is backwards, you want /lts/security, not /security/lts.

For example:

https://www.debian.org/lts/security/2019/dla-1659

I was also hoping to see the "errata number" in there, but it seems I
was mistaken.

-- 
L'ennui avec la grande famille humaine, c'est que tout le monde veut
en être le père.
- Mafalda

Re: concerns about the security reliability of python-gnupg

[Antoine Beaupré]

On 2019-02-09 11:39:18, Elena ``of Valhalla'' wrote:
> On 2019-02-07 at 11:44:45 -0500, Antoine Beaupré wrote:
>> Hi,
>> 
>> Recently, python-gnupg was triaged for maintenance in Debian LTS, which
>> brought my attention to this little wrapper around GnuPG that I'm
>> somewhat familiar with.
>> 
>> Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
>> right now, with buster and sid marked as fixed, as you can see here:
>> 
>> https://security-tracker.debian.org/tracker/source-package/python-gnupg
>
> sorry, my fault for missing the CVE when uploading the new upstream
> version; I will prepare the fix for stable(-security) ASAP.

No problem! :)

> I don't care enough about LTS to learn its upload procedures, but if
> somebody is interested in doing it I can backport the patch and push it
> to git, for them to upload.

I'm sure people in the LTS team (including myself) would be happy to
carry that torch any way you prefer. We can perform as much or as little
as you want in the process.

>> I'm concerned about the security of this project in general. Even though
>> that specific instance might be fixed, there are many more bad security
>> practices used in this project. A fork was created by Isis Agora
>> Lovecruft to fix those issues:
>> 
>> https://github.com/isislovecruft/python-gnupg/
>
> AFAIK that fork is dead upstream, and it's not compatible with Vinay
> Sajip's version, so it can't be used to satisfy the dependency in other
> packages

Maybe so, but the security concerns raised are serious and should be
addressed.

I'm surprised to hear it's not backwards-compatible, however... That is
certainly a concern if we'd want to switch upstreams, but that's not
exactly what I was proposing... Isis renamed their package to "pretty
bad protocol" anyways, which makes it clear it's not designed to be a
drop-in replacement.

>> [...]
>> I suspect many such issues could be identified formally in the
>> python-gnupg package.
>
> My experience with upstream is that they are quite good at reacting to
> issues that are raised on their bugtracker (and I'm happy to forward
> them there from the debian BTS).
>
> On the other hand, they don't maintain a LTS version, so the fix will
> happen in the latest release, and while I'm confident that many patches
> will be backportable there is no guarantee that *all* of them would be,
> especially to the version in oldstable.

I am especially concerned about backporting fixes Isis identified. Those
are far-ranging vulnerabilities that require massive code refactoring. I
doubt those would be meaningfully backportable.

>> But maybe, instead, we should just mark it as unsupported in
>> debian-security-support and move on. There are few packages depending on
>> it, in jessie:
>> [...]
>> in buster:
>> [...]
>
> I think this list is missing something, maybe the reverse dependencies
> of python3-gnupg: I know that gajim-pgp depends on it (and is in turn
> recommended by gajim) at least in buster; earlier versions used an old
> embedded copy of the same library, so this isn't really a "new"
> dependency.

I guess that's why I missed it in jessie - there are no rdeps for the
py3 version in jessie...

I'm not sure what to do next here. I just felt it was important to
outline possibly fundamental problems with this package that are not
currently mapped in the CVE process. Maybe that shouldn't lead to any
action on our part, but I wanted people here to be aware of those
concerns.

A.

-- 
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
- Benjamin Franklin, 1755

Re: Bug#859122: about 500 DLAs missing from the website

[Antoine Beaupré]

On 2019-02-09 14:39:50, Holger Levsen wrote:
> Hi Laura,
>
> many many thanks for your work on this, including and especially this
> writeup!
>
> some comments below, where I dont say anything I mean 'yay"! :)
>
> On Sat, Feb 09, 2019 at 03:55:44AM +0100, Laura Arjona Reina wrote:
>> * The /lts/security//index.*.html files show the last advisory for
>> the cases where there are several files with the same beginning (e.g.
>> for DSA- and DSA--2, both html files are generated, but the
>> index only points to the -2 file). If this is not the intended
>> behaviour, changes in index.wml and Makefiles are needed.
>
> I think we want the other DLAs linked from the indexes as well.
>
> shall we file a bug to not forget this?

I looked into this, and couldn't figure it out.

Please do file a bug for now, I have no idea how to fix this...

[...]

>> * We still need the Apache redirects, so the people that try the old
>> URLs (wether directly because they knew, or via the security tracker),
>> find the files they need. What we need to do is send a patch to
>> 
>> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
>> 
>> that sets the redirect from
>> https://www.debian.org/security/any_year/dla-whatever to
>> https://www.debian.org/security/lts/any_year/dla-whatever
>
> right. shall we file a bug to not forget this?

Filed the patch here:

https://salsa.debian.org/anarcat/dsa-puppet/merge_requests/1

Reviews welcome. I'm particularly doubtful of the dla-map thing - it's
not in the source repo, but can I assume it's present on the website
deployment?

>> * Adaptation in the security tracker so the new URL paths are used from
>> now on is also needed.
>
> right. shall we file a bug to not forget this?

Sure, please do.

A.

-- 
People arbitrarily, or as a matter of taste, assigning numerical values
to non-numerical things. And then they pretend that they haven't just
made the numbers up, which they have. Economics is like astrology in
that sense, except that economics serves to justify the current power
structure, and so it has a lot of fervent believers among the powerful.
- Kim Stanley Robinson, Red Mars

Re: Bug#859122: about 500 DLAs missing from the website

[Antoine Beaupré]

On 2019-02-09 03:55:44, Laura Arjona Reina wrote:
> Hello all
>
> Holger Levsen merged the generated DLAs and I've worked to create the
> /lts tree to show them separated from the DSA. I have moved to this new
> /lts folder the DLAs from years 2014, 2015 and 2016 that we had already,
> and remove them from the /security tree and removed references to DLAs
> in the Makefiles/indexes in /security.
>
> I think it's mostly done, I've closed all the related MR except one, but
> there are some small tasks left, that I hope we can solve together:
>
> * I have initially copied the content of /security/ to /lts/security,
> removed subfolders that I think are not needed (audit, key-rollover,
> oval, undated) and some other files that I think they were not needed
> too. Then I did a search and replace DSA -> DLA, dsa- -> dla- in the
> scripts, makefiles and indexes, and fixed the paths, and built locally
> (with "make) and I couldn't spot errors, but I don't trust every file
> that is currently in /lts/security is needed or has been used with my
> "make" command, so a review of the folder (comparing it with /security)
> done by an LTS or security team member, is welcome.

It's true there's a lot of junk in there... I suspect most of the `.pl`
scripts in there could actually be symlink to the main secteam scripts,
because they are basically the same.

I also suspect most of the stuff is unused, even from the secteam's
point of view. For example, `check-cve-refs.pl` assumes there's a
`security/data` directory in the website, which is not the case
(anymore?). I would suggest removing those from at least the LTS
section and have done so in the following MR:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/55

> * The README needs to be reviewed and adapted (I just did the search and
> replace dsa -> dla and DSA -> DLA).

Done as well in the same MR.

> * I guess that parse-advisory.pl (and maybe others) can be removed, but
> I was not confident to do it without advice.

Done as well in the same MR.

> * I didn't check the results of the generated RSS feeds. If anybody uses
> RSS readers, a review is welcome too.

It looks good to me here.

> * The /lts/security//index.*.html files show the last advisory for
> the cases where there are several files with the same beginning (e.g.
> for DSA- and DSA--2, both html files are generated, but the
> index only points to the -2 file). If this is not the intended
> behaviour, changes in index.wml and Makefiles are needed.

Ideally, we'd show both, is that possible?

> * Please review the content (text, links) of these files:
>
> /lts/index.wml
> /lts/security/index.wml
>
> I've tried to be short (for the case translators are fast and then you
> decide to heavy rewrite, to not to loose much work).

That makes sense to me. I wonder if we should link to the
crossreferences.wml content, which is also relevant here.

> * Translations have been handled, but I've left the *title* of these
> files unchanged:
>
> french/lts/security/*/dla*.wml
> russian/lts/security/*/dla*.wml
> danish/lts/security/*/dla*.wml
> japanese/lts/security/*/dla*.wml
>
> All those files have title "LTS Security Advisories from " (being
>  the year: 2014, or 2015, or 2016). I guess translators can do a
> quick search and replace with the correct sentence and they don't need
> to update the commit hash, that's already done. I'll contact translators
> and point them to this message.

Fair enough.

> * This new /lts section of the website is not referenced yet in other
> places of the Debian website. I'm not sure if it should be referenced in
> /security, in /releases/, or in both. There is also the temptation
> of creating a link in the homepage but there is also the suggestion of
> reducing the links in the homepage, so... For now, I'll try to add it to
> the sitemap and see how many references to the LTS wiki page we have
> currently, to see if any of them can be replaced with link to this
> section in the website. But I'll wait some days to do it because it's
> not clear for me if you want to populate the section to cover all the
> aspects of LTS, or keep it only/mainly for security stuff.

I would avoid putting the LTS work too proeminently on the website at
this point, to be honest. The goal of publishing those advisories there,
for me, is coherence: they were already partly present and I wanted to
have them *all* available *somewhere* with a predictable URL and RSS
feeds (as opposed to, say the mailing list).

We shouldn't get into the slippery debate of how much we want LTS
content on the website, in my opinion.

> * We still need the Apache redirects, so the people that try the old
> URLs (wether directly because they knew, or via the security tracker),
> find the files they need. What we need to do is send a patch to
>
> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/templates/apache-www.debian.org.erb
>
> that sets the redirect from
> http

Re: faad2 and systemd: (semi)-automaticly unclaimed after 2 weeks of inactivity

[Antoine Beaupré]

On 2019-02-11 10:57:20, Holger Levsen wrote:
> hi,
>
> I've just unclaimed faad2 and systemd as the last documented activity on these
> packages was more than two weeks ago...
>
> If you intend to continue working on them, please just reclaim them and
> update the note.

Hehe... "arroseur arrosé" as they say in french. First time I'm affected
by the auto-unclaimer, and I must say it's fair: I *have* been stalled
on that one without progress for even more than two weeks now. The only
reason why I still had it claimed is that I claimed it for *other* CVEs
(DLA 1639-1) and didn't unclaim it when I was finished.

The remaining work there dates back from November 2018, for those who
are curious and tempted to give it a shot. I detailed part of the work I
did on the tmpfiles.c stuff in message:

https://lists.debian.org/87d0r07hl3@curie.anarc.at

Long story short: the patch is too invasive to backport, so the next
step is to try a backport of the entire tmpfiles.c file. It might sound
crazy, but the individual systemd files like those are fairly well
enclosed. The trick will be to work around new APIs and macros that are
used in the new code, as opposed to properly cherry-picking the zillions
of tiny and large patches applied across the history of that file to
properly fix the bug.

A.

-- 
Only in the darkness can you see the stars.
- Martin Luther King, Jr.

Re: (when?) do we (still) contact maintainers?

[Antoine Beaupré]

On 2019-02-07 18:32:39, Markus Koschany wrote:
> Please do not CC me. I am subscribed.
>
> Am 07.02.19 um 18:23 schrieb Antoine Beaupré:
> [...]
>> Well, I don't think we should make such calls without announcing it and
>> documenting the new workflow clearly, first off.
>> 
>> Second, I think I mostly agree with you, but we need to be certain we
>> won't upset other people's workflow, and this should be discussed.
>
> How does my decision to not contact a maintainer interrupt your
> workflow? You can still contact the maintainer before you start to work
> on a package.

I meant the debian package maintainers, not mine.

A.

-- 
In a world where Henry Kissinger wins the Nobel Peace Prize,
there is no need for satire.
- Tom Lehrer

Re: (when?) do we (still) contact maintainers?

[Antoine Beaupré]

On 2019-02-07 17:58:48, Markus Koschany wrote:
> Hello,
>
> Am 07.02.19 um 17:32 schrieb Antoine Beaupré:
> [...]
>> Am I missing something here? Did we change this practice, or is this an
>> oversight?
>
> I have been part of the team for three years now, from my experience
> almost all people are very happy when someone else fixes bugs in
> oldstable. Most of the time we get either no response at all or someone
> tells us to just go ahead. Since we have now the capacity to handle all
> those issues all by ourselves, I don't find it no longer necessary to
> contact every maintainer beforehand. Instead I decide on a case-by-case
> basis. I would rather change the current recommendation and the
> do-not-call list to a list of maintainers who want to be contacted first
> before we work on their packages or have always prepared updates
> themselves (e.g. postresql). This list will be quite short.

Well, I don't think we should make such calls without announcing it and
documenting the new workflow clearly, first off.

Second, I think I mostly agree with you, but we need to be certain we
won't upset other people's workflow, and this should be discussed.

A.

-- 
Tout ce qui n’est pas donné est perdu.
- Proverbe indien

Re: concerns about the security reliability of python-gnupg

[Antoine Beaupré]

On 2019-02-07 16:48:56, Holger Levsen wrote:
> On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote:
>> But maybe, instead, we should just mark it as unsupported in
>> debian-security-support and move on. There are few packages depending on
>> it, in jessie:
> [...]
>> in buster:
>> Note that the list is (slowly) growing.
>  
> marking it it unsupported in debian-security-support for jessie and
> stretch might be the right step forward, but if if it's really as bad as
> you describe, I think it should be kicked out of buster, instead of
> carried on.

That too. But I'd like to hear the maintainer's opinion before taking
any more drastic measures. :)

A.

-- 
Les plus beaux chants sont les chants de revendications
Le vers doit faire l'amour dans la tête des populations.
À l'école de la poésie, on n'apprend pas: on se bat!
- Léo Ferré, "Préface"

Re: concerns about the security reliability of python-gnupg

[Antoine Beaupré]

On 2019-02-07 11:44:45, Antoine Beaupré wrote:
> https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
> https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/

Oops, that second link should have been:

https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html

A.

-- 
Computer science is no more about computers
than astronomy is about telescopes
- E. Dijkstra

concerns about the security reliability of python-gnupg

[Antoine Beaupré]

Hi,

Recently, python-gnupg was triaged for maintenance in Debian LTS, which
brought my attention to this little wrapper around GnuPG that I'm
somewhat familiar with.

Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
right now, with buster and sid marked as fixed, as you can see here:

https://security-tracker.debian.org/tracker/source-package/python-gnupg

I'm concerned about the security of this project in general. Even though
that specific instance might be fixed, there are many more bad security
practices used in this project. A fork was created by Isis Agora
Lovecruft to fix those issues:

https://github.com/isislovecruft/python-gnupg/

Those patches were not merged back upstream, which is disputing isis'
claims. The security issues found in the upstream package are partly
documented here:

https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html

I am concerned that fixing only this specific CVE will give users a
false sense of security, as many more similar issues might be lurking in
the code. Having, myself, dealt with writing such a library (lesson
learnt: don't do that), I can confirm it is very hard (if not
impossible) to properly talk with GnuPG in a reasonable way. There is
now a constant flow of vulnerabilities coming out that outline commonly
made mistakes when trying to talk the line dialog with GnuPG. For
example:

https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/

I suspect many such issues could be identified formally in the
python-gnupg package.

But maybe, instead, we should just mark it as unsupported in
debian-security-support and move on. There are few packages depending on
it, in jessie:

Reverse Depends:
  Dépend: hash-slinger
  Dépend: pyspread

in stretch:

Reverse Depends:
  Casse: gnupg (<< 0.3.8-3)
  Recommande: python-sleekxmpp
  Dépend: pyspread
  Dépend: hash-slinger
  Dépend: goopg
  Dépend: deken

in buster:

Reverse Depends:
  Casse: gnupg (<< 0.3.8-3)
  Dépend: hash-slinger
  Dépend: goopg
  Recommande: python-sleekxmpp
  Dépend: python-rosbag
  Dépend: pyspread

Note that the list is (slowly) growing.

What do people think?

A.

-- 
L'adversaire d'une vraie liberté est un désir excessif de sécurité.
- Jean de la Fontaine

(when?) do we (still) contact maintainers?

[Antoine Beaupré]

Hi,

I was under the impression that we were supposed to contact maintainers
when we add packages to dla-needed.txt, as part of the triage work. That
is, at least, the method documented here:

https://wiki.debian.org/LTS/Development#Triage_new_security_issues

Confident that people doing the triage would do so, I have stopped
double-checking that such work was being done but now, looking at the
python-gnupg package, I noticed nothing was sent out to the maintainer,
at least not with this list in CC. The maintainer and package are not in
data/packages/lts-do-not-call.txt so I think they should have been
contacted first.

Am I missing something here? Did we change this practice, or is this an
oversight?

A.
-- 
Arguing for surveillance because you have nothing to hide is no
different than making the claim, "I don't care about freedom of speech
because I have nothing to say."
- Edward Snowden


signature.asc
Description: PGP signature

Re: [SECURITY] [DLA 1664-1] golang security update

[Antoine Beaupré]

On 2019-02-06 23:42:12, Chris Lamb wrote:
> Hi Antoine,
>
>> all golang Debian packages are (as elsewhere) statically compiled
>> and linked so we'd need to rebuild all the rdeps
>
> Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones
> that use this library?

Yeah, that's what I was implying, sorry if that was unclear... I'm not
actually sure how that works. I assume it's a bunch of binNMUs, but we
first need to figure out which packages actually use that specific lib.

Maintaining golang security update is really tricky.. :/ I wish we could
just dynamically link everything in Debian, but I'm afraid that's heresy
(even if technically possible, apparently) in Golang circles...

a.

-- 
The greatest crimes in the world are not committed by people breaking
the rules but by people following the rules. It's people who follow
orders that drop bombs and massacre villages.
- Banksy

Re: [SECURITY] [DLA 1664-1] golang security update

[Antoine Beaupré]

On 2019-02-06 22:17:26, Chris Lamb wrote:
> It was discovered that there was a denial of service vulnerability
> or possibly even the ability to conduct private key recovery
> attacks within in the elliptic curve cryptography handling in the
> Go programming language libraries.

Hello Chris!

Have you given any thought to the impact this could have on the
build-dependencies that might be affected by this vulnerability? As you
probably know, all golang Debian packages are (as elsewhere) statically
compiled and linked so we'd need to rebuild all the rdeps to have this
properly fixed in the dependencies...

A.

-- 
Si Dieu est, l'homme est esclave ; 
or l'homme peut, doit être libre, donc Dieu n'existe pas.
Et si Dieu existait, il faudrait s'en débarrasser!
- Michel Bakounine

Re: buffer overflow vulnerability in netmask 2.3.12

[Antoine Beaupré]

On 2019-02-06 21:52:35, Guilhem Moulin wrote:
> Hi anarcat,
>
> On Wed, 06 Feb 2019 at 14:13:23 -0500, Antoine Beaupré wrote:
>> 4. issue a DLA when the package is accepted
>
> I wouldn't mind if you or another LTS team member were talking care of
> this one :-)

Alright, DLA coming right up! :)

A.

-- 
We should act only in such away that if everyone 
else acted as we do, we would accept the results.
- Emmanuel Kant

Re: buffer overflow vulnerability in netmask 2.3.12

[Antoine Beaupré]

On 2019-02-06 01:59:58, Guilhem Moulin wrote:
> Dear LTS team,

Hi Guilhem!

> A buffer overflow vulnerability was recently found in the netmask
> package (a small utility that helps determining network masks):
>
> https://github.com/tlby/netmask/issues/3
>
> The Security Team argued that the version in stretch (2.4.3-1) doesn't
> warrant a DSA as the program is built with hardening options enabled
> (thus turning the buffer overflow vulnerability into an harmless clash),
> but that's not the case for the version in jessie (2.3.12), so I guess
> it makes sense to upload a +deb8u1.

Agreed.

> I attach a debdiff with a trivial fix backported from 2.4.4, more
> specifically the ‘errors.c’ part of
>
> 
> https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c
>
> For convenience, you can also find the source package at
>
> dget -x https://people.debian.org/~guilhem/tmp/netmask_2.3.12+deb8u1.dsc
>
> Notes:
>  * I only started maintaining this package after jessie was frozen, but
>the previous maintainer is no longer active and I thus took the
>liberty to update the ‘Maintainer’ field in d/control accordingly.

While this is usually a superfluous change, I think that in this case it
makes sense so we know who to talk with the next time a problem happens
(which will hopefully be never :).

>  * Before 2.4.2-1 the package was (incorrectly) native, so in this
>jessie-security package I applied the fix directly to the upstream
>source rather than going via a patch series.
>  * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
>instructions regarding this.

Sorry, forwarded where? Did I miss something?

Ideally, we would have at least one Debian-specific tracking number if
we don't have a CVE. A bug in the BTS would do, for example. I'd be
happy to do that administrativa if you wish.

[...]

The patch otherwise looks sound and should be uploaded.

I believe the next step is to:

 1. open a bug report in the BTS
 2. mention it in the changelog
 3. upload the package to security-master
 4. issue a DLA when the package is accepted

I'd be happy, like anyone else in the LTS team I'm sure, to take on any
or all of those tasks, at your discretion.

Cheers,

A.
-- 
Un éducateur dans l'âme ne prend rien au sérieux que par rapport
à ses disciples -- soi-même non excepté.
- Nietzsche, "Par delà le bien et le mal"

DLA-1654-1 libav missing?

[Antoine Beaupré]

Hi,

It looks like no advisory was sent out for this upload.

I noticed this while auditing the website for missing advisories. Yu'll
be happy to know that with the current patchset, this is the only older
advisory missing until the 2018 gap due to the mailing list crash. :)
See also:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/53

A.

On 2019-01-31 22:50:29, Mike Gabriel wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Format: 1.8
> Date: Mon, 21 Jan 2019 15:30:50 +0100
> Source: libav
> Binary: libav-tools libav-dbg libav-doc libavutil54 libavcodec56 
> libavdevice55 libavformat56 libavfilter5 libswscale3 libavutil-dev 
> libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libswscale-dev 
> libavresample-dev libavresample2 libavcodec-extra-56 libavcodec-extra
> Architecture: source all amd64
> Version: 6:11.12-1~deb8u5
> Distribution: jessie-security
> Urgency: medium
> Maintainer: Debian Multimedia Maintainers 
> 
> Changed-By: Mike Gabriel 
> Description:
>  libav-dbg  - Debug symbols for Libav related packages
>  libav-doc  - Documentation of the Libav API
>  libav-tools - Multimedia player, encoder and transcoder
>  libavcodec-dev - Development files for libavcodec
>  libavcodec-extra - Libav codec library (additional codecs meta-package)
>  libavcodec-extra-56 - Libav codec library (additional codecs)
>  libavcodec56 - Libav codec library
>  libavdevice-dev - Development files for libavdevice
>  libavdevice55 - Libav device handling library
>  libavfilter-dev - Development files for libavfilter
>  libavfilter5 - Libav video filtering library
>  libavformat-dev - Development files for libavformat
>  libavformat56 - Libav file format library
>  libavresample-dev - Development files for libavresample
>  libavresample2 - Libav audio resampling library
>  libavutil-dev - Development files for libavutil
>  libavutil54 - Libav utility library
>  libswscale-dev - Development files for libswscale
>  libswscale3 - Libav video scaling library
> Changes:
>  libav (6:11.12-1~deb8u5) jessie-security; urgency=medium
>  .
>* Non-maintainer upload by the LTS team..
>* CVE-2015-1207: avformat/mov: Fix integer overflow in
>  mov_read_udta_string().
>* CVE-2017-14169: In mxf_read_primer_pack() function, catch item_num
>  being negative, to avoid bypassing the check for a large value.
>* CVE-2017-14223: avformat/asfdec: Fix DoS in asf_build_simple_index().
>  Fix missing EOF check in loop.
>* CVE-2017-7863: Bail out if trns was found before IHDR or IDAT in PNG 
> data.
>* CVE-2014-8542: Add case for jv to avcodec_align_dimensions2().
>* CVE-2017-7865: Add case for interplay_video to 
> avcodec_align_dimensions2().
> Checksums-Sha1:
>  d1c670a1ede382a8c0a379895d99f2de6a9d8309 4023 libav_11.12-1~deb8u5.dsc
>  4b74b8714868803c8b6b23df9b31e3c1d7e3a456 71392 
> libav_11.12-1~deb8u5.debian.tar.xz
>  c364c438d26c1fe025166e7cbb541f54c7318496 18445106 
> libav-doc_11.12-1~deb8u5_all.deb
>  3862b02852aec371a5350796e07af48777ff4b39 66616 
> libavcodec-extra_11.12-1~deb8u5_all.deb
>  894d06bcacdf38396263eee1447d6576432f66da 474142 
> libav-tools_11.12-1~deb8u5_amd64.deb
>  df4f9221da0209d855c8b43c4922f60fd66ba90a 21594462 
> libav-dbg_11.12-1~deb8u5_amd64.deb
>  210fc9597bc1f20b2b47d9f10b13bb0eec6b5aa2 131622 
> libavutil54_11.12-1~deb8u5_amd64.deb
>  8bbd6cb7be9e56840566b69514929d90df355428 3108618 
> libavcodec56_11.12-1~deb8u5_amd64.deb
>  9f492a7d32650e046c2e94e70c6eadc0e8c977a4 91496 
> libavdevice55_11.12-1~deb8u5_amd64.deb
>  66eac9eea9f2bc0640a1c123056cf39eb18ee707 586708 
> libavformat56_11.12-1~deb8u5_amd64.deb
>  4ef6c0f8076ef84482b5e44a1b6b2a89448a4df1 172670 
> libavfilter5_11.12-1~deb8u5_amd64.deb
>  08c94862cba93c2a25af004cd55f0f9ab9338788 145058 
> libswscale3_11.12-1~deb8u5_amd64.deb
>  375995325b23da7c3a6902d483527385c22151b2 193714 
> libavutil-dev_11.12-1~deb8u5_amd64.deb
>  1a782d1210d682704263ad81147994eed571273b 3431898 
> libavcodec-dev_11.12-1~deb8u5_amd64.deb
>  1f9411c19c4d4d1c4e3bfa85d4097455c998de8a 94544 
> libavdevice-dev_11.12-1~deb8u5_amd64.deb
>  8e04147d34c357e9de0321049235903b725b34bc 692202 
> libavformat-dev_11.12-1~deb8u5_amd64.deb
>  31887c8c10b450d83b2ffc2fa63a3d1d176f6818 203786 
> libavfilter-dev_11.12-1~deb8u5_amd64.deb
>  b8261e35500052f89513f64f8fb9f1e498719273 157922 
> libswscale-dev_11.12-1~deb8u5_amd64.deb
>  419950f0408b0521c48847088b03aecf17c67d96 112968 
> libavresample-dev_11.12-1~deb8u5_amd64.deb
>  7d2e43e8e94af40eb99dd423a8943292a98beb39 104020 
> libavresample2_11.12-1~deb8u5_amd64.deb
>  9183cc4c375475f84d9b6cb45e8f6790b1264c46 3113166 
> libavcodec-extra-56_11.12-1~deb8u5_amd64.deb
> Checksums-Sha256:
>  814e2e8337cf050ed55f62c1a8ec60934e027df64b84ed9bce9cf8a2c8816578 4023 
> libav_11.12-1~deb8u5.dsc
>  b8c0bc197ef098a9bae1c9180ed3220606fe9c80f9b44ab9d98637417dae28ef 71392 
> libav_11.12-1~deb8u5.debian.tar.xz
>  ab761dea136d2bf1171783c4e779edc6bb9c9a4dc058379ff23f77db0e5b05c5 18445106 
> l

LTS report for January

[Antoine Beaupré]

Hello,

Here's my report for January.

## sbuild regression

My first stop this month was to notice a problem with sbuild from
buster running on jessie chroots ([bug #920227][]). After discussions
on IRC, where fellow Debian Developers basically fabricated me a patch
on the fly, I sent [merge request #5][] which was promptly accepted
and should be part of the next upload.

 [merge request #5]: https://salsa.debian.org/debian/sbuild/merge_requests/5
 [bug #920227]: https://bugs.debian.org/920227

## systemd

I again worked a bit on systemd. I marked [CVE-2018-16866][] as not
affecting jessie, because the vulnerable code was introduced in later
versions. I backported fixes for [CVE-2018-16864][] and
[CVE-2018-16865][] and published the resulting package as
[DLA-1639-1][], after doing some smoke-testing.

I still haven't gotten the courage to dig back in the large backport
of `tmpfiles.c` required to fix [CVE-2018-6954][].

 [CVE-2018-16864]: https://security-tracker.debian.org/tracker/CVE-2018-16864
 [CVE-2018-16865]: https://security-tracker.debian.org/tracker/CVE-2018-16865
 [CVE-2018-16866]: https://security-tracker.debian.org/tracker/CVE-2018-16866
 [DLA-1639-1]: https://lists.debian.org/20190123042620.ga4...@curie.anarc.at
 [CVE-2018-6954]: https://security-tracker.debian.org/tracker/CVE-2018-6954

## tiff review

I did a quick review of the fix for [CVE-2018-19210][] [proposed
upstream][] which seems to have brought upstream's attention back to
the issue and finally merge the fix.

 [CVE-2018-19210]: https://security-tracker.debian.org/tracker/CVE-2018-19210
 [proposed upstream]: https://gitlab.com/libtiff/libtiff/merge_requests/47

## Enigmail EOL

After [reflecting on the issue][] one last time, I decided to mark
Enigmail as EOL in jessie, which involved an upload of
debian-security-support to jessie ([DLA-1657-1][]), unstable and a
[stable-pu][].

 [stable-pu]: https://bugs.debian.org/921117
 [DLA-1657-1]: https://lists.debian.org/87sgx72z6a@curie.anarc.at
 [reflecting on the issue]: 
https://lists.debian.org/87tvi0cw99@curie.anarc.at

## DLA / website work

I worked again on fixing the LTS workflow with the DLAs on the main
website. Reminder: hundreds of DLAs are missing from the website ([bug 
#859122][]) 
and we need to figure out a way to automate the import of
newer ones ([bug #859123][]).

The details of my work are in [this post][] but basically, I readded a
bunch more DLAs to the MR and got some good feedback from the www team
(in [MR #47][]). There's still some work to be done on the DLA parser,
although I have merged my own improvements ([MR #46][]) as I felt they
had been sitting for review long enough.

Next step is to deal with noise like PGP signatures correctly and
thoroughly review the proposed changes.

While I was in the webmaster's backyard, I tried to help with a few
things by merging a [LTS errata][] and a [paypal integration note][]
although the latter ended up being a mistake that was reverted. I also
rejected some issues ([MR #13][], [MR #15][]) during a quick triage.

 [bug #859122]: https://bugs.debian.org/859122
 [bug #859123]: https://bugs.debian.org/859123
 [this post]: https://lists.debian.org/87o97v2vt1@curie.anarc.at
 [MR #47]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/47
 [MR #46]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/46>
 [LTS errata]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/40
 [paypal integration note]: 
https://salsa.debian.org/webmaster-team/webwml/merge_requests/39
 [MR #15]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/15
 [MR #13]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/13

## phpMyAdmin review

After reading this [email from Lucas Kanashiro][], I [reviewed][]
[CVE-2018-19968][] and reviewed and tested [CVE-2018-19970][].

 [reviewed]: https://lists.debian.org/87imy32tlu@curie.anarc.at
 [email from Lucas Kanashiro]: 
https://lists.debian.org/c2fbedd3-436c-0497-c987-69fa5b213...@riseup.net
 [CVE-2018-19970]: https://security-tracker.debian.org/tracker/CVE-2018-19970
 [CVE-2018-19968]: https://security-tracker.debian.org/tracker/CVE-2018-19968

-- 
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more,
that is poor.- Lucius Annaeus Seneca (65 AD)


signature.asc
Description: PGP signature

Re: DLAs not arriving at my mailbox and I think it may be a general issue

[Antoine Beaupré]

On 2019-02-03 22:09:20, Ola Lundqvist wrote:
> If someone have an idea on how I may have screwed this up myself I'm happy
> to know. :-)

After a quick glance, this might be gmail obsessing over DMARC. Typical
problems all mailing lists providers have suffered since this infamous
standard came up - the workaround is usually to rewrite the From header
in mailing lists to be the list itself.

I'm actually surprised to see that lists.debian.org hasn't implemented
such workarounds yet, I would think this is a very common occurence...

Probably something to discuss with listmasters, but check in the BTS
first (lists.debian.org metapackage).

Cheers,

A.

-- 
Be the change you want to see happen.
- Arleen Lorrance, 1974

Re: Review and testing phpmyadmin for Jessie LTS

[Antoine Beaupré]

Hi,

I've reviewed both patches and they look sane. I did some smoke tests on
the package (installed it and mariadb in a VM) and it seems to run
okay. I also did an naive attempt at exploiting CVE-2018-19970 but
couldn't succeed, which can either mean I failed or the flaw is
fixed. :)

Good job,

A.

On 2019-01-29 15:27:59, Lucas Kanashiro wrote:
> Hugo,
>
> I just uploaded a new package fixing the issue that you pointed out here
> again: https://people.debian.org/~kanashiro/jessie_lts/phpmyadmin/
>
> I didn't perform any new testing yet, I want to do it soon. But if you
> could have a try again it would be great.
>
> Cheers.
>
> On 1/29/19 11:37 AM, Hugo Lefeuvre wrote:
>> Hi Lucas,
>>
>>> Great, sorry for being a victim of my lack of attention... I've never
>>> used phpmyadmin (that's why I requested some testing) and my local tests
>>> were so basic that they didn't catch this issue. Shame on me.
>> That's 
>
>> fine, main thing is issues have been found before upload :)
>>  
>>> I'll fix it and perform some tests. Thanks for the review and the time
>>> that you spent on this.
>> I am available for testing the updated package if needed.
>>
>> cheers,
>>  Hugo
>>
> -- 
> Lucas Kanashiro

-- 
Drowning people
Sometimes die
Fighting their rescuers.
- Octavia Butler

Re: automating process for publishing DLAs on the website

[Antoine Beaupré]

I'm looking at the update process for DLAs on the main website again. In
#859122, I've mentioned that I have, again, updated the MR to include
all DLAs up to DLA-1657-1. The www team folks tell me they will review
that this weekend.

But that mass-import process is kind of clunky: every time I need to
download the entire archive, extract it, parse every email, and add the
diff. It's slow and error prone and not automated, of course.

So I'm bringing back the topic of how we should automate this.

If I remember correctly, the current proposal is to add this as part of
the workflow for LTS developers: when you send the announcement on the
list, you also send a merge request on the website. This would get
reviewed and merged by another LTS developer with access to the webwml
repository:

https://salsa.debian.org/webmaster-team/webwml/project_members

At least me and Holger have those accesses for now, and I would suggest
people who do regular frontdesk work could make sure those MR are
reviewed and merged in a timely manner as well.

Would that work for everyone here?

If so, we can *already* start with that process, which would actually
look like this.

One time setup:

git clone https://salsa.debian.org/webmaster-team/webwml
cd webwml
salsa fork

Each time there's a new DLA:

./bin/gen-DLA --save $CHANGES # correctly claim the DLA
$EDITOR DLA--Y # make sure the text is okay, like you normally
   # do before the email gets sent
mutt -H DLA--Y # send the email
cd ~/src/webwml/english/security
git checkout -b DLA--Y
./parse-dla.pl ~-/DLA--Y
git add 2019/DLA-XXX-Y*
$EDITOR 2019/DLA--Y* # make sure everything looks good
git add 2019/DLA-XXX-Y*
git commit -m'DLA--Y advisory'
git push -u origin
salsa mr

(Note: that "salsa" command is a new one shipped with devscripts. I only
read the manpage and didn't actually test that. :) Unfortunately, once
the MR is created, there's no magic command to merge it for
reviewers... Seems like this needs to be done through the web
interface.)

I'd be happy if someone sat down and actually tested that procedure.

The alternative, of course, is to setup "something" that would
automatically parse emails to debian-lts-announce@l.d.o but I suspect
that could be much more brittle than a manual operation like the above,
even if it means slightly more work.

Thank you for your attention.

A.

-- 
Hard times are coming when we will be wanting the voices of writers
who can see alternatives to how we live now and can see through our
fear-stricken society and its obsessive technologies to other ways of
being, and even imagine some real grounds for hope. We will need
writers who can remember freedom. Poets, visionaries—the realists of a
larger reality. - Ursula Le Guin

Re: about 500 DLAs missing from the website

[Antoine Beaupré]

On 2018-12-19 18:05:36, Antoine Beaupré wrote:
> The DLAs are visible here:
>
> https://www-staging.debian.org/security/2018/dla-1580
>
> One thing that's unclear is how the entries get added to the main list
> in:
>
> https://www-staging.debian.org/security/2018/
>
> That still needs to be cleared up.

That's actually in the webwml code, I opened a MR to add those:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/50

> In the meantime, I did do a mass
> import here:
>
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/47

... and I just updated that with the latest, up until DLA-1657-1.

A.

-- 
It will be a great day when our schools get all the money they need
and the air force has to hold a bake sale to buy a bomber.
- Unknown

HEADS UP: enigmail to be EOL'd by the end of week

[Antoine Beaupré]

On 2019-01-22 15:21:19, Daniel Kahn Gillmor wrote:
> On Tue 2019-01-22 14:44:50 -0500, Antoine Beaupré wrote:
>> I'm not sure we should remove *both* enigmail and thunderbird from
>> jessie. I understand there are problems with the a.m.o version, but then
>> that's somewhat outside of scope of LTS. It would seem rather unfair for
>> users of thunderbird that do *not* use enigmail to have their favorite
>> email client yanked away from them because a third-party plugin fails to
>> be maintainer correctly.
>>
>> Right now I'm leaning towards completely dropping support from Enigmail
>> in jessie, since the changes required are too far ranging to be
>> comfortable.
>
> I've yet to hear a specific concern about a known failure that derives
> from the backporting work that anarcat did.
>
> I know of several concrete failures that will result from users of
> Jessie pulling enigmail from a.m.o.
>
> telling jessie users that they should pull from a.m.o. is effectively
> doing them a disservice, if they think they're being supported.
>
> If i was responsible for maintaining jessie, i'd prefer to go the route
> of the backported fixes, but i don't have the capacity to spend a lot of
> time on jessie itself, so i guess my preferences should be weighed
> accordingly.

So I understand where you're coming from. As you suggested, however, I
feel I should give more weight to my LTS and security team members in
this specific case. If this was just enigmail and gpg, I would
definitely defer to you as you are a core maintainer of those packages.

The update touches much more than the gpg toolchain. I don't feel
comfortable spending more time testing the repercussions of the change
throughout the ever expending dependencies of gcrypt.

So I will look at sending a EOL announcement on the mailing list soon,
and do the required debian-security-support changes as well, unless
someone objects by the end of the week. It's too bad all this work will
get lost, but I don't have the energy to push this one against the tide
anymore. And if someone would or could have picked it up, they would
have done so already.

The best course, at this point, seems to let this die already.

A.

-- 
The greatest crimes in the world are not committed by people breaking
the rules but by people following the rules. It's people who follow
orders that drop bombs and massacre villages.
- Banksy

Re: proposed removal of Enigmail from jessie/LTS

[Antoine Beaupré]

On 2018-12-20 14:30:49, Daniel Kahn Gillmor wrote:
> fwiw, i agree with jmm that encouraging users to upgrade to stable is
> the best outcome here.  The question is, what are we doing to the folks
> who (for whatever reason) can't make that switch.
>
> On Thu 2018-12-20 17:01:30 +0100, Moritz Mühlenhoff wrote:
>> If suddenly all kinds of core libraries are getting updated in jessie
>> (with minimal testing)
>
> we're not talking about "all kinds of core libraries" -- we're talking
> about a very selected subset.  And i don't think we're talking about
> "minimal testing", there has been a reasonable amount of testing.  I
> think we ought to consider this specific case, rather than trying to
> make a systematized rule.
>
>> EOLing enigmail seems the only sensible option by far.
>
> the main issue with EOLing enigmail is that users will (instead of
> upgrading to stable) typically just use the version from
> addons.mozilla.org, which has both non-DFSG-free issues and
> significantly scary behavior (downloading and silently executing
> binaries from the web on the user's behalf).
>
> If we're EOLing thunderbird on jessie entirely, that'd be one thing (and
> i'd be ok with it).  But EOLing enigmail on its own sounds like a route
> to trouble for enigmail users on jessie.

So looking back at this problem again...

I'm not sure we should remove *both* enigmail and thunderbird from
jessie. I understand there are problems with the a.m.o version, but then
that's somewhat outside of scope of LTS. It would seem rather unfair for
users of thunderbird that do *not* use enigmail to have their favorite
email client yanked away from them because a third-party plugin fails to
be maintainer correctly.

Right now I'm leaning towards completely dropping support from Enigmail
in jessie, since the changes required are too far ranging to be
comfortable.

But I could be convinced otherwise.

A.

-- 
Il n'existe aucune limite sacrée ou non à l'action de l'homme dans
l'univers. Depuis nos origines nous avons le choix: être aveuglé par
la vérité ou coudre nos paupières.
- [no one is innocent]

Re: limits of automatic unclaiming (Re: pdns/pdns-recursor)

[Antoine Beaupré]

On 2018-12-27 14:16:22, Holger Levsen wrote:
> Hi Abhijith, Antoine,
>
> I just ran "./bin/review-update-needed --lts --unclaim 1814400 --exclude
> linux linux-4.9" today and it unclaimed pdns/pdns-recursor as the last
> NOTE entries were more than 3 weeks ago. However Abhijith wrote here:
>
> On Sat, Dec 22, 2018 at 01:02:06PM +0530, Abhijith PA wrote:
>> I am currently working on pdns[1] and pdns-recursor's[2] security issues
>> and which are marked as no-DSA, postponed. Last month I picked it up as
>> I had some time remaining. Upstream patch is available for the remaining
>> issues(CVE-2018-10851, CVE-2018-14644). Both patches contain C++11
>> specific code and I was only able to port CVE-2018-14644. In
>> CVE-2018-10851 I used 'boost' library's smart pointers to deal with the
>> default C++11 smart pointers, but I am not quite there. I was wondering
>> whether anyone here can _help_ me with it. I don't want to spend anymore
>
> Abhijith, thanks for this update! Just please also update the notes for
> these packages in data/dla-needed.txt.
>
> Antoine, this is an example were automatic unclaim might be problematic,
> as it would have unclaimed pdns/pdns-recursor which is not ideal. (For
> now, just ment as a data point.)

I'm not sure it would be that problematic. I think Abhijith could
(should?) have posted a note in dla-needed.txt summarizing this
situation or adding a pointer to the above email.

The idea, anyways, is that worst case the issue gets unclaimed and
reclaimed by someone else. In the above case, Abhijith specifically
identified that as a *desirable* outcome, so I'm not sure it's really a
problem.

Personally, I believe the general case of unexpected unclaims will be
the package will be unclaimed and *not* claimed by anyone else. At least
that's my experience of unclaiming "hard" packages that I couldn't
finish within a month.

A.

-- 
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more,
that is poor.- Lucius Annaeus Seneca (65 AD)

Re: monthly report

[Antoine Beaupré]

[Ugh. Sorry about that last email, the markup was terrible - I
copy-pasted from Emacs' markdown mode which ellipsises links... Here's a
better formatted one.]

## Enigmail / GnuPG 2.1 backport

I've spent a significant amount of time working on the Enigmail
backport for a third consecutive month. I first [published][] a
straightforward backport of GnuPG 2.1 depending on the libraries
available in jessie-backports last month, but then I actually [rebuilt
the dependencies as well][] and sent a "HEADS UP" to the mailing list,
which finally got peoples' attention.

[rebuilt the dependencies as well]: 
https://lists.debian.org/87zht94219@curie.anarc.at
[published]: https://lists.debian.org/87r2fqnja0@curie.anarc.at

There are many changes bundled in that possible update: GnuPG actually
depends on about half a dozen other libraries, mostly specific to
GnuPG, but in some cases used by third party software as well. The
most problematic one is [libgcrypt20][] which Emilio Pozuelo
Monfort [said][] included tens of thousands of lines of change. So
even though I tested the change against cryptsetup, gpgme, libotr,
mutt and Enigmail itself, there are concerns that other dependencies
that merit more testing as well.

[libgcrypt20]: https://tracker.debian.org/libgcrypt20
[said]: https://lists.debian.org/6a8835ce-f54d-faa6-2689-aeb91b1b6...@debian.org

This caused many to raise the idea of aborting the work and simply
marking Enigmail as unsupported in jessie. But Daniel Kahn Gillmor
[suggested][] this should also imply removing Thunderbird itself from
jessie, as simply removing Enigmail will force people to use the
binaries from Mozilla's add-ons service. Gillmor [explained][] those
builds include a OpenPGP.js implementation of dubious origin, which is
especially problematic considering it deals with sensitive private key
material.

[explained]: https://lists.debian.org/878t0mzlv2@fifthhorseman.net
[suggested]: https://lists.debian.org/87pntxxg6h@fifthhorseman.net

It's unclear which way this will go next. I'm taking a break of this
issue and hope others will be able to test the packges. If we keep on
working on Enigmail, the next step will be to re-enable the `dbg`
packages that were removed in the stretch updates, use dh-autoreconf
correctly, remove some `mingw` pacakges I forgot and [test gcrypt like
crazy][] ([especially the 1.7 update][]). We'd also update to the
latest Enigmail, as it fixes issues that forced the Tails project to
[disable autocrypt][] because of [weird interactions][] that make it
send cleartext (instead of encrypted) mail in some cases.

[weird interactions]: https://redmine.tails.boum.org/code/issues/15923
[disable autocrypt]: https://redmine.tails.boum.org/code/issues/16186
[especially the 1.7 update]: 
https://lists.debian.org/20181220130018.ga5...@argenau.bebt.de
[test gcrypt like crazy]: 
https://lists.debian.org/1c1ca626-de3c-1f72-3c95-e280c1bdf...@debian.org

## Automatic unclaimer

My [previous report][] yielded an [interesting discussion][] around my
work on the security tracker, specifically the "automatic unclaimer"
designed to unassign issues that are idle for too long. Holger Levsen,
with his new coordinator hat, tested the program and found many bugs
and missing features, which I was happy to implement. After many
patches and back and forth, it seems the program is working well,
although it's ran by hand by the coordinator.

[interesting discussion]: 
https://lists.debian.org/debian-lts/2018/11/msg00097.html
[previous report]: https://lists.debian.org/debian-lts/2018/11/msg00090.html

## DLA website publication

I took a look at various issues surrounding the publication of LTS
advisories on the main debian.org website. While normal security
advisories are regularly published on [debian.org/security][] [about
500+ DLAs are missing from the website][], mainly because [DLAs are
not automatically imported][].

[DLAs are not automatically imported]: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123
[about 500+ DLAs are missing from the website]: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859122
[debian.org/security]: https://www.debian.org/security/

As it turns out, there is a script called `parse-dla.pl` that is
designed to handle those entries but for some reason, they are not
imported anymore. So I got to work to import the backlog and make sure
new entries are properly imported.

[Various fixes for parse-dla.pl][] were necessary to properly parse
messages both from the templates generated by `gen-DLA` and the
existing archives correctly. then I tested the result with two
existing advisories, which resulted in two MR on the webml repo: [add
data for DLA-1561][] and [add dla-1580 advisory][]. I requested and
was granted access to the repo, and eventually merged my own MRs after
a review from Levsen.

[add dla-1580 advisory]: 
https://salsa.debian.org/webmaster-team/webwml/merge_requests/42
[add data for DLA-1561]: 
https://salsa.debian.org/webmaster-tea

monthly report

[Antoine Beaupré]

Hi!

This is my monthly report, published on the mailing list as I haven't
found time to do my personal report on my blog in over a month now...

## Enigmail / GnuPG 2.1 backport

I've spent a significant amount of time working on the Enigmail
backport for a third consecutive month. I first 
[published](https://lists.debian.org/87r2fqnja0@curie.anarc.at) a
straightforward backport of GnuPG 2.1 depending on the libraries
available in jessie-backports last month, but then I actually [rebuilt
the dependencies as 
well](https://lists.debian.org/87zht94219@curie.anarc.at) and sent a "HEADS 
UP" to the mailing
list, which finally got peoples' attention.

There are many changes bundled in that possible update: GnuPG actually
depends on about half a dozen other libraries, mostly specific to
GnuPG, but in some cases used by third party software as well. The
most problematic one is [[!debpkg libgcrypt20]] which Emilio Pozuelo
Monfort 
[said](https://lists.debian.org/6a8835ce-f54d-faa6-2689-aeb91b1b6...@debian.org)
 included tens of thousands of lines of change. So
even though I tested the change against cryptsetup, gpgme, libotr,
mutt and Enigmail itself, there are concerns that other dependencies
that merit more testing as well.

This caused many to raise the idea of aborting the work and simply
marking Enigmail as unsupported in jessie. But Daniel Kahn Gillmor
[suggested](https://lists.debian.org/87pntxxg6h@fifthhorseman.net) this 
should also imply removing Thunderbird itself from
jessie, as simply removing Enigmail will force people to use the
binaries from Mozilla's add-ons service. Gillmor 
[explained](https://lists.debian.org/878t0mzlv2@fifthhorseman.net) those
builds include a OpenPGP.js implementation of dubious origin, which is
especially problematic considering it deals with sensitive private key
material.

It's unclear which way this will go next. I'm taking a break of this
issue and hope others will be able to test the packges. If we keep on
working on Enigmail, the next step will be to re-enable the `dbg`
packages that were removed in the stretch updates, use dh-autoreconf
correctly, remove some `mingw` pacakges I forgot and [test gcrypt like
crazy](https://lists.debian.org/1c1ca626-de3c-1f72-3c95-e280c1bdf...@debian.org)
 ([especially the 1.7 
update](https://lists.debian.org/20181220130018.ga5...@argenau.bebt.de)). We'd 
also update to the
latest Enigmail, as it fixes issues that forced the Tails project to
[disable autocrypt](https://redmine.tails.boum.org/code/issues/16186) because 
of [weird interactions](https://redmine.tails.boum.org/code/issues/15923) that 
make it
send cleartext (instead of encrypted) mail in some cases.

## Automatic unclaimer

My [previous report][] yielded an [interesting 
discussion](https://lists.debian.org/debian-lts/2018/11/msg00097.html) around
my work on the security tracker, specifically the "automatic
unclaimer" designed to unassign issues that are idle for too
long. Holger Levsen, with his new coordinator hat, tested the program
and found many bugs and missing features, which I was happy to
implement. After many patches and back and forth, it seems the program
is working well, although it's ran by hand by the coordinator.

[previous report]: https://lists.debian.org/debian-lts/2018/11/msg00090.html

## DLA website publication

I took a look at various issues surrounding the publication of LTS
advisories on the main debian.org website. While normal security
advisories are regularly published on 
[debian.org/security](https://www.debian.org/security/) [about
500+ DLAs are missing from the 
website](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859122), mainly 
because [DLAs are
not automatically 
imported](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123).

As it turns out, there is a script called `parse-dla.pl` that is
designed to handle those entries but for some reason, they are not
imported anymore. So I got to work to import the backlog and make sure
new entries are properly imported.

[Various fixes for 
parse-dla.pl](https://salsa.debian.org/webmaster-team/webwml/merge_requests/43) 
were necessary to properly parse
messages both from the templates generated by `gen-DLA` and the
existing archives correctly. then I tested the result with two
existing advisories, which resulted in two MR on the webml repo: [add
data for 
DLA-1561](https://salsa.debian.org/webmaster-team/webwml/merge_requests/41) and 
[add dla-1580 
advisory](https://salsa.debian.org/webmaster-team/webwml/merge_requests/42). I 
requested and
was granted access to the repo, and eventually merged my own MRs after
a review from Levsen.

I eventually used the following procedure to test importing the entire
archive:

rsync -vPa master.debian.org:/home/debian/lists/debian-lts-announce .
cd debian-lts-announce
xz -d \*.xz
cat \* > ../giant.mbox
mbox2maildir ../giant.mbox debian-lts-announce.d
for mail in debian-lts-announce.d/cur/\*; do
  ~/src/se

Re: proposed removal of Enigmail from jessie/LTS

[Antoine Beaupré]

On 2018-12-20 14:30:49, Daniel Kahn Gillmor wrote:
> fwiw, i agree with jmm that encouraging users to upgrade to stable is
> the best outcome here.  The question is, what are we doing to the folks
> who (for whatever reason) can't make that switch.
>
> On Thu 2018-12-20 17:01:30 +0100, Moritz Mühlenhoff wrote:
>> If suddenly all kinds of core libraries are getting updated in jessie
>> (with minimal testing)
>
> we're not talking about "all kinds of core libraries" -- we're talking
> about a very selected subset.  And i don't think we're talking about
> "minimal testing", there has been a reasonable amount of testing.  I
> think we ought to consider this specific case, rather than trying to
> make a systematized rule.
>
>> EOLing enigmail seems the only sensible option by far.
>
> the main issue with EOLing enigmail is that users will (instead of
> upgrading to stable) typically just use the version from
> addons.mozilla.org, which has both non-DFSG-free issues and
> significantly scary behavior (downloading and silently executing
> binaries from the web on the user's behalf).
>
> If we're EOLing thunderbird on jessie entirely, that'd be one thing (and
> i'd be ok with it).  But EOLing enigmail on its own sounds like a route
> to trouble for enigmail users on jessie.

Thanks both of you for your feedback. I'm running out of time until the
holidays so I will personally let that one rest until January.

The packages are on people.d.o and can be tested by anyone. I think it
would be very useful if people would pursue that.

Alternatively, we can just drop support for Enigmail in jessie, as I
proposed in September. It just feels it's too bad to have wasted all
that time only to give up when we're so close to the goal, only because
of libgcrypt.

But, as Emilio said, we coudln't have forseen those difficulties back
then so maybe it's fair to just give up at this point. I would be
worried about our users however...

Have a nice holiday season, or congress for those of you with that
privilege. ;)

A.

-- 
The price of reliability is the pursuit of the utmost simplicity.
- C.A.R. Hoare

Re: automating process for publishing DLAs on the website

[Antoine Beaupré]

On 2018-12-19 18:05:36, Antoine Beaupré wrote:
> On 2018-12-19 11:09:10, Antoine Beaupré wrote:
>> On 2018-12-19 14:58:29, Holger Levsen wrote:
>>> On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote:
>>>> > I also note #859122 is not marked 'patch'.
>>>> fixed.
>>>  
>>> :)
>>>
>>>> >> I've requested access as an individual, for what that's worth.
>>>> > you were given access a week ago, too. \o/
>>>> yup. I guess I could just merge my own patches now... or do you want to
>>>> review them and do that instead, so we can get at least a second pair of
>>>> eyes on them?
>>>  
>>> I just briefly reviewed them (not being a debian-www expert) and they
>>> a.) looked good and b.) only affect our areas, so I do think you should
>>> merge them.
>>
>> i merged both patches, but it doesn't look like the change showed up on
>> the main website yet:
>>
>> https://www.debian.org/security/2018/
>>
>> ... doesn't list any DLA, and those are both 404s:
>>
>> https://www.debian.org/security/2018/dla-1580
>> https://www.debian.org/security/2018/dla-1561
>
> This is actually processed every few hours, not directly after the CI
> runs.
>
> The DLAs are visible here:
>
> https://www-staging.debian.org/security/2018/dla-1580
>
> One thing that's unclear is how the entries get added to the main list
> in:
>
> https://www-staging.debian.org/security/2018/
>
> That still needs to be cleared up. In the meantime, I did do a mass
> import here:
>
> https://salsa.debian.org/webmaster-team/webwml/merge_requests/47

Sigh. I forgot to add that one issue that came up is duplicates: even
though the security tracker enforces unique DLA identifiers fairly well,
human error still creeps in and leads to duplicate DLA identifiers in
the wild. This will make automation harder: the current parser croaks
out on duplicate identifiers (and rightly so).

I guess we can just punt that back to the humans: they just need to
issue a new advisory with the correct identifier.

The problem is this is first come, first serve: if DLA X is claimed by
alice and bob comes in and publishes DLA X before alice has time to send
the mail, DLA X is on the website and can't be reverted by the script
and will need manual correction. I am worried this will be forgetten in
the future...

A.
-- 
The difference between a democracy and a dictatorship is that in a
democracy you vote first and take orders later; in a dictatorship you
don't have to waste your time voting.
 - Charles Bukowski

Re: automating process for publishing DLAs on the website

[Antoine Beaupré]

On 2018-12-19 11:09:10, Antoine Beaupré wrote:
> On 2018-12-19 14:58:29, Holger Levsen wrote:
>> On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote:
>>> > I also note #859122 is not marked 'patch'.
>>> fixed.
>>  
>> :)
>>
>>> >> I've requested access as an individual, for what that's worth.
>>> > you were given access a week ago, too. \o/
>>> yup. I guess I could just merge my own patches now... or do you want to
>>> review them and do that instead, so we can get at least a second pair of
>>> eyes on them?
>>  
>> I just briefly reviewed them (not being a debian-www expert) and they
>> a.) looked good and b.) only affect our areas, so I do think you should
>> merge them.
>
> i merged both patches, but it doesn't look like the change showed up on
> the main website yet:
>
> https://www.debian.org/security/2018/
>
> ... doesn't list any DLA, and those are both 404s:
>
> https://www.debian.org/security/2018/dla-1580
> https://www.debian.org/security/2018/dla-1561

This is actually processed every few hours, not directly after the CI
runs.

The DLAs are visible here:

https://www-staging.debian.org/security/2018/dla-1580

One thing that's unclear is how the entries get added to the main list
in:

https://www-staging.debian.org/security/2018/

That still needs to be cleared up. In the meantime, I did do a mass
import here:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/47

A.

-- 
Le péché est né avant la vertu, comme le moteur avant le frein.
 - Jean-Paul Sartre

Re: proposed removal of Enigmail from jessie/LTS

[Antoine Beaupré]

On 2018-12-19 21:22:21, Emilio Pozuelo Monfort wrote:
> Hi Antoine,
>
> On 19/12/2018 18:25, Antoine Beaupré wrote:
>> On 2018-12-19 17:03:26, Holger Levsen wrote:
>>> On Wed, Dec 19, 2018 at 11:40:07AM -0500, Antoine Beaupré wrote:
>>> [...]
>>> I've now also re-read this thread (for the 2nd time today..) and first
>>> I'd like to notice that all the concerns were only brought up in the
>>> last week, so it was definitly right from you to work on this for those
>>> months. Second, it now reads to me as if Emilio changed his mind after
>>> expressing concerns on Dec 14th, he indeed replied much more favorably
>>> on the 18th.
>> 
>> Thanks for your message, I'm relieved and happy to get support from
>> you. :)
>
> I'm sorry if my comments caused your frustration. I think you have done an
> amazing job getting all this work done. I just think we need to try and 
> balance
> the goal of supporting all packages that we can, versus the risk or causing
> regressions in important stuff.

You're right. Sorry I might have overreacted - I am going through some
intense family issues right now and I might be a little jittery. :)

>>> I mostly worried that you didnt test all dependent packages and that we
>>> essentially might break those when trying to support a package no
>>> customer has expressed need for. But then I also suppose such breakage
>>> could be fixed...
>> 
>> So I was mostly concerned about libgcrypt dependencies, and in
>> particular cryptsetup, and smoke tests seems to go through okay
>> there, for what that's worth...
>
> cryptsetup is definitely one of the main rdeps.  Also libgcrypt20 is used by
> systemd, ntfs-3g. There's also libssh, which is used by e.g. qemu, php-ssh2,
> libcurl...
>
> That doesn't mean we can't upgrade it. It just means it's an important package
> and the risk is higher due to its wide use and because of the extensive 
> changes.
> Just need to be extra careful.

Right.

>>> and now we are back to square one :/
>> 
>> Not really. We're actually at square N-1, we just need to do that one
>> final jump to get in the "let's actually support that newer version"
>> game. :p
>> 
>> Should we pursue this? Are there any other packages that should be
>> tested?
>> 
>> Would love other people's opinion as well...
>
> Maybe some of the other rdeps. libssh test suite (if it has one), systemd...
> However in the end it will come down to whether you feel confident to push 
> that
> out or think it's better to stay put.
>
> Whatever you decide, I'll do my best to help in any way I can.

That's great! :) Unfortunately I'm running out of time this month - I
have a measly 2-3h left this month and holidays are coming up so I don't
know if I'll be able to complete this before the new year.

A.
-- 
Celui qui ne connaît pas l'histoire est condamné à la revivre.
- Karl Marx

Re: proposed removal of Enigmail from jessie/LTS

[Antoine Beaupré]

On 2018-12-19 17:03:26, Holger Levsen wrote:
> On Wed, Dec 19, 2018 at 11:40:07AM -0500, Antoine Beaupré wrote:
> [...]
> I've now also re-read this thread (for the 2nd time today..) and first
> I'd like to notice that all the concerns were only brought up in the
> last week, so it was definitly right from you to work on this for those
> months. Second, it now reads to me as if Emilio changed his mind after
> expressing concerns on Dec 14th, he indeed replied much more favorably
> on the 18th.

Thanks for your message, I'm relieved and happy to get support from
you. :)

> I mostly worried that you didnt test all dependent packages and that we
> essentially might break those when trying to support a package no
> customer has expressed need for. But then I also suppose such breakage
> could be fixed...

So I was mostly concerned about libgcrypt dependencies, and in
particular cryptsetup, and smoke tests seems to go through okay
there, for what that's worth...

> and now we are back to square one :/

Not really. We're actually at square N-1, we just need to do that one
final jump to get in the "let's actually support that newer version"
game. :p

Should we pursue this? Are there any other packages that should be
tested?

Would love other people's opinion as well...

A.

-- 
Pour marcher au pas d'une musique militaire, il n'y a pas besoin de
cerveau, une moelle épinière suffit.
- Albert Einstein

Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

[Antoine Beaupré]

On 2018-12-18 14:34:06, Emilio Pozuelo Monfort wrote:

[...]

> Looking at a jessie -> jessie-new diff, I see that several -dbg packages are
> gone in your backports.

Yes. That's because they were switched to dbgsym in stretch, but that
mecanism wasn't supported in jessie. I did a "fast" backport which meant
just dropping those, but I could possibly re-create the -dbg packages
for jessie-security, especially considering we might trigger bugs and
regressions which could really use dbg/gdb support.

> There are some mingw builds as well, which in some cases
> don't seemto be installed, but e.g. libgpg-error actually adds a mingw 
> package.
> I would remove all that stuff.

Hmm... I *thought* I explicitely removed all that stuff, but i'll make
sure to remove that one as well, thanks for the catch!

> The npth diff is pretty trivial, basically comes down to this:
>
>  src/npth.c |  132 

Neat, I'll explicitely review that one then.

> libassuan is a bit larger, but not too bad:
>
> $ diff libassuan-2.*/src/ | diffstat | tail -1
>  26 files changed, 1492 insertions(+), 510 deletions(-)
>
> (some of that is Makefile.in)

Probably worth reviewing as well...

> libgpg-error has some autogenerated stuff, ignoring that it's mostly this:
>
>  estream.c| 1456 
> +--

... and same.

> libgcrypt is a bit more worrying, even after dropping most of the noise:
>
> $ diff libgcrypt20-1.*/ | filterdiff -x '*.pc/*' -x '*/debian/*' -x 
> '*/tests/*'
> | diffstat | tail -1
>  263 files changed, 51927 insertions(+), 14888 deletions(-)

Yeah, that's my concern as well.

Daniel, what do you think of that diff? Is that something we can
reasonably review? How much can we expect stability in that upgrade?

I know you stated before general principles of gpg vs lib / API
stability, but I'd be curious to hear your thoughts on gcrypt, in this
specific case.

> FWIW I see that Ubuntu added OpenPGP.js back, and is using gnupg 2.0.x in
> trusty. We ruled that out because supporting gnupg 2.0.x is unfeasible or
> because we are missing some dependencies for OpenGPG.js ? Can't we just use 
> the
> bundled code inside enigmail? Sorry if these questions have already been
> answered. I have looked at the various long threads but wasn't sure.

Yeah, I went down that rabbit hole... three months ago now! I documented
my work in bug #787774. It's a complicated set of nesting dependencies,
and many packages would first need to cross NEW in unstable (let alone
stretch / jessie) before this lands in Debian. A summary of the
situation is here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787774#49

I made a wiki page, back then, detailing all those dependencies. I am
just re-running the script again to get an accurate picture:

https://wiki.debian.org/Javascript/Nodejs/Tasks/openpgp

That's all stuff in unstable, mind you. All that would need to trickle
down in jessie somehow, and that includes npm/nodejs, which I am not
sure are in good health in jessie in the first place.

A.

-- 
During times of universal deceit, telling the truth becomes a
revolutionary act.   - Georges Orwell

proposed removal of Enigmail from jessie/LTS

[Antoine Beaupré]

On 2018-12-19 16:21:46, Holger Levsen wrote:
> Hi Antoine, dkg,
>
> On Sat, Dec 15, 2018 at 01:09:39PM +0100, Moritz Mühlenhoff wrote:
>> On Fri, Dec 14, 2018 at 09:08:42AM +0100, Emilio Pozuelo Monfort wrote:
>> > However given the impact of these library updates, I was wondering
>> > if we have considered to just mark enigmail as EOL in jessie? Obviously if 
>> > we
>> > can keep supporting stuff we should do that, but as you say these library
>> > updates affect important unrelated rdeps so we need to weigh that.
>> +1
>
> I've read this thread multiple times now and came to conclude that
> Moritz and Emilio are probably right here, also because - afaics - noone
> besides you two have tested the packages on
> https://people.debian.org/~anarcat/debian/jessie-lts/ and also mostly
> concerning whether they fix enigmail, not so much for subtile breakage
> in other parts. (Or did I miss something?)
>
> Then I also looked at the packages LTS customers (=sponsors) are using
> and noted neither enigmail nor libgcrypt20 are among those, so while I
> agree breaking/not fixing/declaring EOL of enigmail will be sad for our
> jessie users, I also think that most web users are using modern desktops
> now (though of course those still on jessie are bitten) and that keeping
> jessie stable should have highest priority.
>
> Of course, more tests could probably convince me again in the other
> direction.. ;)

So I appreciate finally getting feedback on this proposal, but I'll just
note that I've been personnally working on this project for over three
months now, and it's the first time the proposal to remove Enigmail from
jessie has been explicitely supported instead of the gnupg
backport. That is, as far as I can remember and find through archive
searches.

I've brought up the topic of how to deal with breakage on Enigmail
numerous times on this forum. The first thread starts here, in
September:

https://lists.debian.org/871s9fps8e@curie.anarc.at

I even explicitely proposed to remove enigmail from jessie here:

https://lists.debian.org/87pnwzngcy@curie.anarc.at

There was no explicit support for that idea and limited feedback on the
other proposals I brought up. After helping dkg with the stretch
package, thinking that would would eventually benefit jessie as well (or
ultimately even stretch-LTS), I waited another month and brought up the
proposals again:

https://lists.debian.org/87pnvra144@curie.anarc.at

Both Emilio and Daniel supported the idea of pushing the GnuPG 2.1
backport. So I did that and spent most of my LTS time for december
working on the GnuPG 2.1 upload.

I was just about to finalize the upload, based on Emilio's review of the
patchset, when I read your message. Now I'm at a loss at what to do with
this project.

Obviously, it would be easy to upload a new debian-security-support
package to declare Enigmail dead. But it would have been a much more
efficient use of our time if we would have decided that back in
september when I first brought up the idea.

I find this situation rather frustrating, to say the least. I understand
people don't always have time to read all messages and respond promptly
to proposals, but I think I've given that one plenty of time, so it's a
little difficult to just drop everything now, after so much work has
been done to finalize that backport.

A.

-- 
Le pouvoir n'est pas à conquérir, il est à détruire
- Jean-François Brient, de la servitude moderne

Re: automating process for publishing DLAs on the website

[Antoine Beaupré]

On 2018-12-19 14:58:29, Holger Levsen wrote:
> On Wed, Dec 19, 2018 at 09:52:19AM -0500, Antoine Beaupré wrote:
>> > I also note #859122 is not marked 'patch'.
>> fixed.
>  
> :)
>
>> >> I've requested access as an individual, for what that's worth.
>> > you were given access a week ago, too. \o/
>> yup. I guess I could just merge my own patches now... or do you want to
>> review them and do that instead, so we can get at least a second pair of
>> eyes on them?
>  
> I just briefly reviewed them (not being a debian-www expert) and they
> a.) looked good and b.) only affect our areas, so I do think you should
> merge them.

i merged both patches, but it doesn't look like the change showed up on
the main website yet:

https://www.debian.org/security/2018/

... doesn't list any DLA, and those are both 404s:

https://www.debian.org/security/2018/dla-1580
https://www.debian.org/security/2018/dla-1561

Any ideas?

A.

-- 
Twenty years from now you will be more disappointed by the things that
you didn't do than by the ones you did do. So throw off the bowlines.
Sail away from the safe harbor. Catch the trade winds in your sails.
Explore. Dream. Discover.  - Mark Twain

Re: automating process for publishing DLAs on the website

[Antoine Beaupré]

On 2018-12-19 14:44:02, Holger Levsen wrote:
> Hi Antoine,
>
> On Tue, Dec 11, 2018 at 10:15:15AM -0500, Antoine Beaupré wrote:

[...]

> I also note #859122 is not marked 'patch'.

fixed.

[...]

>> I've requested access as an individual, for what that's worth.
>
> you were given access a week ago, too. \o/

yup. I guess I could just merge my own patches now... or do you want to
review them and do that instead, so we can get at least a second pair of
eyes on them?

then if all is good I could push a batch to complete the backlog and get
us started on an ongoing workflow...

>> I've also got feedback from larjona on IRC, saying she didn't have time
>> to work on this yet, but ping'd the team to see if someone else
>> will. Otherwise she might be able to review our work in January.
>
> that's almost like next week ;)

right, time flies!

>> I wonder if we could consider more automation here to remove the manual
>> push/pull process, because it seems it will be a significant source of
>> friction in our process in the future...
>
> sure, more automation = better.
>
>> Anyways, hopefully we'll figure out a workflow soon enough. :)
>
> I'm confident we will, eventually. #859122 was filed >18 months ago, so
> I don't think it's suddenly urgent, though I fully agree it would be
> more than nice to have this fixed before the bug is two years old.

yep. i'm not in a rush...

a.

-- 
One of the strongest motives that leads men to art and science is
escape from everyday life with its painful crudity and hopeless
dreariness. Such men make this cosmos and its construction the pivot
of their emotional life, in order to find the peace and security which
they cannot find in the narrow whirlpool of personal experience.
   - Albert Einstein

Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

[Antoine Beaupré]

On 2018-12-14 09:08:42, Emilio Pozuelo Monfort wrote:
> On 13/12/2018 21:14, Antoine Beaupré wrote:
>> Hi,
>> 
>> This is the latest update in the Thunderbird / Enigmail changes that are
>> happening in jessie. I have built a series of test packages, partly from
>> stretch (gnupg2, enigmail) and partly from backports (libassuan,
>> libgcrypt, libgpg-error, npth) and uploaded them here:
>> 
>> https://people.debian.org/~anarcat/debian/jessie-lts/
>> 
>> I need people to test those packages, and not just enigmail users. Some
>> of those packages have pernicious and deep ramifications. I am
>> particularly worried about libgcrypt, which is used for example by
>> cryptsetup.
>
> I see that your tests have gone well so far (except for enigmail itself for
> unrelated reasons as you explain). This is great work, and I don't mean to 
> push
> back on it. However given the impact of these library updates, I was wondering
> if we have considered to just mark enigmail as EOL in jessie? Obviously if we
> can keep supporting stuff we should do that, but as you say these library
> updates affect important unrelated rdeps so we need to weigh that.

I have repeatedly considered this, and received almost zero feedback on
the idea, other than "we should support our users", which I took as a go
ahead to actually complete the backport.

I have outlined the tradeoffs of this in the past. For me, the biggest
concern is that users will blindly install Enigmail from the app store
and that actually has security vulnerabilities because the jessie gpg
version is too old, as I understand it.

> BTW I have briefly looked at the versions you have backported, and I wonder 
> why
> npth and libgpg-error have deb8u3 rather than deb8u1?

An oversight. I also need to use dh-autoreconf in enigmail as I have
been told it actually exists in jessie - not sure how I couldn't find
it. :)

> I haven't looked at your changes yet, but I will find some time to look at 
> them
> and give these packages a try.

Thanks! The more testing we get, the better off we'll be. :)

A.

-- 
No animal has more liberty than the cat; but it buries the mess it
makes. The cat is the best anarchist. Until they learn that from the cat
I cannot respect them.
- For whom the bell tolls, Ernest Hemingway

HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

[Antoine Beaupré]

Hi,

This is the latest update in the Thunderbird / Enigmail changes that are
happening in jessie. I have built a series of test packages, partly from
stretch (gnupg2, enigmail) and partly from backports (libassuan,
libgcrypt, libgpg-error, npth) and uploaded them here:

https://people.debian.org/~anarcat/debian/jessie-lts/

I need people to test those packages, and not just enigmail users. Some
of those packages have pernicious and deep ramifications. I am
particularly worried about libgcrypt, which is used for example by
cryptsetup.

I am also concerned about the interactions between gpg2 and legacy gpg
1.4. I have made sure that gpg binaries are not clobbered by gpg2, which
means it *should* be possible to run both side by side. But this does
mean having multiple key storage at once when gpg2 is in used, something
we have managed to avoid in the 1.4 -> 2.x migration in stretch so
far. I am also specifically concerned about statements such as "[even
though co-installability was considered while designing 2.1, in practice
1.4 and 2.1+ don't mix well][gnupg]" that were said elsewhere.

 [gnupg]: 
https://lists.gnupg.org/pipermail/gnupg-users/2018-February/059988.html

Nevertheless, I have gone through the process of testing the packages
against their dependencies in a jessie virtual machine, as much as
possible. The following tools were tested, based on [advice from dkg][]:

 * cryptsetup: no build-time test suite, smoke-tested (luksFormat/Open +
   mkfs + edit file / close loop), main related change is libgpgerror
   and libgcrypt bumps

 * gpgme: build-time test suite passes, no further direct test although
   covered by later mutt tests, i believe

 * gmime: untested
 
 * libotr: depends on libgcrypt11, so presumed not affected. built, but
   no build-time test suite
  
 * mutt: no test suite, segfaults when hitting "enter" when no key
   match, but bug already present in jessie before proposed
   changes. other smoke tests seem okay.
  
 * claws: untested

 * mcabber: untested

 * enigmail: self-test suite passes at build time, had several problems
   during account setup (revocation cert failed to create during key
   init; can encrypt to a client, but not sign or decrypt. so something
   definitely wrong), related to missing pinentry packages. once
   pinentry is installed, all functionality seems to be working,
   including receiving and sending encrypted+signed and encrypted
   emails. autocrypt not tested.

Regarding the latter, it seems like autocrypt caused some problems at
least with the [Tails team][15923]. It might be advisable to upgrade
to Enigmail 2.0.9 in stretch and jessie before completing this work, as
it seems to address those issues specifically.

 [advice from dkg]: https://lists.debian.org/87ftvrnbyb@fifthhorseman.net
 [15923]: https://redmine.tails.boum.org/code/issues/15923

I would appreciate code reviews, although the changes to perform the
backports are generally trivial: downgrade debhelper from 10 to 9,
delete the dh-strip --dbgsym-migration overrides, remove the mingw
packages, etc. Those who want to review the changes in code might want
to use the git repositories on salsa, because all packages are
conveniently available there. I created a debian/jessie-security branch
on every repository I had write access to, or on a fork in my own
namespace otherwise:

https://salsa.debian.org/debian/enigmail
https://salsa.debian.org/debian/gnupg2
https://salsa.debian.org/debian/libassuan
https://salsa.debian.org/anarcat/libgcrypt
https://salsa.debian.org/debian/libgpg-error
https://salsa.debian.org/anarcat/npth

Unless I get significant pushback on this, I plan on uploading those
packages next tuesday.

Phew! Maybe we'll get through that one at last. :)

A.

-- 
Seul a un caractère scientifique ce qui peut être réfuté. Ce qui n'est
pas réfutable relève de la magie ou de la mystique.
- Karl Popper

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

[Antoine Beaupré]

Gah. Forgot to fix the CC here as well, sorry for the noise.

On 2018-12-11 10:05:53, Antoine Beaupré wrote:
> On 2018-12-10 17:44:51, Mike Gabriel wrote:
>> Hi,
>>
>> I'd like to discuss the possible pathways for getting FreeRDP fixed in  
>> Debian jessie LTS (and Debian stretch, too).
>>
>> Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam  
>> maintainers and the actual packager of FreeRDPv2 in Debian).
>>
>> 1. Looking at fixing FreeRDP v1.1 in jessie / stretch
>> -
>>
>> He sketched up the following pathway for getting freerdp (v1.1) fixed  
>> in Debian jessie (and stretch):
>>
>>* Backport https://github.com/FreeRDP/FreeRDP/pull/4499
>>  -> required for FreeRDP in jessie/stretch to be able to connect  
>> to current RDP servers
>> (not a security issue, but a functionality issue due to  
>> Microsoft updates rolled out
>> during Q1 / 2018).
>>  -> estimated effort: 1-2h
>>
>>* CVE-2018-8785: not needed for jessie / stretch (code not present)
>>
>>* CVE-2018-8786,
>>  CVE-2018-8789: estimated hours for all three: 1-2h
>>
>>* CVE-2018-8787: estimated hours: 1-2h
>>* CVE-2018-8788: can be become quite an effort, estimated time: 2h++
>>
>>* CVE-2018-8784: not needed for jessie / stretch (code not present)
>>
>>
>> While this sounds nice and feasible the underlying tone of investing  
>> so much work into FreeRDP v1.1 was a different one.
>>
>> E.g. the fix for CVE-2018-8789 should be quick and simple. But the  
>> surrounding code is buggy to a great extent, too.
>>
>> There have been so many stabilizing code fixes over the past 1-2 years.
>>
>>
>> 2. Backporting FreeRDP v2 from buster to jessie and stretch
>> 
>>
>> Another approach, with a more stable and usable result is backporting  
>> FreeRDP v2 to jessie and stretch right away.
>>
>> Most people (I hope) are using freerdp2-x11 from stretch-backports  
>> (plus remmina from stretch-bpo) on Debian stable these days (freerdp  
>> 1.1 in stretch is broken with Windows RDP servers that are up-to-date  
>> with their patch levels).
>>
>> libfreerdp-client1.1
>>Reverse Depends: freerdp-x11 (>= 
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: libfreerdp-dbg (=  
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: libfreerdp-dev (=  
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: libguac-client-rdp0 (>= 0.8.3-1+b2)
>>Reverse Depends: libxfreerdp-client1.1 (>=  
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: remmina-plugin-rdp (>= 1.1.1-2)
>>Reverse Depends: vlc (>= 2.2.7-1~deb8u1)
>> freerdp-x11
>>Reverse Depends: freerdp-x11-dbg (=  
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: ltsp-client (5.5.4-4)
>>
>> So the plan could be this:
>>
>>- rebuild freerdp (v1.1) as a shared libs package only, drop  
>> freerdp-x11 (which
>>  contains the command line tool)
>>
>>- backport freerdp2 from Debian unstable to jessie/stretch
>>- backport remmina from Debian unstable to jessie/stretch
>>- rebuild vlc in jessie (and possibly stretch, too) without RDP support
>>- ltsp-client: adapt command line syntax to new FreeRDP2 cli style
>
> That sounds like a large change, especially about dropping RDP support
> from VLC... Do we have any idea about how VLC uses RDP and how many of
> our users expect that to work in the first place? How about changes in
> remmima?
>
>>- libguac-client-rdp0: leave as is... Guacamole upstream still believes in
>>  FreeRDP v1.1 shared lib API...
>
> "Believes"? I don't understand this point...
>
>> Summary
>> ---
>>
>> Before going any deeper into this, I'd love to get some feedback from  
>> the LTS and the security team about the proposed strategies. Are there  
>> other possible pathways to go? If so, please share yours.
>>
>> The FreeRDP v1.1 backporting work (8-10 hours) would have to be  
>> outsourced to ThinCast in Austria (where most FreeRDP upstream devs  
>> work these days).
>
> I don't know of any other pathways, but from what I understand we have
> some extra hours to spare, so we could allow ourselves such an expense
> to keep jessie ... "stable". :)
>
> A.
> -- 
> Dans vos mensonges de pierre
> Vous gaspillez le soleil
> - Gilles Vigneault

-- 
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it.
- Brian W. Kernighan

Re: automating process for publishing DLAs on the website

[Antoine Beaupré]

On 2018-11-20 15:30:21, Holger Levsen wrote:
> On Mon, Nov 19, 2018 at 07:07:26PM -0500, Antoine Beaupré wrote:
>> The process broke down a while back, and reasons don't matter. We need
>> to figure out how to fix this.
>> 
>> So I opened #859122 to import the missing DLAs and I've made good
>> progress.
>> 
>> But I've opened this bug report (#859123) to fix the process. So far,
>> the idea we had was to make LTS contributors submit a patch to the
>> website as part of the DLA publication process. You'd run the little
>> "parse-dla.pl" script which would create two files in the webwml git
>> repository, separate from the security tracker! that's where the
>> debian.org website lives.. Then you'd commit those and send a merge
>> request to the project (or just push if you have the rights). The
>> webmaster folks seemed to be open to grant us access to the repo to
>> remove friction as well..
>> 
>> How does that sound?
>  
> sounds very good to me. thanks for your work on this so far!

Right, agreed. :) I guess the script could both parse previous emails
and future ones quite easily.

The problem we have right now is we have no feedback from the www team
on the patches proposed in #859122 so I don't know if the formatting is
alright. Nor is it promising for the promptness with which the team can
respond to our constant flurry of such MRs in the future...

>> Another thing I thought we could do would be to hook that script into a
>> mailbox that would receive mail from the debian-lts-announce list and
>> automatically publish the results into git. But so far my efforts at
>> automating things on Debian infrastructure have mostly failed, so I'm
>> not sure it's the way to go. Besides, the parse-dsa.pl script isn't
>> exactly solid, and don't like the idea of parsing arbitrary input like
>> this without a human oversight. But it would certainly reduce friction
>> to a minimum, which I like.
>
> I better like your above proposal than generating data from parsing mails 
> which
> we have sent previously.
>
> So I've just requested webwml access from the debian-www folks.

... where did you do that?

Considering that the patches I proposed now 3 weeks ago haven't been
merged, it seems it would be imperative for all LTS people to have
access to the www repository in our workflow. Or at least a significant
numebr of people. Otherwise we'll just be clogging their review queue
forever.

I've requested access as an individual, for what that's worth.

I've also got feedback from larjona on IRC, saying she didn't have time
to work on this yet, but ping'd the team to see if someone else
will. Otherwise she might be able to review our work in January.

I wonder if we could consider more automation here to remove the manual
push/pull process, because it seems it will be a significant source of
friction in our process in the future...

Anyways, hopefully we'll figure out a workflow soon enough. :)

A.

A.
-- 
Gods don't like people not doing much work. People who aren't busy all
the time might start to think.
- Terry Pratchett, Small Gods

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

[Antoine Beaupré]

On 2018-12-10 17:44:51, Mike Gabriel wrote:
> Hi,
>
> I'd like to discuss the possible pathways for getting FreeRDP fixed in  
> Debian jessie LTS (and Debian stretch, too).
>
> Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam  
> maintainers and the actual packager of FreeRDPv2 in Debian).
>
> 1. Looking at fixing FreeRDP v1.1 in jessie / stretch
> -
>
> He sketched up the following pathway for getting freerdp (v1.1) fixed  
> in Debian jessie (and stretch):
>
>* Backport https://github.com/FreeRDP/FreeRDP/pull/4499
>  -> required for FreeRDP in jessie/stretch to be able to connect  
> to current RDP servers
> (not a security issue, but a functionality issue due to  
> Microsoft updates rolled out
> during Q1 / 2018).
>  -> estimated effort: 1-2h
>
>* CVE-2018-8785: not needed for jessie / stretch (code not present)
>
>* CVE-2018-8786,
>  CVE-2018-8789: estimated hours for all three: 1-2h
>
>* CVE-2018-8787: estimated hours: 1-2h
>* CVE-2018-8788: can be become quite an effort, estimated time: 2h++
>
>* CVE-2018-8784: not needed for jessie / stretch (code not present)
>
>
> While this sounds nice and feasible the underlying tone of investing  
> so much work into FreeRDP v1.1 was a different one.
>
> E.g. the fix for CVE-2018-8789 should be quick and simple. But the  
> surrounding code is buggy to a great extent, too.
>
> There have been so many stabilizing code fixes over the past 1-2 years.
>
>
> 2. Backporting FreeRDP v2 from buster to jessie and stretch
> 
>
> Another approach, with a more stable and usable result is backporting  
> FreeRDP v2 to jessie and stretch right away.
>
> Most people (I hope) are using freerdp2-x11 from stretch-backports  
> (plus remmina from stretch-bpo) on Debian stable these days (freerdp  
> 1.1 in stretch is broken with Windows RDP servers that are up-to-date  
> with their patch levels).
>
> libfreerdp-client1.1
>Reverse Depends: freerdp-x11 (>= 
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: libfreerdp-dbg (=  
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: libfreerdp-dev (=  
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: libguac-client-rdp0 (>= 0.8.3-1+b2)
>Reverse Depends: libxfreerdp-client1.1 (>=  
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: remmina-plugin-rdp (>= 1.1.1-2)
>Reverse Depends: vlc (>= 2.2.7-1~deb8u1)
> freerdp-x11
>Reverse Depends: freerdp-x11-dbg (=  
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: ltsp-client (5.5.4-4)
>
> So the plan could be this:
>
>- rebuild freerdp (v1.1) as a shared libs package only, drop  
> freerdp-x11 (which
>  contains the command line tool)
>
>- backport freerdp2 from Debian unstable to jessie/stretch
>- backport remmina from Debian unstable to jessie/stretch
>- rebuild vlc in jessie (and possibly stretch, too) without RDP support
>- ltsp-client: adapt command line syntax to new FreeRDP2 cli style

That sounds like a large change, especially about dropping RDP support
from VLC... Do we have any idea about how VLC uses RDP and how many of
our users expect that to work in the first place? How about changes in
remmima?

>- libguac-client-rdp0: leave as is... Guacamole upstream still believes in
>  FreeRDP v1.1 shared lib API...

"Believes"? I don't understand this point...

> Summary
> ---
>
> Before going any deeper into this, I'd love to get some feedback from  
> the LTS and the security team about the proposed strategies. Are there  
> other possible pathways to go? If so, please share yours.
>
> The FreeRDP v1.1 backporting work (8-10 hours) would have to be  
> outsourced to ThinCast in Austria (where most FreeRDP upstream devs  
> work these days).

I don't know of any other pathways, but from what I understand we have
some extra hours to spare, so we could allow ourselves such an expense
to keep jessie ... "stable". :)

A.
-- 
Dans vos mensonges de pierre
Vous gaspillez le soleil
- Gilles Vigneault

Re: Xen 4.4 updates vs. Xen Stretch backport

[Antoine Beaupré]

On 2018-12-03 20:40:08, Ben Hutchings wrote:

[...]

> I don't see this as an acceptable option for LTS.  We could maybe add a
> xen-4.8 package if it was popular in jessie-backports, but that doesn't
> excuse us from having to support 4.4.

As I was repeatedly told during my work on Enigmail / GnuPG, I will
myself remind us all that jessie-backports is unfortunately not an
option anymore. :)

A.

-- 
Qui vit sans folie n'est pas si sage qu'il croit.
- François de La Rochefoucauld

Re: Xen 4.4 updates vs. Xen Stretch backport

[Antoine Beaupré]

On 2018-11-28 22:44:52, Moritz Muehlenhoff wrote:
> On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote:
>> Hi out there,
>> Another option would be backporting the Xen
>> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
>> Stretch to Jessie.
>
> What would be the point? If you migrate to a complete new Xen release,
> then you can just as well migrate to stretch (which will also have
> proven, compatible matching versions of libvirt/Linux/qemu/ etc.
>
> If some of the Spectre mitigations can't be backported, make a detailed
> writeup of what people are missing in 4.4 and let them handle it
> based on that data (update to stretch or stick with 4.4/jessie); there's
> still plenty of legitimate use cases which can be run in a secure
> manner with 4.4 (internal VMs with trusted users etc).

I agree. It's not like Spectre is trivial to exploit either, so the
tradeoff might be acceptable for some users.

Xen upgrades are usually fairly smooth, but considering the dom0 is most
likely *only* running Xen, upgrading to stretch is probably equivalent
than upgrading to a Xen backported from stretch.

So while I usually am a proponent of aggressive backports, I think that,
in this case, we would actually be doing a disservice to our users by
forcibly backporting a version from stretch. :)

Peter, are there non-speculative vulnerabilities remaining we could look
at?

Otherwise I would just publish a DLA saying we simply stop supporting
that aspect of Xen...

A.

-- 
The future is already here – it's just not very evenly distributed.
   - William Gibson

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

[Antoine Beaupré]

On 2018-11-26 21:20:14, Holger Levsen wrote:
> On Mon, Nov 26, 2018 at 04:04:48PM -0500, Antoine Beaupré wrote:
>> Did you try "--exclude linux linux 4.9"? That should work.
>
> doh, it does. Thanks! (Though I think thats somewhat unusual... but meh.)

that's the way all python-argparsed-based commandline parsers work, for
what that's worth.

a.

-- 
The good news about computers is that they do what you tell them to
do. The bad news is that they do what you tell them to do.
- Ted Nelson

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

[Antoine Beaupré]

On 2018-11-26 20:48:07, Holger Levsen wrote:
> On Fri, Nov 23, 2018 at 11:06:43AM -0500, Antoine Beaupré wrote:
>> $ ./bin/review-update-needed --exclude linux linux-4.9 --lts --unclaim 3w
>> [...]
>> Editing file to unclaim: salt
>> 
>> I've pushed that, I hope it works for you.
>
> this indeed works, however I didnt find a way to ignore both linux and
> linux-4.9, neither "--exclude linux --exclude linux-4.9" nor "exclude
> linux,linux-4.9" nor a bunch of other combinations worked.

Did you try "--exclude linux linux 4.9"? That should work.

> Also, I found another small bug: when I used the script without
> --exclude option (and with --unclaim 3w --lts) it would currently
> unclaim salt, linux and linux-4.9, however the generated diff/edit is
> (with context lines removed)
>
> -linux (Ben Hutchings)
> +linux
> -linux-4.9 (Ben Hutchings)
> +linux
> -salt (Mike Gabriel)
> +salt
>
> while it should be:
>
> -linux (Ben Hutchings)
> +linux
> -linux-4.9 (Ben Hutchings)
> +linux-4.9
> -salt (Mike Gabriel)
> +salt
>
> (the diff is +linux-4.9 instead of twice +linux)

oops. fixed.

a.
-- 
Modern man has a kind of poverty of the spirit which stands
in great contrast to his remarkable scientific and technological
achievements. We've learned to walk in outer space and yet we
haven't learned to walk to earth as brothers and sisters.
- Martin Luther King, Jr.

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

[Antoine Beaupré]

On 2018-11-22 21:00:15, Holger Levsen wrote:
> On Thu, Nov 22, 2018 at 11:54:16AM -0500, Antoine Beaupré wrote:
>> Right. That's the one I had in mind as well. :)
>
> :)
>
>> So how *do* we make that "whitelist"? Commandline param? And what will
>> it list? Packages? People? Package/people combination?
>
> commandline param with a list of (src) packages to ignore.

Okay, I added a --exclude param. Example without:

$ ./bin/review-update-needed --lts --unclaim 3w
[...]
Editing file to unclaim: linux, linux-4.9, salt

With:

$ ./bin/review-update-needed --exclude linux linux-4.9 --lts --unclaim
3w
[...]
Editing file to unclaim: salt

I've pushed that, I hope it works for you.

A.

-- 
The secret of life is to have no fear; it's the only way to function.
- Stokely Carmichael

Re: the way to enigmail: gnupg 2.1 backport considerations

[Antoine Beaupré]

On 2018-11-22 17:32:09, Holger Levsen wrote:
> On Thu, Nov 22, 2018 at 10:54:41AM -0500, Antoine Beaupré wrote:
>> On 2018-11-20 12:55:16, Daniel Kahn Gillmor wrote:
>> > All that said, i don't think that upgrading jessie to the versions of
>> > these libraries that are in debian stretch will break jessie.  I do wish
>> > we had more substantive autopkgtest-style coverage in jessie, so that we
>> > could feel more confident about this, but i don't think we currently do.
>> So this goes back to the question of whether we should test this
>> further, either ourselves or through this list's participants.
>  
> more tests are always good. sorry, i'm a bit lost here: are (source and 
> binary)
> packages  available for testing?

Yes, the head email on 87r2fqnja0@curie.anarc.at links to the test
packages:

https://people.debian.org/~anarcat/debian/jessie-lts/gnupg2_2.1.18-8~deb8u3_amd64.changes

The dependencies are in backports.

A.
-- 
La seule excuse de Dieu, c'est qu'il n'existe pas.
- Stendhal

Re: unclaiming packages claimed for 3 weeks or more (Re: november report)

[Antoine Beaupré]

On 2018-11-20 16:17:57, Holger Levsen wrote:
> Hi,
>
> So I ran it asking it to unclaim packages which didnt see activity in
> dla-needed.txt for more than 3 weeks. These are the results from running 
> ./bin/review-update-needed --lts --unclaim 1814400

[...]

> -linux (Ben Hutchings)
> +linux
> and
> -linux-4.9 (Ben Hutchings)
> +linux
> (here I think I would like to be able to whitelist this as Ben currently
> always takes these packages.)

Right. That's the one I had in mind as well. :)

So how *do* we make that "whitelist"? Commandline param? And what will
it list? Packages? People? Package/people combination?

Before you answer, consider that all entries are manually maintained and
I sometimes write my name "Antoine Beaupre", "Antoine Beaupré" or
"anarcat" depending on what I remember I used last, and that last time
we dealt we accents, the script crashed. :p

> -nsis (Thorsten Alteholz)
> +nsis
> last NOTE: 20181110: waiting for email answer
> so here the script is buggy, this should not have been unclaimed!
>
> -openjpeg2 (Hugo Lefeuvre)
> +openjpeg2
> last NOTE: *doesnt have a date to it*
> still there is last-update in the output and it says "Last-Update: 2018-11-19 
> 19:02"
> so I believe the script is buggy.
>
> -qemu (Santiago)
> +qemu
> NOTE: 20181026: no fix yet for recent dsa issues, but start working on
> NOTE: pending no-dsa issues
> Technically correctly unclaimed (as last edit was 26 days ago), however
> given the notes I think this should stay as it is.
>
> -symfony (Thorsten Alteholz)
> +symfony
> NOTE: 20181110: patches ready, struggling with test suite, waiting for email
> another bug in the script, this should not have been unclaimed.
>
> Conclusion: the script has potential but is still too buggy ;)

Yep. Silly me, I only looked at claimed-date and not "last-update".

I pushed this fix and the output changes to implement the things we
discussed. Hopefully it will help us move forward. :) I bypassed the MR
process as indicated in private: I am going under the assertion that the
secteam is not using this script anyways and we shouldn't bother them
with our administrativia any further.

The only thing that remains unclear to me is the opt-out mechanisms. I
believe everyone should be "opted in" by default and we can add
exceptions. The only question is how. I can think of two ways:

 1. manually: the operator (or cronjob) passes a list of "things" to the
script that then get ignored

 2. automatically: the script reads "things" from a file next to or
close to the dla-needed file

We also need to figure out what the "things" are (package, owner, or
package-owner tuple), as I mentioned above.

Thanks!

A.
-- 
Modern man has a kind of poverty of the spirit which stands
in great contrast to his remarkable scientific and technological
achievements. We've learned to walk in outer space and yet we
haven't learned to walk to earth as brothers and sisters.
- Martin Luther King, Jr.

Re: feedback on review-update-needed --lts --unclaim (Re: november report)

[Antoine Beaupré]

On 2018-11-20 16:06:53, Holger Levsen wrote:
> hi,
>
> this reply is mostly about using the tool itself, see below. I will now write
> another mail about the results from using it...
>

[...]

> So, third, what did "./bin/review-update-needed --unclaim --lts" do? Too
> much, so I ran (in a sid schroot where I have python3-humanfriendly
> installed) this: "schroot -- ./bin/review-update-needed --lts --unclaim 3w"
> and got:
>
> [output and]
> Traceback (most recent call last):
>   File "./bin/review-update-needed", line 129, in 
> args.quiet or print("Claimed-By: {}".format(entry['claimed-by']))
> UnicodeEncodeError: 'ascii' codec can't encode character '\xe1' in position 
> 24: ordinal not in range(128)
>
> (This only happens if I run ./bin/review-update-needed in schroot.)

Strange. I can't reproduce this in buster! It's especially strange that
this occurs in that segment, which I haven't really touched... I only
addded that "args.quiet or" there, but the "Claimed-by" has been there
for a while...

> However no changes were made.

Yeah, that's a total, typical, python unicode crash. :p Could you give
me more information on your locale? It looks like you don't have a UTF-8
locale, which will, naturally, cause problems when trying to display
non-ASCII characters in Python. There are workarounds for this, but I'm
not sure we should go through that trouble considering we control that
environment pretty well and it's fair to assume utf8...

> Fourth, the order of entries in the output and in data/dla-needed.txt is
> different, which is confusing and makes it harder to find entries, could
> that be fixed?

the list is sorted according to the `--sort-by`. We could add a
"unsorted" argument to that (or make that the default). What do you
prefer?

> Fifth, if a package is unclaimed, it would be good to include this in
> the package related output (and not just in the summary in the end), so 
> instead of for example:
>
> Package: icecast2
> Claimed-By: Abhijith PA
> Claimed-Date: 2018-11-04 11:25 (16 days ago)
> Last-Update: 2018-11-06 09:46 (14 days ago)
>
> it would be nicer if the output were
>
> Package: icecast2
> Claimed-By: Abhijith PA
> Claimed-Date: 2018-11-04 11:25 (16 days ago)
> Last-Update: 2018-11-06 09:46 (14 days ago)
> Unclaimed because last update was more than $timespan ago.

That's totally doable though. How does that look for you?

diff --git i/bin/review-update-needed w/bin/review-update-needed
index 976c0e9c82..fe4103b0d1 100755
--- i/bin/review-update-needed
+++ w/bin/review-update-needed
@@ -133,6 +133,7 @@ for entry in all_entries:
 date_to_format = datetime.utcfromtimestamp(entry['claimed-date'])
 if datetime.utcnow() - date_to_format > unclaim_delta:
 unclaim_pkgs.append(entry['pkg'])
+args.quiet or print("Unclaimed: idle for more than {}: 
{}".format(unclaim_delta, datetime.utcnow() - date_to_format))
 else:
 args.quiet or print("Unclaimed-Since: 
{}".format(format_date(entry['claimed-date'])))
 if entry['last-update'] > entry['claimed-date']:
@@ -149,7 +150,7 @@ for entry in all_entries:
 print("")
 
 if args.unclaim:
-args.quiet or print("Packages to unclaim: {}".format(", 
".join(unclaim_pkgs)))
+args.quiet or print("Editing file to unclaim: {}".format(", 
".join(unclaim_pkgs)))
 in_preamble = True
 with open(dsa_dla_needed) as orig, open(dsa_dla_needed + '.new', 'w') as 
new:
 for line in orig:

> Six, I ran "./bin/review-update-needed --lts --unclaim 1814400" on
> stretch and got useful output which I will summarize in another mail,
> so that we have one thread about improving the tool and another about
> unclaiming specific packages.

Awesome.

I'm surprised you're not getting the unicode error there though. Maybe
it's because UTF-8 locales are not setup in the schroot?

A.
-- 
Isn't man but a blossom taken by the wind, and only the mountains and
the sea and the stars and this Land of the Gods real and everlasting?
   - James Clavell, Shōgun

Re: the way to enigmail: gnupg 2.1 backport considerations

[Antoine Beaupré]

On 2018-11-20 12:55:16, Daniel Kahn Gillmor wrote:
> All that said, i don't think that upgrading jessie to the versions of
> these libraries that are in debian stretch will break jessie.  I do wish
> we had more substantive autopkgtest-style coverage in jessie, so that we
> could feel more confident about this, but i don't think we currently do.

So this goes back to the question of whether we should test this
further, either ourselves or through this list's participants.

I was hoping publishing the test package would trigger some feedback; it
didn't. While I can do some tests of my own, the surface area of this is
so vast that it feels somewhat pointless to run discrete tests.

What's the best way to resolve this?

A.

-- 
Blind respect for authority is the greatest enemy of truth.
   - Albert Einstein

Re: the way to enigmail: gnupg 2.1 backport considerations

[Antoine Beaupré]

On 2018-11-20 15:19:45, Ben Hutchings wrote:
> On Mon, 2018-11-19 at 15:48 -0500, Antoine Beaupré wrote:
>> On 2018-11-13 22:02:45, Ben Hutchings wrote:
>> > On Tue, 2018-11-13 at 12:31 -0500, Daniel Kahn Gillmor wrote:
>> > > On Mon 2018-11-12 15:16:39 -0500, Antoine Beaupré wrote:
>> > > 
>> > > >  * libgcrypt20 (part of GnuTLS, 1.6 -> 1.7)
>> > > 
>> > > libgcrypt is not a part of GnuTLS.  GnuTLS has used nettle instead of
>> > > gcrypt for years.  gcrypt is more properly "part of GnuPG" than anything
>> > > else.
>> > > 
>> > > basically, all of these libraries are gnupg libraries.
>> > > 
>> > > It's a little bit distressing that upstream's attempt to split them out
>> > > as distinct libraries (which i think was intended to make them more
>> > > useful to other consumers) might be a roadblock on the way to updating
>> > > GnuPG itself.
>> > > 
>> > > Ben's suggestion of shipping them in a non-default location ("vendor
>> > > bundling"?) sounds pretty dubious to me -- i wouldn't want to reason
>> > > about (let alone vouch for) the upgrade path from such a hybridized
>> > > variant of jessie to standard debian stretch myself.
>> > 
>> > I was thinking that those libraries would be included in the same
>> > binary package as /usr/bin/gpg2 and other executables, which would all
>> > have a run-path set.  No-one should need to set LD_LIBRARY_PATH so no
>> > other executables would use those libraries, and the libraries would be
>> > removed when the executables that use them are removed or replaced.
>> > 
>> > Since gnupg2 actually spreads executables across multiple binary
>> > packages, I realise the libraries would have to be an additional binary
>> > package and that would remain after an upgrade.  But it would be
>> > harmless cruft that "apt autoremove" would deal with.
>> > 
>> > (I assume that GnuPG 2.1 would be packaged as "gnupg2", replacing GnuPG
>> > 2.0 since that is no longer supported upstream.  If not then I do see a
>> > problem of how to make, say, gnupg2.1 in jessie upgrade to gnupg2 in
>> > stretch.  But that's independent of the library issue.)
>> 
>> I think this is overengineered. I still haven't heard exactly what the
>> problem would be with upgrading those libraries. They are present in
>> jessie-backports and presumably well tested.
> [...]
>
> Those updated library packages are installed and used by people that
> specifically choose to use GnuPG 2.1 in jessie.  I don't think we can
> assume they are well-tested in conjunction with GnuPG 1.4.

My understanding is that GnuPG 1.4 does not use those libraries at all,
and from what I can tell, gpg 1.4 does not link against them either.

A.
-- 
On reconnait la grandeur et la valeur d'une nation à la façon dont
celle-ci traite ses animaux.
- Mahatma Gandhi

automating process for publishing DLAs on the website

[Antoine Beaupré]

Hi!

Many of you probably already know this website and its precious RSS
feed:

https://www.debian.org/security/

Few of you might already know that DLAs are *supposed* to show up in
there as well, and did for a while. For example, here's a few DLAs in
2014:

https://www.debian.org/security/2014/

The process broke down a while back, and reasons don't matter. We need
to figure out how to fix this.

So I opened #859122 to import the missing DLAs and I've made good
progress.

But I've opened this bug report (#859123) to fix the process. So far,
the idea we had was to make LTS contributors submit a patch to the
website as part of the DLA publication process. You'd run the little
"parse-dla.pl" script which would create two files in the webwml git
repository, separate from the security tracker! that's where the
debian.org website lives.. Then you'd commit those and send a merge
request to the project (or just push if you have the rights). The
webmaster folks seemed to be open to grant us access to the repo to
remove friction as well..

How does that sound?

Another thing I thought we could do would be to hook that script into a
mailbox that would receive mail from the debian-lts-announce list and
automatically publish the results into git. But so far my efforts at
automating things on Debian infrastructure have mostly failed, so I'm
not sure it's the way to go. Besides, the parse-dsa.pl script isn't
exactly solid, and don't like the idea of parsing arbitrary input like
this without a human oversight. But it would certainly reduce friction
to a minimum, which I like.

Any other ideas?

Thanks!

A.
-- 
Only in the darkness can you see the stars.
- Martin Luther King, Jr.

november report

[Antoine Beaupré]

An early report, this month, as I've ran out of work hours earlier than
expected...

GnuPG & Enigmail


To get Enigmail working properly with the Thunderbird upload from last
week, we need GnuPG 2.1 in jessie. I [backported GnuPG 2.1][] to Debian
jessie directly, using work already done to backport the required
libraries from jessie-backports.

It was [proposed][2] to ship the libraries as private libraries or
statically link GnuPG itself. I believe this is the wrong approach and
besides I'm unsure as to how this would work in practice, so I recommend
going forward with the libraries backport. I provided a [summary][3] of
the conversation to try and bring a conclusion.

 [1]: https://lists.debian.org/87r2fqnja0@curie.anarc.at
 [2]: https://lists.debian.org/0c03ba38-26f5-8e45-d792-5b1871a4d...@gmail.com
 [3]: https://lists.debian.org/87sgzw7q7k@curie.anarc.at

Spamassassin


Once Spamassassin 3.4.2 was [accepted][4] in the latest stable point
release, I went back to work on the jessie upgrade I [proposed last
month][5] and uploaded the resulting package as [DLA-1578-1][].


 [4]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912198#36
 [5]: https://lists.debian.org/87h8h39she@curie.anarc.at
 [DLA-1578-1]: https://lists.debian.org/20181113190619.ga15...@curie.anarc.at

Security tracker


I worked on a few sticky parts of the security tracker.

Automatic unclaimer
---

After an internal discussion about work procedures, a friend pointed me
at the [don't lick the cookie][6] article which I found really
interesting. The basic idea is that our procedure for work distribution
is based on "claims" which mean some packages remain claimed for
extended periods of time.

 [6]: https://www.benday.com/2016/10/21/scrum-dont-lick-the-cookie/

For some packages it makes sense: the kernel updates, for example, have
been consistently and dilligently performed by Ben Hutchings for as long
as I remember, and I myself would be very hesitant in claiming that
package myself. In that case it makes sense that the package remains
claimed for a long time.

But for some other packages, it's just an oversight: you claim the
package, work on it for a while, then get distracted by more urgent
work. It happens all the time, to everyone. The problem is then that the
work is stalled and, in the meantime, other people looking for work are
faced with a long list of claimed packages.

In theory, we are allowed to "unclaim" a package that's been idle for
too long, but as the article describes, there's a huge "emotional cost"
associated with making such a move.

So I looked at automating this process and [unclaim packages
automatically][7]. This was originally rejected by the security team
which might have confused the script implementation with a separate
[proposal][8] to add a cronjob on the security tracker servers to
automate the process there.

 [7]: 
https://salsa.debian.org/security-tracker-team/security-tracker/merge_requests/23
 [8]: 
https://salsa.debian.org/security-tracker-team/security-tracker-service/merge_requests/2

After some tweaking and bugfixing, I believe the script is ready for use
and our new LTS coordinator will give it a try, in what I would describe
as a "manually triggered automatic process" while with figure out if the
process will work for us.

Splitting huge files in the repository
--

I once again looked at splitting the large (17MB and counting)
`data/CVE/list` file in the security tracker. While my [first
attempt][9] was just trying to improve performance in my own checkouts,
the heaviness of the repository has now been noticed by the Salsa
administrators (bug #908678) as it triggers several performance issues
in GitLab.

 [9]:
https://salsa.debian.org/security-tracker-team/security-tracker/issues/2

And while my first attempt clearly not a good tradeoff and made
performance worse (by splitting each CVE in its own file), the new
proposal (split by year) actually brings significant performance
improvements. Clones takes 11 times less space (145MB vs 1.6GB) and
resolve ten times faster (2 vs 21 minutes, local only).

Running annotate on one year takes 26 seconds while running this takes
around 10 minutes over the whole file. This arguably, is less
impressive: there are, after all, twenty years of history in that
repository, so to be fair, we'd need to run annotate against all of
those. But obviously, earlier years are smaller than the latest, so the
total is also faster (2 minutes). And besides, we don't really need to
run annotate against the *entire* file: when I do this, I usually want
to know who to contact about a comment in the file, which is usually a
recent change.

The conversion itself was an interesting exercise in optimisation. The
original tool was a simple bash script, which split the file in 15
seconds, which is fine if we are ready to lose history in the
repository, But that is probably un

Re: the way to enigmail: gnupg 2.1 backport considerations

[Antoine Beaupré]

On 2018-11-19 22:32:17, Alexander Wirt wrote:
> I can't stress thos often enough. Jessie-backports doesn't exist anymore.
> They are unsupported for months and I do really hope that they get archived
> soon. 

I'm sorry I implied we might use backports for this. I didn't mean to: I
mean we should take what has been backported in jessie-backports and
upload that to jessie-security.

A.

-- 
If builders built houses the way programmers built programs,
The first woodpecker to come along would destroy civilization.
- Gerald Weinberg

Re: the way to enigmail: gnupg 2.1 backport considerations

[Antoine Beaupré]

On 2018-11-13 22:02:45, Ben Hutchings wrote:
> On Tue, 2018-11-13 at 12:31 -0500, Daniel Kahn Gillmor wrote:
>> On Mon 2018-11-12 15:16:39 -0500, Antoine Beaupré wrote:
>> 
>> >  * libgcrypt20 (part of GnuTLS, 1.6 -> 1.7)
>> 
>> libgcrypt is not a part of GnuTLS.  GnuTLS has used nettle instead of
>> gcrypt for years.  gcrypt is more properly "part of GnuPG" than anything
>> else.
>> 
>> basically, all of these libraries are gnupg libraries.
>> 
>> It's a little bit distressing that upstream's attempt to split them out
>> as distinct libraries (which i think was intended to make them more
>> useful to other consumers) might be a roadblock on the way to updating
>> GnuPG itself.
>> 
>> Ben's suggestion of shipping them in a non-default location ("vendor
>> bundling"?) sounds pretty dubious to me -- i wouldn't want to reason
>> about (let alone vouch for) the upgrade path from such a hybridized
>> variant of jessie to standard debian stretch myself.
>
> I was thinking that those libraries would be included in the same
> binary package as /usr/bin/gpg2 and other executables, which would all
> have a run-path set.  No-one should need to set LD_LIBRARY_PATH so no
> other executables would use those libraries, and the libraries would be
> removed when the executables that use them are removed or replaced.
>
> Since gnupg2 actually spreads executables across multiple binary
> packages, I realise the libraries would have to be an additional binary
> package and that would remain after an upgrade.  But it would be
> harmless cruft that "apt autoremove" would deal with.
>
> (I assume that GnuPG 2.1 would be packaged as "gnupg2", replacing GnuPG
> 2.0 since that is no longer supported upstream.  If not then I do see a
> problem of how to make, say, gnupg2.1 in jessie upgrade to gnupg2 in
> stretch.  But that's independent of the library issue.)

I think this is overengineered. I still haven't heard exactly what the
problem would be with upgrading those libraries. They are present in
jessie-backports and presumably well tested. They are rarely directly
consumed by third-parties and mostly encapsulated behind GPGME, at least
that's my understanding. The SONAMEs don't change, so they should be
backwards compatible anyways.

Right?

Doing otherwise would be a massive change and would mean we would be
maintaining multiple copies of those four libraries in jessie, and in an
obscure location as well. I don't know how we would proceed to do this
as source packages anyways - would they all get merged into the gnupg2
source package?

In any case, I don't feel confident starting down that path and I'm
running out of time for the month, so I'll let others figure that out
for the next two weeks.

A.

-- 
Premature optimization is the root of all evil
- Donald Knuth

Re: the way to enigmail: gnupg 2.1 backport considerations

[Antoine Beaupré]

Hi,

As I'm running out of time to work on this problem for the month, I
figured I would at least try to wrap up the conversation we had on the
topic here so we can find a solution to move forward on.

The current situation is that I have a backport of GnuPG 2.1 available
for testing here:

https://people.debian.org/~anarcat/debian/jessie-lts/

It should work with the libraries from jessie-backports, and I haven't
heard any negative (or positive) feedback on the build, so I'm going
under the assertion that it doesn't cause too much trouble.

The blocker is it depends on those four jessie-backports libraries:

  * libassuan (2.1 -> 2.4)
  * libgcrypt20 (1.6 -> 1.7)
  * libgpg-error (1.17 -> 1.26)
  * npth (1.0 -> 1.3)

All four libraries are GnuPG-specific libraries that GnuPG 1.4 does
*not* currently use. They *are*, however, used by GPGME so that means
they are (transitively) linked into any package linking against libgpgme
(and there are quite a few of those). I do hope that GPGME would
insulate consumers from such changes however.

Updating gpg through backports is not possible: -backports is closed and
will be archived soon.

I have therefore proposed to simply ship the four libraries backports in
jessie directly. The concern is that those library updates are not
"bugfix-only" releases and might not be suitable fo sur updates.

An alternative approach would be to statically link gnupg2 against those
libraries or ship them as private copies, possibly as a separate binary
package, that would remain as cruft that a stretch upgrade would 'apt
autoremove'.

So that's the state of affairs. How do we move forward?

I've unassigned myself the Enigmail package to allow others to take a
shot at this in the next two weeks.

Have fun!

A.

-- 
You can't conquer a free man; the most you can do is kill him.
   -  Robert A. Heinlein

systemd test packages, without tmpfiles fixes

[Antoine Beaupré]

Hi,

Tl;DR: partial fixes for systemd issues pending upload, test packages at
usual location.

I've been working for the last two days on backporting the four pending
CVEs for systemd. Those are:

CVE-2018-1049   In systemd prior to 234 a race condition exists between .mount 
and ...
CVE-2018-15688  buffer overflow vulnerability in the dhcp6 client of systemd 
allows ...
CVE-2018-15686  A vulnerability in unit_deserialize of systemd allows an 
attacker to ...
CVE-2018-6954   systemd-tmpfiles in systemd through 237 mishandles symlinks 
present in ...

The first three were fairly easy to backport. CVE-2018-15686 required a
bit more work, but that was nothing compared to CVE-2018-6954.

The tempfiles "fixes" are ... challenging, to put it mildly. The
implementation between jessie and sid varies quite a bit (no
ACL/subvolumes support, major API differences) so backporting the
changes is definitely non-trivial. I've been battling quilt and upstream
patchsets for hours now, and I can't see the end. Every time I go
through the "backport, compile, fix" cycle, I uncover a new thread of
code I need to backport upstream for the code to make sense.

So I'm giving up on this fix for now. It' just too huge. In comparison,
the fix for the previous tmpfiles security issue (CVE-2017-18078,
currently unfixed) was a breeze - I backported it in a few minutes,
thinking it would help resolve the fuzz for the next patches. Far from
it.

As a safety precaution, I  had uploaded a test package to the usual
location before working on the tmpfiles work, here:

https://people.debian.org/~anarcat/debian/jessie-lts/

So I intend to upload *those* packages some time next week unless
otherwise noted.

An alternative to backporting the numerous tmpfiles patches from
upstream would be to backport *all* of tmpfiles.c itself from buster or
sid. Unfortunately, like many parts of systemd, it's not exactly
standalone and would imply significant behavior changes, although we
could remove the extra functionality introduced in the later releases
and focus on the pieces already present in jessie. I believe that it
would be the simplest and safest way to approach this, because
backporting the patches themselves is a complete nightmare: upstream is
constantly going back and forth in critical API changes (like passing a
fd or path) which makes it near impossible to settle on a target across
releases.

I must also admit that it doesn't help that I'm doing this only with
quilt, as opposed to cherry-picking upstream patches through
git. Unfortunately, even that is a significant challenge: the complete
tmpfiles fix is in #8822, which is a whopping 26 commits, rewriting most
of tmpfiles.c functions and doing a significant refactoring of
everything.

Now if you'll excuse me I'll go out enjoy this beautiful snow and nurse
that damaged brain of mine for sunnier days. ;)

A.

-- 
They say that time changes things, but you actually have to change
them yourself.   - Andy Warhol

Re: the way to enigmail: gnupg 2.1 backport considerations

[Antoine Beaupré]

On 2018-11-13 18:41:47, Emilio Pozuelo Monfort wrote:
> I can think of two options:
>
> 1) Ship them in a private dir (e.g. /usr/lib/gnupg2/), and link them to those
> libs. Then ld should add an RPATH, otherwise an LD_LIBRARY_PATH hack could be 
> used.
>
> 2) Statically link the libraries into gpg2

But then that means double the work to maintain those libraries in the
future, with duplicate code copies and all.

What are we actually worried about regarding those libs? They are only
used by gnupg, really - gnutls uses nettle now - so the one thing they
would break would be gnupg 1.4...

Maybe we could just test that and see where it brings us instead of
mangling those libraries? :)

A.

-- 
Brief is this existence, as a fleeting visit in a strange house.
The path to be pursued is poorly lit by a flickering consciousness.
   - Albert Einstein

Re: the way to enigmail: gnupg 2.1 backport considerations

[Antoine Beaupré]

On 2018-11-13 13:24:39, Ben Hutchings wrote:
> On Mon, 2018-11-12 at 15:16 -0500, Antoine Beaupré wrote:
>> Hi,
>> 
>> So I've been looking at Enigmail again, after a long journey helping
>> people in stable getting that stuff fixed. It's pretty obvious there's
>> no way to upload that without first doing a GnuPG 2.1 backport into
>> jessie.
>> 
>> That, it turns out, requires *four* more source package
>> backports. Fortunately for us, *all* of those are already in
>> jessie-backports. They would, unfortunately, probably need to be
>> uploaded straight into jessie-security, however, if only for
>> consistency's sake.
>> 
>> That would mean, however, a more or less forced update on the following
>> libraries in jessie:
>> 
>>  * libassuan (part of GPG, 2.1 -> 2.4)
>>  * libgcrypt20 (part of GnuTLS, 1.6 -> 1.7)
>>  * libgpg-error (GPG, 1.17 -> 1.26)
>>  * npth (GPG, 1.0 -> 1.3)
>>
>> How should we handle this? I haven't looked at each backport in detail
>> to see if ABI changes are significant, but the version numbers seem to
>> indicate they are not (for what that's worth of course).
> [...]
>
> Unless these are bug-fix-only updates, I don't think they are suitable
> for jessie-security.

I doubt they are:

https://tracker.debian.org/media/packages/liba/libassuan/changelog-2.4.3-2~bpo8%2B1
https://tracker.debian.org/media/packages/libg/libgcrypt20/changelog-1.7.6-1~bpo8%2B1
https://tracker.debian.org/media/packages/libg/libgpg-error/changelog-1.26-2~bpo8%2B1
https://tracker.debian.org/media/packages/n/npth/changelog-1.3-1~bpo8%2B1

Lots of "new upstream release" in there which can basically mean
anything. Here are the respective changelogs:

https://sources.debian.org/src/libassuan/2.4.3-2%7Ebpo8+1/ChangeLog/
https://sources.debian.org/src/libgcrypt20/1.7.6-1%7Ebpo8+1/ChangeLog/
https://sources.debian.org/src/libgpg-error/1.26-2%7Ebpo8+1/ChangeLog/
https://sources.debian.org/src/npth/1.3-1%7Ebpo8+1/ChangeLog/

None of those are patch releases. In fact, in some cases, there *are* no
patch releases (e.g. libpth) and I doubt minor releases are really minor
anyways... 

So yes, those are significant upgrades.

I take solace in the fact that those packages are on jessie-backports
already and that if they would have broken stuff, people would have
noticed already...

... right? :)

> Would it be possible to bundle the libraries with gpg 2.1, and install
> them somewhere that doesn't conflict with the existing versions?

That is a possibility. libassuan, for example, is basically this in
jessie right now:

/usr/lib/x86_64-linux-gnu/libassuan.so.0.4.2

jessie-backports ships:

/usr/lib/x86_64-linux-gnu/libassuan.so.0.7.3

both share the same major SONAME, unfortunately. So they is a clash on
the .so.0 symlink. I am not sure how the linker could handle duplicates
of those entries. And we'd have trouble in /usr/share/doc/libassuan0,
for example.

libgcrypt is similar:

/lib/x86_64-linux-gnu/libgcrypt.so.20.0.3
/lib/x86_64-linux-gnu/libgcrypt.so.20.1.6

libgpg-error:

/lib/x86_64-linux-gnu/libgpg-error.so.0.13.0
/lib/x86_64-linux-gnu/libgpg-error.so.0.21.0

libnpth0:

/usr/lib/x86_64-linux-gnu/libnpth.so.0.0.3
/usr/lib/x86_64-linux-gnu/libnpth.so.0.0.6

I am not sure how we could ship both versions of those libraries in
jessie - that's beyond my linker skill level, i'm afraid. ;)

A.

-- 
A genius is someone who discovers that the stone that falls and the
moon that doesn't fall represent one and the same phenomenon.
 - Ernesto Sabato

the way to enigmail: gnupg 2.1 backport considerations

[Antoine Beaupré]

Hi,

So I've been looking at Enigmail again, after a long journey helping
people in stable getting that stuff fixed. It's pretty obvious there's
no way to upload that without first doing a GnuPG 2.1 backport into
jessie.

That, it turns out, requires *four* more source package
backports. Fortunately for us, *all* of those are already in
jessie-backports. They would, unfortunately, probably need to be
uploaded straight into jessie-security, however, if only for
consistency's sake.

That would mean, however, a more or less forced update on the following
libraries in jessie:

 * libassuan (part of GPG, 2.1 -> 2.4)
 * libgcrypt20 (part of GnuTLS, 1.6 -> 1.7)
 * libgpg-error (GPG, 1.17 -> 1.26)
 * npth (GPG, 1.0 -> 1.3)

How should we handle this? I haven't looked at each backport in detail
to see if ABI changes are significant, but the version numbers seem to
indicate they are not (for what that's worth of course).

That said, with minor changes (to keep "gpg" pointing at the legacy 1.4
version, most notably), I've got a GPG 2.1 backport ready for jessie, at
the usual location:

https://people.debian.org/~anarcat/debian/jessie-lts/

I would very much welcome testing of this. There are still some clunky
things in there, for example critical lintian warnings I need to fix. I
haven't even tried to installed the thing yet, but I figured I would
share my work early and get feedback before going on a wild goose chase
after the dependencies.

Any feedback appreciated.

Thanks,

A.

-- 
For once you have tasted flight,
You will walk the earth with your eyes turned skyward;
For there you have been,
And there you long to return.
- Leonardo da Vinci

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

[Antoine Beaupré]

On 2018-11-11 23:03:07, Emilio Pozuelo Monfort wrote:
> On 11/11/2018 15:47, Antoine Beaupré wrote:
>> On 2018-11-11 13:21:05, Emilio Pozuelo Monfort wrote:
>>> Hi Antoine,
>>>
>>> On 09/11/2018 20:37, Antoine Beaupré wrote:
>>>> On 2018-11-05 16:26:44, Emilio Pozuelo Monfort wrote:
>>>>> Hi,
>>>>>
>>>>> On 30/10/2018 16:46, Antoine Beaupré wrote:
>>>>>> Which brings us to Thunderbird (and Firefox) themselves. The last I
>>>>>> heard of this is that LLVM was NEW in jessie. I wrote Emilio to see if
>>>>>> he needed help on that last week, but haven't got a response. Hopefully
>>>>>> all that work will come to fruitition synchronously in a grand fanfare
>>>>>> of uploads all working out perfectly in the end. :)
>>>>>
>>>>> Sorry if I missed your mail. Anyway, here's an update:
>>>>>
>>>>> LLVM (and the necessary deps) were accepted. Unfortunately I run into some
>>>>> trouble while bootstrapping rustc and cargo. I tried some different ways 
>>>>> and
>>>>> finally fixed the first one (bootstrap using upstream binaries). I am 
>>>>> uploading
>>>>> the packages now and will follow up with firefox/thunderbird if all goes 
>>>>> well.
>>>>
>>>> Just so I see how fast I should be moving on Enigmail, when do you plan
>>>> on uploading Thunderbird?
>>>
>>> The update is ready, and the blocker was an update to stretch, which has 
>>> already
>>> happen. So I believe we are ready, and this could happen anytime now.
>>>
>>> However since we don't have a working enigmail, should we delay the update 
>>> until
>>> we do? Given the security issues in thunderbird and the fact that the new
>>> version has a Breaks on the old enigmail, I would say that we can go ahead 
>>> with
>>> thunderbird, and enigmail can be fixed asynchronously. However if the 
>>> update is
>>> not too far ahead, we could also delay this a bit longer.
>>>
>>> Thoughts?
>> 
>> I think we could manage a resolution with Enigmail soon enough, and
>> considering how fast those updates were deployed on stretch, i don't
>> know if we have a reasonable excuse to delay those in jessie.
>
> Just to be clear, with 'those' are you referring to thunderbird, i.e. saying
> that we should release the update now, and update enigmail asynchronously? 
> That
> is what I think you meant, but perhaps you were referring to enigmail instead,
> maybe suggesting that we shouldn't delay the enigmail updates, i.e. we should
> block the thunderbird update until the enigmail changes are ready.
>
> Maybe I'm just being too dense, but if you could clarify which one you meant,
> I'd appreciate it.

Sorry for being unclear - I meant that the Thunderbird and Firefox
updates were deployed quickly, without waiting for Enigmail to be
ready. So we should do the same with Jessie (upload FF and TB before
Enigmail) especially since we had a long ways to prepare ourselves and
indeed have a plan already.

So please do go ahead.

A.

-- 
We won't have a society if we destroy the environment.
- Margaret Mead

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

[Antoine Beaupré]

On 2018-11-11 13:21:05, Emilio Pozuelo Monfort wrote:
> Hi Antoine,
>
> On 09/11/2018 20:37, Antoine Beaupré wrote:
>> On 2018-11-05 16:26:44, Emilio Pozuelo Monfort wrote:
>>> Hi,
>>>
>>> On 30/10/2018 16:46, Antoine Beaupré wrote:
>>>> Which brings us to Thunderbird (and Firefox) themselves. The last I
>>>> heard of this is that LLVM was NEW in jessie. I wrote Emilio to see if
>>>> he needed help on that last week, but haven't got a response. Hopefully
>>>> all that work will come to fruitition synchronously in a grand fanfare
>>>> of uploads all working out perfectly in the end. :)
>>>
>>> Sorry if I missed your mail. Anyway, here's an update:
>>>
>>> LLVM (and the necessary deps) were accepted. Unfortunately I run into some
>>> trouble while bootstrapping rustc and cargo. I tried some different ways and
>>> finally fixed the first one (bootstrap using upstream binaries). I am 
>>> uploading
>>> the packages now and will follow up with firefox/thunderbird if all goes 
>>> well.
>> 
>> Just so I see how fast I should be moving on Enigmail, when do you plan
>> on uploading Thunderbird?
>
> The update is ready, and the blocker was an update to stretch, which has 
> already
> happen. So I believe we are ready, and this could happen anytime now.
>
> However since we don't have a working enigmail, should we delay the update 
> until
> we do? Given the security issues in thunderbird and the fact that the new
> version has a Breaks on the old enigmail, I would say that we can go ahead 
> with
> thunderbird, and enigmail can be fixed asynchronously. However if the update 
> is
> not too far ahead, we could also delay this a bit longer.
>
> Thoughts?

I think we could manage a resolution with Enigmail soon enough, and
considering how fast those updates were deployed on stretch, i don't
know if we have a reasonable excuse to delay those in jessie.

A.

-- 
To be naive and easily deceived is impermissible, today more than
ever, when the prevailing untruths may lead to a catastrophe because
they blind people to real dangers and real possibilities.
- Erich Fromm

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

[Antoine Beaupré]

On 2018-11-05 16:26:44, Emilio Pozuelo Monfort wrote:
> Hi,
>
> On 30/10/2018 16:46, Antoine Beaupré wrote:
>> Which brings us to Thunderbird (and Firefox) themselves. The last I
>> heard of this is that LLVM was NEW in jessie. I wrote Emilio to see if
>> he needed help on that last week, but haven't got a response. Hopefully
>> all that work will come to fruitition synchronously in a grand fanfare
>> of uploads all working out perfectly in the end. :)
>
> Sorry if I missed your mail. Anyway, here's an update:
>
> LLVM (and the necessary deps) were accepted. Unfortunately I run into some
> trouble while bootstrapping rustc and cargo. I tried some different ways and
> finally fixed the first one (bootstrap using upstream binaries). I am 
> uploading
> the packages now and will follow up with firefox/thunderbird if all goes well.

Just so I see how fast I should be moving on Enigmail, when do you plan
on uploading Thunderbird?

Thanks!

A.

-- 
Nature hides her secret because of her essential loftiness, but not by
means of ruse.
   - Albert Einstein

Re: updates on the gnupg/enigmail/thunderbird/firefox situation

[Antoine Beaupré]

On 2018-11-06 10:57:12, Holger Levsen wrote:
> On Tue, Nov 06, 2018 at 02:25:37PM +0700, Daniel Kahn Gillmor wrote:
>> On Tue 2018-10-30 11:46:35 -0400, Antoine Beaupré wrote:
>> >  5. backport the required GnuPG patchset from stretch to jessie
>> fwiw, i don't see how this is going to work, since jessie has only gpg
>> 1.4.18 and 2.0.26 -- modern enigmail requires gnupg 2.0.14 at least, so
>> that rules out the 1.4 series.  And the 2.0 branch has been EOLed and
>> unsupported upstream for nearly a year, and represents a significantly
>> different codebase than the 2.1/2.2 series.
>> 
>> Or if you are talking about backporting 2.1.x or 2.2.x, that might be a
>> different situation; but just backporting the gnupg patches from stretch
>> to jessie sounds pretty tough. (i haven't tried though)
>
> so I'd say this leaves us with two options: a.) getting gnupg 2.1 into
> jessie or b.) declaring thunderbird/enigmail unsupported in jessie.

i think it should be possible to do a) - as "gpg2" of course. it would
require modifications to enigmail to call that binary instead of legacy
1.4, but it might just work without breaking too much stuff as people
probably don't rely on gnupg2 in jessie.

a.

-- 
Soyons réalistes, faisons l'impossible.
- Ernesto "Che" Guevara

Spamassassin 3.4.2 jessie upgrade ready for testing

[Antoine Beaupré]

Hi,

As discussed with the SpamAssassin (SA) maintainer, we are following
upstream's advice of upgrading to the latest 3.4.2 release in jessie.

There's a stable update pending in stretch (#912198) which served as a
basis for this upload. I've kept to the strict minimal set of changes
but also included critical fixes (like #889501) and ensuring we run the
test suite during build (which passes, thankfully).

Other unrelated packaging changes were skipped to keep the change
minimal. Besides, many of the changes in buster and stretch just don't
apply at all in jessie.

As long as the update doesn't land in stretch, this should not be
updated in jessie either, as the version number proposed here
(3.4.2-0+deb8u1) is higher than the one currently in stretch. If the
update ends up being refused there, I'll reroll the upload here with a
different version number, but it seems to be on track so far.

Because SA upstream doesn't follow semantic versionning, the 3.4.0 to
3.4.2 upgrade is deceptively large:

 400 files changed, 18289 insertions(+), 13973 deletions(-)

About a third (~6000 lines?) of this are rules changes which trickle
down to jessie already through sa-update. There's also 8000 lines of
diff in the upstream changelog file we can ignore, which leaves us at a
more reasonable 4000 lines of diff, although that's still significant.

The one change which might break things in deployments is that spamc
dropped support for SSLv3. If spamd is updated first, this should not
cause any problems. The UPGRADE.gz file has all the details of the
upstream changes.

Test packages are available in the usual location, along with the
debdiff:

https://people.debian.org/~anarcat/debian/jessie-lts/

A.


-- 
One of the things the Web teaches us is that everything is connected
(hyperlinks) and we all should work together (standards). Too often
school teaches us that everything is separate (many different
'subjects') and that we should all work alone.  - Aaron Swartz

updates on the gnupg/enigmail/thunderbird/firefox situation

[Antoine Beaupré]

Hi,

In the last month, I have work with dkg (in CC) to see how to
(ultimately) deal with the end of life of Firefox and Thunderbird ESR as
we know them in jessie. He has been hard at work updating GnuPG in
stable (#910398) so that Enigmail works with that older version of GnuPG
without introducing new security issues. Next step is an update of
Enigmail in stable (in #912194) so that it works with the latest
Thunderbird 60 upload approved by the security team in mid-september.

Because Emilio (also in CC) had claimed the Thunderbird and Firefox
package, I figured I would see what would be required to deal with the
consequences of such an update in jessie. It seemed obvious an update to
at least Enigmail would be required, so I started to drill down into
that. I provided code reviews, rubber-ducking and support to dkg in the
Enigmail and GnuPG updates, mostly in private, but those are now
trickling down in stable updates.

Now, unfortunately, I am back here asking you what we should do about
those packages again. About a month ago, I offered 5 different options:

 1. pretend Enigmail works without changing GnuPG, possibly introducing
security issues

 2. ship a backport of GnuPG and Enigmail through jessie-sloppy-backports

 3. package OpenPGP.js and backport all the way down to jessie

 4. remove Enigmail from jessie

 5. backport the required GnuPG patchset from stretch to jessie

I believe we have now actively researched most of those issues in one
way or the other:

 1. I verified that Enigmail does indeed has security issues with the
current versions of GnuPG, particularly in the Autocrypt mechanism.

 2. was never seriously considered

 3. I investigated the OpenPGP.js dependency tree and determined it was
an impassable forest

 4. hasn't been seriously considered yet, as far as I can tell

 5. I have helped dkg backport the patches from GnuPG 2.2 to 2.1 for
stretch

Now I come back to you again for advice. Which path should we take? So
far I'm sticking to option #5 above, but I would welcome other opinions.

I would suggest we wait for Enigmail and GnuPG to trickle down to
stretch and see if any critical issues come out. There are specifically
concerns that the backported GnuPG changes might break unrelated
software that depend on the brittle dialect GnuPG imposes on its
consumers, which *does* change in the backport. I am aware of at least
one program (Monkeysphere) which could FTBFS because of a too brittle,
build-time, test suite. dkg and I are maintainers on that package and
will be able to handle the followup.

That should eventually settle Enigmail/GnuPG: either we backport GnuPG
patches, or we deem the GnuPG patchset is too invasive to backport to
jessie and we remove Enigmail from jessie. The result will be that users
will run an outdated version (if they don't notice the package's removed
or the announcement) or will run an up to date but possibly insecure
version (if they install the Addons version from Mozilla which downloads
an arbitrary binary from the network, see #891882). So I think there's a
strong incentive in backporting the changes, but we should wait and see
what breaks in stable before venturing any further into this dark alley.

Which brings us to Thunderbird (and Firefox) themselves. The last I
heard of this is that LLVM was NEW in jessie. I wrote Emilio to see if
he needed help on that last week, but haven't got a response. Hopefully
all that work will come to fruitition synchronously in a grand fanfare
of uploads all working out perfectly in the end. :)

Voilà. I felt I had been working in the dark on this for a part of
October and figured it would be useful to post a refresher on my
work. Let me know if that's useful / too long / or have any more
questions.

A.

-- 
Si les triangles avaient un Dieu, ils lui donneraient trois côtés.
- Montesquieu, Lettres persanes

Re: Wheezy update of spamassassin?

[Antoine Beaupré]

On 2018-10-29 09:50:41, Moritz Muehlenhoff wrote:
> On Sun, Oct 28, 2018 at 10:19:34PM -0700, Noah Meyerhans wrote:
>> On Mon, Oct 22, 2018 at 11:23:50AM -0400, Antoine Beaupré wrote:
>> > Ping! Any update here? Do you want us to help with the jessie or stretch
>> > update?
>> 
>> I'll be posting a message about the stretch update to debian-release
>> shortly. If you want to work on further backporting its update to
>> jessie, that is fine with me. The packaging changes for stretch are at
>> https://salsa.debian.org/debian/spamassassin/tree/3.4.2-stretch
>
> Make sure to only release anything after stretch 9.6 has been released, 
> though.
> Otherwise having a higher version in oldstable will cause update problems to
> stretch.

In any case I'll post a lower version number, if/when I do. Thanks!

A.

-- 
Premature optimization is the root of all evil
- Donald Knuth

Re: backported gnutls28 3.3.30 packages availabled for jessie LTS

[Antoine Beaupré]

Last call for testing on this, I'll upload the 3.3.30 package on Monday
if there's no objection until then.

On 2018-10-23 14:00:14, Antoine Beaupré wrote:
> Hi,
>
> After the lengthy discussion[1] regarding the pending security issues in
> GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have
> determined it might be simpler to just upgrade to the latest upstream
> 3.3.x version for which upstream is still providing updates. Upstream
> agrees with the approach. This removes 35 Debian-specific, backported
> patches and fixes other unrelated bugs. The API/ABI *changes*, but it
> only adds *new* symbols so the soname versions do not change.
>
> [1]: CABY6=0nu1qg9beb5qc-mbzfubmqgxp9dbgnicfupppiwz+o...@mail.gmail.com
>
> I have uploaded the test package in the usual location here:
>
> https://people.debian.org/~anarcat/debian/jessie-lts/
>
> Direct link to the .changes file:
>
> https://people.debian.org/~anarcat/debian/jessie-lts/gnutls28_3.3.30-1+deb8u_amd64.changes
>
> The debdiff is obviously quite large so I haven't audited the whole
> diff, which would have basically meant reviewing all the releases
> between upstream 3.3.8 and 3.3.0:
>
>  2151 files changed, 65784 insertions(+), 60661 deletions(-)
>
> Note that about 3000 lines of those are from debian/patches removals
> that were now unnecessary.
>
> The upstream changelog details all the changes:
>
> https://gitlab.com/gnutls/gnutls/blob/gnutls_3_3_x/NEWS
>
> Our branch point was 3.3.8, over four years ago. The latest 3.3.30
> release was last july.
>
> It should be possible to backport the upstream patches for those issues
> as well. But considering the amount of work that represented and how
> sensitive the issue is, I felt more confident going with upstream's
> recommendation.
>
> Extensive testing is recommended. The test suite obviously passes here
> (otherwise the package does not build) but there might be other problems
> that I haven't foreseen.
>
> Thanks for any feedback.
>
> A.
> -- 
> Information is not knowledge. Knowledge is not wisdom.
> Wisdom is not truth. Truth is not beauty.
> Beauty is not love. Love is not music.
> Music is the best.  - Frank Zappa

-- 
La guerre, c'est le massacre d'hommes qui ne se connaissent pas,
au profit d'hommes qui se connaissent mais ne se massacreront pas.
- Paul Valéry

Re: Confusing our users - who is supporting LTS?

[Antoine Beaupré]

On 2018-10-26 13:02:57, Thadeu Lima de Souza Cascardo wrote:
>> > 5) Is that not true anymore with Extended LTS and CIP?
>> 
>> Sorry, what is not true? #4? If so, I think people should *still*
>> install the latest supported Debian release (stable or stretch right
>> now) and not LTS or ELTS, when deploying new systems.
>
> Yeah, not true that Stretch would have a latest term support compared to
> any earlier release. So, if one needs something that lasts 12 years,
> should one be picking up Stretch, Jessie or Wheezy?

"12 years" ... it depends when you start counting. Do you count from the
release date of the software? Or "now"? Because if you want 12 years
support, jessie, even less so wheezy is not going to help you.

>From that perspective, you might stand a better chance of installing
*unstable* or *buster* right now if you want the longer support schedule
from *right now* because then you'll get the buster release cycle (three
years, starting from late 2019 if not 2020), then LTS (two years) and
maybe even an extra ELTS (a year or more) slapped on top, which will
bring you somewhere somewhere close to 2027. That's 9 years from now, a
far cry from your 12 years objective, but it's pretty much the best shot
we have.

12-year support cycle is the crazy stuff they do at Solaris, or at least
did. Since Oracle bought it, they bumped that up to *twenty* years:

https://en.wikipedia.org/wiki/Solaris_(operating_system)#Version_history

We're still far away from that goal. And keep in mind the Solaris that
is supported there is a very limited operating system when compared with
the scope of packages supported in Debian...

A.

-- 
La seule excuse de Dieu, c'est qu'il n'existe pas.
- Stendhal

Re: Confusing our users - who is supporting LTS?

[Antoine Beaupré]

On 2018-10-26 10:26:09, Thadeu Lima de Souza Cascardo wrote:
> On Wed, Oct 24, 2018 at 09:30:46AM +0800, Paul Wise wrote:
>> On Wed, Oct 24, 2018 at 4:15 AM Sean Whitton wrote:
>> >
>> > On Tue 23 Oct 2018 at 05:06PM +0200, Markus Koschany wrote:
>> > >
>> > > In short: Make it very clear if you want to provide long-term support
>> > > for your project. Talk to the LTS team in case you need help. Nobody is
>> > > forced to do anything.
>> >
>> > This is a good idea, but ISTM the assumption should be that the
>> > subproject does not participate unless it explicitly says that it does.
>> 
>> This thread started because users have the opposite assumption. So I
>> think it would be better to be explicit about support teams and
>> timelines.
>> 
>> -- 
>> bye,
>> pabs
>> 
>> https://wiki.debian.org/PaulWise
>> 
>
> I am guessing one of the other (incorrect) assumption users might make
> is that the "LTS version" is preferred over other versions. That's how
> LTS works for Linux and Ubuntu, for example. So, a user would rather
> install Ubuntu 18.04 that is supported for 5 years than Ubuntu 18.10,
> that is supported for 9 months. The same happens with Linux 4.14 versus
> Linux 4.18.

I agree that is a concern...

> I am not sure it's clear to users that all Debian stable versions would
> have Long Term Support, because the releases are not *labeled* as LTS. I
> know the wiki says:
>
> "Debian Long Term Support (LTS) is a project to extend the lifetime of
> *all* Debian stable releases to (at least) 5 years." (emphasis mine)
>
> But I believe the table right below that would still confuse some users
> that would understand that Jessie is supported by LTS, while Stretch is
> not, even though there is a schedule column there.

... but, well, that is pretty clear isn't it? "All" releases are
supported, and "stretch" is explicitely mentioned in the table. I think
we've done our part.

> Using the LTS term in a slightly different way than the "industry
> standard" now means we need to spend a little more effort on users
> education.

I'm not sure we're using it that differently. But it's true normal
stable releases don't immediately get marked as LTS. There are good
reasons for that, and those would be very hard to work around. To get
more explicit, we can answer your questions one by one:

> Should we:
>
> 1) Start calling the stable releases as LTS releases?

No. That would be very confusing, as the stable releases are (to
simplify greatly) under the responsability of the security team (ST) and
the stable release managers (SRM), not the LTS team.

> 2) Say "supported by Security team" versus "supported by Freexian",
> instead of just saying "supported by LTS"?

Hm... I'm not sure what that refers to or what you're proposing, but LTS
releases are *not* supported by the security team, but by the LTS team.

> 3) Stop using LTS as a "label" for oldstable releases?

I am not sure how that would help anything. :) I do like, however, the
idea brought by Jeremy Stanley in a reply to your email of using the
"Extended Maintenance" label instead of "Long Term Support" because the
latter is usually attached to a *current* release, while the former is
seen as an *extension*.

But renaming the project seems like a huge undertaking and I'm not sure
it would really resolve this conendrum.

> 4) Just advise users all the time that they should prefer the latest
> stable release, as that is going to have the "latest term support"?

Right. So maybe that's a piece that's been missing in our
communications, and that could be the reason why people still think they
should install jessie cloud images. ;)

So maybe we could make some proeminent statement on the LTS and
LTS/Using pages in the wiki?

> 5) Is that not true anymore with Extended LTS and CIP?

Sorry, what is not true? #4? If so, I think people should *still*
install the latest supported Debian release (stable or stretch right
now) and not LTS or ELTS, when deploying new systems.

I think the idea here is that we think Debian rocks. It's solid, stable,
and we love it. But we want to support it for even longer than what our
volunteer team can deal with right now, so we're hiring a bunch of
dedicated fanatics who can figure out how to fit a square peg in a round
hole for you.

But please don't make us any more square pegs and install Debian
normally. Don't break Debian! :)

https://wiki.debian.org/DontBreakDebian

Thanks!

A.

-- 
Work expands so as to fill the time available for its completion.
- Parkinson's law

Re: Xen 4.4 updates - request for feedback

[Antoine Beaupré]

On 2018-10-23 14:03:37, Peter Dreuw wrote:
> The testing packages are available here: 
>
> https://share.credativ.com/~pdr/xen-test/ 

One more thing about those... The .deb packages are provided completely
without signatures. I understand that the site is protected by HTTPS,
but it is customary to actually provide a signed .changes file so that
people can double-check the signatures against the web of trust without
relying on the third-party CA system.

Thanks!

A.

-- 
Work expands so as to fill the time available for its completion.
- Parkinson's law

Re: Xen 4.4 updates - request for feedback

[Antoine Beaupré]

On 2018-10-24 19:33:45, Peter Dreuw wrote:
> Am 24.10.18 um 17:24 schrieb Antoine Beaupré:
>> On 2018-10-23 14:03:37, Peter Dreuw wrote:
>>> Hello, everyone, 
>>>
>>> I prepared another set of fixes based on the current Xen package on 
>>> jessie-security (4.4.4lts2-0+deb8u1, DLA-1549).
>>>
>>> These fixes include 
>>>
>>> CVE-2017-15595 / xsa 240 
>>> CVE-2017-15593 / xsa 242 
>>> CVE-2017-15592 / xsa 243 
>>> CVE-2017-16693 / xsa 244 
>>> CVE-2017-17044 / xsa 246 
>>> CVE-2017-17045 / xsa 247 
>>> CVE-2018-10472 / xsa 258 
>>> CVE-2018-10981 / xsa 262
>>>
>>> The testing packages are available here: 
>>>
>>> https://share.credativ.com/~pdr/xen-test/ 
>> I'll be reviewing those diffs shortly, thanks!
> Thank you very much.
>>> These testing packages are auto generated by our new build system, so the 
>>> package name is somewhat cryptic as it reflects the date and time of build 
>>> as well as parts of the git hash it is based on. 
>>>
>>> You can find the repository here: https://github.com/credativ/xen-lts 
>>>
>>> dpkg might tell you about a potential downgrade, but you can ignore this 
>>> for testing purposes safely. I expect them to be working but I would 
>>> appreciate some feedback on this version before passing them to the public 
>>> repository. 
>> Did you do any kind of smoke testing or is that something that could be
>> useful per se?
>>
>> I always find it tricky to test Xen packages because, well... In what
>> environment do you test it? Qemu? Xen? Virtualbox? :)
>
> I am testing the x86 packages on real hardware and virtual box. But of
> course, my hardware spectrum available for this is not to broad. In
> general, I make shure that my packages work for me before I would
> release them in any way ;)  I'm working on integration of Xen fixes into
> old versions for a while, now. I already did this on the Xen 4.1 in
> Wheezy, fyi.
>
> The arm packages - which are currently not included in my request for
> feedback - are tested on Qemu only. But the arm-only bugs/fixes are
> mostly easy to done as the upstream patches apply and upstream does a
> great amount of testing. So I consider the work already done not harmful
> to the arm systems right now - at least if the x86 tests don't fail ;)

That makes sense. Thanks! I won't be doing additional smoke testing
then.

I encourage others who *have* running Xen systems to give the test
packages a shot and will ping a partner here who does.

>>> I will head on to the next issues to fix. 
>> I'm curious: what is your take on XSA-254 and the Meltdown/Spectre
>> issues in Xen? Are those fixable?
>
> I am not sure if this can be done with Xen 4.4 - at least not to a level
> of a 100% solution. Looking into the upstream code for e.g. 4.6 there
> are many changes that would need to be considered. I am thinking of
> this, currently, yes. The same goes to
>
>
> XSA 263 / CVE-2018-3639
>
> XSA 267 / CVE-2018-3665
>
> XSA 273 / CVE-2018-3620,CVE-2018-3646
>
> The upstream fixes for these XSA rely on the XSA 254 work already done. 
> So getting xsa 263/267/273 fixed would need to adapt much of the work
> done for xsa 254.

Right. It's a huge challenge and sensitive if not confusing code.

>> Should we consider encouraging people to switch to other virtualization
>> solutions in LTS/jessie considering the difficulty of mitigation in Xen
>> environments?
>
> Hum, this looks like a need for a political answer ;)

Well, you know what they say in french: if you don't care about
politics, politics will take care of you. ;)

> I honestly don't know if the difficulty level of mitigation in other
> old virtualization solutions is really lower.

I am going with the assertion that Linux and KVM, in particular, is
being fixed in jessie. It may be flawed, but I know a lot of effort was
put in resolving those issues in the kernel, for obvious reasons.

My impression was that mitigation has been much harder in Xen and that
many hosting providers were migrating away. For example, RedHat
recommends to migrate to KVM here as well:

https://access.redhat.com/solutions/3307791

> An alternative might be offering a version of a more recent Xen package.
> AFAIK there is a Xen 4.9 package in Jessie backports already, but this
> is not too fresh, I think. I know, LTS users might not like the idea of
> shifting to new versions but the spectre/meltdown issue is a class of
> its own when it comes to solutions. 

My comments were not specifically regarding 4.4. From what I understand,
those iss

Re: Xen 4.4 updates - request for feedback

[Antoine Beaupré]

On 2018-10-24 11:24:28, Antoine Beaupré wrote:
> On 2018-10-23 14:03:37, Peter Dreuw wrote:
>> Hello, everyone, 
>>
>> I prepared another set of fixes based on the current Xen package on 
>> jessie-security (4.4.4lts2-0+deb8u1, DLA-1549).
>>
>> These fixes include 
>>
>> CVE-2017-15595 / xsa 240 
>> CVE-2017-15593 / xsa 242 
>> CVE-2017-15592 / xsa 243 
>> CVE-2017-16693 / xsa 244 
>> CVE-2017-17044 / xsa 246 
>> CVE-2017-17045 / xsa 247 
>> CVE-2018-10472 / xsa 258 
>> CVE-2018-10981 / xsa 262
>>
>> The testing packages are available here: 
>>
>> https://share.credativ.com/~pdr/xen-test/ 
>
> I'll be reviewing those diffs shortly, thanks!

I've given that a shot and, unfortunately, the actual contents of the
patchset goes over my head, so I cannot provide useful feedback on
those. When I worked on Xen/qemu before, I was content to just adapt the
upstream patches without auditing the fix itself, for what it's worth.

So I have reviewed the patches in that context and they generally seem
to reflect upstreams' intention, for what that's worth.

The only issues I could find were whitespace and shouldn't affect
functionality.

(In XSA-240 [20c8d60a5c], a comment block present in the upstream patch
[0003-x86-dont-wrongly-trigger-linear-page-table-assertion.patch] is
missing. Purely cosmetic. Whitespace noise is introduced in 49721ad27a
which might make future merges needlessly harder. There's a similar
issue in XSA-247 [06d16d9c].)

Again, that's assuming that upstream patchsets backport logically into
4.4. Many XSAs have 4.5 patches (or in some cases 4.6) so it's not that
big of a leap.

Thanks for the hard work!

A.

Re: Xen 4.4 updates - request for feedback

[Antoine Beaupré]

On 2018-10-23 14:03:37, Peter Dreuw wrote:
> Hello, everyone, 
>
> I prepared another set of fixes based on the current Xen package on 
> jessie-security (4.4.4lts2-0+deb8u1, DLA-1549).
>
> These fixes include 
>
> CVE-2017-15595 / xsa 240 
> CVE-2017-15593 / xsa 242 
> CVE-2017-15592 / xsa 243 
> CVE-2017-16693 / xsa 244 
> CVE-2017-17044 / xsa 246 
> CVE-2017-17045 / xsa 247 
> CVE-2018-10472 / xsa 258 
> CVE-2018-10981 / xsa 262
>
> The testing packages are available here: 
>
> https://share.credativ.com/~pdr/xen-test/ 

I'll be reviewing those diffs shortly, thanks!

> These testing packages are auto generated by our new build system, so the 
> package name is somewhat cryptic as it reflects the date and time of build as 
> well as parts of the git hash it is based on. 
>
> You can find the repository here: https://github.com/credativ/xen-lts 
>
> dpkg might tell you about a potential downgrade, but you can ignore this for 
> testing purposes safely. I expect them to be working but I would appreciate 
> some feedback on this version before passing them to the public repository. 

Did you do any kind of smoke testing or is that something that could be
useful per se?

I always find it tricky to test Xen packages because, well... In what
environment do you test it? Qemu? Xen? Virtualbox? :)

> I will head on to the next issues to fix. 

I'm curious: what is your take on XSA-254 and the Meltdown/Spectre
issues in Xen? Are those fixable?

Should we consider encouraging people to switch to other virtualization
solutions in LTS/jessie considering the difficulty of mitigation in Xen
environments?

Thanks,

A.

-- 
The idea that Bill Gates has appeared like a knight in shining armour to
lead all customers out of a mire of technological chaos neatly ignores
the fact that it was he who, by peddling second-rate technology, led
them into it in the first place. - Douglas Adams (1952-2001)

Re: backported gnutls28 3.3.30 packages availabled for jessie LTS

[Antoine Beaupré]

On 2018-10-23 19:26:32, Ben Hutchings wrote:
> On Tue, 2018-10-23 at 14:00 -0400, Antoine Beaupré wrote:
>> Hi,
>> 
>> After the lengthy discussion[1] regarding the pending security issues in
>> GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have
>> determined it might be simpler to just upgrade to the latest upstream
>> 3.3.x version for which upstream is still providing updates. Upstream
>> agrees with the approach. This removes 35 Debian-specific, backported
>> patches and fixes other unrelated bugs. The API/ABI *changes*, but it
>> only adds *new* symbols so the soname versions do not change.
> [...]
>
> I don't know exactly what gnutls's policy is for stable updates, but
> based on a quick look at the NEWS file it seems like these changes are
> probably suitable for a stable/LTS update.
>
> I did spot some incompatible changes in behaviour which might need to
> be called out in the Debian changelog or NEWS file, or even reverted,
> depending on how many users they might affect:
>
> ** libgnutls: Refuse to import v1 or v2 certificates that contain
> extensions.
>
> ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
>list. It has to be explicitly enabled, e.g., with a string like
>"NORMAL:+ARCFOUR-128". The previous behavior can be restored using
>the flag --with-arcfour128 to configure.
>
> ** libgnutls: SSL 3.0 is no longer included in the default priorities
>list. It has to be explicitly enabled, e.g., with a string like
>"NORMAL:+VERS-SSL3.0". The previous behavior can be restored using
>the flag --with-ssl3 to configure.
>
> ** libgnutls: require strict DER encoding for certificates, OCSP requests, 
> private
>keys, CRLs and certificate requests.  This backports the already default 
> behavior
>from the 3.5.x branch, in order to reduce issues due to the complexity of 
> BER rules.

Good catches. I should really go through those again with a NEWS.Debian
update in mind.

One thing they did to fix those 'pseudo-constant time' vulnerabilities
is to remove certain algorithms as well, and I don't see those above. So
we shold probably warn about that as well.

A.
-- 
That's one of the remarkable things about life: it's never so bad that
it can't get worse.
- Calvin

Re: backported gnutls28 3.3.30 packages availabled for jessie LTS

[Antoine Beaupré]

Ah, and I pushed my changes here:

https://salsa.debian.org/debian/gnutls/tree/gnutls28_jessie_3.3.30+

A.

-- 
We should act only in such away that if everyone 
else acted as we do, we would accept the results.
- Emmanuel Kant

backported gnutls28 3.3.30 packages availabled for jessie LTS

[Antoine Beaupré]

Hi,

After the lengthy discussion[1] regarding the pending security issues in
GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have
determined it might be simpler to just upgrade to the latest upstream
3.3.x version for which upstream is still providing updates. Upstream
agrees with the approach. This removes 35 Debian-specific, backported
patches and fixes other unrelated bugs. The API/ABI *changes*, but it
only adds *new* symbols so the soname versions do not change.

[1]: CABY6=0nu1qg9beb5qc-mbzfubmqgxp9dbgnicfupppiwz+o...@mail.gmail.com

I have uploaded the test package in the usual location here:

https://people.debian.org/~anarcat/debian/jessie-lts/

Direct link to the .changes file:

https://people.debian.org/~anarcat/debian/jessie-lts/gnutls28_3.3.30-1+deb8u_amd64.changes

The debdiff is obviously quite large so I haven't audited the whole
diff, which would have basically meant reviewing all the releases
between upstream 3.3.8 and 3.3.0:

 2151 files changed, 65784 insertions(+), 60661 deletions(-)

Note that about 3000 lines of those are from debian/patches removals
that were now unnecessary.

The upstream changelog details all the changes:

https://gitlab.com/gnutls/gnutls/blob/gnutls_3_3_x/NEWS

Our branch point was 3.3.8, over four years ago. The latest 3.3.30
release was last july.

It should be possible to backport the upstream patches for those issues
as well. But considering the amount of work that represented and how
sensitive the issue is, I felt more confident going with upstream's
recommendation.

Extensive testing is recommended. The test suite obviously passes here
(otherwise the package does not build) but there might be other problems
that I haven't foreseen.

Thanks for any feedback.

A.
-- 
Information is not knowledge. Knowledge is not wisdom.
Wisdom is not truth. Truth is not beauty.
Beauty is not love. Love is not music.
Music is the best.  - Frank Zappa

Re: Confusing our users - who is supporting LTS?

[Antoine Beaupré]

Hi Steve!

On 2018-10-23 04:26:18, Steve McIntyre wrote:
> So I'm worried that those of us who have *not* volunteered to support
> LTS are being pressured into spending our time on it anyway. What can
> we do to fix that? How/where do we clarify for our users (and
> developers!) what LTS means, and what expectations are fair?

TL;DR: Why not just delegate image management to the LTS team once
oldstable because LTS just like we do with security? Zobel also provided
a good template for the images life cycle which could clarify this on
debian-cloud@, which I fully support.

I acknowledge this is, indeed, a problem Debian volunteers have
sometimes mentioned. It's a broader issue than just the cloud team of
course, but if I may, I would like to try and fix that specific issue in
itself. I know there's the larger debate of separation of duty and
infrastructure, paid-vs-unpaid work and other questions, but I do not
think it's productive to fix that particular issue by addressing the
larger ones up front, as they seem intractable unless we address
specific cases.

In this case, it seems to me we have a flawed assumption in the way we
handle Debian LTS: we assume people will not actually install it and
instead just upgrade machines installed when LTS was "stable". It's a
fair assumption in the case of workstations and long-lived, "pet"
servers. I know I wouldn't install a new bare-metal server with an
unsupported release: I would install stretch, if not buster, not jessie.

But in the cloud infrastructure, things are slightly different. The base
image isn't as important as the application and/or data that runs on
top. In the cloud, we install new "machines" all the time, sometimes as
part of CI/CD processes and those machines are not "pets", they are
"cattle" and recycled constantly. In that sense, switching the base OS
is, paradoxically, a big deal so it actually makes sense to install an
older release for newer machines. This is why Travis CI still supports
Ubuntu LTS Precise (12.04) and Trusty (14.04), the former which isn't
supported by Canonical, and it's missing *two* more recent LTS releases,
Xenial (16.04) and Bionic (18.04).

So while we haven't taken up the work of managing the debian-installer
parts of Debian LTS (because there was no need or demand for it), it
seems to me like a fair request that the Debian LTS team should manage
the Debian Cloud images once the official support window closes. Just
like the security team delegates oldstable to LTS, the cloud team could
hand off unsupported images to the LTS team. In a way, just like APT and
the normal archive, "cloud images" are just another way to "upgrade" an
existing Debian install.

It seems like a nice, symmetrical approach to solve the problem: just
punt this over to the LTS team. We have some capacity and knowledge. I
know I would be happy to work on those images.

That's for the expectations part of the question. As for how to clarify
this to our users, Martin Zobel-Helas made a good proposal for a
workflow of how and when the team updates the images and when they
become unsupported. The /etc/motd in the images could mention this, for
example and the last build could add a warning pointing to it. If we
agree to delegate to the LTS team, the document should also mention that
transition.

Sorry for the long email, I hope it's useful!

a.

-- 
We have to talk about liberating minds as well as liberating society.
- Angela Davis

Re: Gnutls investigation and request for advice for Jessie

[Antoine Beaupré]

I am looking at how we diverged from 3.3.30 right now and if it's worth
keeping our diversion.

Upstream explicitely said they would prefer us to migrate to 3.3.30 so I
will the advice seriously. :)

a.

On 2018-10-22 20:05:52, Ola Lundqvist wrote:
> Hi Antoine
>
> My thinking was that it was easy to check how complicated a backport would
> be. If we conclude that it is complicated (patches do not apply and it is
> clear that code need to be re-written) then I think we can consider going
> for 3.3.30 instead. What do you think?
>
> // Ola
>
> On Mon, 22 Oct 2018 at 17:22, Antoine Beaupré 
> wrote:
>
>> On 2018-10-18 11:26:04, Ola Lundqvist wrote:
>> > Hi
>> >
>> > Sorry for the late reply. We can consider updating to the 3.3.30, but I
>> > suggest you first check how easy it is to backport it.
>>
>> What do you mean exactly? Backporting it is about as hard as figuring
>> out how hard it would be to backport, no? :)
>>
>> A.
>>
>> --
>> We will create a civilization of the Mind in Cyberspace. May it be
>> more humane and fair than the world your governments have made
>> before.
>>  - John Perry Barlow
>>
>
>
> -- 
>  --- Inguza Technology AB --- MSc in Information Technology 
> /  o...@inguza.comFolkebogatan 26\
> |  o...@debian.org   654 68 KARLSTAD|
> |  http://inguza.com/Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---

-- 
Omnis enim ex infirmitate feritas est.
All cruelty springs from weakness.
 - Lucius Annaeus Seneca (58 AD)

Re: Wheezy update of spamassassin?

[Antoine Beaupré]

On 2018-09-25 16:03:45, Antoine Beaupré wrote:
> On 2018-09-19 19:16:32, Noah Meyerhans wrote:
>> On Wed, Sep 19, 2018 at 08:26:28PM +0200, Ola Lundqvist wrote:
>>> The Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of spamassassin:
>>> https://security-tracker.debian.org/tracker/CVE-2018-11780
>>> https://security-tracker.debian.org/tracker/CVE-2018-11781
>>> https://security-tracker.debian.org/tracker/CVE-2018-15705
>>> 
>>> Would you like to take care of this yourself?
>>
>> It's not yet clear how these will even be fixed in stretch, so it may be
>> premature to think about wheezy.
>>
>> At the moment, upstream is advocating strongly for us to move to the
>> newly released 3.4.2 upstream version in our stable branches. We're
>> considering it, in part because upstream isn't providing a discrete set
>> of patches to address the security issues.
>>
>> I will keep you informed (or worst case, you'll learn via
>> debian-security-announce) as to the status of fixes for stable and LTS.
>
> It would make sense to package 3.4.2 everywhere to me, considering it's
> a minor point release. Unfortunately, it seems they bundle quite a bit
> of stuff in their point release... :/
>
> In the meantime, I'll make a note in the LTS process to hold off while
> we figure this out.
>
> In any case, I'd be happy to help with updates to any suite, since it
> will likely be the same across all suites.

Ping! Any update here? Do you want us to help with the jessie or stretch
update?

A.

-- 
Nothing in life is to be feared, it is only to be understood.
Now is the time to understand more, so that we may fear less.
 - Marie Curie

Re: Gnutls investigation and request for advice for Jessie

[Antoine Beaupré]

On 2018-10-18 11:26:04, Ola Lundqvist wrote:
> Hi
>
> Sorry for the late reply. We can consider updating to the 3.3.30, but I
> suggest you first check how easy it is to backport it.

What do you mean exactly? Backporting it is about as hard as figuring
out how hard it would be to backport, no? :)

A.

-- 
We will create a civilization of the Mind in Cyberspace. May it be
more humane and fair than the world your governments have made
before.
 - John Perry Barlow

Re: Gnutls investigation and request for advice for Jessie

[Antoine Beaupré]

I contacted three parties to try and settle this:

 * the original authors of the paper
 * the GnuTLS upstream
 * the RedHat security team

The original authors "still stand behind what is written in the paper"
and believe only a constant-time implementation is the proper fix. They
point to BoringSSL, OpenSSL and WolfSSL as properly implementing this
now, but acknowledge such a fix might impose API breakage, at least in
the low-level hash functions.

Upstream GnuTLS replied the following:

https://gitlab.com/gnutls/gnutls/issues/456#note_105621260

> The solution applied in gnutls 3.3.30 is a mitigation against the
> attack published by the authors. As such these CVEs are
> addressed. What the authors claim is that these mitigations may not be
> sufficient to address a future attack similar in principle to that
> one; they indeed have a point but I guess that's with all attacks one
> way or another. So backporting these mitigations (or preferably by
> updating to 3.3.30) is sufficient to address that vulnerability. A
> more general solution is tracked at #503.

In other words: that's the solution we got now, use it or wait (possibly
for months) for a longer term fix.

RedHat security hasn't answered yet, but GnuTLS upstream also replied
there:

https://bugzilla.redhat.com/show_bug.cgi?id=1582571#c12

> That is, the existing counter-measures present were improved to
> protect against this attack. Indeed the paper authors mention that
> this may not be sufficient to counter other future attacks, and they
> are correct in that. How critical however would be such future
> attacks? For that one must note what is the actual impact of this
> attack. This type of attacks does only affect the legacy HMAC-based
> ciphersuites and only when the gnutls peer does not implement the
> encrypt-then-mac construction. That's why the majority of HMAC
> ciphersuites are now disabled by default keeping HMAC-SHA1 for
> compatibility only.

In other words: yes, an attack is still possible, but it's not critical
because the impact is smaller.

I agree with this analysis: the fix is imperfect, but it's all we
got. So I'll be looking at backporting this shortly.

Or should we update jessie to 3.3.30 as recommended upstream? There
*were* API/ABI changes since 3.3.8, but only new symbols were added - no
signatures were changed or removed...

A.
-- 
Music gives a soul to the universe, wings to the mind, flight to the
imagination and life to everything
 - Plato

Re: removing enigmail from jessie?

[Antoine Beaupré]

On 2018-09-27 10:51:25, Antoine Beaupré wrote:
> So thinking about this again, I see three options:
>
>  1. Make Enigmail work with GnuPG 2 in Debian and ship the result in
> jessie-securtiy. As mentioned above, I think this has huge
> implications and risks breaking unrelated software, so it's not
> really an option.
>
>  2. Same as #1, but ship the updates through sloppy backports. We could
> then have gnupg2.2 and enigmail live together. It could still break
> things, but at least we could say "told you so" and parade around
> like it's not our fault. Obviously not ideal either.
>
>  3. Package the missing dependencies for openpgp.js that make Enigmail
> work without GnuPG. That's another big undertaking and it requires
> making Javascript packages cross NEW, which is a challenge onto
> itself. I've done the little magic thing to list the dependencies
> and document this in #787774 but we're far from having this
> ready. But at least this would work without damaging unrelated
> software.
>
>  4. Just give up on Enigmail in jessie and remove it from the list of
> supported packages. Enigmail is listed in the addons and works well
> from there as it's pure Javascript. I'm not sure how that could be
> handled: just removing the package from the archive would leave
> people without upgrades or a notification that the package is gone
> (a recurring problem we should solve, IMHO).

>From apo's comment and discussions with one of the enigmail maintainers
(dkg), a fifth option came up:

 5. backport enigmail with the patches to GPG 2.0. the reason the
build-dep version was bumped is there are critical security issues
in the way GPG 2 operates under certain circumstances which are used
by Enigmail (at least T4017 and T4018 in GnuPG's bts)

This seems like the best approach right now. Yes, enigmail works with
GPG 2.1 in stretch, but it doesn't mean it's safe. It seems, in fact,
particularly vulnerable to arbitrary key injection if I read the above
bug reports correctly.

==

In any case, backporting Enigmail to stretch or jessie is not simple .

The problem right now is that Enigmail itself is in a state of flux. The
versions compatible with TB 60 are the latest versions and those are,
well, in development, to put it mildly. For example, from what I
understand, OpenPGP.js is used by Enigmail, but not everywhere: Enigmail
still requires a functioning GnuPG installation, which surprised
me. [Autocrypt] support is still in development and Debian CI breaks as
the test suite fails in some critical code paths which make the current
implementation more or less insecure.

[Autocrypt]: https://autocrypt.org/

So in short, according to dkg, to get Enigmail working properly, we need
to fix the test suite, which involves going deep in some pretty nasty
multilayered, vendored and copied Javascript code.

The alternative, of course, would be to fork off some Enigmail version
and remove Autocrypt support for stable/oldstable. But then we end up
living with that fork for a long time as well.

So right now I've taken the approach of fixing stuff for unstable and
helping dkg deal with this mess. I'll be reviewing his code in the hope
we can push an update forward.

In the meantime, of course, work on TB60 can proceed - worse case an
upload happens before enigmail is ready, like happened in enigmail but
obviously it would be better to coordinate this.

Whee, what a mess! :)

A.

-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then
let us work together.- Aboriginal activists group, Queensland, 1970s

Re: enigmail will break with TB upgrade

[Antoine Beaupré]

On 2018-09-27 17:27:46, Markus Koschany wrote:
> Am 27.09.18 um 17:12 schrieb Antoine Beaupré:
> [...]
>> I wonder what that was all about...
>> 
>> Was the solution for stretch finally to remove enigmail from stable and
>> use backports?
>
> AFAIK he hasn't made a decision yet and I doubt he will use backports
> because it's not for fixing bugs in stable. ;-) I can only say for
> myself that my private backport of enigmail works on Stretch and I have
> only removed the versioned dependency on gnupg2. If it turns out this is
> not feasible for Jessie, then we should make an announcement with the
> next Firefox update that Firefox addons are no longer supported. However
> I am willing to backport ublock-origin and https-everywhere with my
> maintainer hat on and I believe this is doable.

Yeah, that makes sense for such extensions, but I think gpg is a whole
other ballgame. :)

A.

-- 
In serious work commanding and discipline are of little avail.
 - Peter Kropotkin

Re: enigmail will break with TB upgrade

[Antoine Beaupré]

On 2018-09-27 17:05:08, Markus Koschany wrote:
> Am 27.09.18 um 04:52 schrieb Antoine Beaupré:
> [...]
>> Enigmail's work, then, might be better targeted at helping the folks in
>> stretch, although I do wonder how we could possibly upgrade GnuPG 2
>> (required to get a new version of Enigmail compatible with TB 60) in
>> jessie without causing all sorts of unrelated trouble. Keep in mind that
>> Jessie still runs the old 2.0 release instead of the (recommended) 2.1
>> (stretch) or 2.2 (buster) releases.
>
> Just for the record. I have backported the Buster version of Enigmail to
> Stretch and it works simply by removing the versioned dependency on
> gnupg2. So far I haven't noticed any issues.

But stretch has GnuPG 2.1 and it's the default gpg binary. jessie will
be a whole other story...

dkg was saying the reason Enigmail used openpgp.js is because gpg was
outdated somehow on some platforms:

 * instead, i realized that the OpenPGP.js node package was only needed
   by enigmail for a few things, in particular to avoid needing a newer
   version of GnuPG.

 * there were a few small changes that needed to be made to GnuPG to
   make enigmail pass its test suites properly without OpenPGP.js, so i
   got them made upstream in GnuPG.

 * then i stripped OpenPGP.js from enigmail, and bumped enigmail's
   dependency on GnuPG.

Source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909000

I wonder what that was all about...

Was the solution for stretch finally to remove enigmail from stable and
use backports?

A.

-- 
Le pouvoir n'est pas à conquérir, il est à détruire
- Jean-François Brient, de la servitude moderne

removing enigmail from jessie?

[Antoine Beaupré]

On 2018-09-26 22:52:01, Antoine Beaupré wrote:
> So one problem we have with maintaining the post-XUL programs like
> Thunderbird and Firefox is not only backporting the build toolchain, but
> also the leaf dependencies.
>
> Enigmail, for example, is broken since Thunderbird 60 landed in stretch:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909000
>
> Fixing this in stretch will be a significant challenge, let alone in
> jessie. I wonder how we want to approach this.
>
> Presumably, Emilio, while working on Firefox, would also backport the
> toolchain necessary for Thunderbird, is that correct?
>
> Enigmail's work, then, might be better targeted at helping the folks in
> stretch, although I do wonder how we could possibly upgrade GnuPG 2
> (required to get a new version of Enigmail compatible with TB 60) in
> jessie without causing all sorts of unrelated trouble. Keep in mind that
> Jessie still runs the old 2.0 release instead of the (recommended) 2.1
> (stretch) or 2.2 (buster) releases.

So thinking about this again, I see three options:

 1. Make Enigmail work with GnuPG 2 in Debian and ship the result in
jessie-securtiy. As mentioned above, I think this has huge
implications and risks breaking unrelated software, so it's not
really an option.

 2. Same as #1, but ship the updates through sloppy backports. We could
then have gnupg2.2 and enigmail live together. It could still break
things, but at least we could say "told you so" and parade around
like it's not our fault. Obviously not ideal either.

 3. Package the missing dependencies for openpgp.js that make Enigmail
work without GnuPG. That's another big undertaking and it requires
making Javascript packages cross NEW, which is a challenge onto
itself. I've done the little magic thing to list the dependencies
and document this in #787774 but we're far from having this
ready. But at least this would work without damaging unrelated
software.

 4. Just give up on Enigmail in jessie and remove it from the list of
supported packages. Enigmail is listed in the addons and works well
from there as it's pure Javascript. I'm not sure how that could be
handled: just removing the package from the archive would leave
people without upgrades or a notification that the package is gone
(a recurring problem we should solve, IMHO).

I'm leaning towards working a bit towards #3 since that would benefit
everyone in the long term, but I suspect the endgame will be #4:
removal.

Comments?

-- 
Men are taught to apologize for their weaknesses, women for their
strengths.
- Lois Wyse

enigmail will break with TB upgrade

[Antoine Beaupré]

So one problem we have with maintaining the post-XUL programs like
Thunderbird and Firefox is not only backporting the build toolchain, but
also the leaf dependencies.

Enigmail, for example, is broken since Thunderbird 60 landed in stretch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909000

Fixing this in stretch will be a significant challenge, let alone in
jessie. I wonder how we want to approach this.

Presumably, Emilio, while working on Firefox, would also backport the
toolchain necessary for Thunderbird, is that correct?

Enigmail's work, then, might be better targeted at helping the folks in
stretch, although I do wonder how we could possibly upgrade GnuPG 2
(required to get a new version of Enigmail compatible with TB 60) in
jessie without causing all sorts of unrelated trouble. Keep in mind that
Jessie still runs the old 2.0 release instead of the (recommended) 2.1
(stretch) or 2.2 (buster) releases.

So before anyone jumps both feet into patching enigmail for whatever
issues are pending there, this should be taken into account.

A.

-- 
Growth for the sake of growth is the ideology of the cancer cell.
- Edward Abbey

Re: CVE-2018-14624 - testing 389-ds-base update

[Antoine Beaupré]

On 2018-09-15 12:04:02, Hugo Lefeuvre wrote:
> Hi,
>
> I have just prepared a Jessie security update for 389-ds-base, addressing
> CVE-2018-14624. I will go through the test procedure myself, however I am
> not a 389-ds user, so it might be good if someone more experienced with
> this LDAP server could double check the update before upload.

I have no experience with that LDAP server either - I have only used
OpenLDAP in the past. But that experience did allow me to smoke-test
your packages and they can live through an upgrade without crashing on
restart and ldapsearch still works.

So I would say it's good enough for now.

A.

-- 
The history of any one part of the earth, like the life of a soldier,
consists of long periods of boredom and short periods of terror.
   - British geologist Derek V. Ager

Re: Wheezy update of spamassassin?

[Antoine Beaupré]

On 2018-09-19 19:16:32, Noah Meyerhans wrote:
> On Wed, Sep 19, 2018 at 08:26:28PM +0200, Ola Lundqvist wrote:
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of spamassassin:
>> https://security-tracker.debian.org/tracker/CVE-2018-11780
>> https://security-tracker.debian.org/tracker/CVE-2018-11781
>> https://security-tracker.debian.org/tracker/CVE-2018-15705
>> 
>> Would you like to take care of this yourself?
>
> It's not yet clear how these will even be fixed in stretch, so it may be
> premature to think about wheezy.
>
> At the moment, upstream is advocating strongly for us to move to the
> newly released 3.4.2 upstream version in our stable branches. We're
> considering it, in part because upstream isn't providing a discrete set
> of patches to address the security issues.
>
> I will keep you informed (or worst case, you'll learn via
> debian-security-announce) as to the status of fixes for stable and LTS.

It would make sense to package 3.4.2 everywhere to me, considering it's
a minor point release. Unfortunately, it seems they bundle quite a bit
of stuff in their point release... :/

In the meantime, I'll make a note in the LTS process to hold off while
we figure this out.

In any case, I'd be happy to help with updates to any suite, since it
will likely be the same across all suites.

A.

-- 
There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult.
- C.A.R. Hoare

Re: git-annex security update ready for testing and review

[Antoine Beaupré]

On 2018-09-06 15:42:41, Joey Hess wrote:
> Antoine Beaupré wrote:
>> I'm now more confident the patchset is complete. There are one tiny bit
>> I'm still slightly unsure of. In Command.Reinject.perform, there was a
>> `boolSystem "mv"` call lying around that was turned into a `moveFile`
>> some time between the jessie version and 2fb3722ce. I figured this was
>> the last instance of such an "mv" call and that moveFile does what it's
>> supposed to do in the jessie version. So to avoid any compiler mishaps,
>> I figured I would just use moveFile there but I'm not certain of the
>> implications.
>
> I don't think this change was strictly necessary, but I do think it's correct.
>
>> I'm also wondering if there are reproducers for those vulnerabilities so
>> that I can test the new packages to see if they actually fix the
>> problems.
>
> No, I don't have any. You can test downloads from localhost and non-http
> url schemes to make sure they're blocked.
>
>> So I've uploaded the test packages to my repository again:
>> 
>> https://people.debian.org/~anarcat/debian/jessie-lts/
>> 
>> This time, testing would be greatly appreciated. And of course, a review
>> of the patchset would be great as well.
>
> I've looked over the patchset and nothing stands out to me as a problem,
> but it is of course a big patchset against a very old version so it
> would be easy to miss something.

Thanks so much for the review (and the quote on your devblog, btw! :). I
understand it's a huge patch and I'm of course not asking for any
warranties. Just having an extra pair of eyes on this is great in any
case.

Cheers!

A.
-- 
The fundamental cause of the trouble is that in the modern world the
stupid are cocksure while the intelligent are full of doubt.
   - Bertrand Russell, The Triumph of Stupidity, 1933

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

[Antoine Beaupré]

On 2018-09-02 17:08:09, Brian May wrote:
> Antoine Beaupré  writes:
>
>> What do you think? Should we push this forward?
>
> I am somewhat concerned that by fixing this we might be breaking
> something. Even if it is 100% broken behaviour, maybe some application
> depends on this?
>
> Is the potential attack bad enough to justify potential breakage? I am
> not absolutely convinced.

Well there *are* probably some XSS left. The solution would be similar
to the one I did in the DLA with little or no breakage.

A.

-- 
The class which has the power to rob upon a large scale has also the
power to control the government and legalize their robbery.
- Eugene V. Debs

Re: Gnutls investigation and request for advice for Jessie

[Antoine Beaupré]

On 2018-08-31 16:18:39, Antoine Beaupré wrote:
> On 2018-08-31 21:30:14, Ola Lundqvist wrote:
>> Hi Antoine
>>
>> Thank you for the input this is valuable. I have some comments below.
>>
>> On Fri, 31 Aug 2018 at 21:03, Antoine Beaupré  
>> wrote:
>>>
>>> On 2018-08-31 13:29:29, Ola Lundqvist wrote:
>>> > Hi all LTS contributors
>>> >
>>> > My question is whether removing default ciphers and introducing new
>>> > options is acceptable so late in the release cyckle. My assumption is
>>> > no, but let me know if you have another opinion. More details below.
>>>
>>> A priori, I think it is if it fixes serious security vulnerabilities and
>>> there is no easier way to do so.
>>
>> I'm not so sure this is a serious issue as it is only exploitable in a
>> rather uncommon case, that is when Encrypt-then-MAC (RFC7366) is
>> unsupported by the peer.
>> Most software do have that support as I understand it.
>
> That's the crucial part, I guess. :) I am not sure.

The paper actually makes that claim which seems important:

> The “Encrypt-then-MAC” countermeasure from RFC 7366 is supported in
> mbed TLS and GnuTLS, but requires client-side support and has seen
> little uptake elsewhere (e.g.  neither Firefox nor Chrome supports the
> EtM extension).

In other words, EtM is not well supported in clients at all, and just
forcing that mode does not seem to be a good strategy for mitigation.

The paper does refer to a good source for TLS adoption numbers.

https://notary.icsi.berkeley.edu/

With that as a source, it says that 10% of TLS traffic is still in CBC
mode. The site does not load here so I cannot make further research,
unfortunately.

[...]

> If you are unsure about updates, upload a test package somewhere and ask
> people for feedback. I do it all the time and it actually works, if you
> give people time (sometimes a week or more). For an update as critical,
> it would certainly be warranted.

Also, I would be happy to review patches and packages you propose,
unless that wasn't clear already. :)

>>> It seems that upstream did the right thing here and backported a bunch
>>> of stuff for us already - it'd be too bad to waste that effort and skip
>>> those CVEs. ;)
>>
>> :-D on the other hand maybe we break backwards compatibility. If it
>> wasn't for the backwards compatibility I would not have asked. :-)
>
> Yeah, I guess I don't know what's in those updates exactly, that's a
> good point.

Another important point I found while (finally) reading the whole
paper is that:

> However, we believe that the GnuTLS code is still vulnerable to
> variants of the attacks presented in our paper due to its
> padding-dependent memory accesses. We notified the GnuTLS team of our
> concerns about this on June 13th 2018. Our understanding is that the
> GnuTLS team does not plan to address the issues, but prefers to
> promote the use of Encrypt-then-MAC (as specified in RFC 7366) when
> legacy cipher suites are required.

Considering this and the lack of EtM support in the wild, I'm starting
to seriously question the claims of the GnuTLS upstream. It does not
seem like they really have fixed this at all, again, I should add.

I'm sorry I am not bringing a more positive note here, but it does seem
like things are a mess on GnuTLS' side. Maybe we should consider asking
upstream for more information about their stance on the paper author's
claims to get a clearer picture. 

Finally, the paper mentions that the Red Hat security team issued those
CVEs, so they might have something up their sleeve as well, although a
look at their Bugzilla does not yield anything conclusive.

Good luck!

A.

-- 
If it's important for you, you'll find a way.
If it's not, you'll find an excuse.
- Unknown

Re: Gnutls investigation and request for advice for Jessie

[Antoine Beaupré]

On 2018-08-31 21:30:14, Ola Lundqvist wrote:
> Hi Antoine
>
> Thank you for the input this is valuable. I have some comments below.
>
> On Fri, 31 Aug 2018 at 21:03, Antoine Beaupré  wrote:
>>
>> On 2018-08-31 13:29:29, Ola Lundqvist wrote:
>> > Hi all LTS contributors
>> >
>> > My question is whether removing default ciphers and introducing new
>> > options is acceptable so late in the release cyckle. My assumption is
>> > no, but let me know if you have another opinion. More details below.
>>
>> A priori, I think it is if it fixes serious security vulnerabilities and
>> there is no easier way to do so.
>
> I'm not so sure this is a serious issue as it is only exploitable in a
> rather uncommon case, that is when Encrypt-then-MAC (RFC7366) is
> unsupported by the peer.
> Most software do have that support as I understand it.

That's the crucial part, I guess. :) I am not sure.

[...]

>> > Upstream do in fact not even plan to do this as the problem only occur
>> > in the following cases:
>> > - CBC cipher
>> > - If Encrypt-then-MAC (RFC7366) is unsupported by the peer
>> >
>> > Instead upstream have done the following:
>> > 1) Introduced a new option to enforce Encrypt-then-MAC (for CVE-2018-10846)
>> > 2) Do a fix with SHA384 (for  CVE-2018-10845)
>> > 3) Remove SHA256 and SHA384 from the default MAC ciphers (for
>> > CVE-2018-10844 and CVE-2018-10845)
>> > 4) A try to fix the problem (CVE-2018-10844 and potentially CVE-2018-10845)
>> >
>> > 1: I do not think we can do 1 such late in the release cycle. I mean
>> > new options now would be rather pointless. I will mark  CVE-2018-10846
>> > as ignored due to this. Or do you think new options is ok also in
>> > Jessie?
>>
>> I looked at the upstream patch (MR#657) for this and it doesn't look
>> that invasive. According to GitLab, it is "21 files with 738 additions
>> and 148 deletions", which seems fairly small considering the scope of
>> the change:
>>
>> https://gitlab.com/gnutls/gnutls/merge_requests/657.patch
>
> I agree on that. But introducing an option will not help in most cases
> that use gnutls. I mean gnutls is used in most cases as a library and
> unless the other software is changed then there is no use of
> introducing the option.

That's true! I'm not sure how to deal with that... I guess it means
library users need to do the right thing then? Unless they mess around
with cipher lists the way charybdis does?

[...]

>> This, again, is also part of the larger fix in MR#657.
>>
>> Combined, those last two patches make about +- 50 lines of diff,
>> compared to the 700+ lines of diff for the larger merge request. But do
>> consider that a large part of MR#657 (+400 lines) is the introduction of
>> tests/tls-force-etm.c, a standalone file which shouldn't cause conflicts
>> at the very least.
>>
>> > I think I should do 2 and 4, but not 1 and 3.
>> >
>> > What do you think? If I do not hear any objections I'll do so.
>>
>> I would give it a shot and try to backport the whole thing. I would also
>> carefully look at the 3.3.x series to see if there's an official commit
>> shipping those. At first glance, it does look like a release was made on
>> all branches, including a 3.3.30 release that bundles some of those
>> patches.
>
> But not the default cipher removal, right?

Actually, looking at the NEWS file, they *did* remove the ciphers from
the defaults list as well.

>> In fact, I'd be tempted to seriously consider upgrading to that upstream
>> release after comparing our changelog with theirs to see if there's
>> anything missing either side...
>
> That is another way. I'm not so comfortable with doing that
> considering that I broke some software I did that with a library
> package. I do not remember what library it was now but some browser
> did not work after that.

You mean the NSS library and #843624? :) That was a hairy issue and it
affected an unsupported package (chromium). I don't think you should
stop from working on difficult package because of one difficulty. If
anything, that was a learning experience and you are now *more*
qualified to deal with such packages now. ;)

If you are unsure about updates, upload a test package somewhere and ask
people for feedback. I do it all the time and it actually works, if you
give people time (sometimes a week or more). For an update as critical,
it would certainly be warranted.

>> It seems that upstream did the right thing here and backported a bunch
>> of stuff for us already - it'd be too bad to waste that effort and skip
>> those CVEs. ;)
>
> :-D on the other hand maybe we break backwards compatibility. If it
> wasn't for the backwards compatibility I would not have asked. :-)

Yeah, I guess I don't know what's in those updates exactly, that's a
good point.

> Again thank you for the input.

Glad to be of service!

A.

Re: tiff / CVE-2018-15209

[Antoine Beaupré]

On 2018-08-29 12:24:30, Brian May wrote:
> Antoine Beaupré  writes:
>
>> Brian, are you sure you're getting those failures in jessie? Which
>> architecture? Here my tests were done in a VirtualBox VM using an up to
>> date Debian jessie amd64 box.
>
> My tests were done in a schroot. Not sure if I used i386 or amd64 now.

Well, as I can't reproduce any issue at all with this, I've left it as
N/A for jessie.

A.
-- 
Secrecy is the keystone to all tyranny. Not force, but secrecy and
censorship.
   -  Robert A. Heinlein

Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042

[Antoine Beaupré]

On 2018-08-29 12:23:54, Brian May wrote:
> Antoine Beaupré  writes:
>
>> On 2018-08-08 17:35:52, Brian May wrote:
>>> If I got this right, we cannot use $(xyz) unless the value of xyz is
>>> trusted. Otherwise executing $(xyz) can result in the execution of code
>>> if xyz is something like "". This
>>> happens immediately, and even if you don't use the return value.
>>
>> I am a bit puzzled as to how this attack works, but I'm ready to accept
>> that as yet another jQuery excentricity. :)
>
> So my understanding only, $(...) has been overloaded and has a number of
> distinct uses.
>
> You can use it to look up a value, e.g.:
>
> $("#myid")
>
> You can use it to create a DOM element:
>
> $("ABC")
>
> Or:
>
> $("")
>
> This will not only create the dom element, and try to preload the
> image. When this fails, the onerror hook is called.
>
> You could also use it to wrap a JS DOM element in a jquery selector, but
> this use isn't so relevant here.

Right, of course. That makes sense, somewhat.

> The problem occurs as this code does lookups on untrusted values like:
>
> $(untrusted_input)
>
> The problem being if untrusted_input can change the mode from "lookup"
> to "create" which in turn assumes that the data passed is trusted.
>
> I think the real problem here is poor jquery API, however I doubt this
> is going to change anytime soon as this would break everything that uses
> jquery.

Indeed. As far as Bootstrap is concerned, they are just going away from
that API at this point and use native lookups without side-effects:

https://github.com/twbs/bootstrap/issues/26643

But unfortunately, that work was done only in Bootstrap 4, which is not
even in Debian yet.

There are, unfortunately, a non-trivial number of packages depending on
bootstrap (even v2!) in the archive still, otherwise I would propose to
just remove the damn things and get it over with.

I guess the proper process here would be to actually test a few
instances to see if we are still vulnerable and open issues (CVE?
upstream?) to track those.

What do you think? Should we push this forward?

A.
-- 
Freedom of speech is a principal pillar of a free government; when
this support is taken away, the constitution of a free society is
dissolved, and tyranny is erected on its ruins.
- Benjamin Franklin, 1737