Re: upload leptonlib

2018-02-27 Thread Santiago R.R.
On 26/02/18 at 10:55, Jeff Breidenbach wrote:
> >Was upstream's position also to remove those binaries?
> 
> Yes.
> 
> >Upstream was unable to provide a patch?
> 
> Yes. Upstream decided that it was not worth the time to make a patch.
> 
> Leptonica is a large image processing library. It also contains source code
> for many (over 200) example programs that use the library. From these example
> programs, a small number (about 10) are built and ship as part of the
> leptonica-progs binary package.
> 
> Bug #830660 noticed that some of these programs were insecure. The affected
> programs were not very important, and my best guess is nobody uses them. So
> after discussion with upstream, I removed them from the Debian package.
> Because the programs are probably not used, I don't have a strong opinion
> about what happens with Wheezy.
> 
> Does this help?

Yes, thank you.

Since the affected programs are not very important, I'd say now the
issue is not serious enough to modify the jessie and wheezy packages.

Other opinions?




Re: upload leptonlib

2018-02-26 Thread Jeff Breidenbach
>Was upstream's position also to remove those binaries?

Yes.

>Upstream was unable to provide a patch?

Yes. Upstream decided that it was not worth the time to make a patch.

Leptonica is a large image processing library. It also contains source code
for many (over 200) example programs that use the library. From these example
programs, a small number (about 10) are built and ship as part of the
leptonica-progs binary package.

Bug #830660 noticed that some of these programs were insecure. The affected
programs were not very important, and my best guess is nobody uses them. So
after discussion with upstream, I removed them from the Debian package.
Because the programs are probably not used, I don't have a strong opinion
about what happens with Wheezy.

Does this help?


Re: upload leptonlib

2018-02-23 Thread Salvatore Bonaccorso
Hi Ben,

MITRE did assign the following:

On Thu, Feb 22, 2018 at 05:38:16PM +0100, Ben Hutchings wrote:
> > > 1. #890548
> > 
> > This one has CVE-2018-7186.
> > 
> > > 2. Incomplete fix for #889759 / CVE-2018-3836

CVE-2018-7440

> > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > > there is a possibility of path traversal and arbitrary file overwrite

CVE-2018-7442

> > > 4. #885704

CVE-2017-18196

> > > 5. The remaining hardcoded paths in /tmp

CVE-2018-7441

Regards,
Salvatore




Re: upload leptonlib

2018-02-23 Thread Santiago R.R.
On 23/02/18 at 10:08, Jeff Breidenbach wrote:
> >So these files should be also removed from the package in wheezy and jessie?
> 
> Yes.

Sorry if my previous message was maybe too brief.

It is not common to remove a file from the packages of a released debian
suite. I find it surprising that the fix was to remove the binaries.

It seems that upstream keeps the source code (prog/printtiff.c,
prog/printsplitimage.c, prog/splitimage2pdf.c, prog/printimage.c) and
makes reference to printimage and printsplitimage in README.html. They
are included in CMakeLists.txt, but Debian doesn't rely on CMake to
build the package, which is somewhat confusing.

Was upstream's position also to remove those binaries? Upstream was
unable to provide a patch?

Could you please elaborate more on why removing the mentioned files is
the right thing to do?

Cheers, and thanks for your work,

 -- Santiago




Re: upload leptonlib

2018-02-23 Thread Jeff Breidenbach
>So these files should be also removed from the package in wheezy and jessie?

Yes.


Re: upload leptonlib

2018-02-23 Thread Santiago R.R.
Security team: sorry for the lack of context in the message. Please see
https://lists.debian.org/debian-lts/2018/02/msg00054.html and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830660

On 22/02/18 at 22:35, Jeff Breidenbach wrote:
>These binaries were removed in #830660.
>>$ strings /usr/bin/printsplitimage | grep ^/tmp/
>>/tmp/split
>>$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
>>/tmp/junk_split_image.ps

So these files should be also removed from the package in wheezy and jessie?

Cheers,

 -- Santiago




Re: upload leptonlib

2018-02-22 Thread Jeff Breidenbach
These binaries were removed in #830660.

>$ strings /usr/bin/printsplitimage | grep ^/tmp/
>/tmp/split
>$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
>/tmp/junk_split_image.ps


prune_unsafe_binaries.diff.gz
Description: GNU Zip compressed data


Re: upload leptonlib

2018-02-22 Thread Jeff Breidenbach
The remaining hardcoded /tmp filenames are believed to be in test and debug
code paths.


Re: upload leptonlib

2018-02-22 Thread Salvatore Bonaccorso
Hi Ben,

On Thu, Feb 22, 2018 at 05:38:16PM +0100, Ben Hutchings wrote:
> On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote:
> > Hi Ben,
> > 
> > On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote:
> > > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > > > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > > > Hello.
> > > > > > > 
> > > > > > > I prepared LTS security update for leptonlib. Please review and 
> > > > > > > upload.
> > > > > > > You can find debdiff along with the mail.
> > > > > > > link:
> > > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > > > 
> > > > > > 
> > > > > > Abhijith,
> > > > > > 
> > > > > > I have reviewed and uploaded the package. While you backported the
> > > > > > upstream fix, I feel like their approach falls under item #2 of 
> > > > > > "The Six
> > > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I 
> > > > > > cannot
> > > > > > help but wonder if another vulnerability will be uncovered later 
> > > > > > that
> > > > > > uses different characters that are not being checked.
> > > > > 
> > > > > I found one already: it filters out `command` but not $(command).
> > > > > 
> > > > > I'm afraid this library appears to have been written without any 
> > > > > regard
> > > > > for security, or even the existence of multiuser systems.
> > > > > 
> > > > > Bug #890548 (stack buffer overflows) is probably exploitable in 
> > > > > wheezy,
> > > > > and I think there are more instances.
> > > > > 
> > > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but 
> > > > > I
> > > > > can still see:
> > > > 
> > > > [...]
> > > > 
> > > > I've re-added the package to dla-needed.txt for #889759 /
> > > > CVE-2018-3836. Should a new CVE be issued for #885704?
> > > 
> > > I think additional CVEs are needed for:
> > > 
> > > 1. #890548
> > 
> > This one has CVE-2018-7186.
> > 
> > > 2. Incomplete fix for #889759 / CVE-2018-3836
> > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > > there is a possibility of path traversal and arbitrary file overwrite
> > > 4. #885704
> > > 5. The remaining hardcoded paths in /tmp
> > 
> > Have you already requested CVEs for the other issues?
> 
> No I haven't.

Alright, I will try to request the pending ones tonight.

Regards,
Salvatore



Re: upload leptonlib

2018-02-22 Thread Ben Hutchings
On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote:
> Hi Ben,
> 
> On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote:
> > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > > Hello.
> > > > > > 
> > > > > > I prepared LTS security update for leptonlib. Please review and 
> > > > > > upload.
> > > > > > You can find debdiff along with the mail.
> > > > > > link:
> > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > > 
> > > > > 
> > > > > Abhijith,
> > > > > 
> > > > > I have reviewed and uploaded the package. While you backported the
> > > > > upstream fix, I feel like their approach falls under item #2 of "The 
> > > > > Six
> > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > > > help but wonder if another vulnerability will be uncovered later that
> > > > > uses different characters that are not being checked.
> > > > 
> > > > I found one already: it filters out `command` but not $(command).
> > > > 
> > > > I'm afraid this library appears to have been written without any regard
> > > > for security, or even the existence of multiuser systems.
> > > > 
> > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > > > and I think there are more instances.
> > > > 
> > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > > > can still see:
> > > 
> > > [...]
> > > 
> > > I've re-added the package to dla-needed.txt for #889759 /
> > > CVE-2018-3836. Should a new CVE be issued for #885704?
> > 
> > I think additional CVEs are needed for:
> > 
> > 1. #890548
> 
> This one has CVE-2018-7186.
> 
> > 2. Incomplete fix for #889759 / CVE-2018-3836
> > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > there is a possibility of path traversal and arbitrary file overwrite
> > 4. #885704
> > 5. The remaining hardcoded paths in /tmp
> 
> Have you already requested CVEs for the other issues?

No I haven't.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought. ... I realized that a large part of my life from then on was
going to be spent in finding mistakes in my own programs. - Maurice
Wilkes, 1949




Re: upload leptonlib

2018-02-21 Thread Salvatore Bonaccorso
Hi Ben,

On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote:
> On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > Hello.
> > > > > 
> > > > > I prepared LTS security update for leptonlib. Please review and 
> > > > > upload.
> > > > > You can find debdiff along with the mail.
> > > > > link:
> > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > 
> > > > 
> > > > Abhijith,
> > > > 
> > > > I have reviewed and uploaded the package. While you backported the
> > > > upstream fix, I feel like their approach falls under item #2 of "The Six
> > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > > help but wonder if another vulnerability will be uncovered later that
> > > > uses different characters that are not being checked.
> > > 
> > > I found one already: it filters out `command` but not $(command).
> > > 
> > > I'm afraid this library appears to have been written without any regard
> > > for security, or even the existence of multiuser systems.
> > > 
> > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > > and I think there are more instances.
> > > 
> > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > > can still see:
> > 
> > [...]
> > 
> > I've re-added the package to dla-needed.txt for #889759 /
> > CVE-2018-3836. Should a new CVE be issued for #885704?
> 
> I think additional CVEs are needed for:
> 
> 1. #890548

This one has CVE-2018-7186.

> 2. Incomplete fix for #889759 / CVE-2018-3836
> 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> there is a possibility of path traversal and arbitrary file overwrite
> 4. #885704
> 5. The remaining hardcoded paths in /tmp

Have you already requested CVEs for the other issues?

Regards,
Salvatore



Re: upload leptonlib

2018-02-17 Thread Ben Hutchings
On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > Hello.
> > > > 
> > > > I prepared LTS security update for leptonlib. Please review and upload.
> > > > You can find debdiff along with the mail.
> > > > link:
> > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > 
> > > 
> > > Abhijith,
> > > 
> > > I have reviewed and uploaded the package. While you backported the
> > > upstream fix, I feel like their approach falls under item #2 of "The Six
> > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > help but wonder if another vulnerability will be uncovered later that
> > > uses different characters that are not being checked.
> > 
> > I found one already: it filters out `command` but not $(command).
> > 
> > I'm afraid this library appears to have been written without any regard
> > for security, or even the existence of multiuser systems.
> > 
> > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > and I think there are more instances.
> > 
> > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > can still see:
> 
> [...]
> 
> I've re-added the package to dla-needed.txt for #889759 /
> CVE-2018-3836. Should a new CVE be issued for #885704?

I think additional CVEs are needed for:

1. #890548
2. Incomplete fix for #889759 / CVE-2018-3836
3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
there is a possibility of path traversal and arbitrary file overwrite
4. #885704
5. The remaining hardcoded paths in /tmp

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of
them.




Re: upload leptonlib

2018-02-16 Thread Antoine Beaupré
On 2018-02-15 21:34:48, Ben Hutchings wrote:
> On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
>> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
>> > Hello.
>> > 
>> > I prepared LTS security update for leptonlib. Please review and upload.
>> > You can find debdiff along with the mail.
>> > link:
>> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
>> > 
>> 
>> Abhijith,
>> 
>> I have reviewed and uploaded the package. While you backported the
>> upstream fix, I feel like their approach falls under item #2 of "The Six
>> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
>> help but wonder if another vulnerability will be uncovered later that
>> uses different characters that are not being checked.
>
> I found one already: it filters out `command` but not $(command).
>
> I'm afraid this library appears to have been written without any regard
> for security, or even the existence of multiuser systems.
>
> Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> and I think there are more instances.
>
> Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> can still see:

[...]

I've re-added the package to dla-needed.txt for #889759 /
CVE-2018-3836. Should a new CVE be issued for #885704?

A.

-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with mine, then
let us work together. - Aboriginal activists group, Queensland, 1970s



Re: upload leptonlib

2018-02-15 Thread Ben Hutchings
On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > Hello.
> > 
> > I prepared LTS security update for leptonlib. Please review and upload.
> > You can find debdiff along with the mail.
> > link:
> > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > 
> 
> Abhijith,
> 
> I have reviewed and uploaded the package. While you backported the
> upstream fix, I feel like their approach falls under item #2 of "The Six
> Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> help but wonder if another vulnerability will be uncovered later that
> uses different characters that are not being checked.

I found one already: it filters out `command` but not $(command).

I'm afraid this library appears to have been written without any regard
for security, or even the existence of multiuser systems.

Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
and I think there are more instances.

Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
can still see:

$ strings /usr/bin/printsplitimage | grep ^/tmp/
/tmp/split
$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
/tmp/junk_split_image.ps
$ strings /usr/lib/x86_64-linux-gnu/liblept.so.5 | grep ^/tmp/
/tmp/lept/baseline/diff
/tmp/lept/baseline/diff.png
/tmp/lept/baseline/loc
/tmp/lept/baseline/loc.png
/tmp/lept/baseline/skew
/tmp/lept/baseline/baselines.png
/tmp/threshroot
/tmp/lept/plots/sides.%s
/tmp/lept/plots/sides.%d
/tmp/lept/plots/size.%s
/tmp/lept/plots/size.%d
/tmp/linfit/boxalr.ba
/tmp/linfit/boxatb.ba
/tmp/linfit/ptal.pta
/tmp/linfit/ptar.pta
/tmp/linfit/ptat.pta
/tmp/linfit/ptab.pta
/tmp/smooth/boxae.ba
/tmp/smooth/boxao.ba
/tmp/smooth/boxalfe.ba
/tmp/smooth/boxalfo.ba
/tmp/smooth/boxame.ba
/tmp/smooth/boxamo.ba
/tmp/smooth/boxamede.ba
/tmp/smooth/boxamedo.ba
...

Ben.

> In any event, once you receive the ACCEPT notice from the archive
> software you should be able to publish the DLA.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
  - Albert Einstein


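To make the "enumerating badness" point concrete, here is an added example (not Leptonica code and not part of this thread) contrasting a denylist filter of the kind criticised above, which strips backticks but lets `$(...)` and `/` through, with an allowlist check that admits only `[A-Za-z0-9._-]`. The function names and the character sets are assumptions chosen for illustration.

```c
/* Added example: denylist vs allowlist validation of a user-supplied
 * filename that a program later hands to a shell or uses as a path.
 * Names and character sets are illustrative, not Leptonica's. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Denylist in the spirit of the backported fix: rejects backticks and a
 * few shell metacharacters, but anything not on the list passes. In
 * particular "$(" and "/" are never looked at. */
bool denylist_ok(const char *name)
{
    return strpbrk(name, "`;&|<>") == NULL;
}

/* Allowlist: non-empty, at most 255 bytes, only [A-Za-z0-9._-], and not
 * starting with '-' (would parse as an option) or '.' (hidden file, ".."
 * traversal). Because '/' is not in the set, the name can never escape
 * the directory it is joined to. */
bool allowlist_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255 || name[0] == '-' || name[0] == '.')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;   /* rejects '/', '$', '(', space, ... */
    }
    return true;
}

int main(void)
{
    /* Constructed inputs: one benign name, one command substitution,
     * one relative path that would climb out of the target directory. */
    const char *samples[] = { "page1.tif", "a$(true).tif", "sub/../x.ps" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s denylist=%d allowlist=%d\n", samples[i],
               denylist_ok(samples[i]), allowlist_ok(samples[i]));
    return 0;
}
```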


Re: upload leptonlib

2018-02-14 Thread Roberto C. Sánchez
On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> Hello.
> 
> I prepared LTS security update for leptonlib. Please review and upload.
> You can find debdiff along with the mail.
> link:
> https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> 

Abhijith,

I have reviewed and uploaded the package. While you backported the
upstream fix, I feel like their approach falls under item #2 of "The Six
Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
help but wonder if another vulnerability will be uncovered later that
uses different characters that are not being checked.

In any event, once you receive the ACCEPT notice from the archive
software you should be able to publish the DLA.

Regards,

-Roberto

-- 
Roberto C. Sánchez