Re: DLA link is broken

2018-11-06 Thread Hideki Yamane
On Tue, 6 Nov 2018 07:45:24 +0100
Salvatore Bonaccorso  wrote:
> Cf. #762255 and related bugs which added support for having the DLA's
> included both in security-tracker source field and on the website.
> Though this needs volunteers to actually import and translate the
> DLAs.

 translate DLAs?

 At DebConf18 Web BoF, we discussed translations; security advisories
 are not necessary to translate (since they are for administrators, not
 general users, and most of them follow the same pattern), and not before
 other pages.


-- 
Hideki Yamane 



External check

2018-11-06 Thread Security Tracker
CVE-2013-0642: missing from list
CVE-2013-0643: missing from list
CVE-2013-0644: missing from list
CVE-2013-0645: missing from list
CVE-2016-10729: TODO: check
CVE-2016-10730: TODO: check
CVE-2018-14667: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.



Re: Gaps in security coverage?

2018-11-06 Thread Paul Wise
On Wed, Nov 7, 2018 at 6:28 AM Moritz Mühlenhoff wrote:

> E.g. your specific example of busybox/CVE-2011-5325 is fixed in the
> upcoming stretch point release.

I noticed that this isn't reflected in the security tracker website
but it is in data/next-point-update.txt.

If anyone wants to get involved in enhancing the security tracker this
would probably be an ideal place to start.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Gaps in security coverage?

2018-11-06 Thread Moritz Mühlenhoff
John Goerzen  schrieb:

Hi John,

> So I recently started running debsecan on one of my boxes.

debsecan hasn't seen any feature work for about a decade and is
far too noisy to the point of being useless these days.

> It's a
> fairly barebones server install, uses unattended-upgrades and is fully
> up-to-date.  I expected a clean bill of health, but didn't get that.  I
> got pages and pages and pages of output.  Some of it (especially kernel
> related) I believe may be false positives, but not all.  Some of it
> simply isn't patched yet.

No distro backports everything, that would be outright insane :-)
As such there's no clean bill of health. We look at everything and if it's
important enough it gets fixed via security.debian.org and if not, via
point releases or not at all (there are plenty of cases where the tradeoff
of changing stable clearly balances towards not fixing stuff!)

E.g. your specific example of busybox/CVE-2011-5325 is fixed in the
upcoming stretch point release.

> Marked fixed in jessie

After introducing a regression 
(https://packages.qa.debian.org/b/busybox/news/20180803T045026Z.html)
which is a good example of the balance I mentioned above.

> 2) If so, what kinds of volunteering would be appreciated?

Sure! If you tell us what languages you feel comfortable backporting
security fixes in, I'm sure we can find you some tasks to work
on; best to reply to the team alias (t...@security.debian.org)
and we can pick it up from there.

Thanks,
Moritz



Re: Call for testing: Testers needed for ghostscript update

2018-11-06 Thread Davide Prina

On 06/11/2018 16:16, Salvatore Bonaccorso wrote:

> We plan to rebase ghostscript via stretch-security to 9.25 plus cherry
> picked security fixes which happened after that release.
>
> Packages are at
>
> https://people.debian.org/~carnil/tmp/ghostscript/


I'm using Buster, but I have downloaded
ghostscript_9.25~dfsg-0+deb9u1~1.gbpb6a7bd_amd64.deb
libgs9_9.25~dfsg-0+deb9u1~1.gbpb6a7bd_amd64.deb
libgs9-common_9.25~dfsg-0+deb9u1~1.gbpb6a7bd_all.deb

and installed them.


$ ghostscript a.pdf
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
Loading NimbusSans-Regular font from 
/usr/share/ghostscript/9.25/Resource/Font/NimbusSans-Regular... 4451500 
2921389 6492968 5150597 3 done.
Loading NimbusSans-Bold font from 
/usr/share/ghostscript/9.25/Resource/Font/NimbusSans-Bold... 4517612 
3103754 6513168 5168226 3 done.

>>showpage, press  to continue<<

XIO:  fatal IO error 0 (Success) on X server ":0"
  after 120 requests (120 known processed) with 0 events remaining.



$ gs Linux-Voice-Issue-001.pdf
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 116.
Page 1
>>showpage, press  to continue<<

XIO:  fatal IO error 0 (Success) on X server ":0"
  after 1244 requests (1244 known processed) with 0 events remaining.

This one is a multi-page PDF and it shows only the first.





I have opened gimp and exported a drawing as PDF; I tried to open it and I see the drawing.

$ gs /tmp/1/Senzanome.pdf
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
>>showpage, press  to continue<<

XIO:  fatal IO error 2 (No such file or directory) on X server ":0"
  after 84 requests (84 known processed) with 0 events remaining.




I have converted the drawing to ps
$ pdftops Senzanome.pdf

$ gs Senzanome.ps
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
>>showpage, press  to continue<<

XIO:  fatal IO error 2 (No such file or directory) on X server ":0"
  after 84 requests (84 known processed) with 0 events remaining.

I see the correct image in the PDF; I don't know what these 2 fatal
IO errors I get are. I have checked and I get the same fatal IO error with
the gs present in Buster.


Let me know if you want me to make more tests and what type of tests.

Ciao
Davide
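The interactive runs above stop at the showpage prompt and then die with an XIO error once the X connection goes away, so they only ever prove that page 1 rendered. For a security rebase like this one a tester usually wants a headless, repeatable check instead. The script below is an added example, not code from the thread or from the Debian ghostscript package: it drives gs in batch mode (no display, no prompt), renders every page to PNG, and compares the page count gs announces with the number of files it actually wrote. The file names in SAMPLE_PDFS are placeholders for whatever PDFs you test with.

```python
"""Headless check of a ghostscript build against a set of PDFs.

Added example (not from the thread or the Debian package): gs runs in
batch mode, so the interactive showpage prompt and the XIO errors from
the X server cannot occur, and every page is rendered, not just the first.
"""
import os
import re
import shutil
import subprocess
import tempfile

# gs prints this line before rendering; it tells us how many pages to expect.
PAGES_RE = re.compile(r"^Processing pages (\d+) through (\d+)\.$", re.MULTILINE)

# Placeholder inputs; replace with the PDFs you want to exercise.
SAMPLE_PDFS = ["a.pdf", "Linux-Voice-Issue-001.pdf"]


def gs_command(pdf, outdir, device="png16m", dpi=50):
    """Batch-mode gs invocation: no pauses, no prompts, restricted file access."""
    return [
        "gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dNOPROMPT",
        f"-sDEVICE={device}", f"-r{dpi}",
        f"-sOutputFile={os.path.join(outdir, 'page-%03d.png')}",
        pdf,
    ]


def expected_page_count(gs_stdout):
    """Parse 'Processing pages N through M.' from gs output; None if absent."""
    m = PAGES_RE.search(gs_stdout)
    if not m:
        return None
    first, last = int(m.group(1)), int(m.group(2))
    return last - first + 1


def render_headless(pdf, timeout=300):
    """Run gs on one PDF. Returns (exit_code, expected_pages, rendered_pages)."""
    outdir = tempfile.mkdtemp(prefix="gs-test-")
    try:
        proc = subprocess.run(
            gs_command(pdf, outdir), capture_output=True, text=True, timeout=timeout
        )
        rendered = len([n for n in os.listdir(outdir) if n.endswith(".png")])
        return proc.returncode, expected_page_count(proc.stdout), rendered
    finally:
        shutil.rmtree(outdir, ignore_errors=True)


def verdict(exit_code, expected, rendered):
    """'ok' only if gs exited cleanly and wrote one PNG per announced page."""
    if exit_code != 0:
        return "gs-failed"
    if expected is None or rendered != expected:
        return "page-count-mismatch"
    return "ok"


if __name__ == "__main__":
    if shutil.which("gs") is None:
        raise SystemExit("gs not on PATH; install the packages under test first")
    for pdf in SAMPLE_PDFS:
        if not os.path.exists(pdf):
            print(f"{pdf}: missing (placeholder path)")
            continue
        rc, exp, got = render_headless(pdf)
        print(f"{pdf}: {verdict(rc, exp, got)} (exit {rc}, expected {exp}, rendered {got})")
```

Running it once with the stretch gs and once with the candidate 9.25 packages gives a like-for-like comparison: a PDF that renders all 116 pages under one build and only some under the other is a regression worth reporting to the team, whereas an XIO error from an interactive session says nothing about the rasteriser.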



Re: Gaps in security coverage?

2018-11-06 Thread Davide Prina

On 06/11/2018 02:34, Paul Wise wrote:

> On Mon, Nov 5, 2018 at 10:29 PM John Goerzen wrote:
>
>> So I recently started running debsecan on one of my boxes.  It's a
>> fairly barebones server install, uses unattended-upgrades and is fully
>> up-to-date.  I expected a clean bill of health, but didn't get that.  I
>> got pages and pages and pages of output.  Some of it (especially kernel
>> related) I believe may be false positives, but not all.  Some of it
>> simply isn't patched yet.
>
> That has been the normal state of things since I started running
> debsecan many many years ago.


I'm not a security expert, but:
* security bugs are found daily
* security bugs are also found by people who don't work on the project,
and upstream can consider these bugs in different ways: lower security
bug; no security bug; no bug at all; ...
* a software without security bugs (or with fewer) is not intrinsically more
secure than one with a lot of security bugs... the first one may not be
checked for security bugs...
* a security bug in a software that you are using can also not impact
you; that depends on how you use that software and the system/network on
which it is installed

* ...

Ciao
Davide



Re: Bug#905332: debdiff

2018-11-06 Thread Salvatore Bonaccorso
Hi Ferenc,

On Tue, Nov 06, 2018 at 05:12:12PM +0100, Ferenc Wágner wrote:
> "Adam D. Barratt"  writes:
> 
> > On 2018-11-06 14:43, wf...@niif.hu wrote:
> >
> >> Dear Security Team, please consider yourselves notified and please
> >
> > debian-security@lists.debian.org is *not* a contact point for the
> > Security Team, it's a public discussion list.
> 
> Ah, thanks, Adam (https://security-team.debian.org/contact.html is
> pretty confusing in its current state).  I sent a pointer to
> t...@security.debian.org.

For reference: https://www.debian.org/security/faq#contact the above
is an attempt to try to centralize documentation and for now still
consists of our notes on what we want to write up.

I just added a note to the site.

Regards,
Salvatore



Re: Working as a team, let's take care of all problems

2018-11-06 Thread Eriberto
On Tue, 6 Nov 2018 at 09:41, Aleksey Kravchenko
 wrote:
>
> Hello,
>
> Status update on libpff.
>
> While I'm preparing the libpff package, I found it difficult to fix a lintian warning 
> on the libpff.3 manpage [1]. The root cause is multiple warnings coming 
> from man. The fix would require a very big rewrite of the manpage.  If 
> somebody is good with man syntax and can help, please step in.  I'm thinking 
> of just reporting this issue upstream.
>
> I will commit other fixes in the next days. So the next release will look much 
> better than the current package state.
>
> [1] 
> https://salsa.debian.org/pkg-security-team/libpff/blob/debian/master/manuals/libpff.3
>
>   Best regards,
>   Aleksey
>


Hi Aleksey,

I will try to help on some points.

1. The package fails to build from source (FTBFS) in a fresh jail (or
from the cowbuilder command) and shows the following message:


dh_auto_clean: Please use the third-party "pybuild" build system
instead of python-distutils
dh_auto_clean: This feature will be removed in compat 12.
Can't exec "pyversions": No such file or directory at
/usr/share/perl5/Debian/Debhelper/Buildsystem/python_distutils.pm line
124.
dh_auto_clean: failed to run pyversions
make: *** [debian/rules:8: clean] Error 2


I think that you need "python2-minimal | python-minimal" in the
Build-Depends field.

You should use debhelper (>=11) instead of debhelper-compat (=11) in the
Build-Depends field. If so, please create a debian/compat file too
(see other packages).

2. The package does not build twice with the debuild command. A list with
several files is shown on screen. You must delete the files that do
not exist in the original upstream source code (use debian/clean, # man
dh_clean) and ignore files being changed[1]. I attached two files:
clean and options. Please read these files carefully and try to
understand their purpose.

[1] https://www.debian.org/doc/manuals/maint-guide/dother.en.html#sourceopt

3. There are some lintian messages about spelling errors in
libpff.so.1.0.0 and pffexport. You can use grep to find these
spellings in the source code.

$ grep intialize * -sr

I attached a patch that will fix these errors. Note that the lintian
message "libpff1: spelling-error-in-binary
usr/lib/x86_64-linux-gnu/libpff.so.1.0.0 Nam Name" is a reference to:

libfwnt/libfwnt_locale_identifier.c: { 0x042a, "vi-VN", "Vietnamese,
Viet Nam" },

So it is a false positive and you can make a lintian override[2].

[2] https://www.debian.org/doc/manuals/maint-guide/dother.en.html#lintian

4. For the manpage errors (pffexport.1.gz, pffinfo.1.gz and
libpff.3.gz), you must edit manual/* files. Commonly, it is simple
work, don't worry. Try to understand each lintian message (after a
debuild, you can run '$ lintian -i' in the upstream place). In this
special case, the manpage was written using groff mdoc. In the most
common cases, groff is used (not groff mdoc). There are manpages for
mdoc and mdoc-samples ($ man mdoc).

I attached a patch to fix the manpages. There are some warnings that
can't be fixed (W: can't break line). In this special case, you can
make a lintian override with a previous commented line to explain the
problem.

"If somebody is good with man syntax and can help, please step in"

To make a manpage from zero (when needed) and understand the basics
of groff syntax, you can use txt2man. Follow the steps:

# apt-get install txt2man
$ cd /tmp
$ cp /usr/share/doc/txt2man/examples/mac-robber.txt .
$ cat mac-robber.txt
$ txt2man mac-robber.txt > mac-robber.1
$ cat mac-robber.1
$ man ./mac-robber.1
$ man txt2man

See a final and simple example inside debian/ in my package iwatch.

Cheers,

Eriberto


clean
Description: Binary data


options
Description: Binary data
Description: fix spelling errors in final binary
Author: Joao Eriberto Mota Filho 
Last-Update: 2018-11-06
--- libpff-20180714.orig/include/libpff/features.h
+++ libpff-20180714/include/libpff/features.h
@@ -32,7 +32,7 @@
 #define LIBPFF_HAVE_MULTI_THREAD_SUPPORT	1
 #endif
 
-#if defined( HAVE_LIBBFIO ) || ( !defined( WINAPI ) && 0 )
+#if defined( HAVE_LIBBFIO ) || ( !defined( WINAPI ) && 1 )
 #define LIBPFF_HAVE_BFIO			1
 #endif
 
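Review bot: the change from `&& 0` to `&& 1` in the `LIBPFF_HAVE_BFIO` condition is not a spelling correction, yet the DEP-3 header above describes the whole patch as "fix spelling errors in final binary". Enabling `LIBPFF_HAVE_BFIO` on every non-WINAPI build is a behaviour change and should live in its own patch with its own Description (and, if upstream generates features.h from a template at configure time, the edit belongs in that template); either split it out or drop it from this patch.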
--- libpff-20180714.orig/libbfio/libbfio_handle.c
+++ libpff-20180714/libbfio/libbfio_handle.c
@@ -159,7 +159,7 @@ int libbfio_handle_initialize(
 		 error,
 		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
 		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
-		 "%s: unable to intialize read/write lock.",
+		 "%s: unable to initialize read/write lock.",
 		 function );
 
 		goto on_error;
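Review bot: the correction of `intialize` is fine for the lintian tag, but the DEP-3 header carries no `Forwarded:` field; since this hunk touches the bundled libbfio copy and the identical string recurs in libbfio_pool.c below, record whether the typo has been reported upstream so the patch does not have to be carried in Debian indefinitely.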
--- libpff-20180714.orig/libbfio/libbfio_pool.c
+++ libpff-20180714/libbfio/libbfio_pool.c
@@ -158,7 +158,7 @@ int libbfio_pool_initialize(
 		 error,
 		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
 		 LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
-		 "%s: unable to intialize read/write lock.",
+		 "%s: unable to initialize read/write lock.",
 		 function );
 
 		goto on_error;
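Review bot: this is the same error-reporting boilerplate and the same typo as in libbfio_handle.c; rather than fixing only the spots lintian happened to flag, grep the whole tree for `intialize` (as the mail itself suggests) so the spelling-error-in-binary tag does not resurface from another `*_initialize` or `*_clone` function in the bundled libraries.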
@@ -396,7 +396,7 @@ int libbfio_pool_clone(
 		 error,
 		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
 		
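Point 3 of the mail above boils down to a triage decision per lintian spelling-error-in-binary tag: find the token in the source, then either fix it there (as the attached patch does for `intialize`) or, when it is part of a proper name such as "Viet Nam", write a commented lintian override. The script below is an added example, not code from the thread or from the libpff package: it parses lintian lines, greps a source tree for each flagged token, applies a small proper-noun heuristic, and emits override entries for the false positives. The two lintian lines and the two-file source tree are constructed here so it runs offline.

```python
"""Triage lintian spelling-error-in-binary hits against the source tree.

Added example (not from the thread or from libpff). The lintian lines and
the tiny source tree below are constructed to mirror the cases in the mail.
"""
import os
import re
import tempfile

LINTIAN_RE = re.compile(
    r"^[A-Z]: (?P<pkg>[\w.+-]+): spelling-error-in-binary "
    r"(?P<path>\S+) (?P<wrong>\S+) (?P<right>\S+)$"
)

# Constructed lintian output, modelled on the tags quoted in the mail.
SAMPLE_LINTIAN = """\
W: libpff1: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libpff.so.1.0.0 intialize initialize
W: libpff1: spelling-error-in-binary usr/lib/x86_64-linux-gnu/libpff.so.1.0.0 Nam Name
"""

# Constructed source files reproducing a real typo and a proper-noun hit.
SAMPLE_SOURCES = {
    "libbfio/libbfio_handle.c": '\t\t "%s: unable to intialize read/write lock.",\n',
    "libfwnt/libfwnt_locale_identifier.c":
        '\t{ 0x042a, "vi-VN", "Vietnamese, Viet Nam" },\n',
}


def parse_lintian(text):
    """Return (pkg, path, wrong, right) for every spelling-error-in-binary line."""
    hits = []
    for line in text.splitlines():
        m = LINTIAN_RE.match(line.strip())
        if m:
            hits.append((m["pkg"], m["path"], m["wrong"], m["right"]))
    return hits


def find_word(root, word, exts=(".c", ".h")):
    """Whole-word, case-sensitive grep of `word` over source files under root."""
    pattern = re.compile(r"(?<![A-Za-z_])" + re.escape(word) + r"(?![A-Za-z_])")
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if pattern.search(line):
                        found.append((os.path.relpath(full, root), lineno, line.rstrip("\n")))
    return found


def looks_like_proper_noun(line, word):
    """Heuristic: a capitalised token inside a string literal, preceded by
    another capitalised word ("Viet Nam"), is a name rather than a typo."""
    in_string = re.search(r'"[^"]*\b' + re.escape(word) + r'\b[^"]*"', line)
    preceded = re.search(r"[A-Z][a-z]+ " + re.escape(word) + r"\b", line)
    return bool(in_string and preceded and word[:1].isupper())


def triage(lintian_text, source_root):
    """Map (wrong, right) to (verdict, occurrences); verdict is one of
    'fix-source', 'override' or 'not-found'."""
    result = {}
    for _pkg, _path, wrong, right in parse_lintian(lintian_text):
        occ = find_word(source_root, wrong)
        if not occ:
            verdict = "not-found"
        elif all(looks_like_proper_noun(text, wrong) for _f, _n, text in occ):
            verdict = "override"
        else:
            verdict = "fix-source"
        result[(wrong, right)] = (verdict, occ)
    return result


def override_lines(lintian_text, verdicts):
    """Build lintian-overrides entries for the false positives, each preceded
    by an explanatory comment as the mail recommends."""
    out = []
    for pkg, path, wrong, right in parse_lintian(lintian_text):
        verdict, occ = verdicts[(wrong, right)]
        if verdict != "override":
            continue
        where = ", ".join(f"{f}:{n}" for f, n, _t in occ)
        out.append(f'# "{wrong}" is part of a proper name, see {where}')
        out.append(f"{pkg}: spelling-error-in-binary {path} {wrong} {right}")
    return out


def build_sample_tree():
    """Write the constructed sources into a temporary directory and return it."""
    root = tempfile.mkdtemp(prefix="libpff-triage-")
    for rel, content in SAMPLE_SOURCES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    verdicts = triage(SAMPLE_LINTIAN, root)
    for (wrong, right), (verdict, occ) in verdicts.items():
        print(f"{wrong} -> {right}: {verdict}")
        for f, n, text in occ:
            print(f"    {f}:{n}: {text.strip()}")
    print("\n".join(override_lines(SAMPLE_LINTIAN, verdicts)))
```

The heuristic is deliberately conservative: anything it cannot prove to be a name is reported as `fix-source` with file and line, so the maintainer reads the context before deciding, and only the clear false positives end up in debian/<pkg>.lintian-overrides with a comment explaining why.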

Re: Bug#905332: debdiff

2018-11-06 Thread Ferenc Wágner
"Adam D. Barratt"  writes:

> On 2018-11-06 14:43, wf...@niif.hu wrote:
>
>> Dear Security Team, please consider yourselves notified and please
>
> debian-security@lists.debian.org is *not* a contact point for the
> Security Team, it's a public discussion list.

Ah, thanks, Adam (https://security-team.debian.org/contact.html is
pretty confusing in its current state).  I sent a pointer to
t...@security.debian.org.
-- 
Regards,
Feri



Re: Bug#905332: debdiff

2018-11-06 Thread Adam D. Barratt

On 2018-11-06 14:43, wf...@niif.hu wrote:

> Dear Security Team, please consider yourselves notified and please

debian-security@lists.debian.org is *not* a contact point for the 
Security Team, it's a public discussion list.


Regards,

Adam



Call for testing: Testers needed for ghostscript update

2018-11-06 Thread Salvatore Bonaccorso
Hi
 
We plan to rebase ghostscript via stretch-security to 9.25 plus cherry
picked security fixes which happened after that release.
 
Tests so far were limited, and thus we need a certain amount of further
external testing before we can release an update.
 
Packages are at
 
https://people.debian.org/~carnil/tmp/ghostscript/
 
Please reply for both positive and negative test feedback directly to me
or/and including t...@security.debian.org .
 
Regards,
Salvatore


signature.asc
Description: PGP signature


Re: Bug#905332: debdiff

2018-11-06 Thread Ferenc Wágner
wagner.fer...@kifu.gov.hu (Ferenc Wágner) writes:

> Christian Fischer  writes:
>
>> On Fri, 03 Aug 2018 14:42:16 +0200 wf...@niif.hu (Ferenc Wágner) wrote:
>>
>>> Unfortunately the CVE hasn't arrived yet; I'll
>>> forward it to you once it does.  My acknowledgement mail is of
>>> subject "CVE Request 548000 for CVE ID Request" from
>>> cve-requ...@mitre.org (just for the record).
>>
>> have you received a CVE for this issue yet? Tried to look around in
>> various sources but wasn't able to identify a published CVE for this
>> issue yet.
>
> I haven't received a CVE for this issue, unfortunately.  My original
> request was deflected by Mitre saying that the Apache Software
> Foundation should issue this CVE.  However, the Apache webpage states
> that they issue IDs for undisclosed vulnerabilities only.  My three
> followup mails asking for clarification remained unanswered by Mitre.
>
> To add more bad news, according to http://santuario.apache.org/ the just
> released 2.0.2 fixes a very similar bug, which might mean another DoS; I
> couldn't investigate yet.  But if it does, we'll need yet another CVE
> for that.  I'm sending out some queries.

Shibboleth upstream confirmed that it's basically more of the same
issue: 
https://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/2018-November/005382.html
"I would suggest you just attach this to the same CVE as before and
update it to reflect the versions involved."

Dear Security Team, please consider yourselves notified and please
advise how we should track/handle this.  I'm looking into backporting
the fix to the stable version 1.7.3-4+deb9u1.
-- 
Regards,
Feri



Re: Gaps in security coverage?

2018-11-06 Thread Holger Levsen
On Tue, Nov 06, 2018 at 07:08:20PM +0800, Paul Wise wrote:
> Bug#908678: security-tracker - Breaks salsa.d.o
 
thank you.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


Re: Working as a team, let's take care of all problems

2018-11-06 Thread Aleksey Kravchenko
Hello,

Status update on libpff.

While I'm preparing the libpff package, I found it difficult to fix a lintian
warning on the libpff.3 manpage [1]. The root cause is multiple warnings
coming from man. The fix would require a very big rewrite of the
manpage.  If somebody is good with man syntax and can help, please step
in.  I'm thinking of just reporting this issue upstream.

I will commit other fixes in the next days. So the next release will look much
better than the current package state.

[1]
https://salsa.debian.org/pkg-security-team/libpff/blob/debian/master/manuals/libpff.3

  Best regards,
  Aleksey

On Thu, Oct 25, 2018 at 12:59 PM Aleksey Kravchenko 
wrote:

>
> On Thu, Oct 25, 2018 at 11:57 AM Raphael Hertzog 
> wrote:
>
>> > I suggest 'rebasing' two Raphael commits over the Imported package, as I've
>> > done in a fork [2]. To do this we need to overwrite the last two commits in
>> > the main repository.
>>
>> Neither of these is needed. You can just do a proper merge. You
>> run "gbp import-dsc" of 20120802-5.1 in a branch that contains the
>> 20120802-5 tag. Then you switch back to debian/master and you merge
>> your temporary branch.
>>
>> That's the correct solution that doesn't need history rewriting.
>>
> Ok, let's do it the right way.
>
>
>> You already have access to all pkg-security repositories. You can check by
>> yourself:
>> https://salsa.debian.org/pkg-security-team/libpff/project_members
>
> Oh! That's perfect :)
>
>   Thanks,
>   Aleksey
>


Re: DLA link is broken

2018-11-06 Thread Salvatore Bonaccorso
Hi,

On Tue, Nov 06, 2018 at 11:10:41AM +, Holger Levsen wrote:
> On Tue, Nov 06, 2018 at 07:45:24AM +0100, Salvatore Bonaccorso wrote:
> > >  DLA link is broken.
> > >  e.g. https://security-tracker.debian.org/tracker/DLA-1445-1 page
> > >  "Source  Debian LTS" points to 
> > > https://www.debian.org/security/2018/dla-1445
> > >  but there's no such page.
> > Cf. #762255 and related bugs which added support for having the DLA's
> > included both in security-tracker source field and on the website.
> 
> that bug and its clone are all closed.

Yes, for the "infrastructure" part, but that is an ongoing work by the
debian- team to import DSA's and translate them. The same holds
for DLAs (if volunteers are present).

> > Though this needs volunteers to actually import and translate the
> > DLAs.
> 
> import to where?
> 
> (i'll leave out translations for now...)

https://salsa.debian.org/webmaster-team/webwml/tree/master/english/security

Regards,
Salvatore



Re: DLA link is broken

2018-11-06 Thread Holger Levsen
On Tue, Nov 06, 2018 at 07:45:24AM +0100, Salvatore Bonaccorso wrote:
> >  DLA link is broken.
> >  e.g. https://security-tracker.debian.org/tracker/DLA-1445-1 page
> >  "SourceDebian LTS" points to 
> > https://www.debian.org/security/2018/dla-1445
> >  but there's no such page.
> Cf. #762255 and related bugs which added support for having the DLA's
> included both in security-tracker source field and on the website.

that bug and its clone are all closed.

> Though this needs volunteers to actually import and translate the
> DLAs.

import to where?

(i'll leave out translations for now...)


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


Re: Gaps in security coverage?

2018-11-06 Thread Paul Wise
On Tue, Nov 6, 2018 at 7:01 PM Holger Levsen wrote:

> is there a bug or wiki page describing the issues/requirements for that and
> what has been tried / the status?

Woops, I should have included that in the mail:

Bug#908678: security-tracker - Breaks salsa.d.o
https://bugs.debian.org/908678

--
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Gaps in security coverage?

2018-11-06 Thread Holger Levsen
On Tue, Nov 06, 2018 at 02:42:59PM +0800, Paul Wise wrote:
> Also, a much more important task is restructuring the git repo so that
> it doesn't cause responsiveness and resource usage issues with salsa.

is there a bug or wiki page describing the issues/requirements for that and
what has been tried / the status?

(I just cloned the tracker yesterday and could see the problem 'live'..)


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature