Author: gilbert-guest Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009) New Revision: 12708 Modified: data/CVE/list Log: beginning of embedded code copies triage (5 down 395 to go) Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-08-30 03:00:07 UTC (rev 12707) +++ data/CVE/list 2009-08-30 17:09:16 UTC (rev 12708) @@ -1286,6 +1286,7 @@ CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow ...) {DSA-1857-1} - camlimages 1:3.0.1-3 (medium; bug #540146) + - advi <not-affected> (affected code section not present in advi code copy of camlimages) CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...) - nilfs2-tools <not-affected> (dh_fixperms removes the setuid and setgid bits from all files) CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...) @@ -1303,6 +1304,8 @@ CVE-2009-XXXX [VLC: integer underflow in Real RTSP] - vlc 1.0.1-1 - mplayer <unfixed> + - xine-lib <unfixed> + NOTE: affected mplayer code copy present in xine-lib NOTE: Posting on full-disclosure contains details CVE-2009-2655 (mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP SP3 ...) NOT-FOR-US: Microsoft Internet Explorer 
@@ -1777,11 +1780,16 @@ - neon27 0.28.6-1 (medium; bug #542926) - neon26 <unfixed> (medium; bug #542926) - neon <removed> (medium; bug #542926) + - gnome-vfs2 <unfixed> + NOTE: affected neon code copy present in gnome-vfs2 [./imported/*] + - litmus <removed> + NOTE: affected neon code copy present in litmus [./libneon/*] CVE-2009-2473 (neon before 0.28.6, when expat is used, does not properly detect ...) - neon27 <not-affected> (neon27 is compiled to use libxml2 instead of expat) - neon26 <not-affected> (neon26 is compiled to use libxml2 instead of expat) - neon <removed> [etch] - neon <not-affected> (neon is compiled to use libxml2 instead of expat) + TODO: check whether gnome-vfs2 and litmus are also not-affected; do they also libxml2? CVE-2009-2472 (Mozilla Firefox before 3.0.12 does not always use ...) {DSA-1840-1} - xulrunner 1.9.0.12-1 @@ -1994,11 +2002,15 @@ NOT-FOR-US: Apple Safari CVE-2009-2419 (Use-after-free vulnerability in the servePendingRequests function in ...) - webkit 1.1.10-1 + - qt4-x11 <unfixed> + NOTE: affected embedded webkit code copy present in qt4-x11 [./src/3rdparty/webkit/WebCore/*] CVE-2009-2418 RESERVED CVE-2009-2417 (lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is ...) {DSA-1869-1} - curl 7.19.5-1.1 (medium; bug #541991) + - wget <unfixed> + TODO: check whether wget affected [src/openssl.c]; not an embed, but similar functionality CVE-2009-2416 (Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, ...) {DSA-1861-1 DSA-1859-1} - libxml2 2.7.3.dfsg-2.1 (low; bug #540865) 
@@ -2975,6 +2987,8 @@ - libpng 1.2.37-1 (low; bug #533676) [etch] - libpng <no-dsa> (Minor issue, only exploitable in rare setups) [lenny] - libpng <no-dsa> (Minor issue, only exploitable in rare setups) + - xulrunner <unfixed> + NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*] and possibly [./gfx/cairo/cairo/*] CVE-2009-2041 (Cross-site scripting (XSS) vulnerability in A51 D.O.O. activeCollab ...) NOT-FOR-US: activeCollab CVE-2009-2040 (admin/options.php in Grestul 1.2 does not properly restrict access, ...)
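Review bot: in the @@ -1303 hunk, xine-lib is marked `<unfixed>` while the NOTE under it only records that the mplayer code copy is present; presence of the copy does not establish that the affected routine is compiled into xine-lib or reachable from its RTSP handling. Either confirm that before using `<unfixed>` or record the open question as a TODO, as the wget entry later in this commit does, so the entry does not read as a confirmed vulnerability.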
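Review bot: the TODO added in the @@ -1777 hunk is missing its verb: `do they also libxml2?` should read `do they also use libxml2?`. In the same hunk gnome-vfs2 and litmus are entered as `<unfixed>` and `<removed>` with NOTEs saying only that the neon copy is present under `./imported/*` and `./libneon/*`; nothing here shows those directories are built, so note the pending compiled-in check next to each entry rather than leaving `<unfixed>` to stand on presence alone.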
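Review bot: in the @@ -1994 hunk, wget is given `<unfixed>` on the line directly above a TODO stating that it is still unknown whether wget is affected and that `src/openssl.c` is not an embed at all. `<unfixed>` asserts the package is vulnerable; keep only the TODO until the check is done and add the wget line with its real status afterwards. The qt4-x11 entry above it rests on the same presence-only basis (the NOTE says the webkit copy is present under `./src/3rdparty/webkit/WebCore/*`) and deserves the same check before `<unfixed>`.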
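Review bot: in the @@ -2975 hunk, xulrunner is marked `<unfixed>` on a NOTE that the libpng copy is present under `./modules/libimg/png/*` and `possibly` under `./gfx/cairo/cairo/*`. The word `possibly` already signals that the second location was not inspected, and neither location is shown to be compiled in rather than the package linking the system libpng. Check whether the copy is actually built before asserting `<unfixed>`, and drop `possibly` once the cairo directory has been looked at.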
Moritz Muehlenhoff
2009-Aug-30 17:57 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Sun, Aug 30, 2009 at 05:09:16PM +0000, Michael Gilbert wrote:
> Author: gilbert-guest
> Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> New Revision: 12708
>
> Modified:
> data/CVE/list
> Log:
> beginning of embedded code copies triage (5 down 395 to go)
>
> + - xulrunner <unfixed>
> + NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*] and possibly [./gfx/cairo/cairo/*]

You should check whether the code is actually compiled in. xulrunner links dynamically against libpng, so it is not affected.

There's no reason to track such embeddings in the security tracker, since it's very common that the source packages still contain the local code copies even if they're not used anymore.

Cheers,
Moritz
Michael S Gilbert
2009-Aug-30 18:22 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Sun, 30 Aug 2009 19:57:47 +0200 Moritz Muehlenhoff wrote:
> On Sun, Aug 30, 2009 at 05:09:16PM +0000, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > New Revision: 12708
> >
> > Modified:
> > data/CVE/list
> > Log:
> > beginning of embedded code copies triage (5 down 395 to go)
> >
> > + - xulrunner <unfixed>
> > + NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*] and possibly [./gfx/cairo/cairo/*]
>
> You should check whether the code is actually compiled in.
> xulrunner links dynamically against libpng, so it is not affected.
>
> There's no reason to track such embeddings in the security tracker,
> since it's very common that the source packages still contain the
> local code copies even if they're not used anymore.

actually, the state is somewhat uncertain for libpng. looking at embedded-code-copies, it says 'NOTE: Debian 1.9.0.6 uses embedded copy', '1.8.* us system libpng', and nowhere does it say the embed has been fixed, so i interpret that to mean that it is not yet done for 1.9.0.13. this, of course, could just be a mistake in that file. i will manually check on the situation, and update embedded-code-copies with the correct info. this triage will probably bring to light a lot of inconsistencies like this.

mike
Michael S Gilbert
2009-Aug-30 18:24 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Sun, 30 Aug 2009 19:57:47 +0200 Moritz Muehlenhoff wrote:
> On Sun, Aug 30, 2009 at 05:09:16PM +0000, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > New Revision: 12708
> >
> > Modified:
> > data/CVE/list
> > Log:
> > beginning of embedded code copies triage (5 down 395 to go)
> >
> > + - xulrunner <unfixed>
> > + NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*] and possibly [./gfx/cairo/cairo/*]
>
> You should check whether the code is actually compiled in.
> xulrunner links dynamically against libpng, so it is not affected.
>
> There's no reason to track such embeddings in the security tracker,
> since it's very common that the source packages still contain the
> local code copies even if they're not used anymore.

oh, and wouldn't a "complete" fix for an embedded code copy involve a patch that strips the embedded code from the debian source package?

maybe this isn't the current state of play, but we should probably push for this.

mike
Moritz Muehlenhoff
2009-Aug-30 19:40 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
> oh, and wouldn't a "complete" fix for an embedded code copy involve a
> patch that strips the embedded code from the debian source package?
>
> maybe this isn't the current state of play, but we should probably push
> for this.

Absolutely not, this is a very intrusive packaging step and only needed when dealing with non-distributable content.

Cheers,
Moritz
Michael S Gilbert
2009-Aug-30 20:31 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Sun, 30 Aug 2009 21:40:11 +0200 Moritz Muehlenhoff wrote:
> > oh, and wouldn't a "complete" fix for an embedded code copy involve a
> > patch that strips the embedded code from the debian source package?
> >
> > maybe this isn't the current state of play, but we should probably push
> > for this.
>
> Absolutely not, this is a very intrusive packaging step and only needed
> when dealing with non-distributable content.

i meant that the patch should minus ('-') out the embed, but leave the <source>.orig.tar.gz untouched. this makes it 100% certain that the embed is not happening; whereas, if the embed code remains, there is always the possibility of someone coming along and making a change that ends up using the embed code without realizing what they did (and more importantly probably not notifying anyone), and since the embed code is there, and their code works, it seems ok. minusing out the embedded code would make this impossible. it also makes it 100% clear which embeds have and have not been dealt with.

mike
Michael S Gilbert
2009-Aug-30 21:48 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Sun, 30 Aug 2009 19:57:47 +0200 Moritz Muehlenhoff wrote:
> On Sun, Aug 30, 2009 at 05:09:16PM +0000, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > New Revision: 12708
> >
> > Modified:
> > data/CVE/list
> > Log:
> > beginning of embedded code copies triage (5 down 395 to go)
> >
> > + - xulrunner <unfixed>
> > + NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*] and possibly [./gfx/cairo/cairo/*]
>
> You should check whether the code is actually compiled in.
> xulrunner links dynamically against libpng, so it is not affected.
>
> There's no reason to track such embeddings in the security tracker,
> since it's very common that the source packages still contain the
> local code copies even if they're not used anymore.

fyi, here is the output of ldd for xulrunner 1.9.0.13:

$ ldd /usr/lib/xulrunner-1.9.1/xulrunner-bin
        linux-vdso.so.1 => (0x00007fff6db23000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f745ae3f000)
        libxpcom.so => not found
        libxul.so => not found
        libplc4.so.0d => /usr/lib/libplc4.so.0d (0x00007f745ac3b000)
        libnspr4.so.0d => /usr/lib/libnspr4.so.0d (0x00007f745a9fe000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f745a6f0000)
        libc.so.6 => /lib/libc.so.6 (0x00007f745a39f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f745b05a000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f745a19b000)
        libm.so.6 => /lib/libm.so.6 (0x00007f7459f18000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007f7459cfe000)

it is thus evidently clear that xulrunner is *not* using the system copy of libpng, so my tracking is indeed correct.

mike
Giuseppe Iuculano
2009-Aug-30 22:01 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
Michael S Gilbert wrote:
> fyi, here is the output of ldd for xulrunner 1.9.0.13:
>
> $ ldd /usr/lib/xulrunner-1.9.1/xulrunner-bin

This is for xulrunner-1.9.1.

> libxul.so => not found

Try with /usr/lib/xulrunner-1.9/libxul.so

Cheers,
Giuseppe.
Nico Golde
2009-Aug-30 22:23 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
Hi,
* Michael Gilbert <gilbert-guest at alioth.debian.org> [2009-08-30 19:06]:
> Author: gilbert-guest
> Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> New Revision: 12708
>
> Modified:
> data/CVE/list
> Log:
> beginning of embedded code copies triage (5 down 395 to go)
>
> Modified: data/CVE/list
> ==================================================================
> --- data/CVE/list 2009-08-30 03:00:07 UTC (rev 12707)
> +++ data/CVE/list 2009-08-30 17:09:16 UTC (rev 12708)
> @@ -1286,6 +1286,7 @@
> CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow ...)
> {DSA-1857-1}
> - camlimages 1:3.0.1-3 (medium; bug #540146)
> + - advi <not-affected> (affected code section not present in advi code copy of camlimages)
> CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...)
> - nilfs2-tools <not-affected> (dh_fixperms removes the setuid and setgid bits from all files)
> CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...)
> @@ -1303,6 +1304,8 @@
> CVE-2009-XXXX [VLC: integer underflow in Real RTSP]
> - vlc 1.0.1-1
> - mplayer <unfixed>
> + - xine-lib <unfixed>
> + NOTE: affected mplayer code copy present in xine-lib

Did you only check if the code is present or also if it's used?

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Michael S Gilbert
2009-Aug-30 23:29 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Mon, 31 Aug 2009 00:01:08 +0200 Giuseppe Iuculano wrote:
> Michael S Gilbert wrote:
> > fyi, here is the output of ldd for xulrunner 1.9.0.13:
> >
> > $ ldd /usr/lib/xulrunner-1.9.1/xulrunner-bin
>
> This is for xulrunner-1.9.1.
>
> > libxul.so => not found
>
> Try with /usr/lib/xulrunner-1.9/libxul.so

thanks for the suggestion. this proves me wrong, the system libpng12 is correctly used.

mike
Michael S Gilbert
2009-Aug-30 23:36 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Mon, 31 Aug 2009 00:01:08 +0200 Giuseppe Iuculano wrote:
> Michael S Gilbert wrote:
> > fyi, here is the output of ldd for xulrunner 1.9.0.13:
> >
> > $ ldd /usr/lib/xulrunner-1.9.1/xulrunner-bin
>
> This is for xulrunner-1.9.1.
>
> > libxul.so => not found
>
> Try with /usr/lib/xulrunner-1.9/libxul.so

as i continue this triage, is an ldd output containing the correct library sufficient evidence to say that the embed is completely fixed? if so, this makes the work much more straightforward.

mike
Michael S Gilbert
2009-Aug-31 00:15 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Mon, 31 Aug 2009 00:23:00 +0200 Nico Golde wrote:
> Hi,
> * Michael Gilbert <gilbert-guest at alioth.debian.org> [2009-08-30 19:06]:
> > Author: gilbert-guest
> > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > New Revision: 12708
> >
> > Modified:
> > data/CVE/list
> > Log:
> > beginning of embedded code copies triage (5 down 395 to go)
> >
> > Modified: data/CVE/list
> > ==================================================================
> > --- data/CVE/list 2009-08-30 03:00:07 UTC (rev 12707)
> > +++ data/CVE/list 2009-08-30 17:09:16 UTC (rev 12708)
> > @@ -1286,6 +1286,7 @@
> > CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow ...)
> > {DSA-1857-1}
> > - camlimages 1:3.0.1-3 (medium; bug #540146)
> > + - advi <not-affected> (affected code section not present in advi code copy of camlimages)
> > CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...)
> > - nilfs2-tools <not-affected> (dh_fixperms removes the setuid and setgid bits from all files)
> > CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...)
> > @@ -1303,6 +1304,8 @@
> > CVE-2009-XXXX [VLC: integer underflow in Real RTSP]
> > - vlc 1.0.1-1
> > - mplayer <unfixed>
> > + - xine-lib <unfixed>
> > + NOTE: affected mplayer code copy present in xine-lib
>
> Did you only check if the code is present or also if it's
> used?

yes, i only checked that the embedded code is present. after further review of the full disclosure posting, it is clear that xine-lib is not affected because it has an additional check.

mike
Nico Golde
2009-Aug-31 01:07 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
Hi,
* Michael S Gilbert <michael.s.gilbert at gmail.com> [2009-08-31 01:37]:
> On Mon, 31 Aug 2009 00:01:08 +0200 Giuseppe Iuculano wrote:
>
> > Michael S Gilbert wrote:
> > > fyi, here is the output of ldd for xulrunner 1.9.0.13:
> > >
> > > $ ldd /usr/lib/xulrunner-1.9.1/xulrunner-bin
> >
> > This is for xulrunner-1.9.1.
> >
> > > libxul.so => not found
> >
> > Try with /usr/lib/xulrunner-1.9/libxul.so
>
> as i continue this triage, is an ldd output containing the correct
> library sufficient evidence to say that the embed is completely fixed?

I'd say no, maintainers are evil and there might be still the chance that parts are used from the copy, I think looking at the source is mandatory.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Nico Golde
2009-Aug-31 01:09 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
Hi,
* Michael S Gilbert <michael.s.gilbert at gmail.com> [2009-08-31 02:29]:
> On Mon, 31 Aug 2009 00:23:00 +0200 Nico Golde wrote:
>
> > * Michael Gilbert <gilbert-guest at alioth.debian.org> [2009-08-30 19:06]:
> > > Author: gilbert-guest
> > > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > > New Revision: 12708
> > >
> > > Modified:
> > > data/CVE/list
> > > Log:
> > > beginning of embedded code copies triage (5 down 395 to go)
> > >
> > > Modified: data/CVE/list
> > > ==================================================================
> > > --- data/CVE/list 2009-08-30 03:00:07 UTC (rev 12707)
> > > +++ data/CVE/list 2009-08-30 17:09:16 UTC (rev 12708)
> > > @@ -1286,6 +1286,7 @@
> > > CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow ...)
> > > {DSA-1857-1}
> > > - camlimages 1:3.0.1-3 (medium; bug #540146)
> > > + - advi <not-affected> (affected code section not present in advi code copy of camlimages)
> > > CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...)
> > > - nilfs2-tools <not-affected> (dh_fixperms removes the setuid and setgid bits from all files)
> > > CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...)
> > > @@ -1303,6 +1304,8 @@
> > > CVE-2009-XXXX [VLC: integer underflow in Real RTSP]
> > > - vlc 1.0.1-1
> > > - mplayer <unfixed>
> > > + - xine-lib <unfixed>
> > > + NOTE: affected mplayer code copy present in xine-lib
> >
> > Did you only check if the code is present or also if it's
> > used?
>
> yes, i only checked that the embedded code is present. after further
> review of the full disclosure posting, it is clear that xine-lib is not
> affected because it has additional an additional check.

I wasn't talking about this issue in specific, just noticed it in this commit. If you didn't do that yet please do so to avoid lots of false-positives and someone needs to do the work anyway.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Michael S Gilbert
2009-Aug-31 01:26 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Mon, 31 Aug 2009 03:09:02 +0200 Nico Golde wrote:
> Hi,
> * Michael S Gilbert <michael.s.gilbert at gmail.com> [2009-08-31 02:29]:
> > On Mon, 31 Aug 2009 00:23:00 +0200 Nico Golde wrote:
> >
> > > * Michael Gilbert <gilbert-guest at alioth.debian.org> [2009-08-30 19:06]:
> > > > Author: gilbert-guest
> > > > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > > > New Revision: 12708
> > > >
> > > > Modified:
> > > > data/CVE/list
> > > > Log:
> > > > beginning of embedded code copies triage (5 down 395 to go)
> > > >
> > > > Modified: data/CVE/list
> > > > ==================================================================
> > > > --- data/CVE/list 2009-08-30 03:00:07 UTC (rev 12707)
> > > > +++ data/CVE/list 2009-08-30 17:09:16 UTC (rev 12708)
> > > > @@ -1286,6 +1286,7 @@
> > > > CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow ...)
> > > > {DSA-1857-1}
> > > > - camlimages 1:3.0.1-3 (medium; bug #540146)
> > > > + - advi <not-affected> (affected code section not present in advi code copy of camlimages)
> > > > CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...)
> > > > - nilfs2-tools <not-affected> (dh_fixperms removes the setuid and setgid bits from all files)
> > > > CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...)
> > > > @@ -1303,6 +1304,8 @@
> > > > CVE-2009-XXXX [VLC: integer underflow in Real RTSP]
> > > > - vlc 1.0.1-1
> > > > - mplayer <unfixed>
> > > > + - xine-lib <unfixed>
> > > > + NOTE: affected mplayer code copy present in xine-lib
> > >
> > > Did you only check if the code is present or also if it's
> > > used?
> >
> > yes, i only checked that the embedded code is present. after further
> > review of the full disclosure posting, it is clear that xine-lib is not
> > affected because it has additional an additional check.
>
> I wasn't talking about this issue in specific, just noticed
> it in this commit. If you didn't do that yet please do so to
> avoid lots of false-positives and someone needs to do the
> work anyway.

if the affected code is present, isn't it almost always the case that it is actually used? the only situation where this isn't the case (that i can think of right now) is dead code, which the maintainer should probably be working with upstream to remove anyway.

would it be ok for me to add a 'TODO: <x> code copy present, check whether it is used' when i find that the code copy is in the package?

figuring out whether the affected code is present in these 400 instances is already quite an undertaking, and it will be significantly more work to parse all the make files to determine if that code gets built and gets called from somewhere. i would hope others may be willing/able to help out at that point?

mike
Nico Golde
2009-Aug-31 02:14 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
Hi,
* Michael S Gilbert <michael.s.gilbert at gmail.com> [2009-08-31 03:47]:
> On Mon, 31 Aug 2009 03:09:02 +0200 Nico Golde wrote:
> > * Michael S Gilbert <michael.s.gilbert at gmail.com> [2009-08-31 02:29]:
> > > On Mon, 31 Aug 2009 00:23:00 +0200 Nico Golde wrote:
> > >
> > > > * Michael Gilbert <gilbert-guest at alioth.debian.org> [2009-08-30 19:06]:
> > > > > Author: gilbert-guest
> > > > > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > > > > New Revision: 12708
> > > > >
> > > > > Modified:
> > > > > data/CVE/list
> > > > > Log:
> > > > > beginning of embedded code copies triage (5 down 395 to go)
> > > > >
> > > > > Modified: data/CVE/list
> > > > > ==================================================================
> > > > > --- data/CVE/list 2009-08-30 03:00:07 UTC (rev 12707)
> > > > > +++ data/CVE/list 2009-08-30 17:09:16 UTC (rev 12708)
> > > > > @@ -1286,6 +1286,7 @@
> > > > > CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow ...)
> > > > > {DSA-1857-1}
> > > > > - camlimages 1:3.0.1-3 (medium; bug #540146)
> > > > > + - advi <not-affected> (affected code section not present in advi code copy of camlimages)
> > > > > CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...)
> > > > > - nilfs2-tools <not-affected> (dh_fixperms removes the setuid and setgid bits from all files)
> > > > > CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...)
> > > > > @@ -1303,6 +1304,8 @@
> > > > > CVE-2009-XXXX [VLC: integer underflow in Real RTSP]
> > > > > - vlc 1.0.1-1
> > > > > - mplayer <unfixed>
> > > > > + - xine-lib <unfixed>
> > > > > + NOTE: affected mplayer code copy present in xine-lib
> > > >
> > > > Did you only check if the code is present or also if it's
> > > > used?
> > >
> > > yes, i only checked that the embedded code is present. after further
> > > review of the full disclosure posting, it is clear that xine-lib is not
> > > affected because it has additional an additional check.
> >
> > I wasn't talking about this issue in specific, just noticed
> > it in this commit. If you didn't do that yet please do so to
> > avoid lots of false-positives and someone needs to do the
> > work anyway.
>
> if the affected code is present, isn't it almost always the case that
> it is actually used? the only situation where this isn't the case (that
> i can think of right now) is dead code, which the maintainer should
> probably be working with upstream to remove anyway.

Yes unfortunately dead code is still a problem.

> would it be ok for me to add a 'TODO: <x> code copy present, check
> whether it is used' when i find that the code copy is in the package?

Yes sure

> figuring out whether the affected code is present in these 400
> instances is already quite an undertaking, and it will be significantly
> more work to parse all the make files to determine if that code gets
> built and gets called from somewhere. i would hope others may be
> willing/able to help out at that point?

That would be definitely good! At the moment I don't have that much time but I hope I can do more soon and maybe I'll join the fun.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Moritz Muehlenhoff
2009-Aug-31 18:25 UTC
[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE
On Sun, Aug 30, 2009 at 07:36:47PM -0400, Michael S Gilbert wrote:
> On Mon, 31 Aug 2009 00:01:08 +0200 Giuseppe Iuculano wrote:
>
> > Michael S Gilbert wrote:
> > > fyi, here is the output of ldd for xulrunner 1.9.0.13:
> > >
> > > $ ldd /usr/lib/xulrunner-1.9.1/xulrunner-bin
> >
> > This is for xulrunner-1.9.1.
> >
> > > libxul.so => not found
> >
> > Try with /usr/lib/xulrunner-1.9/libxul.so
>
> as i continue this triage, is an ldd output containing the correct
> library sufficient evidence to say that the embed is completely fixed?

Not necessarily, e.g. plugins which are dlopened at runtime.

Cheers,
Moritz
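The thread's open question, whether an ldd listing that shows the system library is enough to call an embedded copy dealt with, as an added example that is not part of this thread or of the Debian security tracker: the script reads an ELF object's DT_NEEDED entries (what ldd reports) and separately looks for symbols the object itself defines under the library's prefix (png_ for libpng), which exist only when the copy was compiled in. It goes beyond the thread in classifying an object as using the system library, an embedded copy, both or neither; it assumes little-endian ELF64, and `build_sample_elf` is a constructed, non-loadable sample input rather than a real package.

```python
"""Does this ELF object link the system copy of a library, or carry its own
compiled-in copy?  Added example for the triage discussed in this thread; not
code from the Debian security tracker.  Little-endian ELF64 only."""
import struct

SHN_UNDEF, DT_NEEDED, SHT_SYMTAB, SHT_DYNAMIC, SHT_DYNSYM = 0, 1, 2, 6, 11


def _cstr(data, pos):
    return data[pos:data.index(b"\0", pos)].decode("ascii", "replace")


def _sections(data):
    """(name, type, offset, size, link, entsize) for every section header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    shoff, _, _, _, _, shentsize, shnum, shstrndx = struct.unpack_from("<QIHHHHHH", data, 0x28)
    raw = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    names_at = raw[shstrndx][4]                # file offset of .shstrtab
    return [(_cstr(data, names_at + r[0]), r[1], r[4], r[5], r[6], r[9]) for r in raw]


def needed_libraries(data):
    """DT_NEEDED entries: exactly what ldd reports. Misses dlopen()ed plugins."""
    secs, needed = _sections(data), []
    for _, typ, off, size, link, entsize in secs:
        if typ == SHT_DYNAMIC:
            strtab = secs[link][2]             # .dynamic's sh_link is .dynstr
            for pos in range(off, off + size, entsize or 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NEEDED:
                    needed.append(_cstr(data, strtab + val))
    return needed


def defined_symbols(data, prefix):
    """Symbols DEFINED here whose name starts with prefix (png_ for libpng): the
    code was compiled in. A binary using the system library only has UNDEF png_*."""
    secs, found = _sections(data), set()
    for _, typ, off, size, link, entsize in secs:
        if typ in (SHT_SYMTAB, SHT_DYNSYM):
            strtab = secs[link][2]             # sh_link is the matching string table
            for pos in range(off, off + size, entsize or 24):
                st_name, _, _, shndx, _, _ = struct.unpack_from("<IBBHQQ", data, pos)
                name = _cstr(data, strtab + st_name)
                if shndx != SHN_UNDEF and name.startswith(prefix):
                    found.add(name)
    return sorted(found)


def classify(data, soname_fragment, prefix):
    """'system', 'embedded', 'both' (two copies loaded!) or 'neither'."""
    links = any(soname_fragment in n for n in needed_libraries(data))
    embeds = bool(defined_symbols(data, prefix))
    return {(True, False): "system", (False, True): "embedded",
            (True, True): "both"}.get((links, embeds), "neither")


def build_sample_elf(needed, defined):
    """Constructed sample input: a minimal, non-loadable ELF64 holding only
    .dynstr, .dynamic, .dynsym and .shstrtab, enough for the parsers above."""
    dynstr = b"\0"

    def add(s):                                # append to .dynstr, return its index
        nonlocal dynstr
        idx, dynstr = len(dynstr), dynstr + s.encode() + b"\0"
        return idx
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, add(n)) for n in needed) + bytes(16)
    sym = bytes(24) + b"".join(                # shndx=1: any non-UNDEF index = defined
        struct.pack("<IBBHQQ", add(s), 0x12, 0, 1, 0x1000, 0) for s in defined)
    shstr = b"\0.dynstr\0.dynamic\0.dynsym\0.shstrtab\0"
    body, hdrs = b"", [(0, 0, 0, 0, 0, 0)]     # index 0 is the mandatory null section
    for nm, typ, blob, link, ent in ((1, 3, dynstr, 0, 0), (9, SHT_DYNAMIC, dyn, 1, 16),
                                     (18, SHT_DYNSYM, sym, 1, 24), (26, 3, shstr, 0, 0)):
        hdrs.append((nm, typ, 64 + len(body), len(blob), link, ent))
        body += blob
    sh = b"".join(struct.pack("<IIQQQQIIQQ", n, t, 0, 0, o, s, l, 0, 1, e) for n, t, o, s, l, e in hdrs)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, len(hdrs), 4)
    return ehdr + body + sh
```

Run `classify(open(path, "rb").read(), "libpng", "png_")` over every shared object and plugin a package ships, not only the main executable, because a dlopen()ed plugin has its own DT_NEEDED list and symbol table that ldd on the main binary never shows.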