Author: gilbert-guest Date: 2009-05-11 01:17:17 +0000 (Mon, 11 May 2009) New Revision: 11870 Modified: data/CVE/list Log: CVE-2009-0754 has not yet been uploaded to stable (fix is currently in php5 git repo and pending upload) Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-05-11 01:01:39 UTC (rev 11869) +++ data/CVE/list 2009-05-11 01:17:17 UTC (rev 11870) @@ -2922,7 +2922,7 @@ CVE-2009-0754 (PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows ...) {DSA-1789-1} - php4 <removed> (low) - - php5 5.2.9.dfsg.1-1 (low; bug #523049) + - php5 <unfixed> (low; bug #523049) CVE-2008-6398 (sng_regress in SNG 1.0.2 allows local users to overwrite arbitrary ...) - sng 1.0.2-6 (bug #496407; unimportant) CVE-2008-6397 (rlatex in AlcoveBook sgml2x 1.0.0 allows local users to overwrite ...)
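Review bot: the php5 line for CVE-2009-0754 is taken from the concrete fixed version `- php5 5.2.9.dfsg.1-1 (low; bug #523049)` back to `- php5 <unfixed> (low; bug #523049)`, while the log message justifies it with a fix "not yet uploaded to stable"; a plain package line in data/CVE/list is not a stable-suite annotation, so the log should name the suite it actually means, and before regressing an entry from a fixed version to `<unfixed>` the fix should be confirmed absent from the 5.2.9.dfsg.1-1 source that was previously recorded as fixed (changelog and bug #523049 are the first places to look), rather than inferred from git notifications alone.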
On Mon, 11 May 2009 01:17:17 +0000 Michael Gilbert wrote:
> Author: gilbert-guest
> Date: 2009-05-11 01:17:17 +0000 (Mon, 11 May 2009)
> New Revision: 11870
>
> Modified:
> data/CVE/list
> Log:
> CVE-2009-0754 has not yet been uploaded to stable (fix is currently in php5 git repo and pending upload)

watch out for the typo: i meant to say "unstable," not "stable" in this commit message.
(I'm in a bad mood, sorry if this mail sounds too harsh)

Michael S. Gilbert wrote:
> On Mon, 11 May 2009 01:17:17 +0000 Michael Gilbert wrote:
>
>> Author: gilbert-guest
>> Date: 2009-05-11 01:17:17 +0000 (Mon, 11 May 2009)
>> New Revision: 11870
>>
>> Modified:
>> data/CVE/list
>> Log:
>> CVE-2009-0754 has not yet been uploaded to stable (fix is currently in
>> php5 git repo and pending upload)
>
> watch out for the typo: i meant to say "unstable," not "stable" in this
> commit message.

WTF?
This was fixed in 5.2.9 by *upstream*, and 5.2.9-2 is in unstable.
Do you mind checking what the git commit notifications are talking about before making such a change?

Thanks. And for the record, I always try to keep the php5 info up to date, since I'm on both teams.

Regards,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
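As an added example (not part of this thread and not the security tracker's own tooling), a small Python check that parses the data/CVE/list fragment from the r11869 to r11870 hunk and flags exactly the kind of edit under dispute here: a package entry going from a concrete fixed version to `<unfixed>`. The two regexes and the set of pseudo-states are my assumptions about the file format, and the sample input is constructed from the hunk.

```python
import re

# Constructed input: the two states of the CVE-2009-0754 entry shown in the
# r11869 -> r11870 hunk (tab-indented as in data/CVE/list).
BEFORE = """\
CVE-2009-0754 (PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows ...)
\t{DSA-1789-1}
\t- php4 <removed> (low)
\t- php5 5.2.9.dfsg.1-1 (low; bug #523049)
"""
AFTER = BEFORE.replace("php5 5.2.9.dfsg.1-1", "php5 <unfixed>")

# Assumed format: an entry header is "CVE-YYYY-NNNN (description)"; each
# package line is "- <source> <version-or-pseudo-state> (notes)".
HEAD_RE = re.compile(r"^(CVE-\d{4}-\d+)\b")
PKG_RE = re.compile(r"^\s*-\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$")
PSEUDO_STATES = {"<unfixed>", "<removed>", "<not-affected>", "<undetermined>"}


def parse_list(text):
    """Map each CVE id to {source package: (state, notes)}."""
    entries, current = {}, None
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            current = head.group(1)
            entries[current] = {}
            continue
        pkg = PKG_RE.match(line)
        if pkg and current is not None:
            name, state, notes = pkg.groups()
            entries[current][name] = (state, notes or "")
    return entries


def regressions(before, after):
    """List (cve, package, old, new) where a concrete fixed version was
    replaced by a pseudo-state such as <unfixed>; such edits deserve a
    second look against the version really in the archive."""
    old_entries = parse_list(before)
    found = []
    for cve, packages in parse_list(after).items():
        old_packages = old_entries.get(cve, {})
        for name, (state, _) in packages.items():
            old_state = old_packages.get(name, (None, ""))[0]
            if old_state and old_state not in PSEUDO_STATES and state in PSEUDO_STATES:
                found.append((cve, name, old_state, state))
    return found
```

Running `regressions(BEFORE, AFTER)` reports the php5 line of CVE-2009-0754 moving from 5.2.9.dfsg.1-1 to `<unfixed>`, which is the edit the reviewer asked to have checked against the archive first.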
On Tue, 12 May 2009 20:56:20 -0500, Raphael Geissert wrote:
> (I'm in a bad mood, sorry if this mail sounds too harsh)
>
> Michael S. Gilbert wrote:
>
> > On Mon, 11 May 2009 01:17:17 +0000 Michael Gilbert wrote:
> >
> >> Author: gilbert-guest
> >> Date: 2009-05-11 01:17:17 +0000 (Mon, 11 May 2009)
> >> New Revision: 11870
> >>
> >> Modified:
> >> data/CVE/list
> >> Log:
> >> CVE-2009-0754 has not yet been uploaded to stable (fix is currently in
> >> php5 git repo and pending upload)
> >
> > watch out for the typo: i meant to say "unstable," not "stable" in this
> > commit message.
>
> WTF?
> This was fixed in 5.2.9 by *upstream*, and 5.2.9-2 is in unstable.
> Do you mind checking what the git commit notifications are talking about
> before making such a change?

i apologize for the confusion. i interpreted [1],[2] as commits to the unstable version that happened after upload of 5.2.9.dfsg.1-2 to unstable, but now realize that they were actually commits to your etch/lenny branches. i also did not see mention of this CVE in your changelog or anywhere in the source:

$ grep -R 2009-0754 *

although now i have done a little more work and found that the patch is indeed present in 5.2.9.dfsg.1-2.

if an upstream version fixes a CVE, that fact is supposed to be in the debian changelog, correct?

> Thanks. And for the record, I always try to keep the php5 info up to date,
> since I'm on both teams.

do you want me to steer clear of anything related to php then? i didn't realize that certain aspects of the archive were claimed by specific individuals.

kind regards,
mike

[1] http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=2d73f5fcd24b0a2692beed4784ffc5e530bbe4ea
[2] http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=9917a8cb96dfa99d5af30cf4b1670edc81c669bd
Michael S. Gilbert wrote:
> On Tue, 12 May 2009 20:56:20 -0500, Raphael Geissert wrote:
>
> i apologize for the confusion. i interpreted [1],[2] as commits to the
> unstable version that happened after upload of 5.2.9.dfsg.1-2 to
> unstable, but now realize that they were actually commits to your
> etch/lenny branches. i also did not see mention of this CVE in your
> changelog or anywhere in the source:
>
> $ grep -R 2009-0754 *

I noticed the bug closer was not added to the changelog so I manually closed the report (and now that I think about it, I forgot to add it to the changelog for the -3 upload, will have to do it in the next round.)

>
> although now i have done a little more work and found that the patch
> is indeed present in 5.2.9.dfsg.1-2.
>
> if an upstream version fixes a CVE, that fact is supposed to be in the
> debian changelog, correct?

Yes, but you shouldn't trust maintainers, you should always check. Sadly, there have been cases where the patch was not really applied, shipped, or whatever.

>
>> Thanks. And for the record, I always try to keep the php5 info up to
>> date, since I'm on both teams.
>
> do you want me to steer clear of anything related to php then?

No, I didn't mean to say that. Asking you to do that would be adverse, and a risk.

> i
> didn't realize that certain aspects of the archive were claimed by
> specific individuals.
>

Regards,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
On Thu, 14 May 2009 16:17:11 -0500, Raphael Geissert wrote:
> Michael S. Gilbert wrote:
> > On Tue, 12 May 2009 20:56:20 -0500, Raphael Geissert wrote:
> >
> > i apologize for the confusion. i interpreted [1],[2] as commits to the
> > unstable version that happened after upload of 5.2.9.dfsg.1-2 to
> > unstable, but now realize that they were actually commits to your
> > etch/lenny branches. i also did not see mention of this CVE in your
> > changelog or anywhere in the source:
> >
> > $ grep -R 2009-0754 *
>
> I noticed the bug closer was not added to the changelog so I manually closed
> the report (and now that I think about it, I forgot to add it to the
> changelog for the -3 upload, will have to do it in the next round.)
>
> >
> > although now i have done a little more work and found that the patch
> > is indeed present in 5.2.9.dfsg.1-2.
> >
> > if an upstream version fixes a CVE, that fact is supposed to be in the
> > debian changelog, correct?
>
> Yes, but you shouldn't trust maintainers, you should always check. Sadly,
> there have been cases where the patch was not really applied, shipped, or
> whatever.

in an ideal world, we should be able to fully trust the maintainer; and also expect them to take full responsibility to address security issues in their packages. alas, the real world is rather not like this...

> >> Thanks. And for the record, I always try to keep the php5 info up to
> >> date, since I'm on both teams.
> >
> > do you want me to steer clear of anything related to php then?
>
> No, I didn't mean to say that. Asking you to do that would be adverse, and a
> risk.

ok, glad we've cleared this up. i'm trying to do a good job, and i'm getting better. there is a lot to learn, and there is a lot of potential for mistakes.

mike
hi everyone,

On Thu, May 14, 2009 at 01:58:05PM -0400, Michael S. Gilbert wrote:
> i apologize for the confusion. i interpreted [1],[2] as commits to the
> unstable version that happened after upload of 5.2.9.dfsg.1-2 to
> unstable, but now realize that they were actually commits to your
> etch/lenny branches. i also did not see mention of this CVE in your
> changelog or anywhere in the source:
>
> $ grep -R 2009-0754 *

it might clear up the confusion a bit to point out that 5.2.9.dfsg.1-1, which fixed this problem for testing/unstable, was uploaded on or around 24/03/2009, whereas the bug was reported afterwards on 07/04/2009. so there was no action on the part of the maintainers to "fix" this bug, we got it for free.

> if an upstream version fixes a CVE, that fact is supposed to be in the
> debian changelog, correct?

yes, assuming we know about it when we're preparing the new release. in this case i think that the bug should have been reported against php5/lenny (with a "found" added for the etch version), but it's pretty understandable that the relevant data was missed/overlooked, or not present at all as is often the case with php related security issues.

i hope this gives a bit of justification towards the individual bug reports approach i was advocating earlier, as it helps decrease the chances of stuff like this :)

i suppose i could also see an argument for making updates to the older changelog entries for posterity. personally though, i'm a fan of the append-only model for all but the gravest factual/spelling/encoding errors and omissions.

> > Thanks. And for the record, I always try to keep the php5 info up to date,
> > since I'm on both teams.
>
> do you want me to steer clear of anything related to php then? i
> didn't realize that certain aspects of the archive were claimed by
> specific individuals.

i can't speak for raphael but i appreciate any and all help. i just hope that if anything i say ever comes off as a bit... surly... that you take it with a grain of salt. dealing with upstream security issues in php is probably the shittiest task i have in debian :(

sean