Moritz Muehlenhoff wrote:
> slash CAN-2002-1647
> - Maintainer doesn't consider possible disclosure of user account passwords
>   a security problem. It should be explained to him why this _is_ indeed
>   a (minor) security problem.

I tried and he ignored me with the comment that he's ignored others who
have tried to explain it to him. :-/

The fact that upstream apparently fixed it years ago and he's not even
updating the package is just weird.

> ssh CAN-2004-1653
> - This can be closed, it's known and documented SSH behaviour. Any objections?

I'd been waiting for Colin to close it as the ssh maintainer. No
objections though.

> openwebmail CAN-2005-0445
> - Fixed upstream and no maintainer reaction for six weeks. Given the fact that
>   another security issue is open for 2.5 months without reaction and 291478
>   describes the security state of the code as rather poor, this package should
>   be given up for adoption or removed from sid as well. It's currently not part
>   of Sarge, but there are still about 100 sid users in popcon alone who use the
>   vulnerable version.

You should contact the MIA handling guys for this I think.

> tftpd-hpa CAN-2004-1485
> - No maintainer reaction for seven weeks, but the proposed solution from Joey
>   seems correct.

I'll re-ping him, he's been responsive about non-security issues in the past.

> mozilla-firefox CAN-2005-0233
> - I guess we can mark this fixed for testing tracking purposes. Spoofing
>   is no longer possible with IDN disabled and the punycode representation
>   present. It's a problem implicit in Unicode representations. Konqueror fixed
>   this by allowing IDN only for TLDs that have an anti-scam policy on Unicode,
>   but that's not necessarily a better solution. Objections?

I've been leaving it open only because the firefox maintainer noted that he's
not fully happy with the fix. OTOH, we could just throw in a NOTE to that
effect.

> tnftp CAN-2004-1294
> - No maintainer reaction for 3.5 months. Someone prepared an updated package
>   of fixed upstream. Any DD willing to review and upload?

Also not in testing, probably due to this hole. I'd say let MIA know
about it, I don't know if I want to fix it if that ends up getting the
unmaintained package back into testing..

> lesstif1 CAN-2004-0914 and 0688 and 0687
> - MOTIF 1.2 support is no longer maintained upstream and it has already proven
>   to be difficult to support for this issue. Is it really a good idea to keep
>   support for lesstif1 for at least three more years (till Sarge, Sarge life
>   cycle, Sarge-oldstable)? Only about two dozen binary packages still depend on
>   lesstif1, mostly legacy X11 applications that haven't been touched by their
>   maintainers for years. I just tried to "port" xsol simply by changing
>   build-depends and it worked without problems. Maybe it's doable to fix the
>   few remaining packages and drop lesstif1 before Sarge freeze? Comments?

I count about 30 that use lesstif1. It surely wouldn't hurt to file bugs
on all of them but it seems likely some would need more than a rebuild
and without mass MMUing I doubt we'd get them all fixed for sarge.
Still, it's probably the most viable way to avoid these CANs. We could
bring this up on debian-release and see what the RMs think about the
idea.

-- 
see shy jo
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Status of unfixed security issues
Hi,
I just had a look at the unfixed issues older than two days and would like to
point your attention to some points:

smail CAN-2005-0893
- It's fixed for the upcoming version (to be released on 8th Apr at the latest)
  by preallocating the message strings.

slash CAN-2002-1647
- Maintainer doesn't consider possible disclosure of user account passwords
  a security problem. It should be explained to him why this _is_ indeed
  a (minor) security problem.

ssh CAN-2004-1653
- This can be closed, it's known and documented SSH behaviour. Any objections?

openwebmail CAN-2005-0445
- Fixed upstream and no maintainer reaction for six weeks. Given the fact that
  another security issue is open for 2.5 months without reaction and 291478
  describes the security state of the code as rather poor, this package should
  be given up for adoption or removed from sid as well. It's currently not part
  of Sarge, but there are still about 100 sid users in popcon alone who use the
  vulnerable version.

imagemagick CAN-2005-0406
- This requires more than a few one-liners to fix, but it doesn't seem as if it
  has reached upstream's attention yet. There's nothing on -dev or -bugs.
  Someone should write up a summary and a proposal to fix this for upstream.

wget CAN-2004-1488 and 1487
- IIRC upstream was working on the fixes, which were rather massive. As there's
  a recent wget-cvs in experimental it should be checked whether these issues
  are addressed in that version.

tftpd-hpa CAN-2004-1485
- No maintainer reaction for seven weeks, but the proposed solution from Joey
  seems correct.

mozilla-firefox CAN-2005-0233
- I guess we can mark this fixed for testing tracking purposes. Spoofing
  is no longer possible with IDN disabled and the punycode representation
  present. It's a problem implicit in Unicode representations. Konqueror fixed
  this by allowing IDN only for TLDs that have an anti-scam policy on Unicode,
  but that's not necessarily a better solution. Objections?

tnftp CAN-2004-1294
- No maintainer reaction for 3.5 months. Someone prepared an updated package
  of fixed upstream. Any DD willing to review and upload?

lesstif1 CAN-2004-0914 and 0688 and 0687
- MOTIF 1.2 support is no longer maintained upstream and it has already proven
  to be difficult to support for this issue. Is it really a good idea to keep
  support for lesstif1 for at least three more years (till Sarge, Sarge life
  cycle, Sarge-oldstable)? Only about two dozen binary packages still depend on
  lesstif1, mostly legacy X11 applications that haven't been touched by their
  maintainers for years. I just tried to "port" xsol simply by changing
  build-depends and it worked without problems. Maybe it's doable to fix the
  few remaining packages and drop lesstif1 before Sarge freeze? Comments?

Cheers,
Moritz
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Status of unfixed security issues
Joey Hess wrote:
> > slash CAN-2002-1647
> > - Maintainer doesn't consider possible disclosure of user account passwords
> >   a security problem. It should be explained to him why this _is_ indeed
> >   a (minor) security problem.
>
> I tried and he ignored me with the comment that he's ignored others who
> have tried to explain it to him. :-/
>
> The fact that upstream apparently fixed it years ago and he's not even
> updating the package is just weird.

The latest stable slash release still seems to be 2.2.6, as shipped in Debian.
Maybe it's more convincing with a patch from upstream?

> > ssh CAN-2004-1653
> > - This can be closed, it's known and documented SSH behaviour. Any objections?
>
> I'd been waiting for Colin to close it as the ssh maintainer. No
> objections though.

Ok, I've removed it from the list of unfixed bugs and we can leave it to Colin
to close the bug itself.

> > tnftp CAN-2004-1294
> > - No maintainer reaction for 3.5 months. Someone prepared an updated package
> >   of fixed upstream. Any DD willing to review and upload?
>
> Also not in testing, probably due to this hole. I'd say let MIA know
> about it, I don't know if I want to fix it if that ends up getting the
> unmaintained package back into testing..

Well yes, that's probably for the best. The maintainer is not MIA, probably
just overloaded with more important packages like Mozilla.

> I count about 30 that use lesstif1. It surely wouldn't hurt to file bugs
> on all of them but it seems likely some would need more than a rebuild
> and without mass MMUing I doubt we'd get them all fixed for sarge.
> Still, it's probably the most viable way to avoid these CANs. We could
> bring this up on debian-release and see what the RMs think about the
> idea.

Yes, that sounds like a plan. But before this is done the situation should be
evaluated further wrt affected src packages, their interdependencies and a
deeper look at the MOTIF documentation. I can do this, but I'm busy until
Friday.

Cheers,
Moritz
Andrew Pollock
2006-Mar-13 12:28 UTC
[Secure-testing-team] Status of unfixed security issues
On Tue, Apr 05, 2005 at 06:15:45PM -0400, Joey Hess wrote:
> > openwebmail CAN-2005-0445
> > - Fixed upstream and no maintainer reaction for six weeks. Given the fact that
> >   another security issue is open for 2.5 months without reaction and 291478
> >   describes the security state of the code as rather poor, this package should
> >   be given up for adoption or removed from sid as well. It's currently not part
> >   of Sarge, but there are still about 100 sid users in popcon alone who use the
> >   vulnerable version.
>
> You should contact the MIA handling guys for this I think.
>

openwebmail is already orphaned. I'll be making a QA upload once it hits the
14 day mark.

If the attached patch applies, I'll apply it as part of the QA upload.

regards

Andrew
Andrew Pollock
2006-Mar-13 12:28 UTC
[Secure-testing-team] Status of unfixed security issues
On Wed, Apr 06, 2005 at 08:54:34AM +1000, Andrew Pollock wrote:
> On Tue, Apr 05, 2005 at 06:15:45PM -0400, Joey Hess wrote:
> > > openwebmail CAN-2005-0445
> > > - Fixed upstream and no maintainer reaction for six weeks. Given the fact that
> > >   another security issue is open for 2.5 months without reaction and 291478
> > >   describes the security state of the code as rather poor, this package should
> > >   be given up for adoption or removed from sid as well. It's currently not part
> > >   of Sarge, but there are still about 100 sid users in popcon alone who use the
> > >   vulnerable version.
> >
> > You should contact the MIA handling guys for this I think.
> >
>
> openwebmail is already orphaned. I'll be making a QA upload once it hits the
> 14 day mark.
>
> If the attached patch applies, I'll apply it as part of the QA upload.
>

That said, I've read the bug, and apparently the patch doesn't fully address
the issues in the bug. I'm inclined to lean towards reassigning the WNPP bug
to ftp.debian.org and request its removal.

regards

Andrew
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Status of unfixed security issues
Andrew Pollock wrote:
> > > You should contact the MIA handling guys for this I think.
> >
> > openwebmail is already orphaned. I'll be making a QA upload once it hits the
> > 14 day mark.
> >
> > If the attached patch applies, I'll apply it as part of the QA upload.
>
> That said, I've read the bug, and apparently the patch doesn't fully address
> the issues in the bug. I'm inclined to lean towards reassigning the WNPP bug
> to ftp.debian.org and request its removal.

There are actually four security related bugs:

290848 - openwebmail chowns all perl scripts to suid root in the postinst!
297914 - openwebmail uses suidperl instead of perl (upstream documentation
         seems to imply that it's mandatory, though)
291478 - insecure tempfile handling (maybe fixed upstream according to
         changelog, but I'm not sure how complete
295756 - Cross Site Scripting issue CAN-2005-0445

But I just saw in 297919 that Peter Gervai offered to NMU with a more recent
version, maybe he's interested in adopting and preparing a decent package.
Otherwise the removal from sid seems the best solution.

Cheers,
Moritz