So I've noticed that we are all avoiding some particularly hard TODO items, and I was thinking about how we can tackle these. Specifically there are 6 of these that seem pretty vague, mostly because they potentially cover a number of packages and we don't know what those packages are. All of these are somewhat similar in their broad applicability (and probably each of us has responded to them in the same way, "uff!"):

  TODO: see if anything in debian uses X.400 and is vulnerable.
  TODO: see if anything else in debian uses S/MIME and is vulnerable.
  TODO: check wget, ftp, ncftp, etc.
  TODO: check Debian mailscanners, if any.
  TODO: check all softwares that modifies JPEG images in Debian...
  TODO: other packages containing libtiff code may be vulnerable (kfax?)

I was thinking that one way to try and grapple with these is to make a post to debian-devel asking for a brainstorm on what packages contain X.400, S/MIME, modify JPEG images, contain libtiff, etc. and see if we can come up with a list of packages to look at. I don't know if this will get us the complete list of all possible packages, but it is a much better way of coming up with a list than me or you coming up with the list, or even all of us here working together to devise it.

What do people think?

Here are the specific CANs:

CAN-2003-0565 (Multiple vulnerabilities in multiple vendor implementations of the ...)
  NOTE: affects many implementations of the X.400 protocol
  TODO: see if anything in debian uses X.400 and is vulnerable.
CAN-2003-0564 (Multiple vulnerabilities in multiple vendor implementations of the ...)
  NOTE: affects multiple S/MIME implementations
  NOTE: checked current mozilla, which contains safe NSS 3.9.1
  - mozilla 2:1.7.3
  TODO: see if anything else in debian uses S/MIME and is vulnerable.
CAN-2002-1345 (Directory traversal vulnerabilities in multiple FTP clients on UNIX ...)
  NOTE: multiple ftp client issues
  TODO: check wget, ftp, ncftp, etc.
CAN-2002-1121 (SMTP content filter engines, including (1) GFI MailSecurity for ...)
  NOTE: Some SMTP mailscanners can be bypassed by fragmenting
  NOTE: messages.
  TODO: check Debian mailscanners, if any.
CAN-2005-0406 (A design flaw in image processing software that modifies JPEG images ...)
  TODO: check all softwares that modifies JPEG images in Debian...
CAN-2004-1308 (Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff ...)
  {DSA-617-1}
  - libtiff4 3.6.1-4
  TODO: other packages containing libtiff code may be vulnerable (kfax?)
Micah Anderson wrote:
> Here is the email that I prepared to ask for help, please review to
> see if there are things missing, should be taken out, or changed. I
> tried to make it fun so people would read it, but maybe it crosses a
> line I am not aware of.
>
> I was thinking of sending this to debian-devel, but perhaps it should
> also be sent to debian-security.

I had been thinking about posting some kind of "bits from the testing security" team message (to -devel-announce), and I think you kinda just wrote that message.

> I also need to figure out if people should send their suggestions to
> secure-testing-team@lists.alioth.debian.org, or should the discussion
> happen organically on the lists and then we can just collate any stray
> information from there?

If it goes to -devel-announce, then -devel is probably the natural place for followups. Asking people to post to a list they don't read can be problematic.

> 3. What packages modify JPEG images (CAN-2005-0406)[7]?

Might be better to limit this to which ones do not modify the EXIF thumbnail. Otherwise it invites many redundant emails of "imagemagick and the gimp".

Hmm, if we could make a jpeg with an interesting and unique EXIF thumbnail, it would be easy for people to test this in many apps. I don't know how to do that however..

> Glad you asked! Any Debian developers with an interest in
> participating are welcome to join the team, and we also welcome others
> who have the skills and desire to help us. The team can be contacted
> through its mailing list[12]. There is a second mailing
> list[13] that receives commit messages to our repository. An alioth
> project page[1] is also available. Have a read of this message[14] if
> you are interested in participating, the details are there about how
> to start helping check CANs on a regular basis.

Might also link to http://secure-testing.alioth.debian.org/ ?

-- 
see shy jo
Here is the email that I prepared to ask for help, please review to see if there are things missing, should be taken out, or changed. I tried to make it fun so people would read it, but maybe it crosses a line I am not aware of.

I was thinking of sending this to debian-devel, but perhaps it should also be sent to debian-security.

I also need to figure out if people should send their suggestions to secure-testing-team@lists.alioth.debian.org, or should the discussion happen organically on the lists and then we can just collate any stray information from there?

Thoughts?


Hello,

The Debian Testing Security Team[1] is in need of the larger community's brain to help identify some difficult sarge security problems that are sticking points in getting ready for release.

Contents of this message:

  Intro
  Background information
  How can I leverage my powerful brain to help sarge release?
  Let the games begin!
  This is fun, how else can I help?
  What do I win? huh? Huh?!

Background information
----------------------

The first thing the Debian Testing Security Team did was to check all security holes since the release of Debian 3.0 to ensure that all the holes are fixed in Sarge. Now that this has finished, we are busy checking to make sure that security problems that have already been fixed in unstable and stable do not continue to affect testing, as well as dealing with new holes as they are made known.

Every day we get an updated list of Mitre's comprehensive list of known security problems, known affectionately as CAN numbers[2]. We go through old CANs as well as these new CANs and check changelogs, advisories, test proof-of-concepts, whatever is needed to confidently determine whether sarge is vulnerable or not. We then record our findings in our file and file bugs, write patches, do NMUs as necessary, track fixed packages and work with the Debian Release Managers to make sure fixes reach testing quickly.

The result of this is the web page[2] which shows how many holes are unfixed (that we know of) in testing, as well as indicates how many unprocessed TODO items are still remaining for us to process.[4]

How can I leverage my powerful brain to help sarge release?
-----------------------------------------------------------

I'm glad you asked! Your brain is much bigger than our individual brains, so we need the collective help of everyone to brainstorm solutions to some difficult remaining CANs. There are a few CANs that are pretty vague in their broad applicability, they potentially cover a number of packages and we need help figuring out which packages those would be. Bonus points if you can tell us if the package is affected by its associated CAN, extra bonus points if you tell us the bug number that you filed to alert the package maintainer of the security hole, tagged it security and added a patch (if you can, you'll still get bonus points if you don't have the patch).

So without further ado, here they are, if you have any information that can help us, please send it to ???

Let the games begin!
--------------------

1. What packages contain X.400 (CAN-2003-0565)[5]?
2. What packages contain S/MIME besides mozilla, because the current version (mozilla 2:1.7.3) contains safe NSS 3.9.1 (CAN-2003-0564)[6]?
3. What packages modify JPEG images (CAN-2005-0406)[7]?
4. What packages contain libtiff code, besides libtiff4 3.6.1-4 which is not affected due to DSA-617-1? (CAN-2004-1308)[8]?
5. What ftp programs are affected by directory traversal vulnerabilities (CAN-2002-1345)[9]?
6. What packages in Debian are SMTP mailscanners that can be potentially bypassed by fragmenting messages (CAN-2002-1121)[10].
7. Is our xpdf vulnerable to CAN-2005-0206[11]?

This is fun, how else can I help?
---------------------------------

Glad you asked! Any Debian developers with an interest in participating are welcome to join the team, and we also welcome others who have the skills and desire to help us. The team can be contacted through its mailing list[12]. There is a second mailing list[13] that receives commit messages to our repository. An alioth project page[1] is also available. Have a read of this message[14] if you are interested in participating, the details are there about how to start helping check CANs on a regular basis.

What do I win? huh? Huh?!
-------------------------

You get a random little sticker that says either:

  "I donated to Sarge today!"
or
  "What did YOU do to help Sarge release today?"
or
  "Ask me why Sarge hasn't released yet!"
or
  "What are you lookin' at? I'm part of the solution!"

Ok, just kidding, but you also get our gratitude, these are annoying and difficult.

Thanks.

[1] http://secure-testing.alioth.debian.org/
[2] http://cve.mitre.org/cve/candidates/downloads/full-can.html
[3] http://merkel.debian.org/~joeyh/testing-security.html
[4] An alternate page tracks archive changes more quickly, but may be inaccurate due to bugs in madison on newraff is here: http://newraff.debian.org/~joeyh/testing-security.html
[5] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0565
[6] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0564
[7] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0406
[8] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308
[9] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1345
[10] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1121
[11] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0206
[12] http://secure-testing.alioth.debian.org/secure-testing-team@lists.alioth.debian.org
[13] http://secure-testing.alioth.debian.org/secure-testing-commits@lists.alioth.debian.org
[14] http://lists.debian.org/debian-security/2004/10/msg00166.html
On Wed, 02 Mar 2005, Joey Hess wrote:
> Micah Anderson wrote:
> > Here is the email that I prepared to ask for help, please review to
> > see if there are things missing, should be taken out, or changed. I
> > tried to make it fun so people would read it, but maybe it crosses a
> > line I am not aware of.
> >
> > I was thinking of sending this to debian-devel, but perhaps it should
> > also be sent to debian-security.
>
> I had been thinking about posting some kind of "bits from the testing
> security" team message (to -devel-announce), and I think you kinda just
> wrote that message.

In writing this, I just sort of did a mashup of the alioth page, and a couple emails that you'd sent out in order to get a quick overview of what I was talking about so people would understand what we were asking for. Because of this, I don't feel like it is all that new of information, except for the queries for help, so I am not so sure it fits for giving an update to our progress... but then again I am not sure what you had in mind. If you want to just modify what I sent out and make a "bits from the testing security team" message, by all means do so, I have no ego involved with this message, so it can be cut up, changed, modified or sent as someone else, whatever may be appropriate.

> > I also need to figure out if people should send their suggestions to
> > secure-testing-team@lists.alioth.debian.org, or should the discussion
> > happen organically on the lists and then we can just collate any stray
> > information from there?
>
> If it goes to -devel-announce, then -devel is probably the natural place
> for followups. Asking people to post to a list they don't read can be
> problematic.

I agree.

> > 3. What packages modify JPEG images (CAN-2005-0406)[7]?
>
> Might be better to limit this to which ones do not modify the EXIF
> thumbnail. Otherwise it invites many redundant emails of "imagemagick
> and the gimp".
>
> Hmm, if we could make a jpeg with an interesting and unique EXIF
> thumbnail, it would be easy for people to test this in many apps. I
> don't know how to do that however..

Yeah, I have no clue about this either... I was hoping that if replies/follow-ups were sent to debian-devel then people would/should read other people's responses before they contributed their "gimp" message. I assume that we'll have a certain amount of cruft to cut away, but having extra is much better than having none, which we have now.

> > Glad you asked! Any Debian developers with an interest in
> > participating are welcome to join the team, and we also welcome others
> > who have the skills and desire to help us. The team can be contacted
> > through its mailing list[12]. There is a second mailing
> > list[13] that receives commit messages to our repository. An alioth
> > project page[1] is also available. Have a read of this message[14] if
> > you are interested in participating, the details are there about how
> > to start helping check CANs on a regular basis.
>
> Might also link to http://secure-testing.alioth.debian.org/ ?

The first link reference was just that: "An alioth project page[1] is also available..."

[1] http://secure-testing.alioth.debian.org/
Micah Anderson wrote:
> I was thinking that one way to try and grapple with these is to make a
> post to debian-devel asking for a brainstorm on what packages contain
> X.400, S/MIME, modify JPEG images, contain libtiff, etc. and see if we
> can come up with a list of packages to look at. I don't know if this
> will get us the complete list of all possible packages, but it is a
> much better way of coming up with a list than me or you coming up with
> the list, or even all of us here working together to devise it.
>
> What do people think?

It's a good idea. At some point it does become more a security audit type of thing, and I wonder if the people who are doing debian security audits would be interested in looking at these.

BTW, another CAN that I have been finding hard to check for some reason is CAN-2005-0206.

-- 
see shy jo
Hi,

On Friday 04 March 2005 01:39, Micah Anderson wrote:
> > > 3. What packages modify JPEG images (CAN-2005-0406)[7]?
> >
> > Might be better to limit this to which ones do not modify the
> > EXIF thumbnail. Otherwise it invites many redundant emails of
> > "imagemagick and the gimp".
> >
> > Hmm, if we could make a jpeg with an interesting and unique EXIF
> > thumbnail, it would be easy for people to test this in many apps.
> > I don't know how to do that however..
>
> Yeah, I have no clue about this either... I was hoping that if
> replies/follow-ups were sent to debian-devel then people
> would/should read other people's responses before they contributed
> their "gimp" message. I assume that we'll have a certain amount of
> cruft to cut away, but having extra is much better than having
> none, which we have now.

I have created a jpg [1] with a Debian logo where the thumbnail contains a green swirl instead of the red one. If the file is loaded into a program doing the right thing (e.g. gimp) and saved again, the swirl in the thumbnail turns red. If a program is doing the wrong thing (e.g. convert [2]), the thumbnail stays green.

An even better demonstration is for example

  convert exiftest.jpg -draw "rectangle 0,0 300,300 fill black" out.jpg

which draws a black rectangle over the swirl, but the thumbnail in out.jpg still has the green swirl.

What do you think?

I don't know an image viewer that will always use the exif thumbnail. Konqueror and gwenview will sometimes use the exif thumbnail and sometimes create their own. The only reliable way to view the thumbnail I know is "exif -e exiftest.jpg" [2] and look at the created file.

Cheers,
Stefan

[1] http://www.sfritsch.de/debian/exiftest.jpg
[2] convert is from package "imagemagick" and exif is from "exif"
On Wed, Mar 16, 2005 at 03:22:58AM -0500, Joey Hess wrote:
> I noticed this: http://people.ubuntu.com/~pitti/ubuntu-cve.html
>
> It's generated from the changelogs of packages in ubuntu. The script is
> linked at the bottom. I wonder if someone who knows python would be able
> to adapt that to scan the debian changelogs and either generate a
> similar page or better, add notes to CAN/list?
>

Ah, this probably explains why some address space that belongs to Mark Shuttleworth slurps the living daylights out of changelogs.debian.net...

I'm trying to learn Python, so I might try and have a crack at this, but if someone else has more time and clue, feel free...

regards

Andrew
-- 
linux.conf.au 2005   -   http://linux.conf.au/   -   Birthplace of Tux
April 18th to 23rd   -   http://linux.conf.au/   -   LINUX
Canberra, Australia  -   http://linux.conf.au/   -   Get bitten!
Here is a revised/reworded version of this email:

Subject: Bits from the Testing Security Team
Cc: debian-security@lists.debian.org
Reply-To: debian-devel@lists.debian.org

Hello,

This is a quick summary of the Debian Testing Security Team[1] work and a request for some aid to help sort out some difficult Sarge security problems.

Contents of this message:

  What the Testing Security Team has been up to
  How can I leverage my powerful brain to aid you?
  Let the games begin!
  This is fun, how else can I help?

Background information
----------------------

The first thing the Debian Testing Security Team did was to check all security holes since the release of Debian 3.0 to ensure that all the holes are fixed in Sarge. Now that this has finished, we are busy checking to make sure that security problems that have already been fixed in unstable as well as stable do not continue to affect testing. We are also dealing with new holes as they are made known.

Every day we get an updated list of Mitre's comprehensive list of known security problems, known affectionately as CAN numbers[2]. We've been going through old CANs as well as the newly released CANs and check changelogs, advisories, test proof-of-concepts, dig out patches from other vendor's kernels, whatever is needed to confidently determine whether sarge is vulnerable to the particular CAN or not. We then record our findings, file bugs, write patches, do NMUs as necessary, track fixed packages and work with the Debian Release Managers to make sure fixes reach testing quickly.

The result of this is the Testing Security issues page[2] which shows how many holes are unfixed (that we know of) in testing, the associated bugs and debian package versions required to plug the hole. In addition to this, it also indicates how many unprocessed TODO items are still remaining for us to process.[4]

How can I leverage my powerful brain to aid you?
------------------------------------------------

I'm glad you asked! Your brain is much bigger than our individual brains, so we need the collective help of everyone to brainstorm solutions to some difficult remaining CANs. There are a few CANs that are pretty vague in their broad applicability, they potentially cover a number of packages and we need help figuring out which packages those would be. Bonus points if you can tell us if the package is affected by its associated CAN, extra bonus points if you tell us the bug number that you filed to alert the package maintainer of the security hole, tagged it security and added a patch.

So without further ado, here they are, if you have any information that can help us, please follow up to debian-devel.

Let the games begin!
--------------------

1. What packages contain X.400 (CAN-2003-0565)[5]?

2. What packages contain S/MIME besides mozilla, because the current version (mozilla 2:1.7.3) contains safe NSS 3.9.1 (CAN-2003-0564)[6]?

3. What packages modify JPEG images (CAN-2005-0406)[7]? Please limit your answers to those packages that do not modify the EXIF thumbnail, we don't need to hear "imagemagick" or "the gimp." If you use this jpg[8] whose thumbnail contains a green swirl instead of the red one you can test this. Basically if the file is loaded into a program doing the right thing (e.g. gimp) and saved again, the swirl in the thumbnail turns red. If a program is doing the wrong thing (e.g. convert[9]), the thumbnail stays green.

     convert exiftest.jpg -draw "rectangle 0,0 300,300 fill black" out.jpg

   will draw a black rectangle over the swirl, but the thumbnail in out.jpg still has the green swirl.

4. What packages contain libtiff code (besides libtiff4 3.6.1-4 which is not affected due to DSA-617-1)? (CAN-2004-1308)[10]?

5. What ftp programs are affected by directory traversal vulnerabilities (CAN-2002-1345)[11]?

6. What packages in Debian are SMTP mailscanners that can be potentially bypassed by fragmenting messages (CAN-2002-1121)[12].

7. Is our xpdf vulnerable to CAN-2005-0206[13]?

This is fun, how else can I help?
---------------------------------

Glad you asked! Any Debian developers with an interest in participating are welcome to join the team, and we also welcome others who have the skills and desire to help us. The team can be contacted through its mailing list[14]. There is a second mailing list[15] that receives commit messages to our repository. An alioth project page[1] is also available. Have a read of this message[16] if you are interested in participating, the details are there about how to start helping check CANs on a regular basis.

What do I win? huh? Huh?!
-------------------------

You get a little sticker that says: "I donated to Sarge today!"

Ok, not really, but you do get our gratitude, these are annoying and difficult.

Thanks.

[1] http://secure-testing.alioth.debian.org/
[2] http://cve.mitre.org/cve/candidates/downloads/full-can.html
[3] http://merkel.debian.org/~joeyh/testing-security.html
[4] An alternate page tracks archive changes more quickly, but may be inaccurate due to bugs in madison on newraff is here: http://newraff.debian.org/~joeyh/testing-security.html
[5] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0565
[6] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0564
[7] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0406
[8] http://www.sfritsch.de/debian/exiftest.jpg
[9] convert is from package "imagemagick" and exif is from "exif"
[10] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308
[11] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1345
[12] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1121
[13] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0206
[14] http://secure-testing.alioth.debian.org/secure-testing-team@lists.alioth.debian.org
[15] http://secure-testing.alioth.debian.org/secure-testing-commits@lists.alioth.debian.org
[16] http://lists.debian.org/debian-security/2004/10/msg00166.html
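Stefan's exiftest.jpg check above, and item 3 of the revised announcement, both rely on the same question: after a tool rewrites a JPEG, is the Exif thumbnail in the output still the one from the input? The script below is an added example, not code from the thread, from imagemagick, exif or any other package named here. It builds a constructed JPEG whose Exif APP1 segment carries an IFD1 pointing at a placeholder thumbnail, extracts the thumbnail from any JPEG by walking the TIFF structure (tags 0x0201/0x0202), and reports whether an "edited" copy still carries the original's thumbnail byte for byte. The function names, the placeholder thumbnail bytes and the COM segment standing in for the main image are all assumptions made for the example.

```python
import struct

# Constructed placeholder thumbnails (not the real exiftest.jpg data).
GREEN_THUMB = b"\xff\xd8<placeholder thumbnail: green swirl>\xff\xd9"
RED_THUMB = b"\xff\xd8<placeholder thumbnail: red swirl>\xff\xd9"


def build_exif_jpeg(thumbnail: bytes, main_image_note: bytes) -> bytes:
    """Build a minimal JPEG with an Exif APP1 segment whose IFD1 points at
    `thumbnail`. A COM segment stands in for the main image so that two
    saved variants can differ outside the Exif block."""
    # TIFF header: big-endian ("MM"), magic 42, IFD0 at offset 8
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    ifd1_off = 8 + 2 + 12 + 4               # IFD0 = count + 1 entry + next pointer
    tiff += struct.pack(">H", 1)
    # Orientation (0x0112), SHORT, count 1, value 1 (left-justified in 4 bytes)
    tiff += struct.pack(">HHI", 0x0112, 3, 1) + struct.pack(">H", 1) + b"\x00\x00"
    tiff += struct.pack(">I", ifd1_off)
    thumb_off = ifd1_off + 2 + 2 * 12 + 4   # IFD1 = count + 2 entries + next pointer
    tiff += struct.pack(">H", 2)
    tiff += struct.pack(">HHII", 0x0201, 4, 1, thumb_off)       # JPEGInterchangeFormat
    tiff += struct.pack(">HHII", 0x0202, 4, 1, len(thumbnail))  # JPEGInterchangeFormatLength
    tiff += struct.pack(">I", 0)                                # no further IFD
    tiff += thumbnail
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8"
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(main_image_note) + 2) + main_image_note
            + b"\xff\xd9")


def _segments(data: bytes):
    """Yield (marker, payload) for each JPEG segment up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                      # EOI
            return
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            return
        pos += 2 + length


def extract_exif_thumbnail(data: bytes):
    """Return the IFD1 thumbnail bytes, or None if there is no Exif thumbnail."""
    for marker, payload in _segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            tiff = payload[6:]
            break
    else:
        return None
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    n = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    ifd1 = struct.unpack(endian + "I", tiff[ifd0 + 2 + 12 * n:ifd0 + 6 + 12 * n])[0]
    if ifd1 == 0:
        return None
    n = struct.unpack(endian + "H", tiff[ifd1:ifd1 + 2])[0]
    offset = length = None
    for i in range(n):
        e = ifd1 + 2 + 12 * i
        tag, typ = struct.unpack(endian + "HH", tiff[e:e + 4])
        raw = tiff[e + 8:e + 12]
        value = struct.unpack(endian + "H", raw[:2])[0] if typ == 3 else struct.unpack(endian + "I", raw)[0]
        if tag == 0x0201:
            offset = value
        elif tag == 0x0202:
            length = value
    if offset is None or length is None:
        return None
    if offset + length > len(tiff):
        raise ValueError("thumbnail extends past the Exif segment")
    return tiff[offset:offset + length]


def thumbnail_unchanged(original: bytes, edited: bytes) -> bool:
    """True when the edited file still carries the original's thumbnail byte
    for byte, i.e. the editing tool did not regenerate it (the CAN-2005-0406
    behaviour). A tool that strips Exif entirely is not flagged."""
    t0, t1 = extract_exif_thumbnail(original), extract_exif_thumbnail(edited)
    return t0 is not None and t1 is not None and t0 == t1


# Constructed scenario: a "good" save regenerates the thumbnail, a "bad" one keeps it.
ORIGINAL = build_exif_jpeg(GREEN_THUMB, b"main image: green swirl")
GOOD_SAVE = build_exif_jpeg(RED_THUMB, b"main image: red swirl")
BAD_SAVE = build_exif_jpeg(GREEN_THUMB, b"main image: red swirl")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # e.g. exiftest.jpg out.jpg
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            print("stale thumbnail" if thumbnail_unchanged(f.read(), g.read()) else "thumbnail regenerated or absent")
    else:
        print("good save keeps old thumbnail?", thumbnail_unchanged(ORIGINAL, GOOD_SAVE))
        print("bad save keeps old thumbnail?", thumbnail_unchanged(ORIGINAL, BAD_SAVE))
```

Run with the two real files ("python3 thumbcheck.py exiftest.jpg out.jpg") to get the same verdict as the green/red swirl test without needing a viewer that honours the Exif thumbnail. The comparison is deliberately byte-for-byte rather than visual: a tool that re-encodes the old thumbnail would show as regenerated, which is acceptable here because the tools of interest leave the bytes untouched.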
Hi,

On Wed, Mar 16, 2005 at 03:22:58AM -0500, Joey Hess wrote:
> I noticed this: http://people.ubuntu.com/~pitti/ubuntu-cve.html
>
> It's generated from the changelogs of packages in ubuntu. The script is
> linked at the bottom. I wonder if someone who knows python would be able
> to adapt that to scan the debian changelogs and either generate a
> similar page or better, add notes to CAN/list?

I have contacted Martin Pitt <martin.pitt@ubuntu.com>, the author of the script and asked him whether it's freely available (as it contained no license header). He was kind enough to release it under the terms of the GPL (a notice has been added to the script itself in a comment).

He also gave me some more descriptions about how to customize it for Debian (in German), but he'll probably add those notes to a README or something, later...

Anyone with some Python knowledge can now give it a try on a Debian Mirror (it must run on a mirror it seems). If no one else steps forward _and_ I have some spare time in the next few weeks (very unlikely), I might try to adapt the script...

HTH, Uwe.
-- 
Uwe Hermann <uwe@hermann-uwe.de>
http://www.hermann-uwe.de  | http://www.crazy-hacks.org
http://www.it-services-uh.de  | http://www.phpmeat.org
http://www.unmaintained-free-software.org  | http://www.holsham-traders.de
I noticed this: http://people.ubuntu.com/~pitti/ubuntu-cve.html

It's generated from the changelogs of packages in ubuntu. The script is linked at the bottom. I wonder if someone who knows python would be able to adapt that to scan the debian changelogs and either generate a similar page or better, add notes to CAN/list?

-- 
see shy jo
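The page Joey links is built by mining changelogs for CAN references. As an added example (not Martin Pitt's script and not anything from the thread), here is the core of such a scan in Python: a parser for the debian/changelog entry format (the "package (version) distribution; urgency=..." header, the indented body, the " -- maintainer  date" trailer) that collects the CAN/CVE identifiers each version's entry mentions and maps every identifier to the earliest version claiming it. The sample changelog, the package name, the versions and the CAN numbers in it are constructed placeholders; the "- package version" note format mirrors the shape of the package/version lines in the CAN/list excerpt quoted earlier in this thread and is an assumption about how such notes would be fed back.

```python
import re

# Constructed sample in debian/changelog syntax; package, versions and CAN ids
# are placeholders, not real entries.
SAMPLE_CHANGELOG = """\
examplepkg (1.2-3) unstable; urgency=high

  * Fix integer overflow in the directory reader (CAN-2004-0001).
  * Refuse oversized strips, see CAN-2004-0002 and CAN-2004-0003.
  * Note: CAN-2004-0001 was already mentioned above; duplicates are collapsed.

 -- Example Maintainer <maint@example.invalid>  Mon, 14 Mar 2005 10:00:00 +0100

examplepkg (1.2-2) unstable; urgency=low

  * Backport the CAN-2004-0002 fix only.

 -- Example Maintainer <maint@example.invalid>  Tue, 01 Feb 2005 09:00:00 +0100

examplepkg (1.2-1) unstable; urgency=low

  * New upstream release; no security changes.

 -- Example Maintainer <maint@example.invalid>  Sat, 01 Jan 2005 09:00:00 +0100
"""

HEADER_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9.+-]+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+);")
TRAILER_RE = re.compile(r"^ -- .+  .+$")          # " -- Name <mail>  date"
ID_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")


def parse_changelog(text):
    """Return [(package, version, distribution, set_of_ids)] in file order
    (newest entry first), one tuple per changelog entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m["pkg"], m["ver"], m["dist"].strip(), set())
            entries.append(current)
            continue
        if current is None:
            continue                              # text before the first header
        if TRAILER_RE.match(line):
            current = None                        # entry closed
            continue
        current[3].update(ID_RE.findall(line))    # body lines: harvest ids
    return entries


def fixed_versions(text):
    """Map each id to the (package, version) of the oldest entry mentioning it,
    i.e. the first upload that claims to address it."""
    fixed = {}
    for pkg, ver, _dist, ids in reversed(parse_changelog(text)):   # oldest first
        for cid in ids:
            fixed.setdefault(cid, (pkg, ver))
    return fixed


def list_note(cid, fixed):
    """Render one '- package version' line for the given id, or None."""
    hit = fixed.get(cid)
    return None if hit is None else "- %s %s" % hit


if __name__ == "__main__":
    fixed = fixed_versions(SAMPLE_CHANGELOG)
    for cid in sorted(fixed):
        print(cid, list_note(cid, fixed))
```

A changelog that names a CAN only to say "not affected" would be harvested just like a fix, so the output is raw material for a human to turn into CAN/list notes, not a verdict; that is the "add notes" use Joey suggests rather than an automatic fixed-version claim. The `(?:CAN|CVE)` alternation is there because both prefixes were in circulation in changelogs at the time.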
Back in March Joey pointed out this useful script and both Andrew and Uwe mentioned that they might try their hands at adapting the script. Did any/either of you get anywhere with this? It would be a shame if it were a dropped ball as it looks really useful!

micah

On Wed, 16 Mar 2005, Joey Hess wrote:
> I noticed this: http://people.ubuntu.com/~pitti/ubuntu-cve.html
>
> It's generated from the changelogs of packages in ubuntu. The script is
> linked at the bottom. I wonder if someone who knows python would be able
> to adapt that to scan the debian changelogs and either generate a
> similar page or better, add notes to CAN/list?
>
> --
> see shy jo
On Wed, May 18, 2005 at 10:00:25AM -0500, Micah Anderson wrote:
> Back in March Joey pointed out this useful script and both Andrew and
> Uwe mentioned that they might try their hands at adapting the script.
> Did any/either of you get anywhere with this? It would be a shame if
> it were a dropped ball as it looks really useful!
>

Unfortunately I haven't had any time to do anything with it :-(

regards

Andrew