Michael Gilbert
2009-Dec-02 03:44 UTC
[Secure-testing-team] Sorting out the Quake2 situation
On Wed, 2 Dec 2009 09:28:31 +0800 Paul Wise wrote:
> On Wed, Dec 2, 2009 at 2:24 AM, Guillem Jover <guillem at debian.org> wrote:
>
> > Right, as there's at least 3 of them (Quake II/III) already in the
> > archive: openarena, alien-arena and warsow.
>
> Could someone let the Debian security team know about that? Their
> embedded-code-copies file doesn't mention these three:
>
> http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies

thanks for pointing this out. i have added these to the list. if you
all can check your packages and forward any other embedded code copies
included in your games packages, that would be immensely helpful.

best wishes,
mike
Paul Wise
2009-Dec-02 03:49 UTC
[Secure-testing-team] Sorting out the Quake2 situation
On Wed, Dec 2, 2009 at 11:44 AM, Michael Gilbert <michael.s.gilbert at gmail.com> wrote:
> On Wed, 2 Dec 2009 09:28:31 +0800 Paul Wise wrote:
>
>> On Wed, Dec 2, 2009 at 2:24 AM, Guillem Jover <guillem at debian.org> wrote:
>>
>> > Right, as there's at least 3 of them (Quake II/III) already in the
>> > archive: openarena, alien-arena and warsow.
>>
>> Could someone let the Debian security team know about that? Their
>> embedded-code-copies file doesn't mention these three:
>>
>> http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies
>
> thanks for pointing this out. i have added these to the list. if you
> all can check your packages and forward any other embedded code copies
> included in your games packages, that would be immensely helpful.

On that note, not sure if the security team is aware of it, but this
site can be immensely useful for that:

http://source.debian.net/source/

Fun fact; there are 442 copies of different versions of md5.c in the
archive:

http://source.debian.net/source/search?path=md5.c

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
Michael Gilbert
2009-Dec-02 04:20 UTC
[Secure-testing-team] Sorting out the Quake2 situation
On Wed, 2 Dec 2009 11:49:56 +0800 Paul Wise wrote:
> On Wed, Dec 2, 2009 at 11:44 AM, Michael Gilbert wrote:
> > On Wed, 2 Dec 2009 09:28:31 +0800 Paul Wise wrote:
> >
> >> On Wed, Dec 2, 2009 at 2:24 AM, Guillem Jover wrote:
> >>
> >> > Right, as there's at least 3 of them (Quake II/III) already in the
> >> > archive: openarena, alien-arena and warsow.
> >>
> >> Could someone let the Debian security team know about that? Their
> >> embedded-code-copies file doesn't mention these three:
> >>
> >> http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies
> >
> > thanks for pointing this out. i have added these to the list. if you
> > all can check your packages and forward any other embedded code copies
> > included in your games packages, that would be immensely helpful.
>
> On that note, not sure if the security team is aware of it, but this
> site can be immensely useful for that:
>
> http://source.debian.net/source/

yes. this is useful when you are looking for a specific duplicated code
set, but it doesn't really help to determine which embedded copies a
particular package has. that depends more on human
experience/familiarity, and is what i am asking for.

> Fun fact; there are 442 copies of different versions of md5.c in the archive:
>
> http://source.debian.net/source/search?path=md5.c

yikes!

mike
Stefan Potyra
2009-Dec-02 10:07 UTC
[Secure-testing-team] Embedded code copies [was: Re: Sorting out the Quake2 situation]
Hi Michael,

On Wednesday 02 December 2009 04:44:38 Michael Gilbert wrote:
[..]
> if you
> all can check your packages and forward any other embedded code copies
> included in your games packages, that would be immensely helpful.

trigger-rally links statically against an embedded copy of glew. It's
already on my list to get this sorted out.

Cheers,
   Stefan.
Paul Wise
2009-Dec-02 10:35 UTC
[Secure-testing-team] Embedded code copies [was: Re: Sorting out the Quake2 situation]
On Wed, Dec 2, 2009 at 6:07 PM, Stefan Potyra <stefan.potyra at informatik.uni-erlangen.de> wrote:
> Hi Michael,
>
> On Wednesday 02 December 2009 04:44:38 Michael Gilbert wrote:
> [..]
>> if you
>> all can check your packages and forward any other embedded code copies
>> included in your games packages, that would be immensely helpful.
>
> trigger-rally links statically against an embedded copy of glew. It's already
> on my list to get this sorted out.

Added to embedded-code-copies.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
Guillem Jover
2009-Dec-02 17:24 UTC
[Secure-testing-team] Embedded code copies in games (was: Re: Sorting out the Quake2 situation)
On Tue, 2009-12-01 at 22:44:38 -0500, Michael Gilbert wrote:
> On Wed, 2 Dec 2009 09:28:31 +0800 Paul Wise wrote:
> > Could someone let the Debian security team know about that? Their
> > embedded-code-copies file doesn't mention these three:
> >
> > http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies
>
> thanks for pointing this out. i have added these to the list. if you
> all can check your packages and forward any other embedded code copies
> included in your games packages, that would be immensely helpful.

I tend to file bug reports when I find embedded copies, with the
security tag set, which AFAIK gets the team notified. And note them
down as candidates to look for in other places.

Anyway, a few I've found recently, which I had noted down to report:

* tinyxml

  This one is not (yet) packaged in Debian.

  Found in libphysfs, cal3d and crystalspace.

  There seem to be several more:

    <http://source.debian.net/source/search?path=tinyxml.h>

* lzma

  Understandable as there's not been a liblzma until recently, now
  provided by the xz-utils package which is supposed to deprecate the
  lzma one in the future. It would be great to switch all of those to
  use the new shared library, and remove the embedded copies.

  Found in libphysfs.

  There's lots of this, but not all are embedded copies:

    <http://source.debian.net/source/search?path=lzma>

regards,
guillem
Michael Gilbert
2009-Dec-04 03:06 UTC
[Secure-testing-team] Embedded code copies in games (was: Re: Sorting out the Quake2 situation)
On Wed, 2 Dec 2009 18:24:21 +0100 Guillem Jover wrote:
> * lzma
>
>   Understandable as there's not been a liblzma until recently, now
>   provided by the xz-utils package which is supposed to deprecate the
>   lzma one in the future. It would be great to switch all of those to
>   use the new shared library, and remove the embedded copies.
>
>   Found in libphysfs.
>
>   There's lots of this, but not all are embedded copies:

so, what is the normal approach for handling non-issue embeds? it seems
like it would be quite an undertaking to submit bugs for all the lzma
and tinyxml embeds (and of course a bunch of other packages currently
tracked) without a whole lot of reward.

at one point, one of the maintainers of one of the prototype-embedding
packages mentioned that they had fixed that embed in the past because
there was a lintian warning. perhaps a good approach would be to add
more lintian checks for additional known embeds? in the prototype case,
it somewhat reduced the scope of the problem ahead of time, but still
most maintainers ignored the warning. perhaps a warning that said
SECURITY would be more authoritative?

in terms of detecting specific file names to flag, it looks pretty
straightforward; simply add additional names/wildcards to lintian's
'files' check. but a robust solution that detects specific code sets in
any file would take some (perhaps significant) work (especially since
those code sets may differ in different packages).

mike
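An added example, not from this thread and not lintian's own code, of the two-tier check the message above contrasts: a filename/wildcard match like lintian's 'files' check, plus a content fingerprint so a file that merely shares a name (e.g. an unrelated md5.c) is reported with lower confidence. The marker table and the sample source tree are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Assumed, illustrative table: filename glob -> (library, content fingerprint).
# The fingerprint is a symbol from the upstream code; a file that only shares
# the name is reported as "name-only" rather than "high".
KNOWN_EMBEDS = {
    "md5.c": ("md5", "MD5Transform"),
    "tinyxml*.h": ("tinyxml", "TiXmlDocument"),
    "Lzma*.c": ("lzma", "LzmaDec"),
    "glew.c": ("glew", "glewInit"),
}

def classify_file(path, content):
    """Return (library, confidence) if the file looks like a known embed, else None."""
    name = os.path.basename(path)
    for pattern, (lib, fingerprint) in KNOWN_EMBEDS.items():
        if fnmatch.fnmatch(name, pattern):
            return (lib, "high" if fingerprint in content else "name-only")
    return None

def scan_tree(root):
    """Walk a source tree; return sorted (relative path, library, confidence) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hit = classify_file(path, fh.read())
            if hit:
                findings.append((os.path.relpath(path, root), hit[0], hit[1]))
    return sorted(findings)

def build_sample_tree():
    """Construct a throwaway tree: two real-looking embeds, one same-named non-copy."""
    root = tempfile.mkdtemp(prefix="embeds-")
    samples = {
        "src/md5.c": "/* RFC 1321 reference */ static void MD5Transform(...) {}",
        "src/tinyxml.h": "class TiXmlDocument : public TiXmlNode {};",
        "src/md5sum/md5.c": "/* wrapper around the system md5 command */",
    }
    for rel, text in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for rel, lib, conf in scan_tree(build_sample_tree()):
        print(f"{rel}: possible embedded copy of {lib} ({conf})")
```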
Jakub Wilk
2009-Dec-04 09:36 UTC
[Secure-testing-team] Embedded code copies in games (was: Re: Sorting out the Quake2 situation)
* Guillem Jover <guillem at debian.org>, 2009-12-02, 18:24:
>* tinyxml
>
>This one is not (yet) packaged in Debian.
>
>Found in libphysfs,

Maybe I'm blind, but I can't see an embedded copy of tinyxml in
libphysfs...

>cal3d and crystalspace.
>
>There seems to be several more:
>
> <http://source.debian.net/source/search?path=tinyxml.h>

I've triaged these and added to the embedded-code-copies file.
Unfortunately, there were almost no false positives...

-- 
Jakub Wilk
Michael Gilbert
2009-Dec-04 12:51 UTC
[Secure-testing-team] Embedded code copies in games (was: Re: Sorting out the Quake2 situation)
On Fri, 4 Dec 2009 10:36:22 +0100, Jakub Wilk wrote:
> * Guillem Jover <guillem at debian.org>, 2009-12-02, 18:24:
> >* tinyxml
> >
> >This one is not (yet) packaged in Debian.
> >
> >Found in libphysfs,
>
> Maybe I'm blind, but I can't see an embedded copy of tinyxml in
> libphysfs...
>
> >cal3d and crystalspace.
> >
> >There seems to be several more:
> >
> > <http://source.debian.net/source/search?path=tinyxml.h>
>
> I've triaged these and added to the embedded-code-copies file.
> Unfortunately, there were almost no false positives...

thanks Jakub!