On 2017-11-14 08:58:33, Roberto C. Sánchez wrote:
> All,
>
> Some of the last few updates I have done have required building the
> package with ASAN in order to reproduce the bug and/or confirm the fix.
>
> After some searches did not come up with anything that captured the
> issues I have encountered, I have written up some notes [0] on building
> packages with ASAN while doing Wheezy LTS work. Those notes are now
> also linked from our main documentation [1].
>
> If anyone out there has used ASAN in order to reproduce vulnerabilities
> and/or verify their fixes, please review the notes. Updates and
> improvements are most welcome.
So I have tried to use those notes to reproduce the pending issues on exiv2 (CVE-2017-1000126, CVE-2017-1000127, CVE-2017-1000128).

The first problem I had was that the DEB_*_APPEND environment didn't propagate through to the package. Maybe it's sbuild sanitizing the environment or something. So I ended up adding it to the debian/rules file, but that wasn't enough either - I had to add "export" to every line so it shows up in the environment. This could be because of the way exiv2 is built there:

    override_dh_auto_configure:
        dh_auto_configure -- --disable-rpath $(shell dpkg-buildflags --export=configure)

I suspect that dpkg-buildflags override may be failing to pick up the Make variables... So I changed the documentation to export explicitly; it can't hurt anyways:

    export DEB_CFLAGS_APPEND=-fsanitize=address
    export DEB_CPPFLAGS_APPEND=-fsanitize=address
    export DEB_CXXFLAGS_APPEND=-fsanitize=address
    export DEB_LDFLAGS_APPEND=-static-libasan

The next problem I had was that linking the package failed with errors like:

    undefined reference to `__asan_register_globals'

So I tried adding -lasan to the LDFLAGS, but then *configure* segfaults:

    configure:2919: g++ -o conftest -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fsanitize=address -D_FORTIFY_SOURCE=2 ddress -Wl,-z,relro -static-libasan -lasan conftest.cpp >&5
    configure:2930: ./conftest
    ./configure: line 2932: 18325 Segmentation fault ./conftest$ac_cv_exeext

Fun times.

So I'm stuck now - I reported the CVE issues upstream so they're at least aware of the issue:

https://github.com/Exiv2/exiv2/issues/174

... but I am not sure what to do with the package in Wheezy. I'm tempted to mark this as no-dsa because there's no upstream fix and we can't reproduce, but I wonder if we should just mark it as not-affected instead.

Opinions?

A.

-- 
The greatest crimes in the world are not committed by people breaking the rules but by people following the rules.
It's people who follow orders that drop bombs and massacre villages. - Banksy