Bug#987537: RM: scrollz -- RoQA unmaintained, dead upstream, has security issues
On Mon, May 03, 2021 at 07:58:06AM +0200, Tobias Frost wrote:
> I just gave upstream a pointer to the ircii code that fixes this CVE. Maybe
> they have tested it?

I reached out via email yesterday and I'm awaiting a response.

> (MIA Team hat partly on) That sounds a bit like the package should be
> orphaned or some RFH/RFA bug being filed? Or join efforts in some team?
> As said, you can use mentors.debian.net for uploading. The only hard
> point I can't give you advice is the time issue…

Well, there was a time issue and a potential employer issue (and I can't expect advice from you on either :). I've spoken with my employer and confirmed that there actually isn't an issue there.

> But maybe you'll find a bit of time working to update your package;
> But note, we are currently frozen, uploads to unstable should be
> minimal and targeted fixes only…

Understood; I've updated the 2.2.3-1 package from the PR and from a small patch upstream made to that, and, as noted above, just want to make sure it's tested before bugging mentors.debian.net for assistance uploading. (I'm still unclear on whether the package version should be updated to indicate that this is a security fix, but that's obviously a very small detail overall that can be dealt with at any point before upload.)

On Thu, May 13, 2021 at 02:10:05PM +0300, Adrian Bunk wrote:
> https://security-tracker.debian.org/tracker/CVE-2021-29376
> [buster] - scrollz (Minor issue)
>
> So the correct instructions are in this case
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions

I can build/test on a stable and an oldstable system, but per those instructions, I'll first focus on getting a 2.2.3-2 uploaded to unstable that contains just the fix that would then go into 2.2.3-1+deb10u1 (and potentially 2.2.3-1+deb9u1, if that even makes sense timing-wise anymore).

Given the existence of a CVE and a security-tracker entry, what is the appropriate urgency for these uploads? (I'm happy to reach out to the team if that's more appropriate.)

-- 
Mike Markley
Bug#987537: RM: scrollz -- RoQA unmaintained, dead upstream, has security issues
On Mon, May 03, 2021 at 07:58:06AM +0200, Tobias Frost wrote:
>...
> > I don't actually know the procedures for a security update, in any case.
> > so if anyone has advice on next steps, I'd appreciate it.
>
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
> and
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security-building
>...

https://security-tracker.debian.org/tracker/CVE-2021-29376
[buster] - scrollz (Minor issue)

So the correct instructions are in this case
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#special-case-uploads-to-the-stable-and-oldstable-distributions

> tobi

cu
Adrian
Bug#987537: RM: scrollz -- RoQA unmaintained, dead upstream, has security issues
On Tue, Apr 27, 2021 at 10:02:13AM -0600, Mike Markley wrote:
> I do see that there's a recent PR upstream to fix this CVE:
> https://github.com/ScrollZ/ScrollZ/pull/26

I see that this PR has now been merged. I rebuilt 2.2.3-1 with the ctcp.c portion of the patch locally, but I haven't installed it yet as I don't have exploit code to test against the old build (I'd like to verify that it crashes my client before upgrading).

I don't actually know the procedures for a security update, in any case, so if anyone has advice on next steps, I'd appreciate it.

-- 
Mike Markley
Bug#987537: RM: scrollz -- RoQA unmaintained, dead upstream, has security issues
X-MIA-Summary; - ; acks inactivity/key issue in scrollz bug.

On Sun, May 02, 2021 at 09:58:30PM -0600, Mike Markley wrote:

Hi Mike,

many thanks for your reply!

> On Tue, Apr 27, 2021 at 10:02:13AM -0600, Mike Markley wrote:
> > I do see that there's a recent PR upstream to fix this CVE:
> > https://github.com/ScrollZ/ScrollZ/pull/26

Yeah, after I reported the issue, they quickly came up with the PR.

> I see that this PR has now been merged. I rebuilt 2.2.3-1 with the ctcp.c
> portion of the patch locally, but I haven't installed it yet as I don't
> have exploit code to test against the old build (I'd like to verify that
> it crashes my client before upgrading).

I just gave upstream a pointer to the ircii code that fixes this CVE. Maybe they have tested it?

> I don't actually know the procedures for a security update, in any case.
> so if anyone has advice on next steps, I'd appreciate it.

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
and
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security-building

(You need to talk to the security team anyway, as they have expressed concerns about the package.)

On Tue, 27 Apr 2021 10:02:13 -0600 Mike Markley wrote:
> Unfortunately, though I'm still listed as the maintainer, I haven't had
> a key in the keyring since 1024-bit GPG keys were removed and am not in
> a position to actively upload.

You can use mentors.debian.net and follow the regular RFS procedure. (It is also quite easy to find sponsors these days, much better than a couple of years ago.) (This can be used to bridge the time until you can fix your key situation.)

> I do see that there's a recent PR upstream to fix this CVE:
> https://github.com/ScrollZ/ScrollZ/pull/26
>
> I pinged the upstream author last week on IRC and didn't get a response,
> so I don't know what the chances are that it will be merged. He may pay
> more attention to GitHub email these days, though.
>
> I haven't looked at the state of debhelper and the rest of the packaging
> toolchain since my last upload. I could take a look at the latest version
> and this patch and see about updating the existing source package with
> those, but I don't know how much time I'll have to put into updating
> anything that's changed, and I would still need help uploading.

(MIA Team hat partly on) That sounds a bit like the package should be orphaned or some RFH/RFA bug being filed? Or join efforts in some team? As said, you can use mentors.debian.net for uploading. The only hard point I can't give you advice on is the time issue…

But maybe you'll find a bit of time to work on updating your package; but note, we are currently frozen, so uploads to unstable should be minimal and targeted fixes only…

(For the avoidance of doubt, I'm still going to reassign the package to ftp.debian.org in 3 months; to avoid this, do as described in the initial mail.)

-- 
tobi
Bug#987537: RM: scrollz -- RoQA unmaintained, dead upstream, has security issues
On Sun, Apr 25, 2021 at 11:33:32AM +0200, Tobias Frost wrote:
> Additionally, even if there was a new upstream version in 2016, it was never
> packaged for Debian. This lets me believe that the package is no longer
> maintained in Debian.
>
> Due to the fact that the scrollz has an open security issue, is not maintained
> upstream and Debian, having a very low popcon value and ircii being available,
> I think it is probably best to remove the package from Debian at this point.
>
> If there is no answer to this bug within 3 months, I will reassign this bug to
> ftp.debian.org for the actual removal.
>
> If you disagree, just close the bug, but it would be great if the package
> could
> be fixed into back into an releasble state.

Unfortunately, though I'm still listed as the maintainer, I haven't had a key in the keyring since 1024-bit GPG keys were removed and am not in a position to actively upload.

I do see that there's a recent PR upstream to fix this CVE:
https://github.com/ScrollZ/ScrollZ/pull/26

I pinged the upstream author last week on IRC and didn't get a response, so I don't know what the chances are that it will be merged. He may pay more attention to GitHub email these days, though.

I haven't looked at the state of debhelper and the rest of the packaging toolchain since my last upload. I could take a look at the latest version and this patch and see about updating the existing source package with those, but I don't know how much time I'll have to put into updating anything that's changed, and I would still need help uploading.

-- 
Mike Markley
Bug#987537: RM: scrollz -- RoQA unmaintained, dead upstream, has security issues
On Sun, Apr 25, 2021 at 11:33:32AM +0200, Tobias Frost wrote:
> Package: scrollz
> Severity: serious
>
> user debian-rele...@lists.debian.org
> usertags -1 + bsp-2021-04-AT-Salzburg
> thank you
>
> Dear maintainers,
>
> according to my research, scrollz is a fork of ircii, also in Debian.
> However,
> scrollz last update was 2016 while icrii is still frequently releasing new
> versions.
>
> Additionally, even if there was a new upstream version in 2016, it was never
> packaged for Debian. This lets me believe that the package is no longer
> maintained in Debian.
>
> Due to the fact that the scrollz has an open security issue, is not maintained
> upstream and Debian, having a very low popcon value and ircii being available,
> I think it is probably best to remove the package from Debian at this point.
>
> If there is no answer to this bug within 3 months, I will reassign this bug to
> ftp.debian.org for the actual removal.
>
> If you disagree, just close the bug, but it would be great if the package
> could
> be fixed into back into an releasble state.
>
> If you agree, please reassign the bug to ftp.debian.org.

FWIW, from the security team's perspective we think scrollz (and possibly ircii) should both not be included in bullseye in this form.

Regards,
Salvatore
Bug#987537: RM: scrollz -- RoQA unmaintained, dead upstream, has security issues
Package: scrollz
Severity: serious

user debian-rele...@lists.debian.org
usertags -1 + bsp-2021-04-AT-Salzburg
thank you

Dear maintainers,

according to my research, scrollz is a fork of ircii, also in Debian. However, scrollz's last update was in 2016 while ircii is still frequently releasing new versions.

Additionally, even if there was a new upstream version in 2016, it was never packaged for Debian. This leads me to believe that the package is no longer maintained in Debian.

Due to the fact that scrollz has an open security issue, is not maintained upstream or in Debian, has a very low popcon value, and ircii is available, I think it is probably best to remove the package from Debian at this point.

If there is no answer to this bug within 3 months, I will reassign this bug to ftp.debian.org for the actual removal.

If you disagree, just close the bug, but it would be great if the package could be fixed back into a releasable state.

If you agree, please reassign the bug to ftp.debian.org.

Thanks,
tobi