Bug#929662: docker.io: CVE-2018-15664 - upstream backport of patch for 18.09

2019-06-22 Thread Fabrice Dagorn

Hi,

it seems that docker.io would be removed from buster if nothing changes 
in the next 3 days [0].


Do you need help to fix this?


Fabrice

[0] https://lists.debian.org/debian-release/2019/06/msg00542.html

On Mon, 10 Jun 2019 11:54:08 +0700 Arnaud Rebillout wrote:


>   Hi,
>
> thanks for reaching out. I applied the patch, that is no problem.
> However the new tests that were added make my machine go crazy and
> reach the maximum number of processes. Right now I'm configured like that:
>
>     $ ulimit -u
>     62688
>
> I will bump this number but I also want to check a bit more in detail
> what's happening and report that upstream, as I don't know if this is
> expected behavior or not.
>
> You can check out the branch at
> https://salsa.debian.org/docker-team/docker/tree/arnaudr/cve-2018-15664
> and try it by yourself if you're curious.
>
> In the meantime, I reached out to the release team at #930293 to prepare
> for the next unblock.
>
> So things are in progress, no need for help on this particular issue,
> but in general if you're interested in the docker package, then help
> with the packaging is more than welcome :)
>
>   Arnaud
>
>
> On 6/9/19 9:31 AM, Afif Elghraoui wrote:
> > Hello,
> >
> > Is any help needed on this? Upstream has a backport of the patch for the
> > 18.09 series (same as Unstable):
> >
> > https://github.com/docker/engine/pull/253
> >
> > Hopefully it won't be too much work to incorporate it.
> >
> > thanks and regards
> > Afif
> >
>
>



Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-04-01 Thread Fabrice Dagorn

The POC is a simple Eclipse java project.

UnsafeReceiver will open a ServerSocketReceiver on  port and wait 
forever.


Injector will then open a client Socket to the ServerSocketReceiver and 
serialize a Calculator instance through the wire.


Calculator implements ILoggingEvent to prevent ClassCastException on 
deserialization but Logback won't check more and getLoggerName() is called.


In this case, the gnome calculator is executed.


Regards,

Fabrice


On 31/03/2017 at 14:10, Markus Koschany wrote:

You could also attach the POC to this bug report. The vulnerability is
publicly known by now anyway.

Markus





poc_logback.tar.gz
Description: GNU Zip compressed data


Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Fabrice Dagorn

Hi,
I have made a quick and dirty POC for this issue.
This results in a remote code execution in the JVM that exposes a 
ServerSocketReceiver.


Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.

The POC is available on demand.

Regards,
Fabrice Dagorn



Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-29 Thread Fabrice Dagorn

Thank you for your upload.

But I think that the issue is not completely solved; upstream made it in 
several commits (https://github.com/qos-ch/logback/commits/v_1.2.0).


The comment is not meaningful but this one is related to the 
vulnerability: 
https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9


Fabrice Dagorn

On 28/03/2017 at 18:09, Debian Bug Tracking System wrote:

This is an automatic notification regarding your Bug report
which was filed against the liblogback-java package:

#857343: logback: CVE-2017-5929: serialization vulnerability affecting the 
SocketServer and ServerSocketReceiver components

It has been closed by Markus Koschany <a...@debian.org>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Markus Koschany 
<a...@debian.org> by
replying to this email.






Bug#857343: (no subject)

2017-03-23 Thread Fabrice Dagorn

Dear Maintainer,
it's a serious security bug IMO, feel free to switch back to important 
if you disagree.




Bug#856187: (no subject)

2017-02-26 Thread Fabrice Dagorn

Dear Maintainer,

here is a patch for your 2.8-2 package fixing this bug.
Sorry for #856198, I thought it would help.

Regards,
 Fabrice Dagorn

Index: entropybroker-2.8/handle_client.cpp
===
--- entropybroker-2.8.orig/handle_client.cpp
+++ entropybroker-2.8/handle_client.cpp
@@ -698,23 +698,35 @@ void main_loop(std::vector *
 			// this way we go through each fd in the process_pipe_from_client_thread part
 			// so that we detect closed fds
 			int set = 0;
+			int failed = 0;
 			for(unsigned int i=0; i<fds.size(); i++) {
-if(fds.at(i).fd == clients -> at(loop) -> to_main[0] && fds.at(i).revents & POLLIN) {
-	set = 1;
-	break;
+if(fds.at(i).fd == clients -> at(loop) -> to_main[0])
+{
+	if(fds.at(i).revents & POLLIN)
+	{
+		set = 1;
+		break;
+	}
+	if(fds.at(i).revents & (POLLERR|POLLHUP|POLLNVAL))
+	{
+		failed = 1;
+		break;
+	}
 };
 			};
 			if(rc > 0 && set == 1 ) {
 
 if (process_pipe_from_client_thread(clients -> at(loop), _clients, _servers) == -1)
-{
-	dolog(LOG_INFO, "main|connection with %s/%s lost", clients -> at(loop) -> host.c_str(), clients -> at(loop) -> type.c_str());
+	failed = 1;
+			}
+			if(rc > 0 && failed == 1 ) {
 
-	user_map -> inc_misc_errors(clients -> at(loop) -> username);
-	gs -> inc_misc_errors();
+dolog(LOG_INFO, "main|connection with %s/%s lost", clients -> at(loop) -> host.c_str(), clients -> at(loop) -> type.c_str());
 
-	delete_ids.push_back( -> at(loop) -> th);
-}
+user_map -> inc_misc_errors(clients -> at(loop) -> username);
+gs -> inc_misc_errors();
+
+delete_ids.push_back( -> at(loop) -> th);
 			}
 		}
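Review bot: as quoted here the hunk cannot compile, and the damage looks like mail transport rather than the patch itself: the hunk header reads `void main_loop(std::vector *` with no template argument, and both the removed and the added cleanup line read `delete_ids.push_back( -> at(loop) -> th);` with nothing before the first `->` (presumably `clients`, as in the neighbouring `clients -> at(loop) -> host.c_str()` call), so angle-bracketed text has been stripped; please attach the patch as a file or confirm that the uploaded 2.9-0.1 source carries the intact lines. On the logic, the new `if(fds.at(i).revents & (POLLERR|POLLHUP|POLLNVAL))` branch is the right fix for the spin: a hung-up pipe makes poll() return immediately without ever setting POLLIN, so before this change `set` stayed 0, the cleanup block was never reached and the loop ran hot. Two smaller points: the second `rc > 0` test in `if(rc > 0 && failed == 1 )` is redundant, since `failed` can only be set on a path where `rc > 0` already held, so `if(failed == 1)` would read more clearly; and the added braces on their own lines after `if(fds.at(i).fd == ...)` and `if(fds.at(i).revents & POLLIN)` differ from the K&R style of the surrounding code (`if(rc > 0 && set == 1 ) {`), so match it.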



Bug#856187: (no subject)

2017-02-26 Thread Fabrice Dagorn

I uploaded a fixed version to mentors.debian.net:
https://mentors.debian.net/debian/pool/main/e/entropybroker/entropybroker_2.9-0.1.dsc



Bug#856187: entropybroker 2.8 : 100% cpu load in master/slave setup

2017-02-26 Thread Fabrice Dagorn
Package: entropybroker
Version: 2.8-2
Severity: grave
Tags: upstream
Justification: renders package unusable

Dear Maintainer,

upstream fixed an issue (https://github.com/flok99/entropybroker/issues/5) that 
may lead the system to a 100% CPU load.
I will try to package this new version (2.9) as it contains this fix and your 
patches for Debian.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages entropybroker depends on:
ii  init-system-helpers  1.47
ii  libasound2           1.1.3-5
ii  libc6                2.24-9
ii  libcrypto++6         5.6.4-6
ii  libftdi1             0.20-4
ii  libgcc1              1:6.3.0-6
ii  libgd3               2.2.4-2
ii  libpcsclite1         1.8.20-1
ii  libpng16-16          1.6.28-1
ii  libstdc++6           6.3.0-6
ii  libusb-1.0-0         2:1.0.21-1
ii  zlib1g               1:1.2.8.dfsg-5

entropybroker recommends no packages.

entropybroker suggests no packages.

-- no debconf information