Bug#929662: docker.io: CVE-2018-15664 - upstream backport of patch for 18.09
Hi,

it seems that docker.io would be removed from buster if nothing changes in the next 3 days [0]. Do you need help to fix this?

Fabrice

[0] https://lists.debian.org/debian-release/2019/06/msg00542.html

On Mon, 10 Jun 2019 11:54:08 +0700 Arnaud Rebillout wrote:
> Hi,
>
> thanks for reaching out. I applied the patch, that is no problem.
> However the new tests that were added make my machine go crazy and
> reach the maximum number of processes. Right now I'm configured like that:
>
> $ ulimit -u
> 62688
>
> I will bump this number but I also want to check a bit more in detail
> what's happening and report that upstream, as I don't know if this is
> expected behavior or not.
>
> You can check out the branch at
> https://salsa.debian.org/docker-team/docker/tree/arnaudr/cve-2018-15664
> and try it by yourself if you're curious.
>
> In the meantime, I reached out to the release team at #930293 to prepare
> for the next unblock.
>
> So things are in progress, no need for help on this particular issue,
> but in general if you're interested in the docker package, then help
> with the packaging is more than welcome :)
>
> Arnaud
>
>
> On 6/9/19 9:31 AM, Afif Elghraoui wrote:
>> Hello,
>>
>> Is any help needed on this? Upstream has a backport of the patch for the
>> 18.09 series (same as Unstable):
>>
>> https://github.com/docker/engine/pull/253
>>
>> Hopefully it won't be too much work to incorporate it.
>>
>> thanks and regards
>> Afif
Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
The POC is a simple Eclipse Java project. UnsafeReceiver will open a ServerSocketReceiver on port and wait forever. Injector will then open a client Socket to the ServerSocketReceiver and serialize a Calculator instance through the wire. Calculator implements ILoggingEvent to prevent a ClassCastException on deserialization, but Logback won't check more and getLoggerName() is called. In this case, the GNOME calculator is executed.

Regards,
Fabrice

On 31/03/2017 at 14:10, Markus Koschany wrote:
> You could also attach the POC to this bug report. The vulnerability is publicly known by now anyway.
>
> Markus

Attachment: poc_logback.tar.gz (GNU Zip compressed data)
Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Hi,

I have made a quick and dirty POC for this issue. This results in a remote code execution in the JVM that exposes a ServerSocketReceiver. Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x. The POC is available on demand.

Regards,
Fabrice Dagorn
Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Thank you for your upload. But I think that the issue is not completely solved, upstream made it in several commits (https://github.com/qos-ch/logback/commits/v_1.2.0). The comment is not meaningful, but this one is related to the vulnerability: https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9

Fabrice Dagorn

On 28/03/2017 at 18:09, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the liblogback-java package:
>
> #857343: logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components
>
> It has been closed by Markus Koschany <a...@debian.org>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Markus Koschany <a...@debian.org> by
> replying to this email.
Bug#857343: (no subject)
Dear Maintainer, it's a serious security bug IMO, feel free to switch back to important if you disagree.
Bug#856187: (no subject)
Dear Maintainer, here is a patch for your 2.8-2 package fixing this bug. Sorry for #856198, I thought it would help. Regards, Fabrice Dagorn Index: entropybroker-2.8/handle_client.cpp === --- entropybroker-2.8.orig/handle_client.cpp +++ entropybroker-2.8/handle_client.cpp @@ -698,23 +698,35 @@ void main_loop(std::vector * // this way we go through each fd in the process_pipe_from_client_thread part // so that we detect closed fds int set = 0; + int failed = 0; for(unsigned int i=0; i<fds.size(); i++) { -if(fds.at(i).fd == clients -> at(loop) -> to_main[0] && fds.at(i).revents & POLLIN) { - set = 1; - break; +if(fds.at(i).fd == clients -> at(loop) -> to_main[0]) +{ + if(fds.at(i).revents & POLLIN) + { + set = 1; + break; + } + if(fds.at(i).revents & (POLLERR|POLLHUP|POLLNVAL)) + { + failed = 1; + break; + } }; }; if(rc > 0 && set == 1 ) { if (process_pipe_from_client_thread(clients -> at(loop), _clients, _servers) == -1) -{ - dolog(LOG_INFO, "main|connection with %s/%s lost", clients -> at(loop) -> host.c_str(), clients -> at(loop) -> type.c_str()); + failed = 1; + } + if(rc > 0 && failed == 1 ) { - user_map -> inc_misc_errors(clients -> at(loop) -> username); - gs -> inc_misc_errors(); +dolog(LOG_INFO, "main|connection with %s/%s lost", clients -> at(loop) -> host.c_str(), clients -> at(loop) -> type.c_str()); - delete_ids.push_back( -> at(loop) -> th); -} +user_map -> inc_misc_errors(clients -> at(loop) -> username); +gs -> inc_misc_errors(); + +delete_ids.push_back( -> at(loop) -> th); } }
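Review bot: In the new cleanup block at the end of the hunk, `delete_ids.push_back( -> at(loop) -> th);` has no object in front of `-> at(loop)`, while every other line in the hunk reads `clients -> at(loop)`; if that is the patch and not mangling from the mail archive it will not compile, so please check it against the real file. The logic itself is sound: the old code reacted to POLLIN only, so once a client thread's pipe peer was gone poll() kept reporting POLLHUP on every call without the fd ever being consumed or removed, which matches the 100% CPU symptom reported in this bug; the new `failed` flag folds POLLERR/POLLHUP/POLLNVAL and a -1 from process_pipe_from_client_thread into one cleanup path. One thing to confirm: when POLLIN and POLLHUP arrive together (data still buffered from a dead peer), the POLLIN branch breaks first, so cleanup in that case relies on process_pipe_from_client_thread returning -1 after it reads EOF.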
Bug#856187: (no subject)
I uploaded a fixed version to mentors.debian.net: https://mentors.debian.net/debian/pool/main/e/entropybroker/entropybroker_2.9-0.1.dsc
Bug#856187: entropybroker 2.8 : 100% cpu load in master/slave setup
Package: entropybroker
Version: 2.8-2
Severity: grave
Tags: upstream
Justification: renders package unusable

Dear Maintainer,

upstream fixed an issue (https://github.com/flok99/entropybroker/issues/5) that may lead the system to a 100% CPU load. I will try to package this new version (2.9) as it contains this fix and your patches for debian.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages entropybroker depends on:
ii  init-system-helpers  1.47
ii  libasound2           1.1.3-5
ii  libc6                2.24-9
ii  libcrypto++6         5.6.4-6
ii  libftdi1             0.20-4
ii  libgcc1              1:6.3.0-6
ii  libgd3               2.2.4-2
ii  libpcsclite1         1.8.20-1
ii  libpng16-16          1.6.28-1
ii  libstdc++6           6.3.0-6
ii  libusb-1.0-0         2:1.0.21-1
ii  zlib1g               1:1.2.8.dfsg-5

entropybroker recommends no packages.

entropybroker suggests no packages.

-- no debconf information
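The failure mode behind this bug, and the shape of the fix carried by the handle_client.cpp patch above, as an added example that is not entropybroker's own code: a poll() loop over a client pipe whose writer has gone away. The unpatched logic only reacts to POLLIN, so a pending POLLHUP makes every poll() return immediately without the fd ever being handled; the patched logic treats POLLERR/POLLHUP/POLLNVAL as "connection lost". Assumes Linux poll semantics for pipes (POLLHUP without POLLIN once the writer is closed and the pipe is empty); `classify_revents` and `wakeups_until_cleanup` are names chosen here.

```c
#include <poll.h>
#include <unistd.h>

/* Outcome of one poll() wake-up for a single client pipe. */
enum fd_state { FD_IDLE, FD_READABLE, FD_FAILED };

/* check_hup != 0: the patched logic (POLLIN first, then the error/hang-up
 * bits). check_hup == 0: the unpatched logic, which looks at POLLIN only. */
enum fd_state classify_revents(short revents, int check_hup)
{
    if (revents & POLLIN)
        return FD_READABLE;
    if (check_hup && (revents & (POLLERR | POLLHUP | POLLNVAL)))
        return FD_FAILED;
    return FD_IDLE;
}

/* Poll the read end of a pipe whose writer is already gone, at most
 * max_iters times. Returns how many poll() wake-ups it took to notice the
 * dead peer, or max_iters if it never did (the 100% CPU busy loop). */
int wakeups_until_cleanup(int check_hup, int max_iters)
{
    int p[2], iters = 0, done = 0;
    char buf[64];
    if (pipe(p) != 0)
        return -1;
    close(p[1]);   /* the client thread "dies": no writer left on the pipe */

    while (!done && iters < max_iters) {
        struct pollfd pfd = { .fd = p[0], .events = POLLIN, .revents = 0 };
        int rc = poll(&pfd, 1, -1);   /* returns at once: POLLHUP is pending */
        iters++;
        if (rc <= 0)
            break;
        switch (classify_revents(pfd.revents, check_hup)) {
        case FD_READABLE:   /* EOF on read also means the peer is gone */
            if (read(p[0], buf, sizeof buf) <= 0)
                done = 1;
            break;
        case FD_FAILED:     /* patched path: log, count the error, remove fd */
            done = 1;
            break;
        case FD_IDLE:       /* unpatched path: nothing consumed, poll() again */
            break;
        }
    }
    close(p[0]);
    return iters;
}
```

With the unpatched classification the loop runs until the iteration cap because nothing ever consumes the POLLHUP; with the patched one the dead peer is cleaned up on the first wake-up.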