Re: Proposed mass prototypejs bug filing for multiple security issues
On Sun, Oct 18, 2009 at 08:43:35PM -0400, Michael S Gilbert wrote:

> The prototypejs script has been found to be vulnerable to a couple
> security issues [0],[1]. This script is embedded in about 32 other
> - smokeping unfixed (embed)

Only the lenny version (2.3.6-3) is affected. The squeeze/sid versions
depend on libjs-prototype, and the etch one doesn't use prototypejs at
all yet.

Filed as #552549, will look at a stable update. Help with extracting the
minimal patches for prototypejs 1.5.0_rc0 would be appreciated.

Thanks for your work,
-- 
Niko Tyni nt...@debian.org

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Proposed mass prototypejs bug filing for multiple security issues
On Sun, Oct 18, 2009 at 08:43:35PM -0400, Michael S Gilbert wrote:

> Here are the affected source packages:
> - rails unfixed (embed)

~$ apt-file list rails | grep prototype.js
rails: /usr/share/rails/actionpack/test/fixtures/public/javascripts/prototype.js
rails: /usr/share/rails/railties/html/javascripts/prototype.js

-rw-r--r-- 1 root root 15 2009-09-21 13:03 /usr/share/rails/actionpack/test/fixtures/public/javascripts/prototype.js
lrwxrwxrwx 1 root root 45 2009-09-21 13:38 /usr/share/rails/railties/html/javascripts/prototype.js -> ../../../../javascript/prototype/prototype.js

This is from rails in testing/sid. In stable the package depends on the
prototype package too.

I'm not sure how you get the "unfixed" and "(embed)". Seems a little
rushed.

- Adam
Re: Proposed mass prototypejs bug filing for multiple security issues
On Mon, 26 Oct 2009 14:04:06 -0500, Adam Majer wrote:

> On Sun, Oct 18, 2009 at 08:43:35PM -0400, Michael S Gilbert wrote:
> > Here are the affected source packages:
> > - rails unfixed (embed)
>
> ~$ apt-file list rails | grep prototype.js
> rails: /usr/share/rails/actionpack/test/fixtures/public/javascripts/prototype.js
> rails: /usr/share/rails/railties/html/javascripts/prototype.js
>
> -rw-r--r-- 1 root root 15 2009-09-21 13:03 /usr/share/rails/actionpack/test/fixtures/public/javascripts/prototype.js
> lrwxrwxrwx 1 root root 45 2009-09-21 13:38 /usr/share/rails/railties/html/javascripts/prototype.js -> ../../../../javascript/prototype/prototype.js

Thank you very much for the info on the rails package. This makes one
less bug to deal with.

> This is from rails in testing/sid. In stable the package depends on the
> prototype package too.

I was hoping that the statement in my original message, "...the only
checking done so far is a version comparison...", would be clear. 32
different packages are a lot to deal with, and I am expecting maintainers
to do the real legwork since they are responsible for their own code.

> I'm not sure how you get the "unfixed" and "(embed)". Seems a little
> rushed.

That list was taken from the secure-testing tracker's embedded code
copies list, which is hard to keep up to date and accurate. It could use
some more care and better maintaining; but code copies are plentiful,
making it very difficult to track progress on all of them. I have not yet
sent any reports because I am still in the process of generating a more
accurate list.

Mike
Re: Proposed mass prototypejs bug filing for multiple security issues
Hi!

On Mon, 2009-10-26 at 15:39:37 -0400, Michael Gilbert wrote:

> That list was taken from the secure-testing tracker's embedded code
> copies list, which is hard to keep up to date and accurate. It could use
> some more care and better maintaining; but code copies are plentiful,
> making it very difficult to track progress on all of them. I have not yet
> sent any reports because I am still in the process of generating a more
> accurate list.

You might find http://source.debian.net/ very useful to find this kind of
embedded copies. Although it seems it's having some problem right now
(Peter CCed).

regards,
guillem
Re: Proposed mass prototypejs bug filing for multiple security issues
Michael S Gilbert wrote:

> - asterisk unfixed (embed)

It only shipped prototype as an example file, along with a demo webpage
that used it. Since it was of limited usefulness and apparently also
vulnerable, it has been removed from yesterday's upload (1:1.6.2.0~rc3-1).

Thanks,
Faidon
Re: Proposed mass prototypejs bug filing for multiple security issues
On Mon, 26 Oct 2009 23:11:08 +0100, Guillem Jover guil...@debian.org wrote:

> You might find http://source.debian.net/ very useful to find this kind of
> embedded copies. Although it seems it's having some problem right now
> (Peter CCed).

Thanks for letting me know, source.d.n is running again.
Re: Proposed mass prototypejs bug filing for multiple security issues
On Sun, 2009-10-18 at 20:43 -0400, Michael S Gilbert wrote:

> Hi,
>
> The prototypejs script has been found to be vulnerable to a couple
> security issues [0],[1]. This script is embedded in about 32 other
> packages and I would like to file bugs against all of those that are
> affected. Since this would probably be considered a mass filing, I am
> running it past -devel first.
>
> - ampache 3.4.1-2 (embed)

Not shipped in the resulting binary package. See Depends:,

Charlie
Re: Proposed mass prototypejs bug filing for multiple security issues
Michael S Gilbert said [Sun, Oct 18, 2009 at 08:43:35PM -0400]:

> Hi,
>
> The prototypejs script has been found to be vulnerable to a couple
> security issues [0],[1]. This script is embedded in about 32 other
> packages and I would like to file bugs against all of those that are
> affected. Since this would probably be considered a mass filing, I am
> running it past -devel first.
> (…)

Just for the record, I agree with your mass filing (which is not massive
anyway). However, I'd also suggest your bugs (and as a matter of general
policy) should invite said maintainers to depend on libjs-prototype and
symlink it instead of shipping the package's own versions, except if
there is a _real_ need to do so (i.e. upstream-modified versions of
prototype or dependence on specific API versions).

As those packages are currently shipping, they are basically worse off
than if they were statically linking a library: It leads to code
duplication and cases such as this, where it becomes a serious and hard
to fix security liability which not only must be hand-corrected, but must
be hand-spotted.

-- 
Gunnar Wolf • gw...@gwolf.org • (+52-55)5623-0154 / 1451-2244
Re: Proposed mass prototypejs bug filing for multiple security issues
On Mon, 19 Oct 2009 10:52:18 -0500, Gunnar Wolf wrote:

> Michael S Gilbert said [Sun, Oct 18, 2009 at 08:43:35PM -0400]:
> > Hi,
> >
> > The prototypejs script has been found to be vulnerable to a couple
> > security issues [0],[1]. This script is embedded in about 32 other
> > packages and I would like to file bugs against all of those that are
> > affected. Since this would probably be considered a mass filing, I am
> > running it past -devel first.
> > (…)
>
> Just for the record, I agree with your mass filing (which is not massive
> anyway). However, I'd also suggest your bugs (and as a matter of general
> policy) should invite said maintainers to depend on libjs-prototype and
> symlink it instead of shipping the package's own versions, except if
> there is a _real_ need to do so (i.e. upstream-modified versions of
> prototype or dependence on specific API versions).

I think I'll have this covered. As I mentioned in the original message, I
am submitting two bugs for each package. The second bug is a request for
the maintainer to link to the system prototypejs, which is the source
package for libjs-prototype.

Mike
Proposed mass prototypejs bug filing for multiple security issues
Hi,

The prototypejs script has been found to be vulnerable to a couple
security issues [0],[1]. This script is embedded in about 32 other
packages and I would like to file bugs against all of those that are
affected. Since this would probably be considered a mass filing, I am
running it past -devel first.

I intend to send the following two bug reports for each vulnerable
package; one bug on the vulnerabilities themselves and the other bug
asking for the maintainer to switch to the system/shared prototypejs. I
will fill in affected version numbers (Y.Y.Y) on a per-package basis.

Let me know if this is OK, and whether there is anything else I should be
aware of.

Here are the affected source packages:

- auth2db unfixed (embed)
- webcit unfixed (embed)
- asterisk unfixed (embed)
- doc-iana unfixed (embed)
- libaws unfixed (embed)
- libgettext-ruby unfixed (embed)
- libjson-ruby unfixed (embed)
- lucene2 unfixed (embed)
- libopenid-ruby unfixed (embed)
- solr unfixed (embed)
- glpi unfixed (embed)
- mnemo2 unfixed (embed)
- nag2 unfixed (embed)
- knowledgeroot unfixed (embed)
- mediatomb unfixed (embed)
- mt-daapd unfixed (embed)
- op-panel unfixed (embed)
- ebug-http unfixed (embed)
- phpgedview removed (embed)
- poker-network unfixed (embed)
- webhelpers unfixed (embed)
- qwik unfixed (embed)
- rails unfixed (embed)
- typo3-src unfixed (embed)
- wordpress 2.5.0-2 (embed)
- zope unfixed (embed)
- smokeping unfixed (embed)
- ampache 3.4.1-2 (embed)
- exaile unfixed (embed)
- hobix unfixed (embed)
- pixelpost unfixed (embed)
- symfony unfixed (embed)
- zabbix unfixed (embed)
- turba2 unfixed (embed)

Mike

-

package: auth2db
version: 0.2.5-2+dfsg-1
severity: serious
tags: security

Hi,

Your package contains an embedded version of prototypejs that is
vulnerable to either CVE-2007-2383 (affecting prototypejs 1.5.1 and
earlier) [0], CVE-2008-7220 (affecting prototypejs 1.6.0.2 and earlier)
[1], or both.

Your package embeds prototypejs version Y.Y.Y and is affected [only by
CVE-2007-2383 / only by CVE-2008-7220 / by both issues].

This is a mass-filing, and the only checking done so far is a version
comparison, so please determine whether or not your package is itself
affected. If it is not affected please close the bug with a message
indicating this along with what you did to check.

The version of your package specified above is the earliest version with
the affected embedded code. If this version is in one or both of the
stable releases and you are affected, please coordinate with the release
team to prepare a proposed-update for your package to stable/oldstable.

If you correct the problem in unstable, please make sure to include the
CVE number in your changelog.

Thank you for your attention to this problem.

Mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2383
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220

-

package: auth2db
version: 0.2.5-2+dfsg-1
severity: important
tags: security

Hi,

Your package embeds prototypejs version X.X.X, which makes security
updates very cumbersome, difficult, and potentially error-prone. Please
update your package to make use of the system prototypejs provided by the
prototypejs package.

Thank you very much for your attention on this matter.

Mike
Re: Proposed mass prototypejs bug filing for multiple security issues
On Mon, Oct 19, 2009 at 8:43 AM, Michael S Gilbert
michael.s.gilb...@gmail.com wrote:

> Let me know if this is OK, and whether there is anything else I should be
> aware of.

Excellent, please go ahead.

See also the lintian warning (you seem to miss a few):

http://lintian.debian.org/tags/embedded-javascript-library.html

Based on a cursory glance, your list also misses a few found by

apt-file search -i prototype | grep -iF .js

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
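The thread's triage method is a version comparison: find every embedded prototype.js, read its version, and check it against the ceilings given in the proposed bug report (CVE-2007-2383 for 1.5.1 and earlier, CVE-2008-7220 for 1.6.0.2 and earlier), while a symlink to the shared copy (as rails ships it) counts as already fixed. The script below is an added example written for this thread, not code from any of the posters or from the secure-testing tracker. It assumes that a prototype.js copy carries either the upstream banner comment "Prototype JavaScript framework, version X" or a "Version: 'X'" property, and it treats a pre-release suffix such as 1.5.0_rc0 as sorting below the release it precedes; the sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Affected-version ceilings as stated in the proposed bug report:
# CVE-2007-2383 affects prototypejs 1.5.1 and earlier,
# CVE-2008-7220 affects prototypejs 1.6.0.2 and earlier.
AFFECTED = (
    ("CVE-2007-2383", "1.5.1"),
    ("CVE-2008-7220", "1.6.0.2"),
)

# Version markers assumed to appear in a prototype.js copy: the banner
# comment of upstream releases, or the Prototype.Version property.
BANNER_RE = re.compile(r"Prototype JavaScript framework, version\s+([0-9][A-Za-z0-9._-]*)")
PROPERTY_RE = re.compile(r"Version:\s*'([0-9][A-Za-z0-9._-]*)'")


def parse_version(text):
    """Turn '1.6.0.2' or '1.5.0_rc0' into a comparable tuple.

    Components are zero-padded to four places; a trailing pre-release
    suffix such as _rc0 sorts below the release it precedes.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    prerelease = -1 if m.group(2) else 0
    return nums + (prerelease,)


def extract_version(source):
    """Return the version string found in a prototype.js source, or None."""
    for pattern in (BANNER_RE, PROPERTY_RE):
        m = pattern.search(source)
        if m:
            return m.group(1)
    return None


def affected_cves(version):
    """List the CVEs whose ceiling is at or above the given version."""
    parsed = parse_version(version)
    return [cve for cve, ceiling in AFFECTED if parsed <= parse_version(ceiling)]


def classify(source):
    """(version, [cves]) for one file's contents; (None, []) if no version found."""
    version = extract_version(source)
    if version is None:
        return None, []
    return version, affected_cves(version)


def scan_tree(root):
    """Walk an unpacked package tree and report every prototype.js copy.

    A symlink is reported with no CVEs: it points at the shared system
    copy, which is the state the second bug report asks maintainers for.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "prototype.js":
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                findings.append((path, "symlink", []))
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                version, cves = classify(fh.read())
            findings.append((path, version, cves))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree: an old embedded copy, a current embedded
    # copy, and a symlink standing in for a link to the system copy.
    with tempfile.TemporaryDirectory() as tmp:
        old = os.path.join(tmp, "usr/share/app/js")
        os.makedirs(old)
        with open(os.path.join(old, "prototype.js"), "w") as fh:
            fh.write("/*  Prototype JavaScript framework, version 1.5.0_rc0\n */\n")
        new = os.path.join(tmp, "usr/share/other/js")
        os.makedirs(new)
        with open(os.path.join(new, "prototype.js"), "w") as fh:
            fh.write("var Prototype = {\n  Version: '1.6.0.3',\n};\n")
        os.symlink("../../javascript/prototype/prototype.js",
                   os.path.join(tmp, "usr/share/prototype.js"))
        for path, version, cves in scan_tree(tmp):
            print(path, version, ", ".join(cves) or "-")
```

Pointing scan_tree at an unpacked binary package (dpkg-deb -x) rather than at the source tree answers Adam's objection directly: a copy that exists only in a test fixture or that is not shipped in the resulting .deb (as Charlie and Julien report for ampache and mt-daapd) never shows up, and a symlink into /usr/share/javascript/prototype is listed as such rather than as an embedded copy.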
Re: Proposed mass prototypejs bug filing for multiple security issues
On Mon, 19 Oct 2009 10:02:59 +0800 Paul Wise wrote:

> On Mon, Oct 19, 2009 at 8:43 AM, Michael S Gilbert
> michael.s.gilb...@gmail.com wrote:
> > Let me know if this is OK, and whether there is anything else I should be
> > aware of.
>
> Excellent, please go ahead.
>
> See also the lintian warning (you seem to miss a few):
>
> http://lintian.debian.org/tags/embedded-javascript-library.html
>
> Based on a cursory glance, your list also misses a few found by
>
> apt-file search -i prototype | grep -iF .js

Thanks for the suggestions! I will add these packages to the list.

Mike
Re: Proposed mass prototypejs bug filing for multiple security issues
Michael S Gilbert michael.s.gilb...@gmail.com wrote:

> - mt-daapd unfixed (embed)

Not shipped in the resulting binary package. See Depends:.

JB.

-- 
Julien BLACHE - Debian GNU/Linux Developer - jbla...@debian.org
Public key available on http://www.jblache.org - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169