LTS report for April 2019 - Abhijith PA (Slight correction)

2019-05-10 Thread Abhijith PA


(Slight correction)

April 2019 was my 15th month as a Debian LTS paid contributor. I was
assigned 14 hours but I was only able to do 4 hours. I will carry the rest
of the hours to next month.

 * mumble: I prepared 1.2.18[1] (version in stretch) for jessie. Tested
   with the PoC[2] and it's still susceptible to attack, thus not
   uploaded. Thanks to Chris Knadle and DuckBoss for helping in testing.


Regards
Abhijith PA

[1] - https://people.debian.org/~abhijith/upload/mumble_1.2.18-1+deb8u1.dsc

[2] - https://people.debian.org/~abhijith/upload/reproduce-3505.tar.xz



LTS report for April 2019 - Abhijith PA

2019-05-10 Thread Abhijith PA
March 2019 was my 14th month as a Debian LTS paid contributor. I was
assigned 14 hours but I was only able to do 4 hours. I will carry the rest
of the hours to next month.

 * mumble: I prepared 1.2.18[1] (version in stretch) for jessie. Tested
   with the PoC[2] and it's still susceptible to attack, thus not
   uploaded. Thanks to Chris Knadle and DuckBoss for helping in testing.


Regards
Abhijith PA

[1] - https://people.debian.org/~abhijith/upload/mumble_1.2.18-1+deb8u1.dsc

[2] - https://people.debian.org/~abhijith/upload/reproduce-3505.tar.xz



Backporting two dhcpcd security patches to 6.0.5

2019-05-10 Thread Chris Lamb
[adding debian-lts@lists.debian.org to CC for visibility]

Hi dhcpcd developers,

I'm trying to backport two recent CVEs to the dhcpcd 6.0.5 (!)
codebase as part of the Debian LTS [0] and I was just checking-in to
get your response to a few thoughts of mine.

The first is about CVE-2019-11579 regarding the 1-byte read overflow
with the handling of DHO_OPTSOVERLOADED. The diff in question [1]
that remedies this essentially just moves some code out of the case
handling, but this code is not part of dhcpcd 6.0.5 which only has:

    case DHO_OPTIONSOVERLOADED:
        /* Ensure we only get this option once by setting
         * the last bit as well as the value.
         * This is valid because only the first two bits
         * actually mean anything in RFC2132 Section 9.3 */
        if (!overl)
            overl = 0x80 | p[1];
        break;

… as part of the case statement. Does this mean that 6.0.5 is not
vulnerable to CVE-2019-11579 or that it *is* because it lacks the
underlying check? 

Secondly, I am looking at CVE-2019-11766 which is regarding the buffer
over-read in D6_OPTION_PD_EXCLUDE, but I don't think support for DHCP
prefix lengths was even implemented in 6.0.5. The two diffs that
address this issue [2][3] appear to confirm this by referencing code
that is not part of that version.

Very much looking forward to hearing your input on these.

  [0] https://wiki.debian.org/LTS/
  [1] https://roy.marples.name/cgit/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8
  [2] https://roy.marples.name/cgit/dhcpcd.git/commit/?=c1ebeaafeb324bac997984abdcee2d4e8b61a8a8
  [3] https://roy.marples.name/cgit/dhcpcd.git/commit/?=896ef4a54b0578985e5e1360b141593f1d62837b


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-
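As an added illustration (not dhcpcd's code and not part of Chris's mail), here is the defensive shape of the option walk the message is asking about: every option code, length byte and payload, including the one-byte DHO_OPTSOVERLOADED value, is checked against the remaining buffer before it is read. Option codes follow RFC 2132; the sample byte arrays are constructed for this example.

```c
/* Added example, not dhcpcd code: a bounds-checked walker over a DHCP option
 * area (RFC 2132 TLVs). Option codes are RFC 2132's; sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#define DHO_PAD            0
#define DHO_OPTSOVERLOADED 52   /* RFC 2132 section 9.3: one byte, bits 0-1 used */
#define DHO_END            255
/* Find option `code` in p[0..len): set *val to its payload and return its length,
 * or -1 if absent or malformed. *overload (if non-NULL) gets the low two bits of
 * the first DHO_OPTSOVERLOADED seen, or -1 if none or the area is malformed. */
static int get_option(const uint8_t *p, size_t len, uint8_t code,
                      const uint8_t **val, int *overload)
{
    size_t i = 0, l; int ovl = -1, rc = -1;
    if (overload) *overload = -1;             /* stays -1 on every early return */
    while (i < len) {
        uint8_t o = p[i];
        if (o == DHO_END) break;
        if (o == DHO_PAD) { i++; continue; }  /* PAD has no length byte */
        if (i + 2 > len) return -1;           /* no room for the length byte */
        l = p[i + 1];
        if (i + 2 + l > len) return -1;       /* payload would run past the buffer */
        if (o == DHO_OPTSOVERLOADED) {
            if (l != 1) return -1;            /* must be exactly one byte */
            if (ovl == -1) ovl = p[i + 2] & 0x03;  /* honour the first one only */
        } else if (o == code) {
            *val = p + i + 2; rc = (int)l; break;
        }
        i += 2 + l;
    }
    if (overload) *overload = ovl;
    return rc;
}
/* Message type (option 53) as a value, or -1. */
static int dhcp_message_type(const uint8_t *p, size_t len)
{
    const uint8_t *v = NULL;
    return get_option(p, len, 53, &v, NULL) == 1 ? v[0] : -1;
}
/* Overload flags seen while walking the whole area (PAD never matches). */
static int overload_flags(const uint8_t *p, size_t len)
{
    const uint8_t *v = NULL; int ovl;
    (void)get_option(p, len, DHO_PAD, &v, &ovl);
    return ovl;
}
/* Constructed samples: well-formed; length byte with no value behind it;
 * option code with no length byte; zero-length overload option. */
static const uint8_t good[]      = { 52, 1, 3, 53, 1, 5, 255 };
static const uint8_t cut_short[] = { 52, 1 };
static const uint8_t no_len[]    = { 53, 1, 5, 52 };
static const uint8_t zero_len[]  = { 52, 0, 53, 1, 5, 255 };
```

Note that a lookup can still succeed on `no_len` because option 53 precedes the truncated option; walking the whole area is what surfaces the malformation.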



Bug in new libjs-jquery package from last week

2019-05-10 Thread Keith Erekson
I believe the update to libjs-jquery, released last week, contains a
malformed jquery.min.js file.

On a (legacy) system with multiple web apps that make use of
/usr/share/javascript/jquery/jquery.min.js via symlink (specifically,
icinga and pnp4nagios), web browsers throw a syntax error:

jquery-1.8.0.min.js:3 Uncaught SyntaxError: Invalid or unexpected token

(A dozen other errors cascade from that one, as the other jquery
components also fail.)

Unfortunately, knowing there's a syntax error on line 3 isn't very
useful with minified js...

I've pasted the entirety of jquery.min.js into several online js
validators that fail to validate (https://codebeautify.org/jsvalidate
and http://esprima.org/demo/validate.html) but I'm not sure this is
conclusive.

Running jquery.min.js through a "code beautifier"
(https://beautifier.io/), and then running *that* output through the
Esprima validator yields:

Error: Line 4101: Invalid regular expression

... where line 4101 is, itself, about 4k in length. This is where I've
given up debugging.

Switching the symlink to point to /usr/share/javascript/jquery/jquery.js
resolves the issue, meaning no errors are thrown and, more importantly,
jquery works in the web applications.

I can provide additional data and/or test any changes if necessary.

Thanks,

~Keith



Accepted openjdk-7 7u221-2.6.18-1~deb8u1 (source amd64 all) into oldstable

2019-05-10 Thread Emilio Pozuelo Monfort

Format: 1.8
Date: Thu, 09 May 2019 18:55:46 +0200
Source: openjdk-7
Binary: openjdk-7-jdk openjdk-7-jre-headless openjdk-7-jre openjdk-7-jre-lib 
openjdk-7-demo openjdk-7-source openjdk-7-doc openjdk-7-dbg icedtea-7-jre-jamvm 
openjdk-7-jre-zero
Architecture: source amd64 all
Version: 7u221-2.6.18-1~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: OpenJDK Team 
Changed-By: Emilio Pozuelo Monfort 
Description:
 icedtea-7-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
 openjdk-7-dbg - Java runtime based on OpenJDK (debugging symbols)
 openjdk-7-demo - Java runtime based on OpenJDK (demos and examples)
 openjdk-7-doc - OpenJDK Development Kit (JDK) documentation
 openjdk-7-jdk - OpenJDK Development Kit (JDK)
 openjdk-7-jre - OpenJDK Java runtime, using ${vm:Name}
 openjdk-7-jre-headless - OpenJDK Java runtime, using ${vm:Name} (headless)
 openjdk-7-jre-lib - OpenJDK Java runtime (architecture independent libraries)
 openjdk-7-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
 openjdk-7-source - OpenJDK Development Kit (JDK) source files
Changes:
 openjdk-7 (7u221-2.6.18-1~deb8u1) jessie-security; urgency=medium
 .
   * IcedTea release 2.6.18 (based on 7u221).
   * Security fixes:
 - S8211936, CVE-2019-2602: Better String parsing
 - S8218453, CVE-2019-2684: More dynamic RMI interactions
 - S8219066, CVE-2019-2698: Fuzzing TrueType fonts: setCurrGlyphID()
LTS report for April 2019

2019-05-10 Thread Adrian Bunk
Hours worked:
8 hours

Work done:
DLA-1768-1 checkstyle CVE-2019-9658

Work on an update of libmatio is still ongoing.

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed