Re: ccextractor embeds unpatched and vulnerable source code from gpac in buster - 994746

2021-09-28 Thread Ola Lundqvist 
Hi Neil

Good summary.

Considering the high amount of  marked CVEs for ccextractor I think
the best way forward is to keep the same track. We mark the CVEs as no-dsa
if they are marked as no-dsa for later releases. It also follows the debian
security team track.

If we have issues in gpac that are not investigated further, it is worth
the effort to do so. But do not be shy about marking them as no-dsa. That
can typically be done easily by looking merely on the description. They
should be rather serious to warrant a fix.

I'm not sure we should "ignore" the issues. I have been of that opinion in
the past but I have learnt that we generally mark them as no-dsa instead,
unless there is a strong reason to not fix it.

Best regards

// Ola

On Mon, 27 Sept 2021 at 15:04, Neil Williams  wrote:

> Background
> ==
>
> https://tracker.debian.org/pkg/gpac
>  48 security issues in stretch
>  14 security issues in sid
>  47 security issues in buster
>  15 security issues in bullseye
>  14 security issues in bookworm
>
> https://tracker.debian.org/pkg/ccextractor
>  23 low-priority security issues in buster
>  23 low-priority security issues in bullseye
>
> ccextractor versions:
> oldstable: 0.87+ds1-1
> stable: 0.88+ds1-1
> testing: 0.93+ds2-1
> unstable: 0.93+ds2-1
>
> #994746 clones #994754 for the versions of ccextractor in buster and
> bullseye:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994746
> "ccextractor embeds unpatched and vulnerable source code from gpac"
>
> The bug has been fixed in unstable by repacking the orig.tar.gz as
> +ds2 and using the system gpac. This change has migrated into bookworm.
>
> Bullseye is fixable using a simple backport of ccextractor 0.932+ds2-1
> to bullseye, using the libgpac10 which is already in bullseye at version
> 1.0.1+dfsg1-4+deb11u1. So this would create a 0.93+ds2-1~bpo11+1
> version of ccextractor in bullseye-backports, with all CVEs handled via
> the system libgpac10 with a quick change in the security tracker CVE
> list.
>
> There was a version of ccextractor in Stretch (0.86+ds1) but the
> specific problem is usage of ccextractor in buster.
>
> Problems in buster
> ==
>
> 1. ccextractor only embeds some of the source code from gpac - the
> command line gpac code is not embedded and some of the code which goes
> into libgpac10 is also not embedded. gpac upstream have changed the mix
> of which files go into libgpac10 and which go into an application
> at each relevant version: 0.5.2, 0.7.1 and 1.0.1.
>
> 2. ccextractor prior to 0.9.3 embeds gpac 0.7.2-DEV (the 0.7.1 gpac
> git tag and a few small changes). 0.7.1 was packaged for Debian but
> never made it into any stable release. Bullseye has a newer system
> gpac (same as bookworm & sid), buster and stretch have an older system
> gpac (0.5.2 with some changes).
>
> 3. ccextactor upstream embeds gpac using an AppWizard which collapses
> and changes the *path* to the affected source code files, so patches
> have to be manually ported from gpac to ccextractor as well as coping
> with the different versions of gpac between the system and the
> embedded code. e.g. src/isomedia/box_code_base.c becomes
> src/gpacmp4/box_code_base .cand src/odf/odf_code.c becomes
> src/gpacmp4/odf_code.c
>
> 4. ccextractor from buster (0.87, embedding gpac 0.7.1) *does not
> compile* against the libgpac-dev from either bullseye (1.0.1) or buster
> (0.5.2). ccextractor upstream fixed their code to use gpac 1.0.1 only
> in 0.9.3.
>
> 5. Uploading gpac 0.7.1 from snapshots would be disruptive to other
> reverse dependencies of gpac and doesn't solve the problem of porting
> patches to multiple versions of gpac.
>
> CVEs in ccextractor
> ===
>
> A CVE in gpac is not necessarily a CVE in ccextractor - some source
> code is simply missing. What source code does exist is mostly reachable
> from the ccextractor command line, given a suitable input file.
> ccextractor upstream tests use multiple input files, each typically 3G
> in size.
>
> Every new CVE against gpac (and there are a LOT) would need to be
> checked twice:
>
> a) follow the CVE link to the upstream gpac git & locate the vulnerable
> file(s)
>
> b) Correlate those with the same filenames in a different path
> within the embedded ccextractor source code (that part could be
> scripted)
>
> c) If present, download the upstream test case & attempt to
> reproduce against ccextractor
>
> d) update the security tracker
>
> e) manually port the upstream commit to the different paths used in
> ccextractor and adjust the patch for changes between upstream 1.0.1
> and embedded 0.7.1 (having already done the port of the change from
> 1.0.1 to 0.5.2 for the system gpac).
>
> The security team have said that all CVEs against ccextractor would be
>  (Minor issue) unless some kind of code injection also
> occurred. So the current list of CVEs in ccextractor are all 
> (Minor issue).
>
> Buster isn't LTS yet and Debian security team are not planning a

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-09-28 Thread Holger Levsen 
Hi Jeremiah,

On Mon, Sep 06, 2021 at 08:57:04PM -0400, Jeremiah C. Foster wrote:
> > (Jeremiah, shall I explain how to gather this data?)

so there are three very simple scripts involved, which are attached and which
I used to run every Monday and then I massaged them into one email, where I 
basically
just resend the same but edited mail every week.

These scripts expect that you have clones of the security-tracker.git repo as 
well
as the extented-security-tracker.git repo and the webwml.git repo checked out in
these directories:
 ~/Projects/security-tracker
 ~/Projects/extended-security-tracker
 ~/Projects/debian-www/webwml 

I didn't sent that mail yesterday as I planned to send these instructions 
instead.
if you have any further questions, please ask.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

„Guten Tag, ich rufe Sie an, um Ihnen mitzuteilen, dass Ihre Tochter seit
geraumer Zeit die schulischen Abläufe erheblich stört.“ - „Entschuldigen Sie,
meine Tochter ist 54 und Ministerin für Schule und Bildung in NRW.“ - „Gut,
dann wissen Sie also, von wem ich rede.“- Germany, early 2021
#!/bin/sh
# WTF licenced, copyright 2019 Holger Levsen

_unclaim(){
TARGET=$1
DIR=$2
figlet $TARGET
cd $DIR
git status
git pull
git status
./bin/review-update-needed --$TARGET --unclaim 1209600 --exclude linux 
linux-4.9 linux-4.19 xen
git commit -a -s -m 'semi-automatic unclaim after 2 weeks of inactivity'
git log -p -1
echo
echo "Don't forget to push..."
echo
git status
bash
}

unclaim_lts(){
_unclaim lts ~/Projects/security-tracker
}

unclaim_elts(){
_unclaim elts ~/Projects/extended-security-tracker
}

if [ -z "$1" ] ; then
xterm -e "$0 unclaim_lts" &
xterm -e "$0 unclaim_elts" &
else
$1
fi


#!/bin/bash

# WTF licenced, copyright 2020-2021 Holger Levsen

TRESHOLD=4

cd ~/Projects/security-tracker
git pull
echo

DLANEEDED=~/Projects/security-tracker/data/dla-needed.txt 
TMPFILE=$(mktemp)
egrep '^[A-Za-z0-9]+\ \(.*\)'  $DLANEEDED | cut -d ' ' -f2-| sort | tr -d 
'('|tr -d ')' | sort -u > $TMPFILE
WARNING=$(mktemp)

echo "Current number of package claims in LTS:"
echo ""
( while IFS= read -r  LINE ; do
HITS=$(grep -v '^ ' $DLANEEDED | grep -c "$LINE")
PACKAGES=$(grep -v '^ ' $DLANEEDED | grep "$LINE" | cut -d ' ' -f1 | 
xargs echo)
echo "$HITS: $LINE"
if [ $HITS -ge $TRESHOLD ] ; then
echo "Warning: $LINE probably claimed too many: $HITS packages: 
$PACKAGES" >> $WARNING
fi 
 done < $TMPFILE ) |sort -nr

echo
if [ -s $WARNING ] ; then
cat $WARNING | sort
else
echo "Nice, noone claimed $TRESHOLD packages or more."
fi
echo

rm $TMPFILE $WARNING
#!/bin/bash

# WTF licenced, copyright 2020 Holger Levsen

cd ~/Projects/security-tracker
git pull
cd ~/Projects/debian-www/webwml 
git pull
./english/security/find-missing-advisories --mode DLA --tracker 
../../security-tracker/ 2>&1



signature.asc
Description: PGP signature

Re: Lintian changes for LTS development?

2021-09-28 Thread Neil Williams 
On Tue, 28 Sep 2021 11:46:13 +0100
"Chris Lamb"  wrote:

> Hi Ola,
> 
> > My guess has been that we should not generally fix lintian warnings
> > unless they are really important.  
> 
> (Agree with this, of course.)
> 
> > So I assume quite a few of them could be removed. But maybe I'm
> > wrong here.  
> 
> That could work, although it would have the drawback of potentially
> hiding the "really important" tags. I suspect we should only consider
> removing/hiding tags if they were somehow introduced by the LTS update
> process itself. Or, putting it another way: in the usual case, there
> should probably be no difference between the Lintian output between
> before and after applying a fix for relevant CVE(s)?

That was where I was heading too.

Lintian doesn't have a comparative mode but I think that's essentially
what is needed. Extracting the lintian warnings from the build log or
running lintian explicitly against the pre-CVE version and running it
again after the build with the final CVE changes.

Lintian warnings in tracker.d.o aren't necessarily helpful for this as
those were output by lintian in unstable. It should be the appropriate
version of lintian for the prospective upload.

Maybe a lintian-diff script? - enough fuzzing to handle changes in
order in the output, changes in some things like line numbers within
the tag messages.

We've got debdiff, something like that for lintian would be useful.
Nice and simple, return zero on success, print out a diff and exit
non-zero on failure. If the script could parse an sbuild pre and post
build log file, so much the better.

-- 
Neil Williams
=
https://linux.codehelp.co.uk/


pgp7gFUcBvQOX.pgp
Description: OpenPGP digital signature

Re: Lintian changes for LTS development?

2021-09-28 Thread Adrian Bunk 
On Mon, Sep 27, 2021 at 04:58:02PM -, Chris Lamb wrote:
> Hi,
> 
> Whilst I think of it, are there any changes to Lintian that folks
> here might consider particularly useful when doing LTS development?

To which lintian?

Running stretch lintian tends to give more useful information for 
packages in stretch than running unstable lintian.

> I've already implemented some changes to not emit some specific
> warnings when doing security updates, particularly to do with version
> numbering.

The same problems exist with (old)stable-pu updates,
and lintian knowing about differing versioning rules
when uploading to anything other than unstable or
experimental would be useful.

> This is on the basis that if I automatically ignore some of
> them, I might be inadvertently 'training' myself to ignore other,
> more serious, ones.
> 
> However, I'm sure there is more low-hanging fruit that might prevent
> potential regressions. Thoughts welcome.

A suppressions list in debian-lts git to be used 
with --suppress-tags-from-file would be useful.

> Regards,

cu
Adrian

Re: Lintian changes for LTS development?

2021-09-28 Thread Chris Lamb 
Hi Ola,

> My guess has been that we should not generally fix lintian warnings
> unless they are really important.

(Agree with this, of course.)

> So I assume quite a few of them could be removed. But maybe I'm wrong
> here.

That could work, although it would have the drawback of potentially
hiding the "really important" tags. I suspect we should only consider
removing/hiding tags if they were somehow introduced by the LTS update
process itself. Or, putting it another way: in the usual case, there
should probably be no difference between the Lintian output between
before and after applying a fix for relevant CVE(s)?


Regards,

--
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-

Re: Lintian changes for LTS development?

2021-09-28 Thread Ola Lundqvist 
Hi Chris and others

My guess has been that we should not generally fix lintian warnings unless
they are really important.
So I assume quite a few of them could be removed. But maybe I'm wrong here.

Cheers

// Ola

On Mon, 27 Sept 2021 at 18:58, Chris Lamb  wrote:

> Hi,
>
> Whilst I think of it, are there any changes to Lintian that folks
> here might consider particularly useful when doing LTS development?
>
> I've already implemented some changes to not emit some specific
> warnings when doing security updates, particularly to do with version
> numbering. This is on the basis that if I automatically ignore some of
> them, I might be inadvertently 'training' myself to ignore other,
> more serious, ones.
>
> However, I'm sure there is more low-hanging fruit that might prevent
> potential regressions. Thoughts welcome.
>
>
> Regards,
>
> --
>   ,''`.
>  : :'  : Chris Lamb
>  `. `'`  la...@debian.org  chris-lamb.co.uk
>`-
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
|  o...@inguza.como...@debian.org|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
 ---