tiff / CVE-2014-8127 / CVE-2018-5360

2019-02-07 Thread Brian May
According to https://security-tracker.debian.org/tracker/CVE-2014-8127:

tiff 4.0.3-12.3+deb8u5 is vulnerable to CVE-2014-8127.

But according to the changelog CVE-2014-8127 was fixed in version
4.0.3-12.3+deb8u3:

tiff (4.0.3-12.3+deb8u3) jessie-security; urgency=high

  * Backport fix for the following vulnerabilities:
    - CVE-2014-8127 and CVE-2016-3658: out-of-bounds read in the tiffset tool,
    - CVE-2016-9535: replace assertions by runtime checks to avoid assertions
      in debug mode, or buffer overflows in release mode,
    - CVE-2016-10266: divide-by-zero in TIFFReadEncodedStrip,
    - CVE-2016-10267: divide-by-zero in OJPEGDecodeRaw,
    - CVE-2016-10269: heap-based buffer overflow in _TIFFmemcpy,
    - CVE-2016-10270: heap-based buffer overflow in TIFFFillStrip,
    - CVE-2017-5225: heap buffer overflow via a crafted BitsPerSample value,
    - CVE-2017-7592: left-shift undefined behavior issue in putagreytile,
    - CVE-2017-7593: uninitialized-memory access from tif_rawdata,
    - CVE-2017-7594: leak in OJPEGReadHeaderInfoSecTablesAcTable,
    - CVE-2017-7595: divide-by-zero in JPEGSetupEncode,
    - CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599,
      CVE-2017-7600, CVE-2017-7601 and CVE-2017-7602: multiple UBSAN crashes.
  * Add required _TIFFcalloc@LIBTIFF_4.0 symbol to the libtiff5 package.

  [ Tobias Lippert ]
  * Fix a regression introduced by patch CVE-2014-8128-5 where enabling
    compression of tif files results in corrupt files
    (closes: #783555, #818360).

 -- Laszlo Boszormenyi (GCS)   Fri, 21 Apr 2017 20:22:02 +

I see this DSA, maybe somebody missed this CVE when uploading?

https://security-tracker.debian.org/tracker/DSA-3844-1

Just checking here, just in case there was some other reason...
-- 
Brian May 
https://linuxpenguins.xyz/brian/



[SECURITY] [DLA 1668-1] libarchive security update

2019-02-07 Thread Antoine Beaupré
Package: libarchive
Version: 3.1.2-11+deb8u7
CVE ID : CVE-2019-119 CVE-2019-120

Fuzzing found two further file-format specific issues in libarchive, a
read-only segfault in 7z, and an infinite loop in ISO9660.

CVE-2019-119

Out-of-bounds Read vulnerability in 7zip decompression, that can
result in a crash (denial of service, CWE-125)
   
CVE-2019-120

Vulnerability in ISO9660 parser that can result in DoS by infinite
loop (CWE-835)

For Debian 8 "Jessie", these problems have been fixed in version
3.1.2-11+deb8u7.

We recommend that you upgrade your libarchive packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Accepted libarchive 3.1.2-11+deb8u7 (source amd64) into oldstable

2019-02-07 Thread Antoine Beaupré

Format: 1.8
Date: Thu, 07 Feb 2019 13:04:01 -0500
Source: libarchive
Binary: libarchive-dev libarchive13 bsdtar bsdcpio
Architecture: source amd64
Version: 3.1.2-11+deb8u7
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Libarchive Maintainers 
Changed-By: Antoine Beaupré 
Description:
 bsdcpio - Implementation of the 'cpio' program from FreeBSD
 bsdtar - Implementation of the 'tar' program from FreeBSD
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.1.2-11+deb8u7) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * Fix CVE-2019-119: Out-of-bounds Read vulnerability in 7zip
 decompression, that can result in a crash (denial of service, CWE-125)
   * Fix CVE-2019-120: vulnerability in ISO9660 parser that can result
 in DoS by infinite loop (CWE-835)



Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Ola Lundqvist
Hi Antoine

It is my fault that python developers were not contacted. I added the
package to dla-needed.txt yesterday (or possibly the day before) and
planned to contact the maintainers. But before I had the chance to do so
the package was already fixed and then it did not feel appropriate to
contact the maintainer. I should have sent the email the same day and not
waited until another day.

On the other hand, we have mixed feedback from maintainers.

Some want to be contacted.
Some others do not want to be contacted.
Some others want to be contacted, but just the people in the "Maintainers:"
field and not the "Uploaders:". (This turned out to be a rather tricky
thing.)

Tricky this.

I think I agree with you that we should change the process, but we should
discuss it first as you say.

Best regards

// Ola


On Thu, 7 Feb 2019 at 18:35, Antoine Beaupré 
wrote:

> On 2019-02-07 18:32:39, Markus Koschany wrote:
> > Please do not CC me. I am subscribed.
> >
> > Am 07.02.19 um 18:23 schrieb Antoine Beaupré:
> > [...]
> >> Well, I don't think we should make such calls without announcing it and
> >> documenting the new workflow clearly, first off.
> >>
> >> Second, I think I mostly agree with you, but we need to be certain we
> >> won't upset other people's workflow, and this should be discussed.
> >
> > How does my decision to not contact a maintainer interrupt your
> > workflow? You can still contact the maintainer before you start to work
> > on a package.
>
> I meant the debian package maintainers, not mine.
>
> A.
>
> --
> In a world where Henry Kissinger wins the Nobel Peace Prize,
> there is no need for satire.
> - Tom Lehrer
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 18:32:39, Markus Koschany wrote:
> Please do not CC me. I am subscribed.
>
> Am 07.02.19 um 18:23 schrieb Antoine Beaupré:
> [...]
>> Well, I don't think we should make such calls without announcing it and
>> documenting the new workflow clearly, first off.
>> 
>> Second, I think I mostly agree with you, but we need to be certain we
>> won't upset other people's workflow, and this should be discussed.
>
> How does my decision to not contact a maintainer interrupt your
> workflow? You can still contact the maintainer before you start to work
> on a package.

I meant the debian package maintainers, not mine.

A.

-- 
In a world where Henry Kissinger wins the Nobel Peace Prize,
there is no need for satire.
- Tom Lehrer



Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Markus Koschany
Please do not CC me. I am subscribed.

Am 07.02.19 um 18:23 schrieb Antoine Beaupré:
[...]
> Well, I don't think we should make such calls without announcing it and
> documenting the new workflow clearly, first off.
> 
> Second, I think I mostly agree with you, but we need to be certain we
> won't upset other people's workflow, and this should be discussed.

How does my decision to not contact a maintainer interrupt your
workflow? You can still contact the maintainer before you start to work
on a package.





Accepted dovecot 1:2.2.13-12~deb8u5 (source amd64) into oldstable

2019-02-07 Thread Chris Lamb

Format: 1.8
Date: Thu, 07 Feb 2019 17:57:04 +0100
Source: dovecot
Binary: dovecot-core dovecot-dev dovecot-imapd dovecot-pop3d dovecot-lmtpd 
dovecot-managesieved dovecot-pgsql dovecot-mysql dovecot-sqlite dovecot-ldap 
dovecot-gssapi dovecot-sieve dovecot-solr dovecot-lucene dovecot-dbg
Architecture: source amd64
Version: 1:2.2.13-12~deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Dovecot Maintainers 
Changed-By: Chris Lamb 
Description:
 dovecot-core - secure POP3/IMAP server - core files
 dovecot-dbg - secure POP3/IMAP server - debug symbols
 dovecot-dev - secure POP3/IMAP server - header files
 dovecot-gssapi - secure POP3/IMAP server - GSSAPI support
 dovecot-imapd - secure POP3/IMAP server - IMAP daemon
 dovecot-ldap - secure POP3/IMAP server - LDAP support
 dovecot-lmtpd - secure POP3/IMAP server - LMTP server
 dovecot-lucene - secure POP3/IMAP server - Lucene support
 dovecot-managesieved - secure POP3/IMAP server - ManageSieve server
 dovecot-mysql - secure POP3/IMAP server - MySQL support
 dovecot-pgsql - secure POP3/IMAP server - PostgreSQL support
 dovecot-pop3d - secure POP3/IMAP server - POP3 daemon
 dovecot-sieve - secure POP3/IMAP server - Sieve filters support
 dovecot-solr - secure POP3/IMAP server - Solr support
 dovecot-sqlite - secure POP3/IMAP server - SQLite support
Changes:
 dovecot (1:2.2.13-12~deb8u5) jessie-security; urgency=high
 .
   * CVE-2019-3814: Fix a vulnerability in the TLS username handling where an
 attacker could login as anyone else in the system if
 auth_ssl_{require_client_cert,username_from_cert} was enabled.

Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 17:58:48, Markus Koschany wrote:
> Hello,
>
> Am 07.02.19 um 17:32 schrieb Antoine Beaupré:
> [...]
>> Am I missing something here? Did we change this practice, or is this an
>> oversight?
>
> I have been part of the team for three years now, and from my experience
> almost all people are very happy when someone else fixes bugs in
> oldstable. Most of the time we get either no response at all or someone
> tells us to just go ahead. Since we now have the capacity to handle all
> those issues all by ourselves, I no longer find it necessary to
> contact every maintainer beforehand. Instead I decide on a case-by-case
> basis. I would rather change the current recommendation and the
> do-not-call list to a list of maintainers who want to be contacted first
> before we work on their packages or have always prepared updates
> themselves (e.g. postgresql). This list will be quite short.

Well, I don't think we should make such calls without announcing it and
documenting the new workflow clearly, first off.

Second, I think I mostly agree with you, but we need to be certain we
won't upset other people's workflow, and this should be discussed.

A.

-- 
Tout ce qui n’est pas donné est perdu.
- Proverbe indien



[SECURITY] [DLA 1667-1] dovecot security update

2019-02-07 Thread Chris Lamb

Package: dovecot
Version: 1:2.2.13-12~deb8u5
CVE ID : CVE-2019-3814

It was discovered that there was a vulnerability in the dovecot
IMAP/POP3 server.

A flaw in the TLS username handling could lead to an attacker
logging in as anyone else in the system if both
auth_ssl_{require_client,username_from}_cert were enabled.

For Debian 8 "Jessie", this issue has been fixed in dovecot version
1:2.2.13-12~deb8u5.

We recommend that you upgrade your dovecot packages.


Regards,

-- 
      ,''`.
     : :'  : Chris Lamb
     `. `'`  la...@debian.org  chris-lamb.co.uk
       `-




Re: (when?) do we (still) contact maintainers?

2019-02-07 Thread Markus Koschany
Hello,

Am 07.02.19 um 17:32 schrieb Antoine Beaupré:
[...]
> Am I missing something here? Did we change this practice, or is this an
> oversight?

I have been part of the team for three years now, and from my experience
almost all people are very happy when someone else fixes bugs in
oldstable. Most of the time we get either no response at all or someone
tells us to just go ahead. Since we now have the capacity to handle all
those issues all by ourselves, I no longer find it necessary to
contact every maintainer beforehand. Instead I decide on a case-by-case
basis. I would rather change the current recommendation and the
do-not-call list to a list of maintainers who want to be contacted first
before we work on their packages or have always prepared updates
themselves (e.g. postgresql). This list will be quite short.

Markus





Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 16:48:56, Holger Levsen wrote:
> On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote:
>> But maybe, instead, we should just mark it as unsupported in
>> debian-security-support and move on. There are few packages depending on
>> it, in jessie:
> [...]
>> in buster:
>> Note that the list is (slowly) growing.
>  
> marking it as unsupported in debian-security-support for jessie and
> stretch might be the right step forward, but if it's really as bad as
> you describe, I think it should be kicked out of buster, instead of
> carried on.

That too. But I'd like to hear the maintainer's opinion before taking
any more drastic measures. :)

A.

-- 
Les plus beaux chants sont les chants de revendications
Le vers doit faire l'amour dans la tête des populations.
À l'école de la poésie, on n'apprend pas: on se bat!
- Léo Ferré, "Préface"



Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Holger Levsen
On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote:
> But maybe, instead, we should just mark it as unsupported in
> debian-security-support and move on. There are few packages depending on
> it, in jessie:
[...]
> in buster:
> Note that the list is (slowly) growing.
 
marking it as unsupported in debian-security-support for jessie and
stretch might be the right step forward, but if it's really as bad as
you describe, I think it should be kicked out of buster, instead of
carried on.


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
On 2019-02-07 11:44:45, Antoine Beaupré wrote:
> https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
> https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/

Oops, that second link should have been:

https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html

A.

-- 
Computer science is no more about computers
than astronomy is about telescopes
- E. Dijkstra



concerns about the security reliability of python-gnupg

2019-02-07 Thread Antoine Beaupré
Hi,

Recently, python-gnupg was triaged for maintenance in Debian LTS, which
brought my attention to this little wrapper around GnuPG that I'm
somewhat familiar with.

Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
right now, with buster and sid marked as fixed, as you can see here:

https://security-tracker.debian.org/tracker/source-package/python-gnupg

I'm concerned about the security of this project in general. Even though
that specific instance might be fixed, there are many more bad security
practices used in this project. A fork was created by Isis Agora
Lovecruft to fix those issues:

https://github.com/isislovecruft/python-gnupg/

Those patches were not merged back upstream, which disputes isis'
claims. The security issues found in the upstream package are partly
documented here:

https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html

I am concerned that fixing only this specific CVE will give users a
false sense of security, as many more similar issues might be lurking in
the code. Having, myself, dealt with writing such a library (lesson
learnt: don't do that), I can confirm it is very hard (if not
impossible) to properly talk with GnuPG in a reasonable way. There is
now a constant flow of vulnerabilities coming out that outline commonly
made mistakes when trying to talk the line dialog with GnuPG. For
example:

https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/

I suspect many such issues could be identified formally in the
python-gnupg package.

But maybe, instead, we should just mark it as unsupported in
debian-security-support and move on. There are few packages depending on
it, in jessie:

Reverse Depends:
  Dépend: hash-slinger
  Dépend: pyspread

in stretch:

Reverse Depends:
  Casse: gnupg (<< 0.3.8-3)
  Recommande: python-sleekxmpp
  Dépend: pyspread
  Dépend: hash-slinger
  Dépend: goopg
  Dépend: deken

in buster:

Reverse Depends:
  Casse: gnupg (<< 0.3.8-3)
  Dépend: hash-slinger
  Dépend: goopg
  Recommande: python-sleekxmpp
  Dépend: python-rosbag
  Dépend: pyspread

Note that the list is (slowly) growing.

What do people think?

A.

-- 
L'adversaire d'une vraie liberté est un désir excessif de sécurité.
- Jean de la Fontaine



(when?) do we (still) contact maintainers?

2019-02-07 Thread Antoine Beaupré
Hi,

I was under the impression that we were supposed to contact maintainers
when we add packages to dla-needed.txt, as part of the triage work. That
is, at least, the method documented here:

https://wiki.debian.org/LTS/Development#Triage_new_security_issues

Confident that people doing the triage would do so, I have stopped
double-checking that such work was being done but now, looking at the
python-gnupg package, I noticed nothing was sent out to the maintainer,
at least not with this list in CC. The maintainer and package are not in
data/packages/lts-do-not-call.txt so I think they should have been
contacted first.

Am I missing something here? Did we change this practice, or is this an
oversight?

A.
-- 
Arguing for surveillance because you have nothing to hide is no
different than making the claim, "I don't care about freedom of speech
because I have nothing to say."
- Edward Snowden




Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-07 Thread Emilio Pozuelo Monfort
Hi Steve,

On 07/02/2019 12:12, Steve McIntyre wrote:
> On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote:
>> On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>>>
>>> I'll give it a try now...
>>
>> And that worked on the first attempt. Using this approach, I've done
>> jessie builds of the various LTS arches using casulana, the normal CD
>> build machine. Resulting test output at
>>
>>  http://cdimage.debian.org/cdimage/.jessie_release/debian-cd/
>>
>> if you'd like to have a look. I've tested the amd64 netinst with no
>> network connection (to ensure no updates from elsewhere), and it
>> happily installed the right version of apt (1.0.9.8.5) seamlessly.
>>
>> If you're happy with this, let me know and I'll spin a new version
>> ready for release (version 8.11.1, I guess?).
> 
> Ping?

Sorry for the delay, and thanks for preparing these updated images! I'll give
them some testing today and report back.

And yes, 8.11.1 sounds right.

Cheers,
Emilio



Re: [SECURITY] [DSA 4371-1] apt security update

2019-02-07 Thread Steve McIntyre
On Mon, Jan 28, 2019 at 12:26:54AM +, Steve McIntyre wrote:
>On Sun, Jan 27, 2019 at 06:33:29PM +, Steve McIntyre wrote:
>>
>>I'll give it a try now...
>
>And that worked on the first attempt. Using this approach, I've done
>jessie builds of the various LTS arches using casulana, the normal CD
>build machine. Resulting test output at
>
>  http://cdimage.debian.org/cdimage/.jessie_release/debian-cd/
>
>if you'd like to have a look. I've tested the amd64 netinst with no
>network connection (to ensure no updates from elsewhere), and it
>happily installed the right version of apt (1.0.9.8.5) seamlessly.
>
>If you're happy with this, let me know and I'll spin a new version
>ready for release (version 8.11.1, I guess?).

Ping?

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
Google-bait:   http://www.debian.org/CD/free-linux-cd
  Debian does NOT ship free CDs. Please do NOT contact the mailing
  lists asking us to send them to you.



(E)LTS report for January

2019-02-07 Thread Emilio Pozuelo Monfort
Hi,

During the month of January, I spent 42.5 hours working on LTS on the following
tasks:


- thunderbird 60.4.0 ESR security update
- tzdata and libdatetime-timezone-perl new releases
- investigated symfony test failures
- policykit-1 security update
- investigated lua vulnerability, which didn't affect old versions present in 
jessie
- prepared and tested ghostscript security update, called for testing
- firefox-esr and thunderbird 60.5.0 ESR security updates
- spice security update
- libvncserver security update
- prepared and tested rdesktop update to 1.8.4 to fix security issues, talked to
security team to coordinate an update to 1.8.4 in stretch too
- mariadb-10.0 security update
- prepared coturn security update. one of the changes disables a vulnerable
feature, contacted upstream to see if there was a fix for that feature now that
they released a new upstream version
- postgis security update
- CVE triaging

I also spent 6h on ELTS:

- tzdata and libdatetime-timezone-perl new releases
- php5/libgd2 review
- spice security update
- libsndfile security update
- triaging

Cheers,
Emilio



Re: [SECURITY] [DLA 1664-1] golang security update

2019-02-07 Thread Emilio Pozuelo Monfort
On 06/02/2019 23:47, Antoine Beaupré wrote:
> On 2019-02-06 23:42:12, Chris Lamb wrote:
>> Hi Antoine,
>>
>>> all golang Debian packages are (as elsewhere) statically compiled
>>> and linked so we'd need to rebuild all the rdeps
>>
>> Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones
>> that use this library?
> 
> Yeah, that's what I was implying, sorry if that was unclear... I'm not
> actually sure how that works. I assume it's a bunch of binNMUs,

Note that because the security archive is a separate dak instance, it
doesn't contain all the sources from the main archive, only those that were
specifically uploaded to -security. Meaning: we can't binNMU packages that are
not in the security archive; they will need sourceful uploads instead (unless an
ftp-master uses some magic to copy packages to -security; I know there are plans
to make -security synced with the main archive, but it hasn't happened yet).

See how Markus handled the agg (header-only lib) security update by following up
with no change uploads of the two rdeps.

> but we
> first need to figure out which packages actually use that specific lib.

The golang maintainers use the Built-Using field to keep track of what is using
what and what packages need to be rebuilt (e.g. when golang-defaults is
updated). But that may not be good enough in this case if only a part of golang
is affected. Better ask the golang or the security team to see how they handled 
it.

Cheers,
Emilio



[SECURITY] [DLA 1663-1] python3.4 security update

2019-02-07 Thread Brian May

Package: python3.4
Version: 3.4.2-1+deb8u2
CVE ID : CVE-2016-0772 CVE-2016-5636 CVE-2016-5699 CVE-2018-20406 
 CVE-2019-5010

This DLA fixes a problem parsing X509 certificates, a pickle integer
overflow, and some other minor issues:

CVE-2016-0772

The smtplib library in CPython does not return an error when StartTLS fails,
which might allow man-in-the-middle attackers to bypass the TLS protections
by leveraging a network position between the client and the registry to
block the StartTLS command, aka a "StartTLS stripping attack."

CVE-2016-5636

Integer overflow in the get_data function in zipimport.c in CPython
allows remote attackers to have unspecified impact via a negative data size
value, which triggers a heap-based buffer overflow.

CVE-2016-5699

CRLF injection vulnerability in the HTTPConnection.putheader function in
urllib2 and urllib in CPython allows remote attackers to inject arbitrary
HTTP headers via CRLF sequences in a URL.

CVE-2018-20406

Modules/_pickle.c has an integer overflow via a large LONG_BINPUT value
that is mishandled during a "resize to twice the size" attempt. This issue
might cause memory exhaustion, but is only relevant if the pickle format is
used for serializing tens or hundreds of gigabytes of data.

CVE-2019-5010

NULL pointer dereference using a specially crafted X509 certificate.

For Debian 8 "Jessie", these problems have been fixed in version
3.4.2-1+deb8u2.

We recommend that you upgrade your python3.4 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted python3.4 3.4.2-1+deb8u2 (source all amd64) into oldstable

2019-02-07 Thread Brian May

Format: 1.8
Date: Wed, 06 Feb 2019 16:55:11 +1100
Source: python3.4
Binary: python3.4 python3.4-venv libpython3.4-stdlib python3.4-minimal 
libpython3.4-minimal libpython3.4 python3.4-examples python3.4-dev 
libpython3.4-dev libpython3.4-testsuite idle-python3.4 python3.4-doc 
python3.4-dbg libpython3.4-dbg
Architecture: source all amd64
Version: 3.4.2-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Matthias Klose 
Changed-By: Brian May 
Description:
 idle-python3.4 - IDE for Python (v3.4) using Tkinter
 libpython3.4 - Shared Python runtime library (version 3.4)
 libpython3.4-dbg - Debug Build of the Python Interpreter (version 3.4)
 libpython3.4-dev - Header files and a static library for Python (v3.4)
 libpython3.4-minimal - Minimal subset of the Python language (version 3.4)
 libpython3.4-stdlib - Interactive high-level object-oriented language 
(standard library
 libpython3.4-testsuite - Testsuite for the Python standard library (v3.4)
 python3.4  - Interactive high-level object-oriented language (version 3.4)
 python3.4-dbg - Debug Build of the Python Interpreter (version 3.4)
 python3.4-dev - Header files and a static library for Python (v3.4)
 python3.4-doc - Documentation for the high-level object-oriented language 
Python
 python3.4-examples - Examples for the Python language (v3.4)
 python3.4-minimal - Minimal subset of the Python language (version 3.4)
 python3.4-venv - Interactive high-level object-oriented language (pyvenv 
binary, v
Changes:
 python3.4 (3.4.2-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2016-0772: Check for StartTLS failure.
   * CVE-2016-5636: Fix integer overflow in the get_data.
   * CVE-2016-5699: Fix CRLF injection vulnerability in the
 HTTPConnection.putheader function in urllib2 and urllib.
   * CVE-2018-20406: Fix Modules/_pickle.c integer overflow.
   * CVE-2019-5010: Fix NULL pointer dereference using a specially crafted X509
 certificate.