Re: Looking for issues affecting wheezy but fixed in squeeze

2016-01-29 Thread Guido Günther
Hi,
On Thu, Jan 28, 2016 at 07:27:20PM +0100, Moritz Mühlenhoff wrote:
> On Sat, Jan 23, 2016 at 02:22:22PM +0100, Guido Günther wrote:
> > Hi,
> > 
> > now that Wheezy LTS is approaching I wondered what would be the best
> > places to help out fixing issues in Wheezy so that upgrading from
> > Squeeze to Wheezy would not introduce new security issues.
> > 
> > Therefore I added bin/lts-needs-forward-port.py (based on
> > lts-cve-triage.py) that lists issues fixed in Squeeze that are unfixed
> > or marked no-dsa in wheezy. O.k. to apply?
> 
> That should also parse next-oldstable-point-update.txt, since several of
> those are likely scheduled for the next whezy point release.

Good point - I didn't even know about that file. New version
attached.

The CVE-- issues in are problematic since they're not unique
so we have some fuzziness there until the issues get updated.

Am I reading the SVN logs correctly that they are currently hand
maintained? If so, should one add user tags when filing bugs about this
to release.debian.org so it gets easier to track?

Cheers,
 -- Guido
From 18e502cbeeeae7c30966aec5db6ea2b3474042b7 Mon Sep 17 00:00:00 2001
Message-Id: <18e502cbeeeae7c30966aec5db6ea2b3474042b7.1454074057.git@sigxcpu.org>
From: Guido Günther
Date: Sat, 23 Jan 2016 13:49:02 +0100
Subject: [PATCH] Add lts-needs-forward-port
To: debian-lts@lists.debian.org

This looks for issues fixed in LTS but yet unfixed in lts_next taking
into account next-oldstable-point-update.txt.
---
 bin/lts-needs-forward-port.py | 99 +++
 bin/tracker_data.py   | 22 ++
 2 files changed, 121 insertions(+)
 create mode 100755 bin/lts-needs-forward-port.py

diff --git a/bin/lts-needs-forward-port.py b/bin/lts-needs-forward-port.py
new file mode 100755
index 000..fbf859d
--- /dev/null
+++ b/bin/lts-needs-forward-port.py
@@ -0,0 +1,99 @@
+#!/usr/bin/python
+# vim: set fileencoding=utf-8 :
+#
+# Copyright 2016 Guido Günther 
+#
+# This file is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file.  If not, see .
+
+import argparse
+import collections
+import sys
+
+from tracker_data import TrackerData, RELEASES
+
+# lts is currently squeeze, next_lts wheezy
+LIST_NAMES = (
+('needs_fix_in_next_lts',
+ ('Issues that are unfixed in {next_lts} but fixed in {lts}'
+  ).format(**RELEASES)),
+('needs_review_in_next_lts',
+ ('Issues that are no-dsa in {next_lts} but fixed in {lts}'
+  ).format(**RELEASES)),
+('fixed_via_pu_in_oldstable',
+ ('Issues that will be fixed via p-u in {oldstable}'
+  ).format(**RELEASES)),
+)
+
+
+def main():
+def add_to_list(key, pkg, issue):
+assert key in [l[0] for l in LIST_NAMES]
+lists[key][pkg].append(issue)
+
+parser = argparse.ArgumentParser(
+description='Find discrepancies between suites')
+parser.add_argument('--skip-cache-update', action='store_true',
+help='Skip updating the tracker data cache')
+parser.add_argument('--exclude', nargs='+', choices=[x[0] for x in LIST_NAMES],
+help='Filter out specified lists')
+
+args = parser.parse_args()
+
+lists = collections.defaultdict(lambda: collections.defaultdict(lambda: []))
+tracker = TrackerData(update_cache=not args.skip_cache_update)
+
+for pkg in tracker.iterate_packages():
+for issue in tracker.iterate_pkg_issues(pkg):
+status_in_lts = issue.get_status('lts')
+status_in_next_lts = issue.get_status('next_lts')
+
+if status_in_lts.status in ('not-affected', 'open'):
+continue
+
+if status_in_lts.status == 'resolved':
+#  Package will be updated via the next oldstable
+#  point release
+if (issue.name in tracker.oldstable_point_update and
+pkg in tracker.oldstable_point_update[issue.name]):
+add_to_list('fixed_via_pu_in_oldstable', pkg, issue)
+continue
+
+#  The security tracker marks "not-affected" as
+#  "resolved in version 0" (#812410)
+if status_in_lts.reason == 'fixed in 0':
+continue
+
+if status_in_next_lts.status == 'open':
+add_to_list('needs_fix_in_next_lts', pkg, 
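Review bot: the `status_in_lts.reason == 'fixed in 0'` check (the tracker's encoding of "not-affected", per the #812410 comment) runs only after the `tracker.oldstable_point_update` lookup, so a package the tracker records as "resolved in version 0" that also appears in next-oldstable-point-update.txt is reported under `fixed_via_pu_in_oldstable` instead of being skipped; move the `fixed in 0` test directly after `if status_in_lts.status == 'resolved':`. Also `--exclude` is parsed but nothing in the visible lines applies `args.exclude`, and the hunk is cut off after `add_to_list('needs_fix_in_next_lts', pkg,`, so the output and filtering part cannot be reviewed here.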

Re: squeeze update of prosody?

2016-01-29 Thread Guido Günther
Hi Sergei,
On Fri, Jan 29, 2016 at 10:53:40AM +0300, Sergei Golovan wrote:
> Hi Guido,
> 
> On Thu, Jan 28, 2016 at 11:04 PM, Guido Günther  wrote:
> > Hello dear maintainer,
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of prosody:
> > https://security-tracker.debian.org/tracker/CVE-2016-0756
> >
> > Would you like to take care of this yourself?
> >
> > If yes, please follow the workflow we have defined here:
> > http://wiki.debian.org/LTS/Development
> >
> > If that workflow is a burden to you, feel free to just prepare an
> > updated source package and send it to debian-lts@lists.debian.org
> > (via a debdiff, or with an URL pointing to the source package,
> > or even with a pointer to your packaging repository), and the members
> > of the LTS team will take care of the rest. Indicate clearly whether you
> > have tested the updated package or not.
> >
> > If you don't want to take care of this update, it's not a problem, we
> > will do our best with your package. Just let us know whether you would
> > like to review and/or test the updated package before it gets released.
> 
> I can prepare the patch for the package currently in squeeze and send it to
> you somehow. But I don't have much time to put it to the squeeze-lts
> repository, sorry.

It would be great to have a "maintainer blessed" patch for that
issue. Just send it to the list and we'll take care of the rest.

Cheers and thanks a lot!
 -- Guido



Re: squeeze update of openssh?

2016-01-29 Thread Antoine Beaupré
On 2016-01-23 06:50:51, Guido Günther wrote:
> Hi Colin,
> On Fri, Jan 15, 2016 at 02:01:44PM +, Colin Watson wrote:
>> On Fri, Jan 15, 2016 at 02:50:33PM +0100, Yves-Alexis Perez wrote:
>> > On ven., 2016-01-15 at 14:47 +0100, Guido Günther wrote:
>> > > > I believe Yves-Alexis Perez is handing this.
>> > > 
>> > > I figured Mike's mail is related to
>> > > 
>> > >     TEMP-000 Eliminate the fallback from untrusted X11-forwarding to
>> > > trusted forwarding for cases when the X server disables the SECURITY
>> > > extension
>> > > 
>> > > not to CVE-2016-0777 CVE-2016-0778?
>> > 
>> > We've not yet investigated the other, CVE-less vulnerabilities fixed by the
>> > last OpenSSH release (whether for the current stables or for LTS).
>> 
>> OpenSSH upstream decided not to fix the untrusted->trusted forwarding
>> issue in 7.1p2
>> (https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-January/034684.html).
>> I would recommend holding off on that until they've actually blessed a
>> fix for real.
>
> I had a look at RedHat's analysis[1] and at Squeeze, Wheezy and Jessie:
>
> * Squeeze and Wheezy don't run "xhost +si:localuser:`id -un`" from
>   xinit but we do so from Jessie on

I don't think this is accurate:

Xsession.d$ git lg 35x11-common_xhost-local
* 9b1d914 N debian/local/Xsession.d/35x11-common_xhost-local: add a new script to the default X session. It will give access to the running X server to the logged on user. This is useful for gdm3 which does not give access to $XAUTHORITY outside the session, but can also be of use for other display managers. Closes: #586685. (il y a 4 ans et 2 mois)

$ git describe 9b1d914
xorg-1_7.6+9-1-g9b1d914
$ rmadison xorg
debian:
 xorg | 1:7.5+8+squeeze1 | squeeze-security  | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
 xorg | 1:7.5+8+squeeze1 | squeeze           | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
 xorg | 1:7.6+8~bpo60+1  | squeeze-backports | source, amd64, armel, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, sparc
 xorg | 1:7.7+3~deb7u1   | wheezy            | source, amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc
 xorg | 1:7.7+7          | jessie-kfreebsd   | source, kfreebsd-amd64, kfreebsd-i386
 xorg | 1:7.7+7          | jessie            | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
 xorg | 1:7.7+12         | stretch           | source, amd64, arm64, armel, armhf, i386, mips, mipsel, powerpc, ppc64el, s390x
 xorg | 1:7.7+13         | sid               | source, amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, powerpc, ppc64el, s390x

i.e. this was introduced in 1:7.6+9-1, and so was shipped with wheezy as
well.

So even if we weren't vulnerable, that would be in squeeze only and
we'll need to fix this for wheezy and above at the very least.

I'll investigate if squeeze is really not vulnerable as well.

a.

-- 
People arbitrarily, or as a matter of taste, assigning numerical values
to non-numerical things. And then they pretend that they haven't just
made the numbers up, which they have. Economics is like astrology in
that sense, except that economics serves to justify the current power
structure, and so it has a lot of fervent believers among the powerful.
- Kim Stanley Robinson, Red Mars



Re: Fixing CVE-2014-9674 (freetype) in wheezy

2016-01-29 Thread Sébastien Delafond
Hi Guido,

thanks for the debdiff. It looks good, except for the urgency which
you'll want to set to "high" before uploading. Once that's done, I'll
release the DSA.

Cheers,

--Seb

On Jan/24, Guido Günther wrote:
> Dear security team,
> while looking into CVEs that are fixed in Jessie and Squeeze but not yet
> in Wheezy I came across:
> 
> https://security-tracker.debian.org/tracker/CVE-2014-9674
> 
> Since the fix consists of several commits including a fix for
> CVE-2014-9673 (which already was fixed in the package) I pushed
> the repo I used to cp the fixes here:
> 
> https://github.com/agx/freetype2/commits/debian/wheezy
> 
> I'm happy about any review and the possibility to upload this to
> security master.
> 
> Cheers,
>  -- Guido

> diff --git a/debian/changelog b/debian/changelog
> index afe415c..f706b95 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +freetype (2.4.9-1.1+deb7u3) wheezy-security; urgency=medium
> +
> +  * Non-maintainer upload by LTS team.
> +  * CVE-2014-9674: integer overflow and heap-based buffer overflow
> +in Mac_Read_POST_Resource.  The added patch also includes the fixes for
> +CVE-2014-9673 since they overlap. Closes: #777656
> +
> + -- Guido Günther   Sun, 24 Jan 2016 19:41:13 +0100
> +
>  freetype (2.4.9-1.1+deb7u2) wheezy-security; urgency=high
>  
>* Non-maintainer upload.
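Review bot: the new changelog entry `+freetype (2.4.9-1.1+deb7u3) wheezy-security; urgency=medium` uses a lower urgency than the preceding `2.4.9-1.1+deb7u2` wheezy-security entry (`urgency=high`); security uploads should carry `urgency=high`, as Sébastien asks above, so change that line before uploading.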
> diff --git a/debian/patches-freetype/CVE-2014-9673.patch 
> b/debian/patches-freetype/CVE-2014-9673.patch
> deleted file mode 100644
> index 331f40f..000
> --- a/debian/patches-freetype/CVE-2014-9673.patch
> +++ /dev/null
> @@ -1,43 +0,0 @@
> -diff -aur freetype-2.4.9.orig/src/base/ftobjs.c 
> freetype-2.4.9/src/base/ftobjs.c
>  freetype-2.4.9.orig/src/base/ftobjs.c2012-02-11 10:29:31.0 
> +0100
> -+++ freetype-2.4.9/src/base/ftobjs.c 2015-02-19 11:27:54.271340093 +0100
> -@@ -1588,6 +1588,11 @@
> - goto Exit2;
> -   if ( FT_READ_LONG( rlen ) )
> - goto Exit;
> -+  if ( rlen < 0 )
> -+  {
> -+error = FT_Err_Invalid_Offset;
> -+goto Exit;
> -+  }
> -   if ( FT_READ_USHORT( flags ) )
> - goto Exit;
> -   FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, 
> flags=0x%04x\n",
> -@@ -1605,7 +1610,14 @@
> - rlen = 0;
> - 
> -   if ( ( flags >> 8 ) == type )
> -+  {
> -+if ( 0x7FFFL - rlen < len )
> -+{
> -+  error = FT_Err_Array_Too_Large;
> -+  goto Exit2;
> -+}
> - len += rlen;
> -+  }
> -   else
> -   {
> - if ( pfb_lenpos + 3 > pfb_len + 2 )
> -@@ -1634,6 +1646,11 @@
> -   }
> - 
> -   error = FT_Err_Cannot_Open_Resource;
> -+  if ( rlen > 0x7FFFL - pfb_pos )
> -+  {
> -+error = FT_Err_Array_Too_Large;
> -+goto Exit2;
> -+  }
> -   if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
> - goto Exit2;
> - 
> -Nur in freetype-2.4.9/src/base: ftobjs.c~.
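Review bot: deleting CVE-2014-9673.patch removes three checks that must survive in the replacement patch: the `rlen < 0` test after `FT_READ_LONG( rlen )`, the `0x7FFFL - rlen < len` guard before `len += rlen`, and the `rlen > 0x7FFFL - pfb_pos` guard before the `pfb_pos + rlen > pfb_len` comparison; the visible part of the combined diff below shows only commit messages, so confirm the equivalent hunks are present there before dropping this file. The stray trailing line `Nur in freetype-2.4.9/src/base: ftobjs.c~.` shows the old patch was generated against a tree containing an editor backup file, which is a further reason to prefer the regenerated upstream-based patch.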
> diff --git a/debian/patches-freetype/CVE-2014-9674+CVE-2014-9673.diff 
> b/debian/patches-freetype/CVE-2014-9674+CVE-2014-9673.diff
> new file mode 100644
> index 000..5de5b33
> --- /dev/null
> +++ b/debian/patches-freetype/CVE-2014-9674+CVE-2014-9673.diff
> @@ -0,0 +1,205 @@
> +commit c57ccea8fe7bbdc5194bf7f2bdaa3d84a788916c
> +Author: Guido Günther 
> +Date:   Sun Jan 24 12:13:04 2016 +0100
> +
> +Don't use FT_ERR or FT_THROW
> +
> +commit 920aebcc8fa6ec5dfb1f9eca86598414e2363261
> +Author: suzuki toshiya 
> +Date:   Thu Nov 27 00:20:48 2014 +0900
> +
> +* src/base/ftobj.c (Mac_Read_POST_Resource): Additional
> +overflow check in the summation of POST fragment lengths,
> +suggested by Mateusz Jurczyk .
> +
> +(cherry picked from commit cd4a5a26e591d01494567df9dec7f72d59551f6e)
> +
> +commit 8b51acd483ff65159e0af508a2d47d8f2753ad28
> +Author: suzuki toshiya 
> +Date:   Wed Nov 26 16:39:00 2014 +0900
> +
> +* src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments
> +and fold too long tracing messages.
> +
> +(cherry picked from commit 1720e81e3ecc7c266e54fe40175cc39c47117bf5)
> +
> +commit 72e8e7cf2c4931bf31046f70db07feb4c89b72ef
> +Author: suzuki toshiya 
> +Date:   Wed Nov 26 16:02:17 2014 +0900
> +
> +* src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long
> +variables to read the lengths in POST fragments.  Suggested by
> +Mateusz Jurczyk .
> +
> +(cherry picked from commit 453316792fee912cfced48e9e270e9eb19892e64)
> +
> +commit f8f730dd9399d6ef5709c672a7b3fa531caececb
> +Author: suzuki toshiya 
> +Date:   Wed Nov 26 15:52:23 2014 +0900
> +
> +Fix Savannah bug #43539.
> +
> +* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
> +by a broken POST table in resource-fork.
> + 
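Review bot: the visible hunk of CVE-2014-9674+CVE-2014-9673.diff ends after the five cherry-picked commit messages and before any code, so the actual backport cannot be reviewed from this mail; the local commit `Don't use FT_ERR or FT_THROW` indicates the upstream hunks were adapted to 2.4.9's error-handling macros, and that adaptation, together with the upstream commit ids (cd4a5a26e591, 1720e81e3ecc, 453316792fee) and `Savannah bug #43539`, should be stated in the patch header so the next LTS uploader can re-check the backport against upstream.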

squeeze update of phpmyadmin?

2016-01-29 Thread Guido Günther
Hello dear maintainer,

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of phpmyadmin:
https://security-tracker.debian.org/tracker/CVE-2016-2039
https://security-tracker.debian.org/tracker/CVE-2016-2041

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Note that I marked several issues as no-dsa (basically what you marked
as low impact upstream since this all made sense to me).

Thank you very much.

Guido Günther,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Re: squeeze update of prosody?

2016-01-29 Thread Sergei Golovan
Hi Guido,

On Fri, Jan 29, 2016 at 11:10 AM, Guido Günther  wrote:
>
> It would be great to have a "maintainer blessed" patch for that
> issue. Just send it to the list and we'll take care of the rest.

Here are the .dsc and the .diff.gz for the fixed prosody package.

Cheers!
-- 
Sergei Golovan


Attachments: prosody_0.7.0-1squeeze1+deb6u2.dsc (binary data), prosody_0.7.0-1squeeze1+deb6u2.diff.gz (GNU Zip compressed data)


Re: squeeze update of openssh?

2016-01-29 Thread Antoine Beaupré
On 2016-01-23 06:50:51, Guido Günther wrote:
> I had a look at RedHat's analysis[1] and at Squeeze, Wheezy and Jessie:
>
> * Squeeze and Wheezy don't run "xhost +si:localuser:`id -un`" from
>   xinit but we do so from Jessie on
> * we have the security extension enabled
>
> however Debian uses ForwardX11Trusted=yes so I wonder if we can safely
> flag this as no-dsa needed for at least Wheezy and Squeeze since it does
> not seem to affect the default configuration in any way?

So I have looked further into this. Besides the puzzle of setting up a
X11-enabled squeeze VM (fun times), I was able to reproduce the issue
well described in:

https://thejh.net/written-stuff/openssh-6.8-xsecurity

Indeed, by default, Debian is completely vulnerable *regardless* of the
xhost configuration or timeout problems in ssh. This got me really
confused because I couldn't see the "problem", because it's the default
behavior in Debian, deliberately.

To reproduce, the best is to use xdotool. We will use it to make the
remote server (supposedly hostile) type in a local window, but it could
also choose which window it would type in, sniff X11 traffic and more
pretty bad stuff:

$ ssh -X marcos xdotool type "this should not be working"
thisshouldnotbeworking$ thisshouldnotbeworking

So by default, in Debian, we set -X to behave like -Y. This works even
if xhost access is disabled, so it's not specific to jessie and up.

I tested it on Debian jessie (both client and server), but it should
also fail for all Debian packages up to 3.8p1-2, shipped around the time
sarge was released (!!). This was related to bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=237021

The reasoning for the setting is explained in the `README.Debian` file
and is justified by saying "this has some problems in implementation -
notably a very short timeout of the untrusted cookie - breaks large
numbers of existing setups, and generally seems immature. The Debian
package therefore sets the default for this option to "yes" (in ssh
itself, rather than in ssh_config)."

So to fix this, we'd have to remove that from patch
003a875a474100d250b6643270ef3874da6591d8 that lives in
debian/patches/debian-config.patch:

https://sources.debian.net/src/openssh/1:7.1p2-2/debian/patches/debian-config.patch/

It is somewhat a concern, in my opinion, that this is hardcoded in the
source: why not just ship different config file defaults?

Anyways, the immediate fix for this is at least to use
ForwardX11Trusted=no everywhere. It remains to be tested if the xhost
line needs to be removed to work around the timeout issues, but if so,
this requires changes in wheezy and up.

But all this work is useless if, by default, we bypass all those checks
anyways.

So this definitely needs coordination with the openssh maintainers at
this point, to at least confirm or infirm the "usability over security"
decision that happened all that while ago.

I personally think the decision should be reverted, that
ForwardX11Trusted should be set to the upstream "no" default. There's an
entry in the OpenSSH FAQ exactly for that, and -Y to work around bad
setups. It seems unreasonable to expose users to such a security issue
just for the convenience of some setups that could easily be fixed.

A.
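As an added example (not code from this thread or from the openssh package), the script below audits which ForwardX11Trusted value a client would end up with for a given host: it parses a client ssh_config with first-match-wins Host semantics and takes the compiled-in default as a parameter, because, as the README.Debian quote above explains, Debian sets that default to "yes" inside ssh itself rather than in ssh_config. The sample config text, host names and the DEBIAN_DEFAULT/UPSTREAM_DEFAULT constants are constructed assumptions.

```python
import fnmatch

# Assumed defaults (constructed for this example): Debian's openssh sets
# ForwardX11Trusted=yes inside the binary, upstream's default is "no".
DEBIAN_DEFAULT = "yes"
UPSTREAM_DEFAULT = "no"

# Constructed sample client config with no global ForwardX11Trusted line.
SAMPLE_CONFIG = """\
Host marcos
    ForwardX11 yes

Host *.example.net !build.example.net
    ForwardX11Trusted no
"""
# Same config plus the hardening the thread proposes (Host * catch-all).
HARDENED_CONFIG = SAMPLE_CONFIG + "\nHost *\n    ForwardX11Trusted no\n"


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value})] blocks in file order.
    Pre-Host directives apply everywhere; first keyword in a block wins."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key=val" form
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def host_matches(patterns, host):
    """ssh_config Host semantics: some positive pattern, no negated one."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def audit_x11(text, host, compiled_default=DEBIAN_DEFAULT):
    """Report the ForwardX11Trusted value ssh would use for `host`.
    First matching block that sets it wins; otherwise the binary's default."""
    for patterns, opts in parse_ssh_config(text):
        if "forwardx11trusted" in opts and host_matches(patterns, host):
            value, origin = opts["forwardx11trusted"], "config"
            break
    else:
        value, origin = compiled_default, "compiled-in default"
    return {"host": host, "value": value.lower(), "origin": origin,
            "trusted": value.lower() == "yes"}
```

Run `audit_x11(SAMPLE_CONFIG, "marcos")` with the Debian default and the host comes out trusted from the compiled-in default; the same call with `UPSTREAM_DEFAULT` or against `HARDENED_CONFIG` reports untrusted forwarding.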