Re: CVE-2017-9935 / tiff

2017-11-14 Thread Brian May
I added a comment to the upstream bug report:

http://bugzilla.maptools.org/show_bug.cgi?id=2704#c14
-- 
Brian May 



About libreoffice CVE

2017-11-14 Thread Raphael Hertzog
Hello Emilio,

as the libreoffice entry is the oldest one without update[1] I decided
to take a look at the issues (even though it's assigned to you).

For CVE-2017-12607 I believe that wheezy is not affected as the patch
shown below merely ensures that nLevelAnz does not overflow nMaxPPTLevels (= 5).
https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1

And in the wheezy code, we already have such a check (line 4112 of
filter/source/msfilter/svdfppt.cxx):

sal_uInt16 nLevelAnz;
rIn >> nLevelAnz;                   // level count read straight from the file
if ( nLevelAnz > 5 )                // 5 == nMaxPPTLevels in the upstream fix
{
    // German: "PPTStyleSheet::Ppt-TextStylesheet has more than 5 levels! (SJ)"
    OSL_FAIL( "PPTStyleSheet::Ppt-TextStylesheet hat mehr als 5 Ebenen! (SJ)" );
    nLevelAnz = 5;                  // clamp before the count is used as a bound
}

For CVE-2017-12608, the problem seems to exist as the code is very close.
Applying/backporting the patch looks trivial.

Furthermore in both cases, the commit contains a test file that could be used
to (at least manually) verify the fix.

I don't really see why this update has been stalled for so long. Please go ahead
with the update or unlock the package so that someone else can take over.

Cheers,

[1] As shown by bin/review-update-needed --lts:
Package: libreoffice
Claimed-By: Emilio Pozuelo
Claimed-Date: 2017-05-31 17:29 (166 days ago)
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
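
The check discussed above, as an added example that is not LibreOffice's code: a reader for a made-up "text stylesheet" record (a 16-bit level count followed by one 32-bit entry per level) with the level count trusted as-is beside the clamped version. The record layout, the ByteStream helper and the makeRecord/uncheckedOverruns/parseLevels* names are all assumptions made for this example; only the nLevelAnz / nMaxPPTLevels (= 5) bound is taken from the thread.

```cpp
// Added example, not LibreOffice code: a reader for a made-up "text stylesheet"
// record (16-bit level count, then one 32-bit entry per level) that mirrors the
// nLevelAnz / nMaxPPTLevels check quoted above. The record layout is invented.
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <vector>

constexpr std::size_t nMaxPPTLevels = 5;  // the same bound the upstream check uses

struct LevelTable {
    std::size_t used = 0;                                 // entries actually filled
    std::array<std::uint32_t, nMaxPPTLevels> entries{};   // fixed-size, like upstream
};

// Minimal little-endian reader over an in-memory byte buffer.
class ByteStream {
public:
    explicit ByteStream(const std::vector<std::uint8_t>& data) : data_(data) {}
    bool readU16(std::uint16_t& out) {
        if (pos_ + 2 > data_.size()) return false;
        out = static_cast<std::uint16_t>(data_[pos_] | (data_[pos_ + 1] << 8));
        pos_ += 2;
        return true;
    }
    bool readU32(std::uint32_t& out) {
        if (pos_ + 4 > data_.size()) return false;
        out = 0;
        for (int b = 3; b >= 0; --b) out = (out << 8) | data_[pos_ + b];
        pos_ += 4;
        return true;
    }
private:
    const std::vector<std::uint8_t>& data_;
    std::size_t pos_ = 0;
};

// Unchecked variant: the count from the file is used directly as the loop bound.
// std::array::at() makes an oversized count surface as std::out_of_range here;
// with operator[] it would be the out-of-bounds write the upstream fix prevents.
LevelTable parseLevelsUnchecked(const std::vector<std::uint8_t>& bytes) {
    ByteStream rIn(bytes);
    LevelTable table;
    std::uint16_t nLevelAnz = 0;
    if (!rIn.readU16(nLevelAnz)) throw std::runtime_error("truncated header");
    for (std::uint16_t i = 0; i < nLevelAnz; ++i) {
        std::uint32_t v = 0;
        if (!rIn.readU32(v)) throw std::runtime_error("truncated entry");
        table.entries.at(i) = v;
        ++table.used;
    }
    return table;
}

// Hardened variant: clamp the attacker-controlled count before it becomes a
// bound, as the wheezy code already does. Entries beyond the clamp stay unread.
LevelTable parseLevelsClamped(const std::vector<std::uint8_t>& bytes) {
    ByteStream rIn(bytes);
    LevelTable table;
    std::uint16_t nLevelAnz = 0;
    if (!rIn.readU16(nLevelAnz)) throw std::runtime_error("truncated header");
    if (nLevelAnz > nMaxPPTLevels) nLevelAnz = static_cast<std::uint16_t>(nMaxPPTLevels);
    for (std::uint16_t i = 0; i < nLevelAnz; ++i) {
        std::uint32_t v = 0;
        if (!rIn.readU32(v)) throw std::runtime_error("truncated entry");
        table.entries[i] = v;   // i < nMaxPPTLevels is now guaranteed
        ++table.used;
    }
    return table;
}

// Constructed sample record: `count` levels with entry values 0x100, 0x101, ...
std::vector<std::uint8_t> makeRecord(std::uint16_t count) {
    std::vector<std::uint8_t> out{static_cast<std::uint8_t>(count & 0xff),
                                  static_cast<std::uint8_t>(count >> 8)};
    for (std::uint16_t i = 0; i < count; ++i) {
        std::uint32_t v = 0x100u + i;
        for (int b = 0; b < 4; ++b) out.push_back(static_cast<std::uint8_t>(v >> (8 * b)));
    }
    return out;
}

// True when the unchecked parser runs past the table for a record of `count` levels.
bool uncheckedOverruns(std::uint16_t count) {
    try { parseLevelsUnchecked(makeRecord(count)); return false; }
    catch (const std::out_of_range&) { return true; }
}

int main() {
    for (std::uint16_t count : {3, 5, 7}) {
        LevelTable t = parseLevelsClamped(makeRecord(count));
        std::cout << "count " << count << ": clamped parser kept " << t.used
                  << " levels, unchecked parser overruns: "
                  << (uncheckedOverruns(count) ? "yes" : "no") << '\n';
    }
    return 0;
}
```

A record claiming 7 levels is parsed to 5 by the clamped variant and makes the unchecked one step past the 5-entry table. Swapping at() for operator[] and compiling with -fsanitize=address turns that exception into the kind of out-of-bounds report a sanitizer build gives when reproducing this class of bug.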



Re: About libreoffice CVE

2017-11-14 Thread Moritz Mühlenhoff
On Tue, Nov 14, 2017 at 04:48:48PM +0100, Raphael Hertzog wrote:
> Package: libreoffice
> Claimed-By: Emilio Pozuelo
> Claimed-Date: 2017-05-31 17:29 (166 days ago)

There's some data error, CVE-2017-12607 and CVE-2017-12608 were only
disclosed on Oct 27.

Cheers,
Moritz



Re: About libreoffice CVE

2017-11-14 Thread Emilio Pozuelo Monfort
On 14/11/17 17:02, Moritz Mühlenhoff wrote:
> On Tue, Nov 14, 2017 at 04:48:48PM +0100, Raphael Hertzog wrote:
>> Package: libreoffice
>> Claimed-By: Emilio Pozuelo
>> Claimed-Date: 2017-05-31 17:29 (166 days ago)
> 
> There's some data error, CVE-2017-12607 and CVE-2017-12608 were only
> disclosed on Oct 27.

Yes, that was added back then due to a regression with the fix for
https://security-tracker.debian.org/tracker/CVE-2017-3157

The regression causes some objects (e.g. charts) to not be shown, which may be
annoying for users but should be safe. Unfortunately, upstream didn't fix this
in 3.5 and the code there was quite different, so I had to manually backport the
patch. IIRC Rene reviewed it and it seemed fine and my testing didn't show
any problems, but upstream wasn't helpful so I went with it. Looks like Red Hat
had the same or a similar regression, fwiw:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3157

At this point, I'm not sure what the best course of action is:
- revert the patch, leaving LO vulnerable to the original problem
- leave things as is, with the annoying effect of the regression, but a safe LO
- spend more time to try to fix the regression

The first option is probably unacceptable. I wonder which one of the other two
is better at this point, given that wheezy will be EOL in a few months and that
most LTS users at this point are likely running servers.

Thoughts?
Emilio

PS: My apologies for not dealing with this earlier. I looked at it a while ago
but couldn't fix it, and then wasn't motivated to look at it further.



Notes on building with ASAN

2017-11-14 Thread Roberto C . Sánchez
All,

Some of the last few updates I have done have required building the
package with ASAN in order to reproduce the bug and/or confirm the fix.

After some searches did not come up with anything that captured the
issues I have encountered, I have written up some notes [0] on building
packages with ASAN while doing Wheezy LTS work.  Those notes are now
also linked from our main documentation [1].

If anyone out there has used ASAN in order to reproduce vulnerabilities
and/or verify their fixes, please review the notes.  Updates and
improvements are most welcome.

Regards,

-Roberto

[0] https://wiki.debian.org/LTS/Development/Asan
[1] https://wiki.debian.org/LTS/Development

-- 
Roberto C. Sánchez



Re: Notes on building with ASAN

2017-11-14 Thread Antoine Beaupré
On 2017-11-14 08:58:33, Roberto C. Sánchez wrote:
> All,
>
> Some of the last few updates I have done have required building the
> package with ASAN in order to reproduce the bug and/or confirm the fix.
>
> After some searches did not come up with anything that captured the
> issues I have encountered, I have written up some notes [0] on building
> packages with ASAN while doing Wheezy LTS work.  Those notes are now
> also linked from our main documentation [1].
>
> If anyone out there has used ASAN in order to reproduce vulnerabilities
> and/or verify their fixes, please review the notes.  Updates and
> improvements are most welcome.

I have often been able to reproduce ASAN-related issues with valgrind,
FWIW...

a.

-- 
While the creative works from the 16th century can still be accessed
and used by others, the data in some software programs from the 1990s
is already inaccessible.
 - Lawrence Lessig