Re: CVE-2017-9935 / tiff
I added a comment to the upstream bug report: http://bugzilla.maptools.org/show_bug.cgi?id=2704#c14 -- Brian May
About libreoffice CVE
Hello Emilio,

as the libreoffice entry is the oldest one without update[1] I decided to take a look at the issues (even though it's assigned to you).

For CVE-2017-12607 I believe that wheezy is not affected as the patch shown below merely ensures that nLevelAnz does not overflow nMaxPPTLevels (= 5).
https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1

And in the wheezy code, we already have such a check (line 4112 of filter/source/msfilter/svdfppt.cxx):

    sal_uInt16 nLevelAnz;
    rIn >> nLevelAnz;
    if ( nLevelAnz > 5 )
    {
        OSL_FAIL( "PPTStyleSheet::Ppt-TextStylesheet hat mehr als 5 Ebenen! (SJ)" );
        nLevelAnz = 5;
    }

For CVE-2017-12608, the problem seems to exist as the code is very close. Applying/backporting the patch looks trivial.

Furthermore in both cases, the commit contains a test file that could be used to (at least manually) verify the fix.

I don't really see why this update has been stalled for so long. Please go ahead with the update or unlock the package so that someone else can take over.

Cheers,

[1] As shown by bin/review-update-needed --lts:

    Package: libreoffice
    Claimed-By: Emilio Pozuelo
    Claimed-Date: 2017-05-31 17:29 (166 days ago)

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
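The pattern behind the nLevelAnz check above, as an added C example that is not LibreOffice code: a record whose level count is read from the (untrusted) file and then used as the bound of a loop that fills a fixed-size array of five entries. The record layout (a 16-bit little-endian count followed by 4-byte level entries), the sample buffers and the function names are all constructed for this example; only the clamp-to-5 logic mirrors the check quoted from svdfppt.cxx. The unchecked variant is included only for contrast with the clamped one and is never run on the over-long sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PPT_LEVELS 5          /* plays the role of nMaxPPTLevels */

struct level { uint16_t indent; uint16_t font_size; };

struct stylesheet {
    uint16_t level_count;         /* levels actually stored, always <= 5 */
    uint16_t declared_count;      /* what the file claimed */
    struct level levels[MAX_PPT_LEVELS];
};

/* Read a little-endian uint16 at *pos; return 0 if the buffer is too short. */
static int rd_u16(const uint8_t *buf, size_t len, size_t *pos, uint16_t *out)
{
    if (*pos > len || len - *pos < 2)
        return 0;
    *out = (uint16_t)(buf[*pos] | (buf[*pos + 1] << 8));
    *pos += 2;
    return 1;
}

/* Hardened parser: the file's count is recorded but clamped before it becomes
 * a loop bound, exactly like the "if ( nLevelAnz > 5 ) nLevelAnz = 5" check.
 * Returns the number of levels stored, or -1 on truncated input. Entries past
 * the fifth are simply left unread. */
int parse_stylesheet(const uint8_t *buf, size_t len, struct stylesheet *ss)
{
    size_t pos = 0;
    uint16_t n;
    if (!rd_u16(buf, len, &pos, &n))
        return -1;
    ss->declared_count = n;
    if (n > MAX_PPT_LEVELS)
        n = MAX_PPT_LEVELS;
    for (uint16_t i = 0; i < n; i++) {
        if (!rd_u16(buf, len, &pos, &ss->levels[i].indent) ||
            !rd_u16(buf, len, &pos, &ss->levels[i].font_size))
            return -1;
    }
    ss->level_count = n;
    return n;
}

/* Same parser without the clamp, shown for contrast only. With a count above
 * 5 the loop writes past levels[]; built with -fsanitize=address this is the
 * buffer overflow ASAN reports. Never call it on untrusted data. */
int parse_stylesheet_unchecked(const uint8_t *buf, size_t len, struct stylesheet *ss)
{
    size_t pos = 0;
    uint16_t n;
    if (!rd_u16(buf, len, &pos, &n))
        return -1;
    ss->declared_count = n;
    for (uint16_t i = 0; i < n; i++) {            /* bound comes straight from the file */
        if (!rd_u16(buf, len, &pos, &ss->levels[i].indent) ||
            !rd_u16(buf, len, &pos, &ss->levels[i].font_size))
            return -1;
    }
    ss->level_count = n;
    return n;
}

/* Constructed sample: the count field says 7 and seven entries follow. */
static const uint8_t sample_overlong[] = {
    0x07, 0x00,
    0x00, 0x00, 0x18, 0x00,   /* level 1: indent 0,   size 24 */
    0x20, 0x00, 0x14, 0x00,   /* level 2: indent 32,  size 20 */
    0x40, 0x00, 0x12, 0x00,   /* level 3: indent 64,  size 18 */
    0x60, 0x00, 0x10, 0x00,   /* level 4: indent 96,  size 16 */
    0x80, 0x00, 0x0e, 0x00,   /* level 5: indent 128, size 14 */
    0xa0, 0x00, 0x0c, 0x00,   /* levels 6 and 7 would overflow levels[] */
    0xc0, 0x00, 0x0a, 0x00,
};

/* Constructed sample: the count says 3 but only two entries follow. */
static const uint8_t sample_truncated[] = {
    0x03, 0x00,
    0x00, 0x00, 0x18, 0x00,
    0x20, 0x00, 0x14, 0x00,
};

int demo_overlong_stored(void)
{ struct stylesheet ss; return parse_stylesheet(sample_overlong, sizeof sample_overlong, &ss); }

int demo_overlong_declared(void)
{ struct stylesheet ss; parse_stylesheet(sample_overlong, sizeof sample_overlong, &ss); return ss.declared_count; }

int demo_overlong_last_indent(void)
{ struct stylesheet ss; parse_stylesheet(sample_overlong, sizeof sample_overlong, &ss); return ss.levels[MAX_PPT_LEVELS - 1].indent; }

int demo_truncated(void)
{ struct stylesheet ss; return parse_stylesheet(sample_truncated, sizeof sample_truncated, &ss); }

int main(void)
{
    printf("over-long record: stored %d of %d declared levels, last indent %d\n",
           demo_overlong_stored(), demo_overlong_declared(), demo_overlong_last_indent());
    printf("truncated record: %d\n", demo_truncated());
    return 0;
}
```

The clamp is what makes the loop bound independent of the file; the same shape (count from input, fixed array, loop to count) is what to look for when checking whether the wheezy code carries the check the upstream commit adds.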
Re: About libreoffice CVE
On Tue, Nov 14, 2017 at 04:48:48PM +0100, Raphael Hertzog wrote:
> Package: libreoffice
> Claimed-By: Emilio Pozuelo
> Claimed-Date: 2017-05-31 17:29 (166 days ago)

There's some data error, CVE-2017-12607 and CVE-2017-12608 were only disclosed on Oct 27.

Cheers,
Moritz
Re: About libreoffice CVE
On 14/11/17 17:02, Moritz Mühlenhoff wrote:
> On Tue, Nov 14, 2017 at 04:48:48PM +0100, Raphael Hertzog wrote:
>> Package: libreoffice
>> Claimed-By: Emilio Pozuelo
>> Claimed-Date: 2017-05-31 17:29 (166 days ago)
>
> There's some data error, CVE-2017-12607 and CVE-2017-12608 were only
> disclosed on Oct 27.

Yes, that was added back then due to a regression with the fix for
https://security-tracker.debian.org/tracker/CVE-2017-3157

The regression causes some objects (e.g. charts) to not be shown, which may be annoying for users but should be safe.

Unfortunately, upstream didn't fix this in 3.5 and the code there was quite different, so I had to manually backport the patch. IIRC Rene reviewed it and it seemed fine and my testing didn't show any problems, but upstream wasn't helpful so I went with it.

Looks like Red Hat had the same or a similar regression, fwiw:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3157

At this point, I'm not sure what the best course of action is:

- revert the patch, leaving LO vulnerable to the original problem
- leave things as is, with the annoying effect of the regression, but a safe LO
- spend more time to try to fix the regression

The first option is probably unacceptable. I wonder which one of the other two is better at this point, given that wheezy will be EOL in a few months and that most LTS users at this point are likely for servers.

Thoughts?

Emilio

PS: My apologies for not dealing with this earlier. I looked at it a while ago but couldn't fix it, and then wasn't motivated to look at it further.
Notes on building with ASAN
All,

Some of the last few updates I have done have required building the package with ASAN in order to reproduce the bug and/or confirm the fix.

After some searches did not come up with anything that captured the issues I have encountered, I have written up some notes [0] on building packages with ASAN while doing Wheezy LTS work. Those notes are now also linked from our main documentation [1].

If anyone out there has used ASAN in order to reproduce vulnerabilities and/or verify their fixes, please review the notes. Updates and improvements are most welcome.

Regards,

-Roberto

[0] https://wiki.debian.org/LTS/Development/Asan
[1] https://wiki.debian.org/LTS/Development

-- 
Roberto C. Sánchez
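The two steps the message describes, building a package with ASAN and then running it against a reproducer to see whether ASAN flags anything, as an added shell example that is not taken from the wiki notes. It assumes a toolchain that accepts -fsanitize=address (gcc 4.8 or newer, or clang) and relies on dpkg-buildflags(1) honouring the DEB_CFLAGS_APPEND/DEB_CXXFLAGS_APPEND/DEB_LDFLAGS_APPEND variables; the function names, the ASAN_OPTIONS chosen and the placeholder paths in the usage comment are this example's own.

```sh
#!/bin/sh
# Added example for Wheezy LTS work, not code from the wiki notes.
# Assumes a compiler that supports -fsanitize=address (gcc >= 4.8 or clang).

ASAN_CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1"

# Build the binary packages from the unpacked source tree in $1 with ASAN
# instrumentation. Only packages that take their flags from dpkg-buildflags
# (e.g. debhelper compat 9, or an explicit dpkg-buildflags call in
# debian/rules) pick these variables up; other packages need the flags
# patched into debian/rules by hand.
asan_build() {
    (
        cd "$1" || exit 1
        DEB_CFLAGS_APPEND="$ASAN_CFLAGS" \
        DEB_CXXFLAGS_APPEND="$ASAN_CFLAGS" \
        DEB_LDFLAGS_APPEND="-fsanitize=address" \
        dpkg-buildpackage -us -uc -b
    )
}

# Run a command (typically an instrumented binary plus the proof-of-concept
# file from the bug report) and return 1 if ASAN reported a memory error,
# 0 otherwise. detect_leaks=0 silences LeakSanitizer so that only real
# memory errors count; abort_on_error=0 lets the report reach the log.
asan_check() {
    log=$(mktemp)
    ASAN_OPTIONS="detect_leaks=0:abort_on_error=0" "$@" >"$log" 2>&1 || true
    if grep -q 'ERROR: AddressSanitizer' "$log"; then
        grep -m1 'ERROR: AddressSanitizer' "$log"
        rm -f "$log"
        return 1
    fi
    rm -f "$log"
    return 0
}

# Illustrative usage (paths are placeholders):
#   asan_build ./package-1.2.3
#   asan_check ./package-1.2.3/debian/tmp/usr/bin/tool poc-from-bug-report
# Run asan_check once on the unpatched build to confirm the report, then
# again on the patched build: the second run should return 0.
```

Running the same check before and after applying the backported patch turns the bug report's proof of concept into a reproducible pass/fail, which is the confirmation step the message mentions.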
Re: Notes on building with ASAN
On 2017-11-14 08:58:33, Roberto C. Sánchez wrote:
> All,
>
> Some of the last few updates I have done have required building the
> package with ASAN in order to reproduce the bug and/or confirm the fix.
>
> After some searches did not come up with anything that captured the
> issues I have encountered, I have written up some notes [0] on building
> packages with ASAN while doing Wheezy LTS work. Those notes are now
> also linked from our main documentation [1].
>
> If anyone out there has used ASAN in order to reproduce vulnerabilities
> and/or verify their fixes, please review the notes. Updates and
> improvements are most welcome.

I have often been able to reproduce ASAN-related issues with valgrind, FWIW...

a.

-- 
While the creative works from the 16th century can still be accessed and used by others, the data in some software programs from the 1990s is already inaccessible.
- Lawrence Lessig