My Work on Debian LTS (August 2018)

After a nice family vacation in Scandinavia, I did six hours of work on the Debian LTS project as a paid contributor at the end of this month. Thanks to all LTS sponsors for making this possible.

This is my list of work done in August 2018:

  • Research on phpldapadmin (CVE-2018-12689) [1], carried over from July 2018; the upload is still to come (planned for the coming week)
  • Upload of 389-ds-base (DLA 1483-1)
  • Upload of spice (DLA 1486-1).
    The patch proposed by upstream to fix CVE-2018-10873 has been controversially discussed [2].
    Please refer to my review comment in the package's patch file [3] for my reasoning behind accepting upstream's patch for the fix of this package in Debian LTS.
  • Upload of spice-gtk (DLA 1489-1).
  • Fix a corner case flaw in the gen-DLA (and gen-DSA) script [4].

light+love
Mike

References

[1] https://lists.debian.org/debian-lts/2018/07/msg00123.html

[2] http://www.openwall.com/lists/oss-security/2018/08/17/4 (follow thread)

[3] from debian/patches/CVE-2018-10873.patch in spice and spice-gtk:

This patch adds checks to the generated demarshaller code files. These
checks bail out with an error if a pointer to the start of some message
data is strictly greater than the pointer to the end of the same
message's data.

A weakness of these checks is that the message data's start pointer needs
to be calculated (in some odd ways depending on the message type) and the
simple fix of this patch does not assure that the calculated pointers are
actually pointing to allocated memory. However, these calculated pointers
never seem to be used for accessing memory, so this should be safe.

Furthermore, this fix (as proposed by upstream) makes memory layout
assumptions about the supported platforms (MS Windows, Linux). The checks
from this patch could fail if a pointer pointed to the very end of the
system's memory and the pointer addition operation wrapped the pointer.

See http://www.openwall.com/lists/oss-security/2018/08/17/3 for details.

[4] https://salsa.debian.org/security-tracker-team/security-tracker/commit/b...
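The review comment quoted in [3] turns on the difference between checking a computed pointer against an end pointer and checking an offset against a size. The C program below is an added example written for this page; it is neither spice's demarshaller code nor the layout of any real spice message. It models addresses as 16-bit unsigned integers (an assumption made so that the "pointer at the very end of memory" wrap can be reproduced deterministically, which real C pointers cannot do without undefined behaviour), uses a constructed 8-byte header format, and all function and sample names (ptr_check_accepts, len_check_accepts, demarshal_subrecord, GOOD_MSG and friends) are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example, not spice's demarshaller and not a real spice message
 * layout: a message starts with an 8-byte header holding a 32-bit little-endian
 * offset and a 32-bit little-endian length of a sub-record that must lie
 * inside the same message.
 */
#define HDR_LEN 8u

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Addresses are modelled as 16-bit unsigned integers (an assumption of this
 * example) so that "a pointer at the very end of memory" can be constructed
 * on demand; with real C pointers the wrap is undefined behaviour.
 */
typedef uint16_t addr_t;

/* Pointer-style check, in the spirit of the upstream fix: compute
 * start = base + off first, then reject only if start > end. */
bool ptr_check_accepts(addr_t base, uint16_t msg_len, uint32_t off)
{
    addr_t end = (addr_t)(base + msg_len);
    addr_t start = (addr_t)(base + off);   /* wraps modulo 2^16 near the top */
    return start <= end;
}

/* Length-style check: compare the offset against the message size and never
 * form the pointer before it is known to be in range. */
bool len_check_accepts(uint16_t msg_len, uint32_t off)
{
    return off <= msg_len;
}

/* A minimal demarshaller over real memory that follows the length-style
 * discipline. Returns a pointer to the sub-record and stores its length, or
 * returns NULL if the header's offset/length do not fit in the message. */
const uint8_t *demarshal_subrecord(const uint8_t *msg, size_t msg_len,
                                   size_t *sub_len)
{
    if (msg_len < HDR_LEN)
        return NULL;
    uint32_t off = le32(msg);
    uint32_t len = le32(msg + 4);
    /* All comparisons are on sizes; nothing here can overflow or wrap, and
     * msg + off is only formed once off <= msg_len is established. */
    if (off < HDR_LEN || off > msg_len)
        return NULL;
    if (len > msg_len - off)
        return NULL;
    *sub_len = len;
    return msg + off;
}

/* Convenience wrapper: sub-record length on success, -1 on rejection. */
long subrecord_len_or_neg(const uint8_t *msg, size_t msg_len)
{
    size_t n = 0;
    return demarshal_subrecord(msg, msg_len, &n) ? (long)n : -1L;
}

/* Constructed sample messages: header {offset, length}, then payload. */
static const uint8_t GOOD_MSG[16]    = { 8, 0, 0, 0, 4, 0, 0, 0, 'a', 'b', 'c', 'd', 0, 0, 0, 0 };
static const uint8_t BAD_LEN_MSG[16] = { 8, 0, 0, 0, 9, 0, 0, 0, 'a', 'b', 'c', 'd', 0, 0, 0, 0 };
static const uint8_t BAD_OFF_MSG[16] = { 20, 0, 0, 0, 1, 0, 0, 0, 'a', 'b', 'c', 'd', 0, 0, 0, 0 };

int main(void)
{
    /* Ordinary case: both checks reject an offset beyond the message. */
    printf("mid-memory, off out of range: ptr=%d len=%d\n",
           ptr_check_accepts(0x1000, 64, 0x100), len_check_accepts(64, 0x100));
    /* Message placed 16 bytes below the top of the modelled address space:
     * base + off wraps to a small address, so the pointer-style check is
     * fooled while the length-style check still rejects. */
    printf("end-of-memory, off out of range: ptr=%d len=%d\n",
           ptr_check_accepts(0xFFE0, 16, 0x100), len_check_accepts(16, 0x100));
    printf("good=%ld bad_len=%ld bad_off=%ld\n",
           subrecord_len_or_neg(GOOD_MSG, sizeof GOOD_MSG),
           subrecord_len_or_neg(BAD_LEN_MSG, sizeof BAD_LEN_MSG),
           subrecord_len_or_neg(BAD_OFF_MSG, sizeof BAD_OFF_MSG));
    return 0;
}
```

Build with `cc -std=c99 -Wall demarshal.c`. In the second printed line the pointer-style check answers 1 (accept) for an offset that is clearly outside the message, which is exactly the end-of-memory wrap the review comment describes; the length-style check, which only ever compares sizes, answers 0 in both cases. The demarshaller shows the same discipline applied to real memory: the offset and length are validated against the message size before the pointer is ever formed, so the computed pointer is never out of bounds in the first place rather than being checked after the fact.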