sunweaver's NET

Recently, Bernhard Miklautz, Martin Fleisz and myself have been working on old FreeRDP code. Our goal was, to get FreeRDP in Debian jessie LTS and Debian stretch working again against recent Microsoft RDP servers.

It has been done now.

Context

In Debian LTS, we were discussing a complex update of the freerdp (v1.1) package. That was before X-mas.

The status of FreeRDP v1.1 (jessie/stretch) then was and still is:

• Since March 2018 freerdp in stretch (and jessie) (Git snapshot of never released v1.1) has been unusable against latest Microsoft Windows servers. All MS Windows OS versions switched to RDP proto version 6 plus CredSSP version 3 and the freerdp versions in Debian jessie/stretch do not support that, yet.
• For people using Debian stretch, the only viable work-around is using freerdp2 from stretch-backports.
• People using Debian jessie LTS don't have any options (except from upgrading to stretch and using freerdp2 from stretch-bpo).
• Currently, we know of four unfixed no-DSA CVE issues in freerdp (v1.1) (that are fixed in buster's freerdp2).

With my Debian LTS contributor hat on, I have started working on the open freerdp CVE issues (whose backported fixes luckily appeared in a Ubuntu security update, so not much work on this side) and ...

... I have started backporting the required patches (at least these: [0a,0b,0c]) to get RDP proto version 6 working in Debian jessie's and Debian stretch's freerdp v1.1 version.

In December 2018, I have worked on the Debian LTS project for 21 hours and on the Debian ELTS project for 5 hours as a paid contributor. The originally planned 11 LTS hours (one hour carried over from November) had been extended to 21 hours. Of the originally planned 6 ELTS hours I carry over one hour to January 2019.

LTS Work

• Fix several CVE issues in libav (DLA-1611-1 [1a] and DLA-1611-2 [1b]).
• Fix the Magellan vulnerability in sqlite3 (DLA-1631-1 [2]).
• Regression fix of poppler (DLA-1562-3 [3])
• Involve FreeRDP upstream into fixing FreeRDP v1.1 in Debian jessie (esp. big thanks to Bernhard Miklautz for giving feedback).
• Port FreeRDP CVE fixes over from Ubuntu [4].
• Backport RDP v6 proto code and CredSSP v3 code from FreeRDP upstream commits to Debian jessie's (and stretch's) FreeRDP v1.1 [5].
• An upload of a fixed FreeRDP v1.1 (both jessie and stretch) can be expected for January 2019. This work will be co-ordinated with the Debian stable release team [6] (feedback is still pending).

ELTS Work

• Setup test and build environment for Debian wheezy ELTS.
• Give feedback on problems when installing Debian wheezy from scratch (although this makes rarely sense for most scenarious, it might help future ELTS developers).
• Research on the Magellan vulnerability in Debian wheezy's sqlite3 [7] and request a second pair of eyes to look at sqlite3 in Debian wheezy (it might not be affected by it). The sqlite3 fix for Debian jessie (DLA-1613-1 [2]) was a zero-extra-effort outcome of this research.

In November 2018, I have worked on the Debian LTS project for nine hours as a paid contributor. Of the originally planned twelve hours (four of them carried over from October) I gave two hours back to the pool of available work hours and carry one hour over to December.

For November, I also signed up for four hours of ELTS work, but had to realize that at the end of the month, I hadn't even set up a test environment for Debian wheezy ELTS, so I gave these four hours back to the "pool". I have started getting an overview of the ELTS workflow now and will start fixing packages in December.

So, here is my list of work accomplished for Debian LTS in November 2018:

• Regression upload of poppler (DLA 1562-2 [1]), updating the fix for CVE-2018-16646
• Research on Saltstack salt regarding CVE-2018-15750 and CVE-2018-15751. Unfortunately, there was no reference in the upstream Git repository to the commit(s) that actually fixed those issues. Finally, it turned out that the REST netapi code that is affected by the named CVEs was added between upstream release 2014.1.13 and 2014.7(.0). As Debian jessie ships salt's upstream release 2014.1.13, I concluded that salt in jessie is not affected by the named CVEs.
• Last week I joined Markus Koschany with triaging a plentitude of libav issues that have/had status "undetermined" for Debian jessie. I was able to triage 21 issues, of which 15 have applicable patches. Three issues have patches that don't apply cleanly and need manual work. One issue only is valid to ffmpeg, but not to libav.

This is a quick HowTo that shows how to setup a Ubuntu MATE 19.04 development setup in which Ubuntu System Indicators [1] get replaced by Ayatana System Indicators [1].

The current development strategy is to use nightly DEB packages provided by the Arctica Project and Ayatana Indicators upstream on top of Ubuntu MATE 19.04 and see what details still require work.

Preparing Ubuntu MATE 19.04 development setup

First step is to download a Ubuntu MATE 18.10 (aka cosmic) ISO image and install Ubuntu MATE 18.10 into a test environment (e.g.

Over the last weekend, I have attended the FLOSS meeting "X2Go - The Gathering 2018" [1]. The event took place at the shackspace maker space in Ulmerstraße in Stuttgart-Wangen (near S-Bahn station S-Untertürkheim). Thanks to the people from shackspace for hosting us there, I highly enjoyed your location's environment. Thanks to everyone who joined us at the meeting. Thanks to all event sponsors (food + accomodation for me). Thanks to Stefan Baur for being our glorious and meticulous organizer!!!

Thanks to my family for letting me go for that weekend.

Especially, a big thanks to everyone, that I was allowed to bring our family dog "Capichera" with me to the event. While Capichera adapted quite ok to this special environment on sunny Friday and sunny Saturday, he was not really feeling well on rainy Sunday (aching joints, unwilling to move, walk interact).

For those interested and especially for our event sponsors, below you can find a list of produced results related to the gathering.

light+love

after some nice family vacation in Tuscany, I did four hours of work on the Debian LTS project as a paid contributor at the end of this month. Thanks to all LTS sponsors for making this possible.

I move over a backlog of 4h from October to November (so I will work 12h on Debian LTS in November 2018).

Furthermore, I have signed up for Debian ELTS work with another 4h (as a start, more availability planned for upcoming months).

This is my list of work done in October 2018:

• Upload of poppler (DLA 1562-1 [1]), fixing 4 CVEs
• Discuss my research on CVE-2018-12689 in phpldapadmin from August 2018 with Antoine Beaupré who identified the published exploit as 'false positive' (for details, see his monthly LTS report for Octobre 2018).

light+love
Mike

References

[1] https://lists.debian.org/debian-lts-announce/2018/10/msg00024.html

In September 2018, I did 10 hours of work on the Debian LTS project as a paid contributor. Thanks to all LTS sponsors for making this possible.

This is my list of work done in September 2018:

• Upload of polarssl (DLA 1518-1) [1].
• Work on CVE-2018-16831 discovered in the smarty3 package. Plan (A) was to backport latest smarty3 release to Debian stretch and jessie, but runtime tests against GOsa² (one of the PHP applications that utilize smarty3) already failed for Debian stretch. So, this plan was dropped. Plan (B) then was extracting a patch [2] for fixing this issue in Debian stretch's smarty3 package version from a manifold of upstream code changes; finally with the realization that smarty3 in Debian jessie is very likely not affected. Upstream feedback is still pending, upload(s) will occur in the coming week (first week of Octobre).

light+love
Mike

References

[1] https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html

[2] https://salsa.debian.org/debian/smarty3/commit/8a1eb21b7c4d971149e76cd2b...

I never fancied having accounts with the big players that much, so I never touched e.g. Twitter.

But Mastodon is the kind of service that works for me. You can find me on https://fosstodon.org.

My nick over there is sunweaver. I'll be posting intersting stuff of my work there, probably more regularly than on the blog.

After some nice family vacation in Scandinavia, I did six hours of work on the Debian LTS project as a paid contributor at the end of this month. Thanks to all LTS sponsors for making this possible.

This is my list of work done in August 2018:

• Research phpldapadmin (CVE-2018-12689) [1], overhead from July 2018, upload is still to come (planned for the coming week)
• Upload of 389-ds-base (DLA 1483-1)
• Upload of spice (DLA 1486-1).
  The patch that has been proposed by upstream to fix CVE-2018-10873 has been controversially discussed [2].
  Please refer to my review comment in the package's patch file for my reasoning [3] behind accepting upstream's patch for the fix of this package in Debian LTS.
• Upload of spice-gtk (DLA 1489-1).
• Fix a corner case flaw in the gen-DLA (and gen-DSA) script [4].

light+love
Mike

References

[1] https://lists.debian.org/debian-lts/2018/07/msg00123.html

[2] http://www.openwall.com/lists/oss-security/2018/08/17/4 (follow thread)

This month, after a longer pause, I have started working again for the Debian LTS project as a paid contributor. Thanks to all LTS sponsors for making this possible.

This is my list of work done in July 2018:

• Triage CVE issues of ~27 packages during my front desk week.
• Upload gosa 2.7.4+reloaded2-13+deb9u1 (DLA-1436-1) to jessie-security.
• Upload network-manager-vpnc 0.9.10.0-1+deb8u1 (DLA-1454-1) to jessie-security.
• At the end of the month, I started looking at one of two open issues in phpldapadmin. More details on this, I have sent to the Debian LTS mailing list [1].

light+love
Mike

[1] https://lists.debian.org/debian-lts/2018/07/msg00123.html