Hi, I'm triaging the package "renderdoc" and it has three open CVEs. More information about the CVEs is available here with a good description: https://www.openwall.com/lists/oss-security/2023/06/06/3

One of them is clearly a minor issue, but two of them describe the possibility for a remote attacker to execute arbitrary code as the user running the software. So that is rather severe. It is only during the time the person in question runs this software, and since it is a debugger it is likely not that common. From the popularity statistics it does not look to be very popular.

When looking through the patches, they will definitely not apply to the version in buster. To fix the problems at hand, someone needs to look through the code in the spirit of the one fixing this and make similar changes. The code has changed significantly, so this is a non-trivial task. Doable, but it will probably take quite some time and effort.

My conclusion is that the severity is likely high (if the problem description is correct) if someone can exploit the issues. But the cost of fixing is quite high, and the likelihood of someone actually using this software is very low. I mean, someone needs to use this debugger on a completely unprotected machine (on a public network) where someone happens to scan for this specific port that only this software happens to use. It is public information that this vulnerability exists, but since hardly anyone uses it I guess such scanners are rare, if they even exist.

So what do you think? Should I add this package to dla-needed, or what do you others think? If we only follow the regular rules, we should add it to dla-needed, but should we also consider the cost aspect for such a rarely used software component?

It has not been triaged for bullseye yet.

Cheers

// Ola

-- 
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------