Hi Bastien,

Thank you for bringing this up. We should also consider the severity of the problem. From what I understand the worst case problem is a "use after free" vulnerability. The source is here: https://bugs.launchpad.net/ubuntu/+source/libusrsctp/+bug/2015448

I would say this is quite minor. I know I added it for buster, but that was just following the decision for bullseye. With the information you provide about the porting complexity and binary interface compatibility problem, I would say I think we should ignore it instead. SCTP is not the most common protocol for mozilla I guess either. Please let me know what you think.

You mention rebuilding all reverse dependencies. Well, I do not find any within Debian. This makes it even less important to fix it.

ola@buster-lts:~/build$ apt-rdepends -r libusrsctp1
Reading package lists... Done
Building dependency tree
Reading state information... Done
libusrsctp1
  Reverse Depends: libusrsctp-dev (= 0.9.3.0+20190127-2)
  Reverse Depends: libusrsctp-examples (= 0.9.3.0+20190127-2)
libusrsctp-dev
libusrsctp-examples
ola@buster-lts:~/build$ apt-rdepends -r libusrsctp-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libusrsctp-dev

Cheers

// Ola

On Sun, 18 Jun 2023 at 15:12, Bastien Roucariès <ro...@debian.org> wrote:
>
> Hi,
>
> The last two hours I tried to fix CVE-2022-46871 by backporting the timer
> handling patch by patch until I got something approximately sane.
>
> I believe it is not really the way to go:
> - it is quite fragile
> - upstream does not correctly create separate commits and creates periodic
>   merges from FreeBSD (huge commit)
> - in all cases it breaks ABI and will need a rebuild of rdeps (public
>   structure changes, function changes)
> - it will need other patches in order to fix the last parts, that cancel timers
>   depending on packet type.
> - reading upstream commits, I see other interesting fixes like not checking
>   the return of sprintf
> - the test suite does not test all the cases
>
> For me the safest way will be to backport the bullseye version to buster and
> rebuild if needed the rdeps.
>
> I want to have a piece of advice on it.
>
> Bastien

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com                    o...@debian.org            |
| http://inguza.com/                Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------