On Sun, 18 Jun 2023 at 19:16, Ola Lundqvist <o...@inguza.com> wrote:

[adding security team]

> Hi Bastien
>
> Thank you for bringing this up. We should also consider the severity of
> the problem.
> From what I understand the worst case problem is a "use after free"
> vulnerability.
> The source is here:
> https://bugs.launchpad.net/ubuntu/+source/libusrsctp/+bug/2015448
>
> I would say this is quite minor.
>
> I know I added it for buster, but that was just following the decision
> for bullseye. With the information you provide about the porting
> complexity and binary interface compatibility problem I would say I
> think we should ignore it instead.
>
> SCTP is not the most common protocol for mozilla I guess either.
>
> Please let me know what you think.

I agree, but it is used by WebRTC when both ends route it, and that is the
SCTP-over-UDP use case.

> You mention rebuild all reverse dependencies. Well I do not find any
> within Debian.
> This makes it even less important to fix it.

Yes, but for firefox it is embedded (code duplication, not nice). Maybe
(so copying the security team) de-embed it and link to the lib. Less work.

> ola@buster-lts:~/build$ apt-rdepends -r libusrsctp1
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> libusrsctp1
>   Reverse Depends: libusrsctp-dev (= 0.9.3.0+20190127-2)
>   Reverse Depends: libusrsctp-examples (= 0.9.3.0+20190127-2)
> libusrsctp-dev
> libusrsctp-examples
> ola@buster-lts:~/build$ apt-rdepends -r libusrsctp-dev
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> libusrsctp-dev

No, it is incomplete:

grep-dctrl -FBuild-Depends libusrsctp-dev -w -sPackage /var/lib/apt/lists/*Sources

gives me:
- janus on o-o-stable-backports

I do not know what to do with it.

Bastien

> Cheers
>
> // Ola
>
> On Sun, 18 Jun 2023 at 15:12, Bastien Roucariès <ro...@debian.org> wrote:
> >
> > Hi,
> >
> > The last two hours I tried to fix CVE-2022-46871 by backporting the timer
> > handling patch by patch until I got something approximately sane.
> >
> > I believe it is not really the way to go:
> > - it is quite fragile
> > - upstream does not correctly create separate commits and creates periodic
> > merges from FreeBSD (huge commit)
> > - in all cases it breaks ABI and will need a rebuild of rdeps (public
> > structure changes, function changes)
> > - it will need other patches in order to fix the last parts, that cancel
> > timers depending on packet type.
> > - reading upstream commits, I see other interesting fixes like not checking
> > the return of sprintf
> > - the test suite does not test all the cases
> >
> > For me the safest way will be to backport the bullseye version to buster
> > and rebuild the rdeps if needed.
> >
> > I want to have some piece of advice on it.
> >
> > Bastien
>
>
> --
> --- Inguza Technology AB --- MSc in Information Technology ----
> | o...@inguza.com o...@debian.org |
> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> ---------------------------------------------------------------
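The disagreement above comes down to which reverse dependencies each tool sees: apt-rdepends -r walks the Depends of binary packages, so a source package that only build-depends on libusrsctp-dev (janus in Bastien's grep-dctrl run) never shows up, yet it is exactly the kind of package an ABI break forces you to rebuild. The script below is an added example and is not code from this thread, from libusrsctp or from the Debian packaging tools: it performs the same Build-Depends search as grep-dctrl -FBuild-Depends ... -w -sPackage, implemented in awk over deb822 stanzas so it runs without grep-dctrl installed. The Sources text it reads is constructed for the demonstration (the stanzas, versions and the libusrsctp-dev-doc distractor are made up); on a real system feed it /var/lib/apt/lists/*_Sources instead.

```sh
#!/bin/sh
# Added example, not part of the original thread. Lists source packages whose
# Build-Depends / Build-Depends-Indep / Build-Depends-Arch name a given binary
# package exactly (the -w word match of grep-dctrl), by parsing deb822 stanzas.

# Constructed sample in the shape of an apt Sources index. Not real Debian data:
# the janus stanza, its version and the "libusrsctp-dev-doc" distractor (which
# would fool a plain substring grep) are made up for this demonstration.
SAMPLE_SOURCES='Package: libusrsctp
Binary: libusrsctp1, libusrsctp-dev, libusrsctp-examples
Version: 0.9.3.0+20190127-2
Build-Depends: debhelper-compat (= 12)

Package: janus
Binary: janus, janus-dev
Version: 1.0-1~bpo10+1
Build-Depends: debhelper-compat (= 12),
 libusrsctp-dev (>= 0.9.3.0),
 libsrtp2-dev,
 libwebsockets-dev
Build-Depends-Indep: doxygen

Package: unrelated
Binary: unrelated
Version: 1.0-1
Build-Depends: debhelper-compat (= 12), libusrsctp-dev-doc
'

# reverse_build_deps NAME  < Sources-index
# Prints the Package: of every stanza whose Build-Depends* fields list NAME.
reverse_build_deps() {
    awk -v want="$1" '
    # Emit the stanza just finished if it matched, then reset per-stanza state.
    function flush() {
        if (src != "" && hit) print src
        src = ""; hit = 0; field = ""
    }
    # Split a dependency list on "," (and-list) and "|" (alternatives), strip
    # version, architecture, build-profile and multiarch qualifiers, and compare
    # the bare package name so that NAME does not match NAME-doc or similar.
    function check(val,   n, parts, i, dep) {
        n = split(val, parts, /[,|]/)
        for (i = 1; i <= n; i++) {
            dep = parts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", dep)
            sub(/[ \t(\[<:].*$/, "", dep)
            if (dep == want) hit = 1
        }
    }
    /^$/     { flush(); next }                               # blank line ends a stanza
    /^[ \t]/ { if (field ~ /^Build-Depends/) check($0); next } # folded continuation line
    {
        field = $0; sub(/:.*$/, "", field)
        val = $0;   sub(/^[^:]*:[ \t]*/, "", val)
        if (field == "Package") src = val
        else if (field ~ /^Build-Depends/) check(val)
    }
    END { flush() }'
}

# Against the real indexes:  cat /var/lib/apt/lists/*_Sources | reverse_build_deps libusrsctp-dev
result=$(printf '%s' "$SAMPLE_SOURCES" | reverse_build_deps libusrsctp-dev)
echo "Source packages build-depending on libusrsctp-dev: ${result:-none}"
```

Reading the Binary: field would additionally tell you which binary packages a rebuild produces; what the function answers is only the question the thread is stuck on, namely which source packages must be rebuilt when the ABI of libusrsctp changes.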