Alberto Luaces writes:

> Moritz Muehlenhoff writes:
>
>> On Sun, Nov 07, 2010 at 10:20:50PM +0100, Alberto Luaces wrote:
>>> Moritz Muehlenhoff writes:
>>>
>>> > In gmane.linux.debian.devel.release, you wrote:
>>> >> Hello,
>>> >>
>>> >> recently a bug has been reported for the lenny version of the
>>> >> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
>>> >> package includes an embedded, vulnerable copy of the lib3ds library:
>>> >>
>>> >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>>> >>
>>> >> The security team said that our proposed update did not warrant a
>>> >> security update, and that we should make a stable release instead.
>>> >>
>>> >> The Debian Developers of this package and I have now available a new
>>> >> version of the package which removes the embedded copy and makes the
>>> >> compilation process link the generated libraries against Debian system's
>>> >> lib3ds version. I'm attaching the diff in this mail for you to
>>> >> inspect. I wonder if the `high' priority that I have given to this
>>> >> release is fine or not.
>>> >
>>> > That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet, it
>>> > would need to be updated along.
>>>
>>> Yes, that was my intention. It seemed sensible to me to pull out
>>> openscenegraph the insecure code and make it depend on the new lib3ds
>>> version. I thought that since lenny and squeeze versions of lib3ds are
>>> compatible, the latter could be backported in short by the security
>>> team.
>>>
>>> What do you think? Should I wait for lenny's lib3ds to get fixed or
>>> could we start updating openscenegraph to use the external library?
>>
>> lib3ds also has been labeled as not warranting a DSA, so it won't be
>> updated by the Security Team (we're barely keeping up with regular
>> DSAs currently). Since it's orphaned it's unlikely to be updated in
>> stable soon. Fixing it should be straightforward, though. The patch
>> from my 1.3.0-5 NMU in unstable can be applied straight-away for Lenny.
>
> If that could be possible it would be great. In that case, I have
> attached the debdiff that Adam asked for. Otherwise we would have to
> remove 3DS support in openscenegraph, maybe breaking some end user
> program.
>
> Another possibility could be to fix the embedded lib3ds in
> openscenegraph, just following the error description in the CVE.
I have finally come across this and made a release patching openscenegraph in the same way as it is done in lib3ds for Squeeze. Please unblock.

diff -u openscenegraph-2.4.0/debian/changelog openscenegraph-2.4.0/debian/changelog --- openscenegraph-2.4.0/debian/changelog +++ openscenegraph-2.4.0/debian/changelog @@ -1,3 +1,11 @@ +openscenegraph (2.4.0-1.1+lenny1) stable; urgency=high + + * A vulnerability (CVE-2010-0280) was detected in OSG's embedded copy of + lib3ds. Applying the same patch for lib3ds in Squeeze, since there are + few chances for lib3ds to get updated in Lenny (Closes: #601181). + + -- Alberto Luaces <alua...@udc.es> Thu, 11 Nov 2010 10:08:03 +0100 + openscenegraph (2.4.0-1.1) unstable; urgency=low * Non-maintainer upload. diff -u openscenegraph-2.4.0/debian/patches/00list openscenegraph-2.4.0/debian/patches/00list --- openscenegraph-2.4.0/debian/patches/00list +++ openscenegraph-2.4.0/debian/patches/00list @@ -3,0 +4 @@ +lib3ds_vulnerability.dpatch only in patch2: unchanged: --- openscenegraph-2.4.0.orig/debian/patches/lib3ds_vulnerability.dpatch +++ openscenegraph-2.4.0/debian/patches/lib3ds_vulnerability.dpatch 
@@ -0,0 +1,24 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## lib3ds_vulnerability.dpatch by <alua...@udc.es> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +...@dpatch@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' openscenegraph-2.4.0~/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp openscenegraph-2.4.0/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp +--- openscenegraph-2.4.0~/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp 2006-08-21 17:07:31.000000000 +0200 ++++ openscenegraph-2.4.0/OpenSceneGraph/src/osgPlugins/3ds/mesh.cpp 2010-11-11 09:59:08.000000000 +0100 +@@ -93,8 +93,11 @@ + faces=lib3ds_word_read(f); + for (i=0; i<faces; ++i) { + index=lib3ds_word_read(f); +- ASSERT(index<mesh->faces); +- strcpy(mesh->faceL[index].material, name); ++ if (index<mesh->faces) { ++ strncpy(mesh->faceL[index].material, name, 64); ++ } else { ++ // TODO warning ++ } + } + } + break;

Regards,
Alberto
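Review bot: in the new lib3ds_vulnerability.dpatch, the replacement `strncpy(mesh->faceL[index].material, name, 64);` passes the full field width as the length, so if `name` is 64 bytes or longer the material field is left without a terminating NUL and any later string read of that field runs past it; the new `if (index<mesh->faces)` check fixes the out-of-range write, but not the unterminated copy. Unless `name` is already guaranteed shorter than 64 bytes earlier in this function, copy at most 63 bytes and terminate explicitly, e.g. `strncpy(mesh->faceL[index].material, name, 63); mesh->faceL[index].material[63] = '\0';`. Two smaller points on the same hunk: the `else { // TODO warning }` branch silently discards a face index read from the file that is out of range, and emitting at least a warning there would help users diagnose malformed files; and the header still reads `## DP: No description.`, which should state what the patch does (bounds-check the face index and bound the material name copy, for CVE-2010-0280) so the patch is self-documenting.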