Re: wheezy update for libav

2016-11-03 Thread Hugo Lefeuvre
Hi Diego,

> I looked into backporting the fixes for
> 
> https://lists.debian.org/debian-lts/2016/09/msg00211.html
> 
> that the Mozilla people complained about from the 9 release branch to the
> 0.8 release branch. It's entirely nontrivial since the commits that fix
> the issue constitute a major refactoring. I'm about halfway into the
> process and my intermediate result is failing many tests. It's unclear to
> me at this point if the result is worth the trouble :-/

Well, the issue looks important, and I'd like to see it fixed, but if
you think it is not possible to do it without important risks of
regressions, then we should maybe consider dropping it.

However, I have to say I'm not very well informed about this issue; the
libav bug tracker just mentions a potentially exploitable attempt
to free a corrupted pointer. Does this issue have a CVE assigned yet?

> > Let me know if I can speed up the process by preparing patches. If yes, please,
> > mention the issues you are currently working on, so we avoid duplicate work.
> > 
> > [0] https://security-tracker.debian.org/tracker/source-package/libav
> 
> CVE-2016-7424:
> 
> I cannot reproduce the crash with 0.8, so Wheezy should not have a problem.

I'd like to perform some tests before definitively marking libav 0.8 as
unaffected in the tracker; could you quickly explain to me how you attempted
to reproduce it?

The affected code in 11.x is almost the same as in 0.8.

> CVE-2016-8675 / CVE-2016-8676
> 
> I can reproduce the crash with 0.8 and 11 so both Wheezy and Jessie are
> affected.

From what I've seen on the tracker, there are some patches that could
(almost) be directly imported from ffmpeg, involving some testing. I'll
have a look at them.

Cheers,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




Debian LTS Report for October 2016

2016-11-03 Thread Hugo Lefeuvre
Hi,

October 2016 was my second month as a paid Debian LTS contributor.
I was allocated 12 hours. I have spent 12 hours doing the following tasks:

* Test and upload a security update for libav (0.8.18-0+deb7u1). Discussion
  with upstream to get more point releases.

  DLA: 644-1
  Closed CVEs: CVE-2015-1872, CVE-2015-5479, CVE-2016-7393

* Finish, test and upload of a security update for qemu (1.1.2+dfsg-6+deb7u16)
  and qemu-kvm (1.1.2+dfsg-6+deb7u16).

  DLA: 652-1, 653-1 
  Closed CVEs: CVE-2016-7161, CVE-2016-7170, CVE-2016-7908

* Investigations to develop a patch for CVE-2016-7466[0]. Thanks to Guido
  Günther, we decided to mark it no-dsa (see the security tracker for more
  explanations).

* Prepare, test and upload a security update for libxrandr (2:1.3.2-2+deb7u2).

  DLA: 660-1 
  Closed CVEs: CVE-2016-7947, CVE-2016-7948

* Various CVE triaging (e.g. add link to upstream commits for CVE-2016{8678,
  8577, 8576, 8669 ... }).

* Prepare, test and upload of a security update for qemu (1.1.2+dfsg-6+deb7u17)
  and qemu-kvm (1.1.2+dfsg-6+deb7u17).

  DLA: 678-1, 679-1 
  Closed CVEs: CVE-2016-8578, CVE-2016-8577, CVE-2016-8576, CVE-2016-8669

Cheers,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




Re: CVE-2016-9013 / django-python

2016-11-03 Thread Ben Hutchings
On Fri, 2016-11-04 at 08:31 +1100, Brian May wrote:
> Hello All,
> 
> Looking at CVE-2016-9013 for django-python in wheezy-security, I see
> that:
> 
> * It only occurs if you run the tests on an Oracle server.
> * The window for exploitation is reduced if you don't use the --keepdb
>   option. Not sure why you would want to use this option on a production
>   system.
> * A test user is created on the Oracle server with a known password. Bad.
> * If you used the --keepdb option, the upstream patch doesn't "fix"
>   existing installs. Fix must be done manually and doesn't require the patch.
> 
> In porting the patch across, I found it doesn't port easily. So the
> patch basically needs to be recreated. Shouldn't be too hard really - it
> is simple to understand. However I don't have an Oracle server to test
> the resultant patch against.
> 
> So just wondering if anybody uses django-python with Oracle, and if this
> security fix warrants getting fixed in wheezy-security.
> 
> Maybe this warrants a security advisory without a patch? Is that even
> possible?

I'm not convinced this even warrants a security advisory.  So far as I
can see, the old behaviour:
- is not triggered by normal usage, and cannot be triggered by a
  malicious user
- is documented, and can be overridden:
  


Ben.

-- 
Ben Hutchings
The world is coming to an end.  Please log off.




Re: linux-image-3.2.0-4-486

2016-11-03 Thread Ben Hutchings
On Wed, 2016-11-02 at 22:25 +0100, Miroslav Skoric wrote:
> Ten days ago I upgraded one of my older PCs running wheezy from kernel
> 3.2.81-2 to 3.2.82-1 and soon after I realized that the system started
> to "freeze" a couple of minutes after booting.

Does that happen while you are actively using the system, or while it
is idle?

> In fact nothing else could be done but pressing the reset button. After
> downgrading the kernel back to 3.2.81-2 everything seemed back to normal.
> Any idea?

Does this system use a GUI or text console?  If it uses a GUI, please
try switching to a text console after booting as the kernel may be able
to log some error messages there.

If the freeze is only triggered while you are using a GUI, please use
netconsole to capture kernel log messages on another computer:
https://www.kernel.org/doc/Documentation/networking/netconsole.txt

Ben.

-- 
Ben Hutchings
The world is coming to an end.  Please log off.


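The netconsole setup Ben points to, as an added example that is not part of the thread: it builds the module parameter in the format documented in Documentation/networking/netconsole.txt for the freezing machine and derives the matching listener command for the receiving machine. All addresses, the interface name and the MAC are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: derive the netconsole module parameter
# for the freezing wheezy box and the matching UDP listener for the other
# computer. IPs, interface and MAC below are constructed placeholders.

# build_netconsole SRC_PORT SRC_IP DEV TGT_PORT TGT_IP TGT_MAC
# -> netconsole=<src-port>@<src-ip>/<dev>,<tgt-port>@<tgt-ip>/<tgt-mac>
# (DEV is the sender's NIC; TGT_MAC is the receiver's, or the gateway's
# when the receiver is on another subnet).
build_netconsole() {
    printf 'netconsole=%s@%s/%s,%s@%s/%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# target_port PARAM -> the UDP port the receiver must listen on
target_port() {
    p=${1#*,}                 # drop "netconsole=<src-part>,"
    printf '%s' "${p%%@*}"    # keep what precedes the first "@"
}

# target_ip PARAM -> the receiver address encoded in the parameter
target_ip() {
    p=${1#*,}
    p=${p#*@}                 # drop "<tgt-port>@"
    printf '%s' "${p%%/*}"    # keep what precedes "/<tgt-mac>"
}

# listener_cmd PORT -> command for the receiving computer (traditional
# netcat syntax; BSD netcat takes "nc -u -l PORT" instead)
listener_cmd() {
    printf 'nc -u -l -p %s' "$1"
}

main() {
    param=$(build_netconsole 6665 192.168.1.10 eth0 \
                             6666 192.168.1.20 00:11:22:33:44:55)
    port=$(target_port "$param")
    echo "On the freezing machine, as root, right after boot:"
    echo "  modprobe netconsole $param"
    echo "On $(target_ip "$param"), keep this running until the freeze:"
    echo "  $(listener_cmd "$port") | tee kernel-netconsole.log"
}

main "$@"
```

Only messages at or below the sender's console loglevel reach the receiver, so raising it with `dmesg -n 8` on the freezing machine before the hang makes the captured log more useful.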


Re: CVE-2016-9013 / django-python

2016-11-03 Thread Brian May
Ben Hutchings writes:

> I'm not convinced this even warrants a security advisory.

Same here. So maybe I should just mark it no-dsa? Possibly confirming
with the security-team first to see if I should also mark Jessie no-dsa
too.
-- 
Brian May