Re: unrealize mechanism in 9pfs
Hi,

> Could you paste the commands / libvirt configs you used to test this?

for handle:

    qemu -hda debian_wheezy_amd64_standard.qcow2 -fsdev handle,id=ninepfstest,path=/home/user/ -device virtio-9p-pci,fsdev=ninepfstest,mount_tag=ninepfstest

for proxy:

    qemu -hda debian_wheezy_amd64_standard.qcow2 -fsdev proxy,id=ninepfstest,path=/home/user/,sock_fd=1 -device virtio-9p-pci,fsdev=ninepfstest,mount_tag=ninepfstest

I've tested with several sock_fd values.

For qemu-kvm, I've just replaced 'qemu' by 'kvm'.

You can find the 'debian_wheezy_amd64_standard.qcow2' image here[0].

The libvirt config files are the default ones. I used the official
wheezy livecd[1] as test system. A tarred copy of the /etc/libvirt
directory is in attachment.

Cheers,
 Hugo

[0] https://people.debian.org/~aurel32/qemu/amd64/
[1] http://cdimage.debian.org/mirror/cdimage/archive/7.11.0-live/

--
Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

Re: [Debian-med-packaging] Wheezy update of dcmtk?
On 12/19/2016 03:58 PM, Bálint Réczey wrote:
> Hi,
>
> 2016-12-19 9:10 GMT+01:00 Sébastien Jodogne:
>> Dear all,
>>
>>> On Sun, Dec 18, 2016 at 10:47:05PM +0100, Markus Koschany wrote:
>>>> Hello dear maintainer(s),
>>>>
>>>> the Debian LTS team would like to fix the security issues which are
>>>> currently open in the Wheezy version of dcmtk:
>>>> https://security-tracker.debian.org/tracker/CVE-2015-8979
>>>>
>>>> Would you like to take care of this yourself?
>>>
>>> I personally feel not capable to do so and Mathieu left the team - so I
>>> would be astonished (but definitely happy!) if he would step in for this
>>> task. If you do not receive a positive response from Gert I doubt that
>>> anybody else from the team would take over.
>>
>>
>> I personally consider this issue as severe, as any DCMTK 3.6.0-based DICOM
>> SCP (server) is affected (including the well-known Horos/OsiriX viewer).
>>
>> Orthanc was also affected by this problem. Orthanc 1.2.0 was released last
>> week in order to fix this vulnerability in its static builds (notably for
>> Windows and OS X). The patch we applied can be found at the following
>> location:
>> https://bitbucket.org/sjodogne/orthanc/src/eb363ec95d863989abf5a59174ff3164c2831f2e/Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch?at=default&fileviewer=file-view-default
>>
>> As this patch is very simple (six lines of code), it should be easy to
>> backport it to the DCMTK Debian package.
>>
>> Unfortunately, I do not know how to fix such issues in Wheezy, and I am
>> currently under heavy pressure wrt. the Orthanc upstream project... maybe
>> someone could do this backporting job?
>
> I'll do it in a few hours.
> I have also claimed the package in dla-needed.txt.

Thank you for the additional info and the potential patch.

I have prepared the update for Wheezy based on the upstream patch
instead to diverge less from upstream in case we have to patch the code
further. The error reporting is also more verbose and accurate.

Please see the diff to previous version attached.

Changes:
 dcmtk (3.6.0-12+deb7u1) wheezy-security; urgency=medium
 .
   * LTS Team upload.
   * Fix remote stack buffer overflow (CVE-2015-8979) (Closes: #848830)
   * Enable tests for the fix

I plan uploading the package today around 22:00 UTC.

The binary packages for amd64 are also available for testing here:

deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

Cheers,
Balint

diff -Nru dcmtk-3.6.0/debian/changelog dcmtk-3.6.0/debian/changelog --- dcmtk-3.6.0/debian/changelog 2012-12-20 13:22:26.0 +0100 +++ dcmtk-3.6.0/debian/changelog 2016-12-20 03:23:36.0 +0100 @@ -1,3 +1,11 @@ +dcmtk (3.6.0-12+deb7u1) wheezy-security; urgency=medium + + * LTS Team upload. + * Fix remote stack buffer overflow (CVE-2015-8979) (Closes: #848830) + * Enable tests for the fix + + -- Balint Reczey Mon, 19 Dec 2016 20:41:08 +0100 + dcmtk (3.6.0-12) unstable; urgency=low [ Andrey Rahmatullin ] diff -Nru dcmtk-3.6.0/debian/patches/0001-Fixed-possible-underflows-and-overflows.patch dcmtk-3.6.0/debian/patches/0001-Fixed-possible-underflows-and-overflows.patch --- dcmtk-3.6.0/debian/patches/0001-Fixed-possible-underflows-and-overflows.patch 1970-01-01 01:00:00.0 +0100 +++ dcmtk-3.6.0/debian/patches/0001-Fixed-possible-underflows-and-overflows.patch 2016-12-20 16:47:41.0 +0100 
@@ -0,0 +1,977 @@ +From 5475a01c74bdf6258eccd4238e5df42eaca8ba58 Mon Sep 17 00:00:00 2001 +From: Michael Onken +Date: Mon, 14 Dec 2015 21:50:43 +0100 +Subject: [PATCH] Fixed possible underflows and overflows. + +At several places in the code a wrong length of ACSE data structures received +over the network can cause overflows or underflows when processing those +data structures. Related checks have been added at various places in order +to prevent such (possible) attacks. + +Thanks to Kevin Basista for the report. + +Conflicts: + dcmnet/libsrc/dulparse.cc + ofstd/tests/tests.cc + ofstd/tests/tofstd.cc + +Cutting safeAdd() to not pull in many new files by Balint Reczey. +--- + dcmnet/libsrc/dulparse.cc | 93 +-- + ofstd/include/dcmtk/ofstd/ofstd.h | 27 +- + ofstd/include/dcmtk/ofstd/oftest.h | 519 + ofstd/tests/Makefile.in | 15 +- + ofstd/tests/taddsub.cc | 47 + ofstd/tests/tests-new-framework.exp | 1 + + ofstd/tests/tests.cc| 28 ++ + 7 files changed, 705 insertions(+), 25 deletions(-) + create mode 100644 ofstd/include/dcmtk/ofstd/oftest.h + create mode 100644 ofstd/tests/taddsub.cc + create mode 100644 ofstd/tests/tests-new-framework.exp + create mode 100644 ofstd/tests/tests.cc + +diff --git a/dcmnet/libsrc/dulparse.cc b/dcmnet/libsrc/dulparse.cc +index ee6a7bd..1a9f4f4 100644 +--- a/dcmnet/libsrc/dulparse.cc b/dcmnet/libsrc/dulparse.cc +@@ -1,6 +1,6 @@ + /* + * +- * Copyright (C) 1994-2010, OFFIS e.V. ++ * Copyright (C) 1994-2015, OFFIS e.V. + * All rights reserved.
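Review bot: the new debian/changelog entry does not say where the fix lives or that it is a modified backport. "Fix remote stack buffer overflow (CVE-2015-8979)" should name debian/patches/0001-Fixed-possible-underflows-and-overflows.patch and the upstream commit 5475a01c74bdf6258eccd4238e5df42eaca8ba58 it is taken from, and "Enable tests for the fix" should say which tests were added and how they are run during the build, so the upload can be audited from the changelog alone.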
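Review bot: the header of 0001-Fixed-possible-underflows-and-overflows.patch still presents the change as Michael Onken's upstream commit, yet the body was altered ("Conflicts:" in dcmnet/libsrc/dulparse.cc, ofstd/tests/tests.cc and ofstd/tests/tofstd.cc, plus "Cutting safeAdd() to not pull in many new files"). Add DEP-3 style fields marking it as a backport with the upstream commit id and the Debian bug #848830, and state what was cut from safeAdd() and why the remaining code still guards every length addition in dulparse.cc. The diffstat also shows that the largest part of the 705 insertions is test scaffolding (ofstd/include/dcmtk/ofstd/oftest.h, ofstd/tests/*) rather than the dulparse.cc fix, and that ofstd/tests/tofstd.cc is listed under "Conflicts:" but not among the 7 changed files; please explain how that conflict was resolved and check whether the new oftest.h under ofstd/include/ ends up in the installed headers of a security update.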
Wheezy update of postgresql-common?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of postgresql-common:
https://security-tracker.debian.org/tracker/CVE-2016-1255

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of postgresql-common updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Wheezy update of libcrypto++?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of libcrypto++:
https://security-tracker.debian.org/tracker/CVE-2016-9939

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of libcrypto++ updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Re: Wheezy update of postgresql-common?
Re: Ola Lundqvist 2016-12-20 <20161220215504.ga24...@inguza.net>
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of postgresql-common:
> https://security-tracker.debian.org/tracker/CVE-2016-1255
>
> Would you like to take care of this yourself?

Yes.

Christoph

Wheezy update of libgd2?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of libgd2:
https://security-tracker.debian.org/tracker/CVE-2016-9933

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of libgd2 updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Updating pgpdump and shutter
Hello,

jessie release team has accepted (#ticket) updates for

  pgpdump #773747 [CVE-2016-4021] (#848610)
  shutter #798862 [CVE-2015-0854] (#848908)

in the next jessie point release. Since both issues apply to wheezy as
well, I plan according uploads.

I've already claimed the packages in data/dla-needed.txt, please object
right now.

Christoph

Re: [Debian-med-packaging] Wheezy update of dcmtk?
Dear Andreas & Med Team,

I have tested the patch with the Jessie version, too, to see if the
exploit stops working with orthanc and it does stop working indeed.
(Wheezy does not have orthanc.)

The debdiff is basically the same.

Should I contact the Security Team about fixing it in Jessie, too, or
someone else from the team will take care of this?

Cheers,
Balint

2016-12-20 17:17 GMT+01:00 Balint Reczey:
> On 12/19/2016 03:58 PM, Bálint Réczey wrote:
>> Hi,
>>
>> 2016-12-19 9:10 GMT+01:00 Sébastien Jodogne:
>>> Dear all,
>>>
>>>> On Sun, Dec 18, 2016 at 10:47:05PM +0100, Markus Koschany wrote:
>>>>> Hello dear maintainer(s),
>>>>>
>>>>> the Debian LTS team would like to fix the security issues which are
>>>>> currently open in the Wheezy version of dcmtk:
>>>>> https://security-tracker.debian.org/tracker/CVE-2015-8979
>>>>>
>>>>> Would you like to take care of this yourself?
>>>>
>>>> I personally feel not capable to do so and Mathieu left the team - so I
>>>> would be astonished (but definitely happy!) if he would step in for this
>>>> task. If you do not receive a positive response from Gert I doubt that
>>>> anybody else from the team would take over.
>>>
>>>
>>> I personally consider this issue as severe, as any DCMTK 3.6.0-based DICOM
>>> SCP (server) is affected (including the well-known Horos/OsiriX viewer).
>>>
>>> Orthanc was also affected by this problem. Orthanc 1.2.0 was released last
>>> week in order to fix this vulnerability in its static builds (notably for
>>> Windows and OS X). The patch we applied can be found at the following
>>> location:
>>> https://bitbucket.org/sjodogne/orthanc/src/eb363ec95d863989abf5a59174ff3164c2831f2e/Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch?at=default&fileviewer=file-view-default
>>>
>>> As this patch is very simple (six lines of code), it should be easy to
>>> backport it to the DCMTK Debian package.
>>>
>>> Unfortunately, I do not know how to fix such issues in Wheezy, and I am
>>> currently under heavy pressure wrt. the Orthanc upstream project... maybe
>>> someone could do this backporting job?
>>
>> I'll do it in a few hours.
>> I have also claimed the package in dla-needed.txt.
>
> Thank you for the additional info and the potential patch.
>
> I have prepared the update for Wheezy based on the upstream patch
> instead to diverge less from upstream in case we have to patch the code
> further. The error reporting is also more verbose and accurate.
>
> Please see the diff to previous version attached.
>
> Changes:
>  dcmtk (3.6.0-12+deb7u1) wheezy-security; urgency=medium
>  .
>    * LTS Team upload.
>    * Fix remote stack buffer overflow (CVE-2015-8979) (Closes: #848830)
>    * Enable tests for the fix
>
> I plan uploading the package today around 22:00 UTC.
>
> The binary packages for amd64 are also available for testing here:
>
> deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/
>
> Cheers,
> Balint