CVE-2019-1551/openssl triage
Hi Utkarsh,

You wrote for CVE-2019-1551:
+ [jessie] - openssl (Only affects OpenSSL > 1.1.0-pre1)

However the advisory says:
https://www.openssl.org/news/secadv/20191206.txt
"OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue."

So the status for 1.0.1 (jessie, wheezy) isn't clear.
Can you add more elements to your triage?

Cheers!
Sylvain
Re: CVE-2019-1551/openssl triage
Hi Sylvain,

On 09/12/19 2:14 pm, Sylvain Beucler wrote:
> Hi Utkarsh,
>
> You wrote for CVE-2019-1551:
> + [jessie] - openssl (Only affects OpenSSL > 1.1.0-pre1)
>
> However the advisory says:
> https://www.openssl.org/news/secadv/20191206.txt
> "OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue."
>
> So the status for 1.0.1 (jessie, wheezy) isn't clear.
>
> Can you add more elements to your triage?

Sure thing. Here's what led to this commit:

- The upstream fix[1] provides a patch which is in the
  crypto/bn/asm/rsaz-x86_64.pl file.
- Going back to the git history of this file, it leads to this
  commit[2], where the RSAZ assembly modules were first added.
- The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1".
- Still to double check, I went to the release tag of the version in
  Jessie (that is, 1.0.1t), which leads to here[3].
- Checking the files in this release, there are no RSAZ assembly modules
  added here, which indeed confirms that the version in Jessie is
  actually not affected, since the affected modules were added in the
  later release.

Hope that makes sense?

P.S. Sent the same to the security team as well.

Best,
Utkarsh

---
[1]: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98
[2]: https://github.com/openssl/openssl/commit/0b4bb91db65697ab6d3a0fc05b140887cbce3080#diff-e55cf156f8579e17800742c38b325e07
[3]: https://github.com/openssl/openssl/releases/tag/OpenSSL_1_0_1t
Re: CVE-2019-1551/openssl triage
Hi,

On 09/12/2019 10:13, Utkarsh Gupta wrote:
> Here's what led to this commit:
>
> - The upstream fix[1] provides a patch which is in the
>   crypto/bn/asm/rsaz-x86_64.pl file.
> - Going back to the git history of this file, it leads to this
>   commit[2], where the RSAZ assembly modules were first added.
> - The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1".

But the commit was cherry-picked to 1.0.2, and possibly other versions:
https://github.com/openssl/openssl/commit/d5572bdc6432b900b669a0333fc2024b0cb0bc20

> - Still to double check, I went to the release tag of the version in
>   Jessie (that is, 1.0.1t), which leads to here[3].
> - Checking the files in this release, there are no RSAZ assembly modules
>   added here, which indeed confirms that the version in Jessie is
>   actually not affected, since the affected modules were added in the
>   later release.

So the reason is that the code is not present in 1.0.1t, not that it's
never present in < 1.1.0-pre1.

Cheers!
Sylvain
Re: CVE-2019-1551/openssl triage
Hi,

On 09/12/19 2:48 pm, Sylvain Beucler wrote:
> Hi,
>
> On 09/12/2019 10:13, Utkarsh Gupta wrote:
>> Here's what led to this commit:
>>
>> - The upstream fix[1] provides a patch which is in the
>>   crypto/bn/asm/rsaz-x86_64.pl file.
>> - Going back to the git history of this file, it leads to this
>>   commit[2], where the RSAZ assembly modules were first added.
>> - The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1".
>
> But the commit was cherry-picked to 1.0.2, and possibly other versions:
> https://github.com/openssl/openssl/commit/d5572bdc6432b900b669a0333fc2024b0cb0bc20
>
>> - Still to double check, I went to the release tag of the version in
>>   Jessie (that is, 1.0.1t), which leads to here[3].
>> - Checking the files in this release, there are no RSAZ assembly modules
>>   added here, which indeed confirms that the version in Jessie is
>>   actually not affected, since the affected modules were added in the
>>   later release.
>
> So the reason is that the code is not present in 1.0.1t, not that it's
> never present in < 1.1.0-pre1.

Ah, I should've been clearer. They have an unusual way of releasing that
rather confused me.

Thanks, indeed. I'll fix the note.

Best,
Utkarsh
Re: CVE-2019-1551/openssl triage
On 09/12/19 3:00 pm, Utkarsh Gupta wrote:
> Hi,
>
> On 09/12/19 2:48 pm, Sylvain Beucler wrote:
>> Hi,
>>
>> On 09/12/2019 10:13, Utkarsh Gupta wrote:
>>> Here's what led to this commit:
>>>
>>> - The upstream fix[1] provides a patch which is in the
>>>   crypto/bn/asm/rsaz-x86_64.pl file.
>>> - Going back to the git history of this file, it leads to this
>>>   commit[2], where the RSAZ assembly modules were first added.
>>> - The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1".
>>
>> But the commit was cherry-picked to 1.0.2, and possibly other versions:
>> https://github.com/openssl/openssl/commit/d5572bdc6432b900b669a0333fc2024b0cb0bc20
>>
>>> - Still to double check, I went to the release tag of the version in
>>>   Jessie (that is, 1.0.1t), which leads to here[3].
>>> - Checking the files in this release, there are no RSAZ assembly modules
>>>   added here, which indeed confirms that the version in Jessie is
>>>   actually not affected, since the affected modules were added in the
>>>   later release.
>>
>> So the reason is that the code is not present in 1.0.1t, not that it's
>> never present in < 1.1.0-pre1.
>
> Ah, I should've been clearer. They have an unusual way of releasing that
> rather confused me.

Most of the 1.0.2(x) releases were after 1.1.0-pre1.

Anyway, here's a clearer summary (also on the tracker now):

Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d).
Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).

> Thanks, indeed. I'll fix the note.

Fixed!

Best,
Utkarsh
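An added example, not part of the thread, that encodes the two affected ranges from the summary above and checks a packaged OpenSSL version against them: it is the branch range, not the first tag a commit appeared in, that decides whether a version is affected, which is the point the thread settles. The OpenSSL 1.x version grammar (numeric branch, letter patch release, "-preN" and "-dev" suffixes) is assumed from the version strings quoted in the thread.

```python
import re

# Affected ranges as posted in the thread: (first affected, last affected) per branch.
AFFECTED_CVE_2019_1551 = [("1.1.1", "1.1.1d"), ("1.0.2", "1.0.2t")]


def parse_openssl_version(version):
    """Turn an OpenSSL 1.x version string into a sortable key.

    Key layout: (branch, letters, stage) so that, e.g.,
    1.1.0-pre1 < 1.1.0 and 1.0.2t < 1.0.2u-dev < 1.0.2u.
    Assumed grammar: N.N.N, optional letter suffix (0.9.8 used 'za'-style
    multi-letter releases, handled by comparing letter tuples), optional
    '-preN' (pre-release) or '-dev' (unreleased next version).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(pre\d+|dev))?", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version}")
    major, minor, fix, letters, tag = m.groups()
    branch = (int(major), int(minor), int(fix))
    letter_key = tuple(ord(c) - ord("a") + 1 for c in letters)
    if tag is None:
        stage = (2, 0)            # final release
    elif tag == "dev":
        stage = (1, 0)            # development snapshot before the final release
    else:
        stage = (0, int(tag[3:]))  # preN, ordered by N
    return (branch, letter_key, stage)


def is_affected(version, ranges=AFFECTED_CVE_2019_1551):
    """True if `version` lies on an affected branch and inside its range.

    Tag chronology across branches (most 1.0.2x releases postdate
    1.1.0-pre1) is deliberately ignored: a cherry-pick to a stable branch
    affects only the versions cut from that branch.
    """
    key = parse_openssl_version(version)
    for first, last in ranges:
        lo, hi = parse_openssl_version(first), parse_openssl_version(last)
        if key[0] == lo[0] and lo <= key <= hi:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the Jessie version from the thread plus a few neighbours.
    for v in ["1.0.1t", "1.0.2t", "1.0.2u", "1.1.1d", "1.1.1e-dev", "1.1.0-pre1"]:
        print(f"{v:>11}: {'affected' if is_affected(v) else 'not affected'}")
```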
RFS: htmldoc
Hiya,

I request the sponsorship of htmldoc which fixes CVE-2019-19630.
I've uploaded the package to mentors.d.net and the relevant .dsc can be
found here[1].

Attaching the DLA file for the announcement.
Shall send the patch to the maintainer by tomorrow or so.

Best,
Utkarsh

---
[1]: https://mentors.debian.net/debian/pool/main/h/htmldoc/htmldoc_1.8.27-8+deb8u1.dsc

From: Utkarsh Gupta
To: debian-lts-annou...@lists.debian.org
Subject: [SECURITY] [DLA 2026-1] htmldoc security update

Package        : htmldoc
Version        : 1.8.27-8+deb8u1
CVE ID         : CVE-2019-19630

In HTMLDOC, there was a one-byte underflow in htmldoc/ps-pdf.cxx caused
by a floating point math difference between GCC and Clang.

For Debian 8 "Jessie", this problem has been fixed in version
1.8.27-8+deb8u1.

We recommend that you upgrade your htmldoc packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
(semi-)automatic unclaim of packages with more than 2 weeks of inactivity
hi,

today I unclaimed for LTS:

- clamav (hle)
- freeimage (hle)
- libjpeg-turbo (Utkarsh Gupta)
- python-reportlab (Hugo Lefeuvre)
- tightvnc (Mike Gabriel)
- xcftools (hle)

for eLTS:

- intel-microcode (Markus Koschany)

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: RFS: htmldoc
Hi Utkarsh,

> I request the sponsorship of htmldoc which fixes CVE-2019-19630.
> I've uploaded the package to mentors.d.net and the relevant .dsc can be
> found here[1].

Uploaded htmldoc_1.8.27-8+deb8u1_amd64.changes and announced as
DLA-2026-1.

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
Re: RFS: htmldoc
Hiya,

On 09/12/19 4:55 pm, Chris Lamb wrote:
> Hi Utkarsh,
>
>> I request the sponsorship of htmldoc which fixes CVE-2019-19630.
>> I've uploaded the package to mentors.d.net and the relevant .dsc can be
>> found here[1].
>
> Uploaded htmldoc_1.8.27-8+deb8u1_amd64.changes and announced as
> DLA-2026-1.

Many thanks :)
Pushed the update for the website as well.

Best,
Utkarsh
LTS report for November 2019
Hours worked: 18 hours

Work done:

- DLA 1698-2 file regression update
- DLA 2017-1 asterisk CVE-2019-18610 CVE-2019-18790
- DLA 2018-1 proftpd-dfsg CVE-2019-19269
ibus/CVE-2019-14822/glibc
Apparently the fix for ibus creates a regression in glibc that must get
fixed also:

https://gitlab.gnome.org/GNOME/glib/merge_requests/1176

However this patch patches GIO in glibc, and it looks like glibc in
Jessie (2.19-18+deb8u10) doesn't have this directory. Or anything
related to GIO that I can see.

Hence, I am inclined to think maybe glibc doesn't need to be fixed in
Jessie.

--
Brian May
https://linuxpenguins.xyz/brian/