From: "Léo Le Bouter" <lle-bout@zaclys.net>
To: Leo Famulari <leo@famulari.name>
Cc: zimoun <zimon.toutoune@gmail.com>, Guix Devel <guix-devel@gnu.org>
Subject: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Date: Tue, 16 Mar 2021 19:03:36 +0100 [thread overview]
Message-ID: <53199ccfb7ee6f7414eaddb764bee33ae3252517.camel@zaclys.net> (raw)
In-Reply-To: <YFDvhWwqN9ixKryV@jasmine.lan>
[-- Attachment #1: Type: text/plain, Size: 2332 bytes --]
On Tue, 2021-03-16 at 13:48 -0400, Leo Famulari wrote:
> This is off-topic, but I think that CVE scoring is not really that
> useful. This bug is a local TOCTOU race which is bad but hardly
> critical, IMO. For something to be critical, it should enable remote
> execution of arbitrary code.
Well you don't know what people use zstd for, easily escalates to more
critical issues depending on people's use case. Also I think CRITICAL
reasoning here is also because it's a trivial to understand and exploit
issue, it's not like an obscure memory safety issue with no known PoC
but probable exploitation.
I do not agree in general not patching CVEs even if low (publicized)
severity as long as it's possible for us to do it. Often the
vulnerabilities have an unobserved attack angle and severity may be
underevaluated. The zstd patch was tested on x86_64-linux it's
unfortunate the test suite fails (errornously, not an actual fault) on
32bit archs, otherwise it's no issue. I wish the zstd test suite was
more reliable in general, generating random data in their test suite
doesnt help determinism here. I think I tried on i686-linux to build as
well and it succeeded for me so I pushed, but it didnt fail on me and
when I retried later it did, so definitely some non-determinism here.
Since we know there's no actual fault in the test suite because it
passes I thought it was relatively fine to disable the test suite
temporarily until core-updates comes in (if we don't change versions in
between and revisit).
Zimoun:
> which fails for the value 19 but not other values as 18 or 20 or many
> others. After a quick reading of the doc, I am not sure to
> understand
> the meaning of such value. Input welcome.
https://github.com/facebook/zstd/issues/2528 - I asked upstream earlier
and see their answer
> I agree that security is important but we lived more than one and
> half
> year with 1.4.4 so the upgrade to 1.4.9 should only go to
> core-updates, not as a 'replacement' graft. IMHO.
To add, I don't think we should reason that way, it's not because we
lived with something that we should live with it longer, I don't want
unpatched zstd (or any other) CVEs on my system. Actually I am not sure
1.4.4 had any CVE before that one though, so that must also be why.
Léo
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2021-03-16 18:11 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-06 5:09 GNU Guix (pull?) on i686 broke after zstd grafting Léo Le Bouter
2021-03-06 5:30 ` Léo Le Bouter
2021-03-10 10:37 ` Ludovic Courtès
2021-03-10 10:43 ` Léo Le Bouter
2021-03-11 2:11 ` Léo Le Bouter
2021-03-11 9:37 ` zimoun
2021-03-11 9:40 ` Léo Le Bouter
2021-03-11 9:58 ` zimoun
2021-03-11 10:05 ` Léo Le Bouter
2021-03-16 16:34 ` Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates? zimoun
2021-03-16 17:06 ` Léo Le Bouter
2021-03-16 17:48 ` Leo Famulari
2021-03-16 18:03 ` Léo Le Bouter [this message]
2021-03-16 17:59 ` zimoun
2021-03-16 17:55 ` Leo Famulari
2021-03-16 18:08 ` Léo Le Bouter
2021-03-16 18:46 ` zimoun
2021-03-16 18:50 ` Léo Le Bouter
2021-03-16 19:04 ` zimoun
2021-03-16 18:19 ` zimoun
2021-03-16 18:26 ` Léo Le Bouter
2021-03-16 19:18 ` Leo Famulari
2021-03-16 19:25 ` zimoun
2021-03-16 19:29 ` Leo Famulari
2021-03-16 21:46 ` Security-czar needed? WAS: " Bengt Richter
2021-03-16 22:03 ` Leo Famulari
2021-03-17 6:24 ` Léo Le Bouter
2021-03-17 14:00 ` zimoun
2021-03-16 21:47 ` Maxime Devos
2021-03-16 20:53 ` Tobias Geerinckx-Rice
2021-03-16 21:18 ` Vincent Legoll
2021-03-16 21:56 ` Leo Famulari
2021-03-17 6:40 ` Léo Le Bouter
2021-03-30 0:35 ` Léo Le Bouter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53199ccfb7ee6f7414eaddb764bee33ae3252517.camel@zaclys.net \
--to=lle-bout@zaclys.net \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).