On Tue, 2021-03-16 at 13:48 -0400, Leo Famulari wrote:
> This is off-topic, but I think that CVE scoring is not really that
> useful. This bug is a local TOCTOU race which is bad but hardly
> critical, IMO. For something to be critical, it should enable remote
> execution of arbitrary code.

Well you don't know what people use zstd for, easily escalates to more
critical issues depending on people's use case. Also I think CRITICAL
reasoning here is also because it's a trivial to understand and exploit
issue, it's not like an obscure memory safety issue with no known PoC
but probable exploitation.

I do not agree in general not patching CVEs even if low (publicized)
severity as long as it's possible for us to do it. Often the
vulnerabilities have an unobserved attack angle and severity may be
underevaluated. The zstd patch was tested on x86_64-linux it's
unfortunate the test suite fails (errornously, not an actual fault) on
32bit archs, otherwise it's no issue. I wish the zstd test suite was
more reliable in general, generating random data in their test suite
doesnt help determinism here. I think I tried on i686-linux to build as
well and it succeeded for me so I pushed, but it didnt fail on me and
when I retried later it did, so definitely some non-determinism here.

Since we know there's no actual fault in the test suite because it
passes I thought it was relatively fine to disable the test suite
temporarily until core-updates comes in (if we don't change versions in
between and revisit).

Zimoun:
> which fails for the value 19 but not other values as 18 or 20 or many
> others.  After a quick reading of the doc, I am not sure to
> understand
> the meaning of such value.  Input welcome.

https://github.com/facebook/zstd/issues/2528 - I asked upstream earlier
and see their answer

> I agree that security is important but we lived more than one and
> half
> year with 1.4.4 so the upgrade to 1.4.9 should only go to
> core-updates, not as a 'replacement' graft.  IMHO.

To add, I don't think we should reason that way, it's not because we
lived with something that we should live with it longer, I don't want
unpatched zstd (or any other) CVEs on my system. Actually I am not sure
1.4.4 had any CVE before that one though, so that must also be why.

Léo