From: Léo Le Bouter
To: Leo Famulari
Cc: zimoun, Guix Devel <guix-devel@gnu.org>
Subject: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Date: Tue, 16 Mar 2021 19:03:36 +0100
Message-ID: <53199ccfb7ee6f7414eaddb764bee33ae3252517.camel@zaclys.net>
References: <91998d12df3c4a279f46cf50b15d47c99e064a46.camel@zaclys.net> <276b294f71020e0139bd5a0c6ac4363c246b8a29.camel@zaclys.net>
List-Id: Development of GNU Guix and the GNU System distribution (guix-devel@gnu.org)
On Tue, 2021-03-16 at 13:48 -0400, Leo Famulari wrote:
> This is off-topic, but I think that CVE scoring is not really that
> useful. This bug is a local TOCTOU race which is bad but hardly
> critical, IMO. For something to be critical, it should enable remote
> execution of arbitrary code.

Well, you don't know what people use zstd for; it easily escalates to more critical issues depending on people's use case. Also, I think the CRITICAL reasoning here is also because it's a trivial-to-understand-and-exploit issue; it's not like an obscure memory safety issue with no known PoC but probable exploitation.

I do not agree in general with not patching CVEs, even if of low (publicized) severity, as long as it's possible for us to do it. Often the vulnerabilities have an unobserved attack angle and severity may be underevaluated.

The zstd patch was tested on x86_64-linux; it's unfortunate the test suite fails (erroneously, not an actual fault) on 32-bit archs, otherwise it's no issue. I wish the zstd test suite was more reliable in general; generating random data in their test suite doesn't help determinism here. I think I tried on i686-linux to build as well and it succeeded for me so I pushed, but it didn't fail on me and when I retried later it did, so definitely some non-determinism here. Since we know there's no actual fault in the test suite because it passes, I thought it was relatively fine to disable the test suite temporarily until core-updates comes in (if we don't change versions in between and revisit).

Zimoun:
> which fails for the value 19 but not other values as 18 or 20 or many
> others. After a quick reading of the doc, I am not sure to understand
> the meaning of such value. Input welcome.

https://github.com/facebook/zstd/issues/2528 - I asked upstream earlier and see their answer.

> I agree that security is important but we lived more than one and half
> year with 1.4.4 so the upgrade to 1.4.9 should only go to
> core-updates, not as a 'replacement' graft. IMHO.

To add, I don't think we should reason that way; it's not because we lived with something that we should live with it longer. I don't want unpatched zstd (or any other) CVEs on my system. Actually I am not sure 1.4.4 had any CVE before that one though, so that must also be why.

Léo
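The 'replacement' graft the thread is debating, as an added sketch that is not code from the Guix tree or from anyone in the thread: the package on master keeps version 1.4.4, and a `replacement` field points at a variant that inherits it, bumps the source to 1.4.9, and skips the test suite as the message describes. The hashes are all-zero placeholders and the build arguments are simplified; the module name is invented for the example.

```scheme
;; Added illustration of a Guix graft; not the project's actual zstd
;; definition.  Hashes are PLACEHOLDERS (valid syntax, not real values).
(define-module (example zstd-graft)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix utils)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

(define (zstd-uri version)
  (string-append "https://github.com/facebook/zstd/releases/download/v"
                 version "/zstd-" version ".tar.gz"))

(define-public zstd
  (package
    (name "zstd")
    (version "1.4.4")
    (source (origin
              (method url-fetch)
              (uri (zstd-uri version))
              (sha256 (base32 "0000000000000000000000000000000000000000000000000000")))) ; PLACEHOLDER
    (build-system gnu-build-system)
    ;; The graft: dependents keep building against this 1.4.4 derivation,
    ;; and at the end the store references are rewritten to `zstd/fixed'.
    ;; That is what lets a security fix ship on master without the full
    ;; rebuild a version bump would otherwise trigger (hence core-updates).
    (replacement zstd/fixed)
    (arguments
     ;; zstd ships a Makefile with no configure script.
     `(#:phases (modify-phases %standard-phases (delete 'configure))))
    (home-page "https://facebook.github.io/zstd/")
    (synopsis "Zstandard compression library and tool")
    (description "Fast lossless compression algorithm and library.")
    (license (list license:bsd-3 license:gpl2))))

(define-public zstd/fixed
  ;; Same name and outputs as `zstd' so the graft is a drop-in swap; only
  ;; version, source and test handling differ.
  (package
    (inherit zstd)
    (version "1.4.9")
    (source (origin
              (method url-fetch)
              (uri (zstd-uri version))
              (sha256 (base32 "0000000000000000000000000000000000000000000000000000")))) ; PLACEHOLDER
    (arguments
     ;; The temporary measure from the message: the 1.4.9 test suite fails
     ;; spuriously on 32-bit targets, so skip it until core-updates lands.
     (substitute-keyword-arguments (package-arguments zstd)
       ((#:tests? _ #t) #f)))))
```

A graft only works when the replacement keeps the same outputs and ABI as the original; a change that alters the library's exported interface still has to go through core-updates.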