all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* kdesu security update needed
@ 2016-09-29 15:23 Leo Famulari
  2016-09-29 18:35 ` David Craven
  0 siblings, 1 reply; 11+ messages in thread
From: Leo Famulari @ 2016-09-29 15:23 UTC (permalink / raw)
  To: guix-devel

kdesu has a string handling bug, CVE-2016-7787:

http://seclists.org/oss-sec/2016/q3/653

David, since you added all the KDE packages, can you look into this bug
and see what we need to do to protect against it?

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-09-29 15:23 kdesu security update needed Leo Famulari
@ 2016-09-29 18:35 ` David Craven
  2016-09-29 18:52   ` David Craven
  2016-09-29 21:34   ` Leo Famulari
  0 siblings, 2 replies; 11+ messages in thread
From: David Craven @ 2016-09-29 18:35 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

> David, since you added all the KDE packages, can you look into this bug
> and see what we need to do to protect against it?

They have a vendored kdesu. The source files look pretty different
now, and I'm having a little trouble seeing if the problem is in kde
kdesu or just kde-cli-tools kdesu. From what I can tell the source has
diverged and the problem seems to be with the cli client they wrote
for the kdesu deamon or something like that. Don't know if this is a
satisfying answer...

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-09-29 18:35 ` David Craven
@ 2016-09-29 18:52   ` David Craven
  2016-09-29 20:49     ` Leo Famulari
  2016-09-29 21:34   ` Leo Famulari
  1 sibling, 1 reply; 11+ messages in thread
From: David Craven @ 2016-09-29 18:52 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Ah just checked our linter doesn't flag a CVE, so I think we're ok...

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-09-29 18:52   ` David Craven
@ 2016-09-29 20:49     ` Leo Famulari
  2016-10-01 12:19       ` Ludovic Courtès
  0 siblings, 1 reply; 11+ messages in thread
From: Leo Famulari @ 2016-09-29 20:49 UTC (permalink / raw)
  To: David Craven; +Cc: guix-devel

On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
> Ah just checked our linter doesn't flag a CVE, so I think we're ok...

The linter is a good tool for catching things that we miss, but it's not
a substitute for manual investigation :)

First, our package's name might not match the name used by the Common
Platform Enumeration [0], which is the name that the linter looks up. We
can give packages a cpe-name property [1], which tells the linter to use
something besides the package's name.

Second, I've noticed that sometimes bugs are publicized on oss-sec or
elsewhere, but then they don't show up in the CVE database for a while.

An aside, the CVE linter gives false positives for grafted packages. For
example, try `guix lint -c cve openssl@1.0`.

[0]
https://nvd.nist.gov/cpe.cfm

[1] An example:
http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/gd.scm#n76

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-09-29 18:35 ` David Craven
  2016-09-29 18:52   ` David Craven
@ 2016-09-29 21:34   ` Leo Famulari
  1 sibling, 0 replies; 11+ messages in thread
From: Leo Famulari @ 2016-09-29 21:34 UTC (permalink / raw)
  To: David Craven; +Cc: guix-devel

On Thu, Sep 29, 2016 at 08:35:53PM +0200, David Craven wrote:
> > David, since you added all the KDE packages, can you look into this bug
> > and see what we need to do to protect against it?
> 
> They have a vendored kdesu. The source files look pretty different
> now, and I'm having a little trouble seeing if the problem is in kde
> kdesu or just kde-cli-tools kdesu. From what I can tell the source has
> diverged and the problem seems to be with the cli client they wrote
> for the kdesu deamon or something like that. Don't know if this is a
> satisfying answer...

Yeah, that's my interpretation as well. Thanks for looking :)

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-09-29 20:49     ` Leo Famulari
@ 2016-10-01 12:19       ` Ludovic Courtès
  2016-10-01 12:59         ` David Craven
  2016-10-01 16:37         ` Leo Famulari
  0 siblings, 2 replies; 11+ messages in thread
From: Ludovic Courtès @ 2016-10-01 12:19 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
>> Ah just checked our linter doesn't flag a CVE, so I think we're ok...
>
> The linter is a good tool for catching things that we miss, but it's not
> a substitute for manual investigation :)

+1

> First, our package's name might not match the name used by the Common
> Platform Enumeration [0], which is the name that the linter looks up. We
> can give packages a cpe-name property [1], which tells the linter to use
> something besides the package's name.
>
> Second, I've noticed that sometimes bugs are publicized on oss-sec or
> elsewhere, but then they don't show up in the CVE database for a while.

Often, vulnerabilities and CVE IDs are publicized when the CVE ID is
still marked as “reserved” without additional info; reserved CVE IDs
don’t show up in the CVE database that ‘guix lint’ fetches.

> An aside, the CVE linter gives false positives for grafted packages. For
> example, try `guix lint -c cve openssl@1.0`.

That’s been annoying me for some time so I’d like to see if we can
improve grafting in a way that would allow us to use a different version
number in the package replacement, which in turn would allow ‘guix lint’
to see the right version number of the replacement.

Ludo’.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-10-01 12:19       ` Ludovic Courtès
@ 2016-10-01 12:59         ` David Craven
  2016-10-02 13:34           ` Ludovic Courtès
  2016-10-01 16:37         ` Leo Famulari
  1 sibling, 1 reply; 11+ messages in thread
From: David Craven @ 2016-10-01 12:59 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

Thank you for the info @Leo and @Ludo, just noticed that it's
mentioned in the manual.

One question that wasn't answered yet in your description and the
manual is how the linter detects when a package is patched. I assume
it looks at the applied patch names see if they contain a CVE code?

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-10-01 12:19       ` Ludovic Courtès
  2016-10-01 12:59         ` David Craven
@ 2016-10-01 16:37         ` Leo Famulari
  2016-10-03 21:36           ` Ludovic Courtès
  1 sibling, 1 reply; 11+ messages in thread
From: Leo Famulari @ 2016-10-01 16:37 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Sat, Oct 01, 2016 at 02:19:05PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > An aside, the CVE linter gives false positives for grafted packages. For
> > example, try `guix lint -c cve openssl@1.0`.
> 
> That’s been annoying me for some time so I’d like to see if we can
> improve grafting in a way that would allow us to use a different version
> number in the package replacement, which in turn would allow ‘guix lint’
> to see the right version number of the replacement.

That would be nice. The current situation (with misleading package
versions) is a huge improvement over what we had before, but I think
that users should not need to understand the implementation details of
grafting to determine the version of packages.

I always figured this quirky limitation was a side-effect of rushing to
implement recursive grafting before OpenSSL 1.0.2g was released.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-10-01 12:59         ` David Craven
@ 2016-10-02 13:34           ` Ludovic Courtès
  0 siblings, 0 replies; 11+ messages in thread
From: Ludovic Courtès @ 2016-10-02 13:34 UTC (permalink / raw)
  To: David Craven; +Cc: guix-devel

David Craven <david@craven.ch> skribis:

> One question that wasn't answered yet in your description and the
> manual is how the linter detects when a package is patched. I assume
> it looks at the applied patch names see if they contain a CVE code?

Exactly: it checks the version number and the name of the applied
patches.

Ludo’.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-10-01 16:37         ` Leo Famulari
@ 2016-10-03 21:36           ` Ludovic Courtès
  2016-10-03 21:47             ` Leo Famulari
  0 siblings, 1 reply; 11+ messages in thread
From: Ludovic Courtès @ 2016-10-03 21:36 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Sat, Oct 01, 2016 at 02:19:05PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> > An aside, the CVE linter gives false positives for grafted packages. For
>> > example, try `guix lint -c cve openssl@1.0`.
>> 
>> That’s been annoying me for some time so I’d like to see if we can
>> improve grafting in a way that would allow us to use a different version
>> number in the package replacement, which in turn would allow ‘guix lint’
>> to see the right version number of the replacement.
>
> That would be nice. The current situation (with misleading package
> versions) is a huge improvement over what we had before, but I think
> that users should not need to understand the implementation details of
> grafting to determine the version of packages.
>
> I always figured this quirky limitation was a side-effect of rushing to
> implement recursive grafting before OpenSSL 1.0.2g was released.

Done in commit 57bdd79e485801ccf405ca7389bd099809fe5d67!  And with
9bee2bd1b02c7ef91cc7232e8647bd07525d3382, ‘guix lint -c cve openssl@1.0’
reports the right thing (zero known CVEs).

Ludo’.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: kdesu security update needed
  2016-10-03 21:36           ` Ludovic Courtès
@ 2016-10-03 21:47             ` Leo Famulari
  0 siblings, 0 replies; 11+ messages in thread
From: Leo Famulari @ 2016-10-03 21:47 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Mon, Oct 03, 2016 at 11:36:48PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Sat, Oct 01, 2016 at 02:19:05PM +0200, Ludovic Courtès wrote:
> >> Leo Famulari <leo@famulari.name> skribis:
> >> > An aside, the CVE linter gives false positives for grafted packages. For
> >> > example, try `guix lint -c cve openssl@1.0`.
> >> 
> >> That’s been annoying me for some time so I’d like to see if we can
> >> improve grafting in a way that would allow us to use a different version
> >> number in the package replacement, which in turn would allow ‘guix lint’
> >> to see the right version number of the replacement.
> >
> > That would be nice. The current situation (with misleading package
> > versions) is a huge improvement over what we had before, but I think
> > that users should not need to understand the implementation details of
> > grafting to determine the version of packages.
> >
> > I always figured this quirky limitation was a side-effect of rushing to
> > implement recursive grafting before OpenSSL 1.0.2g was released.
> 
> Done in commit 57bdd79e485801ccf405ca7389bd099809fe5d67!  And with
> 9bee2bd1b02c7ef91cc7232e8647bd07525d3382, ‘guix lint -c cve openssl@1.0’
> reports the right thing (zero known CVEs).

Awesome :)

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2016-10-03 21:47 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-29 15:23 kdesu security update needed Leo Famulari
2016-09-29 18:35 ` David Craven
2016-09-29 18:52   ` David Craven
2016-09-29 20:49     ` Leo Famulari
2016-10-01 12:19       ` Ludovic Courtès
2016-10-01 12:59         ` David Craven
2016-10-02 13:34           ` Ludovic Courtès
2016-10-01 16:37         ` Leo Famulari
2016-10-03 21:36           ` Ludovic Courtès
2016-10-03 21:47             ` Leo Famulari
2016-09-29 21:34   ` Leo Famulari

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.