Ben's technical blog

Tue, 02 Jun 2015

Debian LTS work, May 2015

This was my sixth month working on Debian LTS. I was assigned 10.5 hours by Freexian's Debian LTS initiative. This was less than in previous months, but I was still able to work on several packages.

dpkg

This update was almost ready to release at the end of April. I had to rebuild from the upstream tarball as released by Guillem, then uploaded and issued DLA 220-1.

tiff

This update was also almost ready to release. I hoped to get some users to test it, but didn't get any response. I uploaded and issued DLA 221-1.

ruby1.8

Ruby 1.8 had a single CVE to fix. It was already fixed in wheezy against a similar upstream version, so it took little time to apply that patch. Ruby has an extensive test suite that reassured me this wouldn't cause a regression. I uploaded and issued DLA 224-1.

p7zip

p7zip allows arbitrary file overwrite via symlinks (CVE-2015-1038) when extracting a carefully constructed archive, and this bug is not fixed upstream. This sort of bug has been identified and fixed previously in similar tools such as GNU tar, so I looked at how that handles links and tried to apply a similar change in p7zip. This was somewhat complicated by the code style (C++ with COM-style interfaces and NIH containers), but not too hard. I came up with a patch that seems to work for the versions in Debian, and have attached it to the upstream bug report for review.
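A path check of the kind this bug class calls for, as an added example (it is not the patch described above, and not p7zip or GNU tar code): before creating a member, the extractor rejects absolute or `..` names and any path whose existing components include a symlink. The function names and the `/tmp/extract-demo-…` tree are constructed for illustration.

```cpp
// Added example, not p7zip or GNU tar code; all names here are illustrative.
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>

// Gate to call before creating or overwriting archive member `name` under
// `root`. lstat() inspects a link itself rather than following it.
bool safe_to_extract(const std::string& root, const std::string& name) {
    if (name.empty() || name[0] == '/') return false;  // absolute member name
    std::string path = root, part;
    std::stringstream parts(name);
    bool on_disk = true;  // false once a component does not exist yet
    while (std::getline(parts, part, '/')) {
        if (part.empty() || part == ".") continue;
        if (part == "..") return false;                // would climb out of root
        if (!on_disk) continue;                        // nothing below a missing dir
        path += "/" + part;
        struct stat st;
        if (lstat(path.c_str(), &st) == 0) {
            if (S_ISLNK(st.st_mode)) return false;     // link left by an earlier member
        } else if (errno == ENOENT) {
            on_disk = false;
        } else {
            return false;                              // unexpected error: fail closed
        }
    }
    return true;
}

// Constructed tree: root/docs is a symlink to ../outside, as if already extracted.
std::string make_demo_root() {
    char tmpl[] = "/tmp/extract-demo-XXXXXX";
    if (!mkdtemp(tmpl)) return "";
    std::string root = std::string(tmpl) + "/root";
    mkdir(root.c_str(), 0700);
    mkdir((std::string(tmpl) + "/outside").c_str(), 0700);
    if (symlink("../outside", (root + "/docs").c_str()) != 0) return "";
    return root;
}

int main() {
    std::string root = make_demo_root();
    std::printf("%d %d\n", safe_to_extract(root, "docs/readme.txt"),
                safe_to_extract(root, "notes/readme.txt"));
    return 0;
}
```

The check and the later open are separate steps, so an extractor working in a directory that other processes can modify would need `openat()` with `O_NOFOLLOW` on each component instead.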

linux-2.6

I reviewed the patches for Linux 2.6.32.66 - many of which were my own backports - and then integrated this update into the SVN branch. I will probably upload a new version soon, whether or not there's a high severity issue, just to avoid piling up a large number of changes in one update.

posted at: 02:40

Thu, 07 May 2015

Debian LTS work, April 2015

This was my fifth month working on Debian LTS. I was assigned 16 hours by Freexian's Debian LTS initiative. I worked on several packages but haven't uploaded updates yet.

linux-2.6

There is a steady stream of security issues in all Linux kernel versions. As we don't want to prompt reboots too often, these won't necessarily result in an update every month; it depends on the severity of the issue(s). However, I triaged the current issues and committed the available fixes to version control.

dpkg

The PGP signature validation in dpkg-source has a number of bugs, including CVE-2015-0840 which allows the validation to be completely subverted. I backported fixes for these from the 1.16 (wheezy) branch to the 1.15 (squeeze) branch. dpkg has a test suite and the fixes all came with new regression tests, so this was easy to verify.

As dpkg is a native package (i.e. there is little separation between the 'upstream' and Debian packaging), I preferred that the dpkg maintainers would turn this into an 'upstream' release that I could upload. Guillem Jover has now reviewed and (semi-)released my changes, so I will complete this update soon.

tiff

A large number of bugs have been found in the venerable tiff library and tools, mostly by 'fuzzing' them with afl. The bugs have been unhelpfully grouped into a smaller number of CVE IDs, although it's not clear that these groups were introduced at the same time and they certainly weren't fixed at the same time.

Most of the upstream bug reports come with samples to reproduce the bug (crash or memory corruption detectable with valgrind), but many of these did not turn out to be reproducible (either upstream or with the version in 'squeeze'). Where they were reproducible, I've verified that the patches fix the issue.

Unfortunately tiff does not have a test suite, so I made a call for testing on the debian-lts list. If I don't get any responses soon, I'll run my own basic tests with programs that use libtiff before uploading.

posted at: 11:14

Wed, 08 Apr 2015

Call for testing: linux 3.16.7-ckt9-1

As it is nearly time to release Debian 8 (codename jessie), I've uploaded a new version of the Linux kernel to unstable which I hope will be the version to go into the initial release (8.0). The changes from the current version in testing are mostly bug fixes:

Please test this new version (which should be on mirrors within the next 24 hours) and report any regressions you spot.

It's now too late to add new hardware support for Debian 8.0, but we'll probably be able to improve it in subsequent point releases. So, please also report driver changes that should be backported from later kernel versions to improve hardware support, with severity of 'important'. If you can provide precise information about which upstream commits are needed, that makes things easier for us, and you should add the 'patch' tag.

posted at: 16:55

Thu, 02 Apr 2015

Debian LTS work, March 2015

This was my fourth month working on Debian LTS. I was assigned 14.5 hours by Freexian's Debian LTS initiative, but I only worked 11.5 as I had a week's holiday and then was ill for part of this week.

eglibc

My first task was to complete the eglibc update that I began at the end of February. There were a few unexpected failures in the regression test suite, but on inspection these turned out to be quirks of the build environment:

With those changes, the regression test results are the same as for previous package versions. (There is still one 'unexpected' failure, but I didn't investigate because it is not a regression within squeeze.)

I reviewed the backported patches again to check as well as I could that they did not depend on other upstream changes, and they did not seem to. I also received positive feedback from further testing - I can't find the message now, but I think it was that the Univention application test suite passed with the updated eglibc package installed.

With that confirmation and no regressions reported, I uploaded eglibc 2.11.3-4+deb6u5 and issued DLA 165-1.

freetype

A large number of vulnerabilities in font file parsing in Freetype were reported by Mateusz Jurczyk. I think these were less critical in squeeze than in wheezy, because while current web browsers use Freetype to render untrusted 'web fonts' we don't support any web browsers in squeeze LTS. But it seemed like they ought to be fixed anyway, and it was not too hard to backport the patches included in the wheezy security update.

Freetype doesn't have a regression test suite and I didn't have samples of the broken fonts, so I came up with some ad hoc tests for regressions. I viewed several of each of the affected font formats with the ftview demo application. I then wrote a script to match up the dependencies of a package (in this case, libfreetype6) with those used by Freexian's customers; the top results were fontconfig, xfonts-utils and imagemagick. So I ran some basic tests against each of the affected formats with each of these (fc-list, mkfontscale, and the simple text label recipe for ImageMagick) and found no regression. Uploaded freetype 2.4.2-2.1+squeeze5 and issued DLA 185-1.

posted at: 23:14

Sat, 28 Feb 2015

Debian LTS work, February 2015

This was my third month working on Debian LTS, and the first where I actually uploaded packages. I also worked on userland packages for the first time.

In the middle of February I finished and uploaded a security update for the kernel package (linux-2.6 version 2.6.32-48squeeze11, DLA 155-1). I decided not to include the fix for CVE-2014-9419 and the large FPU/MMX/SSE/AVX state management changes it depends on, as they don't seem to be worth the risk.

The old patch system used in linux-2.6 in squeeze still frustrates me, but I committed a script in the kernel subversion repository to simplify adding patches to it. This might be useful to any other LTS team members working on it.

In the past week I uploaded security updates for cups (version 1.4.4-7+squeeze7, DLA 159-1) and sudo (1.7.4p4-2.squeeze.5, DLA 160-1). My work on the cups package was slowed down by its reliance on dpatch, which thankfully has been replaced in later versions. sudo is a more modern quilt/debhelper package, but upstream has an odd way of building manual pages. In the version used in squeeze the master format is Perl POD, while in wheezy it's mandoc, but in both cases the upstream source includes pre-generated manual pages and doesn't rebuild them by default. debian/rules is supposed to fix this but doesn't (#779363), so I had to regenerate 'by hand' and fold the changes into the respective patches.

Finally, I started work on addressing the many remaining security issues in eglibc. Most of the patches applied to wheezy were usable with minimal adjustment, but I didn't have time left to perform any meaningful testing. I intend to upload what I've done to people.debian.org for testing by interested parties and then make an upload early in March (or let someone else on the LTS or glibc team do so).

Update: I sent mail about the incomplete eglibc update to the debian-lts list.

posted at: 21:39