[Pkg-iscsi-maintainers] Bug#885021: open-iscsi: CVE-2017-17840: buffer overflow in process_iscsid_broadcast()

Salvatore Bonaccorso carnil at debian.org
Sat Dec 23 12:17:09 UTC 2017


Hi Christian!

On Sat, Dec 23, 2017 at 12:32:32PM +0100, Christian Seiler wrote:
> Control: tags -1 + stretch
> 
> Hello,
> 
> On 12/22/2017 11:37 PM, Salvatore Bonaccorso wrote:
> > the following vulnerability was published for open-iscsi; whilst only
> > "one" of the issues from the qualys report has a CVE, cf. [1], all
> > fixes from [2] should preferably be applied. Cf. as well [3].
> 
> Thanks for reporting this. It wasn't mentioned on the official
> open-iscsi mailing list, and the fact that I've missed the pull
> request alerted me to the fact that I wasn't watching the upstream
> github repository. (Which I've now rectified.)
> 
> I've now uploaded -5 that includes all patches in the pull request
> you've mentioned.

And thanks for fixing that so quickly :)

> I've seen in the security tracker you've marked this no-DSA, so I
> assume I should ask the Release team for a p-u to get this fixed
> in Stretch?

That is right; I think the issue is not severe enough for us to
issue a DSA for it.

> Note: neither Wheezy nor Jessie include iscsiuio (this was added
> in Stretch), so they are not affected by this bug; only
> Stretch is vulnerable. (stretch-backports is vulnerable,
> which I'll fix once a fix for stretch has been uploaded.) It
> would be great if you could update the security tracker to reflect
> this.

Yes, that's a bit tricky. We are interested in tracking source package
status, and in fact the code is there in jessie, so <not-affected>
would not be technically fully correct. I have though changed the status
to <ignored>, that is, we will not look into it further, nor has the
maintainer, and added a note/explanation of "Minor issue, iscsiuio not
built in this version, source affected".

Hope this explains the status. If you strongly disagree, we can still
try to track it as not-affected instead and explain why we marked
it as such.

Regards,
Salvatore