[Secure-testing-team] resolving hard TODOs

Micah Anderson micah at debian.org
Tue Mar 1 01:08:42 UTC 2005 

So I've noticed that we are all avoiding some particularly hard TODO
items, and I was thinking about how we can tackle these. Specifically
there are 6 of these that seem pretty vague, mostly because they
potentially cover a number of packages and we dont know what those
packages are.

All of these are somewhat similar in their broad applicability (and
probably each of us has responded to them in the same way, "uff!":

TODO: see if anything in debian uses X.400 and is vulnerable.
TODO: see if anything else in debian uses S/MIME and is vulnerable.
TODO: check wget, ftp, ncftp, etc.
TODO: check Debian mailscanners, if any.
TODO: check all softwares that modifies JPEG images in Debian...
TODO: other packages containing libtiff code may be vulnerable (kfax?)		

I was thinking that one way to try and grapple with these is to make a
post to debian-devel asking for a brainstorm on what packages contain
X.400, S/MIME, modify JPEG images, contain libtiff, etc. and see if we
can come up with a list of packages to look at. I dont know if this
will get us the complete list of all possible packages, but it is a
much better way of coming up with a list than me or you coming up with
the list, or even all of us here working together to devise it.

What do people think?

Here are the specific CANS:

CAN-2003-0565 (Multiple vulnerabilities in multiple vendor
implementations of the ...)
        NOTE: affects many implementations of the X.400 protocol
        TODO: see if anything in debian uses X.400 and is vulnerable.

CAN-2003-0564 (Multiple vulnerabilities in multiple vendor
implementations of the ...)
        NOTE: affects multiple S/MIME implementations
        NOTE: checked current mozilla, which contains safe NSS 3.9.1
        - mozilla 2:1.7.3
        TODO: see if anything else in debian uses S/MIME and is vulnerable.

CAN-2002-1345 (Directory traversal vulnerabilities in multiple FTP
clients on UNIX ...)
        NOTE: multiple ftp client issues
        TODO: check wget, ftp, ncftp, etc.

CAN-2002-1121 (SMTP content filter engines, including (1) GFI
MailSecurity for ...)
        NOTE: Some SMTP mailscanners can be bypassed by fragmenting
        NOTE: messages.
        TODO: check Debian mailscanners, if any.

CAN-2005-0406 (A design flaw in image processing software that
modifies JPEG images ...)
        TODO: check all softwares that modifies JPEG images in Debian...

CAN-2004-1308 (Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff ...)
        {DSA-617-1}
        - libtiff4 3.6.1-4
        TODO: other packages containing libtiff code may be vulnerable (kfax?)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050228/d292edef/attachment.pgp

More information about the Secure-testing-team mailing list