[Secure-testing-team] resolving hard TODOs

Micah Anderson micah at debian.org
Wed Mar 16 02:42:53 UTC 2005


Here is a revised/reworded version of this email:

Subject: Bits from the Testing Security Team
Cc: debian-security at lists.debian.org
Reply-To: debian-devel at lists.debian.org

Hello,

This is a quick summary of the Debian Testing Security Team[1] work
and a request for some aid to help sort out some difficult Sarge
security problems.

Contents of this message:
	What the Testing Security Team has been up to
	How can I leverage my powerful brain to aid you?
	Let the games begin!
	This is fun, how else can I help?


Background information
----------------------

The first thing the Debian Testing Security Team did was to check all
security holes since the release of Debian 3.0 to ensure that all the
holes are fixed in Sarge.

Now that this has finished, we are busy checking to make sure that
security problems that have already been fixed in unstable as well as
stable do not continue to affect testing. We are also dealing with new
holes as they are made known. Every day we get an updated copy of
Mitre's comprehensive list of known security problems, known
affectionately as CAN numbers[2]. We've been going through old CANs as
well as the newly released CANs and check changelogs, advisories, test
proof-of-concepts, dig out patches from other vendors' kernels,
whatever is needed to confidently determine whether sarge is
vulnerable to the particular CAN or not. We then record our findings,
file bugs, write patches, do NMUs as necessary, track fixed packages
and work with the Debian Release Managers to make sure fixes reach
testing quickly. The result of this is the Testing Security issues
page[3] which shows how many holes are unfixed (that we know of) in
testing, the associated bugs and debian package versions required to
plug the hole. In addition to this, it also indicates how many
unprocessed TODO items are still remaining for us to process.[4]

How can I leverage my powerful brain to aid you?
------------------------------------------------

I'm glad you asked! Your brain is much bigger than our individual
brains, so we need the collective help of everyone to brainstorm
solutions to some difficult remaining CANs.

There are a few CANs that are pretty vague in their broad
applicability; they potentially cover a number of packages and we need
help figuring out which packages those would be. Bonus points if you
can tell us if the package is affected by its associated CAN, extra
bonus points if you tell us the bug number that you filed to alert the
package maintainer of the security hole, tagged it security and added
a patch. So without further ado, here they are; if you have any
information that can help us, please follow up to debian-devel.

Let the games begin!
--------------------

1. What packages contain X.400 (CAN-2003-0565)[5]?

2. What packages contain S/MIME besides mozilla, because the current
version (mozilla 2:1.7.3) contains safe NSS 3.9.1 (CAN-2003-0564)[6]?

3. What packages modify JPEG images (CAN-2005-0406)[7]? Please limit
your answers to those packages that do not modify the EXIF thumbnail;
we don't need to hear "imagemagick" or "the gimp." If you use this jpg[8]
whose thumbnail contains a green swirl instead of the red one you can
test this. Basically if the file is loaded into a program doing the
right thing (e.g. gimp) and saved again, the swirl in the thumbnail
turns red. If a program is doing the wrong thing (e.g. convert[9]), the
thumbnail stays green. For example,

	convert exiftest.jpg -draw "rectangle 0,0 300,300 fill black" out.jpg

will draw a black rectangle over the swirl, but the thumbnail in
out.jpg still has the green swirl.

4. What packages contain libtiff code, besides libtiff4 3.6.1-4, which is
not affected thanks to DSA-617-1 (CAN-2004-1308)[10]?

5. What ftp programs are affected by directory traversal
vulnerabilities (CAN-2002-1345)[11]?

6. What packages in Debian are SMTP mailscanners that can be
potentially bypassed by fragmenting messages (CAN-2002-1121)[12]?

7. Is our xpdf vulnerable to CAN-2005-0206[13]?


This is fun, how else can I help?
---------------------------------

Glad you asked! Any Debian developers with an interest in
participating are welcome to join the team, and we also welcome others
who have the skills and desire to help us. The team can be contacted
through its mailing list[14]. There is a second mailing
list[15] that receives commit messages to our repository. An alioth
project page[1] is also available. Have a read of this message[16] if
you are interested in participating; the details are there about how
to start helping check CANs on a regular basis.


What do I win? huh? Huh?!
-------------------------

You get a little sticker that says:

"I donated to Sarge today!"

Ok, not really, but you do get our gratitude; these are annoying and
difficult. Thanks.


[1] http://secure-testing.alioth.debian.org/
[2] http://cve.mitre.org/cve/candidates/downloads/full-can.html
[3] http://merkel.debian.org/~joeyh/testing-security.html
[4] An alternate page, which tracks archive changes more quickly but may be
inaccurate due to bugs in madison on newraff, is here:
http://newraff.debian.org/~joeyh/testing-security.html
[5] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0565
[6] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0564
[7] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0406
[8] http://www.sfritsch.de/debian/exiftest.jpg
[9] convert is from package "imagemagick" and exif is from "exif"
[10] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308
[11] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1345
[12] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1121
[13] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0206
[14] http://secure-testing.alioth.debian.org/secure-testing-team@lists.alioth.debian.org
[15] http://secure-testing.alioth.debian.org/secure-testing-commits@lists.alioth.debian.org
[16] http://lists.debian.org/debian-security/2004/10/msg00166.html
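The EXIF thumbnail test in question 3 can be automated instead of eyeballing the swirl. The script below is an added example, not part of Micah's message or of any Debian tool: it walks the JPEG marker segments, follows the TIFF IFD0 -> IFD1 chain inside the Exif APP1 segment to the JPEGInterchangeFormat/JPEGInterchangeFormatLength tags, pulls out the thumbnail bytes, and reports whether a file written by some editor still carries the original's thumbnail unchanged (the CAN-2005-0406 behaviour). `make_sample_jpeg` builds a constructed minimal JPEG so the check runs offline; on real files, feed it exiftest.jpg and the editor's output.

```python
import struct


def exif_thumbnail(jpeg: bytes):
    """Return the EXIF (IFD1) thumbnail embedded in a JPEG, or None if there is none."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)  # no SOI marker: not a JPEG
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes itself
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _thumbnail_from_tiff(seg[6:])
        if marker == 0xDA:  # start of scan: no more header segments follow
            break
        pos += 2 + seglen
    return None


def _thumbnail_from_tiff(tiff: bytes):
    # TIFF header: byte order, 0x2A, offset of IFD0. IFD1 (the thumbnail IFD) follows IFD0.
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if end is None:
        return None
    ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
    n0 = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
    ifd1 = struct.unpack(end + "I", tiff[ifd0 + 2 + 12 * n0:][:4])[0]  # 0 means no IFD1
    off = length = None
    for i in range(struct.unpack(end + "H", tiff[ifd1:ifd1 + 2])[0] if ifd1 else 0):
        tag, _typ, _cnt, val = struct.unpack(end + "HHII", tiff[ifd1 + 2 + 12 * i:][:12])
        if tag == 0x0201:    # JPEGInterchangeFormat: offset of the thumbnail JPEG
            off = val
        elif tag == 0x0202:  # JPEGInterchangeFormatLength
            length = val
    return tiff[off:off + length] if off is not None and length is not None else None


def thumbnail_stale(original: bytes, saved: bytes) -> bool:
    """True when the saved file still carries the original's thumbnail byte-for-byte."""
    thumb = exif_thumbnail(original)
    return thumb is not None and thumb == exif_thumbnail(saved)


def make_sample_jpeg(thumb: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, EXIF APP1 (empty IFD0, IFD1 pointing at thumb), EOI."""
    ifd0 = struct.pack("<HI", 0, 14)  # no entries; next IFD (IFD1) at TIFF offset 14
    ifd1 = (struct.pack("<H", 2) + struct.pack("<HHII", 0x0201, 4, 1, 44)
            + struct.pack("<HHII", 0x0202, 4, 1, len(thumb)) + struct.pack("<I", 0))
    tiff = b"II\x2a\x00" + struct.pack("<I", 8) + ifd0 + ifd1 + thumb  # thumb lands at 44
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + 6 + len(tiff)) + b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + app1 + b"\xff\xd9"
```

`thumbnail_stale(open("exiftest.jpg","rb").read(), open("out.jpg","rb").read())` returning True is the "green swirl survived" case the question asks about; a program that strips or regenerates the thumbnail returns False.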