Re: Bits from the Testing Security team - Debian


  1. Re: Bits from the Testing Security team

    On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote:
    > Embedded code copies
    > --------------------
    > There are a number of packages including source code from external
    > libraries, for example poppler is included in xpdf, kpdf and others. To
    > ensure that we don't miss any vulnerabilities in packages that do so we
    > maintain a list[6] of embedded code copies in Debian. It is preferable
    > that you do not embed copies of code in your packages, but instead link
    > against packages that already exist in the archive. Please contact us
    > about any missing items you know about.
    >
    > [6]: http://svn.debian.org/wsvn/secure-te...ile&rev=0&sc=0


    After a first reading of this, I thought you didn't care about statically
    linked libraries, as that can be spotted by looking at build-depends.
    However, looking at [6] I noticed that some of the embeddings are
    reported as "(link statically)" or similar.

    So, question, do you want to have reports also of missing pieces of
    statically linked code snippets in that list?

    If so, I've recently uploaded (still in NEW) OCaml bindings for syck,
    which statically link parts of libsyck-dev. ATM it is not possible to
    do any better, since a shared version of libsyck is not produced by the
    syck source package.

    I think syck is potentially security risky, since it is often used to
    parse third party data. You might want to look at syck bindings for
    other languages; for sure in Debian we also have Python and Perl syck
    bindings ...

    Cheers.

    --
    Stefano Zacchiroli -*- PhD in Computer Science ............... now what?
    zack@{cs.unibo.it,debian.org,bononia.it} -%- http://www.bononia.it/zack/
    (15:56:48) Zack: e la demo dema ? /\ All one has to do is hit the
    (15:57:15) Bac: no, la demo scema \/ right keys at the right time



  2. Re: Bits from the Testing Security team

    On Mon, Oct 15, 2007 at 11:29:16AM +0200, Stefano Zacchiroli wrote:
    > So, question, do you want to have reports also of missing pieces of
    > statically linked code snippets in that list?


    On request of Steffen Joeris I'm following up here with a chat log
    between the two of us:

    (15:34:40) white: hi
    (15:36:11) white: i read your mail, can you maybe elaborate it a bit?
    i am not quite sure, if i get your case of code duplication right
    (15:36:47) zack: my point is: ocaml-syck (but is just an example) is
    now statically linked with libsyck
    (15:37:04) zack: is the security team aware that they need to rebuild
    ocaml-syck if they found a security bug in libsyck?
    (15:40:34) white: no, at least i would not think about it
    (15:40:59) white: that is an interesting (and unfortunate) point
    (15:41:04) zack: ok, so we actually need a list also of statically
    linked stuff
    (15:41:13) zack: please reply on list with this reasoning of ours
    (15:41:57) white: please do me a favour and paste this log into an
    email and mail it to the list
    (15:42:03) white: i will look into it tomorrow
    (15:42:11) zack: ok
    (15:42:17) white: thanks

    Cheers.

    --
    Stefano Zacchiroli -*- PhD in Computer Science ............... now what?
    zack@{cs.unibo.it,debian.org,bononia.it} -%- http://www.bononia.it/zack/
    (15:56:48) Zack: e la demo dema ? /\ All one has to do is hit the
    (15:57:15) Bac: no, la demo scema \/ right keys at the right time



  3. Re: Bits from the Testing Security team

    On 2007-10-15, Stefano Zacchiroli wrote:
    > On Mon, Oct 15, 2007 at 11:29:16AM +0200, Stefano Zacchiroli wrote:
    >> So, question, do you want to have reports also of missing pieces of
    >> statically linked code snippets in that list?


    Yes, this list has always included apps linking statically.

    Cheers,
    Moritz


    --
    To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  4. Re: Bits from the Testing Security team

    On Mon, Oct 15, 2007 at 08:40:01PM +0200, Moritz Muehlenhoff wrote:
    > On 2007-10-15, Stefano Zacchiroli wrote:
    > >> So, question, do you want to have reports also of missing pieces of
    > >> statically linked code snippets in that list?

    >
    > Yes, this list has always included apps linking statically.
    >
    > Cheers,
    > Moritz
    >

    Anyway, having a way to distinguish source-embedded from statically-linked
    would be useful. IMHO the second case is almost always an error, except
    for special cases (a statically linked shell, for instance).

    --
    Francesco P. Lovergine



  5. Re: Bits from the Testing Security team

    On Tue, Oct 16, 2007 at 12:20:52AM +0200, Francesco P. Lovergine wrote:
    > On Mon, Oct 15, 2007 at 08:40:01PM +0200, Moritz Muehlenhoff wrote:
    > > On 2007-10-15, Stefano Zacchiroli wrote:
    > > >> So, question, do you want to have reports also of missing pieces of
    > > >> statically linked code snippets in that list?

    > >
    > > Yes, this list has always included apps linking statically.
    > >
    > > Cheers,
    > > Moritz
    > >

    > Anyway having a way to distinguish source-embedded by statically-linked
    > would be useful. IMHO the second case is almost always an error, but
    > for special cases (static linked shell for instance).
    >

    Additionally, packages with embedded sources require patching, while
    packages which statically link only require rebuilding.

    Regards,

    -Roberto

    --
    Roberto C. Sánchez
    http://people.connexer.com/~roberto
    http://www.connexer.com

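    The distinction drawn in the last two messages (embedded source copies
    need a patch, statically linked packages only need a rebuild, and
    neither shows up in a binary package's shared-library dependencies) is
    easy to turn into a small triage tool. The example below is added here
    and is not code from the Debian security team; the list format and the
    package entries in SAMPLE_LIST are constructed for illustration and are
    not the format or contents of the real embedded-code-copies file at [6].

```python
"""Triage helper: given a library that just received a security fix, say which
dependent packages need a source patch (embedded copy) and which only need a
rebuild (static link).

Added example, not the Debian security team's tooling. The one-entry-per-line
format below is a constructed illustration, not the real list's format.
"""
from dataclasses import dataclass

# Constructed sample list. The poppler/xpdf/kpdf and syck/ocaml-syck rows
# mirror what the thread mentions; "python-syck" is a hypothetical name.
SAMPLE_LIST = """\
# library: package (embed|static)
poppler: xpdf (embed)
poppler: kpdf (embed)
syck: ocaml-syck (static)
syck: python-syck (embed)   # hypothetical entry
zlib: busybox (static)
"""

VALID_KINDS = ("embed", "static")


@dataclass(frozen=True)
class Entry:
    library: str   # upstream library whose code is duplicated
    package: str   # Debian package carrying the duplicate
    kind: str      # "embed": source copied in; "static": linked at build time


def parse_list(text):
    """Parse the constructed list format, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        library, rest = line.split(":", 1)
        package, kind = rest.strip().rsplit(" ", 1)
        kind = kind.strip("()")
        if kind not in VALID_KINDS:
            raise ValueError(f"unknown kind {kind!r} in line {raw!r}")
        entries.append(Entry(library.strip(), package.strip(), kind))
    return entries


def actions_for(entries, library):
    """Map a fixed library to the follow-up work on its dependents.

    Embedded copies must be patched in the dependent's own source; static
    links are fixed by rebuilding against the corrected library. Packages
    that link the shared library need nothing and do not appear in the list.
    """
    actions = {"patch": [], "rebuild": []}
    for entry in entries:
        if entry.library != library:
            continue
        actions["patch" if entry.kind == "embed" else "rebuild"].append(entry.package)
    return actions


if __name__ == "__main__":
    entries = parse_list(SAMPLE_LIST)
    for lib in sorted({e.library for e in entries}):
        todo = actions_for(entries, lib)
        print(f"{lib}: patch {todo['patch']}, rebuild {todo['rebuild']}")
```

    Running it on the sample prints, for syck, one package to patch and one
    to rebuild; a real deployment would read the security team's list
    instead of SAMPLE_LIST and would be run whenever a DSA is prepared for
    the library in question.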


  6. Re: Bits from the Testing Security team

    On Mon, Oct 15, 2007 at 08:02:15PM -0400, Roberto C. Sánchez wrote:
    > > Anyway having a way to distinguish source-embedded by statically-linked
    > > would be useful. IMHO the second case is almost always an error, but
    > > for special cases (static linked shell for instance).
    > >

    > Additionally, packages with embedded sources require patching, while
    > packages which statically link only require rebuilding.
    >


    Yes, that was the rationale for distinguishing the two cases...

    --
    Francesco P. Lovergine

