Since agc called for an end of the pkgsrc freeze for the release of pkgsrc-2008Q2 tonight at 21:00 UTC, I had to put in a hackathlon to fix as many security problems as possible. This is an attempt to keep track of them.
pkgsrc has a very old version of WebSVN (1.x, current is 2.0) which comes with a whole bunch of cross-site-scripting issues (see also CVE-2007-3056). In order to fix them during the freeze I had to manually patch WebSVN because there wasn't enough time anymore to ask for a package upgrade of this dimension. Patches were mostly taken from upstream changeset 581. It seems however that both the programming and the English skills of the author are subterranean.
The next item was the silc-client buffer overflow which salo refused to fix for more than a year. I had already created patches for it but they weren't applied for half a year now, so I decided to just go ahead and commit them (especially since wiz suggested so in a prior conversation in April). They basically update the silc-client package from 1.0.4.1 to 1.1.4, which also fixes various character set issues.
Then our modular-xorg-server came with various vulnerabilities, namely those described in freedesktop.org bug 7447 and the release notes of xorg-server 1.4.2. Applying the patches in question fixed the problems, even though an upgrade would not appear to be a bad idea.
For relaxing I took a shot at an old one-liner in balsa. Gnome bug 4743662 has a neat little classic buffer overflow which was easily fixed by adding a range check to the buffer. Unfortunately my 10G slice allocated to packages started to run full here; Gnome is way too large these days.
The next station was the bacula information disclosure: passwords would be passed to various tools through the command line. The ”solution“ the bacula developers came up with was to document the fact. I guess since bacula is mainly a bunch of shell scripts, there isn't really a better way either, so I pulled their documentation.
A maintainer who clearly doesn't take anything seriously is the maintainer of vobcopy. I fixed an insecure temp file creation issue but it was rather hard to parse his changelog with all the smileys.
Perdition IMAP was another easy one; a buffer overflow check in IMAP command tag deparsing had to be rearranged to remain effective if the tag contained a NULL byte.
An encounter I would rather have avoided was pear-MDB2. That little beast has an information disclosure vulnerability in the structure of the respective drivers, so they all have to be updated individually. This was a rather tedious task, and in addition to that it was PHP code...
Worse than that, the package even shipped with an XML file containing MD5 sums of all source files et cetera. This made it even harder to patch since the package.xml file had to be updated as well with every change, and it was a downloaded file.
The Z shell featured a broken difflog script which created temporary files with predictable names. Most distributions simply removed the file from the distribution, but I decided to simply throw in a bit of File::Temp love. The result worked judging from my first small tests.
After I told Gendalia a while ago that she should fix OpenAFS, I did it myself now. The fix consisted in an upgrade to a newer version.
The last one handled today was wyrd, a simple privilege escalation in the ocaml code. The patch from Debian bug 466382 applied well.
Some pkgsrc-wip packages needed TODO entries, among those were jetty, e2fsprogs and Radiator.
A number of tickets were also simply outdated and had to be closed. The result of the day:
| Open tickets | Stalled tickets | |
|---|---|---|
| Before | 113 | 27 |
| After | 69 | 3 |
I also left some crazy patterns, not in the sand but in the mailing list archives.
The current stats in the (not serious) pkgsrc-security contest are:
| salo | tonnerre | adrianp | ghen | wiz | tron | joerg | 36 others |
|---|---|---|---|---|---|---|---|
| 2038 | 334 | 238 | 153 | 107 | 92 | 63 | 327 |
Welcome in life, pkgsrc-2008Q2!