Debian Bug report logs - #470065
debsecan: Better report for backports

Package: debsecan; Maintainer for debsecan is Florian Weimer <fw@deneb.enyo.de>; Source for debsecan is src:debsecan.

Reported by: Vincent Bernat <bernat@luffy.cx>

Date: Sat, 8 Mar 2008 22:39:02 UTC

Severity: wishlist

Tags: patch

Found in versions debsecan/0.4.10, debsecan/0.4.10+nmu2



Report forwarded to debian-bugs-dist@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>:
Bug#470065; Package debsecan.

Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
New Bug report received and forwarded. Copy sent to Florian Weimer <fw@deneb.enyo.de>.

Message #5 received at submit@bugs.debian.org:

From: Vincent Bernat <bernat@luffy.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: debsecan: Better report for backports
Date: Sat, 08 Mar 2008 23:36:28 +0100
Package: debsecan
Version: 0.4.10
Severity: wishlist
Tags: patch

Hi !

Suppose that xxxx 3.0.1-5 fixes a vulnerability. Therefore, 3.0.1-4 is
vulnerable. Assume that I backport 3.0.1-5 to etch. I will name this
version 3.0.1-5~bpo.1. Because of "~", this version will be considered
as inferior to 3.0.1-5 and will be marked as vulnerable.

I think that this "inferiority" should be changed to equality in terms
of security. I suppose that __cmp__() in the Version class could return 0
when all the following conditions are met:
 - upstream versions are equal
 - Debian versions of the package without the r'~.*$' pattern are equal
Otherwise, we just return the VersionCompare() result.

I attach a proposed (ugly) patch. If you think this behaviour is too
dangerous, you could add a flag '--enable-backports-support'.

Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24.2-zoro.18
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages debsecan depends on:
ii  debconf [debconf-2.0]         1.5.19     Debian configuration management sy
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-apt                    0.7.5      Python interface to libapt-pkg

Versions of packages debsecan recommends:
ii  cron                          3.0pl1-103 management of regular background p
ii  postfix [mail-transport-agent 2.5.1-1    High-performance mail transport ag

-- debconf information:
  debsecan/source:
  debsecan/mailto: root
* debsecan/suite: sid
* debsecan/report: true
[debsecan-bpo.patch (text/x-c++, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>:
Bug#470065; Package debsecan.

Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Florian Weimer <fw@deneb.enyo.de>.

Message #10 received at 470065@bugs.debian.org:

From: Vincent Bernat <bernat@luffy.cx>
To: 470065@bugs.debian.org
Subject: Re: debsecan: Better report for backports
Date: Sat, 08 Mar 2008 23:47:30 +0100
OoO Night having already covered this Saturday, 08 March 2008, in ink,
at around 23:36, I said:

> Suppose that xxxx 3.0.1-5 fixes a vulnerability. Therefore, 3.0.1-4 is
> vulnerable. Assume that I backport 3.0.1-5 to etch. I will name this
> version 3.0.1-5~bpo.1. Because of "~", this version will be considered
> as inferior to 3.0.1-5 and will be marked as vulnerable.

> I think that this "inferiority" should be changed to equality in terms
> of security. I suppose that __cmp__() in the Version class could return 0
> when all the following conditions are met:
>  - upstream versions are equal
>  - Debian versions of the package without the r'~.*$' pattern are equal
> Otherwise, we just return the VersionCompare() result.

> I attach a proposed (ugly) patch. If you think this behaviour is too
> dangerous, you could add a flag '--enable-backports-support'.

My patch did not consider the fact that '~' was also used in testing
security. I don't really understand what '~' means in this case and
therefore, I don't know if my patch is still valid.
-- 
panic("aha1740.c"); /* Goodbye */
	2.2.16 /usr/src/linux/drivers/scsi/aha1740.c




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#470065; Package debsecan.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list.

Message #15 received at 470065@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Vincent Bernat <bernat@luffy.cx>
Cc: 470065@bugs.debian.org
Subject: Re: Bug#470065: debsecan: Better report for backports
Date: Sun, 09 Mar 2008 05:49:16 +0100
* Vincent Bernat:

> I think that this "inferiority" should be changed to equality in terms
> of security. I suppose that __cmp__() in the Version class could return 0
> when all the following conditions are met:
>  - upstream versions are equal
>  - Debian versions of the package without the r'~.*$' pattern are equal
> Otherwise, we just return the VersionCompare() result.

This doesn't work because "~" isn't really that special.  It's used by
maintainers as well, not just backports and testing-security.

Sorry, but the fix is more complex, and I'm not 100% sure what it would
look like.  It probably has to happen on the server side anyway.




Information forwarded to debian-bugs-dist@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>:
Bug#470065; Package debsecan.

Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Florian Weimer <fw@deneb.enyo.de>.

Message #20 received at 470065@bugs.debian.org:

From: Vincent Bernat <bernat@luffy.cx>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 470065@bugs.debian.org
Subject: Re: Bug#470065: debsecan: Better report for backports
Date: Sun, 09 Mar 2008 09:18:19 +0100
OoO At the end of this sleepless night of Sunday, 09 March 2008, at around 05:49,
Florian Weimer <fw@deneb.enyo.de> said:

>> I think that this "inferiority" should be changed to equality in terms
>> of security. I suppose that __cmp__() in the Version class could return 0
>> when all the following conditions are met:
>> - upstream versions are equal
>> - Debian versions of the package without the r'~.*$' pattern are equal
>> Otherwise, we just return the VersionCompare() result.

> This doesn't work because "~" isn't really that special.  It's used by
> maintainers as well, not just backports and testing-security.

Do you have other examples? I did not find one. I emphasize the fact
that we only consider '~' in the Debian version part, not in the upstream
version.

> Sorry, but the fix is more complex, and I'm not 100% sure what it would
> look like.  It probably has to happen on the server side anyway.

Backports are not official and can come from various sources
(backports.org or backports made by hand). I don't see how you could
handle this on the server side.
-- 
#ifdef STUPIDLY_TRUST_BROKEN_PCMD_ENA_BIT
        2.4.0-test2 /usr/src/linux/drivers/ide/cmd640.c




Information forwarded to debian-bugs-dist@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>:
Bug#470065; Package debsecan.

Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Florian Weimer <fw@deneb.enyo.de>.

Message #25 received at 470065@bugs.debian.org:

From: Vincent Bernat <bernat@luffy.cx>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 470065@bugs.debian.org
Subject: Re: Bug#470065: debsecan: Better report for backports
Date: Wed, 12 Mar 2008 22:37:25 +0100
OoO At the end of this sleepless night of Sunday, 09 March 2008, at around 05:49,
Florian Weimer <fw@deneb.enyo.de> said:

>> I think that this "inferiority" should be changed to equality in terms
>> of security. I suppose that __cmp__() in the Version class could return 0
>> when all the following conditions are met:
>> - upstream versions are equal
>> - Debian versions of the package without the r'~.*$' pattern are equal
>> Otherwise, we just return the VersionCompare() result.

> This doesn't work because "~" isn't really that special.  It's used by
> maintainers as well, not just backports and testing-security.

> Sorry, but the fix is more complex, and I'm not 100% sure what it would
> look like.  It probably has to happen on the server side anyway.

Well, I have another idea. We could add an option that will normalize
package versions by stripping some data. For example, debsecan could be
invoked with --normalize='~bpo.\d+' to support backports. Or we could
use --normalize='(~bpo|+custom).\d+' to support both backports and
custom packages.

I'll send you a patch implementing this.
-- 
Don't sacrifice clarity for small gains in "efficiency".
            - The Elements of Programming Style (Kernighan & Plauger)




Information forwarded to debian-bugs-dist@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>:
Bug#470065; Package debsecan.

Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Florian Weimer <fw@deneb.enyo.de>.

Message #30 received at 470065@bugs.debian.org:

From: Vincent Bernat <bernat@luffy.cx>
To: 470065@bugs.debian.org
Subject: Re: Bug#470065: debsecan: Better report for backports
Date: Sat, 15 Mar 2008 21:31:13 +0100
OoO At the end of this sleepless night of Sunday, 09 March 2008, at around 05:49,
Florian Weimer <fw@deneb.enyo.de> said:

>> I think that this "inferiority" should be changed to equality in terms
>> of security. I suppose that __cmp__() in the Version class could return 0
>> when all the following conditions are met:
>> - upstream versions are equal
>> - Debian versions of the package without the r'~.*$' pattern are equal
>> Otherwise, we just return the VersionCompare() result.

> This doesn't work because "~" isn't really that special.  It's used by
> maintainers as well, not just backports and testing-security.

> Sorry, but the fix is more complex, and I'm not 100% sure what it would
> look like.  It probably has to happen on the server side anyway.

Here is another proposition: we allow the user to apply a regexp that
will be stripped from the version. If debsecan is called with:
  --strip-version '~bpo.\d+$'
then backport versions will be compared against their testing/unstable
counterparts.

[debsecan-strip-version.diff (text/x-diff, inline)]
--- /usr/bin/debsecan	2007-09-02 18:14:42.000000000 +0200
+++ debsecan	2008-03-15 21:27:17.000000000 +0100
@@ -308,6 +308,8 @@
                       help="display entries on the whitelist")
     parser.add_option("--update-config", action="store_true",
                       dest="update_config", help=None)
+    parser.add_option("--strip-version",
+                      help="strip the given regexp from version")
     (options, args) = parser.parse_args()
 
     def process_whitelist_options():
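Review bot: the new `--strip-version` option has no `metavar`, so optparse will render its help as `--strip-version=STRIP_VERSION`, and the help string does not say that the value is a Python regular expression applied to both the binary and the source version before comparison. Suggest `parser.add_option("--strip-version", metavar="REGEXP", help="remove the part of each package version matching REGEXP (a Python regular expression) before comparison")`, and since the option can hide findings, the help text should say so explicitly.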
@@ -1229,6 +1231,10 @@
     re_source = re.compile\
                 (r'^([a-zA-Z0-9.+-]+)(?:\s+\((\S+)\))?$')
     formatter = formatters[options.format](target, options, history)
+    if options.strip_version:
+        strip_version = re.compile(options.strip_version)
+    else:
+        strip_version = None
     for pkg in packages:
         pkg_name = None
         pkg_status = None
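Review bot: `re.compile(options.strip_version)` will raise `re.error` with a traceback on a malformed user-supplied pattern (an unbalanced parenthesis, for example); catch `re.error` here and exit with a clear usage message naming the option instead, e.g. `except re.error, e:` followed by `sys.exit("--strip-version: %s" % e)` (Python 2 syntax, matching the python 2.4 dependency listed in the report).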
@@ -1267,6 +1273,9 @@
             pkg_source_version = pkg_version
         if not pkg_source:
             pkg_source = pkg_name
+        if strip_version:
+            pkg_source_version = strip_version.sub('', pkg_source_version)
+            pkg_version = strip_version.sub('', pkg_version)
 
         try:
             pkg_version = Version(pkg_version)
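Review bot: the substitution is applied to every package, unconditionally and silently: an unanchored pattern (the suggested `'~bpo.\d+$'` is anchored, but nothing enforces that) could remove text from the middle of a version, and nothing in the report shows that a listed package was judged on a rewritten version. Consider using `strip_version.subn()` and, when the count is non-zero, keeping the original version so the formatter can mark the entry as normalised; also guard against an empty result before it reaches `Version()`. Doing the stripping after the `pkg_source_version = pkg_version` fallback is the right order, since both values are then normalised consistently.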
-- 
BOFH excuse #360:
Your parity check is overdrawn and you're out of cache.

Information forwarded to debian-bugs-dist@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>:
Bug#470065; Package debsecan.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Florian Weimer <fw@deneb.enyo.de>.

Message #35 received at 470065@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 470065@bugs.debian.org
Cc: Vincent Bernat <bernat@luffy.cx>
Subject: Re: Bug#470065: debsecan: Better report for backports
Date: Fri, 28 Mar 2008 13:33:44 +0100
> Here is another proposition: we allow the user to apply a regexp that
> will be stripped from the version. If debsecan is called with:
>   --strip-version '~bpo.\d+$'
> then backport versions will be compared against their testing/unstable
> counterparts.

Since backports.org is (pseudo?)official, and it's very unlikely to see a 
~bpo.\d+ version on a package not coming from backports.org, can't we just 
hardcode that any ~bpo.\d+ version is stripped off automatically before the 
compare?

Vincent's last patch can be useful but I would propose to add ~bpo.\d+ by 
default to the list of strippable regexps...


Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>:
Bug#470065; Package debsecan. (Mon, 18 Oct 2010 15:57:03 GMT)

Acknowledgement sent to Jon Daley <debian@jon.limedaley.com>:
Extra info received and forwarded to list. Copy sent to Florian Weimer <fw@deneb.enyo.de>. (Mon, 18 Oct 2010 15:57:04 GMT)

Message #40 received at 470065@bugs.debian.org:

From: Jon Daley <debian@jon.limedaley.com>
To: Debian Bug Tracking System <470065@bugs.debian.org>
Subject: debsecan: any progress on this? I think this is my problem as well
Date: Mon, 18 Oct 2010 11:47:27 -0400
Package: debsecan
Version: 0.4.10+nmu2
Followup-For: Bug #470065


I am not 100% sure if I have the same error as the OP, but I think so.

I am getting this warning:
CVE-2010-3315 authz.c in the mod_dav_svn module for the Apache HTTP...
  <http://security-tracker.debian.net/tracker/CVE-2010-3315>
  - libsvn-perl, subversion-tools, subversion, libapache2-svn, libsvn1,
    python-subversion (remotely exploitable, medium urgency)

I have subversion: 1.6.12dfsg-2~bpo50+1 installed.

But, that is reported as fixed here:
http://security-tracker.debian.org/tracker/CVE-2010-3315

Thanks.

-- System Information:
Debian Release: 5.0.6
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages debsecan depends on:
ii  debconf [debconf-2.0]       1.5.24       Debian configuration management sy
ii  python                      2.5.2-3      An interactive high-level object-o
ii  python-apt                  0.7.7.1+nmu1 Python interface to libapt-pkg

Versions of packages debsecan recommends:
ii  cron                          3.0pl1-105 management of regular background p
ii  postfix [mail-transport-agent 2.5.5-1.1  High-performance mail transport ag

debsecan suggests no packages.

-- debconf information:
* debsecan/source:
* debsecan/mailto: root
* debsecan/suite: GENERIC
* debsecan/report: true




Information forwarded to debian-bugs-dist@lists.debian.org, Florian Weimer <fw@deneb.enyo.de>:
Bug#470065; Package debsecan. (Mon, 07 Feb 2011 06:39:03 GMT)

Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Florian Weimer <fw@deneb.enyo.de>. (Mon, 07 Feb 2011 06:39:04 GMT)

Message #45 received at 470065@bugs.debian.org:

From: Vincent Bernat <bernat@luffy.cx>
To: 470065@bugs.debian.org
Subject: debsecan still says that backported packages are not up-to-date
Date: Mon, 07 Feb 2011 07:37:41 +0100
Hi!

No update on this bug. My patch seems to be better than nothing at
all. How about using it while waiting for a better solution?
-- 
panic("Tell me what a watchpoint trap is, and I'll then 
deal with such a beast...");
	2.2.16 /usr/src/linux/arch/arch/sparc/kernel/traps.c






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 20:03:57 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.