Old 12-14-2008, 05:08 PM
Goswin von Brederlow
 
Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?

Hi,

I run reprepro to create a local mirror for lenny, lenny-security and
sid. Since I have it setup to put all 3 into a common pool I noticed
the following:

Lenny:
------
Package: uw-imap
Version: 7:2007b~dfsg-3
Files:
b52118669abf422f766d14e3e2d69daa 1608456 uw-imap_2007b~dfsg.orig.tar.gz

Sid:
----
Package: uw-imap
Version: 8:2007b~dfsg-1
Files:
b52118669abf422f766d14e3e2d69daa 1608456 uw-imap_2007b~dfsg.orig.tar.gz

Lenny-Security:
---------------
Package: uw-imap
Version: 7:2007b~dfsg-4+lenny1
13dc7a81451e676f29ed840ba81b79ca 1617554 uw-imap_2007b~dfsg.orig.tar.gz


As you can see Lenny-Security has a different orig.tar.gz than
Lenny/Sid. This creates a problem for my reprepro as it detects a
size/md5sum mismatch, aborts and sends me an angry mail. But more
importantly this prevents the security update from entering Lenny:

20081106164710|process-unchecked|rejected|uw-imap_2007b~dfsg-4+lenny1_amd64.changes

Rejected: md5sum and/or size mismatch on existing copy of uw-imap_2007b~dfsg.orig.tar.gz.
Rejected: can not overwrite existing copy of 'uw-imap_2007b~dfsg.orig.tar.gz' already in the archive.


As it is the vulnerable version of uw-imap will remain in Lenny and
Lenny will have a known security bug that is totally avoidable. From
the timestamp above you can see that this problem has been around for
over a month.

Does anyone care?

MfG
Goswin





--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
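A check for exactly the mismatch the reprepro run above tripped over, added here as an example and not code from the thread or from reprepro: it parses the Files: field of Sources stanzas from several suites and reports any filename that would have to sit in a shared pool with more than one md5sum/size. The stanzas are constructed; the uw-imap hashes and sizes are the ones quoted above, and "examplepkg" is made up.

```python
from collections import defaultdict

# Constructed, abbreviated Sources stanzas for the three suites. The uw-imap
# orig.tar.gz md5sums and sizes are the ones quoted in the thread; "examplepkg"
# is made up to show a filename shared across suites that does NOT conflict.
SOURCES = {
    "lenny": "Package: uw-imap\nVersion: 7:2007b~dfsg-3\nFiles:\n"
             " b52118669abf422f766d14e3e2d69daa 1608456 uw-imap_2007b~dfsg.orig.tar.gz\n\n"
             "Package: examplepkg\nVersion: 1.0-1\nFiles:\n"
             " 00000000000000000000000000000000 100 examplepkg_1.0.orig.tar.gz\n",
    "sid": "Package: uw-imap\nVersion: 8:2007b~dfsg-1\nFiles:\n"
           " b52118669abf422f766d14e3e2d69daa 1608456 uw-imap_2007b~dfsg.orig.tar.gz\n\n"
           "Package: examplepkg\nVersion: 1.0-2\nFiles:\n"
           " 00000000000000000000000000000000 100 examplepkg_1.0.orig.tar.gz\n",
    "lenny-security": "Package: uw-imap\nVersion: 7:2007b~dfsg-4+lenny1\nFiles:\n"
                      " 13dc7a81451e676f29ed840ba81b79ca 1617554 uw-imap_2007b~dfsg.orig.tar.gz\n",
}

def parse_sources(text):
    """Parse Sources stanzas into (package, version, [(md5, size, filename), ...])."""
    stanzas = []
    for block in text.split("\n\n"):
        pkg = ver = None
        files, in_files = [], False
        for line in block.splitlines():
            if line.startswith(" "):                # continuation line of a field
                if in_files:
                    md5, size, name = line.split()
                    files.append((md5, int(size), name))
                continue
            in_files = line.startswith("Files:")    # other multi-line fields are ignored
            if line.startswith("Package:"):
                pkg = line.split(":", 1)[1].strip()
            elif line.startswith("Version:"):
                ver = line.split(":", 1)[1].strip()
        if pkg:
            stanzas.append((pkg, ver, files))
    return stanzas

def find_pool_conflicts(sources_by_suite):
    """Return {filename: {(md5, size): [(suite, version), ...]}} for every filename
    that appears with differing content; a shared pool cannot hold both under one name."""
    seen = defaultdict(lambda: defaultdict(list))
    for suite, text in sources_by_suite.items():
        for _pkg, ver, files in parse_sources(text):
            for md5, size, name in files:
                seen[name][(md5, size)].append((suite, ver))
    return {name: dict(v) for name, v in seen.items() if len(v) > 1}
```

Run over real Sources indices (one per suite) the same function flags the problem before an import aborts, rather than after the rejection mail arrives.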
 
Old 12-14-2008, 07:03 PM
Nico Golde
 
Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?

Ccing maintainer.

Hi,
* Goswin von Brederlow <goswin-v-b@web.de> [2008-12-14 20:14]:
> I run reprepro to create a local mirror for lenny, lenny-security and
> sid. Since I have it setup to put all 3 into a common pool I noticed
> the following:
[...]
> As you can see Lenny-Security has a different orig.tar.gz than
> Lenny/Sid. This creates a problem for my reprepro as it detects a
> size/md5sum mismatch, aborts and sends me an angry mail. But more
> importantly this prevents the security update from entering Lenny:
>
> 20081106164710|process-unchecked|rejected|uw-imap_2007b~dfsg-4+lenny1_amd64.changes
>
> Rejected: md5sum and/or size mismatch on existing copy of uw-imap_2007b~dfsg.orig.tar.gz.
> Rejected: can not overwrite existing copy of 'uw-imap_2007b~dfsg.orig.tar.gz' already in the archive.

This update was unfortunately a bit problematic, to make the
story short uw-imap was uploaded as 7:2007b~dfsg-4 but we
then requested to upload this as -3+lenny1 to mark it as a
security update and to prevent broken updates in case
7:2007d~dfsg-1 gets rejected from NEW (in -3+lenny1 is also
the upstream tarball change).

Unfortunately -3+lenny1 was rejected on klecker because the
orig.tar.gz of the old build was still lying around in the
queue. As we can not use the same version twice on klecker
-4+lenny1 was uploaded as a rebuild of -3+lenny1 and the
upstream tarball change was overlooked in that chaos.

> As it is the vulnerable version of uw-imap will remain in Lenny and
> Lenny will have a known security bug that is totally avoidable. From
> the timestamp above you can see that this problem has been around for
> over a month.
>
> Does anyone care?

Yes.

I see two possibilities here, one option is to get
8:2007b~dfsg-1 unblocked and let this migrate to lenny
(there is some weird SONAME change though) or to reupload a
+lenny2 version to testing-security again.

Opinions?

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
 
Old 12-14-2008, 11:17 PM
José Luis Tallón
 
Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?

Nico Golde wrote:
> Yes.
> I see two possibilities here, one option is to get
> 8:2007b~dfsg-1 unblocked and let this migrate to lenny
> (there is some weird SONAME change though) or to reupload a
> +lenny2 version to testing-security again.
>
Yuck!
> Opinions?
>
7:2007b~dfsg-4+lenny2 sounds better, IMHO

Let's keep epochs for the occasions where real versioning goof-ups do
happen :-)



Cheers,

J.L.


 
Old 12-15-2008, 12:14 AM
Goswin von Brederlow
 
Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?

José Luis Tallón <jltallon@adv-solutions.net> writes:

> Nico Golde wrote:
>> Yes.
>> I see two possibilities here, one option is to get
>> 8:2007b~dfsg-1 unblocked and let this migrate to lenny
>> (there is some weird SONAME change though) or to reupload a
>> +lenny2 version to testing-security again.
>>
> Yuck!
>> Opinions?
>>
> 7:2007b~dfsg-4+lenny2 sounds better, IMHO
>
> Let's keep epochs for the occasions where real versioning goof-ups do
> happen :-)
>
>
>
> Cheers,
>
> J.L.

If the tarball has changed then how about a 7:2007b~dfsg2-<whatever>?
That way the filename will differ and no conflict will arise.

MfG
Goswin


 
Old 12-15-2008, 01:17 AM
Brian May
 
Security slightly compromised. Why is lenny-security altering uw-imap_2007b~dfsg.orig.tar.gz?

Goswin von Brederlow wrote:

> If the tarball has changed then how about a 7:2007b~dfsg2-<whatever>?
> That way the filename will differ and no conflict will arise.

I am a bit surprised that a security update requires modifications to
the upstream tar ball.


I would speculate this was a mistake, and the best approach would be to
rebuild the security update with the correct tar ball.


Otherwise, if the changes to the tar ball were deliberate, change the
filename as above.


--
Brian May <brian@microcomaustralia.com.au>
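The filename rule behind Goswin's 7:2007b~dfsg2 suggestion and Brian's rebuild-with-the-correct-tarball option, as an added example that is not from the thread or from dak/reprepro: derive the source filenames from a Debian version string (the epoch never reaches a filename, only the upstream part names the orig tarball) and check a candidate upload against a constructed pool state built from the md5sums quoted in the first post. It assumes a non-native package with tar.gz compression, as in the thread.

```python
# Constructed pool state: the orig.tar.gz already shared by lenny and sid, plus
# the md5sum of the changed tarball shipped via lenny-security (both from the thread).
POOL = {"uw-imap_2007b~dfsg.orig.tar.gz": "b52118669abf422f766d14e3e2d69daa"}
OLD_ORIG_MD5 = "b52118669abf422f766d14e3e2d69daa"
NEW_ORIG_MD5 = "13dc7a81451e676f29ed840ba81b79ca"

def source_filenames(package, version):
    """Derive the source filenames for a non-native package (tar.gz assumed).
    The epoch is dropped and only the upstream part names the orig tarball, so
    7:2007b~dfsg-4+lenny2 and 8:2007b~dfsg-1 both map to one orig.tar.gz name."""
    no_epoch = version.split(":", 1)[1] if ":" in version else version
    upstream, sep, _debian_rev = no_epoch.rpartition("-")
    if not sep:
        raise ValueError(f"{version} has no Debian revision (native package?)")
    return {
        "orig": f"{package}_{upstream}.orig.tar.gz",
        "diff": f"{package}_{no_epoch}.diff.gz",
        "dsc": f"{package}_{no_epoch}.dsc",
    }

def upload_would_collide(package, version, orig_md5, pool):
    """Return (orig_filename, collides). collides is True when the pool already
    holds that filename with different content, which is what the archive
    software rejects with "md5sum and/or size mismatch on existing copy"."""
    name = source_filenames(package, version)["orig"]
    return name, name in pool and pool[name] != orig_md5
```

Only a version whose upstream part differs (2007b~dfsg2) or an upload that ships the tarball already in the pool passes the check; bumping the epoch or the Debian revision alone does not.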

