| Field | Value |
|---|---|
| Summary | sys-libs/lib-compat multiple vulnerabilities |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED WONTFIX |
| Severity | major |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Ulrich Müller <ulm> |
| Assignee | Gentoo Security <security> |
| CC | base-system, games, vapier |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=504952, https://bugs.gentoo.org/show_bug.cgi?id=506226 |
| Whiteboard | B1? [ebuild] |
| Package list | |
| Runtime testing required | --- |
Description
Ulrich Müller
2014-05-21 16:58:51 UTC
My first thought would be: hard-mask it and everything that depends on it. I can't think of any other solution.

(In reply to Michał Górny from comment #1)
> My first thought would be: hard-mask it and everything that depends on it. I
> can't think of any other solution.

lib-compat and its reverse dependencies have been package masked for some time. Here is the list of reverse dependencies for emul-linux-x86-compat (as far as they have not been masked for other reasons already):

dev-lang/dmd-bin
games-action/mutantstorm-demo (*)
games-action/rune (*)
games-action/spacetripper-demo (*)
games-fps/enemy-territory-truecombat
games-fps/ut2003 (*)
games-puzzle/drod-bin
games-rpg/nwn
games-server/nwn-ded (*)
games-server/ut2003-ded (*)
games-strategy/darwinia (*)
games-strategy/darwinia-demo (*)
mail-client/novell-groupwise-client[multilib]
media-sound/aucdtect (*)
media-video/binkplayer
sci-chemistry/cara-bin
sci-chemistry/icm[32bit] (*)
sci-chemistry/icm-browser

What is surprising is that the packages marked with (*) don't depend on lib-compat or libstdc++-v3 on x86. Therefore I'm reluctant to package.mask (or package.use.mask) them in the amd64 profile.

@multilib: Is it still planned to update dependencies for these packages? The status page in the wiki was last updated in July.

Yes, we're planning to update the deps. However, at this moment nobody in the team can afford to work on this.

On a side note, most of those dependencies are likely completely misguided. From my attempts at various games, none of the packages depending on lib-compat was actually linking against anything in it...

Of the packages you listed, the following actually do link against libstdc++.so.5:

dev-lang/dmd-bin-1.016
games-fps/enemy-territory-truecombat-0.49b
games-puzzle/drod-bin
games-strategy/darwinia-1.3.0
games-strategy/darwinia-1.4.0_beta9
games-strategy/darwinia-demo-1.3.0
media-video/binkplayer-1.9p
sci-chemistry/cara-bin-1.8.4

The following do *not* link against libstdc++.so.5, and probably should not depend on it (testing done by checking contents of distfiles):

dev-lang/dmd-bin-2.008-r1
games-action/rune-1.07-r2
games-action/spacetripper-demo-1
games-fps/ut2003-2225-r4
games-rpg/nwn-1.68-r5
games-rpg/nwn-1.68-r6
games-rpg/nwn-1.69-r1
games-server/nwn-ded-1.68-r1
games-server/nwn-ded-1.69
games-server/ut2003-ded-2225-r2
media-sound/aucdtect-0.8.2
media-video/binkplayer-1.99w

The following needs a file only provided by emul-linux-x86-compat or lib-compat and should therefore probably be masked:

games-action/mutantstorm-demo-1.33 (needs libstdc++-libc6.2-2.so.3)

The following are fetch restricted, so I cannot test them:

mail-client/novell-groupwise-client-8.0.2.96933
sci-chemistry/icm-3.7.2e
sci-chemistry/icm-3.7.3b
sci-chemistry/icm-browser-3.6.1i

All packages formerly depending on emul-linux-x86-compat have been updated to depend on lib-compat or libstdc++-v3. sys-libs/lib-compat and its reverse dependencies as well as app-emulation/emul-linux-x86-compat are package.masked now.

The emul-linux-x86 part is gone.

Packages long gone.

(In reply to Michał Górny from comment #7)
> Packages long gone.

sys-libs/lib-compat is still in the tree.

Sorry, haven't read thoroughly.

* These packages depend on sys-libs/lib-compat:
games-action/mutantstorm-demo-1.33 (sys-libs/lib-compat)
games-action/phobiaii-1.1 (sys-libs/lib-compat)
games-fps/rtcw-1.41b (sys-libs/lib-compat)
games-fps/unreal-226 (sys-libs/lib-compat)
sys-block/afacli-4.1 (sys-libs/lib-compat)
sys-libs/lib-compat-loki-0.2-r1 (sys-libs/lib-compat)

Still some rdeps in the tree. RTCW and Unreal both have standing security bugs as well. Maybe it is time to finally clean these?

(In reply to Aaron Bauman from comment #10)
> * These packages depend on sys-libs/lib-compat:
> games-action/mutantstorm-demo-1.33 (sys-libs/lib-compat)
> games-action/phobiaii-1.1 (sys-libs/lib-compat)
> games-fps/rtcw-1.41b (sys-libs/lib-compat)
> games-fps/unreal-226 (sys-libs/lib-compat)
> sys-block/afacli-4.1 (sys-libs/lib-compat)
> sys-libs/lib-compat-loki-0.2-r1 (sys-libs/lib-compat)

Also (indirectly via lib-compat-loki):

games-strategy/heroes3
games-strategy/heroes3-demo
games-strategy/smac

> Still some rdeps in the tree. RTCW and Unreal both have standing security
> bugs as well. Maybe it is time to finally clean these?

CCing maintainers.

maintainer-needed: sys-block/afacli
vapier: games-fps/unreal
games: all others

(In reply to Aaron Bauman from comment #10)
> Still some rdeps in the tree. RTCW and Unreal both have standing security
> bugs as well. Maybe it is time to finally clean these?

These are both packages I would like to take on but haven't had the time yet. I did a lot of work on them in bug reports before I became a dev. I fear there's nothing we can do about the security issues though. A different approach needs to be taken with games, it's not like we can just say "oh play another game then".

(In reply to James Le Cuirot from comment #12)
> (In reply to Aaron Bauman from comment #10)
> > Still some rdeps in the tree. RTCW and Unreal both have standing security
> > bugs as well. Maybe it is time to finally clean these?
>
> These are both packages I would like to take on but haven't had the time
> yet. I did a lot of work on them in bug reports before I became a dev. I
> fear there's nothing we can do about the security issues though. A different
> approach needs to be taken with games, it's not like we can just say "oh
> play another game then".

I agree, a different approach is needed. A security mask would suffice, but considering the length of the mask it does not seem ideal. Is an overlay a viable option?

(In reply to James Le Cuirot from comment #12)
> (In reply to Aaron Bauman from comment #10)
> > Still some rdeps in the tree. RTCW and Unreal both have standing security
> > bugs as well. Maybe it is time to finally clean these?
>
> These are both packages I would like to take on but haven't had the time
> yet. I did a lot of work on them in bug reports before I became a dev. I
> fear there's nothing we can do about the security issues though. A different
> approach needs to be taken with games, it's not like we can just say "oh
> play another game then".

Regarding rtcw, I suggest switching over to iortcw:

https://github.com/iortcw/iortcw

It uses the original rtcw game files but has a very much improved engine including alsa support (which I badly missed in the original game).

I started creating an ebuild but only got the single player stuff working:

https://www.gentoofan.org/gentoo/poly-c_overlay/games-fps/rtcw/

(In reply to Lars Wendler (Polynomial-C) from comment #14)
> Regarding rtcw, I suggest switching over to iortcw:
>
> https://github.com/iortcw/iortcw
>
> It uses the original rtcw game files but has a very much improved engine
> including alsa support (which I badly missed in the original game).
>
> I started creating an ebuild but only got the single player stuff working:
>
> https://www.gentoofan.org/gentoo/poly-c_overlay/games-fps/rtcw/

With my brain in work mode, I got confused by the mention of Unreal and was thinking of RTNP (which never hit the tree) but RTCW is also something I used to play and never finished. I have heard of iortcw so I'll check it out. I too remember the OSS pain as it uses some special mode that ALSA/PA doesn't emulate.

sys-libs/lib-compat-1.5 installs only libstdc++-libc6.2-2.so.3 (aka libstdc++-3-libc6.2-2-2.10.0.so) which appears to be the only library needed by reverse dependencies. This library was shipped with gcc-2.95.3.

@Security team: Can you check if there are any known vulnerabilities in libstdc++-libc6.2-2.so.3? Otherwise, we could unmask and stabilise lib-compat-1.5.

Alternatively, we could move what is now lib-compat-1.5 to a new sys-libs/libstdc++-v2-bin-2.95.3 package and last-rite sys-libs/lib-compat. Maybe that would be a more clear-cut solution.

Package is still masked along with other games that are still vulnerable. GCC 2.9.x is masked as well in tree due to unresolved security issues. I am not sure leaving them in tree is best. Games are such a pain. Thoughts?

(In reply to Aaron Bauman from comment #17)
> Package is still masked along with other games that are still vulnerable.
> GCC 2.9.x is masked as well in tree due to unresolved security issues. I am
> not sure leaving them in tree is best. Games are such a pain. Thoughts?

It's probably safe to say that libstdc++-libc6.2-2.so.3 is vulnerable and that's not going to change. Our stance, as always, is that even vulnerable games can remain with a mask and this allows users to decide whether it is worth the risk. This is a good compromise and I don't wish to change it. At least something can be done in the case of RTCW but this requires time I currently do not have.
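As an added example (not code from the bug, from Gentoo's tooling, or from any of the commenters), the check behind the comment that sorted packages into "actually link against libstdc++.so.5" and "do not" by inspecting distfile contents, together with the later observation that lib-compat-1.5 ships nothing but libstdc++-libc6.2-2.so.3, comes down to one question per unpacked distfile: does any ELF object in it carry a DT_NEEDED entry for one of those two sonames? The script below answers that without readelf or pyelftools, reading the program headers and the dynamic section directly (ELF32 and ELF64, either byte order, with DT_STRTAB translated through the PT_LOAD segments rather than assumed to equal a file offset), and includes a builder for a constructed minimal ELF32 image used only to exercise the reader. The file name and the work directory path in the usage note are assumptions.

```python
import os
import struct
import sys

# Sonames the bug names as provided only by lib-compat / libstdc++-v3.
COMPAT_SONAMES = ("libstdc++.so.5", "libstdc++-libc6.2-2.so.3")
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
# Per ELF class: e_phoff format and offset, offset of e_phentsize/e_phnum,
# Phdr format, indices of p_type/p_offset/p_vaddr/p_filesz in it, Dyn format.
_LAYOUT = {1: ("I", 28, 42, "8I", (0, 1, 2, 4), "iI"),
           2: ("Q", 32, 54, "IIQQQQQQ", (0, 2, 3, 5), "qQ")}


def elf_needed(data: bytes) -> list:
    """DT_NEEDED sonames of an ELF32/ELF64 image; [] if it is not a dynamic ELF."""
    if len(data) < 6 or data[:4] != b"\x7fELF" or data[4] not in _LAYOUT or data[5] not in (1, 2):
        return []
    end = "<" if data[5] == 1 else ">"
    phoff_fmt, phoff_at, phnum_at, phdr_fmt, pick, dyn_fmt = _LAYOUT[data[4]]
    try:
        phoff = struct.unpack_from(end + phoff_fmt, data, phoff_at)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, phnum_at)
        phdrs = []  # (p_type, p_offset, p_vaddr, p_filesz)
        for i in range(phnum):
            f = struct.unpack_from(end + phdr_fmt, data, phoff + i * phentsize)
            phdrs.append(tuple(f[k] for k in pick))
        dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
        if dyn is None:  # statically linked: nothing is resolved at runtime
            return []
        needed, strtab_va, strsz = [], None, None
        for off in range(dyn[1], dyn[1] + dyn[3], struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(end + dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(val)
            elif tag == DT_STRTAB:
                strtab_va = val
            elif tag == DT_STRSZ:
                strsz = val
    except struct.error:  # truncated or malformed headers
        return []
    if strtab_va is None or strsz is None:
        return []
    # DT_STRTAB is a virtual address: translate it through the PT_LOAD segments.
    for p_type, p_off, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_vaddr <= strtab_va < p_vaddr + p_filesz:
            strtab = data[p_off + strtab_va - p_vaddr:][:strsz]
            return [strtab[o:].split(b"\0", 1)[0].decode("ascii", "replace")
                    for o in needed if o < len(strtab)]
    return []


def scan_tree(root: str) -> dict:
    """Relative path -> compat sonames, for every ELF object under root that
    needs one.  Non-ELF files (game data) are dropped after the 4-byte magic."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read(4)
                data += fh.read() if data == b"\x7fELF" else b""
            deps = [n for n in elf_needed(data) if n in COMPAT_SONAMES]
            if deps:
                hits[os.path.relpath(path, root)] = deps
    return hits


def build_sample_elf32(needed: list) -> bytes:
    """Constructed test input: a minimal little-endian i386 ET_DYN image with one
    PT_LOAD mapping the file at vaddr 0 and a PT_DYNAMIC naming `needed`.  It has
    just enough structure for DT_NEEDED parsing and is not a loadable object."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    strtab_off = 52 + 2 * 32  # Elf32_Ehdr followed by two Elf32_Phdr
    dyn_off = (strtab_off + len(strtab) + 3) & ~3
    offs = [1 + sum(len(m) + 1 for m in needed[:i]) for i in range(len(needed))]
    dyn = b"".join(struct.pack("<iI", DT_NEEDED, o) for o in offs)
    dyn += struct.pack("<iIiIiI", DT_STRTAB, strtab_off, DT_STRSZ, len(strtab), DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    load = struct.pack("<8I", PT_LOAD, 0, 0, 0, total, total, 5, 0x1000)
    dynp = struct.pack("<8I", PT_DYNAMIC, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 6, 4)
    body = ehdr + load + dynp + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn


if __name__ == "__main__":
    # Usage: python check_compat.py <unpacked distfile directory>
    for rel, deps in sorted(scan_tree(sys.argv[1]).items()):
        print(f"{rel}: needs {', '.join(deps)}")
```

Run it against the unpacked work directory of a package (for example `python check_compat.py /var/tmp/portage/games-fps/foo-1.0/work`, path assumed); every object that needs libstdc++.so.5 or libstdc++-libc6.2-2.so.3 is listed, and a package whose binaries print nothing is a candidate for dropping the lib-compat dependency. The caveat a practitioner will want: DT_NEEDED only covers load-time linking, so a library pulled in with dlopen() by the game engine or by a bundled loader script is not visible here and needs a run under LD_DEBUG=libs or a grep of the binaries for the soname string.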
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=010852d13e7f1c59bc11ab2e3efe806dfacebaf4

commit 010852d13e7f1c59bc11ab2e3efe806dfacebaf4
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-12-08 21:13:32 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-12-08 21:13:32 +0000

    games-*/*: drop last-rited pkgs

    Bug: https://bugs.gentoo.org/515926
    Bug: https://bugs.gentoo.org/510960
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 games-action/phobiaii/Manifest                    |   1 -
 games-action/phobiaii/metadata.xml                |   8 -
 games-action/phobiaii/phobiaii-1.1-r1.ebuild      |  36 ----
 games-fps/rtcw/Manifest                           |   2 -
 games-fps/rtcw/files/wolf-ded.rc                  |  24 ---
 games-fps/rtcw/metadata.xml                       |  11 --
 games-fps/rtcw/rtcw-1.41b.ebuild                  |  93 ---------
 games-fps/unreal/Manifest                         |   3 -
 games-fps/unreal/metadata.xml                     |  21 ---
 games-fps/unreal/unreal-226.ebuild                |  85 ---------
 games-strategy/heroes3/Manifest                   |   2 -
 games-strategy/heroes3/files/heroes3-wrapper.sh   |  13 --
 games-strategy/heroes3/heroes3-1.3.1a-r2.ebuild   | 208 ---------------------
 games-strategy/heroes3/metadata.xml               |  13 --
 games-strategy/smac/Manifest                      |   2 -
 games-strategy/smac/metadata.xml                  |   8 -
 games-strategy/smac/smac-6.0a.ebuild              | 102 ----------
 profiles/package.mask                             |  14 --
 sys-libs/lib-compat-loki/Manifest                 |   1 -
 .../lib-compat-loki/lib-compat-loki-0.2-r1.ebuild |  39 ----
 sys-libs/lib-compat-loki/metadata.xml             |   8 -
 sys-libs/lib-compat/Manifest                      |   1 -
 sys-libs/lib-compat/lib-compat-1.5.ebuild         |  16 --
 sys-libs/lib-compat/metadata.xml                  |   8 -
 24 files changed, 719 deletions(-)

Package removed.