| Summary: | <=app-admin/systemrescuecd-x86-6.0.3 multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Ulrich Müller <ulm> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bug, che, mgorny, tobias.pal, treecleaner |
| Priority: | Normal | Keywords: | PMASKED |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Deadline: | 2019-10-18 | | |
Description
Ulrich Müller
2019-04-18 06:33:10 UTC

Newest upstream version 6.0.3 still has several vulnerabilities (using the list at https://security.archlinux.org/issues/all):

High:
- polkit 0.115+24+g5230646-1 https://security.archlinux.org/AVG-897
- gettext 0.19.8.1-3 https://security.archlinux.org/AVG-885
- glibc 2.28-5 https://security.archlinux.org/AVG-855

Medium:
- openssh 7.9p1-1 https://security.archlinux.org/AVG-849
- libarchive 3.3.3-1 https://security.archlinux.org/AVG-837
- libtiff 4.0.10-1 https://security.archlinux.org/AVG-886
- glibc 2.28-5 https://security.archlinux.org/AVG-831

Low:
- openssl 1.1.1.b-1 https://security.archlinux.org/AVG-919
- unzip 6.0-13 https://security.archlinux.org/AVG-611

Comment

Oh, they changed release hosting, so I didn't get new versions via RSS. I'm not sure if I should bump them or just mask it as unmaintainable. After all, we won't be patching the prebuilt .iso. (Of course, technically we could try building it from scratch ;-))

Comment

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de3810cffe3b165949592b4d3d2979af1c3c1635

commit de3810cffe3b165949592b4d3d2979af1c3c1635
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-04-18 11:43:13 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-04-18 11:44:44 +0000

    package.mask: Mask app-admin/systemrescuecd-x86 for vulnerabilities

    Bug: https://bugs.gentoo.org/683724
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)

Comment #4
Thomas J. Moore

Can you describe any scenarios where these vulnerabilities affect the use of this mini-distro as a system rescue CD? I looked at the linked ones and feel that deleting this package for "security issues" is stupid. Whatever. Go ahead and apply your headless chicken security practices. I'll just keep/maintain the ebuild myself.

It's not like I don't have plenty of games with similar overblown security warnings that I have to now maintain myself (for myself; the requirements for becoming a gentoo maintainer require far too much investment into "the community" of a distro that I hate, for exactly this kind of activity).

Comment

(In reply to Thomas J. Moore from comment #4)

This is treated like any other vulnerable package, according to policy: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

As it is a binary package, there is not much that we can do, other than waiting for a fixed release from upstream. Unmask the package if you believe that the risk is negligible for your use case. However, we cannot answer that question for all users.

I personally do not see the point in maintaining systemrescuecd as a package in general.

From security POV: Gentoo security will not track vulnerabilities within systemrescuecd on our own. In case there is an upstream advisory for the product in general, we will do our work, but we will not audit and keep track of included libs/packages, as we don't even have enough man power to keep up with real packages in Gentoo.

I am also not aware of any other distribution doing something like that for their own installation media. From time to time, they will just replace the previous version with a new version. It's also normal these days that you can use such a medium for installation OR to boot a live system. Once booted, you can update the running live system using known package managers (which is even possible for systemrescuecd).

=> Closing security bug as "WONTFIX".

@ maintainer(s): Feel free to lift the mask if you see a value in keeping systemrescuecd as a package, or last rite.

Comment

I'm going to reopen this for last rites. We'll close it when the package is gone, ok?

Comment

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4876a4ebbab69f5319f5258da99b3c4f6d586871

commit 4876a4ebbab69f5319f5258da99b3c4f6d586871
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-18 20:35:49 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-18 20:38:48 +0000

    package.mask: Last rite app-admin/systemrescuecd-x86 & revdep

    Bug: https://bugs.gentoo.org/683724
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

Comment

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9aed7def6f333dcaf2e4a3e4ddb887b9db2dab7b

commit 9aed7def6f333dcaf2e4a3e4ddb887b9db2dab7b
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-10-18 06:57:06 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-10-18 06:58:19 +0000

    app-admin/systemrescuecd-x86: Remove last-rited pkg

    Closes: https://bugs.gentoo.org/683724
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-admin/systemrescuecd-x86/Manifest     |  2 -
 app-admin/systemrescuecd-x86/metadata.xml | 19 ------
 .../systemrescuecd-x86-5.3.2.ebuild       | 63 -------------------
 .../systemrescuecd-x86-6.0.3.ebuild       | 70 ----------------------
 profiles/package.mask                     |  8 ---
 5 files changed, 162 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b93c3557c10f6f015879ff04d5619acf12dab285

commit b93c3557c10f6f015879ff04d5619acf12dab285
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-10-18 06:56:46 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-10-18 06:58:18 +0000

    sys-boot/systemrescuecd-x86-grub: Remove last-rited pkg

    Closes: https://bugs.gentoo.org/683724
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask                          |   1 -
 .../files/systemrescuecd.default               |  21 ---
 .../files/systemrescuecd.default-2             |  33 -----
 .../files/systemrescuecd.grub                  |  64 ---------
 .../files/systemrescuecd.grub-2                | 146 --------------------
 sys-boot/systemrescuecd-x86-grub/metadata.xml  |  17 ---
 .../systemrescuecd-x86-grub-0.1-r1.ebuild      |  31 -----
 .../systemrescuecd-x86-grub-0.2.ebuild         |  31 -----
 8 files changed, 344 deletions(-)