+++ This bug was initially created as a clone of Bug #246916 +++

Comment 3 from the original bug. Still old versions in SRC_URI.

> Given this was left unfixed and it's currently building two bzip2 versions that
> should be pretty vulnerable (
> http://www.gentoo.org/security/en/glsa/glsa-200804-02.xml ), can we just drop
> this?
@security team: Can you tell me how you tell that this package builds vulnerable bzip2? Thanks.
/var/tmp/portage/app-portage/deltup-0.4.4/image $ find -name bz*
./usr/bin/bzip2_1.0.2
./usr/bin/bzip2_1.0.3

The whole design of deltup with regards to security is broken. It expects you to have the exact version of bzip installed that the archive was created with (which seems to be bzip's fault). So it bundles 1.0.2 and 1.0.3 and depends on 1.0.5 (currently). See also bug 89475.

Now this is not a vulnerability in deltup until a bzip version it ships becomes vulnerable, and GLSA 200804-02 affects the old bzip copies. However, since the impact of that GLSA is a Denial of Service, this is not an issue in deltup. If an attacker can control a delta mirror, they can deny service to deltup users anyway. If an attacker could leverage these issues to execute arbitrary code, it would be more of an issue (and this might happen in the future).

To sum it up:
- I'm going to close this bug as it is not an issue for the security team.
- I'd encourage you to consider unbundling the bzip2 copies; users will need to download full files for files compressed using an old bzip2 then (still better than keeping a time bomb around, IMO).
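The check behind the comment above, written out as an added example (not deltup's, the ebuild's or the security team's own code): scan a Portage image directory for bundled bzip2 copies and flag any older than the first version that is no longer affected by GLSA 200804-02. It assumes the `bzip2_<version>` naming seen in the `find` output and treats 1.0.5, the version the comment says deltup itself depends on, as the minimum acceptable; the image tree it scans is constructed by the script itself for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of deltup: flag bundled bzip2
# binaries (usr/bin/bzip2_<version>) in an image directory whose version is
# older than FIXED_VERSION. The naming convention mirrors the find output in
# the comment; FIXED_VERSION is an assumption taken from "depends on 1.0.5".

FIXED_VERSION=1.0.5

# version_lt A B: succeed if dotted version A is numerically older than B,
# comparing field by field (so 1.0.10 is newer than 1.0.5).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# scan_image DIR: print "<path> <version> <status>" for every bundled copy,
# where status is VULNERABLE if the version suffix is older than FIXED_VERSION.
scan_image() {
    dir=$1
    for f in "$dir"/usr/bin/bzip2_*; do
        [ -e "$f" ] || continue
        ver=${f##*/bzip2_}
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "$f $ver VULNERABLE"
        else
            echo "$f $ver ok"
        fi
    done
}

# count_vulnerable DIR: number of flagged copies; non-zero means the image
# still carries a bzip2 affected by the GLSA.
count_vulnerable() {
    scan_image "$1" | grep -c VULNERABLE || true
}

# make_demo_image DIR: constructed image tree with the two bundled versions
# from the comment plus the fixed one. The files are stand-in scripts, not
# real bzip2 binaries; only their names matter to the check.
make_demo_image() {
    dir=$1
    mkdir -p "$dir/usr/bin"
    for v in 1.0.2 1.0.3 1.0.5; do
        printf '#!/bin/sh\necho "bzip2 %s stand-in"\n' "$v" > "$dir/usr/bin/bzip2_$v"
        chmod +x "$dir/usr/bin/bzip2_$v"
    done
}

# Run with --demo to scan a constructed image; pass a real image directory
# to scan_image instead when checking an actual build.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_image "$tmp"
    scan_image "$tmp"
    rm -rf "$tmp"
fi
```

Against the image in the comment this reports bzip2_1.0.2 and bzip2_1.0.3 as VULNERABLE and leaves a 1.0.5 copy alone. It only inspects names, which is what the bundling convention exposes; it does not inspect the binaries, so a copy renamed to hide its version would pass.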
Sorry, I did not realize this was not a bug assigned to security@. Reopening.
Thanks Robert for the explanation. Given this package's importance for dial-up users, I don't think it is wise to mask for removal. I will exchange an email or two with deltup upstream author. So, the answer to comment #0 is no. Not at this time.