Bug 683724 - <=app-admin/systemrescuecd-x86-6.0.3 multiple vulnerabilities
Summary: <=app-admin/systemrescuecd-x86-6.0.3 multiple vulnerabilities
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Deadline: 2019-10-18
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2019-04-18 06:33 UTC by Ulrich Müller
Modified: 2019-09-18 20:39 UTC
CC: 5 users

See Also:
Package list:
Runtime testing required: ---


Description Ulrich Müller gentoo-dev 2019-04-18 06:33:10 UTC
systemrescuecd-x86-6.0.0 comes with the following packages from Arch Linux:

   curl 7.63.0
   openssh 7.9p1-1

AFAICS, they are vulnerable to the issues of GLSA 201903-03 and GLSA 201903-16, respectively.

systemrescuecd-x86-5.3.2 (which is Gentoo based) ships these:

   dev-libs/openssl-1.0.2p (GLSA 201903-10)
   net-misc/openssh-7.7_p1-r9 (GLSA 201903-16)
   net-misc/curl-7.61.1 (GLSA 201903-03)
   net-misc/wget-1.19.5 (GLSA 201903-08)

There are more packages, but the above are amongst those that are likely to be used in a rescue environment.
Comment 1 Ulrich Müller gentoo-dev 2019-04-18 10:57:44 UTC
Newest upstream version 6.0.3 still has several vulnerabilities (using the list at https://security.archlinux.org/issues/all):

High:
   polkit 0.115+24+g5230646-1 https://security.archlinux.org/AVG-897
   gettext 0.19.8.1-3 https://security.archlinux.org/AVG-885
   glibc 2.28-5 https://security.archlinux.org/AVG-855

Medium:
   openssh 7.9p1-1 https://security.archlinux.org/AVG-849
   libarchive 3.3.3-1 https://security.archlinux.org/AVG-837
   libtiff 4.0.10-1 https://security.archlinux.org/AVG-886
   glibc 2.28-5 https://security.archlinux.org/AVG-831

Low:
   openssl 1.1.1.b-1 https://security.archlinux.org/AVG-919
   unzip 6.0-13 https://security.archlinux.org/AVG-611
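The check that comment 1 does by hand (take the package list of the live medium, look each package up in the distribution's advisory tracker, and flag the ones that are still older than the fixed version) is the kind of thing a defender wants to repeat for every release of a prebuilt rescue image. The following script is an added example and is not part of the bug report or of the systemrescuecd project. It assumes an inventory in the "name version" form that `pacman -Q` prints on a booted Arch-based live system, and it implements an Arch-style version comparison (pkgver-pkgrel, numeric runs compared as integers, a trailing alphabetic suffix ranking older). The advisory IDs are the ones listed in comment 1; the "fixed" versions in the table are constructed placeholders, not values taken from the advisories, and the inventory is constructed from the versions in comment 1 plus two extra lines to show a non-affected package and an unlisted one.

```python
"""Audit a live-medium package inventory against a table of advisories.

Added example, not code from the bug report.  Inventory lines are of the
form "name version" (what `pacman -Q` prints).  Fixed versions in
ADVISORIES are CONSTRUCTED placeholders; take real values from the
advisory pages before relying on the result.
"""
import re

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def _tokens(s):
    """Split "7.9p1" into [7, 9, 'p', 1]: numeric runs become ints."""
    return [int(t) if t.isdigit() else t for t in _TOKEN.findall(s)]


def _cmp_tokens(ta, tb):
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):          # a numeric run is newer than alpha
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1       # both alphabetic: compare lexically
    if len(ta) != len(tb):
        longer, sign = (ta, 1) if len(ta) > len(tb) else (tb, -1)
        nxt = longer[min(len(ta), len(tb))]
        # leftover numeric component (1.0.1 vs 1.0) => newer;
        # leftover alphabetic suffix (1.0rc1 vs 1.0) => older
        return sign if isinstance(nxt, int) else -sign
    return 0


def vercmp(a, b):
    """Compare Arch-style "pkgver-pkgrel" strings; returns -1, 0 or 1."""
    a_ver, _, a_rel = a.partition("-")
    b_ver, _, b_rel = b.partition("-")
    c = _cmp_tokens(_tokens(a_ver), _tokens(b_ver))
    if c or not (a_rel and b_rel):
        return c
    return _cmp_tokens(_tokens(a_rel), _tokens(b_rel))


# (package, advisory id from comment 1, severity, HYPOTHETICAL fixed version)
ADVISORIES = [
    ("polkit", "AVG-897", "High", "0.116-1"),
    ("gettext", "AVG-885", "High", "0.19.8.1-4"),
    ("glibc", "AVG-855", "High", "2.29-1"),
    ("openssh", "AVG-849", "Medium", "8.0p1-1"),
    ("libarchive", "AVG-837", "Medium", "3.3.3-2"),
    ("libtiff", "AVG-886", "Medium", "4.0.10-2"),
    ("glibc", "AVG-831", "Medium", "2.29-1"),
    ("openssl", "AVG-919", "Low", "1.1.1.c-1"),
    ("unzip", "AVG-611", "Low", "6.0-14"),
]

# Constructed inventory: the versions from comment 1, plus an unzip that
# already meets the placeholder fixed version and a package not in the table.
INVENTORY = """\
polkit 0.115+24+g5230646-1
gettext 0.19.8.1-3
glibc 2.28-5
openssh 7.9p1-1
libarchive 3.3.3-1
libtiff 4.0.10-1
openssl 1.1.1.b-1
unzip 6.0-14
bash 5.0.003-1
"""


def parse_inventory(text):
    inv = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ver = line.split()
        inv[name] = ver
    return inv


def audit(inventory_text, advisories=ADVISORIES):
    """Return (severity, name, installed, fixed, advisory) for each package
    that is present in the inventory and older than the fixed version,
    sorted High > Medium > Low, then by name."""
    inv = parse_inventory(inventory_text)
    findings = []
    for name, avg, sev, fixed in advisories:
        installed = inv.get(name)
        if installed is not None and vercmp(installed, fixed) < 0:
            findings.append((sev, name, installed, fixed, avg))
    order = {"High": 0, "Medium": 1, "Low": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for sev, name, installed, fixed, avg in audit(INVENTORY):
        print(f"{sev:6} {name:12} {installed:24} < {fixed:12} {avg}")
```

Run against a real inventory, the script only tells you which advisories still apply to the image; as comment 6 notes, the practical mitigation for a booted live system is to update it with the distribution's package manager, and this check is how you confirm afterwards that the listed packages have moved past the fixed versions.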
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-04-18 11:27:19 UTC
Oh, they changed release hosting, so I didn't get new versions via RSS.

I'm not sure if I should bump them or just mask it as unmaintainable.  After all, we won't be patching the prebuilt .iso.  (of course, technically we could try building it from scratch ;-))
Comment 3 Larry the Git Cow gentoo-dev 2019-04-18 11:44:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de3810cffe3b165949592b4d3d2979af1c3c1635

commit de3810cffe3b165949592b4d3d2979af1c3c1635
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-04-18 11:43:13 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-04-18 11:44:44 +0000

    package.mask: Mask app-admin/systemrescuecd-x86 for vulnerabilities
    
    Bug: https://bugs.gentoo.org/683724
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 4 Thomas J. Moore 2019-05-19 20:58:46 UTC
Can you describe any scenarios where these vulnerabilities affect the use of this mini-distro as a system rescue CD?  I looked at the linked ones and feel that deleting this package for "security issues" is stupid.  Whatever.  Go ahead and apply your headless chicken security practices.  I'll just keep/maintain the ebuild myself.  It's not like I don't have plenty of games with similar overblown security warnings that I have to now maintain myself (for myself; the requirements for becoming a gentoo maintainer require far too much investment into "the community" of a distro that I hate, for exactly this kind of activity).
Comment 5 Ulrich Müller gentoo-dev 2019-07-05 16:06:54 UTC
(In reply to Thomas J. Moore from comment #4)

This is treated like any other vulnerable package, according to policy:
https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

As it is a binary package, there is not much that we can do, other than waiting for a fixed release from upstream. Unmask the package if you believe that the risk is negligible for your use case. However, we cannot answer that question for all users.
Comment 6 Thomas Deutschmann gentoo-dev Security 2019-07-06 10:04:36 UTC
I personally do not see the point in maintaining systemrescuecd as a package in general.

From security POV: Gentoo security will not track vulnerabilities within systemrescuecd on our own. In case there is an upstream advisory for the product in general, we will do our work but we will not audit and keep track of included libs/packages as we don't even have enough manpower to keep up with real packages in Gentoo.

I am also not aware of any other distribution doing something like that for their own installation media. From time to time, they will just replace the previous version with a new version. It's also normal these days that you can use such a medium for installation OR to boot a live system. Once booted, you can update the running live system using known package managers (which is even possible for systemrescuecd).

=> Closing security bug as "WONTFIX".


@ maintainer(s): Feel free to lift the mask if you see a value in keeping systemrescuecd as a package or last rite.
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-18 20:34:44 UTC
I'm going to reopen this for last rites.  We'll close it when the package is gone, ok?
Comment 8 Larry the Git Cow gentoo-dev 2019-09-18 20:39:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4876a4ebbab69f5319f5258da99b3c4f6d586871

commit 4876a4ebbab69f5319f5258da99b3c4f6d586871
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-18 20:35:49 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-18 20:38:48 +0000

    package.mask: Last rite app-admin/systemrescuecd-x86 & revdep
    
    Bug: https://bugs.gentoo.org/683724
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)