Suggestion for Linux Distro (from PSA: Linux vulnerability)

Marco Sulla Marco.Sulla.Python at gmail.com
Thu Apr 14 13:31:58 EDT 2022


On Wed, 13 Apr 2022 at 20:05, Peter J. Holzer <hjp-python at hjp.at> wrote:
>
> On 2022-04-12 21:03:00 +0200, Marco Sulla wrote:
> > On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python at hjp.at> wrote:
> > > They are about a year apart, so they will usually contain different
> > > versions of most packages right from the start. So the Ubuntu and Debian
> > > security teams probably can't benefit much from each other.
> >
> > Well, this is what my updater on Lubuntu says to me today:
> >
> > Changes for tcpdump versions:
> > Installed version: 4.9.3-0ubuntu0.18.04.1
> > Available version: 4.9.3-0ubuntu0.18.04.2
> >
> > Version 4.9.3-0ubuntu0.18.04.2:
> >
> >   * SECURITY UPDATE: buffer overflow in read_infile
> >     - debian/patches/CVE-2018-16301.patch: Add check of
> >       file size before allocating and reading content in
> >       tcpdump.c and netdissect-stdinc.h.
> >     - CVE-2018-16301
> >   * SECURITY UPDATE: resource exhaustion with big packets
> >     - debian/patches/CVE-2020-8037.patch: Add a limit to the
> >       amount of space that can be allocated when reading the
> >       packet.
> >     - CVE-2020-8037
> >
> > I use an LTS version. So it seems that Ubuntu benefits from Debian
> > security patches.
>
> Why do you think so? Because the release notes mention debian/patches/*.patch?

Of course.

> This may be an artefact of the build process. The build tools for .deb
> packages expect all kinds of meta-data to live in a subdirectory called
> "debian", even on non-debian systems. This includes patches, at least if
> the maintainer is using quilt (which AFAIK is currently the recommended
> tool for that purpose).

And why does the security update package contain metadata about Debian
patches, if the Ubuntu security team did not benefit from Debian
security patches but only from internal work?

> OTOH tcpdump would be one of the those packages where Ubuntu could use a
> Debian patch directly [...]

It doesn't seem so. This is a fresh new security update:

Changes for git versions:
Installed version: 1:2.17.1-1ubuntu0.9
Available version: 1:2.17.1-1ubuntu0.10

Version 1:2.17.1-1ubuntu0.10:

  * SECURITY UPDATE: Run commands in diff users
    - debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add
      an owner check for the top-level-directory; add a function to
      determine whether a path is owned by the current user in patch.c,
      t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h,
      git-compat-util.hi, config.c, config.h.
    - CVE-2022-24765

I checked packages.debian.org and git 2.17 was never on Debian:

Package git

stretch (oldoldstable) (vcs): fast, scalable, distributed revision
control system
1:2.11.0-3+deb9u7: amd64 arm64 armel armhf i386 mips mips64el mipsel
ppc64el s390x
stretch-backports (vcs): fast, scalable, distributed revision control system
1:2.20.1-1~bpo9+1: amd64 arm64 armel armhf i386 mips mips64el mipsel
ppc64el s390x
buster (oldstable) (vcs): fast, scalable, distributed revision control system
1:2.20.1-2+deb10u3: amd64 arm64 armel armhf i386 mips mips64el mipsel
ppc64el s390x

etc.
https://packages.debian.org/search?keywords=git
