List: opensuse-factory
Subject: Re: [opensuse-factory] is Factory first still true for SLES code / Patches / fixes?
From: Neal Gompa <ngompa13 () gmail ! com>
Date: 2019-11-30 21:34:56
Message-ID: CAEg-Je-RdaEOr02uEHWHZ8d_kV45gwTLqRboRpMu+u3KA7XZGA () mail ! gmail ! com
On Sat, Nov 30, 2019 at 4:32 PM Stefan Seyfried
<stefan.seyfried@googlemail.com> wrote:
>
> Hi all,
>
> see $SUBJECT.
> Is there still a "Factory first" policy for SLES?
>
> The reason I'm asking is that I was surprised to find there is a bluez
> update for Leap 15.0 and 15.1 which comes from SLES15.
> I just found this by accident.
>
> This section of the changelog would also have been relevant for Factory:
>
> ----------------------------------------------------------------------
> Thu Jan 24 10:18:23 UTC 2019
>
> - Add:btmon: multiple memory management vulnerabilities fixed
> Multiple different memory management vulnerabilities were discovered
> in btmon while fuzzing it with American Fuzzy Lop. Purpose of this
> fuzzing effort was to find some bugs in btmon, analyse and fix them
> but also try to exploit them. Also goal was to prove that fuzzing is
> low effort way to find bugs that could end up being severe ones.
> The most common weakness appeared to be buffer over-read, which was
> usually caused by missing boundary checks before accessing an array.
> Integer underflows were also quite common. The most interesting bug was
> a simple buffer overflow that was actually discovered already a couple
> of years ago by op7ic:
> https://www.spinics.net/lists/linux-bluetooth/msg68898.html
> but it was still not fixed. This particular vulnerability ended up
> being quite easily exploitable if certain mitigation techniques were
> disabled. (bsc#1015173)(CVE-2016-9918)(bsc#1013893)(CVE-2016-9802)
> 0001-btmon-fix-segfault-caused-by-buffer-over-read.patch
> 0002-btmon-fix-segfault-caused-by-buffer-over-read.patch
> 0003-btmon-fix-segfault-caused-by-buffer-over-read.patch
> 0004-btmon-Fix-crash-caused-by-integer-underflow.patch
> 0005-btmon-fix-stack-buffer-overflow.patch
> 0006-btmon-fix-multiple-segfaults.patch
> 0007-btmon-fix-segfault-caused-by-integer-underflow.patch
> 0008-btmon-fix-segfault-caused-by-integer-undeflow.patch
> 0009-btmon-fix-segfault-caused-by-buffer-over-read.patch
> 0010-btmon-fix-segfault-caused-by-buffer-overflow.patch
> 0011-btmon-fix-segfault-caused-by-integer-underflow.patch
> 0012-btmon-fix-segfault-caused-by-buffer-over-read.patch
> ----------------------------------------------------------------------
>
> In January 2019, factory had still bluez version 5.50, these fixes went
> upstream only in version 5.51 which was released in September 2019 (and
> which did not yet make it to factory, but that's a different issue).
>
> As the bluez package maintainer, I would somehow expect to be on the CC
> list of bluez related security bugs reported on bugzilla and not having
> to discover them by accident.
It is *definitely* still the policy. Unfortunately, I don't know if
SUSE is doing anything right now to enforce it. Somebody definitely
did something wrong here, as that should have been pushed into Factory
first.
--
真実はいつも一つ!/ Always, there's only one truth!
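The quoted changelog describes two recurring defects in btmon's trace parsing: buffer over-reads from missing boundary checks before array accesses, and length arithmetic that underflows. As an added example (not code from bluez, from the patches named above, or from anyone in this thread), here is a small length-prefixed record parser in C that applies the two checks those fixes restore. The record layout (one length byte, one opcode byte, then `length - 1` parameter bytes) is constructed for illustration and is not btmon's real wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LENGTH = -2 };

/* Parse one record from buf[0..size). On success, store the parameter
 * count and the XOR of all parameter bytes, and return the number of
 * bytes consumed; otherwise return a negative PARSE_* code. */
int parse_record(const uint8_t *buf, size_t size,
                 size_t *nparams_out, uint8_t *xor_out)
{
    if (size < 1)
        return PARSE_TRUNCATED;          /* not even a length byte */
    uint8_t len = buf[0];
    /* Underflow guard: computing len - 1 with len == 0 would wrap to
     * SIZE_MAX once widened, turning the loop bound below into an
     * unbounded over-read. */
    if (len < 1)
        return PARSE_BAD_LENGTH;
    /* Boundary check before touching anything past the length byte:
     * the declared length must fit inside the bytes we were given. */
    if ((size_t)len > size - 1)
        return PARSE_TRUNCATED;
    size_t nparams = (size_t)len - 1;    /* opcode is not a parameter */
    uint8_t x = 0;
    for (size_t i = 0; i < nparams; i++)
        x ^= buf[2 + i];                 /* every index is < size here */
    *nparams_out = nparams;
    *xor_out = x;
    return 1 + len;
}

/* Walk a buffer of back-to-back records; return how many parsed, or
 * the first error. A bad record stops the walk instead of misaligning
 * every record after it. */
int count_records(const uint8_t *buf, size_t size)
{
    int count = 0;
    size_t off = 0;
    while (off < size) {
        size_t n; uint8_t x;
        int used = parse_record(buf + off, size - off, &n, &x);
        if (used < 0)
            return used;
        off += (size_t)used;
        count++;
    }
    return count;
}
```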