List:       opensuse-factory
Subject:    Re: [opensuse-factory] is Factory first still true for SLES code / Patches / fixes?
From:       Neal Gompa <ngompa13 () gmail ! com>
Date:       2019-11-30 21:34:56
Message-ID: CAEg-Je-RdaEOr02uEHWHZ8d_kV45gwTLqRboRpMu+u3KA7XZGA () mail ! gmail ! com
On Sat, Nov 30, 2019 at 4:32 PM Stefan Seyfried
<stefan.seyfried@googlemail.com> wrote:
>
> Hi all,
>
> see $SUBJECT.
> Is there still a "Factory first" policy for SLES?
>
> The reason I'm asking is that I was surprised to find there is a bluez
> update for Leap 15.0 and 15.1 which comes from SLES15.
> I just found this by accident.
>
> This section of the changelog would also have been relevant for Factory:
>
> ----------------------------------------------------------------------
> Thu Jan 24 10:18:23 UTC 2019
>
> - Add:btmon: multiple memory management vulnerabilities fixed
>   Multiple different memory management vulnerabilities were discovered
>   in btmon while fuzzing it with American Fuzzy Lop. The purpose of this
>   fuzzing effort was to find some bugs in btmon, analyse and fix them,
>   but also to try to exploit them. Another goal was to prove that fuzzing
>   is a low-effort way to find bugs that could end up being severe ones.
>   The most common weakness appeared to be buffer over-read, which was
>   usually caused by missing boundary checks before accessing an array.
>   Integer underflows were also quite common. The most interesting bug was
>   a simple buffer overflow that was actually discovered a couple of
>   years ago by op7ic:
>   https://www.spinics.net/lists/linux-bluetooth/msg68898.html
>   but it was still not fixed. This particular vulnerability ended up
>   being quite easily exploitable if certain mitigation techniques were
>   disabled. (bsc#1015173)(CVE-2016-9918)(bsc#1013893)(CVE-2016-9802)
>   0001-btmon-fix-segfault-caused-by-buffer-over-read.patch
>   0002-btmon-fix-segfault-caused-by-buffer-over-read.patch
>   0003-btmon-fix-segfault-caused-by-buffer-over-read.patch
>   0004-btmon-Fix-crash-caused-by-integer-underflow.patch
>   0005-btmon-fix-stack-buffer-overflow.patch
>   0006-btmon-fix-multiple-segfaults.patch
>   0007-btmon-fix-segfault-caused-by-integer-underflow.patch
>   0008-btmon-fix-segfault-caused-by-integer-undeflow.patch
>   0009-btmon-fix-segfault-caused-by-buffer-over-read.patch
>   0010-btmon-fix-segfault-caused-by-buffer-overflow.patch
>   0011-btmon-fix-segfault-caused-by-integer-underflow.patch
>   0012-btmon-fix-segfault-caused-by-buffer-over-read.patch
> ----------------------------------------------------------------------
>
> In January 2019, factory had still bluez version 5.50, these fixes went
> upstream only in version 5.51 which was released in September 2019 (and
> which did not yet make it to factory, but that's a different issue).
>
> As the bluez package maintainer, I would somehow expect to be on the CC
> list of bluez related security bugs reported on bugzilla and not having
> to discover them by accident.

It is *definitely* still the policy. Unfortunately, I don't know if
SUSE is doing anything right now to enforce it. Somebody definitely
did something wrong here, as that should have been pushed into Factory
first.

-- 
真実はいつも一つ!/ Always, there's only one truth!
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
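The changelog quoted in this thread names two bug classes the fuzzing turned up in btmon's decoders: reads past the end of a buffer because a length field was trusted without a boundary check, and unsigned underflow when a fixed header size is subtracted from a length smaller than it. The C below is an added illustration, not bluez or btmon code: it uses a constructed, hypothetical frame layout, exposes the unchecked subtraction without dereferencing anything so the wraparound can be observed safely, and shows the guarded decoder beside it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed mini-format (hypothetical, loosely modelled on an HCI-style frame):
 *   byte 0   : opcode
 *   byte 1   : declared length of everything that follows
 *   byte 2   : sub-length of the parameter payload
 *   bytes 3+ : parameter payload
 */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LENGTH = -2 };

/* The "before" arithmetic: remaining bytes after the sub-length byte are
 * computed as declared_len - 1 with no guard. For declared_len == 0 the
 * unsigned subtraction wraps to SIZE_MAX; a decoder that then loops over
 * that many bytes reads far past the buffer. Returned, never dereferenced. */
size_t naive_remaining_len(uint8_t declared_len)
{
    return (size_t)declared_len - 1;
}

/* Hardened decoder: every read is checked against the bytes actually
 * received (not the declared length), and the subtraction is guarded. */
int parse_frame(const uint8_t *buf, size_t len,
                uint8_t *opcode_out, size_t *payload_len_out)
{
    if (len < 2)                        /* header itself is missing */
        return PARSE_TRUNCATED;
    uint8_t declared = buf[1];
    if ((size_t)declared + 2 > len)     /* declared length exceeds buffer: over-read */
        return PARSE_TRUNCATED;
    if (declared < 1)                   /* declared - 1 would underflow */
        return PARSE_BAD_LENGTH;
    uint8_t sub = buf[2];
    if (sub > (size_t)declared - 1)     /* payload exceeds the remaining bytes */
        return PARSE_BAD_LENGTH;
    *opcode_out = buf[0];
    *payload_len_out = sub;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample: opcode 4, 3 bytes follow, 2-byte payload AA BB. */
    const uint8_t frame[] = { 0x04, 0x03, 0x02, 0xAA, 0xBB };
    uint8_t op; size_t pl;
    int rc = parse_frame(frame, sizeof frame, &op, &pl);
    printf("rc=%d opcode=%u payload_len=%zu\n", rc, op, pl);
    printf("naive_remaining_len(0)=%zu (wrapped)\n", naive_remaining_len(0));
    return 0;
}
```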
