On Sat, Nov 30, 2019 at 4:32 PM Stefan Seyfried <stefan.seyfried@googlemail.com> wrote:
Hi all,
see $SUBJECT. Is there still a "Factory first" policy for SLES?
The reason I'm asking is that I was surprised to find there is a bluez update for Leap 15.0 and 15.1 which comes from SLES15. I just found this by accident.
This section of the changelog would also have been relevant for Factory:
----------------------------------------------------------------------
Thu Jan 24 10:18:23 UTC 2019

- Add:btmon: multiple memory management vulnerabilities fixed
  Multiple different memory management vulnerabilities were discovered in btmon while fuzzing it with American Fuzzy Lop. Purpose of this fuzzing effort was to find some bugs in btmon, analyse and fix them but also try to exploit them. Also goal was to prove that fuzzing is low effort way to find bugs that could end up being severe ones.
  Most common weakness appeared to be buffer over-read which was usually caused by missing boundary checks before accessing array. Integer underflows were also quite common. Most interesting bug was simple buffer overflow that was actually discovered already couple years ago by op7ic: https://www.spinics.net/lists/linux-bluetooth/msg68898.html but it was still not fixed. This particular vulnerability ended up being quite easily exploitable if certain mitigation techniques were disabled.
  (bsc#1015173)(CVE-2016-9918)(bsc#1013893)(CVE-2016-9802)
  0001-btmon-fix-segfault-caused-by-buffer-over-read.patch
  0002-btmon-fix-segfault-caused-by-buffer-over-read.patch
  0003-btmon-fix-segfault-caused-by-buffer-over-read.patch
  0004-btmon-Fix-crash-caused-by-integer-underflow.patch
  0005-btmon-fix-stack-buffer-overflow.patch
  0006-btmon-fix-multiple-segfaults.patch
  0007-btmon-fix-segfault-caused-by-integer-underflow.patch
  0008-btmon-fix-segfault-caused-by-integer-undeflow.patch
  0009-btmon-fix-segfault-caused-by-buffer-over-read.patch
  0010-btmon-fix-segfault-caused-by-buffer-overflow.patch
  0011-btmon-fix-segfault-caused-by-integer-underflow.patch
  0012-btmon-fix-segfault-caused-by-buffer-over-read.patch
----------------------------------------------------------------------
In January 2019, Factory still had bluez version 5.50; these fixes went upstream only in version 5.51, which was released in September 2019 (and which has not yet made it to Factory, but that's a different issue).
As the bluez package maintainer, I would somehow expect to be on the CC list of bluez-related security bugs reported on bugzilla and not have to discover them by accident.
It is *definitely* still the policy. Unfortunately, I don't know if SUSE is doing anything right now to enforce it. Somebody definitely did something wrong here, as that should have been pushed into Factory first.

-- 
真実はいつも一つ!/ Always, there's only one truth!
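The two bug classes the quoted changelog attributes to btmon (buffer over-reads from missing boundary checks before array access, and integer underflows on a length field) both come from trusting a length read off the wire. Below is an added example, not code from bluez or from anyone in this thread, of a length-prefixed record walker that checks every wire length before indexing or subtracting; the record layout (2-byte length including the header, 1-byte opcode, payload) and the sample captures are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical record layout, assumed for this example (not bluez's real
 * HCI/btsnoop format): 2-byte little-endian total length that includes the
 * header itself, 1-byte opcode, then the payload. */
#define HDR_LEN 3
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED_HDR, PARSE_BAD_LEN, PARSE_OVERRUN };
/* Decode one record from buf[0..avail). Every length taken from the wire is
 * checked before it is used as an index or as the left side of a subtraction. */
static enum parse_status decode_record(const uint8_t *buf, size_t avail,
                                       uint8_t *opcode, size_t *payload_len,
                                       size_t *consumed)
{
    if (avail < HDR_LEN)            /* reading the header would over-read */
        return PARSE_TRUNCATED_HDR;
    size_t total = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (total < HDR_LEN)            /* total - HDR_LEN would underflow */
        return PARSE_BAD_LEN;
    if (total > avail)              /* declared length exceeds the buffer */
        return PARSE_OVERRUN;
    *opcode = buf[2];
    *payload_len = total - HDR_LEN; /* safe: total >= HDR_LEN */
    *consumed = total;              /* >= HDR_LEN > 0, so the caller advances */
    return PARSE_OK;
}
/* Walk a capture buffer: count well-formed records and, if why != NULL, report
 * why the walk stopped (PARSE_OK means the whole buffer was consumed). */
static int count_records(const uint8_t *buf, size_t len, enum parse_status *why)
{
    int n = 0; size_t off = 0;
    enum parse_status st = PARSE_OK;
    while (off < len) {
        uint8_t op; size_t plen, used;
        st = decode_record(buf + off, len - off, &op, &plen, &used);
        if (st != PARSE_OK) break;
        off += used; n++;
    }
    if (why) *why = st;
    return n;
}
/* Status-only wrapper, convenient for checking a malformed capture. */
static enum parse_status capture_status(const uint8_t *buf, size_t len)
{ enum parse_status why; count_records(buf, len, &why); return why; }
/* Constructed sample captures (not real btmon data). */
static const uint8_t good[]      = { 5,0, 0x01, 0xaa,0xbb,  3,0, 0x02 }; /* two records */
static const uint8_t underflow[] = { 2,0, 0x01 };       /* total < HDR_LEN */
static const uint8_t overrun[]   = { 9,0, 0x01, 0xaa }; /* claims 9 bytes, has 4 */
```

Without the `total < HDR_LEN` check the `underflow` capture would yield a payload length of SIZE_MAX - 0, and without the `total > avail` check the `overrun` capture would read 5 bytes past the end of the buffer; this is the shape of the bugs the patch names in the changelog describe.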