So what can I do for Debian?

Wednesday, 16 July 2014

So I recently announced my intention to rejoin the Debian project, having been a member between 2002 & 2011 (inclusive).

In the past I resigned mostly due to lack of time, and what has changed is that these days I have more free time - primarily because my wife works in accident & emergency and has "funny shifts". This means we spend many days and evenings together, then she might work 8pm-8am for three nights in a row, which then becomes Steve-time, and can involve lots of time browsing reddit, coding obsessively, and watching bad TV (currently watching "Lost Girl". Shades of Buffy/Blood Ties/similar. Not bad, but not great.)

My NM-progress can be tracked here, and once accepted I have a plan for my activities:

  • I will minimally audit every single package running upon any of my personal systems.
  • I will audit as many of the ITP-packages I can manage.
  • I may, or may not, actually package software.

I believe this will be useful, even though there will be limits - I've no patience for PHP and will just ignore it, along with its ecosystem, for example.

As progress today, I reported #754899 / CVE-2014-4978 against Rawstudio, and discussed some issues with ITP: tiptop (the program seems semi-expected to be installed setuid(0), but if it is then it will allow arbitrary files to be truncated/overwritten via "tiptop -W /path/to/file").

(ObRandom: still waiting for a CVE identifier for #749846/TS-2867...)

And now sleep.


Comments On This Entry

[gravitar] Paul Wise

Submitted at 05:41:02 on 17 July 2014

Some ideas:

Install the how-can-i-help and debsecan packages. Run them daily and fix any issues that come up.

Work on hardening Debian:

https://wiki.debian.org/Hardening/Goals

Get ubuntu-security-tools into shape for inclusion in Debian.

https://launchpad.net/ubuntu-security-tools

Follow the debian-mentors list and do audits on new software.

[gravitar] Ben Hutchings

Submitted at 13:19:08 on 17 July 2014

> the program seems semi-expected to be installed setuid(0), but if it is then it will allow arbitrary files to be truncated/overwritten

Ah, maybe that's why they claim it "doesn't require root". Aside from the file issue, reading performance counters for arbitrary processes will be helpful when you want to extract private keys from them. If you're going to keep an eye on this ITP, please make sure that the uploaded package does not enable suid-root.

[author] Steve Kemp

Submitted at 13:56:11 on 17 July 2014

Paul - those seem mostly in line with what I was thinking, although I was primarily asking a rhetorical question.

Ben - Yes there were some private mails, and we're going to remove the references to setuid from the manpage and options output.

(Although some parts of the code correctly do drop privileges prior to writing files so it could be fixed.)
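The privilege drop mentioned above, applied to the "-W /path" case from the post, as an added example that is neither tiptop's code nor the Debian fix: a setuid-root program gives up root before it opens any user-supplied output path, so the kernel checks that path against the invoking user rather than against root. It assumes Linux (setresuid/setresgid); the default output path is a constructed placeholder.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop to the invoking user's real uid/gid. Groups go first:
 * once the uid is no longer 0 the gid can no longer be changed.
 * Returns 0 on success, -1 with errno set on failure. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* Confirm the drop is irreversible: regaining uid 0 must now fail. */
    if (ruid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Open a user-chosen output file only after privileges are gone, so a
 * setuid-root binary cannot be used to truncate files its caller may not
 * write. O_NOFOLLOW additionally refuses a symlink at the final component.
 * Returns the descriptor, or -1 on failure. */
int open_output_unprivileged(const char *path)
{
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
}

int main(int argc, char **argv)
{
    /* Constructed placeholder path; pass a real one as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/tmp/example-output.txt";
    int fd = open_output_unprivileged(path);
    if (fd < 0) { perror(path); return 1; }
    printf("opened %s as uid %u\n", path, (unsigned)geteuid());
    close(fd);
    return 0;
}
```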

[gravitar] _Mark_

Submitted at 01:12:17 on 20 July 2014

Welcome back! As an old DD who's gotten more active lately after being a bit of a slacker, I recommend taking a look at "dgit" as a low-friction way to make actual package changes.
