[Pkg-mediawiki-devel] Bug#685324: Re: Bug#685324: Local File Inclusion Vulnerability in contrib script

Benny Baumann BenBE1987 at gmx.net
Tue Aug 21 19:20:55 UTC 2012


Dear Steven,

Am 20.08.2012 05:12, schrieb Steven Chamberlain:
> tags 685324 + moreinfo unreproducible
> tags 685323 + moreinfo unreproducible
> merge 685324 685323
> severity 685326 wishlist
> merge 685326 584251
> thanks
>
> Hi,
>
> Were these reports of security issues supposed to be genuine?
Yes, they were, as they are really two distinct security issues.
> Or was this simply your "idea on how to get them to update GeSHi". [1]
Well, no. But it'd be a bit long for this mail to shed light on all the
background. And since I don't want to bore you to death while you
actually could be doing something useful (like e.g. updating the
package) I refrain from doing so.
> You refer to vulnerabilities in unspecified "contrib" scripts, but it
> seems to me that Debian does not even ship them in the php-geshi package.
Debian ships them. And the Security Team already has been notified about
the details. That's also the reason why these two bugs have been made
public as part of a longer discussion yesterday.
> "Debian who STILL believes the most recent version is 1.0.8.4", actually
> identifies the latest version as 1.0.8.10 on the PTS [2], with a link to
> the source tarball, and that will surely update within a few hours to
> indicate the new 1.0.8.11 release.
Just checked [2]: Still says 1.0.8.10. But that wasn't the point of the
blog post: The point was about the packaging which was (and by the way
still is) way behind; but more on this in a moment.
> Yes, you already filed a wishlist bug asking for someone to package the
> new version, so there was no reason to file a new 'serious'-severity
> duplicate just now demanding the same.
There was a request on the #debian-qa channel when I talked to some
people directly asking for it. If you'd like the log just ask.
> It seems to me you are in fact wasting the time of whoever would
> potentially package your software, of developers busy fixing serious
> issues to make the next Debian release happen, and of the security team,
> who would be kindly looking after users for the package's 2-3 year term
> in stable/oldstable.
Oh, thanks for that compliment, but I've to decline. Given exactly the
2-3 years this package will be in stable/oldstable is the reason why
there should be an update to something reasonably recent before the
package is put into a distribution. Putting in a package which is
~40kLOCs in diffs behind the current version (to compare the core
component only is about 5kLOC) will be a monster to support. Last time
there was a report to fix something in a stable release, it took about 4
months of MY time to look up a patch that the Package maintainers
requested; it would have taken about 2 days using upstream AND testing
it thoroughly.
> Some users really prefer long-term, unchanging versions, because they
> deploy lots of software that they don't want to have to review for
> what's changed, update it, re-test and check compatibility on a regular
> basis.  Debian's stable distribution fulfills that need.
Yeah, no news to me. And BTW: I'm also using Debian on some of my systems.

And if you really want to try: GeSHi 1.0.7.15 (which should be around
etch IIRC) can be replaced by a current 1.0.8.11 and everything just
keeps working. That's aboutith Cygwin half my system breaks every time I
install an update.
> The freeze deadline has already passed, for someone to have
> _volunteered_ to update the GeSHi package in time for the Wheezy release
> process.  The only exception now might be for a genuine security fix or
> serious flaw (which would probably be only a minimal patch for the
> specific issue),
Feel lucky I had the revisions for the bugfix still at hand...

And regarding the packaging: It has been known for at least the time
there was this wishlist ticket that GeSHi was needing an update in
unstable/testing. It's absolutely not my fault that there's only someone
waking up once a security problem is notified. Also: I repeatedly tried
to get someone who was willing to do the packaging for php-geshi to
resolve those long-standing issues. If again the packaging team can't
manage to grant necessary privileges for about 5 months, that's another
problem on your side.
> It is possible for more frequent updates to be packaged in testing or
> backports, for example to support new programming languages, but it
> would require continued effort on the part of a volunteer maintainer.
> That person would have had to process your bug reports too.
Correct. And I already did some work on this part prior and in parallel
to these reports. So don't be as gentle as an elephant shopping for
porcelain.
>
> [1] http://blog.benny-baumann.de/?p=1297
>
> [2] http://packages.qa.debian.org/g/geshi.html
>
> Regards,
Regards,
upstream.
