[Pkg-security-team] Maintenance of aircrack-ng

Samuel Henrique samueloph at gmail.com
Thu Oct 20 17:09:37 UTC 2016


> > That's nice, I will wait for Gianfranco's reply and then commit a
> > gitignore containing only the ".pc" folder.
> >
> > As you're a DM with upload rights to aircrack-ng, I think you can upload
> > it yourself (this aircrack-ng new release) after reviewing my changes. And
> > if you don't have the time, then I would ask for Gianfranco's review and
> > upload.
>
> feel free to do whatever you prefer :)

Cool, I'm gonna see what to do.


> > From my POV, there's two things left to discuss:
> >
> > 1) The python problem:
> > I'm not really sure if that script (and others) should be there, and even
> > if that's ok, do we need to add a python depends just for them? Can we ship
> > the script and leave the python dependency out, as they're not needed for
> > aircrack-ng usage?
>
> it might make sense, and Python is somewhat installed almost everywhere
> already (I mean, I don't think there is a user needing only aircrack-ng
> in an almost empty system, and needs that single Python script)

Nice, so if Carlos agrees, and we don't get any objections, this problem
may be considered fixed, as we won't depend on python.

> > Please have a look at https://trac.aircrack-ng.org/ticket/1680 in order
> > to understand the problem.
> >
> > There are two possible workarounds (I listed them on the last comment):
> >
> > * Remove the Harkonen test (which we're doing right now and it's bad
> > because the Harkonen decrypt doesn't work deterministically).
> >
> > * Remove the fortify hardening flag (which is bad because it will disable
> > fortify for all the binaries)
> >
> > The two problems are already ~fixed~ with what I believe are the best
> > workarounds, if you disagree, please feel free to reply and push your
> > changes :)
>
> there is a patch on that track (github issue), did you try it?
> You already know this, but:
> Disabling a test means that in the real world this use-case will make the
> program segfault (I don't know how many people will need such code).
> Disabling hardening seems bad, but not so much as disabling the test.
>
> Asking for advice on -mentors or whatever might help you in finding the
> root cause and fix it
> (also bisecting the issue with git bisect might help)

If the patch you mentioned is this one (
https://github.com/aircrack-ng/aircrack-ng/pull/57), I didn't test it
because the discussion made me think that it's better to wait for upstream
ack in this case.

I think we don't need git bisect as we already know which commit showed us
the bug (
https://github.com/aircrack-ng/aircrack-ng/commit/37af2dfcccedf667e4a8747ee897ac9d9269b1e9),
I say "showed us" because it looks like the problem was already there (my
bet is that it's a problem with memcpy or memset). Using git bisect to get
the exact problem wouldn't be helpful since we have no idea about when the
actual bug was committed (no commit-range to look for).

About cutting off the test vs. disabling fortify, let's see what Carlos
thinks, and if we still have doubts, then I can ask for help on mentors (but I
think we can sort this one out with some C skills :) ).

Thanks for your help, also, I didn't know the git-bisect tool, learned
something today.

Samuel Henrique <samueloph>