Ticket #956 (closed task: fixed)
Need to audit packageset for bundling of libiberty
Reported by: toshio
Owned by: toshio
There's a security vulnerability in libiberty. We know that packages are bundling it and will need to be updated but we don't know what they are or how much change will need to be introduced into those pieces of code to plug this vulnerability.
In the F13 timeframe, FESCo and the FPC worked together to define the concept of copylibs as one basis for granting exceptions to the No Bundled Library rule. As part of that, ajax took a look at one copylib, libiberty, and found 24 packages that bundled it:
The FPC rules for exceptions to the No Bundled Library rule require that packages that bundle a library add a Virtual Provide: https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Copylibs
For libiberty, that is: 'bundled(libiberty)'
Unfortunately, the packages that ajax discovered weren't updated with the virtual provide. As of F17, only two packages, gdb and insight, provide 'bundled(libiberty)'.
This problem may affect other packages that were added -- for instance, no package has a virtual provide of 'bundled(egglib)' or 'bundled(binc)'. I don't know if any packages are currently bundling those libraries so I don't know if this is an actual problem or just a sign that those libraries are obsolete.
For libiberty, the problem has become apparent because of a CVE against it (https://bugzilla.redhat.com/show_bug.cgi?id=849693). A repoquery --whatprovides 'bundled(libiberty)' only reveals 2 packages that have the proper Virtual Provides: gdb and insight.
There are several steps that need to be taken:
- The packages that bundle libiberty need to be identified by auditing the sources of the package set.
  - Implementations: Ask ajax if he has anything (scripts, procedure that he could document, results) from his F13 audit that could give us a headstart.
  - Make a cattle call for people who can audit the package set for libiberty
  - Note: If ajax has his results, we may decide it's not worthwhile to manually search the packageset for other instances of bundling as those would hopefully have been caught on new package review.
  - Have someone who can organize handing out manageable sets of packages to be dealt with by the volunteers who show up
- The packages with bundled copies of libiberty have to have the vulnerability fixed.
  - Once we start to assemble a list of affected packages, file bugs for all affected packages
  - Find a few people on hand who can explain how to fix the issue to the maintainers
  - Set a date for maintainers to have fixed the issue.
  - Find a few people who can fix packages where the maintainer hasn't done it before the deadline.
- The packages with bundled copies need to have the required Virtual Provide added at the same time so that finding these packages in the future is easier.
  - Have a provenpackager who adds the necessary virtual Provides to all packages that are identified
  - Packagers should be reminded to add the virtual Provides for any libraries that they bundle.
- Once the packages are patched, FESCo can send out a message to devel-announce letting people know about the work that's been done and that the work would have been greatly reduced if packagers kept their virtual provides for bundled libraries accurate and up to date.
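The first and third steps above (find the source trees that carry a copy of libiberty, then check that the spec declares the 'bundled(libiberty)' virtual provide) can be scripted against an unpacked package set. The helper below is an added example written for this ticket, not a script from ajax's F13 audit or from Fedora; it assumes that a bundled copy keeps at least one of the well-known libiberty source file names listed in LIBIBERTY_MARKERS (a heuristic, not a complete fingerprint) and that the spec uses the "Provides: bundled(libiberty)" form from the FPC page. The package trees and spec files it creates under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit unpacked package sources for a bundled libiberty and
# check whether the spec file declares the required virtual provide.
# Not part of the ticket or of any Fedora tooling.

# File names that a copy of libiberty normally carries. Assumption: a bundled
# copy keeps at least one of them. This is a heuristic; confirm hits by hand.
LIBIBERTY_MARKERS="libiberty.h cplus-dem.c cp-demangle.c"

# has_bundled_libiberty DIR -> returns 0 if any marker file exists below DIR
has_bundled_libiberty() {
    for marker in $LIBIBERTY_MARKERS; do
        if find "$1" -type f -name "$marker" 2>/dev/null | grep -q .; then
            return 0
        fi
    done
    return 1
}

# spec_declares_provide SPEC LIB -> returns 0 if SPEC contains
# "Provides: bundled(LIB)" (optionally followed by a version)
spec_declares_provide() {
    [ -f "$1" ] || return 1
    grep -Eiq "^[[:space:]]*Provides:[[:space:]]*bundled\($2\)" "$1"
}

# audit_package DIR SPEC -> prints one word:
#   clean            no libiberty sources found under DIR
#   ok               libiberty found and SPEC declares bundled(libiberty)
#   MISSING-PROVIDE  libiberty found but SPEC lacks the virtual provide
# Returns 1 only for MISSING-PROVIDE so the result can drive a loop.
audit_package() {
    if ! has_bundled_libiberty "$1"; then
        echo clean
        return 0
    fi
    if spec_declares_provide "$2" libiberty; then
        echo ok
        return 0
    fi
    echo MISSING-PROVIDE
    return 1
}

# Constructed demo package set (not real packages):
#   foo bundles libiberty and its spec lacks the provide
#   bar bundles libiberty and its spec declares the provide
#   baz does not bundle libiberty
DEMO=$(mktemp -d)
mkdir -p "$DEMO/foo-1.0/libiberty" "$DEMO/bar-2.0/src/libiberty" "$DEMO/baz-3.0"
echo '/* constructed stand-in for a bundled libiberty file */' > "$DEMO/foo-1.0/libiberty/cplus-dem.c"
echo '/* constructed stand-in for a bundled libiberty file */' > "$DEMO/bar-2.0/src/libiberty/cp-demangle.c"
echo 'int main(void) { return 0; }' > "$DEMO/baz-3.0/main.c"
printf 'Name: foo\nVersion: 1.0\n' > "$DEMO/foo.spec"
printf 'Name: bar\nVersion: 2.0\nProvides: bundled(libiberty)\n' > "$DEMO/bar.spec"
printf 'Name: baz\nVersion: 3.0\n' > "$DEMO/baz.spec"

# Walk the set and report; a real run would point DIR at each unpacked SRPM.
for pkg in foo-1.0 bar-2.0 baz-3.0; do
    name=${pkg%-*}
    printf '%-10s %s\n' "$name" "$(audit_package "$DEMO/$pkg" "$DEMO/$name.spec")"
done
```

Packages reported as MISSING-PROVIDE are the ones that need both the CVE fix and the added virtual provide; once the provide is in place, the repoquery --whatprovides 'bundled(libiberty)' from the ticket will list them, which is the point of requiring it. Because the check is name-based, a package that renamed or partially vendored the libiberty sources will not be caught, so treat "clean" as "nothing obvious" rather than proof.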
comment:31 Changed 15 months ago by toshio
- Owner set to toshio
- Keywords Meeting removed
- Status changed from new to assigned