Analysis of Debian's CVE-2007-4074 response
By Tim Brown
What follows is an analysis of Debian's response to my advisory regarding a remote code execution vulnerability in the Festival text-to-speech server.
Gentoo released their advisory for this issue on July 25th, 2007. However, since the issue results from a weakness in the default configuration (which can vary between distributions), they did not identify the remote nature of the vulnerability in their advisory. As a result, whilst Debian did triage the initial issue as described in Gentoo's advisory, some level of misdiagnosis occurred and the remote aspect was left unresolved. The issue was independently identified by myself and reported in Debian unstable on February 15th, 2008, almost 8 months after the initial advisory was released. It should be noted that Ubuntu required further notification before any action was taken.
From a security standpoint, this meant that users of Debian unstable, Debian testing and Ubuntu Hardy Heron were vulnerable to remote code execution for approximately 8 months after Gentoo had released their advisory. Whilst no cases of exploitation appear to have been reported, anyone running one of these distributions with the Festival text-to-speech server installed would have been extremely exposed, particularly considering the overlap with several root privilege escalation vulnerabilities that have since been reported in the Linux kernel.
There is a good side however, and that is how the maintainer, Kumar Appaiah, as well as Nico Golde of Debian testing security and Jamie Strandboge of Canonical were able to resolve the issue once it was brought to their attention. Triage was relatively easy, and although perhaps not as responsive as I would have liked, it never once felt like the issue was going to be brushed under the carpet.
Given that Gentoo and Debian have similar goals in being a powerful, customisable distribution, the question raised is why the two distributions were unable to cooperate on triaging the issue as it was originally reported. Whilst criticism of Gentoo focuses on their advisory, which lacked the necessary details, questions also need to be raised as to why Debian's festival package maintainer and the testing security team failed to follow through and make themselves familiar with the full bug report, which detailed the full nature of the misconfiguration that led to the vulnerability.
I guess I'm kinda disappointed, as I'm a Debian maintainer and I've always found Debian to be a stable, secure platform to deploy. It's kind of interesting though, as I've recently been working on a paper on how Debian secure their social network and thus their distribution. This raises several important caveats to the positives I've described in my paper thus far, and should serve as a reminder to other maintainers (myself included) of the importance of both understanding the packages that you maintain and of following bug-related discussions of your packages, even where they concern other distributions. Perhaps in this day and age, the new maintainer process requires an update to reflect this.
Music: Efterklang - Monopolist