[Pkg-crosswire-devel] Bug#890289: bibledit: embeds mbedtls - vulnerable to CVE-2017-2784, CVE-2017-14032, CVE-2018-0487, CVE-2018-0488

James Cowgill jcowgill at debian.org
Mon Feb 12 23:27:28 GMT 2018

Source: bibledit
Version: 5.0.331-1
Severity: grave
Tags: security


I notice bibledit embeds mbed TLS 2.2.1. The embedded version is
vulnerable to at least these CVEs (based on the version number and
assuming they have not been manually patched):

[disclaimer: the mbedtls package is still vulnerable to the last two,
but I am working on fixing those]

I see you have overridden lintian which warns you about this:
> # For just now the mbed TLS library is included.
> # When using the system-provided libmbedtls, there currently is a segmentation fault.
> # Pending investigation of this fault, temporarily include mbed TLS.
> # Here is the link to the issue: https://github.com/bibledit/bibledit/issues/499
> # By the way, isn't it called "mbed" TLS, obviously intended to be "embedded"?
> # So Bibledit is doing that right now, it "embeds" mbed TLS.
> bibledit: embedded-library usr/bin/bibledit: mbedtls

"mbed" is the brand name ARM uses for its IOT operating system (of which
mbedtls is a component) and therefore is derived from "embedded systems".

IMO embedding a security library is unacceptable and the package should
not be in a stable release in its current state.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-crosswire-devel/attachments/20180212/c037e69f/attachment.sig>

More information about the Pkg-crosswire-devel mailing list