[Pkg-crosswire-devel] Bug#890289: bibledit: embeds mbedtls - vulnerable to CVE-2017-2784, CVE-2017-14032, CVE-2018-0487, CVE-2018-0488
James Cowgill
jcowgill at debian.org
Mon Feb 12 23:27:28 GMT 2018
Source: bibledit
Version: 5.0.331-1
Severity: grave
Tags: security
Hi,
I notice bibledit embeds mbed TLS 2.2.1. The embedded version is
vulnerable to at least these CVEs (based on the version number and
assuming they have not been manually patched):
CVE-2017-2784
CVE-2017-14032
CVE-2018-0487
CVE-2018-0488
[disclaimer: the mbedtls package is still vulnerable to the last two,
but I am working on fixing those]
I see you have overridden lintian which warns you about this:
> # For just now the mbed TLS library is included.
> # When using the system-provided libmbedtls, there currently is a segmentation fault.
> # Pending investigation of this fault, temporarily include mbed TLS.
> # Here is the link to the issue: https://github.com/bibledit/bibledit/issues/499
> # By the way, isn't it called "mbed" TLS, obviously intended to be "embedded"?
> # So Bibledit is doing that right now, it "embeds" mbed TLS.
> bibledit: embedded-library usr/bin/bibledit: mbedtls
"mbed" is the brand name ARM uses for its IOT operating system (of which
mbedtls is a component) and therefore is derived from "embedded systems".
IMO embedding a security library is unacceptable and the package should
not be in a stable release in its current state.
Thanks,
James
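The report above infers the vulnerability from the version number of the copy of mbed TLS statically linked into the bibledit binary. As an added example (not part of James's report, of bibledit, or of the Debian tooling), the script below performs that check: it scans a binary for the "mbed TLS x.y.z" string that the library compiles into itself (MBEDTLS_VERSION_STRING_FULL in version.c) and compares the version against the first release on each maintained branch that addressed the four CVEs listed. The branch table is my assumption drawn from the mbed TLS release notes, not from the report, and the sample binary bytes are constructed so the script runs offline; pass a real path such as /usr/bin/bibledit as the first argument to scan a file.

```python
import re
import sys

# mbed TLS compiles MBEDTLS_VERSION_STRING_FULL ("mbed TLS x.y.z") into
# version.c, so a binary that statically links the library normally carries
# the string verbatim. This is the signal an embedded-library scan keys on.
VERSION_RE = re.compile(rb"mbed TLS (\d+)\.(\d+)\.(\d+)")

# Assumption (from the mbed TLS release notes, not from the bug report):
# first release on each maintained branch that addressed all four CVEs named
# in the report (CVE-2017-2784, CVE-2017-14032, CVE-2018-0487, CVE-2018-0488).
# Check the project ChangeLog before relying on these numbers.
FIXED_IN = {
    (1, 3): (1, 3, 22),   # 1.3.x LTS branch
    (2, 1): (2, 1, 10),   # 2.1.x LTS branch
}
FIXED_IN_DEFAULT = (2, 7, 0)  # mainline 2.x


def find_embedded_versions(data):
    """Return every distinct mbed TLS version found in a blob, sorted."""
    found = {tuple(int(g) for g in m.groups()) for m in VERSION_RE.finditer(data)}
    return sorted(found)


def fixed_version_for(version):
    """First fixed release on the branch the given version belongs to."""
    return FIXED_IN.get(version[:2], FIXED_IN_DEFAULT)


def is_vulnerable(version):
    """True if the version predates the fix on its own branch."""
    return version < fixed_version_for(version)


def audit(data):
    """Return (versions found, whether any of them is vulnerable)."""
    versions = find_embedded_versions(data)
    return versions, any(is_vulnerable(v) for v in versions)


def fmt(version):
    return ".".join(str(part) for part in version)


# Constructed sample: fake ELF-like bytes carrying the string an mbed TLS
# 2.2.1 build embeds. Stands in for reading /usr/bin/bibledit.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"GCC: (Debian 7.3.0-3) 7.3.0\x00"
    + b"mbed TLS 2.2.1\x00"
    + b"\x00" * 8
)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE_BINARY
    versions, vulnerable = audit(data)
    if not versions:
        print("no embedded mbed TLS version string found")
        return 0
    for v in versions:
        status = "VULNERABLE" if is_vulnerable(v) else "ok"
        print("mbed TLS %s: %s (branch fix: %s)" % (fmt(v), status, fmt(fixed_version_for(v))))
    return 1 if vulnerable else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The branch-aware comparison matters: a flat "older than 2.7.0" rule would wrongly flag a patched 2.1.10 or 1.3.22 build. A missing string is not a clean bill of health, since a build that strips version.c or was compiled without it carries no marker; in that case fall back to the source tree the package ships, as the report does.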