Source: ntdb
Version: 1.0-9
Severity: important
Tags: upstream

Dear maintainers,
In March, I sent an e-mail to the list, about removing the NTDB packages because they are unmaintained upstream, have known security issues (if only DoS), and have no other users in Debian:
https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2018-March/020680.html
AFAICT, I received no reply. Since then:
* I described my findings in the DBM-type databases at http://www.openwall.com/lists/oss-security/2018/06/17/1 ;
* a member of the security team requested filing a bug against ntdb for proper tracking; this is, belatedly, the requested tracking bug :)

Copying the relevant parts of the message here:

' For NTDB, which has a trivial nullptr deref, and otherwise crashes due to controlled asserts in the library (easy DoS upon data corruption), the situation is different. Quoting Volker Lendecke after I mentioned that inciting distros to remove NTDB from future versions could be part of the solution, without hurting many third-party packages (per the above dep list):
" I don't see Samba upstream to have the capacity to fix this code. Samba does not use it. It was intended as the successor to tdb, but this never materialized. So we removed it a few years ago. It's really up to debian to just dump it. " '

' I noticed that the NTDB packages formed an island from Stretch onwards:

# apt-cache rdepends libntdb1
libntdb1
Reverse Depends:
  libntdb-dev
  python-ntdb
  ntdb-tools
  libntdb1-dbg
# apt-cache rdepends libntdb-dev
libntdb-dev
Reverse Depends:
# apt-cache rdepends python-ntdb
python-ntdb
Reverse Depends:
  python-ntdb-dbg
# apt-cache rdepends ntdb-tools
ntdb-tools
Reverse Depends:
# apt-cache rdepends libntdb1-dbg
libntdb1-dbg
Reverse Depends:
  python-ntdb-dbg
# apt-cache rdepends python-ntdb-dbg
python-ntdb-dbg
Reverse Depends:
'

There's still time before the Buster freeze.

Regards,
Lionel Debroux.
-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf, armel, arm64, mips

Kernel: Linux 4.17.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
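The "island" check behind the apt-cache rdepends session quoted in the report, as an added example (not code from the report, from Debian's tooling, or from the ntdb package): it parses apt-cache rdepends output, embedded below as the exact lines quoted above, and lists any depender that lies outside the candidate removal set, so it generalises to any package set, not only NTDB.

```python
"""Reverse-dependency island check for a set of Debian packages.
Added example; not part of the bug report or of any Debian tool."""
from typing import Dict, Set
# The `apt-cache rdepends` output quoted in the report, concatenated verbatim.
RDEPENDS_OUTPUT = """\
libntdb1
Reverse Depends:
  libntdb-dev
  python-ntdb
  ntdb-tools
  libntdb1-dbg
libntdb-dev
Reverse Depends:
python-ntdb
Reverse Depends:
  python-ntdb-dbg
ntdb-tools
Reverse Depends:
libntdb1-dbg
Reverse Depends:
  python-ntdb-dbg
python-ntdb-dbg
Reverse Depends:
"""

def parse_rdepends(text: str) -> Dict[str, Set[str]]:
    """Map each queried package to the packages that depend on it.
    apt-cache prints the package name, a 'Reverse Depends:' line, then one
    indented line per depender; a leading '|' marks an alternative and is
    dropped because an alternative is still a real user of the package."""
    rdeps: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is not None:
                rdeps[current].add(line.strip().lstrip("|"))
        elif line.strip() != "Reverse Depends:":
            current = line.strip()
            rdeps.setdefault(current, set())
    return rdeps

def outside_dependers(rdeps: Dict[str, Set[str]], island: Set[str]) -> Set[str]:
    """Dependers of any island member that are not themselves in the island.
    An empty result means the set is self-contained and can go as a unit."""
    return {d for pkg in island for d in rdeps.get(pkg, set())} - island

NTDB_PACKAGES = set(parse_rdepends(RDEPENDS_OUTPUT))
```

Run `outside_dependers(parse_rdepends(RDEPENDS_OUTPUT), NTDB_PACKAGES)` to reproduce the report's conclusion; a non-empty result names the packages that would break if the set were removed.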