Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:debusine
User: [email protected]
Usertags: pu

[ Reason ]
As Debusine is still a rapidly evolving project, we expect anyone using it
seriously to want to use the version in trixie-backports. But we do have a
version in stable, and there are known security vulnerabilities that we have
fixed since its release, so here is a roll-up of backported security patches.

[ Impact ]
These known security issues would continue to be present in trixie.

[ Tests ]
We have full unit test coverage and meaningful integration tests in
autopkgtests. A test run on Debusine:
https://debusine.debian.net/debian/developers/work-request/829243/
I have not done any more manual verification than that.

[ Risks ]
There is some refactoring in some of these changes, but it's all fairly
straightforward.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Two of the backported MRs are hardening; they aren't known to be exploitable,
but they seem like a good idea to protect the server:

- Enforce permissions on the file body upload endpoint.
  https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3126
  The file body endpoint requires the files (and their hashes) to already be
  configured through an endpoint that did have permissions checks, so the
  risk here is minimal.

- Sbuild task: harden against shell injection.
  https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3124
  The data validation shouldn't let any shell injection get as far as these
  unprotected string substitutions, but escaping them is obviously an
  improvement.

Then there are two real security issues in the server:

- Restrict artifact relation creation and deletion.
  https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3127
  Anonymous users were able to create and delete relationships between
  artifacts.

- Reject .dsc/.changes checksum filenames with multiple path components.
  https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3125
  Maliciously constructed source packages could be used to read arbitrary
  files from the server.

Then there are also some CI configuration updates that aren't relevant to the
Debian package, just getting us to this point.
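The "harden against shell injection" item above is about escaping values before they are substituted into a shell command line. The following is an added illustration, not code from Debusine or from the linked merge request: it builds a command the unprotected way and the escaped way, and tokenises both the way a POSIX shell would, so the difference is visible. The command shape (an sbuild invocation with `--dist`/`--arch` and a fixed `.dsc` name) and the sample values are constructed for the example.

```python
import shlex

# Constructed sample task data: the kind of caller-supplied fields a build
# task might interpolate into a command line. The second value carries a
# shell metacharacter sequence so the two builders can be compared.
SAMPLE_DISTRIBUTION = "bookworm"
SAMPLE_ARCH_WITH_METACHARS = "amd64; echo injected"


def build_command_unquoted(distribution: str, arch: str) -> str:
    """Unprotected style: raw string substitution into a shell command line.

    If this string reaches ``sh -c``, metacharacters in either value are
    interpreted by the shell rather than passed to sbuild.
    """
    return f"sbuild --dist={distribution} --arch={arch} hello_1.0-1.dsc"


def build_command_quoted(distribution: str, arch: str) -> str:
    """Hardened style: every substituted value is shell-escaped.

    shlex.quote() wraps anything outside the safe character set in single
    quotes, so the shell treats the whole value as one literal word.
    """
    return (
        f"sbuild --dist={shlex.quote(distribution)} "
        f"--arch={shlex.quote(arch)} hello_1.0-1.dsc"
    )


def build_argv(distribution: str, arch: str) -> list[str]:
    """Preferred style: no shell at all; pass an argv list to subprocess.

    With a list there is nothing to escape, because no shell ever parses it.
    """
    return ["sbuild", f"--dist={distribution}", f"--arch={arch}", "hello_1.0-1.dsc"]


def words_as_shell_sees_them(command: str) -> list[str]:
    """Tokenise like /bin/sh, splitting on whitespace and on ; | & ( ) < >.

    This is only a model of the shell's word splitting, used here to show
    which parts of the command would become separate commands or arguments.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    unquoted = build_command_unquoted(SAMPLE_DISTRIBUTION, SAMPLE_ARCH_WITH_METACHARS)
    quoted = build_command_quoted(SAMPLE_DISTRIBUTION, SAMPLE_ARCH_WITH_METACHARS)
    print("unquoted:", words_as_shell_sees_them(unquoted))
    print("quoted:  ", words_as_shell_sees_them(quoted))
    print("argv:    ", build_argv(SAMPLE_DISTRIBUTION, SAMPLE_ARCH_WITH_METACHARS))
```

In the unquoted form the tokeniser returns `;` and `echo` as separate words, which is exactly the second command a shell would run; in the quoted form the whole value stays inside one `--arch=` word. The argv form is the one to prefer wherever the code controls how the process is spawned, with quoting reserved for the cases where a shell string genuinely has to be produced.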
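The last real issue above, checksum filenames with more than one path component, comes from the `Checksums-*` fields of a `.dsc` or `.changes`, where each line is `<digest> <size> <filename>` and the filename is supposed to name a sibling file. The following is an added example of the kind of validation that closes this, not Debusine's own code or the code in the linked merge request: it parses a constructed `Checksums-Sha256` field, refuses any filename that is not a single path component, and additionally refuses to resolve a path that would land outside the upload directory. The sample digests, sizes and the `/srv/uploads` directory are made up.

```python
import posixpath
import re
from dataclasses import dataclass

# Constructed sample input: a Checksums-Sha256 field as parsed out of a .dsc
# (one "<digest> <size> <filename>" entry per line). Digests are invented.
SAMPLE_CHECKSUMS_SHA256 = """\
1111111111111111111111111111111111111111111111111111111111111111 1234 hello_1.0.orig.tar.xz
2222222222222222222222222222222222222222222222222222222222222222 567 hello_1.0-1.debian.tar.xz
"""

# Constructed malicious input: the filename climbs out of the upload directory.
SAMPLE_TRAVERSAL = """\
3333333333333333333333333333333333333333333333333333333333333333 42 ../../etc/passwd
"""

_HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class ChecksumEntry:
    digest: str
    size: int
    filename: str


class InvalidChecksumFilename(ValueError):
    """A checksum entry names something other than a plain sibling file."""


def is_single_path_component(name: str) -> bool:
    """True only if *name* is a bare file name next to the .dsc/.changes."""
    if not name or name in (".", ".."):
        return False
    # Any separator (including a backslash or NUL that a later layer might
    # reinterpret) means the name is not a single component.
    if any(ch in name for ch in ("/", "\\", "\0")):
        return False
    return posixpath.basename(name) == name


def parse_checksums(field: str) -> list[ChecksumEntry]:
    """Parse a Checksums-Sha256 field, raising on any unsafe or malformed entry."""
    entries: list[ChecksumEntry] = []
    for lineno, line in enumerate(field.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<digest> <size> <filename>'")
        digest, size, filename = parts
        if not _HEX_SHA256.match(digest):
            raise ValueError(f"line {lineno}: malformed SHA-256 digest")
        if not size.isdigit():
            raise ValueError(f"line {lineno}: size is not a non-negative integer")
        if not is_single_path_component(filename):
            raise InvalidChecksumFilename(
                f"line {lineno}: {filename!r} has more than one path component"
            )
        entries.append(ChecksumEntry(digest, int(size), filename))
    return entries


def referenced_paths(upload_dir: str, field: str) -> list[str]:
    """Resolve each entry under upload_dir, refusing anything that escapes it.

    The containment check is defence in depth: even if filename validation
    were bypassed, a path that normalises outside the upload directory is
    refused rather than opened.
    """
    root = posixpath.normpath(upload_dir)
    paths: list[str] = []
    for entry in parse_checksums(field):
        candidate = posixpath.normpath(posixpath.join(root, entry.filename))
        if posixpath.dirname(candidate) != root:
            raise InvalidChecksumFilename(f"{entry.filename!r} escapes {root!r}")
        paths.append(candidate)
    return paths


def field_is_safe(field: str) -> bool:
    """True if every entry in the field passes validation."""
    try:
        parse_checksums(field)
    except ValueError:  # InvalidChecksumFilename is a ValueError too
        return False
    return True


if __name__ == "__main__":
    print(referenced_paths("/srv/uploads", SAMPLE_CHECKSUMS_SHA256))
    print("traversal sample accepted:", field_is_safe(SAMPLE_TRAVERSAL))
```

The check on the filename is the one that matters, because it rejects the input before any path is built; the containment check in `referenced_paths` is there so that a future refactor which forgets to call the validator still cannot open a file outside the upload directory. Rejecting the whole field on the first bad entry, rather than skipping it, is deliberate: a source package whose metadata references files it should not is not something to process partially.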

