On Tue, Jun 09, 2026 at 09:57:54AM -0400, Stefano Rivera wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:debusine
> User: [email protected]
> Usertags: pu
> 
> [ Reason ]
> As Debusine is still a rapidly evolving project, we expect anyone using 
> it seriously to want to use the version in trixie-backports. But we do 
> have a version in stable, and there are known security vulnerabilities 
> that we have fixed since its release, so here is a roll-up of backported 
> security patches.
> 
> [ Impact ]
> These known security issues would continue to be present in trixie.
> 
> [ Tests ]
> We have full unit test coverage and meaningful integration tests in 
> autopkgtests.
> A test run on Debusine: 
> https://debusine.debian.net/debian/developers/work-request/829243/
> 
> I have not done any more manual verification than that.
> 
> [ Risks ]
> There is some refactoring in some of these changes, but it's all fairly 
> straightforward.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Two of the backported MRs are hardening; they aren't known to be 
> exploitable, but they seem like a good idea to protect the server:
> 
> - Enforce permissions on the file body upload endpoint.
>   https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3126
> 
>   The file body endpoint requires the files (and their hashes) to 
>   already be configured through an endpoint that did have permissions 
>   checks. So the risk here is minimal.
> 
> - Sbuild task: harden against shell injection.
>   https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3124
> 
>   The data validation shouldn't let any shell injection get as far as 
>   these unprotected string substitutions. But escaping them is 
>   obviously an improvement.
> 
> Then there are two real security issues in the server:
> 
> - Restrict artifact relation creation and deletion.
>   https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3127
> 
>   Anonymous users were able to create and delete relationships between 
>   artifacts.
> 
> - Reject .dsc/.changes checksum filenames with multiple path components.
>   https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3125
> 
>   Maliciously constructed source packages could be used to read 
>   arbitrary files from the server.
> 
> Then there are also some CI configuration updates that aren't relevant 
> to the Debian package, just getting us to this point.

Can you get CVEs assigned for these?
Not having a CVE for a remotely exploitable vulnerability in stable 
sounds very wrong.

debusine is also shipped in e.g. the Ubuntu 24.04 and 26.04 LTS releases,
and without CVEs users there have hidden known vulnerabilities.

cu
Adrian
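As an added illustration of the kind of check the fourth listed change describes (rejecting .dsc/.changes checksum filenames with more than one path component), here is a small parser for the Checksums-Sha256 field with that validation. This is example code written for this page, not debusine's own code; the field layout is modelled in simplified form and the sample digests are constructed placeholders.

```python
import re
from typing import List, NamedTuple

# Continuation lines of a Checksums-Sha256 field: " <sha256-hex> <size> <filename>".
_ENTRY_RE = re.compile(r"^ (?P<hash>[0-9a-f]{64}) (?P<size>\d+) (?P<name>.+)$")

class ChecksumEntry(NamedTuple):
    sha256: str
    size: int
    filename: str

class InvalidChecksumFilename(ValueError):
    """A checksum entry named something other than a bare file."""

def validate_filename(name: str) -> str:
    # An entry must name one file sitting beside the .dsc/.changes, so any
    # separator, traversal component or NUL byte is rejected before the name
    # could ever be joined onto a directory on the server.
    if name in ("", ".", ".."):
        raise InvalidChecksumFilename(f"reserved or empty filename: {name!r}")
    if "/" in name or "\\" in name or "\x00" in name:
        raise InvalidChecksumFilename(f"multiple path components: {name!r}")
    return name

def parse_checksums_sha256(control_text: str) -> List[ChecksumEntry]:
    entries: List[ChecksumEntry] = []
    in_field = False
    for line in control_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field and not line.startswith(" "):
            break  # a new field starts; the multi-line field is over
        if in_field:
            m = _ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"malformed checksum line: {line!r}")
            name = validate_filename(m.group("name"))
            entries.append(ChecksumEntry(m.group("hash"), int(m.group("size")), name))
    return entries

# Constructed sample inputs; the digests are placeholders, not real hashes.
GOOD_DSC = "\n".join([
    "Source: example",
    "Checksums-Sha256:",
    f" {'ab' * 32} 1234 example_1.0.orig.tar.xz",
    f" {'cd' * 32} 567 example_1.0-1.debian.tar.xz",
    "Files:",
    f" {'00' * 16} 1234 example_1.0.orig.tar.xz",
])
BAD_DSC = GOOD_DSC.replace("example_1.0-1.debian.tar.xz", "../outside_upload_dir.tar.xz")
```

Parsing GOOD_DSC yields two entries, while BAD_DSC is refused at the filename check before any file path is built from it.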
