Wednesday, December 07, 2016

The dangers of stable/LTS/supported versions

Ubuntu 14.04 LTS is supported until April 2019 and ships poppler 0.24.5 http://packages.ubuntu.com/search?suite=trusty&searchon=names&keywords=libpoppler-dev

RHEL 7.3 ships poppler 0.26.5 (I may be wrong, https://git.centos.org/summary/?r=rpms/poppler is the best info i could find, Red Hat does not make easy to know what you're buying)

Debian stable (Jessie) ships poppler 0.26.5 https://packages.debian.org/search?suite=jessie&searchon=names&keywords=libpoppler-dev

Current release is poppler 0.49 https://poppler.freedesktop.org/releases.html

This means that people are running stable versions and thinking they are secure, but if we trust security specialists, [almost] every crash can be exploited, and I'm almost sure neither Ubuntu nor RedHat nor Debian have backported all of the crash fixes of the more than 20 releases and 2 years of development behind those *very old* versions they are shipping.

I don't know how/if this can be fixed, but i honestly think we're giving users a false sense of security by letting them run those versions.

13 comments:

Andrius said...

Well, it is even worse with Partition Manager. Debian jessie ships 1.0.3 which is about 6 years old... Well, hopefully I'll be able to convince them to upgrade it for stretch...

Sudhir Khanger said...

Then why did Plasma team decided that they had to ship an LTS release?

tosky said...

If the issue is worth a CVE, then it's on the queue for a quick backport of the fix.

The version number does not consider the patches included; you check the changelog for that.

Alex L. said...

Plasma LTS is upstream, devs will backports fixes from 5.9+ to 5.8 but not new features.
In my opinion a distro should backport fixes if it decides to ship older version of software.
Having LTS releases is a good thing for both upstream and downstream, but here distro are not doing it well, imho.

Anonymous said...

So why does KDE neon use ubuntu as base? ... they dont even ship bugfixreleases if they are available, universe and multiverse is technically a fat, dead securityhole after release and thanks to canonical it'll move to a completely different path (MIR) than Plasma does with wayland?

Seems thats the KDE where one end calls it bad to use a stable release because of _good reasons_ and the other end builds the whole kde distro on top of the worst of all stable release distros... good PR.. very good PR,,,,

C├ędric Bellegarde said...

ArchLinux is the way to go... ;)

Albert Astals Cid said...

@tosky: That's also part of the fun, according to "security researchers" every crash is exploitable, so every crash would need a CVE.

But every time i ask for an actual exploit they all go "Trust us" or "Are you saying you will ignore a crash unless it's exploitable" or some similar stuff, basically degrading their own "this is exploitable" claim by never ever providing proff that stuff is exploitable, so I've obviously decided not to care about creating new CVEs for every single crash we fix.

Albert Astals Cid said...

@Anonymous: The base that KDE neon uses is less bad, since it's the newer Ubuntu LTS and it's not a 3 year old release. As you saw basically every single "stable" distro is a problem. I was not involved in the choose of base distribution for KDE neon, I am sure they had good reasons, as said the world is not perfect.

Albert Astals Cid said...

@Cedric: ArchLinux has it's own set of problems (no debug packages still, come on) but this one is indeed not one of them

David Strobach said...

ArchLinux is aimed at users who are able to build a debug package for themselves if they need one. It's trivial with Arch.

tosky said...

Iirc you don't need a reproducer to create a CVE, but I can ask.

Albert Astals Cid said...

@David: Off topic, so it's my last comment about it here, but if it needs a wiki is not trivial, trivial is "sudo apt-get install qtbase5-dbg"

Albert Astals Cid said...

@tosky: So you suggest I do a CVE saying: "people have told me that if I have a crash i have a security vulrenability". Doesn't sound very professional tbh.