Fixing CVEs on Debian: Everything you probably know already - DebConf24


This talk is aimed at people new to fixing CVEs, but I’m also showing a few examples which could be interesting for experienced developers.

I’ll present an introduction to CVEs, how Debian deals with CVEs, how to avoid mistakes and my recommendations for a better patch backporting process (which allows for better reviews).

A CVE is an identifier for security vulnerabilities, so in other words this is about fixing security issues for Debian.

Presenter:
Samuel Henrique "samueloph" is a software developer focused on Debian, Linux, Python, Rust and security. He's a Debian Developer, contributing mostly to the packaging of security tools in the Debian Security Tools Packaging Team (pkg-security).
Samuel maintains a few other key packages on Debian, such as "curl", "rsync" and "nmap", for which he is also responsible for fixing CVEs across all Debian releases.
Working as a System Development Engineer on Amazon Linux, Samuel develops Rust- and Python-based systems that deal with CVE processing at AWS.
He also helps people learn packaging and start contributing to Debian.

Presented on 2024-07-29 at DebConf24:
https://debconf24.debconf.org

00:00 Waiting...
00:04 Intro
02:49 Summary
03:44 The CVE Program and the CVE ID
06:12 A CVE for Debian
09:21 How upstream developers fix CVEs
11:22 How Debian fixes CVEs
12:35 Steps to fix a CVE
13:54 Find a CVE to fix
15:50 Example of missed CVE for cpython
16:47 Example of bogus CVE for curl
17:57 Example of timing attack for GnuTLS
20:12 Confirm impact
23:29 Examples of CVE description gotchas
26:50 Identify the fix
28:32 Example of introduction of limits on curl
29:31 Example of regression
30:52 Apply the patches to the Debian packaging
31:53 Modify the patch as needed
34:33 Example of backported-by patch header
35:05 Example of backporting commits
36:10 Review the backporting
37:52 Example of curl memory leak
38:56 Test the changes
40:05 Submit the fix and watch for regressions
40:36 Questions
