#992786 passenger uses many vendored libraries

#992786#5
Date:
2021-08-23 12:00:16 UTC
From:
To:
passenger-5.0.30/src/cxx_supportlib/vendor-copy:
adhoc_lve.h  libcurl  libuv  nghttp2  utf8  utf8.h

passenger-5.0.30/src/cxx_supportlib/vendor-modified:
SmallVector.h  jsoncpp  modp_b64.cpp  modp_b64_data.h
boost          libev    modp_b64.h    psg_sysqueue.h

passenger-6.0.10/src/cxx_supportlib/vendor-copy:
adhoc_lve.h  libuv  utf8  utf8.h  websocketpp

passenger-6.0.10/src/cxx_supportlib/vendor-modified:
boost    libev         modp_b64.h       modp_b64_strict_aliasing.cpp
jsoncpp  modp_b64.cpp  modp_b64_data.h  psg_sysqueue.h


The problem is that these vendored copies seem to actually be used.

Does for example CVE-2021-22918 in libuv1 need fixing in passenger?

The security team is Cc'ed, and in a better position to suggest
how this package should be handled.

Related, passenger is in security-tracker/data/packages/removed-packages
(it was renamed to ruby-passenger and then renamed back).
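
The question of whether a vendored copy is "actually used" is the one that decides if a CVE in the system library also needs fixing in the package. The script below is an added example (not passenger's code, and not a Debian tool): it inventories the `vendor-copy` and `vendor-modified` directories in a source tree and then scans the non-vendored C/C++ sources for `#include` lines that reach into them. It runs on a constructed mini tree that borrows the directory names from the listing above; the file contents are made up. An include that spells out the vendor directory (`"vendor-copy/libuv/include/uv.h"`) is a definite use; an include such as `<boost/config.hpp>` is reported as ambiguous, because whether it resolves to the embedded or the system copy depends on the compiler's `-I` search order, and only the build itself (or the resulting object files) settles that.

```python
"""Inventory vendored library copies in a source tree and report which
non-vendored sources include them. Added example with a constructed tree."""
import re
import tempfile
from pathlib import Path

# Directory names used by the passenger source tree, as listed in the bug report.
VENDOR_DIRS = ("vendor-copy", "vendor-modified")
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]')
SOURCE_SUFFIXES = {".c", ".cc", ".cpp", ".h", ".hpp"}

# Constructed mini tree (file path -> contents). Only the directory names come
# from the report; the files and their include lines are made up for the demo.
CONSTRUCTED_TREE = {
    "src/cxx_supportlib/vendor-copy/libuv/include/uv.h": "/* stub */\n",
    "src/cxx_supportlib/vendor-copy/utf8/utf8.h": "/* stub */\n",
    "src/cxx_supportlib/vendor-modified/libev/ev.h": "/* stub */\n",
    "src/cxx_supportlib/vendor-modified/boost/config.hpp": "/* stub */\n",
    "src/cxx_supportlib/Core.cpp":
        '#include "vendor-copy/libuv/include/uv.h"\n#include <boost/config.hpp>\n',
    "src/cxx_supportlib/EventLoop.cpp":
        '#include "vendor-modified/libev/ev.h"\n#include <stdio.h>\n',
}


def write_tree(root: Path, tree: dict) -> None:
    """Materialise the constructed tree under a temporary root."""
    for rel, body in tree.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def find_vendored_libs(root: Path) -> dict:
    """Map library name -> vendor directory kind. Each direct child of a vendor
    directory (a subdirectory or a single header) counts as one vendored library."""
    libs = {}
    for vendor_dir in root.rglob("*"):
        if vendor_dir.is_dir() and vendor_dir.name in VENDOR_DIRS:
            for child in vendor_dir.iterdir():
                libs[child.stem] = vendor_dir.name  # utf8.h and utf8/ both map to "utf8"
    return libs


def is_under_vendor_dir(path: Path) -> bool:
    return any(part in VENDOR_DIRS for part in path.parts)


def find_references(root: Path, libs: dict) -> dict:
    """For each vendored library, list the non-vendored sources that include it.
    'direct': the include path names the vendor directory itself.
    'ambiguous': the first path component matches a vendored library name, so the
    include may resolve to the embedded or the system copy depending on -I order."""
    refs = {name: {"direct": [], "ambiguous": []} for name in libs}
    for src in root.rglob("*"):
        if not src.is_file() or src.suffix not in SOURCE_SUFFIXES or is_under_vendor_dir(src):
            continue
        rel_src = src.relative_to(root).as_posix()
        for line in src.read_text().splitlines():
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            parts = m.group(1).split("/")
            if len(parts) >= 2 and parts[0] in VENDOR_DIRS:
                lib = Path(parts[1]).stem
                if lib in refs:
                    refs[lib]["direct"].append(rel_src)
            elif parts[0] in refs:
                refs[parts[0]]["ambiguous"].append(rel_src)
    return refs


def unused_libs(libs: dict, refs: dict) -> list:
    """Vendored libraries no non-vendored source includes: candidates to drop,
    and not reachable from the build unless something else pulls them in."""
    return sorted(n for n in libs if not refs[n]["direct"] and not refs[n]["ambiguous"])


def run_on_constructed_tree():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, CONSTRUCTED_TREE)
        libs = find_vendored_libs(root)
        refs = find_references(root, libs)
        return libs, refs, unused_libs(libs, refs)


if __name__ == "__main__":
    libs, refs, unused = run_on_constructed_tree()
    for name, kind in sorted(libs.items()):
        print(f"{name:8} {kind:16} direct={refs[name]['direct']} ambiguous={refs[name]['ambiguous']}")
    print("no references found:", unused)
```

Pointing `find_vendored_libs` and `find_references` at a real unpacked source tree instead of the temporary one gives a first-pass answer to "is this copy used?"; the ambiguous entries are the ones to confirm against the build flags before deciding whether a system-library advisory applies to the embedded copy as well.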

#992786#10
Date:
2021-08-23 12:18:42 UTC
From:
To:
I am new to this list and would like to get involved, but I am a relative
beginner in programming. I understand from looking at this CVE that it is
triggered by a particular type of API call, which is probably unlikely in
the wild, unless prior recon has been done and there is already a threat
actor inside. The threat is less than six. I work in security and I have
seen many environments where threats this low are not patched. If I would
have time and would want to volunteer help, can someone instruct me how to
get started? Thank you in advance. I apologize if I am making noise on the
list, I just signed up. I thought QA would be an easy way to get started
in the Debian community. Thanks.

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

#992786#15
Date:
2021-08-25 20:15:38 UTC
From:
To:
Debian has already issued a security advisory for this specific
vulnerability for the libuv1 package (and sent to the wrong list):
https://www.debian.org/security/2021/dsa-4936

My bug report was about passenger having copies of libraries that might
also be vulnerable to CVEs like for example this one.

General information:
https://www.debian.org/intro/help

The debian-mentors mailing list would be a good starting point for
helping other contributors with problems packaging and maintaining
software in Debian.

cu
Adrian

#992786#20
Date:
2022-06-02 00:05:26 UTC
From:
To:
Hi,

6.0.13+ds-1 drops the embedded copies of both libuv and libev, which seem
to be the most high-profile libraries; and it's now actually possible to
build passenger against system-provided copies of those.

There is still an embedded copy of boost, but that's modified from
upstream boost in a way that the code does not build against system boost.

Ideally we would want to drop all of the other embedded copies, but
realistically that would involve an amount of work that is not available
at the moment.

Because this is still a relevant issue, but IMO not worth removing
passenger because of it, I am downgrading this bug to important.