Diego Elio Pettenò | 8 Jul 2012 20:04

Last rites for net-ftp/netkit-tftp

I just fixed a (reported) buffer overflow on it (not a security bug),
but the code is very bad and I'm expecting more issues in the future.

The ebuild wasn't bumped since 2008, the upstream FTP site is entirely
gone (there's no more the _domain_ of it), and net-ftp/tftp-hpa should
replace it in all ways.

So it'll be removed next month if there are no reasons to keep it around.

-- 
Diego Elio Pettenò — Flameeyes
flameeyes <at> flameeyes.eu — http://blog.flameeyes.eu/


Re: Last rites for net-ftp/netkit-tftp

Diego Elio Pettenò wrote:
> I just fixed a (reported) buffer overflow on it (not a security bug),
> but the code is very bad and I'm expecting more issues in the future.
> 
> The ebuild wasn't bumped since 2008, the upstream FTP site is entirely
> gone (there's no more the _domain_ of it), and net-ftp/tftp-hpa should
> replace it in all ways.
> 
> So it'll be removed next month if there are no reasons to keep it around.

Please report a removal bug for this, so any issues concerning users of
netkit-tftp can be tracked.

Best regards,
Chí-Thanh Christopher Nguyễn

Diego Elio Pettenò | 8 Jul 2012 21:49

Re: Last rites for net-ftp/netkit-tftp

On 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn wrote:
> Please report a removal bug for this, so any issues concerning users of
> netkit-tftp can be tracked.

Here it is:
https://bugs.gentoo.org/show_bug.cgi?id=425362

And actually Robin K. who submitted the overflow bug I fixed, pointed
out that there _are_ cases where hpa doesn't work but netkit does, so
I've downgraded the removal to a simple masking for bad code.

I guess we'll wait a bit more before removing this, in the mean time
though I don't really feel happy with leaving it unmasked so it'll stay
as it is.

-- 
Diego Elio Pettenò — Flameeyes
flameeyes <at> flameeyes.eu — http://blog.flameeyes.eu/

Pacho Ramos | 8 Jul 2012 23:29

Re: Last rites for net-ftp/netkit-tftp

On Sun, 08-07-2012 at 21:49 +0200, Diego Elio Pettenò wrote:
> On 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn wrote:
> > Please report a removal bug for this, so any issues concerning users of
> > netkit-tftp can be tracked.
> 
> Here it is:
> https://bugs.gentoo.org/show_bug.cgi?id=425362
> 
> And actually Robin K. who submitted the overflow bug I fixed, pointed
> out that there _are_ cases where hpa doesn't work but netkit does, so
> I've downgraded the removal to a simple masking for bad code.
> 
> I guess we'll wait a bit more before removing this, in the mean time
> though I don't really feel happy with leaving it unmasked so it'll stay
> as it is.
> 

If its upstream is completely dead, it has bad code and it has a
replacement, I would still go to treeclean it

Jeroen Roovers | 9 Jul 2012 02:57

Re: Last rites for net-ftp/netkit-tftp

On Sun, 08 Jul 2012 23:29:35 +0200
Pacho Ramos <pacho <at> gentoo.org> wrote:

> On Sun, 08-07-2012 at 21:49 +0200, Diego Elio Pettenò wrote:
> > On 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn wrote:
> > > Please report a removal bug for this, so any issues concerning
> > > users of netkit-tftp can be tracked.
> > 
> > Here it is:
> > https://bugs.gentoo.org/show_bug.cgi?id=425362
> > 
> > And actually Robin K. who submitted the overflow bug I fixed,
> > pointed out that there _are_ cases where hpa doesn't work but
> > netkit does, so I've downgraded the removal to a simple masking for
> > bad code.
> > 
> > I guess we'll wait a bit more before removing this, in the mean time
> > though I don't really feel happy with leaving it unmasked so it'll
> > stay as it is.
> > 
> 
> If its upstream is completely dead, it has bad code and it has a
> replacement, I would still go to treeclean it

But if it provides the only means to netboot certain hardware, then you
might think twice.

      jer

Anthony G. Basile | 9 Jul 2012 03:06

Re: Last rites for net-ftp/netkit-tftp

On 07/08/2012 08:57 PM, Jeroen Roovers wrote:
> On Sun, 08 Jul 2012 23:29:35 +0200
> Pacho Ramos<pacho <at> gentoo.org>  wrote:
>
>> On Sun, 08-07-2012 at 21:49 +0200, Diego Elio Pettenò wrote:
>>> On 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn wrote:
>>>> Please report a removal bug for this, so any issues concerning
>>>> users of netkit-tftp can be tracked.
>>> Here it is:
>>> https://bugs.gentoo.org/show_bug.cgi?id=425362
>>>
>>> And actually Robin K. who submitted the overflow bug I fixed,
>>> pointed out that there _are_ cases where hpa doesn't work but
>>> netkit does, so I've downgraded the removal to a simple masking for
>>> bad code.
>>>
>>> I guess we'll wait a bit more before removing this, in the mean time
>>> though I don't really feel happy with leaving it unmasked so it'll
>>> stay as it is.
>>>
>> If its upstream is completely dead, it has bad code and it has a
>> replacement, I would still go to treeclean it
> But if it provides the only means to netboot certain hardware, then you
> might think twice.
>
>
>        jer
>
I have several Ubiquiti RouterStations (the hardware in question) and
I've asked Robin Kauffman to report the steps to reproduce in the bug.  

Pacho Ramos | 9 Jul 2012 22:34

Re: Last rites for net-ftp/netkit-tftp

On Sun, 08-07-2012 at 21:06 -0400, Anthony G. Basile wrote:
> On 07/08/2012 08:57 PM, Jeroen Roovers wrote:
> > On Sun, 08 Jul 2012 23:29:35 +0200
> > Pacho Ramos<pacho <at> gentoo.org>  wrote:
> >
> >> On Sun, 08-07-2012 at 21:49 +0200, Diego Elio Pettenò wrote:
> >>> On 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn wrote:
> >>>> Please report a removal bug for this, so any issues concerning
> >>>> users of netkit-tftp can be tracked.
> >>> Here it is:
> >>> https://bugs.gentoo.org/show_bug.cgi?id=425362
> >>>
> >>> And actually Robin K. who submitted the overflow bug I fixed,
> >>> pointed out that there _are_ cases where hpa doesn't work but
> >>> netkit does, so I've downgraded the removal to a simple masking for
> >>> bad code.
> >>>
> >>> I guess we'll wait a bit more before removing this, in the mean time
> >>> though I don't really feel happy with leaving it unmasked so it'll
> >>> stay as it is.
> >>>
> >> If its upstream is completely dead, it has bad code and it has a
> >> replacement, I would still go to treeclean it
> > But if it provides the only means to netboot certain hardware, then you
> > might think twice.
> >
> >
> >        jer
> >
> I have several Ubiquiti RouterStations (the hardware in question) and

Diego Elio Pettenò | 9 Jul 2012 23:05

Re: Last rites for net-ftp/netkit-tftp

On Mon, Jul 9, 2012 at 10:34 PM, Pacho Ramos <pacho <at> gentoo.org> wrote:
> I thought it has a replacement, if not, ok to keep

It has a replacement for probably 95% of its users; hopefully Robin
and Anthony can figure out why those 5% (random number of course) is
not able to use tftp-hpa; once we do that it should be safe to remove.
I'll keep it monitored till then. And masked of course, as we don't
want to risk issues, especially security issues, due to that.

