Calligra stable releases not in Debian stable Jessie

Jaroslaw Staniek staniek at kde.org
Fri Sep 30 23:43:22 BST 2016


On 1 October 2016 at 00:18, Nicolás Alvarez <nicolas.alvarez at gmail.com> wrote:
> 2016-09-30 6:31 GMT-03:00 Jaroslaw Staniek <staniek at kde.org>:
>>
>> Dear Debian contributors,
>> I am the maintainer of Kexi, one of the Calligra apps.
>> I've just noticed that in Debian stable Jessie the most recent Calligra is 2.8.5,
>> which is 13 releases old. There are no updates to 2.8.7, and zero updates to
>> 2.9.*.
>>
>> 2.8.5 is a July 2014 version. Due to security and stability issues it may
>> even be better *not* to have this version released at all than to receive
>> reports from users thinking that's the most recent version (this is my own
>> opinion).
>>
>> When users run, say, a Raspberry, they see that old and unsupported (by us)
>> version. So here Jessie distributes this unstable software despite many
>> updates being available. I don't see the same issue with MySQL, for example,
>> which was updated just this month. Maybe a manpower issue?
>>
>> I have questions then:
>> - what happens?
>> - what can be done to fix the situation?
>> - how to coordinate better?
>>
>
> Jessie is frozen, I doubt Kexi 2.9 will ever be in 'jessie'. I don't
> see how MySQL is different, the latest version from upstream is
> 5.7.15, Jessie has 5.5.52, it was upgraded from 5.5.50 because of a
> specific security fix.
>
> See this for the criteria to get an update in stable:
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
>
> Can you mention specific security bugs that 2.8.5 has? That could
> justify bringing 2.8.7 in (or backporting the security fixes).
>
> And maybe 2.9 could be in the 'jessie-backports' repository. But I
> wouldn't expect it in 'jessie'.
>
>
> Of course, this is in addition to the possible lack of manpower to do
> such packaging :)

Thanks for the useful info, Nicolás.
Let's look at the first commit from 2.8.7, which removes the possibility of
preparing an attack that can crash your db. Please see below. It's enough to
cause Kexi to ask a specific question: it enters an infinite loop and exits
with an exception, thus e.g. losing unsaved designs.
Really, we did not set a formal distinction between types of instabilities,
knowing that *normally* distributors take all fixes and deploy them to
the users; because this is connected/network software for a multiuser
environment, the consequences may be more serious than, say, in a locally
running text editor.

Honestly, we know via telemetry that more users than needed run
outdated software. And request free support for it.

commit db59286ef26be67eccf6f0fb31e5abdcf9911d02
Author: Jaroslaw Staniek <staniek at kde.org>
Date:   Tue Nov 25 23:06:03 2014 +0100

    Fix infinite recursion in msghandler.cpp

    The Calligra 2.7.90 build log using msvc2010 gives this warning
    concerning msghandler.cpp: 'KexiDB::MessageHandler::askQuestion' :
    recursive on all control paths, function will cause runtime stack overflow

    Thanks, Stephen Leibowitz
    CCMAIL:LibreStephen at gmail.com
    REVIEW:121180
    FIXED-IN:2.8.7

Another: a specific query can be passed by one user to another and cause
a crash, in theory also executing arbitrary code on some
architectures:

commit eaefd12562da5b422ae175351423fa15fd1a2cb4
Author: Jaroslaw Staniek <staniek at kde.org>
Date:   Wed Jun 4 13:12:22 2014 +0200

    Fix crash when accessing a query with duplicated table names

    Example query that crashed: SELECT t.foo FROM t, t.
    Now error message is displayed so user can fix the statement.

    BUG:315852
    FIXED-IN:2.8.4


If the database serves more than one user, it can also mean denial of
service attacks: it's enough to set a query to be always executed
initially, e.g. for a main form.

-- 
regards, Jaroslaw Staniek

KDE:
: A world-wide network of software engineers, artists, writers, translators
: and facilitators committed to Free Software development - http://kde.org
Calligra Suite:
: A graphic art and office suite - http://calligra.org
Kexi:
: A visual database apps builder - http://calligra.org/kexi
Qt Certified Specialist:
: http://www.linkedin.com/in/jstaniek
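The second commit quoted above describes a query with a duplicated table name (`SELECT t.foo FROM t, t`) that crashed Kexi, and a fix that instead reports an error so the user can correct the statement. The following is an added example of that kind of pre-execution check, written for this page; it is not Kexi or KexiDB code (the real parser is C++), and it only understands simple comma-joined FROM clauses with optional aliases. The function and regex names, and the sample queries, are constructed for illustration.

```python
import re

# Constructed example, not Kexi/KexiDB code: reject FROM clauses that make the
# same table or alias visible twice, instead of passing them on to the engine.

# Capture the text between FROM and the next clause keyword, a semicolon, or the end.
FROM_RE = re.compile(
    r"\bFROM\s+(.+?)(?:\s+(?:WHERE|GROUP\s+BY|ORDER\s+BY|HAVING|LIMIT)\b|;|$)",
    re.IGNORECASE | re.DOTALL,
)
IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
# One table reference: `table`, `table alias`, or `table AS alias`.
TABLE_REF_RE = re.compile(rf"^({IDENT})(?:\s+(?:AS\s+)?({IDENT}))?$", re.IGNORECASE)


def table_refs(sql):
    """Return a list of (table, alias_or_None) tuples for a comma-joined FROM clause."""
    m = FROM_RE.search(sql)
    if not m:
        raise ValueError("no FROM clause found")
    refs = []
    for part in m.group(1).split(","):
        part = part.strip()
        tm = TABLE_REF_RE.match(part)
        if not tm:
            # JOIN syntax, subqueries etc. are outside this toy check; fail closed.
            raise ValueError(f"unsupported table reference: {part!r}")
        refs.append((tm.group(1), tm.group(2)))
    return refs


def check_from_clause(sql):
    """Return (ok, message).

    ok is False when a table name (or alias) would be visible twice in FROM,
    which is the shape of the statement the commit message reports as crashing;
    a self-join with distinct aliases is accepted.
    """
    try:
        refs = table_refs(sql)
    except ValueError as e:
        return False, str(e)
    seen = set()
    for table, alias in refs:
        visible = (alias or table).lower()  # identifiers compared case-insensitively
        if visible in seen:
            return False, (f"table or alias {visible!r} appears more than once in FROM; "
                           "give each occurrence a distinct alias")
        seen.add(visible)
    return True, "ok"


if __name__ == "__main__":
    for q in ("SELECT t.foo FROM t, t",                       # the crashing shape: rejected
              "SELECT a.foo FROM t a, t b WHERE a.id = b.id",  # self-join with aliases: accepted
              "SELECT x FROM t a, u AS a"):                    # duplicate alias: rejected
        print(q, "->", check_from_clause(q))
```

Running the block rejects the duplicated-name query with an error message while accepting a self-join that aliases each occurrence, which is the behaviour the commit message describes after the fix.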