September Report

2018-10-11 Thread Hugo Lefeuvre 
[re-sending report, was not properly archived]

Hi,

Here is my (E)LTS report for September.

---
LTS

I was allocated 10 hours. I have spent all of them in the following
tasks:

* 389-ds work:

  Triage CVE-2018-14638, not affecting Jessie. Investigate CVE-2018-14624,
  which affects Jessie. Backport patch, test and upload it.

* openjpeg2 work:

  Reproduce and investigate CVE-2018-5785, write a patch, get feedback
  from upstream (patch was merged in the master) and backport it for
  Jessie. Not uploaded yet, this patch will be included in a more
  substancial upload this month.


ELTS

I was allocated 6 hours. I have spent 2.75 of them in the following
tasks:

* tiff3 work:

  Mark CVE-2018-17101, CVE-2018-17100 and CVE-2018-17000 .
  Mark CVE-2018-15209 and CVE-2018-16335  (I have tried to
  investigate the issues and develop a patch but couldn't reproduce the
  issues properly on my system. Also, I discovered that recent fixes made
  exploit and reproduction even harder. After spending some time on it
  I decided to just postpone them and wait for a patch from upstream).

Best Regards,
 Hugo

--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

September Report

2018-10-09 Thread Hugo Lefeuvre 
Hi,

Here is my (E)LTS report for September.

---
LTS

I was allocated 10 hours. I have spent all of them in the following
tasks:

* 389-ds work:

  Triage CVE-2018-14638, not affecting Jessie. Investigate CVE-2018-14624,
  which affects Jessie. Backport patch, test and upload it.

* openjpeg2 work:

  Reproduce and investigate CVE-2018-5785, write a patch, get feedback
  from upstream (patch was merged in the master) and backport it for
  Jessie. Not uploaded yet, this patch will be included in a more
  substancial upload this month.


ELTS

I was allocated 6 hours. I have spent 2.75 of them in the following
tasks:

* tiff3 work:

  Mark CVE-2018-17101, CVE-2018-17100 and CVE-2018-17000 .
  Mark CVE-2018-15209 and CVE-2018-16335  (I have tried to
  investigate the issues and develop a patch but couldn't reproduce the
  issues properly on my system. Also, I discovered that recent fixes made
  exploit and reproduction even harder. After spending some time on it
  I decided to just postpone them and wait for a patch from upstream).

Best Regards,
 Hugo

--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature

September Report

2017-10-02 Thread Hugo Lefeuvre 
Hi,

September 2017 was my 13th month as a payed Debian LTS contributor.

I was allocated 15 hours. I have spent all of them doing the following
tasks:

 * Continue to investigate lame CVEs.

   I have spent quite a lot of time trying to reproduce the
   CVEs, without success. Neverheless, I still think that the wheezy
   version could be affected. You can find a summary of my work here:
   https://lists.debian.org/debian-lts/2017/09/msg00082.html

   I am probably going to wait for 3.100 to decide whether I should mark
   these CVEs no-dsa or not.

* Organise libav support in Debian LTS.

  libav LTS support has been quite infrequent since last year. I am
  currently discussing with Diego in order to guarantee a better
  handling of the 44 CVEs currently affecting libav in wheezy.

* Debug, test and upload clamav update (DLA 1105-1)

* Triage mp3gain CVEs and reproduce CVE-2017-14409/07.

  Again, issues seem to be hard to reproduce like the ones in lame
  (codebase is similar).

  Start to work on a patch but decide to stop (too time consuming,
  unclear whether I would get useful results or not).

* Debug ming CVE-2017-11704 and start writing a patch addressing the
  issue:
  https://github.com/libming/libming/issues/76

  This is quite time-consuming because CVE-2017-11704 is actually caused
  by several overflows in multiple methods.

  Reproduce CVE-2017-117{04, 28, 29, 30, 32, 34}.

Best Regards,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E


signature.asc
Description: PGP signature

September report

2016-10-19 Thread Emilio Pozuelo Monfort 
Hi,

September was a bad month for me, and I only managed to spend 1h out of 12.30h,
working on the libarchive update. I am returning the rest of the time to the
pool so it can be allocated among the contributors next month.

Sorry for that and for the delay in the report, I should be back to normal now.

Cheers,
Emilio

September Report

2016-09-29 Thread Brian May 
This month I had 12.25 hours and I spent my 12.25 hours on the following
projects:

* Further chicken investigations.
* Further work with matrixssl. Tried to reproduce vulnerability.
* Add --unassigned option to find-work.
* Updates to wiki documentation. In particular, add documentation on the Debian
  Security Tracker.
* Fix autotrace CVE-2016-7392 issue with overwriting past end of allocated
  buffer due to insufficient memory allocated.
* Researched mysql-5.5 CVE-2016-6662.
* Researched tiff / tiff3 CVE-2015-7554 / CVE-2016-5318.
* Start patching graphicsmagick for various security issues.

During this period I had difficulty finding work to do on security
fixes, so I spent time on updating other bits and pieces (as described
above) instead.

Next month I imagine I will continue with the graphicsmagick work.
-- 
Brian May 
https://linuxpenguins.xyz/brian/