September Report
[re-sending report, was not properly archived] Hi, Here is my (E)LTS report for September. --- LTS I was allocated 10 hours. I have spent all of them in the following tasks: * 389-ds work: Triage CVE-2018-14638, not affecting Jessie. Investigate CVE-2018-14624, which affects Jessie. Backport patch, test and upload it. * openjpeg2 work: Reproduce and investigate CVE-2018-5785, write a patch, get feedback from upstream (patch was merged in the master) and backport it for Jessie. Not uploaded yet, this patch will be included in a more substancial upload this month. ELTS I was allocated 6 hours. I have spent 2.75 of them in the following tasks: * tiff3 work: Mark CVE-2018-17101, CVE-2018-17100 and CVE-2018-17000 . Mark CVE-2018-15209 and CVE-2018-16335 (I have tried to investigate the issues and develop a patch but couldn't reproduce the issues properly on my system. Also, I discovered that recent fixes made exploit and reproduction even harder. After spending some time on it I decided to just postpone them and wait for a patch from upstream). Best Regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
September Report
Hi, Here is my (E)LTS report for September. --- LTS I was allocated 10 hours. I have spent all of them in the following tasks: * 389-ds work: Triage CVE-2018-14638, not affecting Jessie. Investigate CVE-2018-14624, which affects Jessie. Backport patch, test and upload it. * openjpeg2 work: Reproduce and investigate CVE-2018-5785, write a patch, get feedback from upstream (patch was merged in the master) and backport it for Jessie. Not uploaded yet, this patch will be included in a more substancial upload this month. ELTS I was allocated 6 hours. I have spent 2.75 of them in the following tasks: * tiff3 work: Mark CVE-2018-17101, CVE-2018-17100 and CVE-2018-17000 . Mark CVE-2018-15209 and CVE-2018-16335 (I have tried to investigate the issues and develop a patch but couldn't reproduce the issues properly on my system. Also, I discovered that recent fixes made exploit and reproduction even harder. After spending some time on it I decided to just postpone them and wait for a patch from upstream). Best Regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
September Report
Hi, September 2017 was my 13th month as a payed Debian LTS contributor. I was allocated 15 hours. I have spent all of them doing the following tasks: * Continue to investigate lame CVEs. I have spent quite a lot of time trying to reproduce the CVEs, without success. Neverheless, I still think that the wheezy version could be affected. You can find a summary of my work here: https://lists.debian.org/debian-lts/2017/09/msg00082.html I am probably going to wait for 3.100 to decide whether I should mark these CVEs no-dsa or not. * Organise libav support in Debian LTS. libav LTS support has been quite infrequent since last year. I am currently discussing with Diego in order to guarantee a better handling of the 44 CVEs currently affecting libav in wheezy. * Debug, test and upload clamav update (DLA 1105-1) * Triage mp3gain CVEs and reproduce CVE-2017-14409/07. Again, issues seem to be hard to reproduce like the ones in lame (codebase is similar). Start to work on a patch but decide to stop (too time consuming, unclear whether I would get useful results or not). * Debug ming CVE-2017-11704 and start writing a patch addressing the issue: https://github.com/libming/libming/issues/76 This is quite time-consuming because CVE-2017-11704 is actually caused by several overflows in multiple methods. Reproduce CVE-2017-117{04, 28, 29, 30, 32, 34}. Best Regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E signature.asc Description: PGP signature
September report
Hi, September was a bad month for me, and I only managed to spend 1h out of 12.30h, working on the libarchive update. I am returning the rest of the time to the pool so it can be allocated among the contributors next month. Sorry for that and for the delay in the report, I should be back to normal now. Cheers, Emilio
September Report
This month I had 12.25 hours and I spent my 12.25 hours on the following projects: * Further chicken investigations. * Further work with matrixssl. Tried to reproduce vulnerability. * Add --unassigned option to find-work. * Updates to wiki documentation. In particular, add documentation on the Debian Security Tracker. * Fix autotrace CVE-2016-7392 issue with overwriting past end of allocated buffer due to insufficient memory allocated. * Researched mysql-5.5 CVE-2016-6662. * Researched tiff / tiff3 CVE-2015-7554 / CVE-2016-5318. * Start patching graphicsmagick for various security issues. During this period I had difficulty finding work to do on security fixes, so I spent time on updating other bits and pieces (as described above) instead. Next month I imagine I will continue with the graphicsmagick work. -- Brian Mayhttps://linuxpenguins.xyz/brian/