
LTS Report for August 2016

For August I was allocated 14.5 hours.  I spent 11 hours as follows:

* CVE-2016-6293: Fix buffer overflow in uloc_acceptLanguageFromHTTP

  This issue turned out to be very complex to figure out.  It was
  initially discovered by a PHP developer and reported to the PHP bug
  tracker.  As the upstream bug report was detailed, I first attempted
  to replicate the bug in the same way as described in the bug report.
  It turns out that the gcc in wheezy does not support address sanitizer
  and that the ICU and PHP from wheezy won't build with clang, so I
  embarked on a rather frustrating journey to finally strike the correct
  combination: build on jessie, ICU from wheezy (of course), and PHP
  from sid (I had to patch out the fix that was implemented in PHP to
  unmask the bug in ICU).  Once I figured that out, I was able to
  reliably reproduce the buffer overflow.  After that I found the
  related fix in the upstream source repository and then I had to
  backport the fix (the affected file transitioned from C to C++ some
  time ago so I could not simply take upstream's patch).  I was able to
  incorporate an upstream update to the related unit test and between
  that and the address sanitizer check I am confident that the fix I
  implemented is correct.

  Remaining items to complete this task:
  - Build/sign/upload package
  - Publish DLA

I apologize if the description was a bit too lengthy, but given the
amount of time I spent on a single task I thought it worthwhile to
explain with a bit of detail.

Roberto C. Sánchez
