LTS Report for August 2016
For August I was allocated 14.5 hours. I spent 11 hours as follows:
* CVE-2016-6293: Fix buffer overflow in uloc_acceptLanguageFromHTTP
This issue turned out to be very complex to figure out. It was
initially discovered by a PHP developer and reported to the PHP bug
tracker. As the upstream bug report was detailed, I first attempted
to replicate the bug in the same way as described in the bug report.
It turns out that the gcc in wheezy does not support address sanitizer
and that the ICU and PHP from wheezy won't build with clang, so I
embarked on a rather frustrating journey to finally strike the correct
combination: build on jessie, ICU from wheezy (of course), and PHP
from sid (I had to patch out the fix that was implemented in PHP to
unmask the bug in ICU). Once I figured that out, I was able to
reliably reproduce the buffer overflow. After that I found the
related fix in the upstream source repository and then I had to
backport the fix (the affected file transitioned from C to C++ some
time ago so I could not simply take upstream's patch). I was able to
incorporate an upstream update to the related unit test and between
that and the address sanitizer check I am confident that the fix I
implemented is correct.
Remaining items to complete this task:
- Build/sign/upload package
- Publish DLA
I apologize if the description was a bit too lengthy, but given the
amount of time I spent on a single task I thought it worthwhile to
explain with a bit of detail.
Regards,
-Roberto
--
Roberto C. Sánchez