April report

Brian May <bam@debian.org> writes:

This month I had 10 hours and I spent my 10 hours on the following:

* XBMC CVE-2017-5982. This is slow going due to time taken to build
  different versions. I found that *all* versions of xbmc/kodi are
  vulnerable, and (contrary to some websites) there is no upstream fix
  (unless it happened within the last week, which I doubt). The URL
  required to exploit varies depending on installation and version. I
  imagine the fix required for wheezy/jessie will be somewhat different
  from stretch/sid (not verified this). I think I have identified the
  code path in wheezy, although I still need to double check some

  From reading the wheezy/jessie code, it is also possible that the
  scope of the problem is larger than claimed (i.e. more than just the
  special URLs used for thumbnail), at least on wheezy. I haven't yet
  been able to verify this (I found at the last minute my test was
  flawed; many web clients will automatically remove '../' from URLs;
  this doesn't happen for the special URLs which are HTML quoted).

* Heimdal CVE-2017-6594. Prepared initial patch for Wheezy/Stretch
  release before it was publicly announced, although found it was
  missing a hunk. This has been corrected in the official release.

  The fix applies cleanly although the tests need to be applied

As I have run out of hours this month, if anybody else wants to take
over either of these, please let me know and I will provide more
Brian May <bam@debian.org>

