April report
Brian May <bam@debian.org> writes:
This month I had 10 hours and I spent my 10 hours on the following
tasks:
* XBMC CVE-2017-5982. This is slow going due to time taken to build
different versions. I found that *all* versions of xbmc/kodi are
vulnerable, and (contrary to some websites) there is no upstream fix
(unless it happened within the last week, which I doubt). The URL
required to exploit varies depending on installation and version. I
imagine the fix required for wheezy/jessie will be somewhat different
from stretch/sid (not verified this). I think I have identified the
code path in wheezy, although I still need to double check some
details.
From reading the wheezy/jessie code, it is also possible that the
scope of the problem is larger than claimed (i.e. more than just the
special URLs used for thumbnail), at least on wheezy. I haven't yet
been able to verify this (I found at the last minute my test was
flawed; many web clients will automatically remove '../' from URLs;
this doesn't happen for the special URLs which are HTML quoted).
* Heimdal CVE-2017-6594. Prepared initial patch for Wheezy/Stretch
release before it was publicly announced, although found it was
missing a hunk. This has been corrected in the official release.
The fix applies cleanly although the tests need to be applied
manually.
As I have run out of hours this month, if anybody else wants to take
over either of these, please let me know and I will provide more
details.
--
Brian May <bam@debian.org>