Hi,
September 2017 was my 13th month as a payed Debian LTS contributor.
I was allocated 15 hours. I have spent all of them doing the following
tasks:
* Continue to investigate lame CVEs.
I have spent quite a lot of time trying to reproduce the
CVEs, without success. Neverheless, I still think that the wheezy
version could be affected. You can find a summary of my work here:
https://lists.debian.org/debian-lts/2017/09/msg00082.html
I am probably going to wait for 3.100 to decide whether I should mark
these CVEs no-dsa or not.
* Organise libav support in Debian LTS.
libav LTS support has been quite infrequent since last year. I am
currently discussing with Diego in order to guarantee a better
handling of the 44 CVEs currently affecting libav in wheezy.
* Debug, test and upload clamav update (DLA 1105-1)
* Triage mp3gain CVEs and reproduce CVE-2017-14409/07.
Again, issues seem to be hard to reproduce like the ones in lame
(codebase is similar).
Start to work on a patch but decide to stop (too time consuming,
unclear whether I would get useful results or not).
* Debug ming CVE-2017-11704 and start writing a patch addressing the
issue:
https://github.com/libming/libming/issues/76
This is quite time-consuming because CVE-2017-11704 is actually caused
by several overflows in multiple methods.
Reproduce CVE-2017-117{04, 28, 29, 30, 32, 34}.
Best Regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Attachment:
signature.asc
Description: PGP signature