[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

September Report


September 2017 was my 13th month as a payed Debian LTS contributor.

I was allocated 15 hours. I have spent all of them doing the following

 * Continue to investigate lame CVEs.

   I have spent quite a lot of time trying to reproduce the
   CVEs, without success. Neverheless, I still think that the wheezy
   version could be affected. You can find a summary of my work here:

   I am probably going to wait for 3.100 to decide whether I should mark
   these CVEs no-dsa or not.

* Organise libav support in Debian LTS.

  libav LTS support has been quite infrequent since last year. I am
  currently discussing with Diego in order to guarantee a better
  handling of the 44 CVEs currently affecting libav in wheezy.

* Debug, test and upload clamav update (DLA 1105-1)

* Triage mp3gain CVEs and reproduce CVE-2017-14409/07.

  Again, issues seem to be hard to reproduce like the ones in lame
  (codebase is similar).

  Start to work on a patch but decide to stop (too time consuming,
  unclear whether I would get useful results or not).

* Debug ming CVE-2017-11704 and start writing a patch addressing the

  This is quite time-consuming because CVE-2017-11704 is actually caused
  by several overflows in multiple methods.

  Reproduce CVE-2017-117{04, 28, 29, 30, 32, 34}.

Best Regards,

             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

Attachment: signature.asc
Description: PGP signature

Reply to: