[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

January Report


January 2018 was my 17th month as a payed Debian LTS contributor.

I was allocated 18.25 hours. I have spent all of them doing the following

* Continue my libav work:
  - Continue to investigate libav CVE-2015-8216: Probably affected, but
    I am still unable to take final conclusions. If I can't conclude on
    this issue next month, I will probably have to let it by side and
    continue on other problems.
  - Investigate FPE (reported last month) and propose to merge a ffmpeg
    commit apperently addressing this issue:
    Diego later had a look at the issue, confirmed it and merged the ffmpeg
    commit addressing it. However the status of this vulnerability in other
    branches could not be clearly characterized.

Status of libav in Wheezy:
    The backlog is still very high and I clearly doubt that I will be
    able to handle all of it until the end of Wheezy LTS. There are
    several reasons for that, but the most important one is that I don't
    have most of the reproducers, and fixing/investigating these issues
    without them is going to be way more time expensive.
    Unfortunately I doubt to be ever able to get these reproducers because
    the Google team that reported the issues couldn't find them anymore.

* Continue my Ming work:
  - Finish to test my patch for ming CVE-2017-16898, get it merged by
    upstream and ship it in ming 1:0.4.4-1.1+deb7u6 (DLA 1240-1) together
    with patches for CVE-2017-11732 and CVE-2017-16883 from last month.
  - Investigate ming CVEs CVE-2018-5294, CVE-2018-5251, CVE-2018-6315 and
    CVE-2018-6359, request CVE IDs when needed, write patches fixing these
    issues and get patches merged. I will upload these fixes as part of
    1:0.4.4-1.1+deb7u7 next month.
  - Investigate ming issue #102, which is actually a duplicate of CVE-2017-9988
    (already fixed in Wheezy).
  - Find lots of code duplication in listfdb module. Probably more than 5+
    vulnerabilities involved: Document and report them: CVE-2018-6358 (#104),
    #106 and #107.

* Continue my work on lame:
  - It turned out that Fabian wasn't aware that we were waiting for his patch,
    but after getting in touch with him he kindly submitted a patch draft
    (thanks Fabian !).
  - I have tested the patch draft with my set of test samples and couldn't find
    any regressions, but nevertheless I still consider these changes to
    be regression-risky and I'll only upload them if the security team
    agrees to update Jessie at the same time.

* Investigate CVE-2018-6544 in mupdf: Could not reproduce the issue,
  codebase is very different. Start to analyse the issue, probably not
  affected. I'll publish the result of my work in the next days.

Best Regards,

             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA

Reply to: