January 2018 was my 17th month as a paid Debian LTS contributor.
I was allocated 18.25 hours. I have spent all of them doing the following:
* Continue my libav work:
- Continue to investigate libav CVE-2015-8216: Probably affected, but
I am still unable to draw final conclusions. If I can't conclude on
this issue next month, I will probably have to put it aside and
continue on other problems.
- Investigate FPE (reported last month) and propose merging an ffmpeg
commit apparently addressing this issue:
Diego later had a look at the issue, confirmed it and merged the ffmpeg
commit addressing it. However the status of this vulnerability in other
branches could not be clearly characterized.
Status of libav in Wheezy:
The backlog is still very high and I clearly doubt that I will be
able to handle all of it until the end of Wheezy LTS. There are
several reasons for that, but the most important one is that I don't
have most of the reproducers, and fixing/investigating these issues
without them is going to be way more time-consuming.
Unfortunately I doubt I will ever be able to get these reproducers because
the Google team that reported the issues couldn't find them anymore.
* Continue my Ming work:
- Finish testing my patch for ming CVE-2017-16898, get it merged by
upstream and ship it in ming 1:0.4.4-1.1+deb7u6 (DLA 1240-1) together
with patches for CVE-2017-11732 and CVE-2017-16883 from last month.
- Investigate ming CVEs CVE-2018-5294, CVE-2018-5251, CVE-2018-6315 and
CVE-2018-6359, request CVE IDs when needed, write patches fixing these
issues and get patches merged. I will upload these fixes as part of
1:0.4.4-1.1+deb7u7 next month.
- Investigate ming issue #102, which is actually a duplicate of CVE-2017-9988
(already fixed in Wheezy).
- Find lots of code duplication in listfdb module. Probably more than 5+
vulnerabilities involved: Document and report them: CVE-2018-6358 (#104),
#106 and #107.
* Continue my work on lame:
- It turned out that Fabian wasn't aware that we were waiting for his patch,
but after getting in touch with him he kindly submitted a patch draft
(thanks Fabian!).
- I have tested the patch draft with my set of test samples and couldn't find
any regressions, but nevertheless I still consider these changes to
be regression-risky and I'll only upload them if the security team
agrees to update Jessie at the same time.
* Investigate CVE-2018-6544 in mupdf: Could not reproduce the issue,
codebase is very different. Start to analyse the issue, probably not
affected. I'll publish the result of my work in the next days.
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA