[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

March Report


March 2018 was my 19th month as a payed Debian LTS contributor.

I was allocated 39.75 hours. I have spent 35.5h of them in the following

* Continue my Ming work:
  - Finish to prepare patches for CVE-2018-5251, CVE-2018-5294,
    CVE-2018-6315 and CVE-2018-6359, prepare, test and upload
    ming 1:0.4.4-1.1+deb7u7 (DLA-1305-1).

(Following patching work is not uploaded to wheezy yet, will be
published next month)

  - Investigate, debug/prepare patches for ming CVE CVE-2018-6358,
    issues #106 and #107 (security issues but no CVE number assigned
    yet). Got these patches reviewed and merged by upstream.

  - Investigate, debug/prepare patches for ming CVE CVE-2018-7875
    (and similar issues #117, #123 and #122), CVE-2018-7871,
    CVE-2018-7870, CVE-2018-7872 and CVE-2018-7868. Got these patches
    reviewed and merged by upstream.

  - Investigate, debug/prepare patch for ming issue #121. This issue
    required quite a long debugging time since the root of the problem
    was deep in the library and wasn't any syntaxical or classical issue:
    The problem was the result of a possible misunderstanding of the SWF
    standards which I consider to be anything but clear on this topic.
    I still have to request a CVE number for this issue.

  - Investigate, debug/prepare patch for ming CVE-2018-7867.

The two last points are still under review and are the blockers for the
next Wheezy update.

* Finish my mupdf work:

  - Investigate CVE-2018-6187. Very unlikely to be affected.

  - Finish investigations about CVE-2018-6544 and publish report I was
    mentioning in my January report. Very likely to be unaffected.

* Start working on tiff and tiff3:

  - Investigate, debug/prepare and test patch for CVE-2018-7456 (git master
    version). This issue was very long to debug because it required me
    to have a good understanding of the TIFF standard which I had to
    read carefully, and also of the TIFF codebase, which I had to study
    extensively. I have submitted my patch to upstream, not sure it's
    ready yet but I feel like I understand the problem well enough
    to finish it and backport the patch to Wheezy and Jessie.

    You can find most of my work on the debian-lts mailing list and
    upstream bug report.

    During my investigations I bumped across another, older issue which
    I still have to investigate in master (it never got a CVE assigned and
    I'm not even sure that upstream heard about it, it got probably
    fixed 'by chance').

* Test Santiago's clamav update.

So, I could catch up with the backlog pretty well this month, even if
those are many many hours spent on not so many issues (14 CVEs + 6
issues without number), but some of them like CVE-2018-7456 and ming #121
required a lot of debugging and specification analysis time.

Next month I intend to spend my hours plus the 4.25h remaining hours from
this month on libav, tiff and ming issues.

Best Regards,

             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA

Attachment: signature.asc
Description: PGP signature

Reply to: