Hi,

March 2018 was my 19th month as a paid Debian LTS contributor. I was allocated 39.75 hours. I have spent 35.5h of them in the following tasks:

* Continue my Ming work:

  - Finish preparing patches for CVE-2018-5251, CVE-2018-5294, CVE-2018-6315 and CVE-2018-6359, prepare, test and upload ming 1:0.4.4-1.1+deb7u7 (DLA-1305-1).

  (Following patching work is not uploaded to wheezy yet, will be published next month)

  - Investigate, debug/prepare patches for ming CVE-2018-6358, issues #106 and #107 (security issues but no CVE number assigned yet). Got these patches reviewed and merged by upstream.

  - Investigate, debug/prepare patches for ming CVE-2018-7875 (and similar issues #117, #123 and #122), CVE-2018-7871, CVE-2018-7870, CVE-2018-7872 and CVE-2018-7868. Got these patches reviewed and merged by upstream.

  - Investigate, debug/prepare patch for ming issue #121. This issue required quite a long debugging time since the root of the problem was deep in the library and wasn't any syntactical or classical issue: The problem was the result of a possible misunderstanding of the SWF standards which I consider to be anything but clear on this topic. I still have to request a CVE number for this issue.

  - Investigate, debug/prepare patch for ming CVE-2018-7867.

  The two last points are still under review and are the blockers for the next Wheezy update.

* Finish my mupdf work:

  - Investigate CVE-2018-6187. Very unlikely to be affected.
    https://lists.debian.org/debian-lts/2018/03/msg00041.html

  - Finish investigations about CVE-2018-6544 and publish report I was mentioning in my January report. Very likely to be unaffected.
    https://lists.debian.org/debian-lts/2018/03/msg00043.html

* Start working on tiff and tiff3:

  - Investigate, debug/prepare and test patch for CVE-2018-7456 (git master version). This issue was very long to debug because it required me to have a good understanding of the TIFF standard which I had to read carefully, and also of the TIFF codebase, which I had to study extensively. I have submitted my patch to upstream, not sure it's ready yet but I feel like I understand the problem well enough to finish it and backport the patch to Wheezy and Jessie. You can find most of my work on the debian-lts mailing list and upstream bug report. During my investigations I bumped across another, older issue which I still have to investigate in master (it never got a CVE assigned and I'm not even sure that upstream heard about it, it probably got fixed 'by chance').

* Test Santiago's clamav update.

So, I could catch up with the backlog pretty well this month, even if those are many, many hours spent on not so many issues (14 CVEs + 6 issues without number), but some of them like CVE-2018-7456 and ming #121 required a lot of debugging and specification analysis time.

Next month I intend to spend my hours plus the 4.25h remaining hours from this month on libav, tiff and ming issues.

Best Regards,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA