
October Report



Hi,

Here is my LTS report for October.

I was allocated 10 hours. I have spent all of them in the following
tasks:

* openjpeg2:

  Reproduce, analyse and patch CVE-2017-17480 (still under review by
  upstream).

  Reproduce and perform in-depth analysis of CVE-2018-5727, but decide
  to stop investigations after a few hours:

      This security issue is triggered by what I assume to be a corner case
      of the JPEG2000 standard. Unfortunately the official JPEG2000 ISO/ITU
      standard is not public (available for sale[0] on the ISO website,
      fairly pricey). Without access to the standard, determining the right
      behavior of the openjpeg2 library for this kind of corner case is
      significantly more difficult.

      I have published the result of my investigations on the upstream bug
      report along with my questions. If I get an answer then I'll continue
      my investigations. Otherwise, unless someone else wants to take over,
      I suggest waiting for upstream to address this issue.

  Start to work on a patch for CVE-2018-18088.

  It is almost certain that I will come up with a patch for CVE-2018-18088
  so I decided to delay the openjpeg2 upload until all patches are ready
  and reviewed.

* 389-ds-base:

  CVE-2018-14648: prepare security update, test and upload it (DLA-1554-1).

  Regression: Tracker contained pointers to patches causing crash regression.
  Prepare regression update, test and upload it (DLA-1554-2).

* liblivemedia:

  Take a look at CVE-2018-4013; it looks like a remote code execution issue
  to me, worth fixing. Start to develop a patch following upstream's
  information; it should be uploaded next month.

The increased number of assigned hours next month should allow me to
finish the patches currently in development and focus again on libav to
find a definitive solution to the lack of maintenance until now.

Best Regards,
 Hugo

[0] https://www.iso.org/standard/70018.html

--
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
