Hi,

Here is my LTS report for October.

I was allocated 10 hours. I have spent all of them in the following tasks:

* openjpeg2: Reproduce, analyse and patch CVE-2017-17480 (still under review by upstream).

  Reproduce and perform in-depth analysis of CVE-2018-5727, but decide to stop investigations after a few hours: This security issue is triggered by what I assume to be a corner case of the JPEG2000 standard. Unfortunately the official JPEG2000 ISO/ITU standard is not public (available for sale[0] on the ISO website, fairly pricey). Without access to the standard, determining the right behavior of the openjpeg2 library for this kind of corner case is significantly more difficult. I have published the result of my investigations on the upstream bug report along with my questions. If I get an answer then I'll continue my investigations. Otherwise, unless someone else wants to take over, I suggest to wait for upstream to address this issue.

  Start to work on a patch for CVE-2018-18088. It is almost certain that I will come up with a patch for CVE-2018-18088 so I decided to delay the openjpeg2 upload until all patches are ready and reviewed.

* 389-ds-base: CVE-2018-14648: prepare security update, test and upload it (DLA-1554-1). Regression: Tracker contained pointers to patches causing crash regression. Prepare regression update, test and upload it (DLA-1554-2).

* liblivemedia: Take a look at CVE-2018-4013, looks like a remote code execution issue to me, worth fixing. Start to develop a patch following upstream's information, should be uploaded next month.

The increased number of assigned hours next month should allow me to finish the patches currently in development and focus again on libav to find a definitive solution to the lack of maintenance until now.

Best Regards,
Hugo

[0] https://www.iso.org/standard/70018.html

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C