Hi,
March 2018 was my 19th month as a payed Debian LTS contributor.
I was allocated 39.75 hours. I have spent 35.5h of them in the following
tasks:
* Continue my Ming work:
- Finish to prepare patches for CVE-2018-5251, CVE-2018-5294,
CVE-2018-6315 and CVE-2018-6359, prepare, test and upload
ming 1:0.4.4-1.1+deb7u7 (DLA-1305-1).
(Following patching work is not uploaded to wheezy yet, will be
published next month)
- Investigate, debug/prepare patches for ming CVE CVE-2018-6358,
issues #106 and #107 (security issues but no CVE number assigned
yet). Got these patches reviewed and merged by upstream.
- Investigate, debug/prepare patches for ming CVE CVE-2018-7875
(and similar issues #117, #123 and #122), CVE-2018-7871,
CVE-2018-7870, CVE-2018-7872 and CVE-2018-7868. Got these patches
reviewed and merged by upstream.
- Investigate, debug/prepare patch for ming issue #121. This issue
required quite a long debugging time since the root of the problem
was deep in the library and wasn't any syntaxical or classical issue:
The problem was the result of a possible misunderstanding of the SWF
standards which I consider to be anything but clear on this topic.
I still have to request a CVE number for this issue.
- Investigate, debug/prepare patch for ming CVE-2018-7867.
The two last points are still under review and are the blockers for the
next Wheezy update.
* Finish my mupdf work:
- Investigate CVE-2018-6187. Very unlikely to be affected.
https://lists.debian.org/debian-lts/2018/03/msg00041.html
- Finish investigations about CVE-2018-6544 and publish report I was
mentioning in my January report. Very likely to be unaffected.
https://lists.debian.org/debian-lts/2018/03/msg00043.html
* Start working on tiff and tiff3:
- Investigate, debug/prepare and test patch for CVE-2018-7456 (git master
version). This issue was very long to debug because it required me
to have a good understanding of the TIFF standard which I had to
read carefully, and also of the TIFF codebase, which I had to study
extensively. I have submitted my patch to upstream, not sure it's
ready yet but I feel like I understand the problem well enough
to finish it and backport the patch to Wheezy and Jessie.
You can find most of my work on the debian-lts mailing list and
upstream bug report.
During my investigations I bumped across another, older issue which
I still have to investigate in master (it never got a CVE assigned and
I'm not even sure that upstream heard about it, it got probably
fixed 'by chance').
* Test Santiago's clamav update.
So, I could catch up with the backlog pretty well this month, even if
those are many many hours spent on not so many issues (14 CVEs + 6
issues without number), but some of them like CVE-2018-7456 and ming #121
required a lot of debugging and specification analysis time.
Next month I intend to spend my hours plus the 4.25h remaining hours from
this month on libav, tiff and ming issues.
Best Regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
Attachment:
signature.asc
Description: PGP signature