Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.
In November, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 24.5h for LTS (out of 30 max) and 20h for ELTS (max).
Multiple vulnerabilities come from in-process fuzzing (library fuzzing with compiler instrumentation, as opposed to fuzzing a user executable). This is an interesting technique, though the resulting reports are harder to reproduce, especially with older versions or (even worse) forks. A significant portion of such vulnerabilities comes from Google's OSS-117Fuzz infrastructure.
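To make the reproducibility problem concrete, here is an added example (not code from the report, nor from any of the packages it mentions): a libFuzzer-style in-process harness around a hypothetical length-prefixed record parser, together with a standalone main() modelled on libFuzzer's StandaloneFuzzTargetMain.c. The standalone driver is what lets you replay a downloaded fuzzer testcase on an old release that has no clang/libFuzzer toolchain, using only gcc and AddressSanitizer. The record format, the parse_records function and the file layout are assumptions made for the example.

```c
/* Added example: libFuzzer-style harness plus standalone replay driver.
 * The target parser and its record format are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical target: input is a sequence of records, each
 * [1-byte len][len bytes payload]. Returns the number of records
 * parsed, or -1 on malformed input. */
int parse_records(const uint8_t *data, size_t size)
{
    size_t off = 0;
    int count = 0;
    while (off < size) {
        size_t len = data[off++];
        /* Without this check a truncated record makes the parser read
         * past the buffer; under ASan the fuzzer reports it as a
         * heap-buffer-overflow READ, which is the typical shape of an
         * in-process fuzzing finding. */
        if (len > size - off)
            return -1;
        off += len;
        count++;
    }
    return count;
}

/* libFuzzer entry point: invoked once per generated (or replayed) input.
 * The return value is reserved by libFuzzer and must be 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    parse_records(data, size);
    return 0;
}

/* Standalone replay: read one file (e.g. a downloaded fuzzer testcase)
 * and feed it to the harness exactly as the fuzzer would. */
static int replay_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return 1; }
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return 1; }
    long n = ftell(f);
    if (n < 0) { fclose(f); return 1; }
    rewind(f);
    uint8_t *buf = malloc(n > 0 ? (size_t)n : 1);
    if (!buf) { fclose(f); return 1; }
    size_t got = fread(buf, 1, (size_t)n, f);
    fclose(f);
    LLVMFuzzerTestOneInput(buf, got);
    free(buf);
    return 0;
}

/* Replace libFuzzer's own main(): each command-line argument is a
 * testcase file to replay. */
int main(int argc, char **argv)
{
    int rc = 0;
    for (int i = 1; i < argc; i++)
        rc |= replay_file(argv[i]);
    return rc;
}
```

Build for replay with `gcc -g -fsanitize=address harness.c -o replay` and run `./replay testcase-minimized-...` on the reproducer file; ASan prints the same stack trace the fuzzing infrastructure reported, or nothing if the older version or fork does not contain the affected code. To actually fuzz instead of replay, remove main() and build with `clang -fsanitize=fuzzer,address harness.c`.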
data/CVE/list from the debian security-tracker repository reached 20M. With multiple changes per hour, git blame is consequently near-unusable: several minutes for a targeted, single-line look-up, if the entry is not too old. Despite this, the git commit messages are often used for triage justification or even as a substitute for personal communication, a practice I wouldn't recommend. #908678 looks stalled.
MITRE is still reactive when reporting issues on various free software projects, and still very shy about changing the status of vulnerabilities. This is understandable when dealing with hard-to-reproduce issues, less understandable with legit-looking bogus vulnerabilities, which some people still like to throw at us so we have more work to do and get paid (seriously: please don't).
ELTS - Wheezy
- Second part of my Front-Desk week, though only auto-triaged unsupported packages
- CVE-2019-14866/cpio: help opal investigate reproducibility issue, contact cpio maintainer and security@gnu.org to get official patch/review
- CVE-2019-18684/sudo: deconstruct bogus vulnerability; MITRE now marks it as DISPUTED
- CVE-2019-5068/mesa: attempt to reproduce the issue, BTS update, testing, security upload
- CVE-2019-3466/postgresql-common: triage: not-affected
- libonig: start work on multiple vulnerabilities with non-trivial backports; to be completed in December
- CVE-2019-19012/libonig: backport for 5.9, get maintainer review
- CVE-2019-19246/libonig: register CVE for untracked vulnerability (discovered through upstream fuzzing, re-discovered through php-mbstring)
- libonig: find embedded copy in php7.0 (Stretch) and php7.3 (Buster); LTS/ELTS not-affected
LTS - Jessie
- CVE-2019-3689/nfs-utils: ping upstream and debian sid, no pong
- CVE-2019-14866/cpio: shared work with ELTS
- CVE-2019-18684/sudo: shared work with ELTS
- CVE-2019-5068/mesa: shared work with ELTS, security upload
- CVE-2019-3466/postgresql-common: confirmed fix: jessie already fixed but I didn't notice due to late DLA
- CVE-2019-11027/ruby-openid: provide requested second opinion
- libav: start processing pending issues, package is a ffmpeg fork, was removed from newer dists and is unresponsive to security issues, requiring more work; to be completed in December
- CVE-2019-17542/libav: heap-based buffer overflow: apply fix though libfuzzer-based reproducer not reproducible
- CVE-2019-17539/libav: triage: not-affected (vulnerable code introduced later)
- CVE-2019-14443/libav: reproduce, track down fix in ffmpeg, update libav bug
- CVE-2019-14441/libav: mitre request: duplicate CVE-2018-19129 (got DISPUTED); fix attempt, update libav bug
- CVE-2019-14371/libav: triage: already fixed through CVE-2018-11102
- CVE-2019-9720/libav: triage: unimportant (stretching the definition of DoS)
- CVE-2019-9719/libav: mitre request: rejection (got DISPUTED): generic warning, no vulnerability
- CVE-2019-9717/libav: triage: unimportant (stretching the definition of DoS)
- CVE-2018-20001/libav: jessie triage: postponed (not reproducible)
- CVE-2018-19130/libav: mitre request: duplicate CVE-2017-17127 (got DISPUTED)
- CVE-2018-19128/libav: reproduce, track down fix in ffmpeg
- Welcome new trainee
Documentation/Scripts
- Development: document the good practice to test on both 32- and 64-bit architectures
- TestSuites/aspell: how to use OSS-Fuzz' reproducers on Jessie
- TestSuites/libav: with "fate" test suite
- TestSuites/libonig: with libonig's and php-mbstring's test suites