

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In December, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 16.5h for LTS (out of 30 max) and 16.5h for ELTS (max).

This is less than usual, AFAICS due to having more team members requesting more hours (while I'm above average), and fewer unused hours given back (or given back too late).

ELTS - Wheezy

  • libonig: finish work started in November:
    • CVE-2019-19203/libonig: can't reproduce, backport non-trivial likely to introduce bugs
    • CVE-2019-19012,CVE-2019-19204,CVE-2019-19246/libonig: security upload
  • libpcap: attempt to recap vulnerabilities mismatch (possibly affecting ELA-173-1/DLA-1967-1); no follow-up from upstream
  • CVE-2019-19317,CVE-2019-19603,CVE-2019-19645/sqlite3: triage: not-affected (development version only)
  • CVE-2019-1551/openssl: triage: not-affected; discuss LTS triage rationale
  • CVE-2019-14861,CVE-2019-14870/samba: triage: not-affected
  • CVE-2019-19725/sysstat: triage: not-affected (vulnerable code introduced in v11.7.1)
  • CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255/ruby1.9.1: security upload

LTS - Jessie

  • CVE-2019-19012,CVE-2019-19204,CVE-2019-19246/libonig: shared work with ELTS, security upload
  • libpcap: shared work with ELTS
  • libav: finish work started in November:
    • CVE-2018-18829/libav: triage: postponed (libav-specific issue, no patch)
    • CVE-2018-11224/libav: triage: postponed (libav-specific issue, no patch)
    • CVE-2017-18247/libav: triage: ignored (not reproducible, no targeted patch)
    • CVE-2017-18246/libav: triage: ignored (not reproducible)
    • CVE-2017-18245/libav: reproduce, track down fix in ffmpeg
    • CVE-2017-18244/libav: triage: ignored (not reproducible)
    • CVE-2017-18243/libav: triage: ignored (not reproducible)
    • CVE-2017-18242/libav: triage: ignored (not reproducible)
    • CVE-2017-17127/libav: reproduce, track down fix in ffmpeg
    • CVE-2016-9824/libav: triage: ignored: UBSan (Undefined Behavior Sanitizer) warning only, no patch
    • CVE-2016-9823/libav: triage: ignored: UBSan (Undefined Behavior Sanitizer) warning only, no patch
    • CVE-2016-5115/libav: triage: postponed due to a different (indirect mplayer) vulnerability and lack of time
    • CVE-2017-17127,CVE-2017-18245,CVE-2018-19128,CVE-2018-19130,CVE-2019-14443,CVE-2019-17542/libav: security upload


Posted Thu Jan 2 10:18:46 2020 Tags:


Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In November, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 24.5h for LTS (out of 30 max) and 20h for ELTS (max).

Multiple vulnerabilities come from in-process fuzzing (library fuzzing with compiler instrumentation, as opposed to fuzzing a user executable). This is an interesting technique, though those are harder to reproduce, especially with older versions or (even worse) forks. A significant portion of such vulnerabilities comes from Google's OSS-Fuzz infrastructure.

data/CVE/list from the Debian security-tracker repository reached 20M. With multiple changes per hour, git blame is consequently near-unusable: several minutes for a targeted, single-line look-up, if the entry is not too old. Despite this, the git commit messages are often used for triage justification or even as a substitute for personal communication, a practice I wouldn't recommend. #908678 looks stalled.

MITRE is still reactive when reporting issues on various free software projects, and still very shy about changing the status of vulnerabilities. This is understandable when dealing with hard-to-reproduce issues, less understandable with legit-looking bogus vulnerabilities, which some people still like to throw at us so we have more work to do and get paid (seriously: please don't).

ELTS - Wheezy

  • Second part of my Front-Desk week, though only auto-triaged unsupported packages
  • CVE-2019-14866/cpio: help opal investigate reproducibility issue, contact cpio maintainer to get official patch/review
  • CVE-2019-18684/sudo: deconstruct bogus vulnerability; MITRE now marks it as DISPUTED
  • CVE-2019-5068/mesa: attempt to reproduce the issue, BTS update, testing, security upload
  • CVE-2019-3466/postgresql-common: triage: not-affected
  • libonig: start work on multiple vulnerabilities with non-trivial backports; to be completed in December
  • CVE-2019-19012/libonig: backport for 5.9, get maintainer review
  • CVE-2019-19246/libonig: register CVE for untracked vulnerability (discovered through upstream fuzzing, re-discovered through php-mbstring)
  • libonig: find embedded copy in php7.0 (Stretch) and php7.3 (Buster); LTS/ELTS not-affected

LTS - Jessie

  • CVE-2019-3689/nfs-utils: ping upstream and debian sid, no pong
  • CVE-2019-14866/cpio: shared work with ELTS
  • CVE-2019-18684/sudo: shared work with ELTS
  • CVE-2019-5068/mesa: shared work with ELTS, security upload
  • CVE-2019-3466/postgresql-common: confirmed fix: jessie already fixed but I didn't notice due to late DLA
  • CVE-2019-11027/ruby-openid: provide requested second opinion
  • libav: start processing pending issues, package is an ffmpeg fork, was removed from newer dists and is unresponsive to security issues, requiring more work; to be completed in December
  • CVE-2019-17542/libav: heap-based buffer overflow: apply fix though libfuzzer-based reproducer not reproducible
  • CVE-2019-17539/libav: triage: not-affected (vulnerable code introduced later)
  • CVE-2019-14443/libav: reproduce, track down fix in ffmpeg, update libav bug
  • CVE-2019-14441/libav: mitre request: duplicate CVE-2018-19129 (got DISPUTED); fix attempt, update libav bug
  • CVE-2019-14371/libav: triage: already fixed through CVE-2018-11102
  • CVE-2019-9720/libav: triage: unimportant (stretching the definition of DoS)
  • CVE-2019-9719/libav: mitre request: rejection (got DISPUTED): generic warning, no vulnerability
  • CVE-2019-9717/libav: triage: unimportant (stretching the definition of DoS)
  • CVE-2018-20001/libav: jessie triage: postponed (not reproducible)
  • CVE-2018-19130/libav: mitre request: duplicate CVE-2017-17127 (got DISPUTED)
  • CVE-2018-19128/libav: reproduce, track down fix in ffmpeg
  • Welcome new trainee


Posted Sat Nov 30 19:59:55 2019 Tags:

What is it already?

Android Rebuilds provides freely-licensed builds of Android development tools written by somebody else.

New builds

SDK 10 (API 29) and NDK 20 rebuilds are now available, as unattended build scripts as well as binaries you shan't trust.

sdkmanager integration will be complete when we figure out how to give our repo precedence over somebody else's.

Evolution of the situation

SDK build remains monolithic and growing (40GB .git, 7h multi-core build, 200GB build space).

But there are fewer build issues, thanks to newer "prebuilts" deps straight in Git, now including OpenJDK.
I expect we'll soon chroot in Git before build.

Also for the first time ever I could complete a NDK windows build.


Official binaries are still click-wrapped with a proprietary license.

It was discovered that such a license is also covering past versions of android.jar & al. hidden in a prebuilts directory and somehow necessary to the builds.
Archeological work already successfully started to rebuild SDKs from the start of the decade.


Android Rebuilds is showcased in ungoogled-chromium-android, a lightweight approach to removing Google web service dependency.

F-Droid mirror

After some back and forth, the F-Droid mirror is stable and limited to the experimental sdkmanager repository.
F-Droid showed high dedication to implementing upload restrictions and establishing procedures.
I have great hope that they will soon show the same level of dedication dropping non-free licenses and freeing their build server.

Posted Fri Nov 22 13:35:58 2019 Tags:

SCP is a mind-blowing, diverse, high-quality collection of writings and illustrations, all released under the CC-BY-SA free license.
If you never read horror stories written with scientific style -- have a try :)

[obviously this has nothing to do with OpenSSH Secure CoPy ;)]

Faced with a legal threat through the aggressive use of a RU/EU trademark, the SCP project is raising a legal fund.
I suggest you have a look.

Posted Mon Nov 18 12:55:57 2019 Tags:


Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In October, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 22.75h for LTS (out of 30 max) and 20h for ELTS (max).

There was a bit of backlog during my LTS triage week and for once I didn't make a pass at classifying old undetermined issues.

MITRE was responsive for public (non-embargoed) issues in common free software packages, when I submitted new references or requested a CVE to identify known issues. There was more ball passing and delays when there was another CNA (CVE Numbering Authority).

Interestingly some issues were not fixed in LTS due to them being marked 'ignored' in later distros (sometimes, regrettably, with no clear rationale), as this means there would be a regression when upgrading. It's probably worth checking my past security uploads to see if such discrepancies appeared (this month's nfs-utils comes to mind, I'll re-offer an oldstable/stable upload next month).

Ubuntu recently started a post-LTS extended security support as well, with private updates. For now it's not clear whether we can get access to ease cooperation.

The last uploads I did took me some more hours than expected, so I'm a bit over my time - that means I have a few hours in advance for next month (not accounted for above).

ELTS - Wheezy

  • CVE-2019-16928/exim4: triage: not-affected
  • CVE-2019-15165/libpcap: security upload
  • libpcap: triage: other vulnerabilities not-affected
  • CVE-2019-3689/nfs-utils: proposed patch and testing procedure to upstream and sid/salsa, ping, security upload
  • CVE-2019-3689/nfs-utils: update security tracker: proposed fs.protected_symlinks mitigation is not valid as /var/lib/nfs has no sticky-bit; coordinate with MITRE and SuSE to update CVE
  • CVE-2019-17041,CVE-2019-17042/rsyslog: security upload, clarify triage description
  • CVE-2019-17040/rsyslog: triage: not-affected
  • CVE-2019-14287/sudo: request backport to maintainer, security upload
  • CVE-2019-17544/aspell: security upload
  • CVE-2019-11043/php5: security upload, provide feedback about applicability to cgi
  • CVE triage week part 1
    • CVE-2019-13464/modsecurity-crs: triage: not-affected (affected rule is not present)
    • CVE-2019-14847,CVE-2019-14833/samba: triage: not-affected
    • CVE-2019-10218/samba: triage: affected
    • CVE-2019-14866/cpio: triage: affected
    • CVE-2018-21029/systemd: triage: not-affected
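
The fs.protected_symlinks point in the nfs-utils entry above, as an added example (not part of the original report, nor code from nfs-utils or the security tracker): a user-space model of the kernel rule with the sysctl assumed set to 1, plus an audit of the symlinks in one directory. The function names, the 0755 mode and the "state" link are constructed for illustration.

```python
import os
import stat
import tempfile

# Sticky + world-writable, as on /tmp (mode 1777).
STICKY_WW = stat.S_ISVTX | stat.S_IWOTH


def follow_blocked(dir_mode, dir_uid, link_uid, follower_uid):
    """Model of the fs.protected_symlinks=1 rule (sysctl assumed enabled).

    Following is refused only when the symlink sits in a sticky
    world-writable directory AND its owner is neither the follower
    nor the owner of that directory.
    """
    if (dir_mode & STICKY_WW) != STICKY_WW:
        return False  # not sticky world-writable: the sysctl never applies
    if link_uid == follower_uid:
        return False  # a process may follow its own symlinks
    if link_uid == dir_uid:
        return False  # the directory owner's symlinks are trusted
    return True


def audit_dir(path, follower_uid=0):
    """Return sorted (name, target, blocked) tuples for the symlinks
    directly in `path`, as seen by a process running as `follower_uid`
    (default: root)."""
    dst = os.stat(path)
    report = []
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_symlink():
                lst = entry.stat(follow_symlinks=False)
                blocked = follow_blocked(dst.st_mode, dst.st_uid,
                                         lst.st_uid, follower_uid)
                report.append((entry.name, os.readlink(entry.path), blocked))
    return sorted(report)


def demo():
    """Constructed stand-in for a state directory without the sticky bit."""
    with tempfile.TemporaryDirectory() as state_dir:
        os.chmod(state_dir, 0o755)  # assumed mode; the point is: no sticky bit
        os.symlink("/etc/hostname", os.path.join(state_dir, "state"))
        return audit_dir(state_dir)


if __name__ == "__main__":
    for name, target, blocked in demo():
        print(f"{name} -> {target}: blocked by protected_symlinks = {blocked}")
```

Without the sticky bit the first test in follow_blocked() already returns False, so the sysctl gives no protection for such a directory, whatever the ownership of the link.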

LTS - Jessie

  • Front-Desk week
    • firefox: ping i386 build status following user request
    • CVE-2019-3689/nfs-utils: triage: affected
    • CVE-2019-16723/cacti: triage: affected
    • CVE-2019-16892/ruby-zip: triage: postponed (minor issue, fix is zip bomb mitigation not enabled by default)
    • CVE-2018-21016,CVE-2018-21015/gpac: triage: postponed (minor issue, local DoS)
    • CVE-2019-13376/phpbb3: triage: reference fixes, request CVE for prior incomplete CSRF fix (SECURITY-188), fix-up confusion following that
    • CVE-2018-20839/xorg-server: re-triage: clarify and mark for later fix
    • CVE-2019-13504/exiv2: update: reference missing patch, check that it's not needed for jessie
    • CVE-2019-14369,CVE-2019-14370/exiv2: triage: not-affected
    • CVE-2019-11755/thunderbird: triage: affected
    • CVE-2019-16370,CVE-2019-15052/gradle: triage: postponed (old gradle mainly used for building Debian packages in restricted environment)
    • CVE-2019-12412/libapreq2: triage: affected
    • CVE-2019-0193/lucene-solr: triage: affected; research commit for actual fix
    • CVE-2019-12401/lucene-solr: triage: affected; issue potentially in dependencies
    • CVE-2017-18635/novnc: triage: affected
    • CVE-2019-16239/openconnect: triage: affected
    • CVE-2019-14491,CVE-2019-14492,CVE-2019-14493/opencv: triage: postponed (DoS, PoC not crashing)
    • CVE-2019-14850,CVE-2019-14851/nbdkit: triage: ignored (DoS/amplification for specific configuration, non-trivial backport, low popcon)
    • CVE-2019-16910/polarssl: triage: affected, locate and reference patch
    • CVE-2019-16276/golang: triage: affected; later marked ignored, clarify that it's for consistency with later distros
    • CVE-2019-10723/libpodofo: revisit my early triage: ignored->postponed (minor but easy to add in later security upload)
    • DSA 4509-2/subversion: triage: not-affected
    • CVE-2019-8943/wordpress: triage: add precisions
    • CVE-2019-12922/phpmyadmin: triage: postponed (minor issue, unlikely situation); reference patch, reference patch at MITRE, mark unfixed
    • CVE-2019-16910/polarssl: reference patch at MITRE
    • CVE-2019-10219/libhibernate-validator-java: triage: no changes (still no clear information nor patch)
    • CVE-2019-11027/ruby-openid: triage: no changes (still no clear information nor patch)
    • CVE-2019-3685/osc: triage: no changes, report bug to packager, reference BTS
    • CVE-2019-1010091/tinymce: triage: ignored (questionable self-xss)
    • CVE-2019-16866/unbound: triage: not-affected
    • tcpdump,libpcap: triage: affected
    • CVE-2018-16301/libpcap: triage: asked upstream for commit, conclude duplicate, relay info to MITRE (not clear enough for them to mark duplicate AFAICS)
    • CVE-2019-14553/edk2: triage: end-of-life (non-free)
    • CVE-2019-9959/poppler: triage: affected
    • CVE-2019-10871/poppler: triage: cancel postponed (new upstream fix)
    • Remove remaining "not used by any sponsor" justification for Jessie LTS (one left-over from April clean-up)
  • CVE-2019-14287/sudo: security upload
  • CVE-2019-3689/nfs-utils: security upload
  • CVE-2019-11043/php5: security upload


  • Development: add reminder to add package short description / context in security announcements, some team members tend to forget it (myself included)
  • ampache: provide feedback about maintaining support
  • libclamunrar: provide feedback about dropping support

Posted Thu Oct 31 19:10:01 2019 Tags: logo

GNU Planet now automatically fetches news feeds from ' portions' and ' translation teams' Savannah projects.

Posted Sat Oct 26 16:03:20 2019 Tags:

One year ago I posted a little entry in Ren'Py Jam 2018, which was the first-ever Ren'Py game directly playable in the browser :)

The Question Tutorial

Big thanks to Ren'Py's author who immediately showed full support for the project, and to all the other patrons who joined the effort!

One year later, RenPyWeb is officially integrated in Ren'Py with a one-click build, performances improved, countless little fixes to the Emscripten technology stack provided stability, and more than 60 games of all sizes were published for the web.


What's next? I have plans to download resources on-demand (rather than downloading the whole game on start-up), to improve support for mobile browsers, and of course to continue the myriad of little changes that make RenPyWeb more and more robust. I'm also wondering about making our web stack more widely accessible to Pygame, so as to bring more devs in the wonderful world of python-in-the-browser and improve the tech ecosystem - let me know if you're interested.

Hoping to see great new Visual Novels on the web this coming year :)

Posted Mon Sep 30 17:01:27 2019 Tags:


Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In September, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 23.75h for LTS (out of 30 max) and 20h for ELTS (max).

I was again able to factor out some time between LTS and ELTS.

The qemu update required more testing than I expected, as it's used with lots of different CPU and disk backends.

ELTS - Wheezy

  • CVE-2019-13626/libsdl1.2: triage: mark postponed so it doesn't stay in the triage list
  • freetype: CVE-2015-9381,CVE-2015-9382,CVE-2015-9383 security upload
  • freetype: de-dup TEMP-0773084-4AB1FB / CVE-2014-9659
  • CVE-2019-13232/unzip: regression update (zipbomb)
  • CVE-2019-5481/curl: triage: not-affected
  • CVE-2019-1549/openssl: triage: not-affected
  • CVE-2019-16163/libonig: security upload
  • CVE-2019-2180/cups: triage: was fixed prior to CVE assignment, no other significant vulnerability to fix, no upload
  • tomcat7: investigate upgrading to upstream stable version, so as to fix the currently failing testsuite; decide not to when realizing that means applying all upstream changes since 2012
  • CVE-2019-3689/nfs-utils: triage, contact package maintainer
  • CVE-2019-16935/python*: help Ola triage and assess severity

LTS - Jessie

  • freetype: CVE-2015-9381,CVE-2015-9382,CVE-2015-9383 security upload
  • radare2: triage: clarify status, add reference to ML discussion about its support
  • unzip: untriage: false-positive
  • CVE-2019-16163/libonig: security upload
  • qemu:
    • check status of unpublished prepared update for CVE-2016-5126,CVE-2016-5403,CVE-2017-9375,CVE-2017-15124,CVE-2019-12155
    • CVE-2017-11334: triage: clarify, keep postponed (known regression)
    • CVE-2017-13672: triage: ignored: minor issue, guest root DoS, too complex to backport
    • CVE-2017-15124: re-triage: ignored: identify regression in proposed update, too complex to backport; reference complementary VNC/SASL patch
    • CVE-2018-19665: triage: ignored: still no sanctioned patch, bluetooth subsystem deprecated
    • CVE-2018-15746: triage: ignored: non-default configuration, requires backported kernel and libseccomp
    • CVE-2019-12067: triage: postponed: no sanctioned patch
    • setup physical jessie box, test extensively (Xen, KVM, virt-manager/gnome-boxes, VNC, Spice, Windows, LVM, VirtIO, iSCSI...)
    • call for testing
    • security upload: pending update -CVE-2017-15124 +CVE-2019-12068,CVE-2019-13164,CVE-2019-14378,CVE-2019-15890


  • ASAN (Address Sanitizer): fix missing option and document limitations
  • tomcat: notes from last month about testing tomcat
  • qemu: summarize qemu top use cases
  • bin/contact-maintainers: fix Python 2 code leftover
  • Point out that the training / new member process could be more visible

Posted Mon Sep 30 13:27:08 2019 Tags:


Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

Yes, that changed since last month, as I was offered to work on ELTS :)

In August, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 21.75h for LTS (out of 30 max) and 14h for ELTS (max).

Interestingly I was able to factor out some time between LTS and ELTS while working on vim and tomcat for both suites.

LTS - Jessie

  • squirrelmail: CVE-2019-12970: locate patch, refresh previous fix with new upstream-blessed version, security upload
  • vim: CVE-2017-11109, CVE-2017-17087, CVE-2019-12735: analyze and reproduce issues (one of them not fully exploitable), fix new and postponed issues, security upload
  • tomcat8: improve past patch to fix the test suite, report and refresh test certificates
  • tomcat8: CVE-2016-5388, CVE-2018-8014, CVE-2019-0221: requalify old not-affected issue, fix new and postponed issues, security upload


  • wiki: document good upload/test practices (pbuilder and lintian+debdiff+piuparts); request for comments
  • import missing DLA-1810 (tomcat7/CVE-2019-0221)
  • freeimage: update dla-needed.txt status

ELTS - Wheezy

  • Get acquainted with the new procedures and setup build/test environments
  • vim: CVE-2017-17087, CVE-2019-12735: analyze and reproduce issues (one of them not fully exploitable), fix new and pending issues, security upload
  • tomcat7: CVE-2016-5388: requalify old not-affected issue, security upload


  • raise concern about missing dependency in our list of supported packages
  • user documentation: doc fix apt-key list -> apt-key finger
  • triage: mark a few CVE as EOL, fix-up missing fixed versions in data/ELA/list (not automated anymore following the oldoldstable -> oldoldold(!)stable switch)

While not part of Debian strictly speaking, ELTS strives for the same level of transparency, see in particular the Git repositories:

Posted Sat Aug 31 14:27:06 2019 Tags:


Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.

In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 18.5h.

My time was mostly spent on Front-Desk duties, as well as improving our scripts & docs.

Current vulnerabilities triage:

  • CVE-2019-13117/libxslt CVE-2019-13118/libxslt: triage (affected, dla-needed)
  • CVE-2019-12781/python-django: triage (affected)
  • CVE-2019-12970/squirrelmail: triage (affected)
  • CVE-2019-13147/audiofile: triage (postponed)
  • CVE-2019-12493/poppler: jessie triage (postponed)
  • CVE-2019-13173/node-fstream: jessie triage (node-* not supported)
  • exiv2: jessie triage (5 CVEs, none to fix - CVE-2019-13108 CVE-2019-13109 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114)
  • CVE-2019-13207/nsd: jessie triage (affected, postponed)
  • CVE-2019-11272/libspring-security-2.0-java: jessie triage (affected, dla-needed)
  • CVE-2019-13312/ffmpeg: (libav) jessie triage (not affected)
  • CVE-2019-13313/libosinfo: jessie triage (affected, postponed)
  • CVE-2019-13290/mupdf: jessie triage (not-affected)
  • CVE-2019-13351/jackd2: jessie triage (affected, postponed)
  • CVE-2019-13345/squid3: jessie triage (2 XSS: 1 unaffected, 1 reflected affected, dla-needed)
  • CVE-2019-11841/golang-go.crypto: jessie triage (affected, dla-needed)
  • Call for triagers for the upcoming weeks

Past undetermined issues triage:

  • libgig: contact maintainer about 17 pending undetermined CVEs
  • libsixel: contact maintainer about 6 pending undetermined CVEs
  • netpbm-free - actually an old Debian-specific fork: contact original reporter for PoCs and attach them to BTS; CVE-2017-2579 and CVE-2017-2580 not-affected, doubts about CVE-2017-2581


Tooling - bin/

  • filter out 'undetermined' but explicitly 'ignored' packages (e.g. jasperreports)
  • fix formatting with no-colors output, hint that color output is available
  • display lts' nodsa sub-states
  • upgrade unsupported packages list to jessie

Posted Wed Jul 31 13:32:27 2019 Tags:
