Debian LTS Logo

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In February, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 20h for LTS (out of 30 max; all done) and 8h for ELTS (out of 20 max; I did 7).

Security work is never completely isolated: typically my work on nodejs impacted jessie/stretch/buster, and my work on netty affected wheezy/jessie/stretch :)

ELTS - Wheezy

  • netty: refine prior triages, write minimal test server, adapt 3 fixes, security upload: ELA-214
  • Suggest redispatching hours from past month not given back in time, as team members only got 3.5h each; follow-up on the issue
  • Contribute to exchanges about supporting libgd2 (unsupported dependency of a supported package, an inconsistency we'll try to detect earlier)

LTS - Jessie

  • netty: refine prior triages, security upload DLA 2109-1
  • netty-3.9: identify duplicate package, fix prior vulnerabilities, security upload DLA 2110-1
  • nodejs: jessie/stretch/buster triage (3 CVEs), request access to not-yet-public hackerone reports
  • nodejs: clarify support status, reclassify open vulnerabilities on nodejs ecosystem as EOL (end-of-life) for jessie & stretch
  • http-parser: mark as affected by nodejs' CVE-2019-15605; jessie triage: ignored (invasive change with ABI breakage)
  • wordpress: make my past triage more precise (2 CVEs): postponed (serialization vulnerabilities related to PHP itself, currently not addressed at the application/wordpress level)
  • otrs2: security upload DLA 2118-1 (interestingly recent otrs2 is in non-free not due to licensing, but due to embedding specific versions of javascript dependencies)
  • CVE-2019-10784/phppgadmin: answer request for comment
  • xen: point out external support

Documentation/Scripts

  • TestSuites/netty: instruction on how to find, compile and adapt server examples
  • DLA-1993-1: update Debian website (was only published via mailing-list)
  • embedded-code-copies: reference http-parser embedded in nodejs
  • README.external-support: clean-up external support contact points
Posted Mon Mar 2 10:30:55 2020

Escoria, the point-and-click system for the Godot game engine, is now working again with the latest Godot (3.2).

Godot is a general-purpose game engine. It comes with an extensive graphic editor with skeleton and animation support, and can create all sorts of games and mini-games, making it an interesting choice for point-and-clicks.

The Escoria point-and-click template provides notably a dialog system and the Esc language to write the story and interactions. It was developed for the Dog Mendonça and Pizzaboy crowdfunded game and later released as free software. A community is developing the next version, but the current version has been incompatible with the current Godot engine. So I upgraded the game template as well as the Escoria in Daïza tutorial game to Godot 3.2. Enjoy!

HTML5 support is still lacking, so I might get a compulsive need to fix it in the future ;)

Posted Sat Feb 8 16:24:43 2020

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In January, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 23.75h for LTS (out of 30 max) and 20h for ELTS (max) of which I did 1.5h.

I couldn't work much on ELTS because there are very few sponsors left for oldoldoldstable (sic!), hence not many packages to support, hence not much possible work.

In a direct communication, one team member expressed that team workflow is to be discussed on a private mailing list because according to them these problems don't need to be discussed in public and only results count. I have an opposite approach -- anything that isn't strictly confidential / security-sensitive is to be discussed publicly. The Debian Social Contract says "We don't hide problems" so if we want to address problems in a Debian workflow, this is to be public. What do you think?

ELTS - Wheezy

  • request supported packages list update
  • sqlite3: re-triage: drop as it just reached end-of-life
  • nss: re-triage: suggest clarification since package just reached end-of-life, yet claimed; actually a static build dependency of openjdk
  • python-apt: re-triage: claimed, checked actual EOL status with triager, unclaimed
  • python2.7: re-triage: was marked end-of-life, checked !EOL status with triager, marked for update

LTS - Jessie

  • wordpress: jessie triage (7 CVEs), security upload
  • tomcat7: start working then cancel work since it had been unclaimed for 9 days, yet 2 LTS members were already working on it
  • gpac: jessie triage (17 CVEs), reported new crash, reported invalid fix, security upload

Documentation/Scripts

Posted Tue Feb 4 13:32:57 2020

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In December, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 16.5h for LTS (out of 30 max) and 16.5h for ELTS (max).

This is less than usual, AFAICS due to having more team members requesting more hours (while I'm above average), and less unused hours given back (or given back too late).

ELTS - Wheezy

  • libonig: finish work started in November:
    • CVE-2019-19203/libonig: can't reproduce, backport non-trivial and likely to introduce bugs
    • CVE-2019-19012,CVE-2019-19204,CVE-2019-19246/libonig: security upload
  • libpcap: attempt to recap vulnerabilities mismatch (possibly affecting ELA-173-1/DLA-1967-1); no follow-up from upstream
  • CVE-2019-19317,CVE-2019-19603,CVE-2019-19645/sqlite3: triage: not-affected (development version only)
  • CVE-2019-1551/openssl: triage: not-affected; discuss LTS triage rationale
  • CVE-2019-14861,CVE-2019-14870/samba: triage: not-affected
  • CVE-2019-19725/sysstat: triage: not-affected (vulnerable code introduced in v11.7.1)
  • CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255/ruby1.9.1: security upload

LTS - Jessie

  • CVE-2019-19012,CVE-2019-19204,CVE-2019-19246/libonig: shared work with ELTS, security upload
  • libpcap: shared work with ELTS
  • libav: finish work started in November:
    • CVE-2018-18829/libav: triage: postponed (libav-specific issue, no patch)
    • CVE-2018-11224/libav: triage: postponed (libav-specific issue, no patch)
    • CVE-2017-18247/libav: triage: ignored (not reproducible, no targeted patch)
    • CVE-2017-18246/libav: triage: ignored (not reproducible)
    • CVE-2017-18245/libav: reproduce, track down fix in ffmpeg
    • CVE-2017-18244/libav: triage: ignored (not reproducible)
    • CVE-2017-18243/libav: triage: ignored (not reproducible)
    • CVE-2017-18242/libav: triage: ignored (not reproducible)
    • CVE-2017-17127/libav: reproduce, track down fix in ffmpeg
    • CVE-2016-9824/libav: triage: ignored: ubsan (undefined behaviour sanitizer) warning only, no patch
    • CVE-2016-9823/libav: triage: ignored: ubsan (undefined behaviour sanitizer) warning only, no patch
    • CVE-2016-5115/libav: triage: postponed due to a different (indirect, via mplayer) vulnerability and lack of time
    • CVE-2017-17127,CVE-2017-18245,CVE-2018-19128,CVE-2018-19130,CVE-2019-14443,CVE-2019-17542/libav: security upload

Documentation/Scripts

Posted Thu Jan 2 10:18:46 2020

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In November, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 24.5h for LTS (out of 30 max) and 20h for ELTS (max).

Multiple vulnerabilities come from in-process fuzzing (library fuzzing with compiler instrumentation, as opposed to fuzzing a user executable). This is an interesting technique, though those are harder to reproduce, especially with older versions or (even worse) forks. A significant portion of such vulnerabilities comes from google's OSS-117Fuzz infrastructure.

data/CVE/list from the debian security-tracker repository reached 20M. With multiple changes per hour, git blame is consequently near-unusable: several minutes for a targeted, single-line look-up, if the entry is not too old. Despite this, the git commit messages are often used for triage justification or even as a substitute for personal communication, a practice I wouldn't recommend. #908678 looks stalled.

MITRE is still reactive when reporting issues on various free software projects, and still very shy about changing the status of vulnerabilities. This is understandable when dealing with hard-to-reproduce issues, less understandable with legit-looking bogus vulnerabilities, which some people still like to throw at us so we have more work to do and get paid (seriously: please don't).

ELTS - Wheezy

  • Second part of my Front-Desk week, though only auto-triaged unsupported packages
  • CVE-2019-14866/cpio: help opal investigate reproducibility issue, contact cpio maintainer and security@gnu.org to get official patch/review
  • CVE-2019-18684/sudo: deconstruct bogus vulnerability; MITRE now marks it as DISPUTED
  • CVE-2019-5068/mesa: attempt to reproduce the issue, BTS update, testing, security upload
  • CVE-2019-3466/postgresql-common: triage: not-affected
  • libonig: start work on multiple vulnerabilities with non-trivial backports; to be completed in December
  • CVE-2019-19012/libonig: backport for 5.9, get maintainer review
  • CVE-2019-19246/libonig: register CVE for untracked vulnerability (discovered through upstream fuzzing, re-discovered through php-mbstring)
  • libonig: find embedded copy in php7.0 (Stretch) and php7.3 (Buster); LTS/ELTS not-affected

LTS - Jessie

  • CVE-2019-3689/nfs-utils: ping upstream and debian sid, no pong
  • CVE-2019-14866/cpio: shared work with ELTS
  • CVE-2019-18684/sudo: shared work with ELTS
  • CVE-2019-5068/mesa: shared work with ELTS, security upload
  • CVE-2019-3466/postgresql-common: confirmed fix: jessie already fixed but I didn't notice due to late DLA
  • CVE-2019-11027/ruby-openid: provide requested second opinion
  • libav: start processing pending issues; the package is an ffmpeg fork, was removed from newer dists, and upstream is unresponsive to security issues, all of which requires more work; to be completed in December
  • CVE-2019-17542/libav: heap-based buffer overflow: apply fix though libfuzzer-based reproducer not reproducible
  • CVE-2019-17539/libav: triage: not-affected (vulnerable code introduced later)
  • CVE-2019-14443/libav: reproduce, track down fix in ffmpeg, update libav bug
  • CVE-2019-14441/libav: mitre request: duplicate CVE-2018-19129 (got DISPUTED); fix attempt, update libav bug
  • CVE-2019-14371/libav: triage: already fixed through CVE-2018-11102
  • CVE-2019-9720/libav: triage: unimportant (stretching the definition of DoS)
  • CVE-2019-9719/libav: mitre request: rejection (got DISPUTED): generic warning, no vulnerability
  • CVE-2019-9717/libav: triage: unimportant (stretching the definition of DoS)
  • CVE-2018-20001/libav: jessie triage: postponed (not reproducible)
  • CVE-2018-19130/libav: mitre request: duplicate CVE-2017-17127 (got DISPUTED)
  • CVE-2018-19128/libav: reproduce, track down fix in ffmpeg
  • Welcome new trainee

Documentation/Scripts

Posted Sat Nov 30 19:59:55 2019

What is it already?

Android Rebuilds provides freely-licensed builds of Android development tools written by somebody else.

New builds

SDK 10 (API 29) and NDK 20 rebuilds are now available, as unattended build scripts as well as binaries you shan't trust.

sdkmanager integration will be complete when we figure out how to give our repo precedence over somebody else's.

Evolution of the situation

SDK build remains monolithic and growing (40GB .git, 7h multi-core build, 200GB build space).

But there are fewer build issues, thanks to newer "prebuilts" deps straight in Git, now including OpenJDK.
I expect we'll soon chroot in Git before build.

Also for the first time ever I could complete a NDK windows build.

Licensing

Official binaries are still click-wrapped with a proprietary license.

It was discovered that such a license also covers past versions of android.jar et al. hidden in a prebuilts directory and somehow necessary to the builds.
Archaeological work has already successfully started to rebuild SDKs from the start of the decade.

Fanbase

Android Rebuilds is showcased in ungoogled-chromium-android, a lightweight approach to removing Google web service dependency.

F-Droid mirror

After some back and forth, the F-Droid mirror is stable and limited to the experimental sdkmanager repository.
F-Droid showed high dedication to implementing upload restrictions and establishing procedures.
I have great hope that they will soon show the same level of dedication dropping non-free licenses and freeing their build server.

Posted Fri Nov 22 13:35:58 2019

SCP is a mind-blowing, diverse, high-quality collection of writings and illustrations, all released under the CC-BY-SA free license.
If you never read horror stories written with scientific style -- have a try :)

[obviously this has nothing to do with OpenSSH Secure CoPy ;)]

Faced with a legal threat through the aggressive use of a RU/EU trademark, the SCP project is raising a legal fund.
I suggest you have a look.

Posted Mon Nov 18 12:55:57 2019

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In October, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 22.75h for LTS (out of 30 max) and 20h for ELTS (max).

There was a bit of backlog during my LTS triage week and for once I didn't make a pass at classifying old undetermined issues.

MITRE was responsive for public (non-embargoed) issues in common free software packages, when I submitted new references or requested a CVE to identify known issues. There was more ball passing and delays when another CNA (CVE Numbering Authority) was involved.

Interestingly some issues were not fixed in LTS due to them being marked 'ignored' in later distros (sometimes, regrettably, with no clear rationale), as this means there would be a regression when upgrading. It's probably worth checking my past security uploads to see if such discrepancies appeared (this month's nfs-utils comes to mind; I'll re-offer an oldstable/stable upload next month).

Ubuntu recently started a post-LTS extended security support as well, with private updates. For now it's not clear whether we can get access to ease cooperation.

The last uploads I did took me some more hours than expected, so I'm a bit over my time - that means I have a few hours in advance for next month (not accounted for above).

ELTS - Wheezy

  • CVE-2019-16928/exim4: triage: not-affected
  • CVE-2019-15165/libpcap: security upload
  • libpcap: triage: other vulnerabilities not-affected
  • CVE-2019-3689/nfs-utils: proposed patch and testing procedure to upstream and sid/salsa, ping, security upload
  • CVE-2019-3689/nfs-utils: update security tracker: the proposed fs.protected_symlinks mitigation is not valid as /var/lib/nfs has no sticky bit; coordinate with MITRE and SuSE to update CVE
  • CVE-2019-17041,CVE-2019-17042/rsyslog: security upload, clarify triage description
  • CVE-2019-17040/rsyslog: triage: not-affected
  • CVE-2019-14287/sudo: request backport to maintainer, security upload
  • CVE-2019-17544/aspell: security upload
  • CVE-2019-11043/php5: security upload, provide feedback about applicability to cgi
  • CVE triage week part 1
    • CVE-2019-13464/modsecurity-crs: triage: not-affected (affected rule is not present)
    • CVE-2019-14847,CVE-2019-14833/samba: triage: not-affected
    • CVE-2019-10218/samba: triage: affected
    • CVE-2019-14866/cpio: triage: affected
    • CVE-2018-21029/systemd: triage: not-affected
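
The nfs-utils triage above hinges on a detail of fs.protected_symlinks: the kernel only refuses to follow symlinks inside directories that are both world-writable and sticky (like /tmp), so a non-sticky directory such as /var/lib/nfs gets nothing from the sysctl. The following shell snippet is an added example, not part of the original report, that checks whether a given directory would actually be covered; it assumes GNU/busybox `stat -c '%a'` and the /proc/sys/fs/protected_symlinks knob.

```shell
#!/bin/sh
# Added example (not from the original report): decide whether the kernel's
# fs.protected_symlinks restriction covers symlinks created in a directory.

# Returns 0 if DIR is world-writable and has the sticky bit, 1 otherwise
# (2 if DIR cannot be stat'ed). Reads the octal mode, e.g. "1777" for /tmp.
dir_is_sticky_world_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    mode=$((0$mode))                          # parse the digits as octal
    [ $((mode & 01000)) -ne 0 ] && [ $((mode & 0002)) -ne 0 ]
}

# Returns 0 if the sysctl is enabled on this host, 1 if off or unknown.
protected_symlinks_enabled() {
    knob=/proc/sys/fs/protected_symlinks
    [ -r "$knob" ] && [ "$(cat "$knob")" = "1" ]
}

# Prints one of: not-sticky (sysctl irrelevant, as for /var/lib/nfs),
# sysctl-off (directory qualifies but the knob is disabled), covered.
symlink_protection_status() {
    if ! dir_is_sticky_world_writable "$1"; then
        echo not-sticky
    elif ! protected_symlinks_enabled; then
        echo sysctl-off
    else
        echo covered
    fi
}

# Usage with the directory discussed in the triage, when it exists locally.
if [ -d /var/lib/nfs ]; then
    echo "/var/lib/nfs: $(symlink_protection_status /var/lib/nfs)"
fi
if [ -d /tmp ]; then
    echo "/tmp: $(symlink_protection_status /tmp)"
fi
```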

LTS - Jessie

  • Front-Desk week
    • firefox: ping i386 build status following user request
    • CVE-2019-3689/nfs-utils: triage: affected
    • CVE-2019-16723/cacti: triage: affected
    • CVE-2019-16892/ruby-zip: triage: postponed (minor issue, fix is zip bomb mitigation not enabled by default)
    • CVE-2018-21016,CVE-2018-21015/gpac: triage: postponed (minor issue, local DoS)
    • CVE-2019-13376/phpbb3: triage: reference fixes, request CVE for prior incomplete CSRF fix (SECURITY-188), fix-up confusion following that
    • CVE-2018-20839/xorg-server: re-triage: clarify and mark for later fix
    • CVE-2019-13504/exiv2: update: reference missing patch, check that it's not needed for jessie
    • CVE-2019-14369,CVE-2019-14370/exiv2: triage: not-affected
    • CVE-2019-11755/thunderbird: triage: affected
    • CVE-2019-16370,CVE-2019-15052/gradle: triage: postponed (old gradle mainly used for building Debian packages in a restricted environment)
    • CVE-2019-12412/libapreq2: triage: affected
    • CVE-2019-0193/lucene-solr: triage: affected; research commit for actual fix
    • CVE-2019-12401/lucene-solr: triage: affected; issue potentially in dependencies
    • CVE-2017-18635/novnc: triage: affected
    • CVE-2019-16239/openconnect: triage: affected
    • CVE-2019-14491,CVE-2019-14492,CVE-2019-14493/opencv: triage: postponed (DoS, PoC not crashing)
    • CVE-2019-14850,CVE-2019-14851/nbdkit: triage: ignored (DoS/amplification for specific configuration, non-trivial backport, low popcon)
    • CVE-2019-16910/polarssl: triage: affected, locate and reference patch
    • CVE-2019-16276/golang: triage: affected; later marked ignored, clarify that it's for consistency with later distros
    • CVE-2019-10723/libpodofo: revisit my early triage: ignored->postponed (minor but easy to add in later security upload)
    • DSA 4509-2/subversion: triage: not-affected
    • CVE-2019-8943/wordpress: triage: add precisions
    • CVE-2019-12922/phpmyadmin: triage: postponed (minor issue, unlikely situation); reference patch, reference patch at MITRE, mark unfixed
    • CVE-2019-16910/polarssl: reference patch at MITRE
    • CVE-2019-10219/libhibernate-validator-java: triage: no changes (still no clear information nor patch)
    • CVE-2019-11027/ruby-openid: triage: no changes (still no clear information nor patch)
    • CVE-2019-3685/osc: triage: no changes, report bug to packager, reference BTS
    • CVE-2019-1010091/tinymce: triage: ignored (questionable self-xss)
    • CVE-2019-16866/unbound: triage: not-affected
    • tcpdump,libpcap: triage: affected
    • CVE-2018-16301/libpcap: triage: asked upstream for commit, conclude duplicate, relay info to MITRE (not clear enough for them to mark duplicate AFAICS)
    • CVE-2019-14553/edk2: triage: end-of-life (non-free)
    • CVE-2019-9959/poppler: triage: affected
    • CVE-2019-10871/poppler: triage: cancel postponed (new upstream fix)
    • Remove remaining "not used by any sponsor" justification for Jessie LTS (one left-over from April clean-up)
  • CVE-2019-14287/sudo: security upload
  • CVE-2019-3689/nfs-utils: security upload
  • CVE-2019-11043/php5: security upload

Documentation/Scripts

  • Development: add reminder to add package short description / context in security announcements, some team members tend to forget it (myself included)
  • ampache: provide feedback about maintaining support
  • libclamunrar: provide feedback about dropping support
Posted Thu Oct 31 19:10:01 2019

planet.gnu.org logo

GNU Planet now automatically fetches news feeds from 'www.gnu.org portions' and 'www.gnu.org translation teams' Savannah projects.

Posted Sat Oct 26 16:03:20 2019

One year ago I posted a little entry in Ren'Py Jam 2018, which was the first-ever Ren'Py game directly playable in the browser :)

The Question Tutorial

Big thanks to Ren'Py's author who immediately showed full support for the project, and to all the other patrons who joined the effort!

One year later, RenPyWeb is officially integrated in Ren'Py with a one-click build, performance improved, countless little fixes to the Emscripten technology stack provided stability, and more than 60 games of all sizes were published for the web.

RenPyWeb

What's next? I have plans to download resources on-demand (rather than downloading the whole game on start-up), to improve support for mobile browsers, and of course to continue the myriad of little changes that make RenPyWeb more and more robust. I'm also wondering about making our web stack more widely accessible to Pygame, so as to bring more devs in the wonderful world of python-in-the-browser and improve the tech ecosystem - let me know if you're interested.

Hoping to see great new Visual Novels on the web this coming year :)

Posted Mon Sep 30 17:01:27 2019

This blog is powered by ikiwiki.