2021/11, FLOSS activity

LTS

This is my 9th month of working for LTS.

Released DLAs

  1. DLA-2812-1 botan1.10_1.10.17-1+deb9u1

  2. DLA-2818-1 ffmpeg_3.2.16-1+deb9u1.

    • CVE-2021-38291: An assertion failure at src/libavutil/mathematics.c causes ffmpeg to abort. In some extreme cases, like with adpcm_ms samples with an extremely high channel count, get_audio_frame_duration() may return a negative frame duration value.

    • CVE-2021-38171: adts_decode_extradata in libavformat/adtsenc.c does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

    • CVE-2020-22054: A Denial of Service vulnerability due to a memory leak in the av_dict_set function in dict.c.

    • CVE-2020-22049: A Denial of Service vulnerability due to a memory leak in the wtvfile_open_sector function in wtvdec.c.

    • CVE-2020-22048: A Denial of Service vulnerability due to a memory leak in the ff_frame_pool_get function in framepool.c.

    • CVE-2020-22046: A Denial of Service vulnerability due to a memory leak in the avpriv_float_dsp_allocl function in libavutil/float_dsp.c.

    • CVE-2020-22044: A Denial of Service vulnerability due to a memory leak in the url_open_dyn_buf_internal function in libavformat/aviobuf.c.

    • CVE-2020-22041: A Denial of Service vulnerability due to a memory leak in the av_buffersrc_add_frame_flags function in buffersrc.

    • CVE-2020-22037: A Denial of Service vulnerability due to a memory leak in avcodec_alloc_context3 at options.c.

    • CVE-2020-20453: Divide By Zero issue via libavcodec/aaccoder, which allows a remote malicious user to cause a Denial of Service.

    • CVE-2020-20451: Denial of Service issue due to resource management errors via fftools/cmdutils.c.

    • CVE-2020-20446: Divide By Zero issue via libavcodec/aacpsy.c, which allows a remote malicious user to cause a Denial of Service.

    • CVE-2020-20445: Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service.

  1. FD-duties:
    1. Added icinga2, kodi, mbedtls, ckeditor, wordpress, gerbv
    2. Initiated a discussion about redefining the FD role and a fair dispatch of FD slots
  2. Marked the following CVEs as for Stretch:
    1. CVE-2021-38090 - ffmpeg
    2. CVE-2021-38091 - ffmpeg
    3. CVE-2021-38092 - ffmpeg
    4. CVE-2021-38093 - ffmpeg
    5. CVE-2021-38094 - ffmpeg
    6. CVE-2020-22056 - ffmpeg
    7. CVE-2020-22038 - ffmpeg
    8. CVE-2020-20898 - ffmpeg
    9. CVE-2020-20448 - ffmpeg
  3. Marked the following CVEs as for Stretch:
    1. CVE-2020-22042 - ffmpeg
    2. CVE-2020-22040 - ffmpeg
    3. CVE-2020-22039 - ffmpeg

LTS-Meeting

I participated in the Debian LTS team IRC meeting this month, but not from the beginning due to a time shift…

Debian Science Team

  • Requested CVE-2021-43618 for the gmp package
  • Filed
    • #1000539 to remove boost1.71 from the archive.
  • Uploaded
    • gmsh_4.8.4+ds1-2, gmsh_4.8.4+ds2-1, fixing #995424, #948773
    • wslay_1.1.1-3, fixing #997384
    • minieigen_0.50.3+dfsg1-13, fixing #997061, #997422
    • sfepy_2020.4-2, fixing #997436
    • lammps_20210122~gita77bb+ds1-3, fixing #997418
    • yade_2021.11~git~6f71ebd-1, fixing #984421
    • lammps_20210122~gita77bb+ds1-4, fixing FTBFS
    • gmp_6.2.1+dfsg-3, fixing #994405, CVE-2021-43618
    • gmp_6.1.2+dfsg-4+deb10u1 (filed #1000473 for approval), CVE-2021-43618
    • gmp_6.2.1+dfsg-1+deb11u1 (filed #1000477 for approval), CVE-2021-43618
    • alglib_3.18.0-1~exp1
    • eigen3_3.4.0-1~exp1
    • boost1.74_1.74.0-13, fixing #999778, #999853
    • eigen3_3.4.0-1
    • dyssol_1.0~alpha1-20211119.gitd7bc300-1
    • vtk9_9.1.0+dfsg1-1
    • vtk9_9.1.0+dfsg2-1, fixing #1000501, #996257, #998470
    • vtk9_9.1.0+dfsg2-2
    • vtk9_9.1.0+really9.0.3+dfsg1-3, fixing #1000611
    • vtk9_9.1.0+really9.0.3+dfsg1-4, fixing #1000746
  • Reviewed and uploaded
    • ignition-utils_1.1.0+ds-2
    • opm-common_2021.10-1
    • opm-material_2021.10-1
    • opm-grid_2021.10-1
    • opm-models_2021.10-1
    • opm-upscaling_2021.10-1
    • opm-simulators_2021.10-1

Other FLOSS activities

  • Some activities in the Yade project.