This is my 14th month of working for LTS and the 2nd one for ELTS.
Released DLAs, ELAs
- CVE-2018-25032: For rare inputs with a large number of distant matches, the pending buffer into which the compressed data is written can overwrite the distance symbol table which it overlays. That results in corrupted output due to invalid distances, and can result in out-of-bound accesses, crashing the application. It can happen when using Z_FIXED.
- CVE-2016-9318: not fixed versions do not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
- CVE-2017-5130: integer overflow in memory debug code, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.
- CVE-2017-5969: parser in a recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document.
- CVE-2017-16932: When expanding a parameter entity in a DTD, infinite recursion could lead to an infinite loop or memory exhaustion.
- CVE-2022-23308: the application that validates XML using xmlTextReaderRead() with XML_PARSE_DTDATTR and XML_PARSE_DTDVALID enabled becomes vulnerable to this use-after-free bug. This issue can result in denial of service.
- CVE-2022-1122: an input directory with a large number of files can lead to a segmentation fault and a denial of service due to a call of free() on an uninitialized pointer.
- CVE-2021-29338: integer overflow allows remote attackers to crash the application, causing a denial of service This occurs when the attacker uses the command line option “-ImgDir” on a directory that contains 1048576 files.
- CVE-2020-27843: the flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.
- CVE-2020-27842: null pointer dereference through specially crafted input. The highest impact of this flaw is to application availability.
- CVE-2021-32435: stack-based buffer overflow in the function get_key in parse.c allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors.
- CVE-2018-10753: stack-based buffer overflow in the delayed_output function in music.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
- CVE-2018-10771: stack-based buffer overflow in the get_key function in parse.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
- CVE-2019-1010069: incorrect access control allows attackers to cause a denial of service via a crafted file.
- CVE-2021-32434: array overflow when wrong duration in voice overlay.
- CVE-2021-32436: out-of-bounds read in the function write_title() in subs.c allows remote attackers to cause a denial of service (DoS) via unspecified vectors.
- CVE-2018-25032: See the text above.
- CVE-2021-29338, CVE-2020-27843, CVE-2020-27842: See the text above.
Several packages are in a pipeline and fixes will be released soon.
Other (E)LTS-related work
- Analyzed python2.7 build failures for ELTS release. Discussed with uploader.
- CVE-2022-1122 fixed for ELTS in git.
- Triaged for LTS:
- Dispatched FD-slots for 2022Q3
- Updated the script for FD-slots dispatching.
- Triaged for LTS:
- Tested the updated script for the CVE triage for the LTS release
- I attended the Debian LTS team Jitsi-meeting.