=== Serge_ is now known as hallyn | ||
bittin | any new episode today? | 10:00 |
---|---|---|
bittin | of the podcast | 10:00 |
bittin | that is | 10:00 |
mainek00n | I was looking at the Ubuntu Security Tracker git repository and found something strange. | 11:05 |
mainek00n | In the README, Package Status should be written as `<release>_<source-package>: <status> (<version/notes>)`. | 11:05 |
mainek00n | However, in https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-1921, it is written as `upstream_gst-plugins-good1.0: 1.20.3`. | 11:05 |
ubottu | Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1921> | 11:05 |
mainek00n | Checking at https://ubuntu.com/security/CVE-2022-1921, the status of upstream is released. | 11:06 |
ubottu | Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1921> | 11:06 |
mainek00n | Therefore, it should be written as `upstream_gst-plugins-good1.0: released (1.20.3)`. | 11:07 |
mainek00n | If you know of a more appropriate place to report, please let me know. | 11:09 |
amurray | bittin: yes, apologies I am a bit behind - will take another hour or two | 11:28 |
amurray | mainek00n (if you see this in IRC logs): thanks for the heads up - I've just updated it via https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=0d72c098eed6292d3fd067d3fb57186cee7a289d | 11:30 |
ubottu | Commit 0d72c09 in ubuntu-cve-tracker "Fix upstream status for CVE-2022-1921 for gst-plugins-good1.0 HEAD master" | 11:30 |
amurray | mainek00n: thanks for heads up - I've just updated it https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=0d72c098eed6292d3fd067d3fb57186cee7a289d | 11:31 |
ubottu | Commit 0d72c09 in ubuntu-cve-tracker "Fix upstream status for CVE-2022-1921 for gst-plugins-good1.0 HEAD master" | 11:31 |
amurray | (we do have a script which is meant to catch things like this but apparently we purposefully don't check the upstream field: https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/check-syntax#n473) | 11:32 |
mainek00n | I'm watching this repository pretty carefully, but if I find mistakes again, shall I send a Patch? | 11:35 |
mainek00n | For example, a typo for `Tags_cupsys_gutsy` instead of `Tags_cups_gutsy`. | 11:37 |
mainek00n | https://git.launchpad.net/ubuntu-cve-tracker/tree/retired/CVE-2007-4351?id=0d72c098eed6292d3fd067d3fb57186cee7a289d#n19 | 11:37 |
ubottu | Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351> | 11:37 |
bittin | amurray, alright attending Fedora flock, but will listen to it tommorow then, thanks | 11:38 |
amurray | mainek00n: sure, you can send a merge request if you like - see https://help.launchpad.net/Code/Git for how launchpad does git - in particular once you've cloned the git repo you can push it to your own remote (see "Pushing your code" on that help page) - and when you do push it to your own local fork, git should then prompt you if you want to file a merge request | 12:45 |
amurray | mainek00n: or you can do it via the web interface too I think - see "Fork it to your account" on https://code.launchpad.net/ubuntu-cve-tracker | 12:46 |
amurray | bittin: hope you enjoy flock! - fwiw the podcast for this week just went live - https://ubuntusecuritypodcast.org/episode-171/ | 12:55 |
bittin | amurray, thanks | 13:04 |
sbeattie | mainek00n: FYI, back in gutsy, the source package for cups was named cupsys, it's not a typo. https://launchpad.net/ubuntu/+source/cupsys/+publishinghistory | 14:14 |
sbeattie | mainek00n: oh, I see what you're saying. | 14:15 |
* sbeattie gets coffee | 14:16 | |
mainek00n | I was thinking the same thing about cupsys. | 14:24 |
mainek00n | https://git.launchpad.net/~mainek00n/ubuntu-cve-tracker/commit/?id=2b2e900c9519d518eb789a11fd4088a0c84c93d6 | 14:24 |
ubottu | Commit 2b2e900 in ~mainek00n/ubuntu-cve-tracker "fix Tags_ typo" | 14:24 |
mainek00n | I'm sorry I'm not good at communicating…… | 14:26 |
mainek00n | I wrote two patches. | 14:31 |
mainek00n | https://code.launchpad.net/~mainek00n/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+ref/patch-1 | 14:31 |
mainek00n | https://code.launchpad.net/~mainek00n/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+ref/patch-2 | 14:31 |
luis220413 | Please release the fix for node-moment in bug 1982617. | 19:10 |
ubottu | Bug 1982617 in node-moment (Ubuntu Jammy) "Versions in Bionic, Focal and Jammy are vulnerable to CVE-2022-24785 and CVE-2022-31129" [Undecided, Confirmed] https://launchpad.net/bugs/1982617 | 19:10 |
luis220413 | Please release the fix for jupyter-notebook in bug 1982670, even though CVE-2021-32798 is unfixed (it requires at least 5 new packages in Bionic and 3 in Focal). | 21:09 |
ubottu | Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670 | 21:09 |
ubottu | The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32798> | 21:09 |
luis220413 | leosilva: I have fixes for 2 distinct packages ready for sponsoring. | 21:29 |
luis220413 | See bug 1982617 and bug 1982670 | 21:32 |
ubottu | Bug 1982617 in node-moment (Ubuntu Jammy) "Versions in Bionic, Focal and Jammy are vulnerable to CVE-2022-24785 and CVE-2022-31129" [Undecided, Confirmed] https://launchpad.net/bugs/1982617 | 21:32 |
ubottu | Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670 | 21:32 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!