=== Serge_ is now known as hallyn
[10:00] any new episode today?
[10:00] of the podcast
[10:00] that is
[11:05] I was looking at the Ubuntu Security Tracker git repository and found something strange.
[11:05] In the README, Package Status should be written as `_: ()`.
[11:05] However, in https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-1921, it is written as `upstream_gst-plugins-good1.0: 1.20.3`.
[11:05] Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.
[11:06] Checking at https://ubuntu.com/security/CVE-2022-1921, the status of upstream is released.
[11:06] Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.
[11:07] Therefore, it should be written as `upstream_gst-plugins-good1.0: released (1.20.3)`.
[11:09] If you know of a more appropriate place to report, please let me know.
[11:28] bittin: yes, apologies I am a bit behind - will take another hour or two
[11:30] mainek00n (if you see this in IRC logs): thanks for the heads up - I've just updated it via https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=0d72c098eed6292d3fd067d3fb57186cee7a289d
[11:30] Commit 0d72c09 in ubuntu-cve-tracker "Fix upstream status for CVE-2022-1921 for gst-plugins-good1.0 HEAD master"
[11:31] mainek00n: thanks for heads up - I've just updated it https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=0d72c098eed6292d3fd067d3fb57186cee7a289d
[11:31] Commit 0d72c09 in ubuntu-cve-tracker "Fix upstream status for CVE-2022-1921 for gst-plugins-good1.0 HEAD master"
[11:32] (we do have a script which is meant to catch things like this but apparently we purposefully don't check the upstream field: https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/check-syntax#n473)
[11:35] I'm watching this repository pretty carefully, but if I find mistakes again, shall I send a Patch?
[11:37] For example, a typo for `Tags_cupsys_gutsy` instead of `Tags_cups_gutsy`.
[11:37] https://git.launchpad.net/ubuntu-cve-tracker/tree/retired/CVE-2007-4351?id=0d72c098eed6292d3fd067d3fb57186cee7a289d#n19
[11:37] Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow.
[11:38] amurray, alright attending Fedora flock, but will listen to it tomorrow then, thanks
[12:45] mainek00n: sure, you can send a merge request if you like - see https://help.launchpad.net/Code/Git for how launchpad does git - in particular once you've cloned the git repo you can push it to your own remote (see "Pushing your code" on that help page) - and when you do push it to your own local fork, git should then prompt you if you want to file a merge request
[12:46] mainek00n: or you can do it via the web interface too I think - see "Fork it to your account" on https://code.launchpad.net/ubuntu-cve-tracker
[12:55] bittin: hope you enjoy flock! - fwiw the podcast for this week just went live - https://ubuntusecuritypodcast.org/episode-171/
[13:04] amurray, thanks
[14:14] mainek00n: FYI, back in gutsy, the source package for cups was named cupsys, it's not a typo. https://launchpad.net/ubuntu/+source/cupsys/+publishinghistory
[14:15] mainek00n: oh, I see what you're saying.
[14:16] * sbeattie gets coffee
[14:24] I was thinking the same thing about cupsys.
[14:24] https://git.launchpad.net/~mainek00n/ubuntu-cve-tracker/commit/?id=2b2e900c9519d518eb789a11fd4088a0c84c93d6
[14:24] Commit 2b2e900 in ~mainek00n/ubuntu-cve-tracker "fix Tags_ typo"
[14:26] I'm sorry I'm not good at communicating……
[14:31] I wrote two patches.
[14:31] https://code.launchpad.net/~mainek00n/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+ref/patch-1
[14:31] https://code.launchpad.net/~mainek00n/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+ref/patch-2
[19:10] Please release the fix for node-moment in bug 1982617.
[19:10] Bug 1982617 in node-moment (Ubuntu Jammy) "Versions in Bionic, Focal and Jammy are vulnerable to CVE-2022-24785 and CVE-2022-31129" [Undecided, Confirmed] https://launchpad.net/bugs/1982617
[21:09] Please release the fix for jupyter-notebook in bug 1982670, even though CVE-2021-32798 is unfixed (it requires at least 5 new packages in Bionic and 3 in Focal).
[21:09] Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670
[21:09] The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t...
[21:29] leosilva: I have fixes for 2 distinct packages ready for sponsoring.
[21:32] See bug 1982617 and bug 1982670
[21:32] Bug 1982617 in node-moment (Ubuntu Jammy) "Versions in Bionic, Focal and Jammy are vulnerable to CVE-2022-24785 and CVE-2022-31129" [Undecided, Confirmed] https://launchpad.net/bugs/1982617
[21:32] Bug 1982670 in jupyter-notebook (Debian) "Multiple vulnerabilities in Bionic, Focal, Jammy and Kinetic" [Unknown, Confirmed] https://launchpad.net/bugs/1982670