Brian May <b...@debian.org> writes:

This month I had 10 hours and I spent my 10 hours on the following tasks:

* XBMC CVE-2017-5982. This is slow going due to time taken to build different versions. I found that *all* versions of xbmc/kodi are vulnerable, and (contrary to some websites) there is no upstream fix (unless it happened within the last week, which I doubt). The URL required to exploit varies depending on installation and version. I imagine the fix required for wheezy/jessie will be somewhat different from stretch/sid (not verified this). I think I have identified the code path in wheezy, although I still need to double check some details. From reading the wheezy/jessie code, it is also possible that the scope of the problem is larger than claimed (i.e. more than just the special URLs used for thumbnail), at least on wheezy. I haven't been able to verify this yet (I found at the last minute my test was flawed; many web clients will automatically remove '../' from URLs; this doesn't happen for the special URLs which are HTML quoted).

* Heimdal CVE-2017-6594. Prepared initial patch for Wheezy/Stretch release before it was publicly announced, although found it was missing a hunk. This has been corrected in the official release. The fix applies cleanly although the tests need to be applied manually.

As I have run out of hours this month, if anybody else wants to take over either of these, please let me know and I will provide more details.
--
Brian May <b...@debian.org>
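
The testing pitfall mentioned in the message above, as an added example that is not part of the original mail and is not XBMC/Kodi code: a client that removes dot segments never delivers a literal '../' to the server, so a regression test for a traversal fix has to check the path as received and decode it before the containment check. The document root, host name, file names and function names are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

ROOT = "/srv/media"  # constructed document root, not a real Kodi path


def client_normalize(url):
    """Path a dot-segment-removing client would actually send for `url`."""
    return posixpath.normpath(urlsplit(url).path)


def resolve_under_root(request_path, root=ROOT):
    """Percent-decode once, resolve lexically, return None if it leaves root."""
    decoded = unquote(request_path)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed sample requests: the same traversal written literally and quoted.
LITERAL = "http://host.example/image/../../outside.txt"
QUOTED = "http://host.example/image/..%2F..%2Foutside.txt"

if __name__ == "__main__":
    for url in (LITERAL, QUOTED):
        sent = client_normalize(url)
        print(f"{url}\n  sent as : {sent}\n  resolved: {resolve_under_root(sent)}")
    raw = urlsplit(LITERAL).path  # what a non-normalizing client would send
    print(f"raw literal path resolved: {resolve_under_root(raw)}")
```

The literal form reaches the server already collapsed to a harmless in-root path, which is why a test driven through such a client can pass without ever exercising the check.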