18:04:23 #startmeeting 18:04:23 Meeting started Mon Dec 19 18:04:23 2011 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/AlanBell/mootbot. 18:04:23 18:04:23 Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired 18:04:26 The meeting agenda can be found at: 18:04:26 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting 18:04:32 [TOPIC] Announcements 18:04:47 While the team is off next week, we will be monitoring lists, bugs and email for critical issues. 18:04:58 [TOPIC] Weekly stand-up report 18:05:23 jjohansen is off this week and next. I wish him well deserved rest :) 18:05:27 I'll go first 18:05:39 I've got another short week this week 18:05:56 and am off Thu and Fri (and like everyone else, next week) 18:06:02 I'm on community 18:06:23 I have a couple of pending updates. if I don't get them out today I will likely wait until after the break 18:06:49 I have some archive admin work and will look into some bugs that have been accumulating if I have time 18:06:53 that's it from me 18:06:56 mdeslaur: you're up 18:08:01 I've just released some libarchive updates 18:08:09 and am currently working on jasper and ghostscript 18:08:20 and will also be testing some embargoed backports too this week 18:08:48 since jj's off, guess I'm the stu^H^H^Hfortunate to be doing the kernel USN publication 18:09:02 and I'm in the happy place 18:09:07 that's about it for me! 18:09:09 sbeattie: you're up 18:09:42 I'm in the happy place this week 18:10:21 I'm planning to poke at my work items and finish up the glibc update I'm working on 18:10:44 I also need to respond to jj on a couple of apparmor things. 18:11:06 I've got a short week this week, I'm off wednesday and friday 18:11:16 That's it for me. 18:11:19 micahg: poke 18:12:38 I've got Mozilla updates this week along with Chromium (time permitting), we're starting the Rapid release migration in Lucid/Maverick as well (announcement to come this week), Chromium updates as well time permitting, short week for me (not sure which day yet) 18:12:46 tyhicks: you're up 18:12:55 I'm in the triage role this week 18:13:07 I'll be around the entire week 18:13:16 I plan on getting a t1lib update out today and then primarily focusing on improving eCryptfs testing 18:13:22 but I'll take another update (tbd) to work off and on 18:13:35 That's all I've got, jdstrand 18:14:32 thanks 18:14:42 [TOPIC] Highlighted packages 18:14:46 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so. 18:14:52 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. 18:15:10 http://people.canonical.com/~ubuntu-security/cve/pkg/libsmi.html 18:15:15 http://people.canonical.com/~ubuntu-security/cve/pkg/wxwidgets2.6.html 18:15:18 http://people.canonical.com/~ubuntu-security/cve/pkg/libdigest-perl.html 18:15:21 http://people.canonical.com/~ubuntu-security/cve/pkg/phpgroupware.html 18:15:25 http://people.canonical.com/~ubuntu-security/cve/pkg/clearsilver.html 18:15:34 [TOPIC] Miscellaneous and Questions 18:15:56 heya. The Chrome folks asked me to see if this was getting any attention: http://rcvalle.com/post/14261796328/more-on-exploiting-glibc-tzfile-read-integer-overflow 18:16:36 it boils down to two things: glibc malloc has predictable allocation behavior, and some part of the FILE structure doesn't use PTR_MANGLE. 18:17:26 kees: it hasn't gotten any attention yet, as I don't think we were aware of it 18:17:31 * mdeslaur will read 18:17:37 * sbeattie will, too 18:17:46 kees: thanks for pointing it out 18:17:55 it's more about an exploitation technique than a vuln, really. 18:17:58 yeah, I didn't know about it either 18:18:02 kees: thanks! 18:18:12 I'm probably going to send some patches to glibc to further harden the FILE structures. 18:18:31 but I don't really know what to do about the predictable allocation behavior. that's been a long-time problem. 18:19:14 kees: any CVEs been assigned? 18:19:22 or is it not actually a flaw? 18:19:35 mdeslaur: I don't really think it qualifies as a flaw. 18:19:53 kees: cool. would you mind opening an ubuntu bug when you open the upstream one, so we can track it? 18:19:55 mdeslaur: it's more of a technique to stabilize the environment during an attack. 18:19:59 jdstrand: sure! 18:20:21 I lack too much context, I'll catch up on it first 18:20:51 cool, no worries. I don't think it's high priority at all, but I just wanted to point it out. 18:22:45 kees: thank you for doing so :) 18:23:01 sure! :) 18:23:13 Any other questions or items to discuss? 18:23:48 that was it from me. 18:25:59 mdeslaur, sbeattie, micahg, tyhicks, kees: thanks! 18:26:00 #endmeeting