For August I was allocated 14.5 hours. I spent 11 hours as follows:

* CVE-2016-6293: Fix buffer overflow in uloc_acceptLanguageFromHTTP

This issue turned out to be very complex to figure out. It was initially discovered by a PHP developer and reported to the PHP bug tracker. As the upstream bug report was detailed, I first attempted to replicate the bug in the same way as described in the bug report.

It turns out that the gcc in wheezy does not support address sanitizer and that the ICU and PHP from wheezy won't build with clang, so I embarked on a rather frustrating journey to finally strike the correct combination: build on jessie, ICU from wheezy (of course), and PHP from sid (I had to patch out the fix that was implemented in PHP to unmask the bug in ICU). Once I figured that out, I was able to reliably reproduce the buffer overflow.

After that I found the related fix in the upstream source repository and then I had to backport the fix (the affected file transitioned from C to C++ some time ago so I could not simply take upstream's patch). I was able to incorporate an upstream update to the related unit test and between that and the address sanitizer check I am confident that the fix I implemented is correct.

Remaining items to complete this task:

- Build/sign/upload package
- Publish DLA

I apologize if the description was a bit too lengthy, but given the amount of time I spent on a single task I thought it worthwhile to explain with a bit of detail.

Regards,

-Roberto

--
Roberto C. Sánchez