There was a vulnerability in libcdio that we sat on for quite a bit because I had accidentally found another way to crash iso-info. Took some time to figure it all out, but we were persistent and Gustavo came up with the fix for all supported libcdio versions.
I don’t normally blog about the security stuff we do, so why is this different? Well, this one was more interesting than your run-of-the-mill patch-test-release cycle. We actually got to do some testing and fixing on our own which, while not a first for Mandriva, is certainly rare. Usually we’re the recipients of other people’s patches. This time, we found something, and we fixed it, got to submit it upstream, etc. This might be a normal thing for maintainers, but not so normal for the secteam.
Anyways, I’ve always wanted to be able to have the resources to do more “research” in looking for vulns to fix things proactively. This gave me a taste of it, and I like it. =) Too bad the resources aren’t there to do more of this sort of thing.
It’s also nice seeing your name associated with upstream fixes. The patch information gives Mandriva credit for the fix, which is great for us. It also lets Gustavo puff his chest a bit with a job well done. My name is in there, but didn’t need to be… I guess that’s the benefit of being a middle-man/proxy/manager sort.
At any rate, it’s back to the usual grind, but this was an interesting little side-track. I guess the next “big thing” isn’t so much package auditing, but is a departure from the normal grind… I get to figure out how to set up and use iurt to build security updates. Should be interesting.