Verified identity
I am a member of ~canonical-security; my identity has been verified through a background check, in person, and during the onboarding process.
History of high-quality sponsored security updates
I researched, backported and tested patches for security vulnerabilities in a variety of packages, listed below.
USNs:
- USN-6808-1: Package “atril”, 1 CVE, patched for: 16.04, 18.04, 20.04, 22.04, 23.10
- USN-6826-1: Package “libapache-mod-jk”, 1 CVE, patched for: 16.04, 18.04, 20.04, 22.04, 23.10
- USN-6566-2: Package “sqlite3”, 1 CVE, patched for: 18.04
- USN-6943-1: Packages “tomcat8” & “tomcat9”, 5 CVEs, patched for: 16.04, 18.04, 20.04, 22.04
- USN-6961-1: Package “busybox”, 4 CVEs, patched for: 20.04, 22.04, 24.04, 24.10
- USN-6981-1: Package “drupal7”, 3 CVEs, patched for: 16.04
- USN-6983-1: Package “ffmpeg”, 1 CVE, patched for: 16.04, 18.04, 20.04, 22.04, 24.04
- USN-6981-2: Package “drupal7”, 3 CVEs, patched for: 14.04
- USN-7032-1: Packages “tomcat8” & “tomcat9”, 1 CVE, patched for: 18.04, 20.04, 22.04, 24.04, 24.10
The following table shows how this set of updates covers the various ESM/release/component combinations:
| Release | main | universe |
|---|---|---|
| oracular | USN-6961-1 | USN-7032-1 |
| noble | USN-6961-1 | USN-6983-1*, USN-7032-1 |
| mantic | USN-6808-1, USN-6826-1 | |
| jammy | USN-6961-1 | USN-6808-1, USN-6826-1, USN-6943-1*, USN-6983-1*, USN-7032-1* |
| focal | USN-6961-1 | USN-6808-1, USN-6826-1, USN-6943-1, USN-6983-1*, USN-7032-1 |
| bionic | USN-6566-2* | USN-6808-1*, USN-6826-1*, USN-6943-1*, USN-6983-1*, USN-7032-1* |
| xenial | USN-6943-1* | USN-6808-1*, USN-6826-1*, USN-6981-1*, USN-6983-1* |
| trusty | USN-6981-2* | |
(*) ESM update
Additionally, I contributed several security updates to internal projects. I’ll be happy to provide further information on these updates upon request.
QRT tests added:
- busybox: Reproduces old heap overflow and UAF vulnerabilities in awk
- cyrus imapd: Reproduces an old DoS through hash collisions on a hash-map implementation, using statistical analysis to determine whether the vulnerability is present or not
- libapache-mod-jk: Reproduces an old vulnerability whereby requests would be incorrectly forwarded to Tomcat for resolution, which could lead to bypass of security constraints.
- atril: Reproduces a path traversal vulnerability that allows for arbitrary file creation when opening an epub file.
Security updates troubleshooting:
- While working on the patch for CVE-2023-46589 on Ubuntu 24.10 (which was the development release as of the time of patching) I encountered an FTBFS error on Tomcat 9. This issue was due to a change introduced in one of the dependencies (libeclipse-jdt-core-java), which changed the location of a .jar file imported by the package. This issue only surfaced while building the package on the Launchpad CI pipeline, which made us realise that the Argentine mirror for the Ubuntu archive was badly out of sync. This synchronisation error prevented the latest version of the dependency from being used, and that was the reason why the build was failing on Launchpad but not on my host.
  In order to troubleshoot this error I had to go through the build log to identify which Java import was causing the error, identify the jar file that provided that class, and then the package that provided that jar file. After going through that project’s history I found a change to the project structure which moved the relevant class to a different jar file, which was the one that should have been used to successfully build Tomcat 9.
- While working on CVE patches for Busybox I also ran into an issue whereby, when trying to install the patched package on my testing VM, the version of the package available on the repositories had a higher pin-priority than the one available in my local repository, which could hinder the testing workflow. This led to a fix in UQT to automatically assign the highest pin-priority to the local repository when using the uvt utility (see “Demonstrated understanding of required tools and systems” below for a link to the relevant MP).
Continued, ongoing security updates
As a member of the Security Engineering team, I will continue to work on security updates on a regular basis.
Demonstrated understanding of required tools and systems
Sample of updates to the Ubuntu CVE Tracker:
- Status updates:
- Assigning:
- Retiring:
- Misc.:
UCT fixes/improvements:
- https://code.launchpad.net/~octagalland/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/472233: Fixes a bug that would prevent package sources from being copied from one of the staging PPAs to the local repository
- https://code.launchpad.net/~octagalland/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/469412: Ask for explicit permission to retire CVEs whenever local environment does not seem to be properly configured. This was motivated by CVEs being improperly retired due to differing environment setups.
- https://code.launchpad.net/~octagalland/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/468605: When attempting to retire a CVE, raise an error if underlying scripts fail. This prevents tools from failing silently as this was concealing some faulty configurations.
UST fixes/improvements:
- https://code.launchpad.net/~octagalland/ubuntu-security-tools/+git/ubuntu-security-tools/+merge/471273: The `--skip-repo` toggle of `umt qrt` required a value, which was not used.
- https://code.launchpad.net/~octagalland/ubuntu-security-tools/+git/ubuntu-security-tools/+merge/471081: Add VPN connectivity check to `umt testflinger` to raise an error instead of hanging if the user was not connected to the VPN.
- https://code.launchpad.net/~octagalland/ubuntu-security-tools/+git/ubuntu-security-tools/+merge/470985: Allows `umt qrt` to ignore test failures occurring on old package versions if they relate to the CVE being patched. Warns the user and still requires all tests to pass on the patched version of the package.
- https://code.launchpad.net/~octagalland/ubuntu-security-tools/+git/ubuntu-security-tools/+merge/466965: Handle increment of version numbers ending in `fakesync`.
UQT fixes/improvements:
- https://code.launchpad.net/~octagalland/ubuntu-qa-tools/+git/ubuntu-qa-tools/+merge/470446: When using `uvt repo -e`, use the highest available pin-priority for the local repository. This was motivated by the fact that ESM PPAs are currently configured with a higher than default priority on virtual machines. As a result, when testing an update for a package from an ESM PPA, a normal update would not have installed the patched version of the package from the local repository.
USN tool fixes/improvements:
- https://code.launchpad.net/~octagalland/usn-tool/+git/usn-tool/+merge/468363: Looks for related USNs (USNs sharing the same root) in the USN DB when publishing, and adds them as references to the template email (formerly, only the `USN-*-1` USN was being included).
Additionally, I contributed tooling fixes to internal projects. I’ll be happy to provide further information on these fixes upon request.
Demonstrated responsive and respectful communication
I have signed the code of conduct. I regularly monitor Launchpad bugs for packages I have patched, as well as relevant mailing list announcements, looking for possible regressions. Only once did I receive an inquiry from a community member about an update, to which I replied by providing the requested information and pointing them to our CVE tracker (since the community member was asking what other vulnerabilities affected the patched package).
Demonstrated understanding of the responsibility of ~ubuntu-security membership
I am following credentials best practices, my disk is fully encrypted, and I have 2FA enabled for all accounts.