Here is my monthly update covering what I have been doing in the free software world during April 2023 (previous month):
Last month, I put together a set of ICS files for the UK Picturehouse Cinema chain which allows them to be displayed within, for instance, Google Calendar. After the change to daylight savings time, though, I noticed that timezone handling was broken, which required fixing. [...]
Reproducible Builds
The Reproducible Builds project's mission is to ensure the security of the 'supply chains' used in open source software — that is, preventing attacks targeting the complex systems that build our shared digital infrastructure. This month, I:
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted a patch to fix a reproducibility issue in the ruby-regexp-parser Debian package.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Wrote and published our monthly report for March 2023.
- Updated diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, to add a missing 'raise' statement accidentally dropped in a previous commit. [...]
- Updated the Reproducible Builds website and documentation to display all the "Back to who is involved" links consistently in italics [...], attempted to fix literal {: .lead} strings appearing in the page (Re: reproducible-builds/reproducible-website#45) [...] and corrected the syntax of the _data/sponsors.yml file. [...]
Debian
- python-django (3:4.2-1) — Upload new upstream stable release.
- redis (5:7.0.11-1) — Upload new upstream security release in order to fix CVE-2023-28856. (#1034613)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged: asterisk (CVE-2023-27585), configobj, connman, jackson-databind, libelfin (CVE-2023-24180), libxml2, openvswitch, redis (CVE-2023-28856) and ruby-loofah.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3381-1 as it was discovered that there was a potential buffer-overflow vulnerability in Ghostscript, a popular interpreter for the PostScript language used, for example, to generate PDF files.
- Issued DLA 3383-1 for GruntJS, a multipurpose task runner and build system tool. file.copy operations in GruntJS were vulnerable to a TOCTOU ("time-of-check vs. time-of-use") race condition that could have led to arbitrary file writes in GitHub repositories. This could have then led to local privilege escalation if a lower-privileged user had write access to both source and destination directories, as the lower-privileged user could have created a symlink to the GruntJS user's ~/.bashrc configuration file etc.
- Issued DLA 3386-1, also for GruntJS, as it was discovered that there was a potential path-traversal vulnerability, which could have been exploited via malicious symlinks.
- Issued DLA 3388-1 and DLA 3389-1 for lldpd, an implementation of IEEE 802.1ab (LLDP), a protocol used to administer and monitor networking devices. There were two issues that could have been used to engineer a denial-of-service (DoS) attack.
- Issued DLA 3396-1 and ELA 838-1 for the Redis key-value data store. Authenticated users could have used the HINCRBYFLOAT command to create an invalid hash field that would have crashed the server on access.
- Issued DLA 3397-1 because it was discovered that there was a potential denial of service vulnerability in ConnMan, a command-line network manager designed for use on embedded devices. Network-adjacent attackers operating a specially-crafted DHCP server could have caused a stack-based buffer overflow, resulting in a denial of service through terminating the underlying connman process.
- I also filed an 'unblock request' in order to permit the latest version of Redis to transition to the Debian testing distribution in time for the upcoming release. (#1035328)