Here is my monthly update covering what I have been doing in the free software world during April 2024 (previous month).
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
- Kept isdebianreproducibleyet.com up to date. [...]
- Wrote and submitted a number of patches to fix specific reproducibility issues in Debian, including:
  - #1068173 filed against pg-gvm.
  - #1068176 filed against goldendict-ng.
  - #1068372 filed against grokevt.
  - #1068374 filed against ttconv.
  - #1068375 filed against ludevit.
  - #1068795 filed against pympress.
  - #1069168 filed against sagemath-database-conway-polynomials.
  - #1069169 filed against gap-polymaking.
  - #1069663 filed against dub.
  - #1069709 filed against dpb.
  - #1069784 filed against python-itemloaders.
  - #1069822 filed against python-gvm.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Drafted, published and publicised our monthly report.
- Made a number of updates to the main Reproducible Builds website and documentation, including updating the archive page to recommend -X and unzipping with TZ=UTC […] and adding Maven, Gradle, JDK and Groovy examples to the SOURCE_DATE_EPOCH page […].
- Enquired on our mailing list which conferences readers are attending these days: "After peak Covid and other industry-wide changes, conferences are no longer the 'must attend' events they previously were… especially in the area of software supply-chain security. In rough, practical terms, it seems harder to justify conference travel today than it did in mid-2019." The thread generated a number of responses which would be of interest to anyone planning travel in Q3 and Q4 of 2024.
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 263, 264 and 265 to Debian:
- Don't crash on invalid .zip files, even if we encounter their 'badness' halfway through the file and not at the time of their initial opening. […]
- Prevent odt2txt tests from always being skipped due to an (impossibly) new version requirement. […]
- Avoid parens-in-parens in test 'skipping' messages. […]
- Ensure that tests with ">=" style version constraints actually print the tool name. […]
Debian
- lastpass-cli (1.4.0-1) — New upstream release.
- python-django (3:5.0.4-1) — New upstream bugfix release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc., as well as attending the monthly IRC meeting.
- Issued DLA 3803-1 because a potential remote code execution vulnerability was discovered in Astropy, a suite of tools, utilities and Python utilities for astrophysics. Improper input validation in the TransformGraph().to_dot_graph function could have led to arbitrary command execution, as values were passed as the first argument to subprocess.Popen(). Although an error will be raised, the command or script would still be executed successfully.
- Issued ELA 1082-1 because a potential SQL injection vulnerability was discovered in phpmyadmin, the popular MySQL web administration tool. This could have been exploited by a malicious storage engine value.
- Issued ELA 1078-1 as an integer overflow attack was discovered in util-linux. This could have caused a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.
- Investigated and triaged ansible, emacs (CVE-2024-30202), gunicorn (CVE-2024-1135), less, mediawiki, nodejs (CVE-2024-27982 & CVE-2024-27983), org-mode (CVE-2024-30205), pillow (CVE-2024-28219), tinymce (CVE-2024-29881 & CVE-2024-29881), util-linux (CVE-2024-28085), wireshark (CVE-2024-2955) & xorg-server (CVE-2024-31080, CVE-2024-31081 & CVE-2024-31083).
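To illustrate the Astropy issue behind DLA 3803-1, here is an added example (not Astropy's code and not the DLA's patch) showing the weak pattern of handing a caller-supplied string to subprocess as argv[0], beside an allowlist check that rejects anything other than a known layout program. The function names, the ALLOWED_LAYOUTS set and the fake_runner stand-in are assumptions made for this illustration.

```python
import subprocess

# Hypothetical allowlist of layout programs a graph renderer may invoke.
# Bare program names only: PATH lookup applies and no shell is involved.
ALLOWED_LAYOUTS = frozenset({"dot", "neato", "twopi", "circo", "fdp", "sfdp"})


def layout_argv_unchecked(savelayout):
    """The weak pattern described above: whatever string the caller passes
    becomes argv[0] of subprocess.Popen()/run(), so it is executed as given."""
    return [savelayout]


def layout_argv_checked(savelayout):
    """Hardened variant: the caller may only select a known program name;
    paths, extra arguments or unknown names are rejected before any process
    is started."""
    if not isinstance(savelayout, str) or savelayout not in ALLOWED_LAYOUTS:
        raise ValueError(f"unsupported layout program: {savelayout!r}")
    return [savelayout, "-Tpng"]


def is_accepted(savelayout):
    """Convenience predicate: True if the value passes the allowlist check."""
    try:
        layout_argv_checked(savelayout)
        return True
    except ValueError:
        return False


def fake_runner(argv, **kwargs):
    """Stand-in for subprocess.run so the example runs without Graphviz;
    it records the argv it would have executed and returns canned output."""
    fake_runner.last_argv = list(argv)
    return subprocess.CompletedProcess(argv, 0, stdout=b"<png bytes>", stderr=b"")


def render_graph(dot_source, savelayout, runner=subprocess.run):
    """Render DOT text with an allowlisted layout program and return stdout.
    The allowlist check runs first, so an unknown value never reaches the
    process launcher; the launcher is injectable for offline testing."""
    argv = layout_argv_checked(savelayout)
    result = runner(argv, input=dot_source.encode(), capture_output=True, check=True)
    return result.stdout
```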
You can find out more about the project via the following video: