Free software activities in August 2022

Here is my monthly update covering what I have been doing in the free software world during August 2022 (previous month):

• Opened pull requests to make the build reproducible in:

  • sphinx-design, a Sphinx documentation extension for "designing beautiful, screen-size responsive web components". This was because it used Python's uuid.uuid4 method to generate unique identifiers, but those numbers are random/nondeterminstic by design. My pull request seeds these random numbers from SOURCE_DATE_EPOCH if it exists, otherwise it will revert back to random numbers. (#90)

  • sphinx-panels. This was a identical issue to sphinx-design described above, but this package has been deprecated. (#82)

  • Psi, the instant messaging application designed for the XMPP network. This was due to using CMake's TIMESTAMP feature without specifying a timezone. This means that, even if SOURCE_DATE_EPOCH is present (which CMake adopts), the generated value —and thus the Psi binary—will vary depending on the build machine's timezone setting. (#669)

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month, I:

• Submitted 8 Debian patches to fix specific reproducibility issues in geeqie, multipath-tools, node-canvas-confetti, psi, rust-rustls, sphinx-panels, sysfsutils & wayfire.

• Kept isdebianreproducibleyet.com up to date. [...]

• Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.

• Drafted, published and publicised our monthly report.

  • sphinx-design, a Sphinx documentation extension for "designing beautiful, screen-size responsive web components". This was because it used Python's uuid.uuid4 method to generate unique identifiers, but those numbers are random/nondeterminstic by design. My pull request seeds these random numbers from SOURCE_DATE_EPOCH if it exists, otherwise it will revert back to random numbers. (#90)

  • sphinx-panels. This was a identical issue to sphinx-design described above, but this package has been deprecated. (#82)

  • Psi, the instant messaging application designed for the XMPP network. This was due to using CMake's TIMESTAMP feature without specifying a timezone. This means that, even if SOURCE_DATE_EPOCH is present (which CMake adopts), the generated value —and thus the Psi binary—will vary depending on the build machine's timezone setting. (#669)

• I made the following changes to diffoscope, including preparing and uploading version 221 and then uploading that version to Debian:

  • Update external_tools.py to reflect changes to xxd and the vim-common package. [...]
  • Depend on the dedicated xxd package now, not the vim-common package. [...]
  • Don't crash if we can open a PDF file using the PyPDF library, but cannot subsequently parse the annotations within. [...]

Debian

Uploads

• memcached (1.6.16-1) — New upstream release.

• python-django:

  • 3.2.14-1 — Revert Debian unstable to using 3.2.x LTS release stream. (#1016090)
  • 3.2.15-1 — New upstream security release. (CVE-2022-36359)
  • 4.1~rc1-1 — New upstream release candidate to experimental.
  • 4.1-1 — New upstream release to experimental.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged exim4 (CVE-2022-37452), exiv2 (CVE-2020-19716), flac (CVE-2021-0561), freecad (CVE-2022-6083, CVE-2021-45844 & CVE-2021-45845), gdk-pixbuf (CVE-2021-46829), gpac Triage CVE-2022-36186, CVE-2022-36190 & CVE-2022-36191), libxml2 (CVE-2016-3709), mbedtls (CVE-2020-36475, CVE-2020-36476 & CVE-2020-36478), net-snmp, php-horde-mime-viewer (CVE-2022-26874), php-horde-turba (CVE-2022-30287), rails, ruby-rack (CVE-2022-30122 & CVE-2022-30123), ruby-tzinfo (CVE-2022-31163), sofia-sip (CVE-2022-31001, CVE-2022-31002 & CVE-2022-31003), sox (CVE-2021-40426), unbound (CVE-2022-30698 & CVE-2022-30699), upx-ucl (CVE-2020-27787) & wkhtmltopdf (CVE-2020-21365).

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Fixed some bugs in a new Python script to walk-through developers adding items to the dla-needed.txt and ela-needed.txt, prompting for various items of potentially-helpful metadata.

• Updated the documentation to correct some grammar [...] and also to correct a number of mistakes caused after the switch of supported distributions [...][...].

• Issued DLA 3077-1 as it was discovered that there was a potential directory traversal vulnerability in ruby-tzinfo, a timezone library for the Ruby programming language.

• Issued DLA 3089-1 to address a potential XSS vulnerability in php-horde-mime-viewer, a MIME viewer library for the Horde groupware platform.

• Issued DLA 3090-1 to fix an arbitrary object deserialization vulnerability in php-horde-turba, an address book component for the Horde groupware suite.

• Issued ELA 670-1 because there was a potential HTTP request smuggling vulnerability in http-parser, a popular library for parsing HTTP messages.

• Issued ELA 660-1 for the squid3 HTTP caching proxy as two vulnerabilities were discovered, the first was a potential information disclosure issue and the second was a potential Denial of Service (DoS) vulnerability caused by improper buffer management.

• Issued ELA 658-1 for libxslt, a widely-used XML processing library.

• Issued ELA 656-1 for libxml2, another widely-used XML library.

• Issued ELA 657-1 for the Ruby webserver ruby-rack as there was a Denial of Service (DoS) vulnerability as well as a potential shell injection vulnerability too.

You can find out more about the project via the following video:

You can subscribe to new posts via email or RSS.