Here is my monthly update covering what I have been doing in the free software world during August 2023 (previous month):
- Opened a pull request against the command-line automation tool Tox to correct a `notset` typo in `--hashseed`'s `--help` text. (#3082)
- Merged a pull request from enekochan to update my user panel addon for the Django Debug Toolbar so that it supports Django version 4.x. (#4)
- Updated my Tickle Me Email tool, which implements Getting Things Done-like behaviours in any IMAP inbox, to support downloading the subject lines from multiple mailboxes at once [...].
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
This month, I:
- Opened a pull request against the command-line automation tool Tox to correct a `notset` typo in `--hashseed`'s `--help` text. This was discovered during reproducibility testing. (#3082)
- Kept isdebianreproducibleyet.com up to date. [...]
- Drafted, published and publicised our monthly report for July 2023.
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- I also submitted six patches to fix specific reproducibility issues in `jtreg6`, `libcerf`, `pytds`, `rpy2`, `tox` & `zlib`.
- Elsewhere in our tooling, I made a number of changes to diffoscope, including preparing and uploading versions `247`, `248` and `249` to Debian. This included adding documentation for the new `specialize_as` method and expanding the documentation of the existing `specialize` as well [...].
- Categorised a huge number of packages and issues in the Reproducible Builds `notes.git` repository, including a handful of new automatic classifiers.
Debian
- `lastpass-cli` (`1.3.4-2`) — Also clean the `test/.lpass` directory. (#1048723)
- `libfiu` (`1.1-4`) — Use `dh_auto_clean` to ensure the package is properly cleaned. (#1048082)
- `memcached` (`1.6.21-2`) — Do more cleanup in the `clean` target. (#1046084)
- `python-django` (`4.2.4-1`) — New upstream bugfix release.
- `7.0.12-2` — Try and clean up better (#1047506), allow the `arm64` crossbuild to run but not to fail the build, replace the dependency on `lsb-base` with `sysvinit-utils`, and drop a very old `debian/NEWS` entry.
- `7.2.0-1` (to experimental) — New upstream stable release.
- `7.2.0-2` (to experimental) — Try and clean up better (#1047506), allow the `arm64` crossbuild to run but not to fail the build, replace the dependency on `lsb-base` with `sysvinit-utils`, and drop a very old `debian/NEWS` entry.
I performed an upload of `mtools` (`4.0.43-1`) for a new upstream version, but also orphaned the package (#1042948).
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged `xqilla` (CVE-2022-24795 & CVE-2017-16516) and `orthanc` (CVE-2023-33466).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3514-1 as it was discovered that there was a potential LDAP injection vulnerability in Bouncy Castle, a cryptographic library for Java. During the certificate validation process, the library inserted the certificate's "Subject Name" into an LDAP search filter without any escaping.
- Issued ELA-914-1 for `python-django` as a significant number of vulnerabilities were discovered in Django, a popular Python-based web development framework.
  - CVE-2021-45115: Denial-of-service possibility in the `UserAttributeSimilarityValidator` class. `UserAttributeSimilarityValidator` incurred significant overhead evaluating submitted passwords that were artificially large relative to the comparison values. On the assumption that access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. In order to mitigate this issue, relatively long values are now ignored by this class.
  - CVE-2021-45116: Potential information disclosure in the dictsort template filter. Due to leveraging the Django Template Language's variable resolution logic, the `|dictsort` template filter was potentially vulnerable to information disclosure or unintended method calls, if passed a suitably crafted key. In order to avoid this possibility, `|dictsort` now works with a restricted resolution logic that will not call methods, nor allow indexing on dictionaries.
  - CVE-2021-45452: Potential directory traversal via `Storage.save()`. `Storage.save()` allowed directory traversal if directly passed suitably crafted file names.
  - CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. Passing certain inputs to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack. The number of file parts parsed is now limited via the (new) `DATA_UPLOAD_MAX_NUMBER_FILES` setting.
  - CVE-2023-31047: Prevent a potential bypass of validation when uploading multiple files using one form field. Uploading multiple files using one form field has never been supported by `forms.FileField` or `forms.ImageField`, as only the last uploaded file was validated. Unfortunately, the "Uploading multiple files" documentation topic suggested otherwise. In order to avoid the vulnerability, the `ClearableFileInput` and `FileInput` form widgets now raise `ValueError` when the `multiple` HTML attribute is set on them. To prevent the exception and keep the old behaviour, developers can set the `allow_multiple_selected` attribute to `True`.
- Issued ELA-829-1 as it was discovered that there were two potential Denial of Service (DoS) attacks in `lldpd`, an implementation of the IEEE 802.1ab protocol that is used to administer and monitor networking devices.
- Issued DLA 3546-1 because it was discovered that there was an issue in the `opendmarc` Domain-based Message Authentication, Reporting and Conformance (DMARC) email filter system. A vulnerability allowed attackers to inject authentication results to provide false information about the domain that originated an email message. This was caused by incorrect parsing and interpretation of SPF/DKIM authentication results. A second update was subsequently needed (DLA 3550-1) in order to backport an (orthogonal) fix for users not using `systemd`.
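The DLA 3514-1 item above describes a certificate Subject Name being placed into an LDAP search filter without escaping. The following is an added illustration (not Bouncy Castle's code, nor anything from this post) of the unescaped construction beside the RFC 4515-escaped form, with a small checker that counts unescaped filter metacharacters; the `cn` attribute and the sample subject are constructed assumptions.

```python
# RFC 4515 section 3: these characters must be escaped inside a filter
# assertion value as a backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unescaped(subject_name: str) -> str:
    """The pattern the advisory describes: the Subject Name is interpolated
    verbatim, so any metacharacters it carries alter the filter's meaning."""
    return f"(cn={subject_name})"


def build_filter_hardened(subject_name: str) -> str:
    """Same lookup, but the subject is escaped so that every parenthesis,
    asterisk or backslash in it is matched literally."""
    return f"(cn={escape_ldap_filter_value(subject_name)})"


def count_unescaped_metachars(ldap_filter: str) -> dict:
    """Walk the filter, skipping \\xx escape sequences, and count the
    metacharacters that still carry structural meaning."""
    counts = {"(": 0, ")": 0, "*": 0}
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # backslash plus two hex digits
            continue
        if ch in counts:
            counts[ch] += 1
        i += 1
    return counts


# Constructed sample: a subject containing parentheses and a wildcard.
SAMPLE_SUBJECT = "Example Corp (Test) *"
```

A filter built from a single attribute should show exactly one `(` and one `)` and no `*` after escaping; the unescaped form does not.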
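The ELA-914-1 item on CVE-2021-45452 notes that `Storage.save()` allowed directory traversal when handed a crafted file name. This is an added example, written for this post rather than taken from Django, of the two defences that shape of fix relies on: rejecting any name that carries path elements, and re-checking that the joined path still lies inside the storage location. The function names and the `/srv/media` location are constructed assumptions.

```python
import os


class SuspiciousFileOperation(Exception):
    """Raised when a file name would escape the storage location."""


def validate_file_name(name: str) -> str:
    """Accept only a bare file name: no directory components, no '..'."""
    if not name or name in (".", ".."):
        raise SuspiciousFileOperation(f"Invalid file name: {name!r}")
    if os.path.basename(name) != name:
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


def is_safe_file_name(name: str) -> bool:
    """Boolean wrapper around validate_file_name for tests and logging."""
    try:
        validate_file_name(name)
    except SuspiciousFileOperation:
        return False
    return True


def safe_join(base: str, *paths: str) -> str:
    """Join and normalise, then verify the result is still under base.
    This catches traversal even if a caller skipped name validation."""
    base_path = os.path.abspath(base)
    final_path = os.path.abspath(os.path.join(base_path, *paths))
    if final_path != base_path and not final_path.startswith(base_path + os.sep):
        raise SuspiciousFileOperation(
            f"The joined path {final_path!r} is outside {base_path!r}"
        )
    return final_path


def join_is_safe(base: str, *paths: str) -> bool:
    """Boolean wrapper around safe_join."""
    try:
        safe_join(base, *paths)
    except SuspiciousFileOperation:
        return False
    return True


def storage_save_path(location: str, name: str) -> str:
    """Compute where a storage backend would write an uploaded file,
    applying both checks in the order a hardened Storage.save() would."""
    return safe_join(location, validate_file_name(name))
```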