Here follows my monthly update covering what I have been doing in the free software world during August 2024 (previous month).
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:

- Submitted five patches to fix specific reproducibility issues in `apg`, `pan`, `python-aiopvpc`, `receptor` & `scikit-optimize`.
- Kept isdebianreproducibleyet.com up to date. [...]
- Discovered an issue in the `tetzle` package where a malformed line in `debian/changelog` (it was missing a date line) was resulting in the package being unreproducible (#1078687). I also discovered, through reproducibility testing, that the `jquery` package does not build from source (#1077808).
- Categorised a large number of packages and issues in the Reproducible Builds `notes.git` repository, including adding a new issue type […].
- Drafted, published and publicised our monthly report for July 2024.
- Updated the main Reproducible Builds website and documentation to set the `future: true` configuration value so we render all files and documents in the website, regardless of whether they have a date property in the future. After all, we don't re-generate the website on a timer, and have other ways of making unpublished, draft posts. […][…]
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and releasing versions 274, 275, 276 and 277, uploading these to Debian, and making the following changes as well:
- New features:
  - Strip ANSI escapes (usually colour codes) from the output of the Procyon Java decompiler. […]
  - Factor out a method for stripping ANSI escapes. […]
  - Append output from `dumppdf(1)` in more cases, avoiding situations where we fall back to a binary diff. […]
  - Add support for version 2.212 of Perl's IO::Compress::Zip. […]
- Bug fixes:
  - Also catch `RuntimeError` exceptions when importing the PyPDF library so that it, or, crucially, its transitive dependencies, cannot cause diffoscope to traceback at runtime and build time. […]
  - Do not call `marshal.load(…)` on precompiled Python bytecode as it is, alas, inherently unsafe. Replace for now with a brief summary of the code section of `.pyc` files. […][…]
  - Don't include excessive debug output when calling `dumppdf(1)`. […]
- Testsuite-related changes:
  - Don't bother to check the version number in `test_python.py`: the fixture for this test is fixed. […][…]
  - Update `test_zip` text fixtures and definitions to support new changes to the Perl IO::Compress library. […]
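The ANSI-stripping change above exists so that two decompilations can be compared as plain text even when a decompiler colours its output. As an added illustration (example code, not diffoscope's implementation), the following regular expression removes CSI colour codes as well as OSC strings and the remaining two-byte escapes, which a naive `\x1b\[[0-9;]*m` pattern would leave behind:

```python
import re

# Matches, in order:
#   CSI sequences  ESC [ <params 0x30-0x3F> <intermediates 0x20-0x2F> <final 0x40-0x7E>,
#                  e.g. "\x1b[1;31m" (bold red) or "\x1b[0m" (reset);
#   OSC strings    ESC ] ... terminated by BEL or ESC \ (terminal hyperlinks, titles);
#   Fe escapes     ESC followed by a single byte in 0x40-0x5F that is not CSI/OSC.
ANSI_ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\^_]"
)


def strip_ansi(text: str) -> str:
    """Return text with terminal escape sequences removed; plain text is unchanged."""
    return ANSI_ESCAPE_RE.sub("", text)


def strip_ansi_lines(lines):
    """Normalise an iterable of decompiler output lines before handing them to a differ."""
    return [strip_ansi(line) for line in lines]


if __name__ == "__main__":
    # Constructed sample: the same Java line, once coloured, once not, should compare equal.
    coloured = "\x1b[1;34mpublic\x1b[0m \x1b[32mclass\x1b[0m Foo {"
    print(strip_ansi(coloured) == "public class Foo {")
```

The third alternative is deliberately ordered last so that a well-formed CSI or OSC sequence is consumed whole rather than only its first two bytes.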
I also prepared a backported version of diffoscope version 240 for Debian stable (#1079689):

- Backport a patch by FC (Fay) Stegerman to fix a build failure caused by a zip bomb-related security fix uploaded in `python3.11` version `3.11.2-6+deb12u2` via #1070133. diffoscope's testsuite deliberately uses a `.zip` file that has overlapping entries. (#1078883)
- Do not call `marshal.loads` on precompiled Python bytecode as it is inherently unsafe. Replace, for now, with a brief textual summary of the file's 'code' section of `.pyc` files instead. […]
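Both the diffoscope 277 change and the stable backport above replace `marshal.load(s)` on `.pyc` files with a textual summary. The reason is that `marshal` is documented as unsafe on data you did not produce yourself: malformed input can crash the interpreter, and a diffing tool by definition reads arbitrary files. The following is an added example (not diffoscope's own code) of what such a summary can safely contain: it parses only the fixed-size PEP 552 header (magic number, flags, then either mtime and source size or a source hash) and treats the marshalled code object that follows as an opaque blob whose length is reported. The `build_sample_pyc` helper constructs a sample `.pyc` in memory for the demonstration.

```python
"""Summarise a CPython .pyc without unmarshalling its code object (added example)."""
import importlib.util
import marshal
import struct
import time

HEADER_SIZE = 16  # PEP 552: 4-byte magic, 4-byte flags, 8 bytes of mtime+size or source hash


def summarize_pyc(data: bytes) -> dict:
    """Parse only the .pyc header; marshal.loads is never called on the payload."""
    if len(data) < HEADER_SIZE:
        raise ValueError(f"truncated .pyc: {len(data)} bytes, header needs {HEADER_SIZE}")
    magic = data[:4]
    if magic[2:] != b"\r\n":  # the magic always ends in CRLF so text-mode damage is detectable
        raise ValueError("not a .pyc: magic number does not end in CRLF")
    (flags,) = struct.unpack("<I", data[4:8])
    if flags & ~0x3:  # only bit 0 (hash-based) and bit 1 (check_source) are defined
        raise ValueError(f"unknown flag bits set: {flags:#x}")
    summary = {
        "magic": struct.unpack("<H", magic[:2])[0],
        "magic_matches_interpreter": magic == importlib.util.MAGIC_NUMBER,
        "hash_based": bool(flags & 0x1),
        "check_source": bool(flags & 0x2),
        "code_section_size": len(data) - HEADER_SIZE,
    }
    if summary["hash_based"]:
        summary["source_hash"] = data[8:16].hex()
    else:
        mtime, size = struct.unpack("<II", data[8:16])
        summary["source_mtime"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(mtime))
        summary["source_size"] = size
    return summary


def describe_pyc(data: bytes) -> str:
    """Render the summary as the kind of text a diff tool can compare line by line."""
    s = summarize_pyc(data)
    which = "current" if s["magic_matches_interpreter"] else "other"
    lines = [f"magic: {s['magic']} ({which} interpreter)"]
    if s["hash_based"]:
        lines.append(f"source hash: {s['source_hash']} (checked: {s['check_source']})")
    else:
        lines.append(f"source mtime: {s['source_mtime']}, source size: {s['source_size']} bytes")
    lines.append(f"code section: {s['code_section_size']} bytes (not unmarshalled)")
    return "\n".join(lines)


def build_sample_pyc(source: str, mtime: int = 0, hash_based: bool = False) -> bytes:
    """Construct a .pyc in memory for the demo. This is the trusted, producing side, so
    marshal.dumps is fine here; it is marshal.loads on files of unknown origin that is not."""
    source_bytes = source.encode()
    body = marshal.dumps(compile(source, "<sample>", "exec"))
    if hash_based:
        header = (importlib.util.MAGIC_NUMBER + struct.pack("<I", 0x3)
                  + importlib.util.source_hash(source_bytes))
    else:
        header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, mtime, len(source_bytes))
    return header + body


if __name__ == "__main__":
    print(describe_pyc(build_sample_pyc("x = 1\n", mtime=1_700_000_000)))
```

Truncated files and unknown flag bits are rejected rather than guessed at; a real tool would fall back to a byte-level diff in that case, as diffoscope does for other unparseable inputs.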
Debian uploads
- `bfs`:
  - `3.3.1-3` — Pass the `CC` environment variable to the `./configure` script to fix cross-build support. (#1078525)
  - `3.3.1-4` — Correctly (i.e. explicitly) include `buildtools.mk` in `debian/rules`; it is not yet included by default.
  - `4.0.1-1` — New upstream release.
- `lastpass-cli` (`1.6.0-1`) — New upstream release.
- `4.2.15-1` — New upstream security release (#1078074) to address four CVEs; `5.1-1` — New upstream 5.1 release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Investigated and triaged a number of somewhat historical issues for `python-django` such as CVE-2024-41991 and CVE-2024-42005, as well as investigating precisely which CVEs for `redis` apply to which versions.
- Prepared a number of packages for Debian bullseye, to be released and announced in early September.
- Issued DLA 3856-1 as there was a sanitisation bypass issue in `python-html-sanitizer`, a library used to ensure that user-specified content cannot inject HTML or JavaScript into a webpage. If the default `keep_typographic_whitespace=False` value was set, malicious users could have exploited the fact that some Unicode characters normalise to chevrons, which allowed specially-crafted HTML to escape sanitisation.
- Issued ELA-1163-1 because a Denial of Service (DoS) vulnerability was discovered in the jessie and stretch versions of Django, a popular Python-based web development framework. The `floatformat` template filter was subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
- Issued ELA-1164-1 as a number of vulnerabilities were discovered in the buster version of Django:
  - CVE-2024-41991: Fix an issue where the `urlize` and `urlizetrunc` template filters (as well as the `AdminURLFieldWidget` widget) were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
  - CVE-2024-42005: Fix an issue where the `QuerySet.values()` and `values_list()` methods on models with a `JSONField` were subject to a SQL injection attack through column aliases via a crafted JSON object key.
  - CVE-2024-41989: The `floatformat` template filter was subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
- Issued ELA-1167-1 because it was discovered that there was a series of integer overflow vulnerabilities in LibTomMath, a multiple-precision mathematics library. This could have allowed attackers to execute arbitrary code and/or cause a denial of service (DoS).
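The DLA 3856-1 entry above describes a class of bypass that is worth seeing in miniature: Unicode characters such as U+FF1C FULLWIDTH LESS-THAN SIGN and U+FE65 SMALL GREATER-THAN SIGN are harmless to a tag filter but become ASCII `<` and `>` under NFKC normalisation. The following is an added example, not python-html-sanitizer's code, and it assumes (as a reading of the DLA text rather than a fact the page states) that the bug is one of ordering: sanitise first and normalise afterwards, and the look-alikes turn into real tags after the filter has already run. The regex tag stripper stands in for a real HTML parser, and the toy does not model the `keep_typographic_whitespace` option itself; `chevron_lookalikes` scans the Basic Multilingual Plane for every character that would trigger the problem.

```python
"""Toy model of a normalise-after-sanitise bypass (added example)."""
import re
import unicodedata

TAG_RE = re.compile(r"<[^>]*>")  # toy: a real sanitiser uses an HTML parser, not a regex


def strip_tags(text: str) -> str:
    return TAG_RE.sub("", text)


def sanitize_vulnerable(text: str) -> str:
    """Sanitise, then NFKC-normalise: look-alike chevrons become real tags afterwards."""
    return unicodedata.normalize("NFKC", strip_tags(text))


def sanitize_fixed(text: str) -> str:
    """NFKC-normalise, then sanitise: look-alikes are already ASCII when tags are removed."""
    return strip_tags(unicodedata.normalize("NFKC", text))


def chevron_lookalikes(limit: int = 0x10000) -> list:
    """Non-ASCII code points below `limit` whose NFKC form contains '<' or '>'."""
    found = []
    for cp in range(0x80, limit):
        ch = chr(cp)
        if unicodedata.category(ch).startswith("C"):  # skip controls, surrogates, unassigned
            continue
        if any(c in "<>" for c in unicodedata.normalize("NFKC", ch)):
            found.append(cp)
    return found


# Constructed payload: U+FF1C and U+FF1E full-width chevrons around a script element.
PAYLOAD = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"

if __name__ == "__main__":
    print("vulnerable:", sanitize_vulnerable(PAYLOAD))   # a live <script> element
    print("fixed:     ", sanitize_fixed(PAYLOAD))        # tags removed, text kept
    print("look-alikes:", [f"U+{cp:04X}" for cp in chevron_lookalikes()])
```

The general rule this illustrates is that any canonicalisation step (Unicode normalisation, percent-decoding, entity decoding) has to run before the security check, never after it, because the check can only reason about the form of the data it actually sees.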