Here is my monthly update covering what I have been doing in the free software world during December 2022 (previous month).
Reproducible Builds
The goal of the Reproducible Builds effort is to ensure no flaws can be introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on what the 'correct', non-compromised build should be.
This month, I:
- Filed an upstream pull request against Sphinx, the popular documentation generator used extensively in Python projects. Instead of the usual situation where Sphinx was generating documentation that was unreproducible, however, it was Sphinx's own documentation that was nondeterministic. This was because the `locale_dir` keyword argument for the `init_console` method within Sphinx defaulted to the path that method is implemented in (using Python's `__file__` mechanism). That (non-deterministic) default argument was then included in the documents, which made the build unreproducible as, of course, it varies depending on the directory you created the documentation from. ([...])
- Kept isdebianreproducibleyet.com up to date. [...]
- Made another large batch of Debian non-maintainer uploads (NMUs) to apply reproducibility patches that had been lingering in the bug tracker for some time:
- I also submitted a number of patches to fix specific reproducibility issues within Debian, including bugs in `cctools`, `jamin`, `opari2`, `python-django-health-check` & `sphinx` (forwarded upstream).
- Drafted, published and publicised our monthly report for November 2022.
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
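The Sphinx item above describes a default argument computed from `__file__` leaking the build directory into rendered signatures. The following is an added, self-contained illustration of that failure mode beside the fixed pattern; it is not Sphinx's code, and `init_console_unreproducible`, `init_console_reproducible`, `_HERE` and `stand_in.py` are constructed stand-ins.

```python
import inspect
import os

# Directory this module was imported from: a constructed stand-in for the Sphinx
# source tree. The fallback only matters if the module is exec'd without __file__.
_HERE = os.path.dirname(os.path.abspath(globals().get("__file__", "stand_in.py")))


def init_console_unreproducible(locale_dir=os.path.join(_HERE, "locale")):
    """Hypothetical stand-in for the pre-fix init_console (not Sphinx's code).

    The default is evaluated once, at import time, from __file__. Autodoc then
    renders the signature, absolute path included, into the generated HTML, so
    two builds from different checkout directories produce different documents.
    """
    return locale_dir


def init_console_reproducible(locale_dir=None):
    """Hypothetical stand-in for the fixed init_console (not Sphinx's code).

    The signature now carries a build-independent sentinel; the real path is
    resolved only when the function runs, never when the docs are rendered.
    """
    if locale_dir is None:
        locale_dir = os.path.join(_HERE, "locale")
    return locale_dir


def rendered_signature(func):
    """The text autodoc would embed in the built documentation."""
    return str(inspect.signature(func))


def signature_is_build_independent(func):
    """Reproducibility check: a rendered signature must not leak the build directory."""
    return _HERE not in rendered_signature(func)


if __name__ == "__main__":
    for f in (init_console_unreproducible, init_console_reproducible):
        print(f"{f.__name__}{rendered_signature(f)} "
              f"reproducible={signature_is_build_independent(f)}")
```

Running the block from two different directories shows the first signature change while the second stays byte-for-byte identical, which is exactly the property a reproducible documentation build needs.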
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 228, 229 and 230 to Debian:
- Fix compatibility with `file(1)` version 5.43, with thanks to Christoph Biedl. [...]
- Skip the `test_html.py::test_diff` test if `html2text` is not installed. (#1026034)
- Update copyright years. [...]
- Reviewed and merged a significant number of contributions from others.
Debian
- `python-django` (4.1.4-1) — New upstream bugfix release.
- `redis` (5:7.0.7-1) — New upstream release.
- `lastpass-cli` (1.3.4-1) — New upstream version.
I performed a number of QA and NMU uploads as part of an ongoing campaign within the Reproducible Builds effort (see above).
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged: `asterisk` (CVE-2022-39244 & CVE-2022-39269), `cacti` (CVE-2022-46169), `capnproto` (CVE-2022-46149), `dlt-daemon` (CVE-2022-31291), `gpac` (CVE-2022-45283), `node-d3-color` & `node-follow-redirects` (CVE-2022-0536), & `node-set-value` (CVE-2021-23440).
- Frontdesk duties, responding to other developers' questions, participating in mailing list discussions, monthly meeting etc.
- Issued DLA 3246-1 as it was discovered that there was an issue in Hawk, an HTTP authentication scheme used in Node.JS applications. Hawk used a regular expression to parse `Host` HTTP headers which was subject to a regular expression DoS attack. Each added character in the attacker's input increased the computation time exponentially.
- Issued DLA 3247-1 for `node-trim-newlines` because there was a potential remote denial of service vulnerability in node-trim-newlines, a JavaScript module to strip newlines from the start and/or end of a string.
- Issued DLA 3254-1 and ELA-761-1 for the `exuberant-ctags` source code parser as it was shown that it incorrectly handled the `-o` command-line option which specifies the tag filename. A crafted tag filename specified on the command line or in the configuration file could have resulted in arbitrary command execution because the `externalSortTags()` function in `sort.c` called the `system(3)` function in an unsafe way.
- Issued DLA 3253-1. This was because there was an out-of-bounds read and integer underflow vulnerability in Open vSwitch, a software-based Ethernet virtual switch.
- Issued DLA 3257-1 for GNU Emacs. This was similar to DLA 3253-1 (above) in that attackers could have executed arbitrary commands via shell metacharacters in the name of a source-code file: this was because `lib-src/etags.c` used the `system(3)` library function when calling the (external) `ctags(1)` binary.
You can find out more about the LTS project via the following video: