Here is my monthly update covering what I have been doing in the free software world during December 2022 (previous month).
The goal of the Reproducible Builds effort is to ensure no flaws can be introduced during compilation processes by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on what the 'correct', non-compromised build should be.
This month, I:
Filed an upstream pull request against Sphinx, the popular documentation generator used extensively in Python projects. Instead of the usual situation where Sphinx was generating documentation that was unreproducible, however, it was Sphinx's own documentation that was nondeterministic. This was because the locale_dir keyword argument for the init_console method within Sphinx defaulted to the path that method is implemented in (using Python's __file__ mechanism). That (non-deterministic) default argument was then included in the documents, which made the build unreproducible as, of course, it varies depending on the directory you created the documentation from. ([...])
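The pattern described above, as an added example (it is not Sphinx's own code): a keyword argument whose default is computed from __file__ is evaluated once at import time, so the rendered signature carries the absolute build directory, whereas defaulting to None and resolving the path inside the function keeps the documented signature constant. The function names and the absolute_path_defaults lint check are assumptions made for this illustration.

```python
"""Added example (not Sphinx's own code): a default argument derived from
__file__ embeds the build directory in autodoc output, and the usual fix."""
import inspect
import os


def init_console_unreproducible(locale_dir=os.path.dirname(os.path.abspath(__file__))):
    """Unreproducible: the default is evaluated once at import time, so it is the
    absolute directory this module was built from, which autodoc then prints."""
    return locale_dir


def init_console_reproducible(locale_dir=None):
    """Reproducible: the documented default is the constant None, and the
    build-specific path is only computed when the function actually runs."""
    if locale_dir is None:
        locale_dir = os.path.dirname(os.path.abspath(__file__))
    return locale_dir


def rendered_signature(func):
    """What an autodoc-style tool emits for a function: name plus signature,
    defaults included, which is exactly where the path above leaks."""
    return f"{func.__name__}{inspect.signature(func)}"


def absolute_path_defaults(func):
    """Lint check (hypothetical helper): parameters whose default value is an
    absolute filesystem path. Any hit makes the rendered signature vary with
    the build tree, and so makes the generated documentation unreproducible."""
    return [
        name
        for name, param in inspect.signature(func).parameters.items()
        if isinstance(param.default, str) and os.path.isabs(param.default)
    ]


if __name__ == "__main__":
    for f in (init_console_unreproducible, init_console_reproducible):
        print(rendered_signature(f), "->", absolute_path_defaults(f) or "ok")
```

Running the module from two different checkout directories prints two different signatures for the first function and the same "init_console_reproducible(locale_dir=None)" for the second; the lint check can be run over a module's public functions in CI to catch the pattern before it reaches the documentation.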
Made another large batch of Debian non-maintainer uploads (NMUs) to apply reproducibility patches that had been lingering in the bug tracker for some time:
Drafted, published and publicised our monthly report for November 2022.
Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading version 230 to Debian:
- Fix compatibility with file(1) version 5.43, with thanks to Christoph Biedl. [...]
- Skip the html2text is not installed. (#1026034)
- Update copyright years. [...]
- Reviewed and merged a significant number of contributions from others.
5:7.0.7-1) — New upstream release.
1.3.4-1) — New upstream version.
I performed a number of QA and NMU uploads as part of an ongoing campaign within the Reproducible Builds effort (see above).
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
Investigated and triaged: asterisk (CVE-2022-39244 & CVE-2022-39269),
Frontdesk duties, responding to other developers' questions, participating in mailing list discussions, monthly meeting etc.
Issued DLA 3246-1 as it was discovered that there was an issue in Hawk, an HTTP authentication scheme used in Node.JS applications. Hawk used a regular expression to parse Host HTTP headers which was subject to a regular expression DoS attack. Each added character in the attacker's input increased the computation time exponentially.
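The defensive side of the Host-header problem described above, as an added example that is not Hawk's code: the header length is bounded before any regex runs, and the pattern itself uses single, bounded character classes with no nested or overlapping quantifiers, so a failing match backtracks at most linearly in the input. The MAX_HOST_HEADER_LEN bound and the exclusion of bracketed IPv6 literals are assumptions made for this example.

```python
"""Added example, not Hawk's code: parsing the HTTP Host header in a way that
cannot be driven into catastrophic regex backtracking."""
import re

# Assumption: hard upper bound on header length, checked before any regex runs,
# so the matching cost is capped no matter what pattern is used.
MAX_HOST_HEADER_LEN = 255

# One bounded character class for the host, one for the port, both anchored.
# No nested or overlapping quantifiers, so a failing match backtracks at most
# linearly in the input rather than exponentially.  (Bracketed IPv6 literals
# are deliberately out of scope for this illustration.)
_HOST_RE = re.compile(r"\A([A-Za-z0-9.-]{1,253})(?::([0-9]{1,5}))?\Z")


def parse_host_header(value):
    """Return (host, port) from a Host header value; port is None if absent.
    Raises ValueError on anything that is overlong or malformed."""
    if len(value) > MAX_HOST_HEADER_LEN:
        raise ValueError("Host header too long")
    match = _HOST_RE.match(value)
    if match is None:
        raise ValueError("malformed Host header")
    host, port = match.group(1), match.group(2)
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
    return host.lower(), port


def rejects(value):
    """Convenience for tests and logging: True if the value is refused."""
    try:
        parse_host_header(value)
    except ValueError:
        return True
    return False
```

The length check is the part that matters most operationally: even if a later change reintroduces an ambiguous pattern, the worst-case work is bounded by a 255-character input rather than by whatever the client chooses to send.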
Issued DLA 3247-1 for
Issued DLA 3254-1 and ELA-761-1 for the exuberant-ctags source code parser as it was shown that it incorrectly handled the -o command-line option which specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file could have resulted in arbitrary command execution because the system(3) function in an unsafe way.
Issued DLA 3257-1 for GNU Emacs. This was similar to DLA 3253-1 (above) in that attackers could have executed arbitrary commands via shell metacharacters in the name of a source-code file: this was because system(3) library function when calling the (external)
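Both the exuberant-ctags and the GNU Emacs advisories above come down to the same defect: a filename under the user's control is spliced into a string that system(3) hands to a shell. The following added example (not code from either project) shows the unsafe string construction next to the hardened form, in which the filename is passed as a single argv element with no shell involved, plus quoting for the case where a shell is unavoidable and a metacharacter check usable for validation or logging. The sample filename, the tool name ctags and the helper names are constructed for this illustration.

```python
"""Added example, not ctags' or Emacs' code: the difference between handing an
attacker-controlled filename to a shell via system(3)-style string building
and passing it as a single argv element."""
import shlex
import subprocess

# Constructed sample: a tag filename carrying shell metacharacters, as could
# appear on a command line or in a configuration file.
SAMPLE_TAG_FILE = "project.tags; echo injected"

SHELL_METACHARACTERS = set(";|&$`<>()\n\"'\\ ")


def unsafe_command_line(tag_file):
    """The system(3) pattern: the filename is spliced into a string that a
    shell will parse, so metacharacters in it become additional commands.
    Built here only to show what the shell would see; never executed."""
    return f"ctags -o {tag_file}"


def safe_argv(tag_file):
    """Hardened form: an argv list runs the tool directly (no shell), so the
    whole filename is one opaque argument whatever characters it contains."""
    return ["ctags", "-o", tag_file]


def safe_shell_fragment(tag_file):
    """If a shell really is unavoidable, quote the value so it stays one word."""
    return f"ctags -o {shlex.quote(tag_file)}"


def has_shell_metacharacters(name):
    """Validation/detection hook: flag filenames that would need quoting."""
    return any(ch in SHELL_METACHARACTERS for ch in name)


def run_tool(argv):
    """Execute with shell=False; argv elements are never re-parsed by a shell."""
    return subprocess.run(argv, shell=False, check=True, capture_output=True)
```

The argv form is the one to reach for first: it removes the shell from the picture entirely, so there is nothing to quote and no metacharacter list to keep complete. The quoting helper and the metacharacter check are fallbacks for code paths (configuration files, wrapper scripts) where a shell command string is genuinely required.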
You can find out more about the LTS project via the following video: