Here is my monthly update covering what I have been doing in the free software world during December 2023 (previous month).
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure that no flaws have been introduced during the compilation process, by ensuring that identical results are always generated from a given source. This allows multiple third parties to come to a consensus on whether a build was compromised.
This month:
- I was honoured to learn that my paper Reproducible Builds: Increasing the Integrity of Software Supply Chains, co-written with Dr. Stefano Zacchiroli, was awarded the IEEE Computer Society's IEEE Software "Best Paper award" for 2022.
- In Debian:
  - Submitted 5+ patches to fix specific reproducibility issues in openpyxl, python-aiostream, python-multipletau, stunnel4 & wxmplot.
  - Kept isdebianreproducibleyet.com up to date. [...]
- Drafted, published and publicised our monthly report for November 2023, and updated the code that generates outlines for all of our monthly reports so that it no longer quits with a Traceback if the YAML data source is corrupted in the current version or, as is more likely, somewhere in its Git history. [...]
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, I made a number of changes, including:
  - Process objdump symbol comment filter inputs as Python bytes (and not str) instances. [...]
Debian
- 5.0-1 — New upstream stable release (uploaded to experimental).
- 4.2.8-1 — New upstream bugfix release (uploaded to unstable).
Debian LTS
This month I worked 18 hours on Debian Long Term Support (LTS) as well as 12 hours on its sister Extended LTS project.
- Investigated and triaged clickhouse (CVE-2023-47118, CVE-2023-48298 & CVE-2023-48704), curl (CVE-2023-27534), dask.distributed (CVE-2021-42343), h2o (CVE-2023-41337), jenkins-htmlunit-core-js (CVE-2023-49093) & php-guzzlehttp-psr7 (CVE-2023-29197) … not including adding notes and commit references to a number of other packages.
- Issued DLA 3688-1 for Debian LTS because it was discovered that there was a potential information disclosure vulnerability in HAProxy, a reverse proxy server used to load balance HTTP requests across multiple backend servers. Formerly, HAProxy accepted the # (i.e. the "pound" or "hash") symbol as part of a URI component. This might have allowed remote attackers to obtain sensitive information upon HAProxy's misinterpretation of a so-called path_end rule, such as by routing index.html#.png to a static server. This was fixed by backporting upstream's patch, which specifically checks for these characters, to the version in Debian LTS.
- Issued DLA 3689-1 and ELA-1023-1 as it was discovered that there was a keyboard injection attack in the BlueZ Bluetooth protocol stack, a set of services and tools for interacting with wireless devices. It seems that, prior to this change at least, BlueZ may have permitted unauthenticated peripherals to establish encrypted connections to BlueZ and thereby accept keyboard messages, potentially permitting injection of so-called HID (~keyboard) commands, despite no user ever authorising such access. This issue was fixed by inverting a configuration flag default that was previously set up with a value to "maximize device compatibility".
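The HAProxy issue behind DLA 3688-1 above is easiest to see with a toy model of the routing decision. The following is an added example written for this page, not code from the post, from HAProxy or from the Debian patch. It models a path_end ACL over a constructed three-line routing policy (an assumption), contrasts the lenient parser that accepted # inside the path with a fixed one (assumed here to answer 400 Bad Request), and assumes an origin server that treats # as a fragment delimiter, so that what the proxy classified and what the origin serves disagree.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed routing policy (an assumption for this example, not a config
# taken from the post or from any real deployment):
#     acl is_static path_end .png .css .js
#     use_backend static if is_static
#     default_backend app
STATIC_SUFFIXES: Tuple[str, ...] = (".png", ".css", ".js")


@dataclass(frozen=True)
class Decision:
    backend: str                # "static", "app" or "rejected"
    status: Optional[int]       # HTTP status when the proxy rejects the request
    origin_path: Optional[str]  # the path the chosen origin would actually serve


def path_component(request_target: str) -> str:
    """Path of a request-target, with the query string (if any) removed."""
    return request_target.split("?", 1)[0]


def is_static(path: str) -> bool:
    """Models `acl is_static path_end .png .css .js`: a plain suffix match."""
    return path.endswith(STATIC_SUFFIXES)


def route(request_target: str, reject_fragment: bool) -> Decision:
    """Route one request-target through the constructed policy.

    reject_fragment=False models the lenient behaviour: a '#' is accepted as
    part of the path, so the path_end match sees it.  reject_fragment=True
    models the fixed behaviour, assumed here to answer 400 Bad Request.
    """
    if reject_fragment and "#" in request_target:
        return Decision("rejected", 400, None)
    path = path_component(request_target)
    backend = "static" if is_static(path) else "app"
    # Assumption: the origin behind either backend treats '#' as a fragment
    # delimiter and serves the resource named before it.  That is the
    # disagreement this example is about: the proxy classified the whole
    # string, but the origin serves only its prefix.
    origin_path = path.split("#", 1)[0]
    return Decision(backend, None, origin_path)


def routing_mismatch(request_target: str, reject_fragment: bool) -> bool:
    """True when the proxy chose the static backend for a resource that, as
    actually served by the origin, does not satisfy the static ACL at all."""
    d = route(request_target, reject_fragment)
    return d.backend == "static" and not is_static(d.origin_path or "")


if __name__ == "__main__":
    # Constructed sample request-targets.
    samples = [
        "/img/logo.png",
        "/admin/index.html",
        "/admin/index.html#.png",
        "/admin/index.html?x=1#.png",
    ]
    for reject in (False, True):
        print("fixed ('#' rejected)" if reject else "lenient ('#' accepted)")
        for target in samples:
            d = route(target, reject_fragment=reject)
            flag = "  <- ACL bypass" if routing_mismatch(target, reject) else ""
            print(f"  {target:28s} -> {d.backend:8s} status={d.status} "
                  f"origin={d.origin_path}{flag}")
```

With the lenient parser, /admin/index.html#.png satisfies the path_end .png ACL and is sent to the static backend, while the origin serves /admin/index.html; any restriction that relied on non-static paths reaching only the app backend is sidestepped. With the fixed parser the request never reaches the ACL. The same check is useful when auditing other routing layers: feed each ACL a request-target containing # and compare the backend chosen with the resource the origin would actually return.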