Free software activities in February 2022

Here is my monthly update covering what I have been doing in the free software world during February 2022 (previous month):

• As part of my duties of being on the board of directors of the Software in the Public Interest I attended its respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.

• Opened pull requests to make the build reproducible in:

  • ltsp, in order to make the generated dates timezone-agnostic [...]

  • Matplotlib's mpl-sphinx-theme, to make the documentation build reproducibly. [...]

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• Filed a pull request against ltsp in order to make the generated dates timezone-agnostic. [...]

• Created a pull request for Matplotlib's mpl-sphinx-theme in order to make the documentation build reproducibly. [...]

• Kept isdebianreproducibleyet.com up to date. [...]

• Submitted the following patches to fix reproducibility-related toolchain issues within Debian:

  • jcabi-aspects: Please make the build (partly) reproducible. [...]

  • pcmemtest: Please make the build (partly) reproducible. [...]

• I also submitted 6 patches to fix specific reproducibility issues in gap-hapcryst, hatchling, ltsp, mpl-sphinx-theme, paper-icon-theme & tree-puzzle. I also filed a bug against freesas in order to report that the manpage contains a Python traceback. This includes the build directory and, therefore, renders the build unreproducible. (#1006206)

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for January 2022.

• Updated the main Reproducible Builds website and documentation, including:

  • Considerably rework the Who is involved? page. [...][...]
  • Move the contributors.sh Bash/shell script into a Python script. [...][...][...]

Elsewhere in tooling related to Reproducible Builds, I made the following changes to diffoscope, including preparing and uploading versions 203, 204, 205 and 206 to Debian:

• Bug fixes:

  • Fix a file(1)-related regression where Debian .changes files that contained non-ASCII text were not identified as such, therefore resulting in seemingly arbitrary packages not actually comparing the nested files themselves. The non-ASCII parts were typically in the Maintainer or in the changelog text. [...][...]
  • Fix a regression when comparing directories against non-directories. [...][...]
  • If we fail to scan using binwalk, return False from BinwalkFile.recognizes. [...]
  • If we fail to import binwalk, don't report that we are missing the Python rpm module! [...]

• Testsuite improvements:

  • Add a test for recent file(1) issue regarding .changes files. [...]
  • Use our assert_diff utility where we can within the test_directory.py set of tests. [...]
  • Don't run our binwalk-related tests as root or fakeroot. The latest version of binwalk has some new security protection against this. [...]

• Codebase improvements:

  • Drop the _PATH suffix from module-level globals that are not paths. [...]
  • Tidy some control flow in Difference._reverse_self. [...]
  • Don't print a warning to the console regarding NT_GNU_BUILD_ID changes. [...]

Debian

Uploads

• redis (7.0~rc1-1) — New upstream 7.x release.

• python-django:

  • 3.2.12-1 — New upstream security release.
  • 3.2.12-2 — Fix a traceback around the handling of RequestSite/get_current_site() due to a circular import. (#1003478)
  • 4.0.2-1 — New upstream security release.

• memcached (1.6.14-1) — New upstream release.

• bfs (2.4.1-1) — New upstream release.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged: mruby (CVE-2022-0240, CVE-2022-0481), libde265 (CVE-2021-36408, CVE-2021-36409, CVE-2021-36410, CVE-2021-36411), atftp (CVE-2021-46671), etc.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in various mailing list discussions and so on.

• Aided in the disclosure and fix of CVE-2022-0543 in two Debian distributions, a (Debian-specific) Lua sandbox escape vulnerability in the Redis database. This vulnerability existed because the Lua library in Debian is provided as a dynamic library. A "package" variable was automatically populated that in turn permitted access to arbitrary Lua functionality. As this extended to, for example, the "execute" function from the Lua os module, an attacker with the ability to execute arbitrary Lua code could potentially execute arbitrary shell commands. A special thanks to Reginaldo Silva for discovering and reporting this issue. (#1005787)

• Issued DLA 2906-1 for the Django web development framework that addressed two vulnerabilities: the first surrounding a possible XSS via the {% debug %} template tag and the second involved a potential denial-of-service attack via file uploads.

• Issued DLA 2910-1 to correct a number of different issues in ldns, a library used in programs that use the Domain Name System (DNS). The issues addressed included CVE-2020-19860, CVE-2020-19861, CVE-2017-1000231 and CVE-2017-1000232.

• Issued DLA 2924-1 as it was discovered that there was a potential remote denial of service (DoS) vulnerability in XStream, a Java library used to serialize objects to XML and back again.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.