Here is my monthly update covering what I have been doing in the free software world during February 2023 (previous month):
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
- Attended the Open Technology Fund's summit in Austin, TX.
- Investigated another reproducibility issue within the Sphinx documentation generator, which was not emitting the representation of nested set objects in a reliable order. Originally filed by James Addison, the issue in question might be that:
  "This seems to be because Sphinx is essentially running repr(…) on a set() data structure nested within a tuple object, and it isn't sorting the contents of that nested set() when rendering it. [...]"
- Worked on a pull request to make the output of marked-man reproducible. This is a tool that wraps the marked utility to extend it with groff output support in order to create Unix manual pages for use with the usual man system; without my pull request, the output depends on the build system's timezone.
- In Debian:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - I submitted 9 patches to fix specific reproducibility issues in adacgi, cwltool, gap-browse, gawk, multipath-tools, node-marked-man, pyproject-api, pysdl2 & ruby-pgplot.
- Drafted, published and publicised our monthly report.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
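The Sphinx and marked-man items above are two faces of the same reproducibility problem: output that depends on state outside the source tree (a set's hash-dependent iteration order in one case, the build machine's timezone in the other). The following is an added example of my own, not code from Sphinx, marked-man or either pull request: a repr() replacement that sorts set members at every nesting level, and a timestamp function that honours the SOURCE_DATE_EPOCH convention and always formats in UTC. The function names, the "%Y-%m-%d" format and the `now_iso` parameter are assumptions made for the example.

```python
# Added example: two sources of build nondeterminism and deterministic
# replacements. Not code from Sphinx or marked-man; names are illustrative.
import datetime
import os


def deterministic_repr(value):
    """Like repr(), but set/frozenset members are emitted in sorted order,
    recursing through tuples, lists and dicts so nested sets are covered too.

    Plain repr() walks a set in hash order; for str members that order can
    change from one interpreter process to the next (hash randomisation),
    which is exactly what makes generated documentation differ between
    builds. Members are ordered by their rendered text, which is stable
    across runs even when the members are of mixed types."""
    if isinstance(value, (set, frozenset)):
        members = sorted(deterministic_repr(v) for v in value)
        if isinstance(value, frozenset):
            return "frozenset({%s})" % ", ".join(members) if members else "frozenset()"
        return "{%s}" % ", ".join(members) if members else "set()"
    if isinstance(value, tuple):
        inner = ", ".join(deterministic_repr(v) for v in value)
        return "(%s,)" % inner if len(value) == 1 else "(%s)" % inner
    if isinstance(value, list):
        return "[%s]" % ", ".join(deterministic_repr(v) for v in value)
    if isinstance(value, dict):
        pairs = sorted(
            (deterministic_repr(k), deterministic_repr(v)) for k, v in value.items()
        )
        return "{%s}" % ", ".join("%s: %s" % kv for kv in pairs)
    return repr(value)


def build_timestamp(now_iso=None, environ=None):
    """Date string to embed in generated output (e.g. a manual page footer).

    SOURCE_DATE_EPOCH, the reproducible-builds convention for "the time this
    source was last modified", wins when set. Either way the moment is
    converted to UTC before formatting, so a build at 23:30 in UTC-5 and one
    at 04:30 UTC the next morning render the same date. `now_iso` is an ISO
    8601 timestamp with offset, accepted instead of reading the wall clock so
    the function can be exercised without depending on the host's clock."""
    environ = os.environ if environ is None else environ
    utc = datetime.timezone.utc
    epoch = environ.get("SOURCE_DATE_EPOCH")
    if epoch is not None:
        moment = datetime.datetime.fromtimestamp(int(epoch), tz=utc)
    elif now_iso is not None:
        moment = datetime.datetime.fromisoformat(now_iso).astimezone(utc)
    else:
        moment = datetime.datetime.now(tz=utc)
    return moment.strftime("%Y-%m-%d")


def timezone_dependent_timestamp(epoch):
    """The pattern that causes the problem: fromtimestamp() without tz= uses
    the build machine's local zone, so the same SOURCE_DATE_EPOCH value can
    yield different dates on different builders. Kept only for contrast."""
    return datetime.datetime.fromtimestamp(int(epoch)).strftime("%Y-%m-%d")


if __name__ == "__main__":
    sample = ("index", {"zeta", "alpha", "mid"}, frozenset({3, 1, 2}))
    print(deterministic_repr(sample))
    print(build_timestamp(environ={"SOURCE_DATE_EPOCH": "1675209600"}))
```

Sorting by rendered text rather than by value is a deliberate choice: it never raises on mixed-type sets (ints next to strings), and stability across runs is what matters for a reproducible build, not numeric order.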
diffoscope
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 235 and 236 to Debian:
- Fix compatibility with PyPDF2. (re. issue #331) [...][...][...]
- Fix compatibility with ImageMagick version 7.1. [...]
- Require at least version 23.1.0 to run the Black source code tests. [...]
- Update debian/tests/control after merging changes from others. [...]
- Don't write test data during a test. [...]
- Update copyright years. [...]
- Merged a large number of changes from others.
Debian
Bugs filed
- cwltool: Installs the text of 'Moby-Dick' under /usr/lib/python3/dist-packages (#1030713). This was actually included on LWN.net. Perhaps this was an in-joke on behalf of the developers as an arch reference to the 'Moby Dick Support Device' thought experiment.
- Due to the use of override_dh_auto_test in order to append '|| true', the certmonger package does not respect the nocheck flag in DEB_BUILD_OPTIONS. (#1032058)
Uploads
- 3.2.17-1 — New upstream security release (CVE-2023-23969)
- 3.2.18-1 — New upstream security release (CVE-2023-24580)
- 4.2~beta1-1 — New upstream beta release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged redis (CVE-2022-35977, CVE-2022-24736 & CVE-2022-24735), tpm2-tss (CVE-2023-22745), trafficserver (CVE-2022-31779, CVE-2022-32749 & CVE-2022-37392) and webkit2gtk (CVE-2022-42826, CVE-2023-23517 & CVE-2023-23518).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3306-1 as it was discovered that there was a potential denial-of-service (DoS) vulnerability in Django, the popular Python-based web development framework. Parsed values of the Accept-Language HTTP header are cached by Django in order to avoid repetitive parsing. This could have led to a potential DoS attack via excessive memory usage if the raw value of the Accept-Language header was very large.
- Issued DLA 3309-1 for Graphite, a tool providing real-time graphing of system statistics, etc. A series of cross-site scripting (XSS) vulnerabilities existed that could have been exploited remotely. Issues existed in the cookie, template name and absolute time range handler components.
- Issued DLA 3329-1 and ELA-791-1 to prevent a denial-of-service vulnerability in Django — passing certain inputs to multipart forms could have resulted in too many open files or memory exhaustion, thus providing a potential vector for a DoS attack.
- Issued DLA 3330-1 for Amanda because it was discovered that there was a potential privilege escalation vulnerability in this backup utility. The SUID binary located at /lib/amanda/rundump executed /usr/sbin/dump as the root superuser with arguments controlled by the attacker, which may have led to an escalation of privileges, denial-of-service or information disclosure.
- Issued DLA 3331-1 and DLA 3331-2 to fix a potential memory corruption vulnerability in python-cryptography, a Python library offering a number of encryption and cryptography primitives.
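The DLA 3306-1 item above describes a common cache-abuse pattern: memoising a parsed value under a key that the client controls, with no limit on how large that key may be, so memory grows with the number and length of distinct header values an attacker chooses to send. The following is an added example of my own, not Django's code nor the DLA patch: an unguarded cache beside a hardened one that bounds the number of entries and declines to memoise any header longer than a fixed cap, plus a helper that feeds constructed sample traffic through both and reports what each retains. The minimal parser, the 500-byte cap, the 1000-entry bound and the sample headers are all assumptions made for this example.

```python
# Added example: caching parsed Accept-Language headers with and without a
# size guard. Illustrative only; not Django's code. The cap and entry bound
# below are assumptions chosen for the example.
import functools

MAX_HEADER_LENGTH = 500   # assumption: longest header value worth memoising
CACHE_ENTRIES = 1000      # assumption: bound on distinct values retained


def parse_accept_lang_header(lang_string):
    """Parse 'en-GB,en;q=0.8,fr;q=0.5' into [('en-GB', 1.0), ('en', 0.8),
    ('fr', 0.5)], highest quality first. Deliberately minimal parser,
    constructed for this example."""
    result = []
    for piece in lang_string.split(","):
        lang, _, params = piece.strip().partition(";")
        lang = lang.strip()
        if not lang:
            continue
        priority = 1.0
        key, _, val = params.strip().partition("=")
        if key.strip() == "q":
            try:
                priority = float(val)
            except ValueError:
                continue  # malformed quality value: drop the entry
        result.append((lang, priority))
    result.sort(key=lambda entry: -entry[1])  # stable: ties keep header order
    return result


# Vulnerable shape: every distinct header value is retained forever, however
# long it is. Memory grows with (distinct values) x (their length), and the
# client controls both.
_unbounded_cache = {}


def parse_cached_unbounded(lang_string):
    if lang_string not in _unbounded_cache:
        _unbounded_cache[lang_string] = parse_accept_lang_header(lang_string)
    return _unbounded_cache[lang_string]


# Hardened shape: bound the number of entries AND refuse to memoise values
# over a fixed length. An oversized header is still parsed (the response is
# still correct) but nothing about it is retained after the request.
@functools.lru_cache(maxsize=CACHE_ENTRIES)
def _parse_cached(lang_string):
    return parse_accept_lang_header(lang_string)


def parse_cached_bounded(lang_string):
    if len(lang_string) > MAX_HEADER_LENGTH:
        return parse_accept_lang_header(lang_string)
    return _parse_cached(lang_string)


def retained_after(requests):
    """Feed the same header values through both caches and report how much
    each one is holding afterwards: bytes of key text for the unbounded dict,
    entry count for the lru_cache (which does not expose its keys)."""
    _unbounded_cache.clear()
    _parse_cached.cache_clear()
    for value in requests:
        parse_cached_unbounded(value)
        parse_cached_bounded(value)
    unbounded_bytes = sum(len(k) for k in _unbounded_cache)
    bounded_entries = _parse_cached.cache_info().currsize
    return unbounded_bytes, bounded_entries


def oversized_headers(count, size):
    """Constructed sample traffic: `count` distinct, syntactically valid
    Accept-Language values, each at least `size` bytes long."""
    return ["x%d;q=0.9," % i + "en," * (size // 3) for i in range(count)]


if __name__ == "__main__":
    print(parse_accept_lang_header("en-GB,en;q=0.8,fr;q=0.5"))
    print(retained_after(oversized_headers(100, 10_000)))
```

The entry bound alone is not enough: an LRU cache with 1000 slots still retains 1000 multi-megabyte strings if the client sends them, which is why the length check sits in front of the cache rather than inside it.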
You can find out more about the project via the following video: