Here is my monthly update covering what I have been doing in the free software world during January 2023 (previous month):
Reproducible Builds
Building and distributing software that is secure throughout its entire lifecycle turns out to be very challenging. Attacks can emerge at any step of the chain, such as when building, packaging, uploading and distributing software on its long journey from coding to installation. Nefarious third-parties can compromise systems by injecting malicious code into ostensibly secure software during these compilation and distribution processes. Reproducible Builds is a project that is implementing tools, strategies and frameworks to secure software on its way to end-user devices, and additionally helps to prevent attacks on developers themselves.
This month, I:
- Submitted a patch to fix a reproducibility-related issue in Debian's python-miio package, which was actually rooted in its (in)compatibility with versions of Click greater than 8.x. (#1029295)
- Kept isdebianreproducibleyet.com up to date. [...]
- I also submitted 5 patches to fix specific reproducibility issues in accel-config, click, hamster-time-tracker, python-graphviz & unifrac-tools.
- Attended the Open Tech Fund's summit in Austin, TX.
- I additionally created a patch to remove temporary files created during the build of the towncrier Debian package which were causing the package to be unreproducible. This was swiftly fixed by Ben Finney — thanks. (#1027992)
- Drafted, published and publicised our monthly report for December 2022.
- Categorised a very large number of packages and issues in the Reproducible Builds notes.git repository.
- Finally, I also made the following non-maintainer uploads (NMUs) to fix reproducibility issues within Debian:
diffoscope
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 231, 232, 233 and 234 to Debian:
- No need for the from __future__ import print_function import anymore. [...]
- Comment and tidy the extras_require.json handling. [...]
- Split inline Python code to generate test Recommends into a separate Python script. [...]
- Update debian/tests/control after merging PyPDF support. [...]
- Correctly catch segfaulting cd-iccdump binary. [...]
- Drop some old debugging code. [...]
- Allow ICC tests to (temporarily) fail. [...]
Debian
- memcached (1.6.18-1) — New upstream release.
- 4.1.5-1 — New upstream release.
  4.2~alpha1-1 — New upstream alpha release.
- 7.0.8-1 — New upstream security release.
  7.0.8-2 — Add delaycompress to the logrotate(8) configuration. Thanks, Marc Haber. (#1029844)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged: amanda (CVE-2022-37705), cinder, glance, nova & sssd (CVE-2022-4254).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3261-1 as it was discovered that there was a potential null pointer dereference vulnerability in libetpan, a low-level library for handling email.
- Issued DLA 3262-1 for smarty3, a widely-used PHP templating engine, because it was discovered that there was a potential cross-site scripting vulnerability.
- Issued DLA 3263-1 because it was discovered that there was an off-by-one array size issue in libtasn1-6, a library to manage Abstract Syntax Notation One (ASN.1) data structures.
- Issued DLA 3264-1 for ruby-sinatra as it was discovered that there was a potential reflected file download (RFD) vulnerability in this Ruby library for writing HTTP applications. A Content-Disposition HTTP header was being incorrectly derived from a (potentially) user-supplied filename.
- Issued DLA 3266-1 and ELA-768-1. This was because it was announced that there were two issues in ViewVC, a web-based interface for browsing Subversion and CVS repositories. The attack vectors involved files with unsafe names; names that, when embedded into an HTML stream, could cause the browser to run unwanted code.
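The Content-Disposition problem behind the ruby-sinatra advisory, as an added illustration of the general pattern (this is example code written for this page, not sinatra's code and not the DLA's fix): a naive header that interpolates a client-supplied name next to a hardened builder that reduces the name to a safe subset and carries the full UTF-8 name in an RFC 5987 filename* parameter. The function names, the optional extension allow-list and the sample inputs are all constructed for the example.

```ruby
require 'erb' # ERB::Util.url_encode does RFC 3986 percent-encoding (space -> %20)

# Naive construction, shown for contrast (hypothetical, not sinatra's own code):
# whatever the client sent is interpolated straight into the header value, so a
# name such as 'x";y=z' changes the structure of the header instead of just
# naming the download, and CR/LF in the name would start a new header line.
def naive_content_disposition(user_filename)
  "attachment; filename=\"#{user_filename}\""
end

# Hardened construction. Assumptions (mine, not from the upstream fix): the file
# name is only a display hint, so reducing it to a safe subset loses nothing,
# and the caller may pass an allow-list of extensions when the download must
# never be saved under a name a browser or shell would treat as executable.
def safe_content_disposition(user_filename, fallback: 'download', allowed_extensions: nil)
  name = user_filename.to_s.dup
  name.force_encoding('UTF-8')
  name = name.scrub('_')                          # replace malformed UTF-8 sequences
  name = name.split(%r{[\\/]}).last.to_s          # keep only the last path component
  name = name.delete("\x00-\x1f\x7f")             # drop control chars (CR/LF = header injection)
  name = name.delete('";')                        # drop quoted-string and parameter delimiters
  name = name.strip.sub(/\A\.+/, '')              # no leading dots ("..", hidden files)
  name = fallback if name.empty?
  if allowed_extensions && !allowed_extensions.include?(File.extname(name).downcase)
    name = fallback
  end
  # filename= must stay ASCII; filename* (RFC 5987) carries the full UTF-8 name.
  ascii = name.encode('US-ASCII', invalid: :replace, undef: :replace, replace: '_')
  utf8  = ERB::Util.url_encode(name)
  %(attachment; filename="#{ascii}"; filename*=UTF-8''#{utf8})
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample names covering the cases the hardened builder handles.
  ['report.pdf', %(x";y=z), "a.txt\r\nX-Injected: 1", '../../etc/passwd', 'résumé.pdf'].each do |n|
    puts "#{n.inspect}\n  naive: #{naive_content_disposition(n).inspect}\n  safe:  #{safe_content_disposition(n).inspect}"
  end
end
```

The quoted-string in filename= is what the attacker is really aiming at in a reflected file download: if the name, and in particular its extension, comes from the request, the victim's browser saves attacker-chosen content under an attacker-chosen name from a trusted origin. Stripping delimiters and control characters closes the header-injection side; the extension allow-list is the extra step that removes the ".bat"/".cmd" style outcome when the application knows what it is serving.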
You can find out more about the Debian LTS project via the following video: