Free software activities in July 2023

Here is my monthly update covering what I have been doing in the free software world during July 2023 (previous month).

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• Opened pull requests to make the build reproducible in:

  • Pushed the following to Codra-Ingenierie-Informatique/guidata:

  • Opened a pull request for Make the build reproducible. [...]

  • Pushed the following to norman/babosa:

  • Opened a pull request for Make the build reproducible. [...]

• In Debian:

  • Kept isdebianreproducibleyet.com up to date. [...]

  • I submitted 4 patches to fix specific reproducibility issues in dotenv-cli, guidata, ruby-babosa & unity-java.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for June 2013.

• I made the following changes to diffoscope, including preparing and uploading versions 244, 245, and 256 to Debian:

  • Don't include file size in image metadata (it is, at best, distracting and it is already in the directory metadata). [...]
  • Move to using assert_diff in ICO and JPEG tests. [...]
  • Temporarily mark some Android-related as XFAIL due to Debian bugs #1040941 and #1040916. [...]
  • Attempt compatibility with libarchive-5. [...]
  • Fix "test skipped" reason generation in the case of a version outside of the required range. [...]
  • Mark that test_dex::test_javap_14_differences requires the procyon tool. [...]

Debian

• bfs (3.0-1) — New upstream release.

• hiredis:

  • 1.2.0-1 — New upstream release.
  • 1.2.0-2 — Rename package to match new SONAME.

• python-django:

  • 3.2.20-1 — New upstream security release.
  • 4.2.3-1 — New upstream security release.

• redis:

  • 7.0.12-1 — New upstream security release.
  • 7.2~rc3-1 — New upstream security release.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged qtbase-opensource-src CVE-2023-38197, spip, gpac CVE-2023-37174, CVE-2023-37765, CVE-2023-37766 & CVE-2023-37767, vim CVE-2020-20703, iotjs CVE-2020-22597, r-cran-jsonlite CVE-2017-16516 & CVE-2022-24795, bind9 CVE-2023-2911, redis CVE-2022-24834, vim CVE-2020-20703 and r-cran-jsonlite CVE-2017-16516 & CVE-2022-24795

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 3494-1 because it was discovered that there was an issue in ruby-doorkeeper, an OAuth2 provider for Ruby on Rails applications. Doorkeeper automatically processed authorization requests without user consent for public clients that have been previously approved, but public clients are inherently vulnerable to impersonation as their identity cannot be assured.

• Issued DLA 3498-1 and ELA-904-1 for the popular Domain Name Server (DNS) server, bind9. Shoham Danino, Anat Bremler-Barr, Yehuda Afek and Yuval Shavitt discovered that a flaw in the cache-cleaning algorithm used in named can cause that named's configured cache size limit can be significantly exceeded, potentially resulting in a denial of service attack.

• Issued DLA 3500-1 as it was discovered that there was a potential denial of service attack in Django, the popular Python-based web development framework. The EmailValidator and URLValidator classes were subject to potential regular expression denial of service attacks via a very large number of domain name labels of emails and URLs. Updates for Debian bullseye and bookworm have been prepared and are forthcoming.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.