Free software activities in June 2024

Here is my monthly update covering what I have been doing in the free software world during June 2024 (previous month).

• Released a new version of my installation-birthday utility, which will celebrate each 'birthday' of your Debian system by automatically sending a message to the local system administrator. This was to fix compatibility with new Python versions, specifically moving away from Python's utcfromtimestamp and fix another SyntaxWarning in order to fix Debian bug #1074444.

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

This month, I:

• Kept isdebianreproducibleyet.com up to date. [...]

• Submitted a patch to fix a reproducibility issue in fastfetch.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• In our tooling, I made the following changes to diffoscope, including preparing and uploading versions 270 and 271 to Debian:

  • Drop Build-Depends on liblz4-tool. Thansk, Chris Peterson! (Closes: Debian:#1072575) [...]
  • Update tests to support zipdetails "4.004" shipped with Perl 5.40. (Closes: reproducible-builds/diffoscope#377) [...]

• Drafted, published and publicised our monthly report.

Debian

• python-django (5.1~beta1-1) — New upstream beta release.

• redis (7.2.5-1) — New, and possibly the last, upstream release under a free-software license.

• bfs:

  • 3.3.1-1 — New upstream release.
  • 3.3.1-2 — Apply patch from upstream to fix FTBFS on riscv64. (#1072933)

• memcached (1.6.28-1) — New upstream release.

• installation-birthday (17) — Move away from Python's utcfromtimestamp and fix another SyntaxWarning. (#1074444)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Investigated and triaged: atril (CVE-2023-51698), bluez (CVE-2023-50229 & CVE-2023-50230), erlang, firefox-esr (CVE-2024-5688, CVE-2024-5690, CVE-2024-5691), libndp (CVE-2024-5564), ntfs-3g (CVE-2023-52890), slic3r-prusa (CVE-2023-35949, CVE-2023-35950, CVE-2023-35951, CVE-2023-35952, CVE-2023-35953, CVE-2023-49600, CVE-2024-22181, CVE-2024-23947, CVE-2024-23948, CVE-2024-23949, CVE-2024-23950, CVE-2024-23951, CVE-2024-24583, CVE-2024-24584, CVE-2024-24684, CVE-2024-24685, CVE-2024-24686) & thunderbird (CVE-2024-5688, CVE-2024-5690, CVE-2024-5691).

• Issued DLA 3837-1 and ELA-1113-1 because it was discovered that there was a buffer overflow vulnerability in libndp, a library for implementing IPv6's Neighbor Discovery Protocol (NDP) and is used by Network Manager and other networking tools. A local, malicious user could have caused a buffer overflow in Network Manager by sending a malformed IPv6 router advertisement packet. This issue existed because libndp was not correctly validating route length information.

• Issued DLA 3838-1 and ELA-1114-1 as there were a number of command-line injection vulnerabilities in Composer, a popular dependency manager for PHP. The install, status, reinstall and remove functionality had issues when used with Git or Hg repositories which used maliciously-crafted branch names, which could have been abused to execute arbitrary shell commands.

You can find out more about the Debian LTS project through the following video:

You can subscribe to new posts via email or RSS.