Here is my monthly update covering what I have been doing in the free software world during March 2022 (previous month):
As part of my duties of being on the board of directors of the Software in the Public Interest I attended its respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure.
This month, I:

- Kept isdebianreproducibleyet.com up to date.
- In Debian, I submitted 5 patches to fix specific reproducibility issues in chemical-structures, fiat, nbformat, python-ara & sdl12-compat.
- Categorised a large number of packages and issues in the Reproducible Builds 'notes' Git repository.
- Added a Twitter Card to our website.
- Drafted, published and publicised our monthly report for February 2022.
- For diffoscope (our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues), I merged a number of contributions from others, updated the R test fixture for the 4.2.x series of the R programming language, as well as updated the minimum version of Black to prevent a test failure on Ubuntu jammy.
Debian
- python-django (2:4.0.3-1) — New upstream bugfix release.
- 6.0.16-2 — Prevent a Debian-specific Lua sandbox escape vulnerability.
- 7.0~rc2-1 — New upstream release candidate.
- 7.0~rc2-2 — Prevent a Debian-specific Lua sandbox escape vulnerability.

I also filed a build failure bug against the python-plac package.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged a large number of CVEs, including libxml2, nbd, paramiko, python-treq, python-django & redis.
- Frontdesk duties, responding to user/developer questions, attending our monthly meeting, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 2938-1 and ELA-575-1 as it was discovered that there was an issue in the Twisted Python network programming framework where the SSH client and server implementations could accept an unlimited amount of data for the peer's SSH version identifier, so that the receiving buffer could consume all available memory.
- Issued DLA 2944-1 as an integer overflow (with a resultant heap-based buffer overflow) was discovered in the nbd Network Block Device server. A value of 0xffffffff in the name length field could have caused a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer.
- Issued DLA 2954-1 because it was discovered that there was an information disclosure issue in Treq, a high-level library/API for making HTTP requests using the Python Twisted network programming library. HTTP cookies were not bound to a single domain and were instead sent to every domain.
- Issued DLA 2959-1 and ELA-583-1 as it was discovered that there was a potential race condition in Paramiko, a pure-Python implementation of the SSH protocol. In particular, unauthorised information disclosure could have occurred during the creation of SSH private keys.
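The Twisted advisory above (DLA 2938-1) is an instance of a general failure mode: a line reader that keeps appending until a newline arrives has no upper bound if the newline never comes. The following is an added example, not Twisted's own code, of how a version-identifier reader can be bounded. RFC 4253 section 4.2 limits the identification line to 255 bytes including the CR LF, which gives the per-line cap; the cap on the number of pre-identifier lines (`MAX_PREAMBLE_LINES`) is an assumed value chosen for this example, and the sample byte strings are constructed.

```python
"""Bounded reading of an SSH protocol version identifier.

Added example (not Twisted's code). RFC 4253 s4.2 allows a server to send
arbitrary lines before the 'SSH-' identification line, so a client reads
line by line; without a cap on line length and line count the receive
buffer can grow until memory runs out, which is the issue in DLA 2938-1.
"""

MAX_ID_LINE = 255        # RFC 4253 s4.2: identification line incl. CR LF
MAX_PREAMBLE_LINES = 64  # assumed cap for this example, not from the RFC


class VersionIdentifierError(ValueError):
    """Raised when the peer exceeds a limit before identifying itself."""


class VersionIdentifierReader:
    """Accumulates bytes until the 'SSH-' line arrives, enforcing limits."""

    def __init__(self, max_line=MAX_ID_LINE, max_lines=MAX_PREAMBLE_LINES):
        self.max_line = max_line
        self.max_lines = max_lines
        self._buf = b""
        self._lines_seen = 0
        self.version = None

    def feed(self, data: bytes):
        """Feed received bytes; return the identifier once complete, else None."""
        self._buf += data
        while self.version is None:
            nl = self._buf.find(b"\n")
            if nl == -1:
                # Partial line: reject as soon as it is longer than any
                # legitimate identification line can be, rather than
                # waiting for a newline that may never arrive.
                if len(self._buf) > self.max_line:
                    raise VersionIdentifierError("identification line too long")
                return None
            line, self._buf = self._buf[:nl + 1], self._buf[nl + 1:]
            if len(line) > self.max_line:
                raise VersionIdentifierError("identification line too long")
            self._lines_seen += 1
            if line.startswith(b"SSH-"):
                self.version = line.rstrip(b"\r\n")
                return self.version
            if self._lines_seen >= self.max_lines:
                raise VersionIdentifierError("too many lines before identifier")
        return self.version


def identifier_from_stream(chunks, **limits):
    """Run a sequence of received chunks through the reader.

    Returns the identifier, or None if the stream was rejected or ended
    before an identifier was seen.
    """
    reader = VersionIdentifierReader(**limits)
    try:
        for chunk in chunks:
            result = reader.feed(chunk)
            if result is not None:
                return result
    except VersionIdentifierError:
        return None
    return None


if __name__ == "__main__":
    # Constructed sample streams.
    print(identifier_from_stream([b"welcome\r\n", b"SSH-2.0-Open", b"SSH_8.9\r\n"]))
    print(identifier_from_stream([b"A" * 200, b"A" * 200]))  # rejected: None
```

The point of the partial-line check inside `feed` is that the limit is enforced on every chunk, not only when a complete line is available; a peer that never sends a newline is cut off after 256 bytes instead of after all available memory.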
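The Treq advisory above (DLA 2954-1) describes cookies being replayed to every domain. The property a fixed client needs is that a cookie is only attached to requests for the host (or domain) that set it. This added example, which is not treq's own code, uses the standard library's `http.cookiejar.CookieJar` to show that scoping: a cookie set by one host is sent back to that host and to nobody else. The hostnames, cookie value and the `_CapturedResponse` stand-in are constructed for the example.

```python
"""Cookies stay bound to the host that set them.

Added example (not treq's code). CookieJar.extract_cookies() records the
originating host of each cookie; add_cookie_header() then only attaches
cookies whose domain matches the request host, which is the behaviour
that the Treq issue in DLA 2954-1 lacked.
"""
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request


class _CapturedResponse:
    """Minimal stand-in for an HTTP response (constructed for this example).

    CookieJar only needs .info() to return a headers object with get_all().
    """

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def jar_after_login(login_url, set_cookie_values):
    """Build a jar holding the cookies that a login response set."""
    jar = CookieJar()
    jar.extract_cookies(_CapturedResponse(set_cookie_values), Request(login_url))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None when no stored cookie is in scope for that host."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Constructed sample: a session cookie set by auth.example.test.
SAMPLE_LOGIN_URL = "https://auth.example.test/login"
SAMPLE_SET_COOKIE = ["session=c0nstructed; Path=/; HttpOnly"]

if __name__ == "__main__":
    jar = jar_after_login(SAMPLE_LOGIN_URL, SAMPLE_SET_COOKIE)
    print(cookie_header_for(jar, "https://auth.example.test/account"))  # session=c0nstructed
    print(cookie_header_for(jar, "https://tracker.example.test/"))      # None
```

Because the cookie carried no `Domain` attribute, the jar binds it to the exact host `auth.example.test`; a sibling host under the same parent domain, or a longer hostname that merely begins with the same labels, gets nothing.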
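The Paramiko advisory above (DLA 2959-1 / ELA-583-1) is a race during private key creation. The classic shape of that class of bug is "create the file, write the secret, then chmod it", which leaves a window in which the file carries the umask-derived default mode. The following is an added example, not Paramiko's code and not a claim about its exact implementation, contrasting that pattern with creating the file already restricted via `os.open` and a mode argument. `demonstrate()` and its file names are constructed for the example, and it assumes a POSIX filesystem with a default umask of 022.

```python
"""Creating a secret file without a permissions window.

Added example (not Paramiko's code). write_key_racy() shows the
write-then-chmod pattern behind the class of race in DLA 2959-1;
write_key_safe() applies 0600 at creation so there is no moment at
which the key is readable by other local users.
"""
import os
import stat
import tempfile

KEY = b"-----BEGIN CONSTRUCTED SAMPLE KEY-----\n"  # constructed, not a real key


def write_key_racy(path, data: bytes) -> int:
    """Write then chmod. Returns the mode observed while the file is open,
    i.e. during the window before chmod, to make the exposure visible."""
    with open(path, "wb") as fh:
        mode_during_window = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        fh.write(data)
    os.chmod(path, 0o600)
    return mode_during_window


def write_key_safe(path, data: bytes) -> int:
    """Create with 0600 atomically. The mode is applied by the kernel at
    creation (the umask can only remove bits), and O_EXCL refuses to reuse
    a path that already exists, so the file is never exposed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        mode_during_window = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        fh.write(data)
    return mode_during_window


def demonstrate() -> dict:
    """Run both variants in a temporary directory under umask 022 and
    report the mode seen during the window and the final mode."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            racy = os.path.join(tmp, "id_racy")
            safe = os.path.join(tmp, "id_safe")
            return {
                "racy_window_mode": write_key_racy(racy, KEY),
                "racy_final_mode": stat.S_IMODE(os.stat(racy).st_mode),
                "safe_window_mode": write_key_safe(safe, KEY),
                "safe_final_mode": stat.S_IMODE(os.stat(safe).st_mode),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, mode in demonstrate().items():
        print(f"{name}: {mode:04o}")
```

Both variants end at mode 0600, which is why the bug is easy to miss in a review that only checks the final state; the difference is only visible in the window the racy version opens, which `demonstrate()` reports as 0644.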