Free software activities in March 2024

Here is my monthly update covering what I have been doing in the free software world during March 2024 (previous month).

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• I authored and submitted 14 patches to solve reproducibility issues in bochs, gnome-maps, golang-github-stvp-tempredis, gretl, librsvg, mpl-sphinx-theme, node-function-bind, postfix, python-pysaml2, python-quantities, q2cli, storm-lang, tox & woof-doom.

• Drafted, published and publicised our monthly report.

• Updated the main Reproducible Builds website and documentation in order to add a lot of new academic publications. […]

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Kept isdebianreproducibleyet.com up to date. […]

• Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading four versions (259, 260, 261 and 262):

  • New features:

    • Add support for zipdetails from the Perl package. Thanks to Larry Doolittle and friends for the pointer to this tool. […]

  • Bug fixes:

    • Don't identify Redis database dumps (etc.) as GNU R database files based simply on their filename. […]
    • Add a missing call to File.recognizes so we actually perform the filename check for GNU R database files. […]
    • Don't crash if we encounter an .rdb file without an equivalent .rdx file. […]

  • Test improvements:

    • Fix .epub tests after supporting zipdetails. […]
    • Don't use parenthesis within skipping… messages in the tests, as PyTest adds its own parenthesis. […]
    • Skip some .zip tests under 3.10.14 as well; a Python regression of sorts may have been backported to the 3.10.x series. […]
    • Factor out Python version checking in test_zip.py. […]
    • Correctly check for the 7z binary being available (not lz4), when testing the 7z-like functionality. […]

Debian

• python-django:

  • 5.0.3-1 — New upstream security release.
  • 4.2.11-1 — New upstream security release.

• memcached:

  • 1.6.24-1 — New upstream release.
  • 1.6.26-1 — New upstream release.

• bfs:

  • 3.1.2-1 & 3.1.3-1 — New upstream releases.

• installation-birthday (16) — Drop Build-Depends on python3-distutils. (#1065880)

• docbook-to-man (1:2.0.0-46) — Fix a build failure with the (now-default) -Werror=implicit-function-declaration GCC argument. (#1066680)

• libfiu (1.2-2) — Drop Build-Depends on python3-distutils. (#1065891)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc., as well as attending the monthly IRC meeting.

• Issued DLA 3751-1 as it was discovered that there was a potential Denial of Service (DoS) attack in the libapache2-mod-auth-openidc, an OpenID Connect (OpenIDC) module for the Apache web server. It appears that missing input validation on a cookie made the server vulnerable to this attack; if someone manipulated the value of the OpenIDC cookie to a very large number, the server struggled with the request for a long time and finally returned a HTTP 500 error. Making just a few requests of this kind can cause servers to become unresponsive, and so attackers could thereby craft requests that would make the server work very hard and/or crash with minimal effort.

• Investigated and triaged large number of issues in python-django (e.g. CVE-2024-24680), and did significant work on a long-awaited update for Django in ELTS. I also fixed CVE-2024-27351 in Debian unstable and experimental, although these are strictly outside the remit of Debian LTS.

• Later in the month, I issued DLA 3773-1. This was because it was reported that there was a command-line injection issue in the FreeIPA identity/authentication/audit framework. A specially crafted HTTP request could have lead to a Denial of Service (DoS) attack and/or data exposure.

• Worked towards an update for dnsmasq in order to address a number CVEs including CVE-2019-14834, CVE-2021-3448, CVE-2022-0934 & CVE-2023-28450. This should be released in early April.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.