Free software activities in March 2025

Here is my monthly update covering what I have been doing in the free software world during March 2025 (previous month):

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

This month, I:

• Submitted at least 9 patches to fix specific reproducibility issues in font-manager, hx, isync, jenkins-job-builder, oss4, python-moto, python-pytest-shell-utilities, sphinxcontrib-googleanalytics & yaramod.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for February 2025.

• Updated the main Reproducible Builds website and documentation to add a Meson alternative for generating SOURCE_DATE_EPOCH that calls out to Python to the SOURCE_DATE_EPOCH documentation. [...]

• Kept isdebianreproducibleyet.com up to date. [...]

diffoscope

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 290, 291, 292 and 293 and 293 to Debian:

• Bug fixes:

  • file(1) version 5.46 now returns XHTML document for .xhtml files such as those found nested within our .epub tests. [...]
  • Also consider .aar files as APK files, at least for the sake of diffoscope. [...]
  • Require the new, upcoming, version of file(1) and update our quine-related testcase. [...]

• Codebase improvements:

  • Ensure all calls to our_check_output in the ELF comparator have the potential CalledProcessError exception caught. [...][...]
  • Correct an import masking issue. [...]
  • Add a missing subprocess import. [...]
  • Reformat openssl.py. [...]
  • Update copyright years. [...][...][...]

Debian

• memcached (1.6.38-1) — New upstream release.

• python-django:

  • 4.2.20-1 — New upstream security release.
  • 5.2~rc1-1 — New upstream RC release.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged freetype (CVE-2025-27363), glewlwyd (CVE-2024-25715), keras, libcap2, libxslt for bullseye LTS (CVE-2024-55549, CVE-2025-24855), opensaml, phpmyadmin, ruby-saml (CVE-2025-25291, CVE-2025-25292, CVE-2025-25293) and zvbi (CVE-2025-2173, CVE-2025-2174, CVE-2025-2175, CVE-2025-2176 & CVE-2025-2177)

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 4092-1 as it was discovered that there were three issues in libcap2, a library for managing kernel "capabilities"; that is, partitioning the powerful single root privilege into a set of distinct privileges, typically used to limit any damage if a process running as the root user is exploited. The three issues are as follows:

  • CVE-2023-2602: A vulnerability was found in the pthread_create() function. This issue could have allowed a malicious actor in order to exhaust the system's memory.

  • CVE-2023-2603: An issue was found in the _libcap_strdup function which could have led to an integer overflow if the input string was close to 4GiB.

  • CVE-2025-1390: The pam_cap.so PAM module supports group names starting with @ but during parsing, configurations not starting with @ were incorrectly recognised as group names. This user-group confusion may have resulted in unintended users being granted an inherited capability set, potentially leading to security risks. Attackers could have exploited this vulnerability to achieve local privilege escalation on systems where capability.conf was used to configure user inherited privileges by constructing specific usernames.

• Issued DLA 4086-1 and ELA 1356-1 because it was discovered that there was a potential denial-of-service (DoS) vulnerability in Django, a Python-based web development framework. The issue was situated in the wrap() method of the django.utils.text module. This method and the |wordwrap template filter were subject to a potential DoS attack when used with very long strings.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.