Here is my monthly update covering what I have been doing in the free software world during May 2022 (previous month):
- Fixed an issue in my django-slack library that provides a convenient wrapper between projects using the Django web development framework and the Slack chat platform, specifically to set `zip_safe=False` in `setup.py` so that Python setuptools does not attempt to install the library as a Python 'egg' and thus does not install the templates. [...]
- As part of my duties of being on the board of directors of the Software in the Public Interest I attended its respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during the compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
This month, I:
- In Debian:
  - I also submitted 5 patches to fix specific reproducibility issues in freesas, logapp, longrun, mono & rust-simplelog.
  - Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our monthly report.
- Updated the main Reproducible Builds website and documentation in a number of small ways, but also prepared and published an interview with Jan Nieuwenhuizen about Bootstrappable Builds, GNU Mes and GNU Guix. [...]
diffoscope
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 212, 213 and 214 to Debian:
- New features:
- Bug fixes:
- Codebase improvements:
  - Substantially update comment for our calls to `zipinfo` and `zipinfo -v`. [...]
  - Use `assert_diff` in `test_zip` over calling `get_data` with a separate `assert`. [...]
  - Don't call `re.compile` and then call `.sub` on the result; just call `re.sub` directly. [...]
  - Clarify the comment around the difference between `--usage` and `--help`. [...]
- Testsuite improvements:
Debian uploads
- bfs (2.6-1) — New upstream release & refresh packaging.
- python-django (4.1~alpha1-1) — New upstream alpha release.
- redis:
  - 6.0.16-3 — Add an internal timeout for the cluster tests to prevent build failures. (#1011187)
  - 6.0.16-4 — Disable, hopefully temporarily, the use of the system-wide Lua due to Redis' fork of Lua gaining security/hardening features (eg. `lua_enablereadonlytable`). This addresses CVE-2022-24735 and CVE-2022-24736.
I also performed a QA upload of xtermcontrol (3.8-5) to make the build reproducible. (#994976)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged adminer, neutron (CVE-2021-20267), node-sqlite3, redis (CVE-2022-24736), sqlite3 (CVE-2022-21227), etc.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions and so on.
- Issued DLA 3002-1 as it was discovered that there was an issue in the web-based database tool Adminer, whereby an attacker could have performed an arbitrary file read on the remote server by requesting that Adminer connect to a crafted/malicious remote MySQL database.
- Issued DLA 3003-1 and ELA 609-1 for ruby-nokogiri, a HTML, XML, SAX etc. parser written in/for the Ruby programming language, to address a potential denial of service attack. This was caused by the use of inefficient regular expressions that were susceptible to excessive backtracking.
- Issued DLA 3004-1 and ELA 610-1 for htmldoc, a HTML processor that generates indexed HTML, PS and PDF files, as it was discovered that there was an integer overflow vulnerability. This was caused by a programming error in the `image_load_jpeg` function due to a conflation or confusion of declared image dimensions.
- Issued DLA 3024-1 to address a potential SQL injection vulnerability in the Django web development framework. Untrusted data was used as a tolerance parameter in Geographic Information System (GIS) functions and aggregates when using the Oracle database backend. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was potentially possible to break escaping and inject malicious SQL.
- Issued DLA 3025-1 for irssi as it was discovered that there was a use-after-free vulnerability.
- Issued DLA 3027-1 for neutron, correcting an issue where the previous upload to fix an input validation vulnerability.
- Issued DLA 3031-1 and ELA 619-1 as it was discovered that there was a potential resource exhaustion attack in ModSecurity, an Apache module that inspects HTTP requests with the aim of preventing typical web application attacks such as XSS and SQL injection.
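The ruby-nokogiri item (DLA 3003-1) above describes "excessive backtracking" without showing what it looks like. The following is an added example, written here in Python rather than taken from Nokogiri's Ruby code, that puts a nested-quantifier pattern next to a single-quantifier rewrite accepting exactly the same strings, times both on constructed inputs, and adds the cheap defensive measure of bounding input length before the regex engine runs. The patterns, inputs and function names are illustrative assumptions, not anything from the advisory.

```python
"""
Added example (not ruby-nokogiri's code, and in Python rather than Ruby):
what catastrophic backtracking means and how a pattern rewrite removes it.
Patterns and inputs are constructed for illustration.
"""
import re
import time

# Nested quantifier: `(a+)+` can split a run of 'a's into 2^(n-1) groupings,
# and the engine tries every one of them once the trailing 'b' fails to match.
BACKTRACKING_PATTERN = re.compile(r"^(a+)+b$")

# Same language, one quantifier: the engine walks the run of 'a's once and
# fails immediately when the next character is not 'b'.
LINEAR_PATTERN = re.compile(r"^a+b$")


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def compare(text):
    """Run both patterns on the same text and report the match result and timings."""
    vuln_result, vuln_seconds = timed_match(BACKTRACKING_PATTERN, text)
    safe_result, safe_seconds = timed_match(LINEAR_PATTERN, text)
    # The rewrite must accept exactly the same strings; otherwise it is not a fix.
    assert vuln_result == safe_result
    return {
        "matched": vuln_result,
        "backtracking_s": vuln_seconds,
        "linear_s": safe_seconds,
    }


def bounded_match(pattern, text, max_len=256):
    """Defensive wrapper: refuse oversized input before the regex engine sees it.

    Bounding the input does not make a bad pattern good, but it caps the worst
    case, which is what matters for a denial-of-service bug.
    """
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} chars exceeds limit {max_len}")
    return pattern.match(text) is not None


if __name__ == "__main__":
    # Constructed inputs: a run of 'a's followed by a character that cannot
    # match, so the backtracking pattern exhausts every grouping before failing.
    for n in (8, 12, 16):
        print(n, compare("a" * n + "!"))
```

Each increment of the run length doubles the time spent in `BACKTRACKING_PATTERN` while `LINEAR_PATTERN` stays flat, which is the shape of the bug the advisory describes. Python 3.11 also added possessive quantifiers and atomic groups (`a++`, `(?>...)`) that forbid the engine from giving back characters, a third option when a pattern cannot simply be flattened.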
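For the Django item (DLA 3024-1) above, the following added example, which is not Django's own code, shows the general pattern behind the bug and its fix: a numeric-looking parameter that is formatted straight into SQL text versus one that is validated as a real number first. The Oracle Spatial function `SDO_GEOM.SDO_DISTANCE` is real; the column name, the surrounding helper functions and the crafted string are constructed assumptions for illustration.

```python
"""
Added example (not Django's code): a `tolerance` parameter interpolated into
SQL for an Oracle GIS query, in a vulnerable form and a validated form.
Helper names, the column name and the crafted input are constructed.
"""
import math
from decimal import Decimal


def build_distance_sql_vulnerable(column, tolerance):
    """Interpolates `tolerance` verbatim, so any string reaches the SQL text."""
    return f"SDO_GEOM.SDO_DISTANCE({column}, :geom, {tolerance})"


def validate_tolerance(tolerance):
    """Accept only finite, non-negative real numbers; reject everything else.

    `bool` is excluded explicitly because it is a subclass of `int`.
    """
    if isinstance(tolerance, bool) or not isinstance(tolerance, (int, float, Decimal)):
        raise ValueError("tolerance must be a number")
    value = float(tolerance)
    if not math.isfinite(value) or value < 0:
        raise ValueError("tolerance must be finite and non-negative")
    return value


def build_distance_sql_fixed(column, tolerance):
    """Validates first, so the SQL text can only ever contain a float literal."""
    return f"SDO_GEOM.SDO_DISTANCE({column}, :geom, {validate_tolerance(tolerance)!r})"


# Constructed inputs: one honest tolerance and one crafted string of the kind
# the advisory warns about (illustrative only, not a payload from the advisory).
HONEST = 0.05
CRAFTED = "0.05) OR 1=1 --"


def demo():
    """Show what each builder does with the honest and the crafted input."""
    results = {
        "vulnerable_honest": build_distance_sql_vulnerable("geom_col", HONEST),
        "vulnerable_crafted": build_distance_sql_vulnerable("geom_col", CRAFTED),
        "fixed_honest": build_distance_sql_fixed("geom_col", HONEST),
    }
    try:
        build_distance_sql_fixed("geom_col", CRAFTED)
        results["fixed_crafted"] = "accepted"
    except ValueError as exc:
        results["fixed_crafted"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `validate_tolerance` is that after it runs, the only thing that can be formatted into the query is the `repr` of a Python float, which has no syntax an SQL parser could misread; the numeric check is the type of fix that closes this class of bug regardless of how the value is later formatted.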
You can find out more about the Debian LTS project via the following video: