Here is my monthly update covering what I have been doing in the free software world during May 2023 (previous month):
- Reviewed and merged patches by Peter Law for django-enumfield-ng, a library of mine for the Django web application framework to support type-safe enumeration fields. [...]
- Last month, I put together a set of ICS files for the UK Picturehouse Cinema chain, which allows them to be displayed within (e.g.) Google Calendar. This month, however, I extended this to support Seattle's SIFF cinema group [...] as well as started work on a similar scraper for the UK 'Vue' cinema chain [...].
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
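To make the point above concrete, here is an added example (my own illustration, not code from this post or from the Reproducible Builds project) of the kind of thing that breaks bit-for-bit reproducibility and what fixing it buys you. It builds a small zip archive of a constructed sample "source tree" twice, as two independent builders would: the naive build embeds the wall-clock time and whatever file order the builder happened to use, so the two digests disagree and nobody can tell a flaky build from a tampered one; the pinned build takes its timestamps from an assumed SOURCE_DATE_EPOCH-style value and sorts its inputs, so every builder gets the same digest and a mismatch becomes meaningful. The `SOURCE`, `SOURCE_DATE_EPOCH` and function names are mine.

```python
import hashlib
import io
import time
import zipfile

# Constructed sample source tree (not a real package): path -> contents.
SOURCE = {
    "pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg/util.py": b"def add(a, b):\n    return a + b\n",
    "README": b"demo package\n",
}

# Assumed build date in the role of SOURCE_DATE_EPOCH: a value derived from
# the source (e.g. the last changelog entry), not the time the build ran.
SOURCE_DATE_EPOCH = 1684800000  # 2023-05-23 00:00:00 UTC


def naive_build(files, build_time):
    """Archive the files in the order given, stamping each member with the
    wall-clock build time, as a tool that has not been made reproducible would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files:
            info = zipfile.ZipInfo(name, date_time=time.gmtime(build_time)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def reproducible_build(files, source_date_epoch=SOURCE_DATE_EPOCH):
    """Same archive, but every input that could vary between builders is
    pinned: member order is sorted, timestamps come from the source-derived
    epoch, and permission bits and creator OS are set explicitly."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(files):
            info = zipfile.ZipInfo(name, date_time=time.gmtime(source_date_epoch)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3             # "Unix", regardless of host OS
            info.external_attr = 0o644 << 16   # -rw-r--r--, regardless of umask
            zf.writestr(info, data)
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def describe(blob):
    """The metadata a zipinfo-style listing surfaces when two archives differ:
    member order and timestamps, not the file contents themselves."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.date_time) for i in zf.infolist()]


def consensus(digests):
    """Return the digest if every independent builder produced it, else None.
    A lone dissenter means either a non-reproducible build or a tampered one,
    and the comparison alone cannot tell which; that is why the build has to
    be deterministic before third-party verification means anything."""
    return digests[0] if len(set(digests)) == 1 else None


def demo():
    # Two independent builders: different input order (e.g. different
    # directory listing order) and different wall-clock times.
    builder_a = (list(SOURCE.items()), 1685000000)
    builder_b = (list(reversed(SOURCE.items())), 1685000600)

    naive = [sha256(naive_build(f, t)) for f, t in (builder_a, builder_b)]
    fixed = [sha256(reproducible_build(f)) for f, _ in (builder_a, builder_b)]
    return {"naive": consensus(naive), "reproducible": consensus(fixed)}


if __name__ == "__main__":
    print(demo())
    print(describe(naive_build(list(SOURCE.items()), 1685000000)))
```

Running `demo()` gives `None` for the naive pair (no consensus possible) and a single shared digest for the pinned pair; `describe()` on the two naive archives shows exactly the member-order and timestamp differences that a tool such as diffoscope would report, which is the usual shape of a "Debian-specific reproducibility issue" rather than any difference in the compiled content.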
This month, I:
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted two patches to fix (potentially) Debian-specific reproducibility issues in `mfem` and `refnx`.
- Categorised a large number of packages and issues in the Reproducible Builds `notes.git` repository.
- Drafted, published and publicised our monthly report for April.
diffoscope
In our reproducibility tooling, I made the following changes to diffoscope, including preparing and uploading version 242 to Debian:
- New features:
- Bug fixes:
- Codebase improvements:
  - Substantially update comment for our calls to `zipinfo` and `zipinfo -v`. [...]
  - Use `assert_diff` in `test_zip` over calling `get_data` with a separate `assert`. [...]
  - Don't call `re.compile` and then call `.sub` on the result; just call `re.sub` directly. [...]
  - Clarify the comment around the difference between `--usage` and `--help`. [...]
- Testsuite improvements:
Debian
- `3.2.19-1` — New upstream security release.
- `4.2.1-1` — New upstream security release (to experimental).
- `redis` (`7.2-rc2-1`) — New upstream release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged `c-ares` (CVE-2023-31130 & CVE-2023-32067), `configobj` (CVE-2023-26112), `gpac` (CVE-2023-2837, CVE-2023-2838, CVE-2023-2839 & CVE-2023-2840), `nvidia-graphics-drivers-legacy-390xx` (CVE-2023-0180), `tiff` (CVE-2023-2731 & CVE-2023-30086), `vim` (CVE-2023-2610) & `virtuoso-opensource` (CVE-2023-31607, CVE-2023-31608, CVE-2023-31609, CVE-2023-31610, CVE-2023-31611, CVE-2023-31612, CVE-2023-31613, CVE-2023-31614, CVE-2023-31615, CVE-2023-31616, CVE-2023-31617, CVE-2023-31618, CVE-2023-31619, CVE-2023-31620, CVE-2023-31621, CVE-2023-31622, CVE-2023-31623, CVE-2023-31624, CVE-2023-31625, CVE-2023-31626, CVE-2023-31627, CVE-2023-31628, CVE-2023-31629, CVE-2023-31630 & CVE-2023-31631).
- Updated the Git workflow documentation to add a missing call to `git-rm(1)`. [...]
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3414-1 and ELA 844-1 as it was discovered that there was a local Denial of Service (DoS) vulnerability in Avahi, a system that facilitates service discovery on a local network.
- Issued DLA 3415-1 for `python-django` to address a potential validation bypass. A bug was also filed to ensure this ended up in the upcoming release of Debian. (#1035520)
- Issued DLA 3423-1 because it was discovered that there was a potential credential-stealing attack in epiphany-browser, the default GNOME web browser. When using a sandboxed Content Security Policy (CSP) or the HTML `iframe` tag, the sandboxed web content was trusted by the main/surrounding resource.
- Issued DLA 3438-1 as it was discovered that there was a potential denial-of-service (DoS) attack in the Kamailio SIP telephony server. This was caused by the Kamailio server mishandling `INVITE` requests with duplicated fields.
- Issued DLA 3439-1 to address a potential arbitrary code execution vulnerability in `libwebp`, a library to support the WebP image compression format.
- Issued ELA 859-1 as a potential denial of service (DoS) vulnerability was discovered in `python-ipaddress`, a backport of Python 3's `ipaddress` module for creating and manipulating IPv4 and IPv6 internet addresses.
You can find out more about the Debian LTS project via the following video: