Here is my monthly update covering what I have been doing in the free software world during November 2022 (previous month):
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- I made another large batch of non-maintainer uploads (NMUs) to Debian this month to apply reproducibility patches that had been lingering in the bug tracker for some time:
- I also submitted three new patches to fix Debian-specific reproducibility issues in `libnvme`, `pykafka` & `python-fissix`.
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds [notes.git](https://salsa.debian.org/reproducible-builds/reproducible-notes/activity) repository.
- Drafted, published and publicised our monthly report for October 2022.
- Updated the main Reproducible Builds website and documentation to ensure the openEuler logo is visible with a white background. [...]
- strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. This month, I merged a set of Lintian fixes to the `debian/upstream/metadata` file. [...]
diffoscope
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 226 and 227 to Debian:
- Support both `python3-progressbar` and `python3-progressbar2`, two modules providing the `progressbar` Python module. [...]
- Don't run Python decompiling tests on Python bytecode that `file(1)` cannot detect yet and Python 3.11 cannot unmarshall. (#1024335)
- Don't attempt to attach the text-only differences notice if there are no differences to begin with. (#1024171)
- Make sure we recommend `apksigcopier`. [...]
- Tidy generation of `os_list`. [...]
- Make the code clearer around generating the Debian 'substvars'. [...]
- Use our `assert_diff` helper in `test_lzip.py`. [...]
- Drop other copyright notices from `lzip.py` and `test_lzip.py`. [...]
Debian
- `hiredis` (`1.1.0~rc1-1`) — New upstream release candidate.
- `python-django` (`4.1.3-1`) — New upstream bugfix release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3181-1 and ELA 728-1 as it was discovered that there was an information disclosure vulnerability in `sudo`, a popular tool used to provide limited superuser privileges to specific users.
- Issued DLA 3179-1 after it was reported that there was a potential out-of-bounds write vulnerability in `pixman`, a pixel-manipulation library used in many Linux graphical applications.
- Issued DLA 3177-1 and DLA 3191-1 because multiple issues were discovered in Django, a Python-based web development framework:
  - CVE-2021-45452: `Storage.save` allowed directory traversal if crafted filenames were passed directly to it.
  - CVE-2022-22818: The `{% debug %}` template tag did not properly encode the current context. This may have led to a cross-site scripting (XSS) vulnerability.
  - CVE-2022-23833: The HTTP `MultiPartParser` had an issue whereby certain inputs to multipart forms could result in an infinite loop when parsing uploaded files.
  - CVE-2022-28346: The `QuerySet.annotate()`, `aggregate()` and `extra()` methods were subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) passed as `**kwargs`.
  - CVE-2021-45115: `UserAttributeSimilarityValidator` incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
  - CVE-2021-45116: Due to leveraging the Django template language's variable resolution logic, the `|dictsort` template filter was potentially vulnerable to information disclosure or an unintended method call if passed a suitably crafted key.
- Issued DLA 3211-1 as it was discovered that there was a potential out-of-bounds read in the BGP daemon of `frr`, a set of tools to route internet traffic.
- Issued DLA 3210-1 because two vulnerabilities were discovered in `gerbv`, a Gerber file viewer. Most Printed Circuit Board (PCB) design programs can export data to a Gerber file. The two vulnerabilities were:
  - CVE-2021-40401: A use-after-free vulnerability existed in the RS-274X aperture definition tokenisation functionality. A specially-crafted Gerber file could have led to code execution.
  - CVE-2021-40403: An information disclosure vulnerability existed in the 'pick-and-place' rotation parsing functionality. A specially-crafted pick-and-place file could have exploited the missing initialisation of a structure in order to leak memory contents.
- Issued DLA 3213-1 as it was announced that there was a potential Denial of Service (DoS) attack against `krb5`, a suite of tools implementing the Kerberos authentication system. An integer overflow in PAC parsing could have been exploited if a cross-realm entity acted maliciously.
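The Django CVE-2022-28346 item above deserves a closer look, because the vector is easy to miss: a literal keyword argument can only be a valid Python identifier, but `**{...}` dictionary expansion will pass any string as a keyword name, so whatever a caller puts in that dictionary reaches the column alias verbatim. The following is an added example, not code from this post or from Django itself. It is a toy query builder that copies the shape of `QuerySet.annotate()` (aliases interpolated into the SELECT list) and runs against an in-memory SQLite table of constructed sample data, first unguarded and then guarded by an alias check modelled on the one Django shipped as its fix. The table contents, the hostile alias string and the exact regular expression are assumptions for illustration.

```python
import re
import sqlite3

# Alias check modelled on the one Django added for CVE-2022-28346: a column
# alias may not contain quotes, brackets, semicolons, whitespace or SQL
# comment markers. The exact pattern here is an assumption for this example,
# not copied from Django.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def check_alias(alias: str) -> str:
    """Return the alias unchanged if it is safe, otherwise raise ValueError."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace, quotation marks, "
            f"semicolons or SQL comments: {alias!r}"
        )
    return alias


def build_annotate_sql(table: str, validate: bool, **annotations: str) -> str:
    """Toy stand-in for QuerySet.annotate(): every keyword argument becomes
    '<expression> AS "<alias>"' in the SELECT list.

    Keyword names reach this function verbatim, so interpolating them into
    the SQL without a check (validate=False) reproduces the shape of the bug.
    """
    columns = []
    for alias, expression in annotations.items():
        if validate:
            check_alias(alias)
        columns.append(f'{expression} AS "{alias}"')
    return f"SELECT {', '.join(columns)} FROM {table}"


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'alice', 0), (2, 'bob', 1);
        """
    )
    return conn


# Constructed attacker-controlled alias. A literal keyword argument could never
# look like this, but **{...} dictionary expansion passes any string as a key.
EVIL_ALIAS = 'x" FROM users WHERE is_admin = 1 --'


def demo() -> dict:
    """Run the honest query, the injected query and the hardened builder.

    Returns a dict so the outcome can be inspected rather than only printed.
    """
    conn = fresh_db()
    result = {}

    honest_sql = build_annotate_sql("users", False, **{"total": "COUNT(*)"})
    result["honest_count"] = conn.execute(honest_sql).fetchone()[0]  # all rows

    # The closing quote ends the alias, the remainder rewrites the query, and
    # '--' comments out the builder's own FROM clause.
    injected_sql = build_annotate_sql("users", False, **{EVIL_ALIAS: "COUNT(*)"})
    result["injected_sql"] = injected_sql
    result["injected_count"] = conn.execute(injected_sql).fetchone()[0]  # admins only

    # The hardened builder refuses the same input before any SQL is built.
    try:
        build_annotate_sql("users", True, **{EVIL_ALIAS: "COUNT(*)"})
        result["hardened_rejects"] = False
    except ValueError:
        result["hardened_rejects"] = True

    # A normal identifier still passes the check.
    result["benign_alias_ok"] = check_alias("total") == "total"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the honest query counting both users while the injected alias turns the same `COUNT(*)` into a count of admins, with the builder's real `FROM users` left behind the comment marker; with validation enabled, the hostile alias never reaches the database at all. The lesson generalises beyond Django: any API that accepts `**kwargs` and uses the keys as identifiers must validate them as untrusted input, because keyword names are not guaranteed to be identifiers.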
You can find out more about the Debian LTS project from the following video: