Here is my monthly update covering what I have been doing in the free software world during November 2023 (previous month):
- Opened a pull request for the Meson build system to make the `Requires.private` line in generated `.pkgconfig` files reproducible. (#12528)
- Updated `python-gfshare`, a Python library of mine that implements Shamir's secret sharing technique to split a "secret" into multiple parts, giving each participant its own unique part. In particular, I added support for Python 3.8+. [...]
- Updated my Tickle Me Email tool, which implements Getting Things Done-like behaviours in any IMAP inbox. Specifically, I added support for truncating long `Subject:` lines. [...]
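As an added illustration of the technique that `python-gfshare` implements, here is a small Shamir secret-sharing implementation. This is example code written for this page, not `python-gfshare`'s own code: it works over a prime field rather than whatever field the library uses, and the names `split_secret`, `recover_secret` and the `PRIME` constant are my own. It relies on the three-argument `pow(x, -1, p)` modular inverse, which is why it needs Python 3.8 or newer.

```python
"""Shamir secret sharing over a prime field.

Added example, not python-gfshare's code. A secret is the constant term of a
random polynomial of degree k-1; each share is a point on that polynomial, and
any k distinct points determine the polynomial (and hence the secret) by
Lagrange interpolation at x = 0. Fewer than k points reveal nothing about it.
"""
import secrets

# Mersenne prime 2**127 - 1 (an assumption for this example); every secret must
# be an integer in [0, PRIME).
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):  # Horner's rule
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, n, k):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range for the field")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # Constant term is the secret; the other k-1 coefficients are uniformly
    # random, drawn from a CSPRNG so shares leak nothing about each other.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Interpolate the polynomial at x = 0 from at least k distinct shares.

    With fewer than k shares this still returns a value, but a uniformly random
    wrong one: the scheme cannot itself tell a caller that the threshold was
    not met, so callers must enforce k on their side.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME        # product of (0 - x_j)
                den = den * (xi - xj) % PRIME    # product of (x_i - x_j)
        basis = num * pow(den, -1, PRIME) % PRIME  # Lagrange basis L_i(0)
        total = (total + yi * basis) % PRIME
    return total


if __name__ == "__main__":
    # Constructed demo: a 16-byte secret split 5 ways with a threshold of 3.
    secret = int.from_bytes(b"constructed-key!", "big")
    shares = split_secret(secret, n=5, k=3)
    assert recover_secret(shares[1:4]) == secret
    print("recovered:", recover_secret(shares[1:4]).to_bytes(16, "big"))
```

Because any three of the five shares reconstruct the same polynomial, it does not matter which participants come together, and passing more than k shares is harmless.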
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during the compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
This month, I have:
- Wrote nine patches to fix specific reproducibility issues in `bidict`, `maildir-utils`, `openmrac-data`, `pelican`, `php-doc`, `python-ansible-pygments`, `radsecproxy`, `taffybar` & `vectorscan`.
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds `notes.git` repository.
- Opened a pull request for the Meson build system to make the `Requires.private` line in generated `.pkgconfig` files reproducible. (#12528)
- Drafted, published and publicised our monthly report for October 2023, as well as writing a "farewell"-style post at the end of our latest in-person summit in Hamburg, Germany.
- Updated the main Reproducible Builds website and documentation to use a "hero" image on the homepage [...], improved the documentation related to `SOURCE_DATE_EPOCH` and CMake [...], added iomart (née Bytemark) and DigitalOcean to our sponsors page [...] and dropped an unnecessary link on some horizontal navigation buttons [...].
- diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, I made a number of changes, including:
  - Improving DOS/MBR extraction by adding support for `7z`. [...]
  - Adding a missing `RequiredToolNotFound` import. [...]
  - As a UI/UX improvement, trying to avoid printing an extended traceback if diffoscope runs out of memory. [...]
  - Marking diffoscope as 'stable' on PyPI.org. [...]
  - Uploading version `252` to Debian unstable. [...]
Debian
- `redis` (7.2.3-1) — New upstream release.
- `python-django` (5.0~rc1-1) — New upstream RC1 release.
- `lastpass-cli` (1.3.7-1 for bookworm) — Upload latest upstream version to fix compatibility with LastPass's new SSL keys. (#105587)
- `libfiu` (1.2-1) — New upstream release; drop all local patches.
- `dh-python`: `fs.py` leaves dot-directories behind. (#1056291)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Investigated and triaged `apache2` (CVE-2023-31122, CVE-2023-43622 & CVE-2023-45802), `curl` (CVE-2023-28322 & CVE-2023-27534), `gpac` (CVE-2023-46927, CVE-2023-46928, CVE-2023-46930 & CVE-2023-46931), `horizon` (CVE-2022-45582), `lwip` (CVE-2020-22283 & CVE-2020-22284), `netty` LTS (CVE-2023-44487), `node-json5` (CVE-2022-46175), `squid` (CVE-2023-46846, CVE-2023-46847 & CVE-2023-5824), `tang` (CVE-2023-1672) & `tinymce` (CVE-2023-45818 & CVE-2023-45819).
- Issued DLA 3644-1 because of a potential remote code execution vulnerability in `phppgadmin`, a web-based administration tool for the PostgreSQL database server. This issue concerned the deserialisation of untrusted data, which may have led to remote code execution because user-controlled data was being passed directly to the PHP `unserialize()` function.
- Issued DLA 3648-1 for the Tang cryptography server because it was discovered that there was a race condition in its key generation (and re-generation) routines. This flaw resulted in a small time window during which newly generated private keys were readable by other processes on the same machine.
- It was discovered that there was a potential cross-site scripting (XSS) vulnerability in `ruby-sanitize`, a whitelist-based HTML sanitiser. Using carefully crafted input, an attacker may have been able to sneak arbitrary HTML and CSS through Sanitize when configured to use the built-in "relaxed" config, or when using a custom config that allowed `style` elements and one or more CSS @-rules. This could have resulted in cross-site scripting (XSS) or other undesired behaviour if the malicious HTML and CSS were then rendered in a browser. A fix for this issue was released as part of DLA 3652-1.
- Issued DLA 3663-1 and ELA 1012-1 because it was discovered that there was a potential buffer overflow in strongSwan, an IPsec-based VPN (Virtual Private Network) server. A vulnerability related to processing public Diffie-Hellman key exchange values could have resulted in a buffer overflow and, potentially, remote code execution as a result.
- I also updated the version of `lastpass-cli` in bookworm to fix Debian bug #1056307 and `redis` to fix #1055229.
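The Tang flaw above is an instance of a general pattern: a key file is created with permissions derived from the process umask and only tightened afterwards, leaving a window in which another local process can read it. The following added example (not Tang's code, whose actual routines are not shown on this page; the function names, the `observer` hook that stands in for a second process, and the umask of `0o022` used in the demonstration are my own assumptions) contrasts that create-then-chmod pattern with creating the file at mode `0o600` in the same system call that creates it.

```python
"""Create-then-chmod versus create-at-0600 for a private key file.

Added example, not Tang's code. `observer` models another process on the same
machine inspecting the file while the writer is still working.
"""
import os
import stat
import tempfile


def mode_of(path):
    """Permission bits of `path`, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_racy(path, key_bytes, observer=None):
    """The problematic pattern.

    open() creates the file with 0o666 masked by the umask (0o644 under the
    common 0o022), so between creation and the chmod below the key is readable
    by every local user. The chmod closes the door after the key has been
    written through it.
    """
    with open(path, "wb") as fh:
        fh.write(key_bytes)
    if observer is not None:
        observer(path)  # another process looking inside the window
    os.chmod(path, 0o600)


def write_key_safe(path, key_bytes, observer=None):
    """The hardened form.

    The mode 0o600 is applied by the kernel at creation time, so no window
    exists. O_EXCL refuses to reuse a path that already exists (including a
    symlink planted there), and fsync ensures the bytes reach disk before we
    report success.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key_bytes)
        fh.flush()
        os.fsync(fh.fileno())
    if observer is not None:
        observer(path)


def is_private(mode):
    """True when no permission bits are granted to group or other."""
    return mode & 0o077 == 0


def observed_modes(writer, umask=0o022):
    """Run `writer` in a fresh temp dir under `umask`; return the mode another
    process saw mid-write and the final mode, as a (during, final) pair."""
    seen = []
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "private.key")
            writer(path, b"constructed-test-key-material",
                   observer=lambda p: seen.append(mode_of(p)))
            final = mode_of(path)
    finally:
        os.umask(old_umask)
    return seen[0], final


if __name__ == "__main__":
    for name, writer in (("racy", write_key_racy), ("safe", write_key_safe)):
        during, final = observed_modes(writer)
        verdict = "private" if is_private(during) else "EXPOSED"
        print(f"{name}: mode during write {during:04o} ({verdict}), final {final:04o}")
```

The final mode is `0o600` in both cases, which is why a permissions audit taken after the fact would not distinguish them; only the mode during the write differs, and that is the check `observed_modes` makes.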
You can find out more about the Debian LTS project via the following video: