Free software activities in October 2021

Here is my monthly update covering what I have been doing in the free software world during October 2021 (view my report for September):

• As part of my duties of being on the board of directors of the Software in the Public Interest I attended its respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.

• I blogged about a paper I co-authored with Stefano Zacchiroli which was accepted by IEEE Software in April 2021. [...]

• For Lintian, the static analysis tool for Debian packages, I uploaded versions 2.107.0, 2.108.0, 2.109.0, 2.110.0 and 2.111.0 as well as updated a tag description to mention that --with=sphinxdoc (or dh_sphinxdoc) is the easiest way to prevent including Sphinx .doctree files in binary packages. [...]

• I filed a trivial pull request for the bitcoinbinary.org site to correct a grammatical error on the homepage. [...]

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• Did some work on the Sphinx documentation generator which is used extensively in the Python community. Specifically, I submitted a change to make the output of instance aliases reproducible (filed in Debian as [#996948](https://bugs.debian.org/996948)) as well as worked towards addressing an issue where the LANGUAGE environment variable inconsistently affects the output of objects.inv files (#998059). This latter problem is currently causing a huge number of packages in Debian to be unreproducible.

• I submitted 11 patches to fix specific reproducibility issues within Debian for afnix, fenics-basix, libinput, libminidns-java, node-inquirer, pikepdf, python-duniterpy, python-pipx, pytools, smplayer & snakemake.

• Kept isdebianreproducibleyet.com? up to date. [...]

• Drafted, published and publicised our monthly report for September 2021.

• Presented at an internal, albeit open, Microsoft event with a broad overview of reproducible builds.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git" repository.

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 186, 187, 188 and 189 to Debian:

• New features:

  • Add support for Python Sphinx inventory files (usually named objects.inv on-disk). [...]
  • Add support for comparing .pyc files. Thanks to Sergei Trofimovich for the inspiration. [...]
  • Try some alternative suffixes (eg. .py) to support distributions that strip or retain them. [...][...]

• Bug fixes:

  • Fix Python decompilation tests under Python 3.10+ [...] and for Python 3.7 [...].
  • Don't raise a traceback if we cannot unmarshal Python bytecode. This is in order to support Python 3.7 failing to load .pyc files generated with newer versions of Python. [...]
  • Skip Python bytecode testing where we do not have an expected diff. [...]

• Codebase improvements:

  • Use our file_version_is_lt utility instead of accepting both versions of uImage expected diff. [...]
  • Split out a custom call to assert_diff for a .startswith equivalent. [...]
  • Use skipif instead of manual conditionals in some tests. [...]

Uploads to Debian

• hiredis:

  • 0.14.1-2 — Prevent an integer overflow vulnerability when parsing 'multi-bulk' replies.
  • 1.0.0-3 — Prevent an integer overflow vulnerability when parsing 'multi-bulk' replies (to experimental).
  • 1.0.2-1 — New upstream release (to experimental).

• memcached (1.6.12+dfsg-1) — New upstream release.

• python-django:

  • 3.2.8-1 — New upstream bugfix release.
  • 4.0~beta1-1 — New upstream beta release (to experimental).

• redis:

  • 6.0.16-1 — New upstream security release.
  • 6.2.6-1 — New upstream security release (to experimental).

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged ardour (CVE-2020-22617), libcrypto++ (CVE-2021-40530), libreoffice (CVE-2021-25633, CVE-2021-25634 & CVE-2021-25635), nodejs (CVE-2021-22959 &, CVE-2021-22960), redis (CVE-2021-32626, CVE-2021-32627, CVE-2021-32628, CVE-2021-32672, CVE-2021-32675, CVE-2021-32687, CVE-2021-32762 & CVE-2021-41099), redmine (CVE-2021-42326) & shiro (CVE-2021-41303).

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc. I also created a frontdesk scheduling document for 2022 [...]. Due to a scheduling conflict, however, I regrettably could not attend the monthly meeting.

• Issued DLA 2781-1 for neutron as it was discovered that there was an issue where authenticated attackers could have reconfigured dnsmasq via a crafted extra_dhcp_opts value within OpenStack's Neutron virtual network service.

• Issued DLA 2783-1 and ELA-499-1 for hiredis, a C client library for communicating with Redis databases. An integer overflow vulnerability existed within the handling and parsing of 'multi-bulk' replies.

• Issued DLA 2784-1 and ELA-496-1 as it was discovered that there was a potential use-after-free vulnerability in icu, a library which provides Unicode and locale functionality.

• Issued DLA 2791-1 and ELA-500-1 as it was discovered that there was a potential remote privilege escalation vulnerability in the Mailman mailing-list manager. Some CSRF token values were derived from the admin password, and that could have been used to conduct a brute-force attack against that password.

You can find out more about the Debian LTS project through the following video:

You can subscribe to new posts via email or RSS.