Here is my monthly update covering what I have been doing in the free software world during October 2022 (previous month):
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during the compilation process by promising that identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:

- Made a large number of non-maintainer uploads (NMUs) to Debian to apply reproducibility patches that had been lingering in the bug tracker for some time:
- Filed a bug against the `mksh` package within Debian as the test output differs between builds and this output is included in the
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our monthly report and updated the stylesheet on the main Reproducible Builds website to improve the aesthetics of the blog posts. [...]
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 225 to Debian:

- Add support for comparing the text content of HTML files using
- Add support for detecting ordering-only differences in XML files. [...]
- Fix an issue with detecting ordering differences. [...]
- Use the capitalised version of "Ordering" consistently everywhere in output. [...]
- Add support for displaying font metadata using `ttx(1)` from the fonttools suite. [...]
- Temporarily allow the `stable-po` pipeline to fail in the CI. [...]
- Rename the `order1.diff` test fixture to
- Tidy the JSON tests. [...]
- `get_data` and a manual assert within the XML tests. [...]
- Drop the `ALLOWED_TEST_FILES` test; it was mostly just annoying. [...]
- Tidy the
- Temporarily allow the
I also added a link to diffoscope's OpenBSD packaging on the diffoscope.org homepage. [...]
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3139-1 for the `knot-resolver` DNSSEC-validating DNS resolver. Remote attackers could have caused a denial of service via CPU consumption by exploiting algorithmic complexity: during an attack, an authoritative server would return large nameserver or address sets.
- Issued DLA 3140-1 for `libpgjava`, a Java library for connecting to PostgreSQL databases. A malicious user could have crafted a schema that caused an application to execute commands as a privileged user due to the lack of escaping of column names in some operations.
- Issued DLA 3143-1 and ELA-702-1 for the `strongswan` VPN server. Strongswan could have queried URLs with untrusted certificates, and this could potentially lead to a DoS attack by blocking the fetcher thread.
- Issued DLA 3147-1 for a PHP templating library called `twig`. This was caused by insufficient validation of template names in
- Issued DLA 3164-1 for the Django web development framework in order to fix multiple issues:
  - CVE-2020-24583: Fix incorrect permissions on intermediate-level directories on Python 3.7+. The `FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the
  - CVE-2020-24584: Correct permission escalation vulnerability in intermediate-level directories of the file system cache. On Python 3.7 and above, the intermediate-level directories of the file system cache had the system's standard umask rather than
  - CVE-2021-3281: Fix a potential directory-traversal exploit via `django.utils.archive.extract()`. This function, used by `startproject --template`, allowed directory traversal via an archive with absolute paths or relative paths with dot segments.
  - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter cloaking". Django contains a copy of `urllib.parse.parse_qsl()` which was added to backport some security fixes.
  - `Extract()` database functions were subject to a potential SQL injection attack if untrusted data was used as a value for the `lookup_name` parameters. Applications that constrain the choice to a known safe list were unaffected by this issue.
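As an added illustration of the CVE-2021-3281 item above (my own stand-in check, not Django's `django.utils.archive` code or its fix), this is the containment test a defender applies to each archive member before extracting it: it rejects both patterns named there, absolute member names and dot segments that resolve above the destination, and runs against a constructed zip archive.

```python
import io
import os
import zipfile


def is_safe_archive_member(name, dest):
    """True if extracting member `name` beneath `dest` cannot escape `dest`.

    Added example, not Django's own implementation: rejects absolute member
    names outright, then resolves dot segments and requires the result to
    stay inside the destination directory.
    """
    if not name or name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return False  # absolute path: the first pattern named in the CVE
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, name))
    # After normalising "..", the target must be dest itself or a descendant.
    return target == dest_abs or target.startswith(dest_abs + os.sep)


def partition_zip_members(zip_bytes, dest):
    """Split an archive's member names into (safe, rejected) lists."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            (safe if is_safe_archive_member(name, dest) else rejected).append(name)
    return safe, rejected


def build_sample_archive():
    """Constructed sample: two benign members plus both traversal patterns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/settings.py", "DEBUG = False\n")
        zf.writestr("project/sub/../urls.py", "urlpatterns = []\n")  # dots, but stays inside
        zf.writestr("../../escape.py", "print('outside')\n")        # dot segments climbing out
        zf.writestr("/tmp/absolute.py", "print('absolute')\n")      # absolute member name
    return buf.getvalue()


if __name__ == "__main__":
    safe, rejected = partition_zip_members(build_sample_archive(), "/srv/newproject")
    print("safe:", safe)
    print("rejected:", rejected)
```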
I also prepared an update for Debian stable bullseye on behalf of the Debian security team that was released as DSA-5254-1.
You can find out more about the Debian LTS project via the following video: