Here is my monthly update covering what I have been doing in the free software world during October 2022 (previous month):
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
- Pushed the following to tpm2-pytss, a set of Python bindings to interact with the TPM2 Software Stack. [...]
- Kept isdebianreproducibleyet.com up to date. [...]
- I also submitted 2 patches to fix reproducibility issues in puppet-agent & tpm2-pytss.
- I made a large number of non-maintainer uploads (NMUs) to Debian to apply reproducibility patches that had been lingering in the bug tracker for some time:
- Filed a bug against the mksh package within Debian as the test output differs between builds and this output is included in the README.Debian file. (#1021085)
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our monthly report and updated the stylesheet on the main Reproducible Builds website to improve the aesthetics of the blog posts. [...]
diffoscope
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 224 and 225 to Debian:
- Add support for comparing the text content of HTML files using html2text. [...]
- Add support for detecting ordering-only differences in XML files. [...]
- Fix an issue with detecting ordering differences. [...]
- Use the capitalised version of "Ordering" consistently everywhere in output. [...]
- Add support for displaying font metadata using ttx(1) from the fonttools suite. [...]
- Testsuite improvements:
  - Temporarily allow the stable-po pipeline to fail in the CI. [...]
  - Rename the order1.diff test fixture to json_expected_ordering_diff. [...]
  - Tidy the JSON tests. [...]
  - Use assert_diff over get_data and a manual assert within the XML tests. [...]
  - Drop the ALLOWED_TEST_FILES test; it was mostly just annoying. [...]
  - Tidy the tests/test_source.py file. [...]
I also added a link to diffoscope's OpenBSD packaging on the diffoscope.org homepage. [...]
Debian
Uploads:
- 2.2.28-1~deb11u1 (to bullseye) — New upstream security release.
- 3.2.16-1 — New upstream security release.
- 4.1.2-1 (to experimental) — New upstream security release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged freerdp2 (CVE-2022-39282 & CVE-2022-39283), ini4j (CVE-2022-41404), isc-dhcp (CVE-2022-2928 & CVE-2022-2929), ruby-mechanize (CVE-2022-31033) etc.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3139-1 for the knot-resolver DNSSEC-validating DNS resolver. Remote attackers could have caused a denial of service via CPU consumption by exploiting algorithmic complexity: during an attack, an authoritative server would return large nameserver or address sets.
- Issued DLA 3140-1 for libpgjava, a Java library for connecting to PostgreSQL databases. A malicious user could have crafted a schema that caused an application to execute commands as a privileged user due to the lack of escaping of column names in some operations.
- Issued DLA 3143-1 and ELA-702-1 for the strongswan VPN server. Strongswan could have queried URLs with untrusted certificates, and this could potentially lead to a DoS attack by blocking the fetcher thread.
- Issued DLA 3147-1 for a PHP templating library called twig. The issue was caused by insufficient validation of template names in source and include statements.
- Issued DLA 3164-1 for the Django web development framework in order to fix multiple issues:
  - CVE-2020-24583: Fix incorrect permissions on intermediate-level directories on Python 3.7+. The FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.
  - CVE-2020-24584: Correct a permission escalation vulnerability in intermediate-level directories of the file system cache. On Python 3.7 and above, the intermediate-level directories of the file system cache had the system's standard umask rather than 0o077.
  - CVE-2021-3281: Fix a potential directory-traversal exploit via archive.extract(). The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed directory traversal via an archive with absolute paths or relative paths with dot segments.
  - CVE-2021-23336: Prevent a web cache poisoning attack via "parameter cloaking". Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes.
  - CVE-2022-34265: The Trunc() and Extract() database functions were subject to a potential SQL injection attack if untrusted data was used as a value for the kind or lookup_name parameters. Applications that constrain the choice to a known safe list were unaffected by this issue.
- I also prepared an update for Debian stable bullseye on behalf of the Debian security team that was released as DSA-5254-1.
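As an added illustration of the CVE-2021-3281 class of bug described above (example code written for this post, not Django's own django.utils.archive implementation): a pre-extraction check that refuses archive member names which are absolute or whose dot segments climb out of the extraction directory, run over a constructed in-memory tar. The base directory and member names are constructed placeholders, and nothing is written to disk.

```python
import io
import os
import posixpath
import tarfile


def is_safe_member(base_dir, member_name):
    """True if an archive member name, joined onto base_dir, stays inside it.

    Rejects the two cases behind CVE-2021-3281: absolute member names and
    relative names whose dot segments climb out of the extraction directory.
    """
    if not member_name or posixpath.isabs(member_name) or member_name.startswith("\\"):
        return False
    norm = posixpath.normpath(member_name)
    if norm == ".." or norm.startswith("../"):
        return False
    # Defence in depth: compare the resolved target against the resolved base.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, norm))
    return target == base or target.startswith(base + os.sep)


def unsafe_members(archive_bytes, base_dir="/tmp/extract_target"):
    """Return the member names of an in-memory tar that would escape base_dir.

    base_dir is a constructed placeholder; the archive is only inspected.
    """
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_member(base_dir, m.name)]


def build_sample_archive():
    """Constructed sample tar: one benign member and two that would escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("template/app.py", "../outside.txt", "/abs/outside.txt"):
            data = b"placeholder\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive()):
        print("refusing to extract:", name)
```

The check is applied to every member before any file is created, which is the shape of fix the advisory describes: validate names up front rather than relying on the extraction library to stay inside the target.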
You can find out more about the Debian LTS project via the following video: