Here follows my monthly update covering what I have been doing in the free software world during October 2023 (previous month).
Reproducible Builds
The motivation behind Reproducible Builds is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month:
- I kept isdebianreproducibleyet.com up to date. [...]
- Helped organise our in-person summit in Hamburg, Germany and updated the main Reproducible Builds website and documentation significantly as a result.
- Drafted, published and publicised our monthly report for September 2023.
- Updated diffoscope to fix an issue where, if `file -i` returns `text/plain` for a file, it now falls back to comparing it as a text file. [...]
- Categorised a large number of packages and issues in the Reproducible Builds `notes.git` repository.
- Submitted at least patches to fix specific reproducibility issues, including `dacite` & `rtpengine`.
Debian
- `python-django` (4.2.6-1) — New upstream security release (to address CVE-2023-43665).
- `bfs` (3.0.4-1) — New upstream release.
- 1.6.21-3 — Don't run the tests on the `riscv64` architecture.
- 1.6.22-1 — New upstream release.
- 7.0.13-2 — Only install systemd units once. (#1054091)
- 7.0.14-1 — New upstream security release. (CVE-2023-45145)
- 7.0.14-2 — Drop the `ProcSubset=pid` hardening flag from the systemd unit files, as it appears to cause crashes with memory allocation errors. (#1055039)
- 7.2.1-2 (to experimental) — Only install systemd units once. (#1054091)
- 7.2.2-1 (to experimental) — New upstream security release. (CVE-2023-45145)
- 7.2.2-2 (to experimental) — Drop the `ProcSubset=pid` hardening flag from the systemd unit files, as it appears to cause crashes with memory allocation errors. (#1055039)
- `libfiu` (1.1-5) — Backport a patch (5dcc6d4) from upstream in order to fix a test failure. (#1054777)
Debian LTS
This month I worked 17 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged `nss` (CVE-2023-5388), `open-vm-tools` (CVE-2023-34058 & CVE-2023-34059), `python-django` (multiple CVEs) and `request-tracker4`.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc., as well as attending the monthly LTS meeting.
- Issued DLA 3616-1 as it was discovered that there was a potential code injection vulnerability in Org Mode, a popular add-on for the Emacs text editor. Attackers could have executed arbitrary shell commands via a filename (or directory name) that contained shell metacharacters.
- Issued DLA 3624-1 because it was discovered that there was a potential authorisation bypass vulnerability in Apache Zookeeper, a co-ordination service for reliable distributed applications. Specifically, if SASL Quorum Peer authentication was enabled via `quorum.auth.enableSasl`, authorisation was performed by verifying that the instance part in the SASL authentication ID was listed in the `zoo.cfg` server list. However, this value is optional, and, if missing (such as in `'eve@EXAMPLE.COM'`), the authorisation check will be skipped. As a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree.
- Issued DLA 3627-1 and ELA-988-1 as an authentication bypass vulnerability was discovered in Redis, the popular key-value database similar to Memcached. On startup, Redis began listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive `umask(2)` was used, this created a race condition that enabled, during a short period of time, another process to establish an otherwise unauthorized connection.
- Issued DLA 3643-1 for `pmix`, a library used in parallel/cluster computing. Attackers could have obtained ownership of arbitrary files via a symlink-related race condition during execution of library code with UID 0.
You can find out more about the project via the following video:
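The Zookeeper item above (DLA 3624-1) is a textbook case of an optional field turning an allow-list into a no-op. The following is an added illustration of mine, not Zookeeper's code: it models the check on a Kerberos-style `primary[/instance][@REALM]` identity, with a constructed server list standing in for the `server.N=` entries in `zoo.cfg`, and shows the "skip the check when the instance is absent" behaviour beside the fail-closed version.

```python
# Added example; not Zookeeper's implementation. Principal format assumed:
# primary[/instance][@REALM], with the instance part matched against the
# host names from a constructed zoo.cfg server list.
import re
from typing import Optional

# Constructed stand-in for the hosts parsed out of zoo.cfg server.N= lines.
ZOO_CFG_SERVERS = {"zk1.example.com", "zk2.example.com", "zk3.example.com"}

PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?(?:@(?P<realm>.+))?$"
)


def instance_part(authz_id: str) -> Optional[str]:
    """Return the instance component of a SASL authorisation ID, or None
    when the identity carries no instance at all (e.g. 'eve@EXAMPLE.COM')."""
    m = PRINCIPAL_RE.match(authz_id)
    if m is None:
        raise ValueError(f"malformed principal: {authz_id!r}")
    return m.group("instance")


def is_authorised_vulnerable(authz_id: str, servers=ZOO_CFG_SERVERS) -> bool:
    """The behaviour the advisory describes: the membership check only runs
    when an instance part is present, so an identity without one passes."""
    inst = instance_part(authz_id)
    if inst is None:
        return True  # no instance, no check: this is the bypass
    return inst in servers


def is_authorised_fixed(authz_id: str, servers=ZOO_CFG_SERVERS) -> bool:
    """Fail closed: an identity that cannot be mapped onto a configured
    server is not a quorum peer, whether the instance is wrong or missing."""
    inst = instance_part(authz_id)
    return inst is not None and inst in servers
```

The detection angle is the same shape: a quorum-peer authentication that succeeds for an identity whose instance does not match any configured server should never appear in the leader's logs, and a peer list that grows beyond `zoo.cfg` is the observable symptom.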
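The Redis item (DLA 3627-1 / ELA-988-1) hinges on a detail worth seeing concretely: `bind(2)` on an `AF_UNIX` socket creates the socket file with mode `0777 & ~umask`, so a later `chmod()` to the configured permission leaves a window whose width is set by the process umask, not by the daemon's configuration. This added example is my own and not Redis's code; it binds a throwaway socket under a chosen umask and reports the permission bits the file had at the instant `bind()` returned, for a constructed configuration of `0700`.

```python
# Added example; not Redis's code. Measures the socket-file mode in the
# window between bind() and the daemon's own chmod() to the configured
# permission, under a permissive and under a restrictive umask.
import os
import socket
import stat
import tempfile


def socket_mode_at_bind(configured_perm: int, process_umask: int) -> int:
    """Bind a Unix socket under `process_umask` and return the permission
    bits the socket file carried right after bind(), i.e. before the
    daemon's chmod() to `configured_perm` has run."""
    tmpdir = tempfile.mkdtemp()  # short path: AF_UNIX paths are length-limited
    path = os.path.join(tmpdir, "s.sock")
    old_umask = os.umask(process_umask)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(path)
        mode_in_window = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, configured_perm)  # the late fix-up the advisory describes
    finally:
        os.umask(old_umask)
        sock.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)
    return mode_in_window


def demo():
    """Constructed scenario: the service is configured for a 0700 socket."""
    permissive = socket_mode_at_bind(0o700, 0o022)   # world-writable window
    restrictive = socket_mode_at_bind(0o700, 0o077)  # never wider than 0700
    return permissive, restrictive
```

The mitigation the numbers point to: either set a restrictive umask before `bind()` (so the file is never wider than intended) or create the socket inside a directory that other users cannot traverse, rather than relying on a `chmod()` after the fact.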
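For the `pmix` item (DLA 3643-1), the class of bug is a time-of-check/time-of-use race on a path name: code running as UID 0 that chowns a file by its path can be pointed elsewhere by a symlink swapped in after the check. The defensive pattern is to open with `O_NOFOLLOW`, verify the object behind the descriptor, and then act on the descriptor (`fchown`, `fchmod`) rather than on the name. The example below is added by me and is not pmix's code; it builds a constructed fixture (a real file and a symlink to a second constructed file) and shows the safe open accepting the former and refusing the latter. The actual ownership change is left out because it needs root.

```python
# Added example; not pmix's code. Demonstrates refusing to follow a symlink
# at open time and checking the opened object, the usual fix for
# symlink-race file-ownership bugs in privileged code.
import errno
import os
import stat
import tempfile


def open_regular_nofollow(path: str) -> int:
    """Open `path` without traversing a final-component symlink, then confirm
    the descriptor refers to a regular file. Returns the fd; caller closes it.
    Any later fchown()/fchmod() should target this fd, never the path."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)  # inspect the object we hold, not the name
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.EINVAL, "not a regular file", path)
    except Exception:
        os.close(fd)
        raise
    return fd


def classify(path: str) -> str:
    """Return 'ok', 'symlink' or 'other' for how the safe open treats `path`."""
    try:
        fd = open_regular_nofollow(path)
    except OSError as e:
        # Linux reports ELOOP for O_NOFOLLOW on a symlink; some BSDs use EMLINK.
        return "symlink" if e.errno in (errno.ELOOP, errno.EMLINK) else "other"
    os.close(fd)
    return "ok"


def build_fixture():
    """Constructed scenario: a legitimate output file, and a symlink planted
    at a similar name that points at a different (constructed) file."""
    d = tempfile.mkdtemp()
    real = os.path.join(d, "output.txt")
    with open(real, "w") as f:
        f.write("data\n")
    target = os.path.join(d, "victim.txt")
    with open(target, "w") as f:
        f.write("should keep its owner\n")
    link = os.path.join(d, "output.lnk")
    os.symlink(target, link)
    return real, link
```

Note that `O_NOFOLLOW` only covers the last path component; if intermediate directories are attacker-writable, the same treatment has to be applied per component (`openat` with a trusted directory fd), or the operation moved out of the attacker-controlled tree entirely.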