Here is my monthly update covering what I have been doing in the free software world during September 2022 (previous month):
- Updated my Tickle Me Email tool that implements Getting Things Done-like behaviours in any IMAP inbox. First, I added optional support for marking emails as "unread" when rotating them back into an inbox (so that they stand out) [...] and to optionally support writing out the `From` header of emails when using the `subjects` feature as well [...]. Both of these features were then released in version 4.8.0.
- Merged a contribution to my django-slack library that provides a convenient wrapper between projects using the Django web development framework and the Slack chat platform. In particular, merging a pull request by Stian Jensen to support overriding the default exception manager. [...]
- Reviewed a number of papers as part of CSAW 2022, the "most comprehensive student-run cyber security event in the world".
## Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during the compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised. This month, I:
- Categorised a very large number of packages and issues in the Reproducible Builds "notes" repository.
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted a patch to fix a specific reproducibility issue in the `gnome-online-accounts` Debian package.
- Responded to a question about Debian bug #972494, a reproducibility-related bug filed against the `libgrokj2k` package. I also tested a patch by Helmut Grohne attached to the #873138 bug about the `dpkg-genbuildinfo` component of dpkg.
- Contacted a hardware sponsor due to an issue with a new billing scheme.
- Arranged for a number of meetings and interviews to take place during October 2022.
- Drafted, published and publicised our monthly report.
- Added a redirect on our website from `/projects/` to [/who/](https://reproducible-builds.org/who/) to keep old/archived links working. [...]
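As an added illustration of the consensus idea behind Reproducible Builds described above (example code written for this page, not part of the project's own tooling), the following script compares the artifact hashes reported by independent rebuilders against the hash of the published artifact. The rebuilder names, quorum value and artifact contents are constructed for the example.

```python
"""Consensus check over independent rebuild results (added example, not project code).

Each rebuilder reports the SHA-256 of the artifact it produced from the same
source. If enough independent rebuilds match the published hash, the build is
reproducible; a lone mismatch points at that rebuilder, while a published hash
that the rebuilders agree does NOT match is the case that warrants investigation.
"""
from collections import Counter
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def consensus(published: str, rebuilds: dict, quorum: int = 2):
    """Return (verdict, dissenters).

    verdict is one of:
      "reproducible"   - at least `quorum` rebuilders agree and match the published hash
      "suspect-upload" - rebuilders agree with each other but not with the published hash
      "inconclusive"   - no quorum among the rebuilders
    dissenters lists the rebuilders whose hash differs from the majority hash.
    """
    counts = Counter(rebuilds.values())
    majority_hash, majority_n = counts.most_common(1)[0]
    dissenters = sorted(name for name, h in rebuilds.items() if h != majority_hash)
    if majority_n < quorum:
        return "inconclusive", dissenters
    if majority_hash == published:
        return "reproducible", dissenters
    return "suspect-upload", dissenters


# Constructed sample artifacts (stand-ins for real .deb files).
GOOD = sha256_hex(b"example-package_1.0-1_amd64.deb contents")
BAD = sha256_hex(b"example-package_1.0-1_amd64.deb contents + injected extra")


def demo():
    """Run the four cases a rebuild-comparison service has to tell apart."""
    return {
        "all_match": consensus(GOOD, {"rb-a": GOOD, "rb-b": GOOD, "rb-c": GOOD}),
        "one_rebuilder_off": consensus(GOOD, {"rb-a": GOOD, "rb-b": GOOD, "rb-c": BAD}),
        "upload_differs": consensus(BAD, {"rb-a": GOOD, "rb-b": GOOD, "rb-c": GOOD}),
        "no_quorum": consensus(GOOD, {"rb-a": GOOD, "rb-b": BAD}),
    }


if __name__ == "__main__":
    for case, (verdict, dissenters) in demo().items():
        print(f"{case}: {verdict} dissenters={dissenters}")
```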
## diffoscope

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 222 and 223 to Debian:

- The `cbfstools` utility is now provided in Debian via the `coreboot-utils` package so we can enable that functionality within Debian. [...]
- Looked into Mach-O support.
- Worked with, triaged and otherwise merged a number of contributions from others.
- Fixed the try.diffoscope.org service by addressing a compatibility issue between `glibc`/`seccomp` that was preventing the Docker-contained diffoscope instance from spawning any external processes whatsoever [...]. I also updated the `requirements.txt` file, as some of the specified packages were no longer available [...][...].
## Debian

### Uploads

- redis (`5:7.0.5-1`) — New upstream security release to address a heap overflow vulnerability in `XAUTOCLAIM` (CVE-2022-35951).
- python-django (`3:4.1.1-1`) — New upstream bugfix release.
- memcached (`1.6.17-1`) — New upstream release.
## Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

- Investigated and triaged: `assimp` (CVE-2022-38528), `http-parser` (CVE-2020-8287), `mako` for stretch ELTS (CVE-2022-40023), `modsecurity-crs`, `pdftk` for stretch ELTS (CVE-2021-37819), `pspp` (CVE-2022-39831 & CVE-2022-39832), `python-oauthlib` (CVE-2022-36087) & `snakeyaml` (CVE-2022-25857).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3104-1 for Paramiko, a pure-Python implementation of the SSH algorithm. In particular, unauthorised information disclosure could have occurred during the creation of SSH private keys (CVE-2022-24302).
- Issued DLA 3105-1 as two issues were discovered in `connman`, a daemon for managing internet connections within embedded devices. These were CVE-2022-32292 (an issue where remote attackers able to send HTTP requests to the `gweb` component could exploit a heap-based buffer overflow in the `received_data` function) and CVE-2022-32293 (a man-in-the-middle attack against a `WISPR` HTTP query which could be used to trigger a use-after-free state, leading to crashes or even code execution).
- Issued DLA 3106-1 because it was announced that there was a credential disclosure vulnerability (CVE-2022-0718) in the `python-oslo.utils` package, a set of utilities used by OpenStack.
- Issued DLA 3107-1 and ELA 678-1 as it was discovered that there were three issues in SQLite:
  - CVE-2020-35525: Prevent a potential null pointer dereference issue in `INTERSECT` query processing.
  - CVE-2020-35527: Prevent an out-of-bounds access issue that could be exploited via `ALTER TABLE` statements in views that have nested SQL `FROM` clauses.
  - CVE-2021-20223: Prevent an issue with the `unicode61` tokeniser related to Unicode control characters ("class Cc") and embedded `NUL` characters being misinterpreted as tokens.
- You can find out more about the project via the following video: