Here is my monthly update covering what I have been doing in the free software world during September 2024 (previous month):
- Released a new version of my installation-birthday utility, which will celebrate each 'birthday' of your Debian system by automatically sending a message to the local system administrator. This was to update the build dependencies for compatibility with the latest Python versions. (#1080609)
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted 6+ patches to fix specific reproducibility issues in lomiri-content-hub, magic-wormhole-transit-relay, muon-meson, python-mt-940, python-sphobjinv & tree-puzzle.
- Through reproducibility testing, I identified that the documentation for the python-inline-snapshot package includes inline error messages instead of example output. (#1082705)
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Drafted, published and publicised our monthly report for August 2024.
Updated our website:
- Attempt to use GitLab CI to 'artifact' the website; hopefully useful for testing branches. [...]
- Correct the linting rule whilst building the website. [...]
- Make a number of small changes to Kees' post written by Vagrant. [...][...][...]
- Add the Civil Infrastructure Platform to the Projects page. [...]
- Miscellaneous administration of misfiled images. [...][...]
diffoscope
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading version 278 to Debian:
- New features:
  - Add a helpful contextual message to the output if comparing Debian .orig tarballs within .dsc files without the ability to "fuzzy-match" away the leading directory. [...]
- Bug fixes:
- Misc:
For trydiffoscope, the command-line client for the web-based version of diffoscope, I:
- Added an explicit python3-setuptools dependency. (#1080825)
- Bumped the Standards-Version to 4.7.0. [...]
Debian uploads
- memcached (1.6.31-1) — New upstream release.
- bfs (4.0.2-1) — New upstream release.
- installation-birthday (19) — Add an explicit Build-Depends on python3-setuptools (#1080609) and bump the package's Standards-Version to version 4.7.0.
- libfiu (1.2-3) — Add an explicit Build-Depends on python3-setuptools. (#1080632)
- 4.2.16-1 — New upstream security release.
- 5.1.1-1 — New upstream security release.
I also filed a removal bug for the (buggy and superseded) python-gflags package. (#1081383)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged proftpd-dfsg (CVE-2023-48795), anki (CVE-2024-26020, CVE-2024-29073, CVE-2024-32152 & CVE-2024-32484), cockpit (CVE-2024-6126), fish (CVE-2023-49284), foot (CVE-2023-XXXX), frr (CVE-2023-41909), git (CVE-2024-32020), knot-resolver (CVE-2023-46317), mediawiki (CVE-2023-51704), newlib (CVE-2021-3420), node-rollup (CVE-2024-47068), olm (CVE-2024-45191, CVE-2024-45192 & CVE-2024-45193), openipmi (CVE-2024-42934), proftpd-mod-proxy (CVE-2023-48795), python-zipp (CVE-2024-5569), python3.9 (CVE-2024-8088), python3.4 (CVE-2024-8088), python3.5 (CVE-2024-8088), python3.7 (CVE-2024-8088), redis, thunderbird (CVE-2024-8381, CVE-2024-8382 & CVE-2024-8384) & wolfssl (CVE-2023-3724).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3857-1 as it was discovered that there was a series of integer overflow vulnerabilities in LibTomMath, a multiple-precision mathematics library. This could have led attackers to execute arbitrary code and/or cause a denial of service (DoS).
- Issued DLA 3883-1 for python-jwcrypto. This was released as it was discovered that there was a potential denial of service (DoS) attack in this implementation of JSON Web Encryption and similar object signing standards. This could have been exploited by passing python-jwcrypto a malicious JWE token with a high compression ratio. When the server processed said token, it would have consumed a lot of memory and processing time.
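The kind of mitigation such a fix needs, as an added example that is not python-jwcrypto's own code: the inflated size is capped before an attacker-chosen compression ratio can matter. The 250 kB cap, the function names and the minimal JWE header handling are assumptions.

```python
import zlib

# Added example, not python-jwcrypto's own code. A JWE whose protected header
# carries "zip": "DEF" wraps a raw DEFLATE stream (RFC 7516), hence wbits=-15.
MAX_PLAINTEXT = 250_000  # hypothetical cap on the inflated plaintext, in bytes


class InflateBombError(ValueError):
    """The inflated payload would exceed the configured cap."""


def bounded_inflate(compressed: bytes, max_out: int = MAX_PLAINTEXT) -> bytes:
    """Inflate a raw DEFLATE stream without ever materialising more than max_out bytes.

    max_length caps what this single decompress() call may *produce*, so the
    attacker-chosen compression ratio no longer dictates memory or CPU use.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(compressed, max_out + 1)
    if len(out) > max_out:
        raise InflateBombError(f"inflated payload exceeds {max_out} bytes")
    if not d.eof:
        raise ValueError("truncated or corrupt DEFLATE stream")
    return out


def decode_jwe_plaintext(protected_header: dict, decrypted: bytes,
                         max_out: int = MAX_PLAINTEXT) -> bytes:
    """Apply the JWE 'zip' step after decryption, with the hard size cap."""
    zip_alg = protected_header.get("zip")
    if zip_alg is None:
        return decrypted
    if zip_alg != "DEF":
        raise ValueError(f"unsupported zip algorithm {zip_alg!r}")
    return bounded_inflate(decrypted, max_out)


def deflate(plaintext: bytes) -> bytes:
    """Helper to construct sample payloads (raw DEFLATE, no zlib header)."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(plaintext) + c.flush()


if __name__ == "__main__":
    # Constructed sample: a few kilobytes on the wire that inflate to 20 MB.
    bomb = deflate(b"\0" * 20_000_000)
    print("wire size:", len(bomb), "bytes")
    try:
        decode_jwe_plaintext({"zip": "DEF"}, bomb)
    except InflateBombError as exc:
        print("rejected:", exc)
```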
- Issued DLA 3885-1 as it was discovered that there were a number of issues in Redis, a popular key-value database. This included:
  - CVE-2023-45145: On startup, the daemon began listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) was used, this created a race condition that enabled, during a short period of time, another process to establish an otherwise unauthorized connection.
  - CVE-2023-28856: Authenticated users could have used the HINCRBYFLOAT command to create an invalid hash field that would have crashed the Redis server on access.
  - CVE-2023-25155: Authenticated users issuing specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the server process.
  - CVE-2022-36021: Authenticated users can use string matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service, causing it to hang and consume 100% CPU time.
  - CVE-2022-24834: A specially-crafted Lua script executing in the server instance could have triggered a heap overflow in the cjson and cmsgpack libraries and result in heap corruption and potentially remote code execution.
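The CVE-2023-45145 ordering problem beside its race-free counterpart, as an added example that is not Redis's own code. The function names and the scratch-directory harness are assumptions, and it assumes a Linux or BSD host where bind(2) creates the socket inode with mode 0777 & ~umask.

```python
import os, socket, stat, tempfile

# Added example, not Redis's own code: it contrasts the bind()-then-chmod()
# ordering behind CVE-2023-45145 with a race-free ordering.


def socket_mode(path: str) -> int:
    """Permission bits currently on the socket inode."""
    return stat.S_IMODE(os.stat(path).st_mode)


def listen_bind_then_chmod(path: str, inherited_umask: int, mode: int) -> tuple:
    """Vulnerable ordering: the inode carries 0777 & ~umask until chmod() runs.
    Returns (mode visible between bind and chmod, final mode); a process that
    connect()s inside that window gets in regardless of the configured mode."""
    old = os.umask(inherited_umask)
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)                # inode created under the inherited umask
        s.listen(1)
        window = socket_mode(path)  # what a racing process sees right now
        os.chmod(path, mode)        # too late: the window above already existed
    finally:
        os.umask(old)
    s.close()
    return window, socket_mode(path)


def listen_restricted_first(path: str, mode: int) -> tuple:
    """Race-free ordering: umask(0777) before bind() creates the socket with
    mode 0000 whatever umask the daemon inherited, so nobody can connect until
    chmod() deliberately opens it to `mode`."""
    old = os.umask(0o777)
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)
        window = socket_mode(path)  # 0000: nothing to race against
        os.chmod(path, mode)
        s.listen(1)
    finally:
        os.umask(old)
    s.close()
    return window, socket_mode(path)


def compare(inherited_umask: int = 0o000, mode: int = 0o660) -> dict:
    """Run both orderings in a scratch directory under a permissive umask."""
    with tempfile.TemporaryDirectory() as d:
        vuln = listen_bind_then_chmod(os.path.join(d, "vuln.sock"), inherited_umask, mode)
        safe = listen_restricted_first(os.path.join(d, "safe.sock"), mode)
    return {"vulnerable": vuln, "fixed": safe}
```

With a permissive umask of 000, `compare()` reports the vulnerable socket as world-accessible (0777) between bind and chmod, while the fixed ordering never exposes more than 0000 before the configured 0660 is applied.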
- You can find out more about the Debian LTS project via the following video: