Here is my monthly update covering what I have been doing in the free software world during February 2024 (previous month):
§
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
This month, I:
In Debian:
Kept isdebianreproducibleyet.com up to date. [...]
I submitted 3 patches to fix specific reproducibility issues in
geophar,klepto&pytest-repeat.
Categorised a large number of packages and issues in the Reproducible Builds
notes.gitrepository.Drafted, published and publicised our monthly report.
Updated the main Reproducible Builds website and documentation:
- Improve the relative sizing of headers. [...]
- Re-order and "punch" up the introduction and documenation on the
SOURCE_DATE_EPOCHpage. [...] - Update
SOURCE_DATE_EPOCHdocumentation re.datetime.datetime.fromtimestamp. Thanks, James Addison. [...] - Add a post about Reproducible Builds at FOSDEM 2024. [...]
§
diffoscope
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 256, 257& 258 to Debian:
- Use a deterministic name instead of trusting
gpg's --use-embedded-filenames. Many thanks to Daniel Kahn Gillmor dkg@debian.org for reporting this issue and providing feedback. [...][...] - Don't error-out with a traceback if we encounter
struct.unpack-related errors when parsing Python.pycfiles. (#1064973). [...] - Don't try and compare
rdb_expected_diffon non-GNU systems as%pformatting can vary, especially with respect to MacOS. [...] - Fix compatibility with
pytest8.0. [...] - Temporarily fix support for Python 3.11.8. [...]
- Use the
7zippackage (overp7zip-full) after a Debian package transition. (#1063559). [...] - Bump the minimum Black source code reformatter requirement to 24.1.1+. [...]
- Expand an older changelog entry with a CVE reference. [...]
- Make
test_zipblack clean. [...]
§
Debian
bfs:3.1-1— New upstream release.3.1.1-1— New upstream bugfix release.
4.2.10-1— New upstream security release.5.0.2-1— New upstream security release.
I performed the following QA uploads:
Finally, I also performed a sponsored upload of adminer version 4.8.1-2.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
Investigated and triaged:
python-django(CVE-2024-24680),bind9(CVE-2023-4408,CVE-2023-50387,CVE-2023-50868,CVE-2023-5517&CVE-2023-5679),exiv2(CVE-2024-24826&CVE-2024-25112),glewlwyd(CVE-2024-25715),libhibernate-validator-java(CVE-2023-1932),nodejs(CVE-2023-46809,CVE-2024-21892&CVE-2024-22019),unbound(CVE-2023-50387&CVE-2023-50868),lucene-solr(CVE-2023-50291,CVE-2023-50292,CVE-2023-50298&CVE-2023-50386),filezilla(CVE-2023-48795) &ghostscript(CVE-2020-36773).Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
Issued DLA 3738-1 as it was discovered that there was an authentication bypass issue in
iwd, the Intel Wireless Daemon. Adversaries could have gained unauthorised access to a protected 'home' (ie. non-WPA2-Enterprise) WiFi network. This problem was addressed in version0.14-2+deb10u1.Issued DLA 3743-1 because, similar to the above issue in
iwd, there was a potential authentication bypass vulnerability inwpa, a set of tools including the widely-usedwpasupplicantclient for authenticating with WPA and WPA2 wireless networks. For an attack to have been successful, however,wpasupplicantmust have been configured to not verify the network's TLS certificate during Phase 1 of the authentication cycle; the vulnerability could have been used to skip Phase 2 authentication by sending an EAP-TLV "Success" packet instead of actually starting Phase 2. This problem has been fixed inwpaversion2:2.7+git20190128+0c1e29f-6+deb10u4.Addressed four CVEs in DLA 3744-1 for Django, a popular Python-based web development framework:
CVE-2021-28658: Prevent a directory traversal issue which could have been exploited by maliciously crafted filenames. However, the built-in upload handlers were not affected by this vulnerability. (#986447)
CVE-2021-31542: Fix a potential directory-traversal vulnerability that could have been exploited by uploaded files. The
MultiPartParser,UploadedFileandFieldFileclasses allowed directory-traversal via uploaded files with suitably crafted file names. In order to mitigate this risk, stricterbasenameand path sanitation is now applied. Specifically, empty file names and paths with dot (.) segments are rejected. (#988053)CVE-2021-33203: Prevent a potential directory traversal via admindocs. Staff members could use the
admindocs'TemplateDetailViewview to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded. (#989394)CVE-2021-33571: Prevent possible SSRF, RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks, since validators accepted leading zeros in IPv4 addresses.
URLValidator,validate_ipv4_address()andvalidate_ipv46_address()did not prohibit leading zeros in octal literals. (#989394)
You can find out more about the Debian LTS project via the following video:
