2021/12, FLOSS activity

LTS Link to heading

Released DLAs Link to heading

1. DLA-2848-1 libssh2_1.7.0-1+deb9u2

   • CVE-2019-13115: kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

   • CVE-2019-17498: SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

2. DLA-2839-1 gerbv_2.6.1-2+deb9u1

   • CVE-2021-40391: An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality. A specially-crafted drill file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

3. DLA-2837-1 gmp_6.1.2+dfsg-1+deb9u1

   • CVE-2021-43618: Integer overflow is possible in mpz/inp_raw.c and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

Several packages are in a pipeline and fixes will be released soon.

Other LTS-related work Link to heading

• Reviewed MR
• Discussion on IRC and issue-tracker.
• I attended the Debian LTS team Jitsi-meeting.

Debian Science Team / Debian electronics team Link to heading

• Uploaded:

  • bme280_0.2.4~git720dcbe6+ds1-1, fixing #1002046 (new package)
  • ceres-solver:
    • ceres-solver_2.0.0+dfsg1-1, fixing #1001307, #1000231
    • ceres-solver_2.0.0+dfsg1-1~exp1, fixing #984887
    • ceres-solver_2.0.0+dfsg1-2
    • ceres-solver_2.0.0+dfsg1-3
    • ceres-solver_2.0.0+dfsg1-4
    • ceres-solver_2.0.0+dfsg1-5
  • eigen3_3.4.0-2, fixing #1000779
  • freeglut_3.2.1-1~exp2
  • gmsh_4.8.4+ds2-1, fixing #1001770
  • gnuplot
    • gnuplot_5.4.1+dfsg1-1+deb11u1 and requested #1002619 (bullseye-p-u)
    • gnuplot_5.4.2+dfsg2-1
    • gnuplot_5.4.2+dfsg2-2, fixing CVE-2021-44917, #1002539
  • heaptrack_1.3.0-1
  • lapack_3.10.0-2, fixing CVE-2021-4048 #1001902
  • luma.core (new version):
    • luma.core_2.3.2-1
    • luma.core_2.3.2-2
  • luma.lcd_2.9.0+ds1
  • luma.oled_3.8.1+ds1
  • meshlab_2020.09+dfsg1-2, fixing #984232
  • pybind11_2.7.1-2, fixing #1000780
  • pyftdi_0.53.3-1, fixing #1002138
  • spidev:
    • spidev_3.5-2
    • spidev_3.5-3

• Sponsored

  • ogre-next_2.2.5+dfsg3-1
  • dart_6.12.1+dfsg4-1

• Requested:

  • #1002791 to upload luma.oled
  • #1002627 for alglib transition
  • #1002665 to upload spidev
  • #1002792 to upload luma.lcd
  • #1002844 to upload luma.emulator

• Mark CVE-2021-44917 as not-affected in buster

• Started to package boost 1.78. Package is basically ready, d/copyright should be fixed.

Other FLOSS activities Link to heading

• It was a long story with the package freeglut and #859687. “New” (almost 5 years old!) version of freeglut could not be uploaded because of some weird behavior and crash with some packages. See the upstream bug. But upstream fixed the problem and the new package will be uploaded into Debian in the next few weeks.

• I started to prepare the package for the boost 1.78, released this month, The work is ongoing.