2021/12, FLOSS activity

LTS

This is my tenth month of working for LTS.

Released DLAs

  1. DLA-2848-1 libssh2_1.7.0-1+deb9u2

    • CVE-2019-13115: kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

    • CVE-2019-17498: SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

  2. DLA-2839-1 gerbv_2.6.1-2+deb9u1

    • CVE-2021-40391: An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality. A specially-crafted drill file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

  3. DLA-2837-1 gmp_6.1.2+dfsg-1+deb9u1

    • CVE-2021-43618: Integer overflow is possible in mpz/inp_raw.c and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

Several packages are in the pipeline and fixes will be released soon.

  • Reviewed MR
  • Discussion on IRC and issue-tracker.
  • I attended the Debian LTS team Jitsi-meeting.

Debian Science Team / Debian electronics team

  • Uploaded:

    • bme280_0.2.4~git720dcbe6+ds1-1, fixing #1002046 (new package)
    • ceres-solver:
      • ceres-solver_2.0.0+dfsg1-1, fixing #1001307, #1000231
      • ceres-solver_2.0.0+dfsg1-1~exp1, fixing #984887
      • ceres-solver_2.0.0+dfsg1-2
      • ceres-solver_2.0.0+dfsg1-3
      • ceres-solver_2.0.0+dfsg1-4
      • ceres-solver_2.0.0+dfsg1-5
    • eigen3_3.4.0-2, fixing #1000779
    • freeglut_3.2.1-1~exp2
    • gmsh_4.8.4+ds2-1, fixing #1001770
    • gnuplot
    • heaptrack_1.3.0-1
    • lapack_3.10.0-2, fixing CVE-2021-4048 #1001902
    • luma.core (new version):
      • luma.core_2.3.2-1
      • luma.core_2.3.2-2
    • luma.lcd_2.9.0+ds1
    • luma.oled_3.8.1+ds1
    • meshlab_2020.09+dfsg1-2, fixing #984232
    • pybind11_2.7.1-2, fixing #1000780
    • pyftdi_0.53.3-1, fixing #1002138
    • spidev:
      • spidev_3.5-2
      • spidev_3.5-3
  • Sponsored

    • ogre-next_2.2.5+dfsg3-1
    • dart_6.12.1+dfsg4-1
  • Requested:

    • Mark CVE-2021-44917 as not-affected in buster

  • Started to package boost 1.78. The package is basically ready; d/copyright should be fixed.

Other FLOSS activities

  • It was a long story with the package freeglut and #859687. The “new” (almost 5 years old!) version of freeglut could not be uploaded because of some weird behavior and crashes with some packages. See the upstream bug. But upstream fixed the problem and the new package will be uploaded into Debian in the next few weeks.

  • I started to prepare the package for boost 1.78, released this month. The work is ongoing.