2022/03, FLOSS activity

LTS

This is my 13th month of working for LTS and the 1st one for ELTS.

Released DLAs, ELAs

DLAs:

  1. DLA-2937-1 gif2apng_1.9+srconly-2+deb9u2

    • CVE-2021-45909: heap-based buffer overflow vulnerability in the DecodeLZW function. It allows an attacker to write a large amount of arbitrary data outside the boundaries of a buffer.
    • CVE-2021-45910: heap-based buffer overflow within the main function. It allows an attacker to write data outside of the allocated buffer.
    • CVE-2021-45911: heap-based buffer overflow in the processing of delays in the main function.
  2. DLA-2948-1 debian-archive-keyring_2017.5+deb9u2

    • This upload did not close any CVEs. It adds bullseye signing GPG keys: Automatic Signing Key, Stable Release Key, Security Archive Automatic Signing Key for the Stretch release.

    • CVE-2021-40401: use-after-free vulnerability exists in the RS-274X aperture definition tokenization functionality. A specially-crafted gerber file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

ELAs:

  1. ELA-579-1 debian-archive-keyring_2017.5~deb8u2

    • This upload did not close any CVEs. It adds buster and bullseye signing GPG keys: Automatic Signing Key, Stable Release Key, Security Archive Automatic Signing Key for the Jessie release.
  2. ELA-581-1 libxml2_2.9.1+dfsg1-5+deb8u12

    • CVE-2022-23308: an application that validates XML using xmlTextReaderRead() with XML_PARSE_DTDATTR and XML_PARSE_DTDVALID enabled is vulnerable to this use-after-free bug. This issue can result in denial of service.

Several packages are in a pipeline and fixes will be released soon.

  • Uploaded gif2apng_1.9+srconly-2+deb9u1 with one missing patch. Fixed in gif2apng_1.9+srconly-2+deb9u2 and released the DLA.
  • Analyzed CVE-2022-24986 for stretch. Decided to mark it as ignored. Minor issue, patch is too intrusive to backport.
  • Updated documentation for ELTS to make an upload. Initiated the discussion about one source for documentation.
  • Analyzed CVE-2021-25636 (libreoffice) and decided not to fix it for stretch.
  • Participated in the Debian LTS team IRC meeting.
  • Updated 42 projects in the salsa repo “Packages for (E)LTS” according to the DEP-14 schema.
  • Fixed CVE-2021-40401 in the gerbv package in the git. Postponed upload due to some more CVEs, not fixed yet by upstream.
  • Fixed CVE-2019-13590 in the sox package in the git. Postponed upload due to CVE-2021-40426, not fixed yet by upstream.
  • Fixed CVE-2021-4189 and CVE-2021-23336 by the upload of python2.7_2.7.18-13.1 (both were previously fixed for stretch).
  • Fixed CVE-2021-40401 in git. Other CVEs do not have a proper patch. Review later.

Debian Science Team / Debian electronics team

  • Uploaded:
    • lammps_20220106.git7586adbb6a+ds1-1
    • lammps_20220106.git7586adbb6a+ds1-2
    • yade_2022.01a-7
    • bme280_0.2.4-1
    • luma.emulator_1.4.0-2
    • luma.lcd_2.9.0+ds1-2
    • luma.oled_3.8.1+ds1-2

Other Debian activities

  • Voted on the “GR: Voting secrecy”
  • Uploaded dokuwiki_0.0.20200729-0.1~bpo11+1 into bullseye-backports
  • Uploaded dokuwiki_0.0.20220317_gitaeff85c-0.1_exp1 into experimental
  • New lammps will be available in the upcoming Ubuntu LTS 22.04.

Other FLOSS activities

  • Participated in YADE bimonthly meeting.