June Debian (E)LTS Monthly Report for Scarlett Moore
Here is my public monthly report. Thanks to our sponsors for making this possible, and to Freexian for handling the offering.
https://www.freexian.com/lts/debian/#sponsors

LTS:

- golang-yaml.v2
  - buster:
    - CVE-2021-4235
    - CVE-2022-3064
    - Add upstream patch with style fixes for CVE-2022-3064 so that we are in line with upstream code if there happens to be another security update.
    - Verified the i386 test is broken prior to these patches and is completely unrelated to the code changes, so the upload can continue.
    Ready to upload but out of LTS time - will upload in July after the US holiday.
    https://salsa.debian.org/lts-team/packages/golang-yaml.v2

- qt4-x11
  - buster:
    - CVE-2023-34410
    - CVE-2023-32573
    - CVE-2021-45930
    - CVE-2021-3481
    Patches and local testing done.
    https://salsa.debian.org/qt-kde-team/qt/qt4-x11/-/commits/buster
    - CVE-2023-32763
    Attempted to backport the upstream patch for qt 5.15.15, but the code changes from qt4 -> qt5 have been too dramatic and the fix uses private overflow functions that do not exist in qt4. I am reaching out to some qt connections I have for help and to see if it is even possible to backport.

ELTS:

- stretch:
  - CVE-2023-34410
  - CVE-2023-32573
  Patches and local testing done.
  Also affected by
  - CVE-2023-32763 - see above
  https://salsa.debian.org/qt-kde-team/qt/qt4-x11/-/commits/debian%2Fstretch
- jessie:
  - CVE-2023-34410
  - CVE-2023-32573
  - CVE-2021-45930
  - CVE-2021-3481
  Patches and local testing done.
  https://salsa.debian.org/qt-kde-team/qt/qt4-x11/-/commits/jessie

I am awaiting feedback for CVE-2023-32763 before uploading. If anyone here has QT experience and would like to take a look, please don't hesitate to reach out.

Misc:
- Spent some free time familiarizing myself with django and package tracker code.
- Team monthly meeting

Thanks,
Scarlett
(early) monthly report
Hi all,

Here's my early LTS report. The TL;DR is:

 * website work
 * python-gpg
 * golang
 * libarchive
 * netmask
 * libreoffice
 * enigmail

# Website work

I again worked on the website this month, doing one more mass import ([MR 53][]) which was finally merged by Holger Levsen, after I [fixed an issue with PGP signatures][] showing up on the website.

[fixed an issue with PGP signatures]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/51

I also polished the misnamed "audit" script that checks for missing announcements on the website and published it as [MR 1][] on the "cron" project of the webmaster team. It's still a "work in progress" because it is still too noisy: there are a few DLAs missing already and we haven't published the latest DLAs on the website.

[MR 1]: https://salsa.debian.org/webmaster-team/cron/merge_requests/1
[MR 53]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/53

The remaining work here is to automate the import of new announcements on the website ([bug #859123][]). I've done what is hopefully the [last mass import][] and updated the workflow in the wiki. Finally, I have also done a bit of [cleanup][] on the website that was necessary after the mass import, which also required [rewrite rules][] at the server level. Hopefully, I will have this fairly well wrapped up for whoever picks this up next.

[rewrite rules]: https://salsa.debian.org/anarcat/dsa-puppet/merge_requests/1
[cleanup]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/55
[last mass import]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/58
[bug #859123]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123

# Python GPG concerns

Following a new vulnerability (CVE-2019-6690) disclosed in the python-gnupg library, I have [expressed concerns][] at the security reliability of the project in future updates, referring to wider issues identified by Isis Lovecroft in [this post][].

I suggested we should simply drop security support for the project, citing it didn't have many reverse dependencies. But it seems that wasn't practical and the [response][] was that it was actually possible to keep on maintaining it, and such an update was issued for jessie.

[response]: https://lists.debian.org/20190209103913.e45eqo3gax5g3...@manillaroad.local.home.trueelena.org
[this post]: https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html
[expressed concerns]: https://lists.debian.org/87r2cj4kg2@curie.anarc.at

# Golang concerns

Similarly, I have [expressed more concerns][] about the maintenance of Golang packages following the disclosure of a vulnerability (CVE-2019-6486) regarding elliptic curve implementations in the core Golang libraries. An update (DLA-1664-1) was issued for the core, but because Golang is statically compiled, I was worried the update wasn't sufficient: we also needed to upload updates for any build dependency using the affected code as well.

[expressed more concerns]: https://lists.debian.org/87sgx0czxg@curie.anarc.at

Holger asked the golang team for help and I also asked on IRC. Apparently, all the non-dev packages (with some exceptions) were binNMU'd in stretch, but the process needs to be clarified. I also wondered if this maintenance problem could be resolved in the long term by switching to dynamic linking. Ubuntu tried to switch to dynamic linking but abandoned the effort, so it seems Golang will be quite difficult to maintain for security updates in the foreseeable future.

# Libarchive updates

I have reproduced the problem described in CVE-2019-120 and CVE-2019-119 in jessie. I published a fix as [DLA-1668-1][]. I had to build the update without sbuild's overlay system (in a tar chroot), otherwise the cpio tests fail.

[DLA-1668-1]: https://lists.debian.org/20190207192754.ga14...@curie.anarc.at

# Netmask updates

This one was minimal: a patch was [sent by the maintainer][] so I only wrote and sent [DLA 1665-1][].

Interestingly, I didn't have access to the `.changes` file, which made writing the DLA a little harder, as my workflow normally involves calling `gen-DLA --save` with the `.changes` file, which autopopulates a template. I learned that `.changes` files are normally archived on `coccia.debian.org` (specifically in `/srv/ftp-master.debian.org/queue/done/`), but not in the case of security uploads.

[DLA 1665-1]: https://lists.debian.org/20190206222753.ga28...@curie.anarc.at
[sent by the maintainer]: https://lists.debian.org/20190206005958.ga7...@debian.org

# Libreoffice

I once again tried to tackle an issue (CVE-2018-16858) with Libreoffice. The [last time][] I tried to work on LibreOffice, the test suite was failing and the linker was *crashing* after hours of compilation and I never got anywhere. But that was wheezy, so I figured jessie might be in better shape.

[last time]: https://anarc.at/blog/2017-11-30-free-software-activities-november-2017

I quickly got into trouble with sbuild: I ran ou
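The static-linking concern raised in the Golang section above can be checked mechanically: a Debian binary's `Built-Using` field lists the source packages (and versions) whose code was compiled into it, which is how Go binaries built with dh-golang record the toolchain and libraries they embed. As an added example that is not part of this report or of any Debian tooling, here is a Python check over constructed Packages-index stanzas (package names and versions are invented) that lists every binary still embedding a version of the core package other than the fixed one.

```python
import re

# Constructed Packages-index stanzas (package names and versions are invented):
# a Go binary built against the old core, one already rebuilt, one non-Go package.
SAMPLE_PACKAGES = """\
Package: gotool-a
Version: 1.2-1
Architecture: amd64
Built-Using: golang-1.7 (= 1.7.4-2), golang-github-example-lib (= 0.1-1)

Package: gotool-b
Version: 0.9-3+deb9u1
Architecture: amd64
Built-Using: golang-1.7 (= 1.7.4-2+deb9u1)

Package: golang-go
Version: 2:1.7~1
Architecture: amd64

Package: ruby-example
Version: 1.0-1
Architecture: amd64
Built-Using: libxml2 (= 2.9.4+dfsg1-2.2)
"""

# "source (= version)" entries, comma separated, as dpkg writes them
BUILT_USING_RE = re.compile(r"(\S+)\s+\(=\s*([^)]+)\)")

def parse_stanzas(text):
    """Yield one {field: value} dict per blank-line separated stanza."""
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        yield fields

def built_using(stanza):
    """Map each source package named in Built-Using to the version embedded."""
    return dict(BUILT_USING_RE.findall(stanza.get("Built-Using", "")))

def needs_rebuild(text, source, fixed_version):
    """Binaries that embed `source` at any version other than the fixed one.

    Such a binary still carries the vulnerable code and needs a binNMU,
    whatever its own version number says.
    """
    hits = []
    for st in parse_stanzas(text):
        embedded = built_using(st).get(source)
        if embedded is not None and embedded != fixed_version:
            hits.append((st["Package"], st["Version"], embedded))
    return hits
```

Run against a real `Packages` file for the suite, the same comparison tells the coordinator which binNMUs are still outstanding after the core update.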
Re: monthly report
[Ugh. Sorry about that last email, the markup was terrible - I copy-pasted from Emacs' markdown mode which ellipsises links... Here's a better formatted one.]

## Enigmail / GnuPG 2.1 backport

I've spent a significant amount of time working on the Enigmail backport for a third consecutive month. I first [published][] a straightforward backport of GnuPG 2.1 depending on the libraries available in jessie-backports last month, but then I actually [rebuilt the dependencies as well][] and sent a "HEADS UP" to the mailing list, which finally got people's attention.

[rebuilt the dependencies as well]: https://lists.debian.org/87zht94219@curie.anarc.at
[published]: https://lists.debian.org/87r2fqnja0@curie.anarc.at

There are many changes bundled in that possible update: GnuPG actually depends on about half a dozen other libraries, mostly specific to GnuPG, but in some cases used by third party software as well. The most problematic one is [libgcrypt20][], which Emilio Pozuelo Monfort [said][] included tens of thousands of lines of change. So even though I tested the change against cryptsetup, gpgme, libotr, mutt and Enigmail itself, there are concerns that other dependencies merit more testing as well.

[libgcrypt20]: https://tracker.debian.org/libgcrypt20
[said]: https://lists.debian.org/6a8835ce-f54d-faa6-2689-aeb91b1b6...@debian.org

This caused many to raise the idea of aborting the work and simply marking Enigmail as unsupported in jessie. But Daniel Kahn Gillmor [suggested][] this should also imply removing Thunderbird itself from jessie, as simply removing Enigmail will force people to use the binaries from Mozilla's add-ons service. Gillmor [explained][] those builds include an OpenPGP.js implementation of dubious origin, which is especially problematic considering it deals with sensitive private key material.

[explained]: https://lists.debian.org/878t0mzlv2@fifthhorseman.net
[suggested]: https://lists.debian.org/87pntxxg6h@fifthhorseman.net

It's unclear which way this will go next. I'm taking a break from this issue and hope others will be able to test the packages. If we keep on working on Enigmail, the next step will be to re-enable the `dbg` packages that were removed in the stretch updates, use dh-autoreconf correctly, remove some `mingw` packages I forgot and [test gcrypt like crazy][] ([especially the 1.7 update][]). We'd also update to the latest Enigmail, as it fixes issues that forced the Tails project to [disable autocrypt][] because of [weird interactions][] that make it send cleartext (instead of encrypted) mail in some cases.

[weird interactions]: https://redmine.tails.boum.org/code/issues/15923
[disable autocrypt]: https://redmine.tails.boum.org/code/issues/16186
[especially the 1.7 update]: https://lists.debian.org/20181220130018.ga5...@argenau.bebt.de
[test gcrypt like crazy]: https://lists.debian.org/1c1ca626-de3c-1f72-3c95-e280c1bdf...@debian.org

## Automatic unclaimer

My [previous report][] yielded an [interesting discussion][] around my work on the security tracker, specifically the "automatic unclaimer" designed to unassign issues that are idle for too long. Holger Levsen, with his new coordinator hat, tested the program and found many bugs and missing features, which I was happy to implement. After many patches and back and forth, it seems the program is working well, although it's run by hand by the coordinator.

[interesting discussion]: https://lists.debian.org/debian-lts/2018/11/msg00097.html
[previous report]: https://lists.debian.org/debian-lts/2018/11/msg00090.html

## DLA website publication

I took a look at various issues surrounding the publication of LTS advisories on the main debian.org website. While normal security advisories are regularly published on [debian.org/security][], [about 500+ DLAs are missing from the website][], mainly because [DLAs are not automatically imported][].

[DLAs are not automatically imported]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123
[about 500+ DLAs are missing from the website]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859122
[debian.org/security]: https://www.debian.org/security/

As it turns out, there is a script called `parse-dla.pl` that is designed to handle those entries but, for some reason, they are not imported anymore. So I got to work to import the backlog and make sure new entries are properly imported. [Various fixes for parse-dla.pl][] were necessary to properly parse messages both from the templates generated by `gen-DLA` and from the existing archives. Then I tested the result with two existing advisories, which resulted in two MRs on the webwml repo: [add data for DLA-1561][] and [add dla-1580 advisory][]. I requested and was granted access to the repo, and eventually merged my own MRs after a review from Levsen.

[add dla-1580 advisory]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/42
[add data for DLA-1561]: https://salsa.debian.org/webmaster-tea
monthly report
Hi!

This is my monthly report, published on the mailing list as I haven't found time to do my personal report on my blog in over a month now...

## Enigmail / GnuPG 2.1 backport

I've spent a significant amount of time working on the Enigmail backport for a third consecutive month. I first [published](https://lists.debian.org/87r2fqnja0@curie.anarc.at) a straightforward backport of GnuPG 2.1 depending on the libraries available in jessie-backports last month, but then I actually [rebuilt the dependencies as well](https://lists.debian.org/87zht94219@curie.anarc.at) and sent a "HEADS UP" to the mailing list, which finally got people's attention.

There are many changes bundled in that possible update: GnuPG actually depends on about half a dozen other libraries, mostly specific to GnuPG, but in some cases used by third party software as well. The most problematic one is [[!debpkg libgcrypt20]], which Emilio Pozuelo Monfort [said](https://lists.debian.org/6a8835ce-f54d-faa6-2689-aeb91b1b6...@debian.org) included tens of thousands of lines of change. So even though I tested the change against cryptsetup, gpgme, libotr, mutt and Enigmail itself, there are concerns that other dependencies merit more testing as well.

This caused many to raise the idea of aborting the work and simply marking Enigmail as unsupported in jessie. But Daniel Kahn Gillmor [suggested](https://lists.debian.org/87pntxxg6h@fifthhorseman.net) this should also imply removing Thunderbird itself from jessie, as simply removing Enigmail will force people to use the binaries from Mozilla's add-ons service. Gillmor [explained](https://lists.debian.org/878t0mzlv2@fifthhorseman.net) those builds include an OpenPGP.js implementation of dubious origin, which is especially problematic considering it deals with sensitive private key material.

It's unclear which way this will go next. I'm taking a break from this issue and hope others will be able to test the packages. If we keep on working on Enigmail, the next step will be to re-enable the `dbg` packages that were removed in the stretch updates, use dh-autoreconf correctly, remove some `mingw` packages I forgot and [test gcrypt like crazy](https://lists.debian.org/1c1ca626-de3c-1f72-3c95-e280c1bdf...@debian.org) ([especially the 1.7 update](https://lists.debian.org/20181220130018.ga5...@argenau.bebt.de)). We'd also update to the latest Enigmail, as it fixes issues that forced the Tails project to [disable autocrypt](https://redmine.tails.boum.org/code/issues/16186) because of [weird interactions](https://redmine.tails.boum.org/code/issues/15923) that make it send cleartext (instead of encrypted) mail in some cases.

## Automatic unclaimer

My [previous report][] yielded an [interesting discussion](https://lists.debian.org/debian-lts/2018/11/msg00097.html) around my work on the security tracker, specifically the "automatic unclaimer" designed to unassign issues that are idle for too long. Holger Levsen, with his new coordinator hat, tested the program and found many bugs and missing features, which I was happy to implement. After many patches and back and forth, it seems the program is working well, although it's run by hand by the coordinator.

[previous report]: https://lists.debian.org/debian-lts/2018/11/msg00090.html

## DLA website publication

I took a look at various issues surrounding the publication of LTS advisories on the main debian.org website. While normal security advisories are regularly published on [debian.org/security](https://www.debian.org/security/), [about 500+ DLAs are missing from the website](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859122), mainly because [DLAs are not automatically imported](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123).

As it turns out, there is a script called `parse-dla.pl` that is designed to handle those entries but, for some reason, they are not imported anymore. So I got to work to import the backlog and make sure new entries are properly imported. [Various fixes for parse-dla.pl](https://salsa.debian.org/webmaster-team/webwml/merge_requests/43) were necessary to properly parse messages both from the templates generated by `gen-DLA` and from the existing archives. Then I tested the result with two existing advisories, which resulted in two MRs on the webwml repo: [add data for DLA-1561](https://salsa.debian.org/webmaster-team/webwml/merge_requests/41) and [add dla-1580 advisory](https://salsa.debian.org/webmaster-team/webwml/merge_requests/42). I requested and was granted access to the repo, and eventually merged my own MRs after a review from Levsen.

I eventually used the following procedure to test importing the entire archive:

    rsync -vPa master.debian.org:/home/debian/lists/debian-lts-announce .
    cd debian-lts-announce
    xz -d *.xz
    cat * > ../giant.mbox
    mbox2maildir ../giant.mbox debian-lts-announce
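As an added example that is not part of this report or of the real `parse-dla.pl`, here is a Python sketch of the parsing step such an import has to get right: pulling the advisory id, package, version, bug and CVE list out of one announcement body, while coping with the PGP clearsign dash-escaping and the wrapped CVE lists found in archived announcements. The advisory text is constructed (DLA-9999-1, examplepkg, the CVE ids and the bug number are all placeholders).

```python
import re

# Constructed clearsigned DLA body (not a real advisory): lines that begin with
# "-" are dash-escaped as "- -" by PGP, and the CVE list wraps onto a second line.
SAMPLE_DLA = """\
-----BEGIN PGP SIGNED MESSAGE-----
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-9999-1                debian-lts@lists.debian.org
- -------------------------------------------------------------------------

Package        : examplepkg
Version        : 1.0-1+deb8u1
CVE ID         : CVE-2019-0001 CVE-2019-0002
                 CVE-2019-0003
Debian Bug     : 999999

Several issues were found in examplepkg (a constructed example).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

ADVISORY_RE = re.compile(r"^Debian LTS Advisory (DLA-\d+-\d+)", re.M)
FIELD_RE = re.compile(r"^(Package|Version|CVE ID|Debian Bug)\s*:\s*(.*)$")

def unescape_clearsign(text):
    """Drop PGP armor lines and undo dash-escaping so the body reads as written."""
    out = []
    for line in text.splitlines():
        if line.startswith(("-----BEGIN PGP", "-----END PGP")):
            continue
        out.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(out)

def parse_dla(raw):
    """Return the advisory id, package, version, bug and CVE list of one announcement."""
    body = unescape_clearsign(raw)
    m = ADVISORY_RE.search(body)
    if not m:
        raise ValueError("no 'Debian LTS Advisory' line found")
    info, cves, in_cves = {"dla": m.group(1)}, [], False
    for line in body.splitlines():
        f = FIELD_RE.match(line)
        if f:
            in_cves = f.group(1) == "CVE ID"
            if in_cves:
                cves += f.group(2).split()
            else:
                info[f.group(1).lower().replace(" ", "_")] = f.group(2).strip()
        elif in_cves and line.startswith(" "):  # wrapped continuation of the CVE list
            cves += line.split()
        else:
            in_cves = False
    info["cves"] = cves
    return info
```

Fed each message of the maildir built by the procedure above, `parse_dla` yields the fields a website entry needs, and a message that raises is exactly one a human should look at before publication.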