
(early) monthly report



Hi all,

Here's my early LTS report. The TL;DR is:

 * website work
 * python-gpg
 * golang
 * libarchive
 * netmask
 * libreoffice
 * enigmail

# Website work

I again worked on the website this month, doing one more mass import
([MR 53][]) which was finally merged by Holger Levsen, after I [fixed
an issue with PGP signatures][] showing up on the website.

[fixed an issue with PGP signatures]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/51

I also polished the misnamed "audit" script that checks for missing
announcements on the website and published it as [MR 1][] on the
"cron" project of the webmaster team. It's still a "work in progress"
because it is still too noisy: there are a few DLAs missing already
and we haven't published the latest DLAs on the website.

[MR 1]: https://salsa.debian.org/webmaster-team/cron/merge_requests/1
[MR 53]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/53

The remaining work here is to automate the import of new announcements
on the website ([bug #859123][]). I've done what is hopefully the
[last mass import][] and updated the workflow in the wiki.

Finally, I have also done a bit of [cleanup][] on the website that
was necessary after the mass import which also required [rewrite
rules][] at the server level. Hopefully, I will have this fairly well
wrapped up for whoever picks this up next.

[rewrite rules]: https://salsa.debian.org/anarcat/dsa-puppet/merge_requests/1
[cleanup]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/55
[last mass import]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/58
[bug #859123]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123

# Python GPG concerns

Following a new vulnerability (CVE-2019-6690) disclosed in the
python-gnupg library, I have [expressed concerns][] at the security
reliability of the project in future updates, referring to wider issues
identified by Isis Lovecroft in [this post][]. 

I suggested we should simply drop security support for the project,
citing it didn't have many reverse dependencies. But it seems that
wasn't practical and the [response][] was that it was actually
possible to keep on maintaining it and such an update was issued for
jessie.

[response]: https://lists.debian.org/20190209103913.e45eqo3gax5g33op@manillaroad.local.home.trueelena.org
[this post]: https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html
[expressed concerns]: https://lists.debian.org/87r2cj4kg2.fsf@curie.anarc.at

# Golang concerns

Similarly, I have [expressed more concerns][] about the maintenance of
Golang packages following the disclosure of a vulnerability
(CVE-2019-6486) regarding elliptic curve implementations in the core
Golang libraries. An update (DLA-1664-1) was issued for the core, but
because Golang is statically compiled, I was worried the update wasn't
sufficient: we also needed to upload updates for any build dependency
using the affected code as well.

[expressed more concerns]: https://lists.debian.org/87sgx0czxg.fsf@curie.anarc.at

Holger asked the golang team for help and I also asked on
IRC. Apparently, all the non-dev packages (with some exceptions) were
binNMU'd in stretch but the process needs to be clarified.

I also wondered if this maintenance problem could be resolved in the
long term by switching to dynamic linking. Ubuntu tried to switch to
dynamic linking but abandoned the effort, so it seems Golang will be
quite difficult to maintain for security updates in the foreseeable
future.
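
Added example, not from this report or from Debian's tooling: a short Python script that reads Packages-file stanzas and lists the binaries whose `Built-Using` field still pins the affected Go source package at a pre-fix version, i.e. the set that needs a binNMU after the core update. The `Built-Using` tracking and the sample stanzas are assumptions constructed for illustration, not archive data.

```python
import re
from typing import Dict, List

# Constructed sample in Debian Packages-file format; these stanzas are
# illustrative and not taken from the real stretch archive.
SAMPLE_PACKAGES = """\
Package: golang-1.7-go
Source: golang-1.7
Version: 1.7.4-2+deb9u1
Architecture: amd64

Package: prometheus
Version: 1.5.2+ds-2
Architecture: amd64
Built-Using: golang-1.7 (= 1.7.4-2), golang-github-prometheus-common (= 0+git20161002.0.bbf4fc2-1)

Package: golang-github-prometheus-common-dev
Version: 0+git20161002.0.bbf4fc2-1
Architecture: all

Package: syncthing
Version: 0.14.18+ds1-2
Architecture: amd64
Built-Using: golang-1.7 (= 1.7.4-2+deb9u1)
"""

def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Split RFC822-style Packages text into one dict per blank-line-separated stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def parse_built_using(field: str) -> Dict[str, str]:
    """'src (= ver), src2 (= ver2)' -> {'src': 'ver', 'src2': 'ver2'}."""
    return dict(re.findall(r"(\S+)\s*\(=\s*([^)]+)\)", field))

def needs_rebuild(stanzas, source: str, fixed_version: str) -> List[str]:
    """Binaries that statically embed `source` at a version other than the fixed one.

    Simplification: any pinned version that is not exactly the fixed version is
    treated as pre-fix; a real tool would compare with dpkg version ordering.
    -dev packages carry only sources (no Built-Using), so they are not flagged.
    """
    return sorted(
        s["Package"]
        for s in stanzas
        if parse_built_using(s.get("Built-Using", "")).get(source, fixed_version) != fixed_version
    )
```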

# Libarchive updates

I have reproduced the problem described in CVE-2019-1000020 and
CVE-2019-1000019 in jessie. I published a fix as [DLA-1668-1][]. I had
to build the update without sbuild's overlay system (in a tar chroot)
otherwise the cpio tests fail.

[DLA-1668-1]: https://lists.debian.org/20190207192754.GA14483@curie.anarc.at

# Netmask updates

This one was minimal: a patch was [sent by the maintainer][] so I only
wrote and sent [DLA 1665-1][]. Interestingly, I didn't have access to
the `.changes` file which made writing the DLA a little harder, as my
workflow normally involves calling `gen-DLA --save` with the .changes
file which autopopulates a template. I learned that `.changes` files
are normally archived on `coccia.debian.org` (specifically in
`/srv/ftp-master.debian.org/queue/done/`), but not in the case of
security uploads.

[DLA 1665-1]: https://lists.debian.org/20190206222753.GA28901@curie.anarc.at
[sent by the maintainer]: https://lists.debian.org/20190206005958.GA7780@debian.org

# Libreoffice

I once again tried to tackle an issue (CVE-2018-16858) with
Libreoffice. The [last time][] I tried to work on LibreOffice, the
test suite was failing and the linker was *crashing* after hours of
compilation and I never got anywhere. But that was wheezy, so I
figured jessie might be in better shape.

[last time]: https://anarc.at/blog/2017-11-30-free-software-activities-november-2017
    
I quickly got into trouble with sbuild: I ran out of space on *both*
`/` and `/home` so I moved all my photos to an external drive (!). The
patch ended up being trivial. I could reproduce with a simple proof of
concept, but could not quite get code execution going. It might just
be I haven't found the right Python module to load, so I assumed the
code was vulnerable and, given the patch was simple, it was worth
doing an update.

The build ended up taking close to nine hours and 35GiB of disk
space. I published [DLA-1669-1][] as a result. 

I also opened a [bug report against dput-ng][] because
it still doesn't warn users about uploads to security-master the same
way dput does.

[bug report against dput-ng]: https://bugs.debian.org/921750
[DLA-1669-1]: https://lists.debian.org/20190208212911.GA10095@curie.anarc.at

# Enigmail

Finally, Enigmail was taken off the official support list in
jessie when the debian-security-support proposed update was
[approved][].

[approved]: https://lists.debian.org/81f630a358a5c6da6b3a02c3a2c18712@mail.adam-barratt.org.uk

-- 
It is capitalism and government which stand for disorder and
violence. Anarchism is the very reverse of it; it means order without
government and peace without violence.
                        - Alexander Berkman

