3 years 6 months ago
Version 3.1 of the Blender artistic suite is out. The list of changes is long and can be
seen in the video-heavy announcement page; it includes Apple Metal support,
a new "point cloud" object, and much more.
corbet
3 years 6 months ago
A few days prior to the expected 5.17 release, the mainline kernel has just
received a series of Spectre mitigations for the x86 and ARM architectures.
The vulnerability this time is called "branch history injection"; it has
been deemed CVE-2022-0001 and CVE-2022-0002. Some information can be found
in this Intel disclosure, this ARM advisory, and this VUSec page:
Branch History Injection (BHI or Spectre-BHB) is a new flavor of
Spectre-v2 in that it can circumvent eIBRS and CSV2 to simplify
cross-privilege mistraining. The hardware mitigations do prevent
the unprivileged attacker from injecting predictor entries for the
kernel. However, the predictor relies on a global history to select
the target entries to speculatively execute. And the attacker can
poison this history from userland to force the kernel to mispredict
to more “interesting” kernel targets (i.e., gadgets) that leak
data.
According to a
documentation patch merged into the mainline, the only known way to
exploit this problem is via unprivileged BPF.
corbet
3 years 6 months ago
According to this
report on The Hacker News, there are a couple of recent Firefox
vulnerabilities that are currently being exploited.
Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws
have been described as use-after-free issues impacting the
Extensible Stylesheet Language Transformations (XSLT) parameter
processing and the WebGPU inter-process communication (IPC)
Framework.
Updating seems like a good idea.
corbet
3 years 6 months ago
Users of the elementary OS distribution may want to be aware of the turmoil
in its parent company, as reported
by Brian Lunduke. "The Short Version: The company behind elementary
OS has been losing money for quite some time. Two co-founders are not
pleased with each other and are attempting to part ways… and it is getting
messy".
corbet
3 years 6 months ago
Security updates have been issued by Debian (kernel, linux-4.19, spip, and thunderbird), Fedora (cyrus-sasl and libxml2), Mageia (firefox and thunderbird), openSUSE (buildah and tcpdump), Red Hat (cyrus-sasl, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (buildah, kernel, libcaca, and tcpdump), and Ubuntu (linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oem-5.14, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon).
corbet
3 years 6 months ago
As part of the recent discussion on switching to secret voting for Debian
general resolutions (GRs), which has resulted in an ongoing GR of its own, the
subject of voting systems that embody various attributes some would like to
see for voting in Debian has been brought up. One of the systems mentioned,
Belenios, provides an
open-source "verifiable online voting system". Whether or not
Debian chooses to switch to secret voting, Belenios would seem to provide what
other projects or organizations may be looking for as a mechanism to handle
their voting needs.
jake
3 years 6 months ago
DENT is a special-purpose Linux
distribution aimed at router deployments; "DENT utilizes the Linux
Kernel, Switchdev, and other Linux based projects as the basis for building
a new standardized network operating system without abstractions or
overhead".
Version 2.0 has been released:
DENT 2.0 adds secure scaling with Internet Protocol version 6
(IPv6) and Network Address Translation (NAT) to support a broader
community of enterprise customers. It also adds Power over Ethernet
(PoE) control to allow remote switching, monitoring, and shutting
down. Connectivity of IoT, Point of Sale (POS), and other devices
is highly valuable to retail storefronts, early adopters of
DENT. DENT 2.0 also adds traffic policing, helping mitigate attack
situations that overload the CPU.
corbet
3 years 6 months ago
The Collabora blog looks
at recent developments in the PipeWire media system and looks forward
to what is yet to come:
Now in 2022, we are looking to the future. We already have designs
to improve WirePlumber and experiment with new things. On the
short-term horizon, we have plans to rework some parts of
WirePlumber in order to make its configuration more user-friendly
and the scripts easier to work with. We are also planning to
revisit the policy logic and try to go a step beyond what
PulseAudio has ever offered. In addition, we are looking forward to
experimenting with complex cameras to improve how PipeWire and
libcamera work together for an optimal user experience.
corbet
3 years 6 months ago
Version 98.0 of the Firefox browser is out. The big change this time is a new
"optimized download flow" that is alleged to make the process of downloading
files go much more smoothly. There are also some significant security fixes
in this release.
corbet
3 years 6 months ago
Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis).
corbet
3 years 6 months ago
It is a good bet that a significant amount of code in the kernel is
entirely unused. Even so, that code must still be maintained and shipped,
posing an ongoing cost to the development community. What should be done
with code that is unmaintained and, possibly, unused? Answering that
question requires understanding which users still exist, if any, and taking
a hard look at what the future support requirements for that code will be.
The kernel community has recently discussed this problem in the context of
filesystems, and the Reiserfs filesystem in particular, with a focus on
the approaching 2038 deadline.
corbet
3 years 6 months ago
Linus has released 5.17-rc7, which is
hopefully the final prepatch in this development series: "as things
stand, I expect that final 5.17 will be next weekend unless something
surprising comes up".
corbet
3 years 6 months ago
Max Kellermann has disclosed a disconcerting kernel vulnerability:
Two weeks ago, I found a vulnerability in the Linux kernel since
version 5.8 commit f6dd975583bd ("pipe: merge anon_pipe_buf*_ops") due
to uninitialized variables. It enables anybody to write arbitrary
data to arbitrary files, even if the file is O_RDONLY, immutable or on
a MS_RDONLY filesystem. It can be used to inject code into arbitrary
processes.
This vulnerability has been named "dirty pipe"; Kellermann has put up a web page describing it in
detail. Updates from distributors are already being released.
corbet
3 years 6 months ago
Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, kernel-firmware, libeconf, shadow and util-linux, libxml2, mariadb, nodejs14, python-Twisted, vim, wireshark, wpa_supplicant, and zsh), and Ubuntu (firefox, openjdk-lts, openjdk-17, and php8.0).
jake
3 years 6 months ago
Google's Chrome browser seemingly dominates the Internet at this point, but
that does not mean that everybody wants to run it. Chrome, of course, is
built on an open-source project called Chromium but is not an open-source
product itself; it includes a number of proprietary add-ons.
But the Chromium source is out there and can, with some effort, be used to
build a working, open-source browser; a number of distributors do so.
But Chromium is famously hard to package, and distributors have, at times,
struggled to keep up with it; a recent discussion in the Fedora community
has brought new attention to this problem.
corbet
3 years 6 months ago
Security updates have been issued by Debian (varnish), Fedora (barrier and polkit), openSUSE (bitcoin, conmon, libcontainers-common, libseccomp, podman, firefox, nodejs-electron, nodejs8, php7, and webkit2gtk3), SUSE (conmon, libcontainers-common, libseccomp, podman, cyrus-sasl, expat, firefox, nodejs8, php7, tomcat, and webkit2gtk3), and Ubuntu (containerd).
jake
3 years 6 months ago
The disclosure of the Meltdown and Spectre vulnerabilities put a spotlight
on the risks that come with sharing address spaces too widely. Even if the
protection mechanisms provided by the hardware should prevent access to
sensitive data,
those vulnerabilities can often be used to leak that data anyway. So, from
the beginning, mitigation strategies have included reducing the sharing of
address spaces, but there is more that could be done and ongoing interest in
doing so. Now, this patch set posted by Junaid Shahid (containing work from
Ofir Weisse and inspired by earlier patches from Alexandre Chartre) shows what
would be required to create a general address-space isolation (ASI) mechanism
for the kernel.
corbet
3 years 6 months ago
Security updates have been issued by CentOS (cyrus-sasl), Fedora (kicad), Mageia (php), openSUSE (envoy-proxy, ldns, libdxfrw, librecad, php7, and shapelib), Red Hat (cyrus-sasl), SUSE (firefox, gnutls, ldns, and php7), and Ubuntu (haproxy and php7.2, php7.4).
jake
3 years 6 months ago
The LWN.net Weekly Edition for March 3, 2022 is available.
corbet
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.