Linux Weekly News

Version 4.1.0 of the secure-desktop-oriented Qubes OS distribution has been released. "The culmination of years of development, this release brings a host of new features, major improvements, and numerous bug fixes". New features an experimental GUI domain separate from dom0, the "Qrexec" policy system, progress toward a reproducible build, and more. See below and this article for more information.

Digital photography opens up a whole new world of photo postprocessing opportunities, especially if the photographer uses their camera's raw format to take advantage of all of the data collected by the sensor. On the other hand, using raw images means doing without all of the processing done by the camera and taking on a range of complex tasks. Raw photo editors are designed to work with raw images as a key part of a photographer's workflow. Your editor recently reviewed the darktable editor, but there are other options available in the free-software community. RawTherapee is a GPLv3-licensed raw editor that is in some ways simpler than darktable — but that is not the same as saying that it is simple.

Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django).

The 5.17-rc3 kernel prepatch is out for testing. Linus says: "Things look fairly normal so far, with a pretty average number of commits for an rc3 release".

The 5.16.6, 5.15.20, 5.10.97, and 5.4.177 stable kernel updates have been released. Unfortunately, a problem was reported almost immediately after that release, leading to the reversion of a broken patch and the subsequent release of 5.16.7, 5.15.21, and 5.10.98. It's worth noting that numerous groups tested the first set of releases and reported successful results (they can be seen as replies to the -rc1 posting), but nobody hit this problem in time.

Version 1.20.0 of the GStreamer multimedia system is out. Changes include a new high-level playback library replacing GstPlayer, decoding support for WebM Alpha, updated Rust bindings, and more; see the announcement for lots of details.

Loading a BPF program into the kernel involves a lot of steps, including verification, permissions checking, linking to in-kernel helper functions, and compilation to the native instruction format. Underneath all of that, though, lies one other simple task: allocating some memory to store the compiled BPF program in the kernel's address space. It turns out that this allocation can be somewhat wasteful of memory in current kernels, especially on systems where large numbers of BPF programs are loaded. This patch set from Song Liu seeks to remedy this problem by introducing yet another specialized memory allocator into the kernel.

Security updates have been issued by Debian (apng2gif, ruby2.5, ruby2.7, and strongswan), Fedora (389-ds-base, glibc, java-latest-openjdk, keylime, mingw-python-pillow, perl-Image-ExifTool, python-pillow, rust-afterburn, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-skim, rust-thread_local, rust-tokei, strongswan, vim, xen, and zola), Mageia (cryptsetup and expat), openSUSE (containerd, docker, glibc, and xen), Oracle (firefox, thunderbird, varnish:6, and vim), Red Hat (rh-maven36-log4j12 and varnish:6), SUSE (containerd, docker, glibc, samba, and xen), and Ubuntu (gdisk, graphviz, libdbi-perl, and mysql-5.7).

Version 15 of the venerable Slackware distribution has been released.

The challenge this time around was to adopt as much of the good stuff out there as we could without changing the character of the operating system. Keep it familiar, but make it modern. And boy did we have our work cut out for us. We adopted PAM (finally) as projects we needed dropped support for pure shadow passwords. We switched from ConsoleKit2 to elogind, making it much easier to support software that targets that Other Init System and bringing us up-to-date with the XDG standards. We added support for PipeWire as an alternate to PulseAudio, and for Wayland sessions in addition to X11.

A bit more information can be found in the release notes. Many of us got our start with Slackware; it is good to see that it's still out there and true to form.

Version 2.35 of the GNU C Library has been released. New features include Unicode 14.0.0 support, support for the C.UTF-8 locale, a bunch of new math functions, support for restartable sequences, and much more; see the announcement for details.

Persistent memory has a number of advantages; it is fast, CPU-addressable, available in large quantities and, of course, persistent. But it also, arguably, poses a higher risk of suffering corruption as a result of bugs in the kernel. Protecting against this possibility is the objective of this patch set from Ira Weiny, which makes use of Intel's "protection keys supervisor" (PKS) feature to make it harder for the kernel to inadvertently write to persistent memory.

With a more lengthy than usual message, Greg Kroah-Hartman has released the 4.4.302 stable kernel; it will be the last from the stable kernel team in the 4.4.x series. "Do not use it anymore unless you really know what you are doing." He notes that the Civil Infrastructure Platform (CIP) project is considering maintaining 4.4 into the future; those interested should contact CIP. He also added some statistics showing a nearly six-year lifetime for the branch with 8.44 changes per day from over 3500 developers. It was a good kernel branch, helped out by many to work as well as it has, thanks to all for your help with this. It has powered many millions, maybe a few billion, devices out in the world, but now it's time to say good-bye.

Security updates have been issued by Debian (librecad), Fedora (flatpak, flatpak-builder, and glibc), Mageia (chromium-browser-stable, connman, libtiff, and rust), openSUSE (lighttpd), Oracle (cryptsetup, nodejs:14, and rpm), Red Hat (varnish:6), SUSE (kernel and unbound), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-aws-5.13, linux-gcp, linux-gcp-5.11, linux-hwe-5.13, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-dell300x, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-gke, linux-gke-5.4, mysql-5.7, mysql-8.0, python-django, and samba).

The LWN.net Weekly Edition for February 3, 2022 is available.

The nasty vulnerability in pkexec has been rippling through the Linux world, leading to lots of security updates to the underlying polkit authorization toolkit. It also led to a recent discussion on the Fedora devel mailing list about whether pkexec, which runs a program as another user, is actually needed—or wanted—in some or all of the distribution's editions. But pkexec is used by quite a few different Fedora components, particularly in desktop-oriented editions, and it could perhaps be a better choice than the alternatives for running programs with the privileges of another user.

Version 7.3 of the LibreOffice "Community" edition is out. "In addition to the majority of code commits being focused on interoperability with Microsoft's proprietary file formats, there is a wealth of new features targeted at users migrating from Office, to simplify the transition".

Security updates have been issued by CentOS (samba), Debian (apache2 and python-django), Fedora (kernel and phpMyAdmin), Mageia (kernel and kernel-linus), openSUSE (samba), Oracle (nginx:1.20 and samba), Red Hat (cryptsetup, java-1.8.0-ibm, kernel, nodejs:14, rpm, and vim), SUSE (kernel, python-Django, python-Django1, and samba), and Ubuntu (cron).

The problem of how to deprecate pieces of the Python language in a minimally disruptive way has cropped in various guises over the last few years—in truth, it has been wrangled with throughout much of language's 30-year history. The scars of the biggest deprecation, that of Python 2, are still rather fresh, both for users and the core developers, so no one wants (or plans) a monumental change of that sort. But the language community does want to continue evolving Python, which means leaving some "baggage" behind; how to do so without leaving further scars is a delicate balancing act, as yet another discussion highlights.

The Systems and Network Security Group at Vrije Universiteit Amsterdam has announced a tool called Kasper that is able to scan the kernel source and locate speculative-execution vulnerabilities:

Namely, it models an attacker capable of controlling data (e.g., via memory massaging or value injection a la LVI), accessing secrets (e.g., via out-of-bounds or use-after-free accesses), and leaking these secrets (e.g., via cache-based, MDS-based, or port contention-based covert channels). As a result, Kasper discovered 1,379 previously unknown gadgets in the heavily-hardened Linux kernel.

The page includes a discussion of a vulnerability in the kernel's linked-list implementation as well as links to the code and the full paper. (Thanks to Paul Wise).

For anybody who feels they haven't had enough stable kernel releases recently, the 5.16.5, 5.15.19, 5.10.96, and 5.4.176 stable kernel updates have been released; each contains another set of important fixes.