Linux Weekly News

Greg Kroah-Hartman has a suggestion for anybody who would like to help him maintain long-term-stable kernel releases. "All I request is that people test the -rc releases when I announce them, and let me know if they work or not for their systems/workloads/tests/whatever. [...] But, if you want to do more, I always really appreciate when people email me, or stable@vger.kernel.org, git commit ids that are needed to be backported to specific stable kernel trees because they found them in their testing/development efforts."

Security updates have been issued by Debian (open-build-service and openldap), Fedora (jasper, libebml, and tcmu-runner), openSUSE (segv_handler), Red Hat (thunderbird), Scientific Linux (kernel), SUSE (cups and openvswitch), and Ubuntu (apport and ca-certificates).

Version 4.2 of the desktop-oriented Solus distribution is available. "We recognized that Desktop Icons was an important part of the workflow of many users, so we spent considerable time during this development cycle ensuring there was a solution for them as well as our downstream users of Budgie. Expanding on this, Solus 4.2 defaults to having desktop icons enabled to make Solus more approachable to new users." Some more information on the desktop changes can be found in this blog entry from December.

The LibreOffice 7.1 "Community" release is out. "LibreOffice 7.1 Community adds several interoperability improvements with DOCX/XLSX/PPTX files: improvements to Writer tables (better import/export and management of table functions, and better support for change tracking in floating tables); a better management of cached field results in Writer; support of spacing below the header's last paragraph in DOC/DOCX files; and additional SmartArt improvements when importing PPTX files." The announcement also goes on at length about the new "community" label and how this release "is not targeted at enterprises".

A longstanding hole in the Sudo privilege-delegation tool that was discovered in late January is a potent local vulnerability. Exploiting it allows local users to run code of their choosing as root by way of a bog-standard heap-buffer overflow. It seems like the kind of bug that might have been found earlier via code inspection or fuzzing, but it has remained in this security-sensitive utility since it was introduced in 2011.

Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu).

Version 2.33 of the GNU C library is out. Changes this time include a number of dynamic linker improvements, 32-bit RISC-V support, and a number of security fixes.

The kernel development community talks often about subsystems and subsystem maintainers, but it is less than entirely clear about what a "subsystem" is in the first place. People wanting to understand how kernel development works could benefit from a clearer idea of what actually comprises a subsystem within the kernel. In an attempt to better understand how kernel development works, Pia Eichinger and her colleagues spent a lot of time looking for the actual boundaries; Eichinger presented that work at the 2021 linux.conf.au online gathering.

Security updates have been issued by Arch Linux (home-assistant, libgcrypt, libvirt, and mutt), Debian (ffmpeg, kernel, libonig, libsdl2, mariadb-10.1, and thunderbird), Fedora (chromium, firefox, jasper, libebml, mingw-python3, netpbm, opensmtpd, thunderbird, and xen), Gentoo (firefox and thunderbird), Mageia (db53, dnsmasq, kernel, kernel-linus, and php-pear), openSUSE (go1.14, go1.15, messagelib, nodejs8, segv_handler, and thunderbird), Oracle (firefox, kernel, and thunderbird), Red Hat (flatpak), SUSE (firefox and rubygem-nokogiri), and Ubuntu (mysql-5.7, mysql-8.0 and python-django).

The 5.11-rc6 kernel prepatch is out for testing. "Things look a little calmer than last week, and over-all very average for rc6. So - like always this late in the release schedule - I'd certainly have liked things to be even calmer, but nothing here really stands out."

The stable-kernel machine has produced another set of updates: 5.10.12, 5.4.94, 4.19.172, 4.14.218, 4.9.254, and 4.4.254. Each contains a relatively small set of important fixes.

There was a time when people who were exploring computational technology saw it as the path toward decentralization and freedom worldwide. What we have ended up with, instead, is a world that is increasingly centralized, subject to surveillance, and unfree. How did that come to be? In a keynote at the online 2021 linux.conf.au event, Cory Doctorow gave his view of this problem and named its source: monopoly.

The GNU Privacy Guard (GnuPG or GPG) project has announced a critical security bug in Libgcrypt version 1.9.0 released January 19. "Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt." Version 1.9.1 has been released to address the problem and all users of 1.9.0 should update immediately. It is a heap buffer overflow, but no version of GnuPG uses the 1.9 series yet. "Exploiting this bug is simple and thus immediate action for 1.9.0 users is required. A CVE-id has not yet been assigned. We track this bug at https://dev.gnupg.org/T5275. The 1.9.0 tarballs on our FTP server have been renamed so that scripts won't be able to get this version anymore."

David Malcolm describes the progress in the GCC static analyzer for the upcoming GCC 11 release. "In GCC 10, I added the new -fanalyzer option, a static analysis pass for identifying various problems at compile-time, rather than at runtime. The initial implementation was aimed at early adopters, who found a few bugs, including a security vulnerability: CVE-2020-1967. Bernd Edlinger, who discovered the issue, had to wade through many false positives accompanying the real issue. Other users also managed to get the analyzer to crash on their code. I’ve been rewriting the analyzer to address these issues in the next major release, GCC 11. In this article, I describe the steps I’m taking to reduce the number of false positives and make this static analysis tool more robust."

Security updates have been issued by Arch Linux (dnsmasq, erlang, flatpak, go, gobby, gptfdisk, jenkins, kernel, linux-hardened, linux-lts, linux-zen, lldpd, openvswitch, podofo, virtualbox, and vlc), Fedora (erlang, firefox, nss, and seamonkey), Gentoo (imagemagick, nsd, and vlc), openSUSE (chromium and python-autobahn), Oracle (firefox and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (firefox, jackson-databind, and thunderbird), and Ubuntu (libxstream-java).

Jeffrey Walsh started off his 2021 linux.conf.au presentation with a statement that, while 2020 was not the greatest year ever, there were still some good things that happened; one of those was the Emacs 27.1 release. This major update brought a number of welcome new features, but also led to yet another discussion on the future of Emacs. With that starting point, Walsh launched into a fast-moving look at the history of Emacs, why users still care about it, what changes are coming, and (especially) what was involved in moving Emacs away from the X window system and making it work with the Wayland compositor.

Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and tcmu).

The LWN.net Weekly Edition for January 28, 2021 is available.

It would appear that "sudo" has a buffer-overflow vulnerability that allows any local user to gain root privileges, whether or not they are in the sudoers file. It has been there since 2011. See this advisory for details, but perhaps run an update first.

Distribution developers do a lot of work to keep a language ecosystem working well within the distribution. It is relatively thankless work that normally only becomes visible when there is a problem or complaint. But Miro Hrončok recently put together a look back at what the Fedora Python team did during 2020. While it is, obviously, Fedora-specific, it provides something of a look inside at the kinds of things that distribution teams work on.