5 years, 3 months ago
Just in case anybody out there is still using qmail: a remote code execution vulnerability has just been disclosed. Its CVE number is CVE-2005-1513 because, as it turns out, the problem was reported 15 years ago but the fix was refused by the maintainer.

"As a proof of concept, we developed a reliable, local and remote exploit against Debian's qmail package in its default configuration. This proof of concept requires 4GB of disk space and 8GB of memory, and allows an attacker to execute arbitrary shell commands as any user, except root (and a few system users who do not own their home directory)."
corbet
5 years, 3 months ago
Developers of safety-critical systems tend to avoid Linux kernels for a number of fairly obvious reasons; Linux simply was not developed with that sort of use case in mind. There are increasingly compelling reasons to use Linux in such systems, though, leading to a search for the best way to do so safely. At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), José Martins described Bao, a minimal hypervisor aimed at safety-critical deployments.
corbet
5 years, 3 months ago
Security updates have been issued by Debian (bind9 and clamav), Fedora (kernel, moodle, and transmission), Oracle (kernel), Red Hat (ipmitool, kernel, ksh, and ruby), Slackware (bind and libexif), SUSE (dpdk, openconnect, python, and rpmlint), and Ubuntu (linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv and linux-gke-5.0, linux-oem-osp1).
ris
5 years, 3 months ago
AWK is a text-processing language with a history spanning more than 40 years. It has a POSIX standard, several conforming implementations, and is still surprisingly relevant in 2020 — both for simple text processing tasks and for wrangling "big data". The recent release of GNU Awk 5.1 seems like a good reason to survey the AWK landscape, see what GNU Awk has been up to, and look at where AWK is being used these days.
corbet
5 years, 3 months ago
CZ.NIC staff member Petr Špaček has a blog post describing a newly disclosed DNS resolver vulnerability called NXNSAttack. It allows attackers to abuse the delegation mechanism to create a denial-of-service condition via packet amplification. "This is so-called glueless delegation, i.e. a delegation which contains only names of authoritative DNS servers (a.iana-servers.net. and b.iana-servers.net.), but does not contain their IP addresses. Obviously a DNS resolver cannot send a query to “name”, so the resolver first needs to obtain the IPv4 or IPv6 address of authoritative server 'a.iana-servers.net.' or 'b.iana-servers.net.' and only then it can continue resolving the original query 'example.com. A'.

This glueless delegation is the basic principle of the NXNSAttack: the attacker simply sends back a delegation with fake (random) server names pointing to the victim DNS domain, thus forcing the resolver to generate queries towards the victim DNS servers (in a futile attempt to resolve the fake authoritative server names)." At this time, Ubuntu has updated its BIND package to mitigate the problem; other distributions will no doubt follow soon. More details can also be found in the paper [PDF].
jake
5 years, 3 months ago
The kernel's CPU scheduler does its best to make the right decisions for just about any workload; over the years, it has been extended to better handle mobile-device scheduling as well. But handset vendors still end up applying their own patches to the scheduler for the kernels they ship. Shipping out-of-tree code in this way leads to a certain amount of criticism from the kernel community but, as Vincent Donnefort pointed out in his session at the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), those patches are applied for a reason. He looked at a set of vendor scheduler patches to see why they are being used.
corbet
5 years, 3 months ago
Security updates have been issued by Debian (dpdk and exim4), Fedora (openconnect, perl-Mojolicious, and php), Red Hat (kernel and kpatch-patch), Slackware (sane), and Ubuntu (bind9, dpdk, exim4, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-oem, linux-oracle, linux-snapdragon, and linux, linux-aws, linux-lts-xenial, linux-raspi2, linux-snapdragon).
ris
5 years, 3 months ago
The MMTests benchmarking system is normally associated with its initial use case: testing memory-management changes. Increasingly, though, MMTests is not limited to memory management testing; at the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), Dario Faggioli talked about how he is using it to evaluate changes to the CPU scheduler, along with a discussion of the changes he had to make to get useful results for systems hosting virtualized guests.
corbet
5 years, 3 months ago
A task's "nice" value describes its priority within the completely fair scheduler; its semantics have roots in ancient Unix tradition. Last August, a "latency nice" parameter was proposed to provide similar control over a task's response-time requirements. At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), Parth Shah, Chris Hyser, and Dietmar Eggemann ran a discussion about the latency nice proposal; it seems that everybody agrees that it would be a useful feature to have, but there is a wide variety of opinions about what it should actually do.
corbet
5 years, 3 months ago
Security updates have been issued by Debian (apache-log4j1.2, exim4, libexif, and openconnect), Fedora (chromium, condor, java-1.8.0-openjdk, java-1.8.0-openjdk-aarch32, mingw-ilmbase, mingw-OpenEXR, sleuthkit, and squid), Mageia (jbig2dec, libreswan, netkit-telnet, ntp, and suricata), openSUSE (mailman and nextcloud), SUSE (autoyast2, file, git, gstreamer-plugins-base, libbsd, libvirt, libvpx, libxml2, mailman, and openexr), and Ubuntu (dovecot and json-c).
ris
5 years, 3 months ago
Linus has released the 5.7-rc6 kernel prepatch, which contains a bit more churn than he would like. "That said, there's nothing particularly scary in here, and it's not like this rc6 is outrageously big or out of control. I was just hoping for less."
corbet
5 years, 3 months ago
Over the years, the kernel's CPU scheduler has become increasingly aware of how much load every task is putting on the system; this information is used to make smarter task placement decisions. Sometimes, though, this logic can go wrong, leading to a situation that Valentin Schneider describes as "utilization inversion". At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), he described the problem and some approaches that are being considered to address it.
corbet
5 years, 3 months ago
Linux is not heavily used in safety-critical systems — yet. There is an increasing level of interest in such deployments, though, and that is driving a number of initiatives to determine how Linux can be made suitable for safety-critical environments. At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), Michal Sojka shone a light on one corner of this work: testing the thermal characteristics of Linux systems with an eye toward deployment in avionics systems.
corbet
5 years, 3 months ago
Security updates have been issued by Debian (apt, inetutils, and log4net), Fedora (kernel, mailman, and viewvc), Gentoo (chromium, freerdp, libmicrodns, live, openslp, python, vlc, and xen), Oracle (.NET Core, container-tools:1.0, and kernel), Red Hat (kernel-rt), Scientific Linux (kernel), SUSE (kernel, libvirt, python-PyYAML, and syslog-ng), and Ubuntu (json-c).
jake
5 years, 3 months ago
It seems that the Rust programming language has only been around for five years. "With all that's going on in the world you'd be forgiven for forgetting that as of today, it has been five years since we released 1.0 in 2015! Rust has changed a lot these past five years, so we wanted to reflect back on all of our contributors' work since the stabilization of the language."
corbet
5 years, 3 months ago
Libre Graphics World is running an extensive interview with several Inkscape developers. "I'd say we're at the point of supporting SVG as much as possible, but we've mostly given up trying to add editing features to the SVG specification, as the W3C is dominated by web browsers who don't need multi page or connectors.

I dare not say much more about W3C-specific things. I know that I'm personally disappointed that Inkscape's considerable importance in the SVG creation space does not lend itself to getting the feature we intend to build into Inkscape into the actual SVG specification. This does lead to the problem that going forwards we're likely to have browser incompatibilities."
corbet
5 years, 3 months ago
Life gets complicated for the kernel when there is nothing for the system to do. The obvious response is to put the CPU into an idle state to save power, but which one? CPUs offer a wide range of sleep states with different power-usage and latency characteristics. Picking too shallow a state will waste energy, while going too deep hurts latency and can impact the performance of the system as a whole. The timer-events-oriented (TEO) cpuidle governor is a relatively new attempt to improve the kernel's choice of sleep states; at the 2020 Power Management and Scheduling in the Linux Kernel Summit, Pratik Sampat presented a variant of the TEO governor that tries to improve its choices further.
corbet
5 years, 3 months ago
The 5.6.13, 5.4.41, and 4.19.123 stable kernels have been released. They contain important fixes throughout the kernel tree; users should upgrade.
jake
5 years, 3 months ago
Security updates have been issued by Debian (apt and libreswan), Fedora (glpi, grafana, java-latest-openjdk, mailman, and oddjob), Oracle (container-tools:2.0, container-tools:ol8, kernel, libreswan, squid:4, and thunderbird), SUSE (apache2, grafana, and python-paramiko), and Ubuntu (apt and libexif).
jake
5 years, 3 months ago
The LWN.net Weekly Edition for May 14, 2020 is available.
corbet
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.