Hírolvasó

The Civil Infrastructure Platform project has announced that it will be maintaining the 6.1 kernel for a minimum of ten years past its initial release (and, thus, through 2032).

CIP kernels are maintained like regular long-term-stable (LTS) kernels, and developers of the CIP kernel are also involved in LTS kernel review and testing. While regular LTS kernels are moving back to 2 years maintenance, CIP kernels are set up for 10 years. In order to enable this extended lifetime, CIP kernels are scoped-down in actively supported kernel features and target architecture. At the same time, CIP kernels accept non-invasive backports from newer mainline kernels that enable new hardware.

Programs running in the BPF machine can, depending on how they are attached, perform a number of privileged operations; the ability to load and run those programs, thus, must be a privileged operation in its own right. Almost since the beginning of the extended-BPF era, developers have struggled to find a way to allow users to run the programs they need without giving away more privilege than is necessary. Earlier this year, the idea of a BPF token ran into some opposition from security-oriented developers. Andrii Nakryiko has since returned with an updated patch set that significantly increases the granularity of the privileges that can be conferred with a BPF token.

Security updates have been issued by Debian (libcue, org-mode, python3.7, and samba), Fedora (libcue, oneVPL, oneVPL-intel-gpu, and xen), Mageia (glibc), Oracle (glibc, kernel, libssh2, libvpx, nodejs, and python-reportlab), Slackware (libcaca), SUSE (gsl, ImageMagick, kernel, opensc, python-urllib3, qemu, rage-encryption, samba, and xen), and Ubuntu (curl and samba).

The LWN.net Weekly Edition for October 12, 2023 is available.

While the vulnerability itself is pretty run-of-the-mill, the recently disclosed GNOME vulnerability has a number of interesting facets. The problem lies in a library that reads files in a fairly obscure format, but it turns out that files in that format are routinely—automatically—processed by GNOME if they are downloaded to the local system. That turns a vulnerability in a largely unknown library into a one-click remote-code-execution flaw for the GNOME desktop.

Version 8.4.0 of the curl data-transfer tool has been released, mostly in response to a relatively severe security vulnerability that can be triggered when a SOCKS5 proxy server is in use. See this blog post for details on what went wrong. "In hindsight, shipping a heap overflow in code installed in over twenty billion instances is not an experience I would recommend."

Security updates have been issued by Debian (curl, mediawiki, tomcat10, and tomcat9), Fedora (libcaca, oneVPL, oneVPL-intel-gpu, and tracker-miners), Gentoo (curl), Mageia (cups and firefox, thunderbird), Red Hat (curl, kernel, kernel-rt, kpatch-patch, libqb, libssh2, linux-firmware, python-reportlab, tar, and the virt:rhel module), Slackware (curl, libcue, libnotify, nghttp2, and samba), SUSE (conmon, curl, glibc, kernel, php-composer2, python-reportlab, samba, and shadow), and Ubuntu (curl, dotnet6, dotnet7, firefox, libx11, samba, tiff, and webkit2gtk).

The 6.5.7, 6.1.57, 5.15.135, 5.10.198, 5.4.258, 4.19.296, and 4.14.327 stable kernel updates have all been released; each contains another set of important fixes.

Back at the end of July, the Python steering council announced its intention to approve the proposal to make the global interpreter lock (GIL) optional over the next few Python releases. The details of that acceptance are still being decided on, but work on the feature is proceeding—in discussion form at least. Beyond that, though, there are efforts underway to solve that hardest of problems in computer science, naming, for the no-GIL version.

The GitHub blog describes a vulnerability in the libcue library (which is used by the GNOME desktop) that can be exploited by a remote attacker to run code on a desktop system if the target can be convinced to click on a malicious link.

The video shows me clicking a link in a webpage, which causes a cue sheet to be downloaded. Because the file is saved to ~/Downloads, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners uses libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution and pop a calculator.

Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown).

The Linux Containers project has announced the release version 0.1 of the Incus system container and virtual-machine manager, which is a community-led fork of Canonical's LXD. Incus 0.1 "is roughly equivalent to LXD 5.18 but with a number of breaking changes on top of the obvious rename". There have been some changes made in the two months since the fork: With this initial release of Incus, we took the opportunity to remove a lot of unused or problematic features from LXD. Most of those changes are things we would have liked to do in LXD but couldn’t due to having strong guarantees around backward compatibility.

Incus will be similarly strict with backward compatibility in the future, but as this is the first release of the fork, it was our one big opportunity to change things.

That said, the API and CLI are still extremely close to what LXD has, making it trivial if not completely seamless to port from LXD to Incus.

There is an online version of Incus for those interested in giving it a try.

One of the significant features added to the mainline kernel during the 6.6 merge window was multi-grain timestamps, which allow the kernel to selectively store file modification times with higher resolution without hurting performance. Unfortunately, this feature also caused some surprising regressions, and was quickly ushered back out of the kernel as a result. It is instructive to look at how this feature went wrong, and how the developers involved plan to move forward from here.

Security updates have been issued by Debian (freerdp2, gnome-boxes, grub2, inetutils, lemonldap-ng, prometheus-alertmanager, python-urllib3, thunderbird, and vinagre), Fedora (freeimage, fwupd, libspf2, mingw-freeimage, thunderbird, and vim), Gentoo (c-ares, dav1d, Heimdal, man-db, and Oracle VirtualBox), Oracle (bind, bind9.16, firefox, ghostscript, glibc, ImageMagick, and thunderbird), Slackware (netatalk), SUSE (ImageMagick, nghttp2, poppler, python, python-gevent, and yq), and Ubuntu (bind9 and vim).

Linus has released 6.6-rc5 for testing. "Things are back to normal, and we have a networking pull this week."

Rafael Sadowski (rsadowski@) blogged about his participation in p2k23.

Perhaps most notable is his work in porting KDE Plasma.

Read all about it at https://rsadowski.de/posts/2023-10-09-p2k23-dublin-openbsd-hackathon/.

There is some further discussion of the work in a thread titled NEW: KDE Plasma (x11/kde-plasma) on the ports@ mailing list.

Red Hat has announced that its longstanding "rhsa-announce" mailing list will be shut down on October 10. That is the list that receives security advisories for Red Hat Enterprise Linux and a whole slew of related products. Anybody who was counting on that list for Red Hat security advisories will need to find an alternative; a few options are listed in the announcement.

The latest round of stable kernels, 6.5.6, 6.1.56, and 5.15.134, have been released. Each contains a fairly large collection of important fixes throughout the kernel tree.

On its surface, the BPF virtual machine resembles many other computer architectures; it has registers and instructions to perform the usual operations. But there is a key difference: BPF programs must pass the kernel's verifier before they can be run. The verifier imposes a long list of additional restrictions so that it can prove to itself that any given program is safe to run; getting past those checks can be a source of frustration for BPF developers. At the 2023 GNU Tools Cauldron, José Marchesi looked at the problem of compiling for verified architectures and how the compiler can generate code that will pass verification.

Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15).