Feed: LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-04-23 07:15
[$] A look at dynamic linking
The dynamic linker is a critical component of modern Linux systems, being responsible for setting up the address space of most processes. While statically linked binaries have become more popular over time as the tradeoffs that originally led to dynamic linking become less relevant, dynamic linking is still the default. This article looks at what steps the dynamic linker takes to prepare a program for execution.
Security updates for Tuesday
Security updates have been issued by Fedora (clamav and virtiofsd), Oracle (gimp), Red Hat (gnutls and nss), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t and squid), and Ubuntu (openssl).
FreeBSD phasing out 32-bit platforms
The FreeBSD Project has announced that it intends to deprecate 32-bit platforms "over the next couple of major releases".
[$] Another runc container breakout
Once again, runc, a tool for spawning and running OCI containers, is drawing attention due to a high-severity container breakout attack. This vulnerability is interesting for several reasons: its potential for widespread impact, the continued difficulty in actually containing containers, the dangers of running containers as a privileged user, and the fact that this vulnerability is made possible in part by a response to a previous container breakout flaw in runc.
Security updates for Monday
Security updates have been issued by Debian (libgit2), Fedora (chromium, firecracker, libkrun, openssh, python-nikola, runc, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, virtiofsd, webkitgtk, and wireshark), Mageia (filezilla and xpdf), Oracle (gimp), Red Hat (libmaxminddb, linux-firmware, squid:4, and tcpdump), Slackware (xpdf), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont and suse-build-key), and Ubuntu (python-glance-store and webkit2gtk).
Kernel prepatch 6.8-rc4
The 6.8-rc4 kernel prepatch is out for testing. "Commit counts and contents look normal for this phase of the release, nothing here really stands out."
Introducing Fedora Atomic Desktops (Fedora Magazine)
Fedora Magazine has announced the creation of Fedora Atomic Desktops: a way of branding Fedora's growing set of rpm-ostree spins. Joseph Gayso wrote "we've seen more of our mainline Fedora Linux spins make the jump to offer a version that implements rpm-ostree. It's reached the point where it can be hard to talk about all of them at the same time. Therefore we've introduced a new brand that will serve to simplify how we discuss rpm-ostree and how we name future atomic spins." LWN covered Project Bluefin, which is based on Fedora's rpm-ostree work, in December 2023.
DRM-CI: A GitLab-CI pipeline for Linux kernel testing (Collabora Blog)
Over on the Collabora blog, Helen Koike writes about the DRM-CI project for running automated continuous integration (CI) tests on multiple graphics devices in several different labs. It uses the IGT GPU tools for testing, though there are plans to expand:
[$] Gnuplot6 comes with pie
Gnuplot 6.0 was released in December 2023, bringing a host of significant improvements and new capabilities to the open-source graphing tool. Here we survey the major new features, including filled contours in 3D, adaptive plotting resolution, watchpoints, clipping of surfaces, sector plots for making things like pie charts, and new syntax for conditionals in gnuplot's scripting language. In addition, there are detailed examples of the features described.
Rowley: What’s new in the Postgres 16 query planner / optimizer
David Rowley looks deeply into the improvements coming to the query planner in PostgreSQL 16.
Security updates for Friday
Security updates have been issued by Debian (webkit2gtk), Fedora (atril, chromium, gnutls, python-aiohttp, and webkitgtk), Gentoo (libxml2), Mageia (gnutls, gpac, kernel, kernel-linus, microcode, pam, and postfix), Red Hat (container-tools:2.0, container-tools:3.0, container-tools:4.0, container-tools:rhel8, gimp, libmaxminddb, python-pillow, runc, and unbound), SUSE (cosign, netpbm, python, python-Pillow, python3, and python36), and Ubuntu (libde265, linux-gcp, linux-gcp-5.4, and linux-intel-iotg).
Google announces 2024 season of docs
On February 2, Google announced this year's "Season of Docs", a program complementing its Summer of Code program by providing funding to open source projects to hire technical writers to improve their documentation. Interested projects have until April 2 to apply.
Brennan: What's Inside a Linux Kernel Core Dump
Stephen Brennan describes kernel core dumps in excruciating detail.
A new CEO for Mozilla
Mitchell Baker has announced that she is stepping down from the role of Mozilla CEO, effective immediately. Laura Chambers will be the new CEO "for the remainder of the year".
[$] Pitchforks for RDSEED
The generation of random (or, at least, unpredictable) numbers is key to many security technologies. For this reason, the provision of random data as a CPU feature has drawn a lot of attention over the years. A proper hardware-based random-number generator can address the problems that make randomness hard to obtain in some systems, but only if the manufacturer can be trusted to not have compromised that generator in some way. A recent discussion has brought to light a different problem, though: what happens if a hardware random-number generator can be simply driven into exhaustion?
Glibc becomes a CVE Numbering Authority
The GNU C Library project has been accepted as a CVE Numbering Authority (CNA), meaning that the project is now in control of the CVE numbers assigned to its code.
Security updates for Thursday
Security updates have been issued by Debian (chromium), Red Hat (gimp, kernel, kernel-rt, and runc), Slackware (expat), SUSE (libavif), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive).
[$] LWN.net Weekly Edition for February 8, 2024
The LWN.net Weekly Edition for February 8, 2024 is available.
Please welcome Joe Brockmeier to LWN
At the beginning of November, we let it be known that we were looking to hire a writer/editor to augment the LWN team. In past attempts, we have found it difficult to attract writers who could produce the kind of content that LWN readers expect. This time around, as we have said before, was different; we had a number of candidates who could have filled the bill and were forced to make some difficult choices. While "hire them all" was an attractive idea, it was not one that our budget would support. We did conclude, however, that we could stretch to a second hire. So we are pleased to announce that the opportunity to bring Joe Brockmeier on board was too good to pass up - so we didn't. You will start to see his work return to LWN within the next few days.
Go 1.22 released
Go 1.22, the most recent version of the Go programming language, has been released. It comes with two language changes to for loops: a fix for a longstanding "gotcha" with accidentally sharing loop variables between iterations and adding the ability to range over integer values. There are also additions to the standard library, improved performance, and more. See the release notes for further information.
[$] So you think you understand IP fragmentation?
What is IP fragmentation, why is it important, and do people understand it? The answer to that last question is "not as well as they think". This article will also answer the rest of those questions and introduce fragquiz, a game that I wrote to allow players to guess how IP packets will behave when they are too large for the network. As evidence that IP fragmentation is not well-understood, a room full of networking experts played fragquiz and got a score that was nowhere close to perfect. In addition, I will describe a new algorithm for fragmentation avoidance, which some colleagues and I developed, that helped motivate development of fragquiz.
Security updates for Wednesday
Security updates have been issued by Red Hat (gimp) and Ubuntu (firefox, linux-oracle, linux-oracle-5.15, and python-django).
[$] GNU C Library version 2.39
The GNU C Library (glibc) released version 2.39 on January 31, including several new features. Notable highlights include new functions for spawning child processes, support for shadow stacks on x86_64, new security features, and the removal of libcrypt. The glibc maintainers had also hoped to include improvements to qsort(), which ended up not making it into this release. Glibc releases are made every six months.
Security updates for Tuesday
Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc).
Three new stable kernels
Greg Kroah-Hartman has announced the release of the 6.7.4, 6.6.16, and 6.1.77 stable kernels. As usual, they contain important fixes all over the kernel tree.
[$] The end of tasklets
A common problem in kernel development is controlling when a specific task should be done. Kernel code often executes in contexts where some actions (sleeping, for example, or calling into filesystems) are not possible. Other actions, while possible, may prevent the kernel from taking care of a more important task in a timely manner. The kernel community has developed a number of deferred-execution mechanisms designed to ensure that every task is handled at the right time. One of those mechanisms, tasklets, has been eyed for removal for years; that removal might just happen in the near future.
Security updates for Monday
Security updates have been issued by Debian (rear, runc, sudo, and zbar), Fedora (chromium, grub2, libebml, mingw-python-pygments, and python-aiohttp), Gentoo (FreeType, GNAT Ada Suite, Microsoft Edge, NBD Tools, OpenSSL, QtGui, SDDM, Wireshark, and Xen), Mageia (dracut, glibc, nss and firefox, openssl, packages, perl, and thunderbird), Slackware (libxml2), SUSE (java-11-openjdk, java-17-openjdk, perl, python-uamqp, slurm, and xerces-c), and Ubuntu (libssh and openssl).
Kernel prepatch 6.8-rc3
The 6.8-rc3 kernel prepatch is out for testing. "A slightly larger rc3 that I'd have hoped for, although at this stage in the release process it's not something that really worries me yet."
[$] Zig 2024 roadmap
The Zig language 2024 roadmap was presented in a talk last week on Zig Showtime (a show covering Zig news). Andrew Kelley, the benevolent dictator for life of the Zig project, presented his goals for the language, largely focusing on compiler performance and continuing progress toward stabilization for the language. He discussed details of his plan for incremental compilation, and addressed the sustainability of the project in terms of both code contributions and financial support.
Phipps: The European regulators listened to the Open Source communities
Simon Phipps writes on the Open Source Initiative blog that the latest version of the European Cyber Resilience Act is much improved: "As a result of all this effort from so many people, the final text of the CRA mitigated pretty much all the risks we had identified to individual developers and to Open Source foundations."
Security updates for Friday
Security updates have been issued by Debian (chromium, man-db, and openjdk-17), Fedora (chromium, indent, jupyterlab, kernel, and python-notebook), Gentoo (glibc), Oracle (firefox, thunderbird, and tigervnc), Red Hat (rpm), SUSE (cpio, gdb, gstreamer, openconnect, slurm, slurm_18_08, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, squid, webkit2gtk3, and xerces-c), and Ubuntu (imagemagick and xorg-server, xwayland).
[$] The hard life of a virtual-filesystem developer
Filesystem development is not an easy task; the performance demands are typically high, and the consequences for mistakes usually involve lost data and irate users. The implementation of a virtual (or "pseudo") filesystem, a filesystem implemented within the kernel and lacking a normal backing store, can also be challenging, but for different reasons. A series of conversations around the eventfs virtual filesystem has turned a spotlight on the difficulty of creating a virtual filesystem for Linux.
Damn Small Linux 2024 released
A new version of the Damn Small Linux distribution has come out with an updated definition of "damn small":
Stable kernels 6.7.3, 6.6.15, and 6.1.76
The 6.7.3, 6.6.15, and 6.1.76 stable kernels have been released. These contain a large number of important fixes throughout the tree, as is the norm.
Security updates for Thursday
Security updates have been issued by Debian (debian-security-support, firefox-esr, openjdk-11, and python-asyncssh), Fedora (glibc, python-templated-dictionary, thunderbird, and xorg-x11-server-Xwayland), Gentoo (Chromium, Google Chrome, Microsoft Edge and WebKitGTK+), Red Hat (firefox, gnutls, libssh, thunderbird, and tigervnc), SUSE (mbedtls, rear116, rear1172a, runc, squid, and tinyssh), and Ubuntu (glibc and runc).
[$] LWN.net Weekly Edition for February 1, 2024
The LWN.net Weekly Edition for February 1, 2024 is available.
GNU C Library 2.39 released
Version 2.39 of the GNU C Library has been released. Changes include integration with the x86 shadow-stack mechanism, a couple of new posix_spawn() variants for working with control groups, pidfd_spawn() and pidfd_spawnp(), the C2X stdbit.h header, the removal of the libcrypt library, and more. See the release notes for details.
LibreOffice 24.2 Community released
Version 24.2 of the LibreOffice office suite is available. Changes include AutoRecovery enabled by default, styling of comments, better floating-table support, improved accessibility, and more. See the release notes for details.
[$] OpenBSD system-call pinning
Return-oriented programming (ROP) attacks are hard to defend against. Partial mitigations such as address-space layout randomization, stack canaries, and other techniques are commonly deployed to try and frustrate ROP attacks. Now, OpenBSD is experimenting with a new mitigation that makes it harder for attackers to make system calls, although some security researchers have expressed doubt that it will prove effective at stopping real-world attacks. In his announcement message, Theo de Raadt said that this work "makes some specific low-level attack methods unfeasible on OpenBSD, which will force the use of other methods."
A locally exploitable glibc vulnerability
Qualys has disclosed a vulnerability in the GNU C Library that can be exploited by a local attacker for root access. It was introduced in the 2.37 release, and also backported to 2.36.
Security updates for Wednesday
Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland).
[$] Looking ahead to Emacs 30
EmacsConf 2023 was, like its recent predecessors, an online conference with lots of talks about various aspects of the Emacs editor, though, of course, it is way more than just an editor. Last year's edition was held in early December. One of the talks that looked interesting was on Emacs development, which was given live by John Wiegley. In it, he briefly described some of the biggest features coming in Emacs 30, which is the next major version coming for the tool.
The state of eBPF
The eBPF Foundation has published a glossy document called The State of eBPF; it seems mostly concerned with how a small number of large companies are using and developing this technology.
Security updates for Tuesday
Security updates have been issued by Debian (pillow, postfix, and redis), Fedora (python-templated-dictionary and selinux-policy), Red Hat (gnutls, kpatch-patch, libssh, and tomcat), and Ubuntu (amanda, ceph, linux-azure, linux-azure-4.15, linux-kvm, and tinyxml).
[$] Defining the Rust 2024 edition
In December, the Rust project released a call for proposals for inclusion in the 2024 edition. Rust handles backward incompatible changes by using Editions, which permit projects to specify a single stable edition for their code and allow libraries written in different editions to be linked together. Proposals for Rust 2024 are now in, and have until the end of February to be debated and decided on. Once the proposals are accepted, they have until May to be implemented in time for the 2024 edition to be released in the second half of the year.
Security updates for Monday
Security updates have been issued by CentOS (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, kernel, LibRaw, python-pillow, and xorg-x11-server), Debian (gst-plugins-bad1.0, libspreadsheet-parsexlsx-perl, mariadb-10.3, and slurm-wlm), Fedora (atril, dotnet8.0, gnutls, prometheus-podman-exporter, python-jinja2, sudo, and vips), Oracle (frr, kernel, php:8.1, python-urllib3, python3.9, rpm, sqlite, and tomcat), Slackware (pam), SUSE (cpio, rear23a, rear27a, sevctl, and xorg-x11-server), and Ubuntu (exim4 and firefox).
Kernel prepatch 6.8-rc2
Linus has released 6.8-rc2 for testing. "So go out and test. It's safe now. You trust me, right?"
[$] Better handling of integer wraparound in the kernel
While the mathematical realm of numbers is infinite, computers are only able to represent a finite subset of them. That can lead to problems when arithmetic operations would create numbers that the computer is unable to store as the intended type. This condition, called "overflow" or "wraparound" depending on the context, can be the source of bugs, including unpleasant security vulnerabilities, so it is worth avoiding. This patch series from Kees Cook is intended to improve the kernel's handling of these situations, but it is running into a bit of resistance.
Security updates for Friday
Security updates have been issued by Debian (xorg-server), Fedora (chromium, dotnet8.0, firefox, freeipa, and thunderbird), Red Hat (avahi, c-ares, curl, edk2, expat, freetype, frr, git, gnutls, grub2, kernel, kernel-rt, libcap, libfastjson, libssh, libtasn1, libxml2, linux-firmware, ncurses, oniguruma, openssh, openssl, perl-HTTP-Tiny, protobuf-c, python-urllib3, python3, python3.9, rpm, samba, shadow-utils, sqlite, tcpdump, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (cpio, jasper, rear23a, thunderbird, and xorg-x11-server), and Ubuntu (jinja2, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.1, and mariadb, mariadb-10.3, mariadb-10.6).
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 6.7.2, 6.6.14, 6.1.75, 5.15.148, 5.10.209, 5.4.268, and 4.19.306 stable kernels. As usual, they contain a long list of fixes throughout the kernel tree.