LWN.net

Security updates have been issued by CentOS (flatpak), Debian (connman, golang-1.11, and openjpeg2), Fedora (pngcheck), Mageia (php, phppgadmin, and wpa_supplicant), openSUSE (privoxy), Oracle (flatpak and kernel), Red Hat (qemu-kvm-rhev), SUSE (kernel, python-urllib3, and python3), and Ubuntu (firefox).

Kees Cook catchesup with the security-related changes in the 5.8 kernel release."With this in place, Jump-Oriented Programming (JOP, where codegadgets are chained together with jumps and calls) is no longer availableto the attacker. An attacker’s code must make direct function calls. Thisbasically reduces the 'usable' code available to an attacker from everyword in the kernel text to only function entries (or jump targets). This isa 'low granularity' forward-edge Control Flow Integrity (CFI) feature,which is important (since it greatly reduces the potential targets that canbe used in an attack) and cheap (implemented in hardware). It’s a goodfirst step to strong CFI, but (as we’ve seen with things like CFG) it isn’tusually strong enough to stop a motivated attacker."

The newly formed Rust Foundation has announcedits existence. "Today, on behalf of the Rust Core team, I’mexcited to announce the Rust Foundation, a new independent non-profitorganization to steward the Rust programming language and ecosystem, with aunique focus on supporting the set of maintainers that govern and developthe project. The Rust Foundation will hold its first board meetingtomorrow, February 9th, at 4pm CT. The board of directors is composed of 5directors from our Founding member companies, AWS, Huawei, Google,Microsoft, and Mozilla, as well as 5 directors from project leadership, 2representing the Core Team, as well as 3 project areas: Reliability,Quality, and Collaboration." Mozilla has transferred its trademarksand domains for Rust over to the foundation.

The kernel's CFS bandwidth controller is an effective way of controllingjust how much CPU time is available to each control group. It can keepprocesses from consuming too much CPU time and ensure that adequate time isavailable for all processes that need it. That said, it's not entirelysurprising that the bandwidth controller is not perfect for every workload out there. Thispatch set from Huaixin Chang aims to make it work better for bursty,latency-sensitive workloads.

Stable kernels 5.10.14, 5.4.96, 4.19.174, and 4.14.220 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (chromium, gdisk, intel-microcode, privoxy, and wireshark), Fedora (mingw-binutils, mingw-jasper, mingw-SDL2, php, python-pygments, python3.10, wireshark, wpa_supplicant, and zeromq), Mageia (gdisk and tomcat), openSUSE (chromium, cups, kernel, nextcloud, openvswitch, RT kernel, and rubygem-nokogiri), SUSE (nutch-core), and Ubuntu (openldap, php-pear, and qemu).

The 5.11-rc7 kernel prepatch is out fortesting. "Anyway, this is hopefully the last rc for this release, unless somesurprise comes along and makes a travesty of our carefully laid plans.It happens.Nothing hugely scary stands out, with the biggest single part of thepatch being some new self-tests. In fact, about a quarter of the patchis documentation and selftests."

Greg Kroah-Hartman has released the 4.9.256and 4.4.256 in order to try to figure outif there are any user-space problems caused by the overflow of the minor version number for thosestable-kernel series. "With this release, KERNEL_VERSION(4, 9, 256) is the same as KERNEL_VERSION(4, 10, 0).Nothing in the kernel build itself breaks with this change, but given that thisis a userspace visible change, and some crazy tools (like glibc and gcc) havelogic that checks the kernel version for different reasons, I wanted to do thisrelease as an 'empty' release to ensure that everything still worksproperly." Those who could be affected would be well-advised totest this change immediately as he plans another 4.9 release in aweek's time.

As has often been pointed out, the stable-kernel releases are meant to bestable; that means they should be even more averse to ABI breaks thanmainline releases, if that is possible. This may be a hard promise to keepfor the next set of stable kernels, though, for the most mundane ofreasons: nobody thought that there would be more than 255 minor updates toany given kernel release.

Security updates have been issued by Fedora (java-11-openjdk, kernel, and monitorix), Mageia (mutt, nodejs, and nodejs-ini), Oracle (flatpak, glibc, and kernel), Red Hat (rh-nodejs14-nodejs), Scientific Linux (flatpak), and Ubuntu (flatpak and minidlna).

Of all the system calls in the Unix tradition, few are as maligned as ioctl().But ioctl() exists for a reason — for many reasons, in truth — andcannot be expected to go away anytime soon. It is thus unsurprising thatthere is interest in providing ioctl()-like functionality in theio_uring subsystem. A recent RFC patch setfrom Jens Axboe shows the form that this feature might take in theio_uring context.

Security updates have been issued by CentOS (glibc, linux-firmware, perl, and qemu-kvm), Debian (dnsmasq), Fedora (netpbm), Mageia (firefox, messagelib, python and python3, ruby-nokogiri, and thunderbird), Oracle (kernel, perl, and qemu-kvm), Red Hat (flatpak), and SUSE (openvswitch and python-urllib3).

The LWN.net Weekly Edition for February 4, 2021 is available.

Greg Kroah-Hartman has released stable kernels 5.10.13, 5.4.95, 4.19.173, 4.14.219, 4.9.255, and 4.4.255. They all contain important fixes andusers should upgrade.

The release of Firefox 85at the end of January brought a new technique for thwarting yet-anotherweb-tracking scheme. The use of browser cookies for tracking iswell-established and the browser makers have taken steps to block theworst abuses there, but users can also take steps to manage and clear thosecookies. The arms race continues, however, as tracking companies are usingbrowser caches to store what Mozilla calls "supercookies", which allowusers to be tracked across the web sites that they visit. That has led thebrowser makers to partition these caches by web site in order to preventthis tracking technique.

Greg Kroah-Hartman hasa suggestion for anybody who would like to help him maintainlong-term-stable kernel releases. "All I request is that people testthe -rc releases when I announce them, and let me know if they work or notfor their systems/workloads/tests/whatever. [...] But, if you want to do more,I always really appreciate when people email me, or stable@vger.kernel.org,git commit ids that are needed to be backported to specific stable kerneltrees because they found them in their testing/development efforts."

Security updates have been issued by Debian (open-build-service and openldap), Fedora (jasper, libebml, and tcmu-runner), openSUSE (segv_handler), Red Hat (thunderbird), Scientific Linux (kernel), SUSE (cups and openvswitch), and Ubuntu (apport and ca-certificates).

Version 4.2of the desktop-oriented Solus distribution is available. "Werecognized that Desktop Icons was an important part of the workflow of manyusers, so we spent considerable time during this development cycle ensuringthere was a solution for them as well as our downstream users ofBudgie. Expanding on this, Solus 4.2 defaults to having desktop iconsenabled to make Solus more approachable to new users." Some moreinformation on the desktop changes can be found in this blogentry from December.

The LibreOffice 7.1 "Community" release is out. "LibreOffice 7.1Community adds several interoperability improvements with DOCX/XLSX/PPTXfiles: improvements to Writer tables (better import/export and managementof table functions, and better support for change tracking in floatingtables); a better management of cached field results in Writer; support ofspacing below the header's last paragraph in DOC/DOCX files; and additionalSmartArt improvements when importing PPTX files." The announcementalso goes on at length about the new "community" label and how this release"is not targeted at enterprises".

A longstanding hole in the Sudoprivilege-delegation tool that was discoveredin late January is a potent local vulnerability. Exploiting it allows local usersto run code of their choosing as root by way of a bog-standard heap-bufferoverflow. It seems like the kind of bug that might have been found earlier viacode inspection or fuzzing, but it has remained in this security-sensitiveutility since it was introduced in 2011.

Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu).

Version 2.33 of the GNU C library is out. Changes this time include anumber of dynamic linker improvements, 32-bit RISC-V support, and a numberof security fixes.

The kernel development community talks often about subsystems and subsystemmaintainers, but it is less than entirely clear about what a "subsystem" is inthe first place. People wanting to understand how kernel development workscould benefit from a clearer idea of what actually comprises a subsystemwithin the kernel. In an attempt to better understand how kerneldevelopment works, Pia Eichinger and her colleagues spent a lot of time lookingfor the actual boundaries; Eichinger presented that work at the 2021linux.conf.au online gathering.

Security updates have been issued by Arch Linux (home-assistant, libgcrypt, libvirt, and mutt), Debian (ffmpeg, kernel, libonig, libsdl2, mariadb-10.1, and thunderbird), Fedora (chromium, firefox, jasper, libebml, mingw-python3, netpbm, opensmtpd, thunderbird, and xen), Gentoo (firefox and thunderbird), Mageia (db53, dnsmasq, kernel, kernel-linus, and php-pear), openSUSE (go1.14, go1.15, messagelib, nodejs8, segv_handler, and thunderbird), Oracle (firefox, kernel, and thunderbird), Red Hat (flatpak), SUSE (firefox and rubygem-nokogiri), and Ubuntu (mysql-5.7, mysql-8.0 and python-django).

The 5.11-rc6 kernel prepatch is out fortesting. "Things look a little calmer than last week, and over-all very averagefor rc6. So - like always this late in the release schedule - I'dcertainly have liked things to be even calmer, but nothing here reallystands out."

The stable-kernel machine has produced another set of updates:5.10.12,5.4.94,4.19.172,4.14.218,4.9.254, and4.4.254.Each contains a relatively small set of important fixes.

There was a time when people who were exploring computational technologysaw it as the path toward decentralization and freedom worldwide. What wehave ended up with, instead, is a world that is increasingly centralized,subject to surveillance, and unfree. How did that come to be? In a keynote at theonline 2021 linux.conf.au event, Cory Doctorow gave his view of this problem andnamed its source: monopoly.

The GNU Privacy Guard (GnuPG or GPG) project has announced a critical security bug in Libgcrypt version 1.9.0 released January 19. "Libgcrypt is a general purpose library of cryptographic building blocks.It is originally based on code used by GnuPG. It does not provide anyimplementation of OpenPGP or other protocols. Thorough understanding ofapplied cryptography is required to use Libgcrypt." Version 1.9.1 has been released to address the problem and all users of 1.9.0 should update immediately. It is a heap buffer overflow, but no version of GnuPG uses the 1.9 series yet. "Exploiting this bug is simple and thus immediate action for 1.9.0 usersis required. A CVE-id has not yet been assigned. We track this bug athttps://dev.gnupg.org/T5275. The 1.9.0 tarballs on our FTP server havebeen renamed so that scripts won't be able to get this version anymore."

David Malcolm describesthe progress in the GCC static analyzer for the upcoming GCC 11release. "In GCC 10, I added the new -fanalyzer option, a staticanalysis pass for identifying various problems at compile-time, rather thanat runtime. The initial implementation was aimed at early adopters, whofound a few bugs, including a security vulnerability: CVE-2020-1967. BerndEdlinger, who discovered the issue, had to wade through many falsepositives accompanying the real issue. Other users also managed to get theanalyzer to crash on their code.I’ve been rewriting the analyzer to address these issues in the next major release, GCC 11. In this article, I describe the steps I’m taking to reduce the number of false positives and make this static analysis tool more robust."

Security updates have been issued by Arch Linux (dnsmasq, erlang, flatpak, go, gobby, gptfdisk, jenkins, kernel, linux-hardened, linux-lts, linux-zen, lldpd, openvswitch, podofo, virtualbox, and vlc), Fedora (erlang, firefox, nss, and seamonkey), Gentoo (imagemagick, nsd, and vlc), openSUSE (chromium and python-autobahn), Oracle (firefox and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (firefox, jackson-databind, and thunderbird), and Ubuntu (libxstream-java).

Jeffrey Walsh started off his 2021linux.conf.au presentation with a statement that, while 2020 was not the greatest year ever, there were stillsomegood things that happened; one of those was the Emacs 27.1 release.This major update brought a number of welcome new features, but alsoled to yet another discussion on the future ofEmacs. With that starting point, Walsh launched into a fast-movinglook at the history of Emacs, why users still care about it, what changesare coming, and (especially) what was involved in moving Emacs away fromthe X window system and making it work with the Wayland compositor.

Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and tcmu).

The LWN.net Weekly Edition for January 28, 2021 is available.

It would appear that "sudo" has a buffer-overflow vulnerability that allowsany local user to gain root privileges, whether or not they are in thesudoers file. It has been there since 2011. See thisadvisory for details, but perhaps run an update first.

Distribution developers do a lot of work to keep a language ecosystemworking well within the distribution. It is relatively thankless work thatnormally only becomes visible when there is a problem or complaint. ButMiro Hrončok recently put together a lookback at what the Fedora Python team did during 2020. While it is,obviously, Fedora-specific, it provides something of a look inside at thekinds of things that distribution teams work on.

Open-source software is famously able to be used by anyone for any purpose;those are some of the keystones of the opensource definition.But some companies that run open-source projects are increasingly unhappythat others are reaping some of the profits from those projects. That has led to variousefforts of "license reform" meant to try to capture those profits. Sofar, those efforts have just led to non-open-source licenses, thus projectsthat are no longer open source. We are seeingthat play out yet again with Elastic's mid-January announcement thatit was changing the license on some of its projects.

Stable kernels 5.10.11, 5.4.93, and 4.19.171 have been released. They containimportant fixes and users should upgrade.

Security updates have been issued by Arch Linux (sudo), CentOS (sudo), Debian (sudo), Fedora (kernel, php-pear, and sudo), Gentoo (cacti, mutt, and sudo), Mageia (sudo), openSUSE (sudo), Oracle (sudo), Red Hat (sudo), Scientific Linux (sudo), Slackware (sudo), SUSE (go1.14, go1.15, nodejs8, and sudo), and Ubuntu (libsndfile and sudo).

Security updates have been issued by CentOS (dnsmasq, net-snmp, and xstream), Debian (mutt), Gentoo (cfitsio, f2fs-tools, freeradius, libvirt, mutt, ncurses, openjpeg, PEAR-Archive_Tar, and qtwebengine), openSUSE (chromium, mutt, stunnel, and virtualbox), Red Hat (cryptsetup, gnome-settings-daemon, and net-snmp), Scientific Linux (xstream), SUSE (postgresql, postgresql12, postgresql13 and rubygem-nokogiri), and Ubuntu (mutt).

Version 85 ofthe Firefox browser has been released. The headline change appears tobe the isolation of internal caches to defeat the use of "supercookies" totrack users; see thisblog entry for details. "In fact, there are many differentcaches trackers can abuse to build supercookies. Firefox 85 partitions allof the following caches by the top-level site being visited: HTTP cache,image cache, favicon cache, HSTS cache, OCSP cache, style sheet cache, fontcache, DNS cache, HTTP Authentication cache, Alt-Svc cache, and TLScertificate cache."

The Python Packaging Authority (PyPA) has announced the release of pip21.0. This version removes Python 2.7 and 3.5 support, and drops supportfor legacy cache entries from pip < 20.0.

The term "browser wars" typically refers to Microsoft's attempts todominate the World Wide Web with its Internet Explorer browser in the1990s. That effort was thwarted by antitrust efforts and the rise of thefree browser now known as Firefox;ever since, the web has been defined by free software. Or so some may havethought. In the 2020s, the browser wars continue with the growingdominance of Chrome and, it would seem, the imminent removal of Chromiumfrom many Linux distributions.

Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, and xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (hawk2, ImageMagick, mutt, permissions, and stunnel), and Ubuntu (pound).

The 5.11-rc5 kernel prepatch is out fortesting. "Nothing particularly stands out. We had a couple of splice()regressions that came in during the previous release as part of the'get rid of set_fs()' development, but they were for odd cases thatmost people would never notice. I think it's just that 5.10 is nowgetting more widely deployed so people see the fallout from thatrather fundamental change in the last release."

The next round of stable kernel updates is out:5.10.10,5.4.92,4.19.170,4.14.217,4.9.253, and4.4.253.Each contains another set of important fixes.

Memory fragmentation has long been a problem for Linux systems, to thepoint that, for years, finding even two physically contiguous pages was anuncertain affair. That said, the situation has improved considerably inthe last decade or so thanks to a number of changes implemented by thememory-management developers. One of those changes is the creation of"movable"memory zones where pages can be relocated if need be. All that work is fornothing, though, if somebody comes along and pins down a page in one ofthese movable zones. Thispatch set from Pavel Tatashin seeks to prevent that from happening, butmay risk creating problems elsewhere.

Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack).

Libre Arts (formerly Libre Graphics World) has posted a comprehensivesurvey of what 2021 might hold for a wide range of freecontent-creation software.The topic of fullscreen color management implementation in Wayland is back,and it’s a kinda frustrating story. In a nutshell:

The Corellium blog is carrying a description of how the Linuxport to the Apple M1 processor was done. "Many components of theM1 are shared with Apple mobile SoCs, which gave us a good runningstart. But when writing Linux drivers, it became very apparent hownon-standard Apple SoCs really are. Our virtual environment is extremelyflexible in terms of models it can accommodate; but on the Linux side, the64-bit ARM world has largely settled on a well-defined set of buildingblocks and firmware interfaces - nearly none of which were used on theM1."

As a general rule, when one attempts to open a file with a system call likeopenat2(),the expectation is that the call will not return until the job is done.But there are times where the desire to open the file is conditional onbeing able to open it immediately, without blocking. Linux has neversupported that mode well, but that may be about to change with thispatch set from Jens Axboe.