The primary job of a compiler is to translate source code into a binaryform that can be run by a computer. Increasingly, though, developers wantmore from their tools, compilers included. Since the compiler mustunderstand the code it is being asked to translate, it is in a goodposition to provide information about how that code will execute - andwhere things might go wrong. At the 2023 GNU Tools Cauldron,David Malcolm talked about recent work to improve the diagnostic outputfrom the GCC compiler.
Version23.10 of the Ubuntu distribution is out. Changes include support forhardware-backed full-disk encryption, tighter control over user namespaces,a new App Center application, and more.
Version23.05.0 of the OpenWrt distribution has been released: "OpenWrt23.05 supports over 1790 devices. Support for over 200 new devices wasadded in addition to the device support by OpenWrt 22.03". Along withnew device support, this release features a switch to the mbedtlscryptographic library, the ability to include utilities written in Rust, anupdated toolchain, and more.
Security updates have been issued by Debian (chromium, tomcat9, and webkit2gtk), Fedora (cacti, cacti-spine, grafana-pcp, libcue, mbedtls, samba, and vim), Oracle (kernel, libvpx, and thunderbird), Red Hat (bind and galera, mariadb), SUSE (exiv2, go1.20, go1.21, and kernel), and Ubuntu (ffmpeg).
The Civil Infrastructure Platform project has announcedthat it will be maintaining the 6.1 kernel for a minimum of ten years pastits initial release (and, thus, through 2032).
Programs running in the BPF machine can, depending on how they areattached, perform a number of privileged operations; the ability to loadand run those programs, thus, must be a privileged operation in its ownright. Almost since the beginning of the extended-BPF era, developers havestruggled to find a way to allow users to run the programs they needwithout giving away more privilege than is necessary. Earlier this year,the idea of a BPF token ran into someopposition from security-oriented developers. Andrii Nakryiko has sincereturned with anupdated patch set that significantly increases the granularity of theprivileges that can be conferred with a BPF token.
While the vulnerability itself is pretty run-of-the-mill, the recently disclosedGNOME vulnerability has a number of interesting facets. The problem liesin a library that reads files in a fairly obscure format, but it turns outthat files in that format are routinely-automatically-processed by GNOME ifthey are downloaded to the local system. That turns a vulnerability in alargely unknown library into a one-click remote-code-execution flaw forthe GNOME desktop.
Version8.4.0 of the curl data-transfer tool has been released, mostly inresponse to a relatively severe security vulnerability that can betriggered when a SOCKS5 proxy server is in use. See thisblog post for details on what went wrong. "In hindsight, shipping aheap overflow in code installed in over twenty billion instances is not anexperience I would recommend."
Security updates have been issued by Debian (curl, mediawiki, tomcat10, and tomcat9), Fedora (libcaca, oneVPL, oneVPL-intel-gpu, and tracker-miners), Gentoo (curl), Mageia (cups and firefox, thunderbird), Red Hat (curl, kernel, kernel-rt, kpatch-patch, libqb, libssh2, linux-firmware, python-reportlab, tar, and the virt:rhel module), Slackware (curl, libcue, libnotify, nghttp2, and samba), SUSE (conmon, curl, glibc, kernel, php-composer2, python-reportlab, samba, and shadow), and Ubuntu (curl, dotnet6, dotnet7, firefox, libx11, samba, tiff, and webkit2gtk).
The6.5.7,6.1.57,5.15.135,5.10.198,5.4.258,4.19.296, and4.14.327stable kernel updates have all been released; each contains another set ofimportant fixes.
Back at the end of July, the Python steering council announcedits intention to approve the proposal to make the global interpreter lock(GIL) optional over the next few Python releases. The details of thatacceptance are still being decided on, but work on the feature isproceeding-in discussion form at least. Beyond that, though, there areefforts underway to solve that hardest of problems in computerscience, naming, for the no-GIL version.
The GitHub blog describesa vulnerability in the libcue library (which is used by the GNOMEdesktop) that can be exploited by a remote attacker to run code on adesktop system if the target can be convinced to click on a malicious link.
Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown).
The Linux Containers project hasannouncedthe release version0.1 of the Incus system container andvirtual-machine manager, which is a community-led fork of Canonical's LXD. Incus 0.1 "is roughlyequivalent to LXD 5.18 but with a number of breaking changes on top of theobvious rename". There have been some changes made in the two monthssince the fork:
One of the significant features added to the mainline kernel during the 6.6merge window was multi-grain timestamps, which allow the kernel toselectively store file modification times with higher resolution withouthurting performance. Unfortunately, this feature also caused somesurprising regressions, and was quickly ushered back out of the kernel as aresult. It is instructive to look at how this feature went wrong, and howthe developers involved plan to move forward from here.
Red Hat has announcedthat its longstanding "rhsa-announce" mailing list will be shut down onOctober10. That is the list that receives security advisories forRed Hat Enterprise Linux and a whole slew of related products. Anybody whowas counting on that list for Red Hat security advisories will need to findan alternative; a few options are listed in the announcement.
The latest round of stable kernels, 6.5.6,6.1.56, and 5.15.134, have been released. Each contains afairly large collection of important fixes throughout the kernel tree.
On its surface, the BPF virtual machine resembles many other computerarchitectures; it has registers and instructions to perform the usualoperations. But there is a key difference: BPF programs must pass thekernel's verifier before they can be run. The verifier imposes a long listof additional restrictions so that it can prove to itself that any givenprogram is safe to run; getting past those checks can be a source offrustration for BPF developers. At the 2023 GNU Tools Cauldron,Jose Marchesi looked at the problem of compiling for verified architecturesand how the compiler can generate code that will pass verification.
Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15).
Hardening the Linux kernel is an endless task, with work required onmultiple fronts. Sometimes, that work is not done in the kernel itself;other tools, including compilers, can have a significant role to play. At the 2023 GNU ToolsCauldron, Qing Zhao covered some of the work that has been done in theGCC compiler to help with the hardening of the kernel - along with workthat still needs to be done.
The eBPF in-kernel virtual machine isapproaching its tenth anniversary as part of Linux; it has grown into atool with many types of uses in the ecosystem. Alexei Starovoitov, whowas the creator of eBPF and did much of the development of it, especiallyin the early going, gave the opening talk atLinuxSecurity Summit Europe2023 on the relationship between BPF andsecurity. In it, he related some interesting history, from a somewhatdifferent perspective than what is often described, he said. Among otherthings, it shows how BPFhas been both a security problem and a security solution along the way.
The SteamOS Linuxdistribution is focused on gaming, naturally, but the effort to build ithas resulted in contributions to multiple areas in the Linux ecosystem. Alberto Garciahas been working on SteamOS and came to Bilbao, Spain to describe some of thosecontributions at Open Source Summit Europe2023. There are some obviousareas where a gaming-focused OS might contribute upstream, such asgraphics, but the talk showed contributions in several other areas as well.
Security updates have been issued by Debian (exim4), Fedora (firecracker, rust-aes-gcm, rust-axum, rust-tokio-tungstenite, rust-tungstenite, and rust-warp), Gentoo (nvidia-drivers), Mageia (chromium-browser-stable, glibc, and libwebp), Red Hat (kernel), SUSE (ghostscript and python3), and Ubuntu (firefox, libtommath, libvpx, and thunderbird).
In last week's episode, a need to preemptkernel code that is executing long-running instructions led to a deeperreexamination of how the kernel handles preemption. There are a number ofsupported preemption modes, varying from "none" (kernel code is neverpreemptible) to realtime (where the kernel is almost always preemptible).Making better use of the kernel's preemption machinery looked like apossible solution to the immediate problem, but it seems that there arebetter options in store. In short, kernel developers would like to givethe scheduler complete control over CPU-scheduling decisions.
For those who are curious about the recently concluded Git Contributor'sSummit, Taylor Blau has posted an extensive set of notesfrom the event. Topics include next-generation backends, libification,backward compatibility, project management, and more.
Version 3.12 of the Python programming language has been released. The "What's New In Python 3.12" page has plenty of details. Highlights of the release include isolated subinterpreter support, more improvements to error messages, more flexible f-strings, Linux perf support for profiling, and lots more.
Linus has released 6.6-rc4 for testing."There's nothing particularly odd in here, if you don't count a week ofno networking pull as being odd. That does result in rc4 being fairlysmall, but I suspect we'll just see a bigger rc5 to compensate."
The "Zero Day Initiative" site has posted a number of advisories (1, 2, 3, 4, 5, 6)describing a number of flaws in the Exim mail server, some of which areexploitable remotely. These problems, allegedly, were first reported tothe project in June 2022, well over one year ago. There is somedisagreement over the timing of events, with Exim developer HeikoSchlittermann claimingthat no actual information was received until last May, and an anonymousZDI representative disputingthat story.Either way, the vulnerabilities are now disclosed, but patches are not yeton offer; Schlittermann said that "Fixes are available in a protectedrepository and are ready to be applied by the distributionmaintainers", so hopefully that situation will change soon.
On September 27, 1983, Richard Stallman announced thefounding of the GNU project. His goal, which seemed wildly optimisticand unattainable at the time, was to write a complete Unix-like operatingsystem from the beginningand make it freely available. Exactly 40years later, the GNU projectcelebrated with a hacker meeting inSwitzerland. Your editor had the good fortune to be able to attend.
Security updates have been issued by Debian (firefox-esr, jetty9, and vim), Gentoo (Fish, GMP, libarchive, libsndfile, Pacemaker, and sudo), Oracle (nodejs:16 and nodejs:18), Red Hat (virt:av and virt-devel:av), Slackware (mozilla), SUSE (chromium, firefox, Golang Prometheus, iperf, libqb, and xen), and Ubuntu (linux-raspi).
While the CVE process was created in response to real problems, it's increasingly clear that CVE numbers arecreating problems of their own. At the 2023 GNU Tools Cauldron,Siddhesh Poyarekar expressed the frustration that toolchain developers havefelt as the result of arguing with security researchers about CVE-numberassignments. In response, the GNU toolchain community is trying to bettercharacterize what is - and is not - considered to be a security-relevantbug in its software.
Using larger block sizes in the kernel for I/O is a recurring topic instorage and block-layer circles. The topic came up in discussions at the Linux Storage, Filesystem, Memory-Management and BPF Summit (LSFMM)back in May. One of the participants in those discussions, Hannes Reinecke, gavea talk at Open Source Summit Europe 2023 with an overview of the reasonsbehind using larger blocks for I/O, the current status of that work, andwhere it all might lead from here.
The AI boom is clearly upon us, but there are still plenty of questionsswirling around this technology. Some of those questions are legal onesand there have been lawsuits filed to try to get clarification-and perhapsmonetary damages. Van Lindberg is a lawyer who is well-known in theopen-source world; he came to OpenSource Summit Europe2023 in Bilbao, Spain to try to put the currentwork in AI into its legal context.
Version118.0 of the Firefox browser has been released. Changes includeimproved fingerprinting prevention and automated translation: "Automatedtranslation of web content is now available to Firefox users! Unlikecloud-based alternatives, translation is done locally in Firefox, so thatthe text being translated does not leave your machine."
Security updates have been issued by Debian (exempi, glib2.0, lldpd, and netatalk), Fedora (curl, libppd, and linux-firmware), Oracle (kernel), and SUSE (Cadence, frr, modsecurity, python-CairoSVG, python-GitPython, and tcpreplay).
LWN.net