LWN.net headlines feed
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-14 12:15
Moore: The 2017 Linux Security Summit
Paul Moore has posted his notes from the 2017 Linux Security Summit, held September 14 and 15 in Los Angeles. "LinuxKit was designed to make it easy for people to create their own Linux distribution, with a strong focus on minimal OS installs such as one would use in a container hosting environment. LinuxKit has several features that make it interesting from a security perspective, the most notable being the read-only rootfs which is managed using external tooling. Applications are installed via signed container images."
Security updates for Tuesday
Security updates have been issued by Arch Linux (apache and ettercap), Debian (gdk-pixbuf and newsbeuter), Red Hat (kernel), Slackware (httpd, libgcrypt, and ruby), SUSE (kernel), and Ubuntu (bind9, kernel, libidn2-0, libxml2, linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, linux-lts-trusty, and linux-lts-xenial).
Schaller: Launching Pipewire
Christian Schaller announces Pipewire, a media system that is meant to eventually replace PulseAudio and handle video as well. "Anyway as work progressed Wim decided to also take a look at Jack, as supporting the pro-audio usecase was an area PulseAudio had never tried to do, yet we felt that if we could ensure Pipewire supported the pro-audio usecase in addition to consumer level audio and video it would improve our multimedia infrastructure significantly and ensure pro-audio became a first class citizen on the Linux desktop." A video-only version will be shipping in Fedora 27.
[$] Testing kernels
New kernels are released regularly, but it is not entirely clear how much in-depth testing they are actually getting. Even the mainline kernel may not be getting enough of the right kind of testing. That was the topic for a "birds of a feather" (BoF) meeting at this year's Linux Plumbers Conference (LPC) held in mid-September in Los Angeles, CA. Dhaval Giani and Sasha Levin organized the BoF as a prelude to the Testing and Fuzzing microconference they were leading the next day.
[$] Notes from the LPC scheduler microconference
The scheduler workloads microconference at the 2017 Linux Plumbers Conference covered several aspects of the kernel's CPU scheduler. While workloads were on the agenda, so were a rework of the realtime scheduler's push/pull mechanism, a distinctly different approach to multi-core scheduling, and the use of tracing for workload simulation and analysis. As the following summary shows, CPU scheduling has not yet reached a point where all of the important questions have been answered.
EME is now a W3C recommendation
The World Wide Web Consortium has put out a press release trumpeting its publication of the "Encrypted Media Extensions" as an official recommendation and enshrining DRM into what was previously a standard for open communication. See the EFF's open letter for a less rosy view of this development. "Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they’ll be able to ensure no one ever subjects them to the same innovative pressures."
Robinson: The state of open source accelerated graphics on ARM devices
Peter Robinson looks at the state of open source accelerated graphics on ARM devices. "Despite the two bad examples above there’s actually been a lot of good change in the last five years. We now have a number of options for fully accelerated 2D/3D graphics on ARM SoCs and I run GNOME Shell on Wayland, yes the full open source shiny, on a number of different devices regularly."
Security updates for Monday
Security updates have been issued by Arch Linux (ffmpeg, lib32-libgcrypt, libgcrypt, linux-zen, and newsbeuter), Debian (emacs25, freexl, and tomcat8), Fedora (cyrus-imapd, FlightGear, freexl, gdm, kernel, LibRaw, ruby, and xen), Gentoo (binutils, chkrootkit, curl, gdk-pixbuf, gimps, git, kpathsea, mod_gnutls, perl, squirrelmail, subversion, supervisor, and webkit-gtk), Mageia (389-ds-base, kernel, kernel-linus, kernel-tmb, and mpg123), openSUSE (ffmpeg, ffmpeg2, qemu, and xen), Slackware (kernel), SUSE (xen), and Ubuntu (gdk-pixbuf).
[$] The rest of the 4.14 merge window
As is sometimes his way, Linus Torvalds released 4.14-rc1 and closed the merge window one day earlier than some might have expected. By that time, though, 11,556 non-merge changesets had found their way into the mainline repository, so there is no shortage of material for this release. Around 3,500 of those changes were pulled after the previous 4.14 merge-window summary; read on for an overview of what was in that last set.
Kernel prepatch 4.14-rc1
The 4.14-rc1 kernel prepatch is out, and the merge window is closed for this development cycle. "Yes, I realize this is a day early, and yes, I realize that if I had waited until tomorrow, I would also have hit the 26th anniversary of the Linux-0.01 release, but neither of those undeniable facts made me want to wait with closing the merge window." In the end, 11,556 non-merge changesets were pulled into the mainline for this release.
[$] Building an ARM64 laptop
Processors based on the 64-bit ARM architecture have been finding their way into various types of systems, including mobile handsets and servers. There is a distinct gap in the middle of the range, though: there are no ARM64 laptops. Bernhard Rosenkränzer and a group of colleagues set out to change that situation by building such a laptop from available components. He showed up at the 2017 Open Source Summit North America to present the result.
Malicious software libraries found in PyPI
An advisory from the National Security Authority of Slovakia warns that they have found fake packages in PyPI, posing as well known libraries. "Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code." The administrators of PyPI were informed and the fake packages are gone now; they were, however, available from June 2017 to September 2017. (Thanks to Paul Wise)
Security updates for Friday
Security updates have been issued by Arch Linux (flashplugin, kernel, lib32-flashplugin, and linux-lts), CentOS (postgresql), Debian (tcpdump and wordpress-shibboleth), Fedora (lightdm, python-django, and tomcat), Mageia (flash-player-plugin and libsndfile), openSUSE (chromium, cvs, kernel, and libreoffice), Oracle (postgresql), and Ubuntu (libgcrypt20 and thunderbird).
Purism and KDE to work together on free smartphone
Purism and KDE are working together to adapt Plasma Mobile to Purism's Librem 5 smartphone. "The shared vision of freedom, openness and personal control for end users has brought KDE and Purism together in a common venture. Both organisations agree that cooperating will help bring a truly free and open source smartphone to the market. KDE and Purism will work together to make this happen."
A pile of stable kernel updates
The stable-kernel update train continues with the release of 4.13.2, 4.12.13, 4.9.50, 4.4.88, and 3.18.71. Among other things, these updates contain the fix for the recently disclosed Bluetooth vulnerability.
Security updates for Thursday
Security updates have been issued by Arch Linux (tcpdump), CentOS (bluez and kernel), Debian (wordpress-shibboleth), Fedora (augeas, bluez, emacs, and libwmf), Oracle (kernel), Red Hat (instack-undercloud, kernel, openvswitch, and postgresql), Scientific Linux (postgresql), SUSE (kernel and xen), and Ubuntu (tcpdump).
Verified cryptography for Firefox 57
The Mozilla Security Blog announces that Firefox 57 will benefit from the addition of a formally verified crypto package. "The first result of this collaboration, an implementation of the Curve25519 key establishment algorithm (RFC7748), has just landed in Firefox Nightly. Curve25519 is widely used for key-exchange in TLS, and was recently standardized by the IETF. As an additional bonus, besides being formally verified, the HACL* Curve25519 implementation is also almost 20% faster on 64 bit platforms than the existing NSS implementation (19500 scalar multiplications per second instead of 15100) which represents an improvement in both security and performance to our users."
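The "scalar multiplication" being counted in that benchmark is the X25519 operation of RFC 7748. The following is an added example, not Mozilla's NSS code and not the verified HACL* implementation: it is the RFC's Montgomery ladder written out in plain Python and checked against the RFC's section 6.1 Diffie-Hellman test vector. It also shows why verification matters: Python big-integer arithmetic and the data-dependent swap are not constant-time, one of the properties the verified code guarantees and this one does not.

```python
"""X25519 scalar multiplication (RFC 7748) as a pure-Python Montgomery ladder,
checked against the RFC's Diffie-Hellman test vector.

Added example; it is not Mozilla's NSS code and not the verified HACL*
implementation. Python big-integer arithmetic and the data-dependent swap
below are NOT constant-time, so this is for understanding, not for use.
"""
P = 2**255 - 19          # field prime
A24 = 121665             # (486662 - 2) / 4, the curve constant the ladder needs
BITS = 255
BASE_POINT = bytes([9]) + bytes(31)   # u = 9, little-endian

# RFC 7748 section 6.1 test vector (published constants, not secrets).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def decode_scalar(k):
    """Clamp a 32-byte private key as section 5 requires: clear the low 3 bits
    (multiple of the cofactor 8), clear bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def decode_u(u):
    """Decode a 32-byte u-coordinate, ignoring the unused top bit."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little")


def x25519(k_bytes, u_bytes):
    """Return the u-coordinate of k*P as 32 little-endian bytes."""
    k = decode_scalar(k_bytes)
    x1 = decode_u(u_bytes)
    x2, z2, x3, z3 = 1, 0, x1, 1     # (x2:z2) = 0*P (infinity), (x3:z3) = 1*P
    swap = 0
    for t in range(BITS - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # data-dependent branch: readable, not constant-time
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(priv):
    """Public key = X25519(priv, 9)."""
    return x25519(priv, BASE_POINT)


def shared_secret(priv, peer_pub):
    """Key agreement with the section 6.1 check: an all-zero result means the
    peer sent a low-order point and the 'secret' is attacker-controlled."""
    k = x25519(priv, peer_pub)
    if k == bytes(32):
        raise ValueError("low-order peer public key; abort the handshake")
    return k


if __name__ == "__main__":
    assert public_key(ALICE_PRIV) == ALICE_PUB
    assert shared_secret(ALICE_PRIV, BOB_PUB) == shared_secret(BOB_PRIV, ALICE_PUB) == SHARED
    print("RFC 7748 section 6.1 vector OK:", SHARED.hex())
```

The all-zero check in `shared_secret` is the one practical caveat RFC 7748 itself raises: u = 0 and the other low-order points make the ladder return zero regardless of the private key, so a protocol that derives keys from the raw output without checking lets the peer choose the shared secret.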
[$] LWN.net Weekly Edition for September 14, 2017
The LWN.net Weekly Edition for September 14, 2017 is available.
[$] Antipatterns in IoT security
Security for Internet of Things (IoT) devices has been something of a hot topic over the last year or more. Marti Bolivar presented an overview of some of the antipatterns that are leading to the lack of security for these devices at a session at the 2017 Open Source Summit North America in Los Angeles. He also had some specific recommendations for IoT developers on how to think about these problems and where to turn for help in making security a part of the normal development process.
FSFE: Public Money? Public Code!
The Free Software Foundation Europe has joined several organizations in publishing an open letter urging lawmakers to advance legislation requiring publicly financed software developed for the public sector be made available under a Free and Open Source Software license. "The initial signatories include CCC, EDRi, Free Software Foundation Europe, KDE, Open Knowledge Foundation Germany, openSUSE, Open Source Business Alliance, Open Source Initiative, The Document Foundation, Wikimedia Deutschland, as well as several others; they ask individuals and other organisations to sign the open letter. The open letter will be sent to candidates for the German Parliament election and, during the coming months, until the 2019 EU parliament elections, to other representatives of the EU and EU member states."
GNOME 3.26 released
The GNOME Project has announced the release of GNOME 3.26 "Manchester". "This release brings refinements to the system search, animations for maximizing and unmaximizing windows and support for color Emoji. Improvements to core GNOME applications include a redesigned Settings application, a new display settings panel, Firefox sync in the Web browser, and many more." There are openSUSE nightly live images that include GNOME 3.26.
[$] Signing programs for Linux
At his 2017 Open Source Summit North America talk, Matthew Garrett looked at the state of cryptographic signing and verification of programs for Linux. Allowing policies that would restrict Linux from executing programs that are not signed would provide a measure of security for those systems, but there is work to be done to get there. Garrett started by talking about "binaries", but programs come in other forms (e.g. scripts) so any solution must look beyond simply binary executables.
Security updates for Wednesday
Security updates have been issued by Arch Linux (bluez and linux-hardened), CentOS (bluez and kernel), Debian (bluez, emacs24, tcpdump, and xen), Fedora (kernel and mimedefang), Oracle (bluez and kernel), Red Hat (bluez, flash-plugin, instack-undercloud, kernel, kernel-rt, and openvswitch), Scientific Linux (bluez and kernel), Slackware (emacs and libzip), SUSE (xen), and Ubuntu (bluez and qemu).
[$] Running Android on a mainline graphics stack
The Android system may be based on the Linux kernel, but its developers have famously gone their own way for many other parts of the system. That includes the graphics subsystem, which avoids user-space components like X or Wayland and has special (often binary-only) kernel drivers as well. But that picture may be about to change. As Robert Foss described in his Open Source Summit North America presentation, running Android on the mainline graphics subsystem is becoming possible and brings a number of potential benefits.
Billions of devices imperiled by new clickless Bluetooth attack (ars technica)
Ars technica reports on a set of just-disclosed Bluetooth vulnerabilities in multiple operating systems. "BlueBorne, as the researchers have dubbed their attack, is notable for its unusual reach and effectiveness. Virtually any Android, Linux, or Windows device that hasn't been recently patched and has Bluetooth turned on can be compromised by an attacking device within 32 feet. It doesn't require device users to click on any links, connect to a rogue Bluetooth device, or take any other action, short of leaving Bluetooth on."
Security updates for Tuesday
Security updates have been issued by Debian (icedove), Fedora (file and kernel), Red Hat (chromium-browser, rh-postgresql94-postgresql, and rh-postgresql95-postgresql), and SUSE (qemu).
[$] A different approach to kernel configuration
The kernel's configuration system can be challenging to deal with; Linus Torvalds recently called it "one of the worst parts of the whole project". Thus, anything that might help users with the process of configuring a kernel build would be welcome. A talk by Junghwan Kang at the 2017 Open-Source Summit demonstrated an interesting approach, even if it's not quite ready for prime time yet.
[$] Mongoose OS for IoT prototyping
Mongoose OS is an open-source operating system for tiny embedded systems. It is designed to run on devices such as microcontrollers, which are often constrained with memory on the order of tens of kilobytes, while exposing a programming interface that provides access to modern APIs normally found on more powerful devices. A device running Mongoose OS has access to operating system functionality such as filesystems and networking, plus higher-level software such as a JavaScript engine and cloud access APIs.
LXC 2.1 has been released
The LXC team has announced the release of LXC 2.1. LXC provides a userspace interface for the Linux kernel containment features. New features include resource limit support, support for unprivileged openvswitch networks, a new lxc.cgroup.dir key, support for hybrid cgroup layout, and more.
Security updates for Monday
Security updates have been issued by Debian (freerdp, mbedtls, tiff, and tiff3), Fedora (chromium, krb5, libstaroffice, mbedtls, mingw-libidn2, mingw-openjpeg2, openjpeg2, and rubygems), Mageia (bzr, libarchive, libgcrypt, and tcpdump), openSUSE (gdk-pixbuf, libidn2, mpg123, postgresql94, postgresql96, and xen), Slackware (bash, mariadb, and tcpdump), and SUSE (evince and kernel).
Apache Struts Statement on Equifax Security Breach
The Apache Struts project has put out a statement on the possible role played by a Struts vulnerability in the massive Equifax data breach. "Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here -- we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP. What we saw here is common software engineering business -- people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It's probably fair to say that we met this goal pretty well in case of CVE-2017-9805."
Weekend stable kernel updates
The 4.13.1, 4.12.12, and 4.9.49 stable kernel updates have been released; each contains another set of important fixes. There is no 4.4.x stable update this time around.
[$] The first half of the 4.14 merge window
As of this writing, just over 8,000 non-merge changesets have been pulled into the mainline kernel repository for the 4.14 development cycle. In other words, it looks like the pace is not slowing down for this cycle either. The merge window is not yet done, but quite a few significant changes have been merged so far. Read on for a summary of the most interesting changes entering the mainline in the first half of this merge window.
Security updates for Friday
Security updates have been issued by Debian (icedove, libarchive, and unrar-free), Fedora (thunderbird), openSUSE (kernel), and Ubuntu (file).
[$] LWN.net Weekly Edition for September 8, 2017
The LWN.net Weekly Edition for September 8, 2017 is available.
LLVM 5.0.0 released
Version 5.0.0 of the LLVM compiler infrastructure is out. "This release is the result of the community's work over the past six months, including: C++17 support, co-routines, improved optimizations, new compiler warnings, many bug fixes, and more". See the release notes (and release notes for Clang, Clang tools, lld, and polly) for details.
[$] Finding driver bugs with DR. CHECKER
Drivers are a consistent source of kernel bugs, at least partly due to less review, but also because drivers are typically harder for tools to analyze. A team from the University of California, Santa Barbara has set out to change that with a static-analysis tool called DR. CHECKER. In a paper [PDF] presented at the recent 26th USENIX Security Symposium, the team introduced the tool and the results of running it on nine production Linux kernels. Those results were rather encouraging: "it correctly identified 158 critical zero-day bugs with an overall precision of 78%".
Applications for winter Outreachy internships open
The application for the (northern-hemisphere) Outreachy winter internship cycle is open, with applications due by October 23. "Outreachy is a paid, remote, three-month internship program that helps people traditionally underrepresented in tech make their first contributions to Free and Open Source Software (FOSS) communities."
Stable kernels 4.12.11, 4.9.48, 4.4.87, and 3.18.70
Greg Kroah-Hartman has released the 4.12.11, 4.9.48, 4.4.87, and 3.18.70 stable kernels. As usual, there are fixes throughout the tree and users of those series should upgrade.
[$] The challenges of supporting geolocation in WordPress
As much as we get addicted to mobile phones and online services, nobody (outside of cyberpunk fiction) actually lives online. That's why maps, geolocation services, and geographic information systems (GISes) have come to play a bigger role online. They reflect the way we live, work, travel, socialize, and (in the case of natural or human-made disasters, which come more and more frequently) suffer. Thus there is value in integrating geolocation into existing web sites, but systems like WordPress do not make supporting that easy. The software development firm LuminFire has contributed to the spread of geolocation services by creating a library for WordPress that helps web sites insert geolocation information into web pages. This article describes how LuminFire surmounted the challenges posed by WordPress and shows a few uses for the library.
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium and postgresql), Fedora (gd and mingw-libzip), Mageia (groovy18, libxdmcp, mariadb, and mercurial), openSUSE (salt), Red Hat (instack-undercloud, kernel-rt, openvswitch, and rh-nodejs6-nodejs-qs), and SUSE (gdk-pixbuf).
GnuCOBOL 2.2 released
Version 2.2 of the GNU COBOL compiler is out. Changes include a relicensing to GPLv3, a set of new intrinsic functions, a direct call interface for C functions, and more.
Cook: Security things in Linux v4.13
Kees Cook highlights the security-related changes in the 4.13 kernel. "Daniel Micay created a version of glibc’s FORTIFY_SOURCE compile-time and run-time protection for finding overflows in the common string (e.g. strcpy, strcmp) and memory (e.g. memcpy, memcmp) functions. The idea is that since the compiler already knows the size of many of the buffer arguments used by these functions, it can already build in checks for buffer overflows. When all the sizes are known at compile time, this can actually allow the compiler to fail the build instead of continuing with a proven overflow. When only some of the sizes are known (e.g. destination size is known at compile-time, but source size is only known at run-time) run-time checks are added to catch any cases where an overflow might happen. Adding this found several places where minor leaks were happening, and Daniel and I chased down fixes for them."
[$] Python security transparency
As Steve Dower noted in his lightning talk at the 2017 Python Language Summit, Python itself can be considered a security vulnerability—because of its power, its presence on a target system is a boon to attackers. Now, Dower is trying to address parts of that problem with a Python Enhancement Proposal (PEP) that would enable system administrators and others to detect when Python is being used for a nefarious purpose by increasing the "security transparency" of the language. It is not a solution that truly thwarts an attacker's ability to use Python in an unauthorized way, but will make it easier for administrators to detect, and eventually disable, those kinds of attacks.
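What "security transparency" looks like in practice is a hook the interpreter calls on every security-relevant event, which an administrator can use first to log and later to refuse. The following is an added example, not code from the PEP or from CPython; it assumes Python 3.8 or later, which ships `sys.addaudithook` and the documented audit events (the audit-hook API that eventually landed as PEP 578 grew out of this proposal). The `Auditor` class, its event selection and the constructed source string it compiles are this example's own choices.

```python
"""A runtime audit hook that records, and can refuse, the interpreter events
an administrator would want to see: dynamic code compilation and execution,
file opens and process creation.

Added example, not code from the PEP or from CPython. Assumes Python 3.8 or
later, which ships sys.addaudithook and the documented audit events.
"""
import subprocess
import sys


class Auditor:
    """Append-only log of selected audit events plus an optional deny-set.

    Hooks cannot be removed once installed, so `refused` is the only mutable
    policy: an event named there makes the hook raise, which aborts the
    operation in the caller. The log entry is recorded either way.
    """

    WATCHED = frozenset({"compile", "exec", "open", "subprocess.Popen"})

    def __init__(self):
        self.log = []          # (event, summary) tuples, oldest first
        self.refused = set()   # event names the policy refuses

    def __call__(self, event, args):
        if event not in self.WATCHED:
            return             # cheap early exit; most events are import machinery
        first = args[0] if args else None
        # exec carries a code object; compile/open/Popen carry source/path/executable.
        # Never open files or spawn processes in here, or the hook re-enters itself.
        if event == "exec" and hasattr(first, "co_filename"):
            summary = "%s:%d" % (first.co_filename, first.co_firstlineno)
        else:
            summary = repr(first)[:60]
        self.log.append((event, summary))
        if event in self.refused:
            raise RuntimeError("audit policy refused %s (%s)" % (event, summary))

    def events_during(self, fn):
        """Run fn() and return the watched events it raised, in order."""
        start = len(self.log)
        fn()
        return self.log[start:]

    def is_refused(self, fn):
        """True if the policy aborted fn() via the hook."""
        try:
            fn()
        except RuntimeError as exc:
            return str(exc).startswith("audit policy refused")
        return False


AUDIT = Auditor()
sys.addaudithook(AUDIT)


def compile_and_eval(source):
    """Dynamic code the way a downloader stub runs it: string -> code object -> run."""
    return eval(compile(source, "<constructed>", "eval"))


def spawn_python():
    """Spawn a child interpreter; raises RuntimeError if the policy refuses Popen."""
    return subprocess.Popen([sys.executable, "-c", "pass"]).wait()


if __name__ == "__main__":
    # Log-only mode: the compile and the exec of the constructed string are both recorded.
    print(AUDIT.events_during(lambda: compile_and_eval("1 + 1")))
    # Enforcing mode: process creation is now refused; the caller sees RuntimeError.
    AUDIT.refused.add("subprocess.Popen")
    print("spawn refused:", AUDIT.is_refused(spawn_python))
```

Two properties of the design are worth noting. The hook raises only after appending to the log, so a refused action still leaves a record, and the refusal happens inside the interpreter before the syscall, so the process never reaches the kernel. As the summary above says, this does not stop an attacker who controls the interpreter binary or can load native code; it makes the common case visible.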
Security updates for Wednesday
Security updates have been issued by Debian (file, icedove, irssi, ruby2.3, and tcpdump), Fedora (libzip and openjpeg2), openSUSE (clamav-database, icu, libzypp, zypper, and php5), Oracle (389-ds-base), Red Hat (rh-maven33-groovy), SUSE (postgresql94, postgresql96, and python-pycrypto), and Ubuntu (bzr and libgd2).
[$] A last-minute MMU notifier change
One does not normally expect to see significant changes to an important internal memory-management mechanism in the time between the -rc7 prepatch and the final release for a development cycle, but that is exactly what happened just before 4.13 was released. A regression involving the memory-management unit (MMU) notifier mechanism briefly threatened to delay this release, but a last-minute scramble kept 4.13 on schedule and also resulted in a cleanup of that mechanism. This seems like a good time to look at a mechanism that Linus Torvalds called "a badly designed mistake" and how it was made to be a bit less mistaken.
PulseAudio 11.0 released
Version 11.0 of the PulseAudio sound system has been released. New features include more hardware support, a priority change so that external sound devices are preferred over internal devices, support for operating as a Bluetooth headset device, and the long-awaited GNU Hurd port. See the release notes for details.
Security updates for Tuesday
Security updates have been issued by Debian (asterisk and irssi), Fedora (glibc), Gentoo (mcollective), openSUSE (pspp and wireshark), Red Hat (389-ds-base, docker-distribution, kernel-rt, and qemu-kvm-rhev), Scientific Linux (389-ds-base), SUSE (kernel, libzypp, zypper, and xen), and Ubuntu (fontforge and liblouis).
[$] CPU frequency governors and remote callbacks
The kernel's CPU-frequency ("cpufreq") governors are charged with picking an operating frequency for each processor that minimizes power use while maintaining an adequate level of performance as determined by the current policy. These governors normally run locally, with each CPU handling its own frequency management. The 4.14 kernel release, though, will enable the CPU-frequency governors to control the frequency of any CPU in the system if the architecture permits, a change that should improve the performance of the system overall.
Security updates for Monday
Security updates have been issued by Debian (enigmail, gnupg, libgd2, libidn, libidn2-0, mercurial, and strongswan), Fedora (gd, libidn2, mbedtls, mingw-openjpeg2, openjpeg2, and xen), Mageia (apache-commons-email, botan, iceape, poppler, rt/perl-Encode, samba, and wireshark), and openSUSE (expat, freerdp, git, libzypp, and php7).