LWN.net

Kees Cook is working on a series of patchesfor C structure randomization to improve security in the Linuxkernel. This is an important part of obfuscating the internal binary layoutof a running kernel, making kernel exploits harder. The randstructplugin is a new GCC add-on that lets the compiler randomize the layout of Cstructures. Whenenabled, the plugin will scramble the layout of the kernel structures thatare specifically designated for randomization.

Security updates have been issued by Arch Linux (flashplugin, freetype2, ghostscript, kauth, kdelibs, lib32-flashplugin, lib32-freetype2, lib32-libtirpc, libtirpc, rpcbind, and smb4k), Debian (git, qemu-kvm, and tomcat7), Mageia (feh, kernel, lxterminal, and thunderbird), openSUSE (swftools), and SUSE (flash-player, qemu, and tomcat).

The LWN.net Weekly Edition for May 11, 2017 is available.

GNU Artanis is a web application framework (WAF) written in Guile Schemeand v0.2 is its first stable release. "It is designed to support the development of dynamic websites, web applications, web services and web resources. Artanis provides several tools for web development: database access, templating frameworks, session management, URL-remapping for RESTful, page caching, and so on."

CockroachDB 1.0 has been released. "CockroachDB is a cloud-native SQL database for building global, scalable cloud services that survive disasters. But what does “cloud-native” actually mean? We believe the term implies horizontal scalability, no single points of failure, survivability, automatable operations, and no platform-specific encumbrances.To realize these product goals, development over the past year has focused on three critical areas: distributed SQL to support small and large use cases alike and scale seamlessly between them; multi-active availability for always-consistent high availability; and flexible deployment for automatable operations in virtually any environment."

As of this writing, nearly 12,000 non-merge changesets have been pulledinto the mainline repository for the 4.12 development cycle. About 7,500of these have been pulled since the first 4.12merge-window summary. Read on for an overview of what has been mergedin the last week.

At the 2017 FreeSoftware Legal and Licensing Workshop (LLW), Max Mehl presented someconcerns about EUradio equipment directive (RED) that was issued in 2014. The worry isthat the directive will lead device makers to lock down their hardware,which will preclude users from installing alternative free software onit. The problem is reminiscent of a similarsituation in the US, but that one has seemingly been resolved in favor of users—at least for now.

The latest feature release Git v2.13.0 is now available. "It iscomprised of 729 non-merge commits since v2.12.0, contributed by 65 people,15 of which are new faces. This release also contains the security patch in v2.12.3 andothers to fix CVE-2017-8386." The release notes are in theannouncement.Maintenance releases Git 2.4.12, 2.5.6, 2.6.7, 2.7.5, 2.8.5, 2.9.4, 2.10.3,2.11.2, and 2.12.3 are also available.

The Project Zero site has adetailed exploration of how to exploit CVE-2017-7308, a vulnerabilityin the kernel's packet socket implementation."Let’s see how we can exploit this vulnerability. I’m going to betargeting x86-64 Ubuntu 16.04.2 with 4.8.0-41-generic kernel version withKASLR, SMEP and SMAP enabled. Ubuntu kernel has user namespaces availableto unprivileged users (CONFIG_USER_NS=y and no restrictions on [its] usage),so the bug can be exploited to gain root privileges by an unprivilegeduser. All of the exploitation steps below are performed from within a usernamespace."

Security updates have been issued by CentOS (bind, java-1.7.0-openjdk, qemu-kvm, and thunderbird), Debian (git, libtirpc, lxterminal, radicale, rpcbind, and xen), Fedora (batik, java-1.8.0-openjdk-aarch32, kernel, pcre, and weechat), Gentoo (ffmpeg, firefox, libav, and thunderbird), Red Hat (flash-plugin, jasper, java-1.6.0-ibm, java-1.7.1-ibm, java-1.8.0-ibm, and qemu-kvm), Scientific Linux (jasper and qemu-kvm), and Ubuntu (apache2, batik, fop, freetype, and rtmpdump).

Brendan Gregg assertsthat CPU utilization is the wrong metric to be looking at when tuning asystem. Much of the time when the CPU appears to be busy, it's actually just waiting formemory. "The key metric here is instructions per cycle (insns per cycle:IPC), which shows on average how many instructions we were completed foreach CPU clock cycle. The higher, the better (a simplification). The aboveexample of 0.78 sounds not bad (78% busy?) until you realize that thisprocessor's top speed is an IPC of 4.0. This is also known as 4-wide,referring to the instruction fetch/decode path. Which means, the CPU canretire (complete) four instructions with every clock cycle. So an IPC of0.78 on a 4-wide system, means the CPUs are running at 19.5% their topspeed. The new Intel Skylake processors are 5-wide."

The archaeological evidence is murky, but it would appear that the kernel'sset_fs() function was added in November 1991 by a certain TedTs'o; it was in the 0.10 release. It is, thus, one of the oldest APIsfound within the kernel itself. Careless use of set_fs() hasalways been an easy way to create security bugs; a recent attempt to makethese bugs harder to exploit may instead result in this function being removedaltogether.

Cinnamon 3.4 has been released.This version includes support for mozjs38, support for additional Wacomdevices, a multi-process Settings Daemon, a cleaner session EXIT phase,separate processes for Nemo and desktop handling, and more. "On the spices side of things, the maintenance was moved to Github and the Cinnamon team is now actively involved in the debugging of applets, desklets, extensions and themes. Support for Cinnamon 3.4 changes is added by the team itself."

LWN recently covered a conference sessionon the OpenChain project and its recently released v1.1specification [PDF]. The talk, however, was remarkably short ondetails on what is actually in that specification. Perhaps most LWNreaders were content with that state of affairs, but your editor decided totake a closer look.

The Amnesic Incognito Live System (Tails) has adopteda SocialContract, based on the Debian Social Contract and the Tor SocialContract. "We believe that privacy, the free exchange of ideas, and equal access to information are essential to free and open societies. Through our community standards and the tools we create, we provide means that empower all people to protect and advance these ideals."

Security updates have been issued by Debian (libtirpc and libytnef), Fedora (python-fedora, roundcubemail, and tnef), Mageia (ntp and virtualbox), openSUSE (dpkg, ghostscript, kernel, libressl, mysql-community-server, quagga, tcpdump, libpcap, xen, and zziplib), Red Hat (java-1.7.0-openjdk), Scientific Linux (java-1.7.0-openjdk), and SUSE (samba).

The Thunderbird email client project has announcedthe results of its long deliberation on its future. The project willremain with Mozilla administratively, but will move to its owninfrastructure. "Thus, much has changed since 2015 – we were able toestablish a financial home at the Mozilla Foundation, we are successfullycollecting donations from our users, and the first steps of migratinginfrastructure have been taken. We started questioning the usefulness ofmoving elsewhere, organizationally. While Mozilla wants to be laser-focusedon the success of Firefox, in recent discussions it was clear that theycontinue to have a strong desire to see Thunderbird succeed. In many ways,there is more need for independent and secure email than ever. As long asThunderbird doesn’t slow down the progress of Firefox, there seems to be nosignificant obstacles for continued co-existence."

Google Open Source Blog takesa look at the progress made by the OSS-Fuzz project. "OSS-Fuzzhas found numerous security vulnerabilities in several critical open sourceprojects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3,10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark, etc. We’ve alsohad at least one bug collision with another independent security researcher(CVE-2017-2801). (Some of the bugs are still view restricted so links mayshow smaller numbers.)" LWN coveredOSS-Fuzz last January.

The supply chain in the open-source world is lengthy and global; it alsosuffers from compliance problems with the GPL and other licenses. The OpenChain project was createdto help the companies in the supply chain with their compliance. At the2017 FreeSoftware Legal and Licensing Workshop (LLW), OpenChain program managerShane Coughlan described the project, some of its history, the releaseof version 1.1 of its specification, and more.

The deadline for submitting refereed track proposals for the 2017Linux Plumbers Conference (LPC) has been extended until May 13."The refereed track will have 50-minutepresentations on a specific aspect of Linux "plumbing" (e.g. corelibraries, media creation/playback, display managers, init systems,kernel APIs/ABIs, etc.) that are chosen by the LPC committee to begiven during all three days of the conference." LPC will be heldSeptember 13-15 in Los Angeles, CA.

The Debian Project has announced the release of Debian 8.8, the eighthupdate to its stable release Debian 8 "jessie". "This update mainlyadds corrections for security problems to the stable release, along witha few adjustments for serious problems. Security advisories were alreadypublished separately and are referenced where available."

Stable kernels 4.10.15, 4.9.27, 4.4.67, and 3.18.52 have been released. All of themcontain important fixes and users should upgrade.

Security updates have been issued by Debian (freetype, ghostscript, and roundcube), Fedora (bind99, freetype, ghostscript, icu, thunderbird, and wireshark), Gentoo (chromium, libevent, nss, and oracle-jre-bin), Mageia (audiofile, ettercap, ghostscript, libarchive, and libsamplerate), openSUSE (Chromium and thunderbird), Red Hat (bind and thunderbird), and Scientific Linux (bind and thunderbird).

It appears that the OpenWRT and LEDE communities are about to vote on aproposal covering many of the details behind merging the two projects(which forked one year ago) backtogether. The plan appears to be to go forward with the OpenWRT name, butwith the LEDE repository; domain names would be transferred to SPI.

The Android/Mobile microconference has been accepted for this year's Linux Plumbers Conference (LPC), which will be held in Los Angeles, CA, US on 13-15 September inconjunction with The Linux Foundation Open Source Summit. "Android continues to find interesting new applications and problemsto solve, both within and outside the mobile arena. Mainliningcontinues to be an area of focus, as do a number of areas of coreAndroid functionality, including the kernel. Other areas where thereis ongoing work include eBPF, Lowmemory alternatives, the Androidemulator, and SDCardFS."

Security updates have been issued by Fedora (kernel, libnl3, and log4j), openSUSE (GraphicsMagick), SUSE (kernel), and Ubuntu (shadow).

KDE e.V., which is the non-profit organization that represents the KDE community has put out its report for 2016, which was announced on KDE.News. "The KDE e.V. community report for 2016 is now available. After the introductory statement from the Board, you can read a featured article about the 20th anniversary of KDE, and an overview of all developer sprints and conferences supported by KDE e.V. The report includes statements from our Working Groups, development highlights for 2016, and some information about the current structure of KDE e.V."

On April 26, the grsecurity project announced thatit was withdrawing public access to its kernel-hardening patch sets;henceforth, they will be available only to paying customers of Open SourceSecurity, Inc., the company behind this work. This move hasyielded quite a bit of discussion and no small amount of recrimination. Itis not clear, though, that the right conclusions are being drawn from thischange.

The 1.12 release of the GStreamer multimedia framework is out. It contains many new features and bug fixes. New features include support for Intel's Media SDK for hardware-accelerated video encoding and decoding, multi-threaded video scaling and conversion, x264 can encode multiple bit depths transparently, multiple new video formats are supported, and so on. "More than 635 bugs have been fixed during the development of 1.12.This list does not include issues that have been cherry-picked into the stable 1.10 branch and fixed there as well, all fixes that ended up in the 1.10 branch are also included in 1.12.This list also does not include issues that have been fixed without a bug report in bugzilla, so the actual number of fixes is much higher."

Security updates have been issued by Arch Linux (chromium), Debian (tiff), Mageia (minicom), and SUSE (firefox, mozilla-nss, mozilla-nspr).

The LWN.net Weekly Edition for May 4, 2017 is available.

Machinelearning is a technique that has taken the computing world by stormover the last few years. As Luis Villa discussed in his2017 FreeSoftware Legal and Licensing Workshop (LLW) talk, there are legalimplications that need to be considered, especially with regard to the datasets that are used by machine-learning systems. The talk, which wasnot under theChatham HouseRule default for the workshop, also provided a simplifiedintroduction to machine learning geared toward a legal audience.

The 4.12 merge window opened on May 1; as of this writing, just over4,300 non-merge changesets have been pulled into the mainline repository.Though things are just beginning, it has the look of yet another busydevelopment cycle for the kernel community. Thus far, the bulk of thechanges merged have been in the block I/O and networking areas.

Kees Cook has done his usual roundup of new security features, this time for the 4.11 kernel. It lists seven different features and fixes with security implications, including: "A common way attackers use to escape confinement is by rewriting the user-mode helper sysctls (e.g. /proc/sys/kernel/modprobe) to run something of their choosing in the init namespace. To reduce attack surface within the kernel, Greg KH introduced CONFIG_STATIC_USERMODEHELPER, which switches all user-mode helper binaries to a single read-only path (which defaults to /sbin/usermode-helper). Userspace will need to support this with a new helper tool that can demultiplex the kernel request to a set of known binaries."

In his talk at FOSDEM 2017,Georg Greve mentioned that every recent Intel CPU contains asecond, internal CPU that you cannot audit but which can take over yourmachine. His contention was that this could be used to do bad thingswithout your consent if it turned out to be treacherous or buggy.As of May 1, 2017, the latter prediction turned out to beworryingly prescient.

Greg Kroah-Hartman has released stable kernels 4.10.14, 4.9.26, and 4.4.66. They all contain important fixes andusers should upgrade.

Security updates have been issued by Debian (libxstream-java, mysql-connector-java, tomcat7, and tomcat8), Fedora (log4j), Mageia (texlive), openSUSE (weechat), SUSE (ghostscript-library, graphite2, and xen), and Ubuntu (icu and libreoffice).

The first Operating-System-DirectedPower-Management (OSPM) Summit took place at the ReTiS Lab of the Scuola Superiore Sant'Anna in Pisa on April 3 and 4, 2017.This summit was organized as a collection of collaborative sessionsfocused on trying to improve how operating-system-directed powermanagement and the kernel's task scheduler can work togetherto achieve the goal of reducing energy consumption while still meetingperformance and latency requirements. This subject is receiving greatinterest, not least since the advent of energy-aware scheduling (EAS) andheterogeneous CPU designs.

Ivana Isadora Devcic takesa look at the recently released KDE Applications 17.04 and Plasma5.9.5. In file management there have been improvements to the Dolphin filemanager, the Okular PDF viewer, and the archiving tool Ark. The videoeditor Kdenlive has seen the biggest improvements among multimediaapplications. Several educational applications have also seensome changes. "The most obvious changes introduced in Plasma 5.9.5 are related to window decorations and other visual tweaks. Themes in the System Settings module are now sorted, Plastik window decoration supports the global menu, and Aurorae window decorations support the global menu button. KWin will respect theme colors in buttons, and you will be able to edit the default color scheme of your Plasma Desktop."

At the 2017 FreeSoftware Legal and Licensing Workshop (LLW), which was held April 26-28in Barcelona, Spain, more information about the GPL enforcement efforts by Patrick McHardyemerged. The workshop is organized by the Free Software Foundation Europe(FSFE) and its legalnetwork.A panel discussion on the final day of the workshop discussedMcHardy's methodology and outlined why those efforts are actually far fromthe worst-case scenario of a copyright troll. While the Q&A portion of thediscussion was under Chatham HouseRule (which was the default for the workshop), the discussion betweenthe three participants was not—it provided much more detail about McHardy's efforts, andcopyright trolling in general, than has been previously available publicly.

GNU Compiler Collection 7.1 has been released, 30 years after the 1.0release. "This release features various improvements in the emitteddiagnostics, including improved locations, location ranges, suggestions formisspelled identifiers, option names, fix-it hints and various new warningshave been added." There is also experimental support for all of thecurrent C++17 draft, improved optimizers, and more. (LWN previewed the 7.1 release in early April.)

Security updates have been issued by Fedora (bouncycastle, drupal8, and kernel), Mageia (389-ds-base, freetype2, libxslt, openjpeg, python-lshell, and squirrelmail), openSUSE (feh, kernel, and virtualbox), and Slackware (rxvt).

The fears of vulnerabilities lurking in Intel's "management engine"technology have just shown some validity: Intel has announceda remotely exploitable vulnerability in it's "active management technology"engine. "There is an escalation of privilege vulnerability in IntelActive Management Technology (AMT), Intel Standard Manageability (ISM),and Intel Small Business Technology versions firmware versions 6.x, 7.x,8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attackerto gain control of the manageability features provided by these products.This vulnerability does not exist on Intel-based consumer PCs."See Matthew Garrett'swriteup for a more comprehensible summary of what is known at this time.

Support for Ubuntu 12.04 (Precise Pangolin) is at an end. There will be nomore updates as of April 28, 2017. "The supported upgrade path fromUbuntu 12.04 is via Ubuntu 14.04. Users are encouraged to evaluate andupgrade to our latest 16.04 LTS release via 14.04."

Stable kernels 4.4.65 and 3.18.51 have been released. Both of themcontain important fixes and users should upgrade.

Security updates have been issued by Arch Linux (bind, curl, and dovecot), Debian (batik, fop, freetype, kedpm, libpodofo, libsndfile, libxstream-java, partclone, and tomcat7), Fedora (ansible, community-mysql, java-1.8.0-openjdk, and yara), Mageia (java-1.8.0-openjdk and xstream), openSUSE (libosip2 and ruby2.1), Oracle (kernel and nss), and SUSE (ghostscript, kvm, and mysql).

Rockbox is a replacement firmware for anumber of digital audio players. The project seemed to have faded awayalong with much of the audio-player market in general, but Rockbox is nowback with the release of version3.14. "Over 4 years have passed since the last release, and inthat time we've been busy adding features and fixing bugs to give you thebest Rockbox experience yet on the widest range of targets ever."Support for a number of devices has been added, performance and batterylife has been improved, and a number of features have been added; see theannouncement for details.

The 4.11 kernel has been released."So after that extra week with an rc8, things were pretty calm, and I'mmuch happier releasing a final 4.11 now."Some headline features in 4.11 include:a new perf ftrace commandrestarting the work of better integrating the perf and ftrace subsystems,I/O scheduling support for the multiqueue block subsystem,journaling for device-mapper RAID 4/5/6 volumes,SipHash support,some swapping scalability improvements,a new LZ4 compression implementation,the new statx() system call,and more. As always, see the KernelNewbies 4.11 pagefor lots of details.

Xda developers looksat improvements coming to the F-Droid repository of free/open sourceapps for Android. The next version of F-Droid will have screenshot andfeature graphics, bulk download and install, improved notifications fordownloads and pending updates, and the ability to translate apps metadata."F-Droid is conducting further field tests to ensure that usabilityissues with the new design are identified and resolved before the alphareleases for v0.103 is rolled out to the public. The team is also inviting feedback and suggestions to further improve the client. Additionally, the team mentions that this is one of the many improvements happening to the broader F-Droid ecosystem in 2017, and there’s more to come."

Security updates have been issued by Arch Linux (jenkins, libtiff, and webkit2gtk), Debian (ghostscript, kernel, and libreoffice), Fedora (dovecot, kernel, and tomcat), Mageia (firefox and tomcat), openSUSE (backintime and ffmpeg), and Ubuntu (ghostscript, libxslt, and nss).