Over on his blog, kernel security developer Kees Cook has a description of live patching the kernel to disable the kexec system call in older kernels. The idea is to be able to turn off kexec without rebuilding the older kernels (future kernels may be able to use the proposed /proc/sys/kernel/kexec_disabled). He examines several possible routes (ksplice, systemtap) before deciding on a more direct approach. “So, finally, I decided to just do it by hand, and wrote a friendly kernel rootkit. Instead of dealing with flipping page table permissions on the normally-unwritable kernel code memory, I borrowed from PaX’s KERNEXEC feature, and just turn off write protect checking on the CPU briefly to make the changes.”
TorrentFreak writes about a potentially troubling court decision in Germany. A company called Appwork has been threatened with a large fine for functionality committed to its open-source downloader (JDownloader2) repository by a non-employee: ““In our case, even when we didn’t even know about the functionality, which was part of an open source binary one of our open source developers used (rtmpdump), we were held liable anyway. Not from the moment on that we got notified about it, but even before,” he [Alex from Appwork] explains.
“This means that if any company or individual wants to use an open (or closed) source binary (commercial or not), they are liable for it if it contains any illegal functions. This practically means they are obligated to check every single line of code, which is almost impossible for smaller projects.”” (Thanks to Martin Jeppesen.)
After taking a few days to eat too much over the US Thanksgiving holiday, it seemed time to clear the decks for next week by putting out the security advisories that had accumulated over the four days.
Fedora has updated kernel (F18: denial of service).
Gentoo has updated cpio (code execution from 2010), namazu (multiple vulnerabilities from 2009 and 2011), okular (code execution from 2010), perl (multiple vulnerabilities from 2008-2011), rssh (two command injections from 2012), and unbound (two denial of service flaws from 2011).
Mageia has updated 389-ds-base (denial of service), busybox (privilege escalation), drupal (multiple vulnerabilities), ganglia-web (cross-site scripting), gnutls (code execution), graphicsmagick (denial of service), moodle (multiple vulnerabilities), polarssl (insecure private key), quassel (information leak), and subversion (two vulnerabilities).
openSUSE has updated seamonkey (12.3: multiple vulnerabilities), chromium (12.2; 12.3: multiple vulnerabilities), librsvg (12.x: denial of service), nginx (11.4: security restriction bypass), nginx-1.0 (12.2: security restriction bypass), and samba (11.4; 12.x: access restriction bypass).
Oracle has updated evolution (OL6: encrypt to unintended recipient), kernel (OL6: multiple vulnerabilities), kernel (OL6; OL5; OL6; OL5: multiple vulnerabilities), libguestfs (OL6: insecure tmp directory usage), openssh (OL6: denial of service from 2010), python (OL6: man-in-the-middle spoofing vulnerability), qemu-kvm (OL6: multiple vulnerabilities, one from 2012), ruby (OL6: code execution), and xorg-x11-server (OL6: two vulnerabilities).
Ubuntu has updated ruby1.8 and ruby1.9.1 (two vulnerabilities).
On his blog, KDE hacker Aaron Seigo introduces Improv, the first hardware product from the Make•Play•Live community. Improv is a $75 development board, with some fairly beefy specs and running Mer OS, that will be shipping in January. It consists of two separate boards, the CPU card and the feature board, with the latter being an open hardware device. “The hardware of Improv is extremely capable: a dual-core ARM® Cortex™-A7 System on Chip (SoC) running at 1Ghz, 1 GB of RAM, 4 GB of on-board NAND flash and a powerful OpenGL ES GPU. To access all of this hardware goodness there are a variety of ports: 2 USB2 ports (one fullsize host, one micro OTG), SD card reader, HDMI, ethernet (10/100, though the feature card has a Gigabit connector; more on that below), SATA, i2c, VGA/TTL and 8 GPIO pins. The entire device weighs less than 100 grams, is passively cooled and fits in your hand.”
Gentoo has updated qtcore (two vulnerabilities, one from 2011).
Mandriva has updated samba (BS1: file restriction bypass).
Ubuntu has updated openjdk-6 (10.04, 12.04: multiple vulnerabilities).
Linux.com profiles Eduard Bachmakov, a Google Summer of Code student who worked on static analysis for the Linux kernel. “Much work toward creating a static analyzer for the Linux kernel had already been done as part of the LLVM project. One of the goals of Bachmakov’s internship was to demonstrate how the analyzer works through a tool that traces where errors come from and creates a report. (See an example of his checker tool, here.) He also set out to make a selection of checkers that make sense within the kernel.
“A lot (of checks) while technically correct, don’t apply. Many checks are just omitted because it’s understood that this would never happen,” Bachmakov said. “These are issues that can’t be read from the code. These are things you have to know, so there were a lot of false positives.””
Red Hat has announced the release of Enterprise Linux 6.5 (RHEL 6.5). The release has new features in multiple areas, including security, networking, virtualization, and more. “As application deployment options grow, portability becomes increasingly important. Red Hat Enterprise Linux 6.5 enables customers to deploy application images in containers created using Docker in their environment of choice: physical, virtual, or cloud. Docker is an open source project to package and run lightweight, self-sufficient containers; containers save developers time by eliminating integration and infrastructure design tasks.”
Debian has updated curl (regression in previous security fix).
Fedora has updated bip (F19; F18: denial of service), drupal7-context (F19; F18: ), openstack-glance (F19: information leak), samba (F19: access restriction bypass), and xen (F19; F18: denial of service).
Mageia has updated curl (unchecked certificate host name), firefox, rootcerts, nspr & nss (multiple vulnerabilities), iceape (multiple vulnerabilities), krb5 (M3; M2: denial of service), libjpeg (two vulnerabilities), lighttpd (three vulnerabilities), pmake (insecure tmp file usage), poppler (two vulnerabilities), and python-scipy (insecure tmp directory).
Mandriva has updated curl (unchecked certificate host name), firefox (ES5: multiple vulnerabilities), java-1.6.0-openjdk (ES5: multiple vulnerabilities), java-1.7.0-openjdk (BS1: multiple vulnerabilities), krb5 (denial of service), libjpeg (ES5; BS1: multiple vulnerabilities), lighttpd (BS1: three vulnerabilities), nss (BS1: multiple vulnerabilities), pmake (BS1: insecure tmp file usage), poppler (BS1: two vulnerabilities), and torque (BS1: code execution).
Red Hat has updated 389-ds-base (RHEL6: denial of service), augeas (RHEL6: file overwrite and information leak), busybox (RHEL6: privilege escalation), coreutils (RHEL6: three vulnerabilities), dracut (RHEL6: information disclosure from 2012), evolution (RHEL6: encrypt email to unintended recipient), glibc (RHEL6: three vulnerabilities), kernel (RHEL6: multiple vulnerabilities), libguestfs (RHEL6: insecure tmp directory), luci (RHEL6: two vulnerabilities), openssh (RHEL6: denial of service from 2010), pacemaker (RHEL6: denial of service), php (RHEL6: three vulnerabilities, one from 2006), python (RHEL6: certificate checking botch), qemu-kvm (RHEL6: privilege escalation), RDMA stack (RHEL6: two vulnerabilities, one from 2012), samba (RHEL6: three vulnerabilities), samba4 (RHEL6: denial of service), sudo (RHEL6: three privilege escalation flaws), wireshark (RHEL6: a ton of vulnerabilities, some going back to 2012), and xorg-x11-server (RHEL6: information leak).
Ubuntu has updated thunderbird
The Google Open Source Blog has announced the release of Dart SDK 1.0. Dart is a language targeted at building web applications that was announced in October 2011. The 1.0 SDK release indicates that Dart is production-ready for web developers. “The Dart SDK 1.0 includes everything you need to write structured web applications: a simple yet powerful programming language, robust tools, and comprehensive core libraries. Together, these pieces can help make your development workflow simpler, faster, and more scalable as your projects grow from a few scripts to full-fledged web applications.”
Over at opensource.com, SELinux hacker Dan Walsh describes SELinux policy enforcement using dogs and cats. It has lots of cute cartoons (by Máirín Duffy) of the interaction between various types of dogs, a cat, food meant for each, and Tux as an enforcer of the food policies. It looks at type enforcement (TE), multi-category security (MCS), and multi-level security (MLS) using dog/cat analogies as well as relating them to the “real world”. “SELinux is a labeling system. Every process has a label. Every file/directory object in the operating system has a label. Even network ports, devices, and potentially hostnames have labels assigned to them. We write rules to control the access of a process label to an object label like a file. We call this policy. The kernel enforces the rules.”
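As an added illustration (not code from Walsh's post or from the SELinux project), here is a small Python model of how a labeled process and a labeled object are checked under type enforcement and MCS: the dog/cat types, the allow rules and the category numbers are constructed for the analogy.

```python
# Added example: a toy model of an SELinux access decision that combines
# type enforcement (TE) with multi-category security (MCS). Types, rules
# and category numbers are constructed for the dog/cat analogy.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    type: str                               # TE type, e.g. "dog_t"
    categories: frozenset = frozenset()     # MCS categories, e.g. {1}


# TE policy: (subject type, object type, object class) -> permitted operations.
# Constructed: dogs may eat dog food and cats may eat cat food, nothing else.
ALLOW_RULES = {
    ("dog_t", "dog_chow_t", "file"): {"open", "read"},
    ("cat_t", "cat_chow_t", "file"): {"open", "read"},
}


def te_allows(subject: Label, obj: Label, cls: str, perm: str) -> bool:
    """Type enforcement is default-deny: access needs a matching allow rule."""
    return perm in ALLOW_RULES.get((subject.type, obj.type, cls), set())


def mcs_allows(subject: Label, obj: Label) -> bool:
    """MCS dominance: the process must hold every category the object carries.
    An object with no categories is reachable from any process of the right type."""
    return obj.categories <= subject.categories


def access_allowed(subject: Label, obj: Label, cls: str, perm: str) -> bool:
    """Both layers must agree; a denial by either one is final."""
    return te_allows(subject, obj, cls, perm) and mcs_allows(subject, obj)


def explain(subject: Label, obj: Label, cls: str, perm: str) -> str:
    """Return a short reason for the decision, in the spirit of an AVC message."""
    if not te_allows(subject, obj, cls, perm):
        return f"denied {perm} on {cls}: no allow rule {subject.type} -> {obj.type}"
    if not mcs_allows(subject, obj):
        return f"denied {perm} on {cls}: categories {sorted(obj.categories)} not dominated"
    return f"granted {perm} on {cls}"


if __name__ == "__main__":
    greyhound = Label("dog_t", frozenset({1}))   # a dog in category 1
    chihuahua = Label("dog_t", frozenset({2}))   # same type, category 2
    cat = Label("cat_t")
    greyhound_food = Label("dog_chow_t", frozenset({1}))
    print(explain(greyhound, greyhound_food, "file", "read"))   # granted (TE and MCS)
    print(explain(chihuahua, greyhound_food, "file", "read"))   # MCS denial, same type
    print(explain(cat, greyhound_food, "file", "read"))         # TE denial, no rule
```

The second case is the point MCS adds on top of TE: two processes of the same type are still kept apart by their categories.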
CIO has a summary of open source options for business software. It is a bit thin (and annoyingly broken up over multiple pages—the printable version is better), but it does cover many of the categories of business software that small businesses are likely to be interested in. Each category offers a few different options for open source solutions. “Even if you want to stick with a closed source operating system (or, the case of OS X, partially closed source), your business can still take advantage of a vast amount of open source software. The most attractive benefit of doing so: It’s generally available to download and run for nothing. While support usually isn’t available for such free software, it’s frequently offered at an additional cost by the author or a third party. It may be included in a low-cost commercially licensed version as well.”
Fedora has updated python-glanceclient (F19: missing certificate check).
SUSE has updated IBM Java 5 (SLE10SP3, SLE10SP4: multiple vulnerabilities).
The latest version of the Slackware Linux distribution, version 14.1, has been released. It comes with the 3.10.17 kernel, GNU libc 2.17, X.Org X11R7.7, GCC 4.8.2, LLVM and Clang, and more. “Slackware 14.1 brings many updates and enhancements, among which you’ll find two of the most advanced desktop environments available today: Xfce 4.10.1, a fast and lightweight but visually appealing and easy to use desktop environment, and KDE 4.10.5, a recent stable release of the 4.10.x series of the award-winning KDE desktop environment. These desktops utilize udev, udisks, and udisks2, and many of the specifications from freedesktop.org which allow the system administrator to grant use of various hardware devices according to users’ group membership so that they will be able to use items such as USB flash sticks, USB cameras that appear like USB storage, portable hard drives, CD and DVD media, MP3 players, and more, all without requiring sudo, the mount or umount command.” (Thanks to Jean-Francois L. Blavier.)
CentOS has updated Xen4CentOS kernel (multiple vulnerabilities).
SUSE has updated vino (SLE11SP3: denial of service).
Ubuntu has updated maas (two
The future of the realtime (aka PREEMPT_RT) kernel patch set was on the agenda for the Realtime Linux minisummit—as usual—but this year’s edition had a bit more urgency than in years past. It is clear that Thomas Gleixner, who is doing most of the development work on the patch set, is concerned about the future of the remaining pieces. There appears to be minimal interest in furthering the development of realtime Linux outside of its main sponsor, Red Hat, and that may not be a sustainable model, he reported to both the minisummit and the concurrent 15th Real Time Linux
The final day of LinuxCon Europe had some of the only content that was focused on the largely European audience at the conference. Mikko Hypponen, chief research officer at F-Secure, gave a talk about living in a surveillance state, with an unmistakable slant toward Europe and the rest of the world outside of the
Click below (subscribers only) for the full report from LinuxCon Europe 2013.
Version 1.3 of the Wayland protocol and Weston reference compositor have been released. In the release announcement, Kristian Høgsberg says that there isn’t much that’s new in the Wayland release, which is a sign of its maturation: new pixel format support, additional documentation, language binding support, a few bug fixes, and more. This cycle for Weston was more active, with the addition of hardware-accelerated screen capture, libhybris support, support for multiple input devices of the same type, better touch support, new launching options, and more. “We’re going to try something new for 1.4 – we’ll do an alpha release a month before the scheduled release. I’m looking at Jan 15, 2014 as the release date for 1.4.0, and we’ll do an alpha release on Dec 16. The motivation here is to get a snapshot out a bit earlier so we can start testing earlier and hopefully uncover bugs earlier.”
Oracle has updated libtar (OL6:
Red Hat has updated libtar (RHEL6: code execution).
Scientific Linux has updated ccid (SL5: code execution from 2010), glibc (SL5: code execution), libtar (SL6: code execution), php53 (SL5: multiple vulnerabilities going back to 2006), samba3x (SL5: multiple vulnerabilities), sssd (SL5: denial of service), and sudo (SL5: three privilege escalations).
Google is now offering between $500 and $3,133.7 for security improvements to core free software. That includes projects like OpenSSH, OpenSSL, BIND, libjpeg, Blink, Chromium, the Linux kernel, and more. Expansion into toolchains, web servers, SMTP servers, and VPN is planned. Patches should be submitted to the upstream project and, once they are merged, to Google for evaluation. The official rules have more details. “So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR – we want to help!”
Debian has updated nas (multiple vulnerabilities).
Mageia has updated gnupg (denial of service), gnupg2 (multiple vulnerabilities), libraw (two denial of service flaws), nas (multiple vulnerabilities), ruby-RubyGems (two denial of service flaws), ssmtp (man-in-the-middle vulnerability), vino (denial of service), and xinetd (privilege escalation).
Ars technica covers Intel’s announcement of the Galileo development board, which contains a Quark 32-bit x86 CPU and is targeted at the “Internet of Things”. It was designed in conjunction with Arduino and has connections for existing Arduino “shields” in addition to USB, Ethernet, RS-232 serial, and PCIe. “Intel will be donating 50,000 Galileo boards to universities around the world as part of the collaboration, and it will be available to hobbyists for $60 or less by November 29. That price makes Galileo quite competitive with existing Arduino boards, most of which aren’t as feature complete. Intel promises full compatibility with Arduino software and existing hardware, which could make this a very attractive board for complex projects.” Galileo is also open hardware, with schematics and other information available at its home page.
Fedora has updated kernel (F18: random number reuse in ansi_cprng).
Mandriva has updated proftpd (BS1.0, ES5.0: denial of service).
Oracle has updated ccid (OL5: code execution), kernel (OL5; OL6: denial of service), php53 (OL5: multiple vulnerabilities), sudo (OL5: three privilege escalation flaws), and xinetd (OL5: information leak).
Red Hat has discontinued updates for acroread because Adobe has stopped updating it. The “update” will disable the web browser plugin.
SUSE has updated icedtea-web (SLE11 SP2, SP3: two code execution flaws).
David Safford’s talk for the 2013 Linux Security Summit was in two parts—with two separate sets of slides. That’s because the US Department of Homeland Security (DHS), which sponsored IBM’s work on hardware roots of trust for embedded devices—part one of the talk—was quite clear that it didn’t want to be associated with any kind of device cracking. So part two, which concerned circumventing “verified boot” on a Samsung ARM Chromebook, had to be a completely separate talk. The DHS’s misgivings notwithstanding, the two topics are clearly related; understanding both leads to a clearer picture of the security of our devices.
Subscribers can get the full report on the talk from this week’s Security page.
On his blog, Boudewijn Rempt has an interesting walk down memory lane about the history of the Krita digital painting program. It started its life in 1998 as a Qt wrapper around GIMP, called “kimp”, though the first real Krita code came from a KOffice application called KImage, which changed to KImageShop, Krayon, and, finally, in 2002, Krita (Swedish for crayon). His account has controversies, flame wars, development setbacks, and more, resulting in the high-quality application that we have today.
“I didn’t know C++ back then, but neither was I a novice programmer. I’d been earning the daily bread for me and my family for about ten years, first as an Oracle PL/SQL developer, then Visual Basic, then Java. I had written and gotten published a book on Python and Qt, so I knew Qt as well. I had no experience with graphics, though…
In October 2003 it was not possible to paint with Krita: all tools except for the layer move tool had been disabled. The paint tool was the first thing I worked on, and I was very proud when I had a tool that could place squares on the canvas — and the size of the squares was sensitive to the tablet pressure!”