All posts by corbet

[$] The case of the prematurely freed SKB

Post Syndicated from corbet original https://lwn.net/Articles/715811/rss

CVE-2017-6074 is the vulnerability identifier
for a use-after-free bug in the kernel’s network stack. This vulnerability
is apparently exploitable in local privilege-escalation attacks. The
problem, introduced in 2005, is easily fixed, but it points at a couple of
shortcomings in the kernel development process; as a result, it would not
be surprising if more bugs of this variety were to turn up in the near
future.

Subversion SHA1 collision problem statement

Post Syndicated from corbet original https://lwn.net/Articles/715873/rss

Users of the Subversion source-code management system may want to take a
look at this post from Mark Phippard. He explains how hash collisions can corrupt a
repository and a couple of short-term workarounds. “The quick
summary if you do not want to read this entire post is that the problem is
really not that bad. If you run into it there are solutions to resolve it
and you are not going to run into it in normal usage. There will also
likely be some future updates to Subversion that avoid it entirely so if
you regularly update your server and client when new releases come out you
are probably safe not doing anything and just waiting for an update to
happen.”

[$] Moving Git past SHA-1

Post Syndicated from corbet original https://lwn.net/Articles/715716/rss

The SHA-1 hash algorithm has been known for at least a decade to be
weak; while no generated hash collisions had been reported, it was assumed
that this would happen before too long. On February 23, Google announced
that it had succeeded at this task. While the technique used is
computationally expensive, this event has clarified what most developers
have known for some time: it is time to move away from SHA-1. While the
migration has essentially been completed in some areas (SSL certificates,
for example), there are still important places where it is heavily used,
including at the core of the Git source-code management system.
Unsurprisingly, the long-simmering discussion in the Git community on
moving away from SHA-1 is now at a full boil.

Linus on Git and SHA-1

Post Syndicated from corbet original https://lwn.net/Articles/715621/rss

Linus Torvalds has posted a lengthy explanation of why the recently
created SHA-1 collision is not an
emergency for Git users. “In the pdf examples, the pdf format acted
as the ‘black box’, and what you see is the printout which has only a very
indirect relationship to the pdf encoding.

But if you use git for source control like in the kernel, the stuff you
really care about is source code, which is very much a transparent
medium. If somebody inserts random odd generated crud in the middle of your
source code, you will absolutely notice.” That said, he notes that
there is work in progress to move away from SHA-1.

[It seems that Subversion users have an additional set of concerns; see this bug report conversation for the scary story.]

LEDE v17.01.0 final

Post Syndicated from corbet original https://lwn.net/Articles/715356/rss

The final version of the LEDE router distribution’s 17.01.0 release is now
available. “LEDE 17.01.0 “Reboot” incorporates thousands of commits over the last
nine months of effort. With this release, the LEDE development team
closes out an intense effort to modernize many parts of OpenWrt and
incorporate many new modules, packages, and technologies.” LWN recently
reviewed a release-candidate version of LEDE 17.01.

Announcing the first SHA1 collision

Post Syndicated from corbet original https://lwn.net/Articles/715348/rss

The Google security blog carries the news of the first deliberately
constructed SHA-1 hash collision. “We started by creating a PDF prefix
specifically crafted to allow us
to generate two documents with arbitrary distinct visual contents, but that
would hash to the same SHA-1 digest. In building this theoretical attack in
practice we had to overcome some new challenges. We then leveraged Google’s
technical expertise and cloud infrastructure to compute the collision which
is one of the largest computations ever completed.”

The SHA-1 era is truly coming to an end, even if most attackers lack access
to the computing resources needed for this particular exploit.

A draft GLIBC year-2038 design document

Post Syndicated from corbet original https://lwn.net/Articles/715242/rss

The year-2038 apocalypse is now just under
21 years away. For those who are curious about how the GNU C Library
plans to deal with this problem, there is a draft design document out
for review. “In order to avoid
duplicating APIs for 32-bit and 64-bit time, glibc will provide either one
but not both for a given application; the application code will have to
choose between 32-bit or 64-bit time support, and the same set of symbols
(e.g. time_t or clock_gettime) will be provided in both cases.”

Linux Plumbers Conference call for microconferences

Post Syndicated from corbet original https://lwn.net/Articles/715234/rss

The 2017 Linux Plumbers Conference is set for September 13 to 15 in Los
Angeles, California. The core of this event is the microconferences,
focused gatherings that address a specific range of problems. The call
for microconferences for the 2017 event is now out. “Good
microconferences result in solutions to these problems and concerns, while
the best microconferences result in patches that implement those
solutions.”

The “Upspin” global filesystem

Post Syndicated from corbet original https://lwn.net/Articles/715180/rss

A group of Google developers has announced
the release of (an early version of) a new global filesystem called
“Upspin”. “Upspin looks a bit like a global file system, but its
real contribution is a set of interfaces, protocols, and components from
which an information management system can be built, with properties such
as security and access control suited to a modern, networked world. Upspin
is not an ‘app’ or a web service, but rather a suite of software
components, intended to run in the network and on devices connected to it,
that together provide a secure, modern information storage and sharing
network.”

The return of the Linux kernel podcast

Post Syndicated from corbet original https://lwn.net/Articles/715087/rss

After taking a few years off, Jon Masters is restarting his kernel
podcast. “In this week’s edition: Linus Torvalds
announces Linux 4.10, Alan Tull updates his FPGA manager framework, and
Intel’s latest 5-level paging patch series is posted for review. We will
have this, and a summary of ongoing development in the first of the newly
revived Linux Kernel Podcast.”

The 4.10 kernel has been released

Post Syndicated from corbet original https://lwn.net/Articles/714938/rss

Linus has released the 4.10 kernel.
“On the whole, 4.10 didn’t end up as small as it initially looked.
After the huge release that was 4.9, I expected things to be pretty
quiet, but it ended up very much a fairly average release by modern
kernel standards.”

Features of note in this release include some long-awaited writeback
throttling work, the ability to attach a BPF network filter to a control
group, encryption in UBIFS filesystems, Intel cache-allocation technology
support, and more. See the KernelNewbies 4.10 page for lots of details.

Top 10 FOSS legal stories in 2016 (opensource.com)

Post Syndicated from corbet original https://lwn.net/Articles/714719/rss

Mark Radcliffe surveys the most important legal issues surrounding free
and open-source software on opensource.com. “The challenge for the Linux community
is to decide when to bring litigation to enforce the GPLv2. What it means
in many situations is that to be compliant is currently left to individual
contributors rather than being based on a set of community norms. As
Theodore Ts’o noted, this issue really concerns project
governance. Although permitting individual contributors to make these
decisions may be the Platonic ideal, the tradeoff is ambiguity for users
trying to be compliant as well as the potential for rogue members of the
community (like McHardy) to create problems. The members of the Linux
community and other FOSS communities need to consider how they can best
assist the members of their community to understand what compliance means
and to determine when litigation might be useful in furtherance of the
community’s goals.”