All posts by daroc

[$] An update on sealed system mappings

Post Syndicated from daroc original https://lwn.net/Articles/1006375/

Jeff Xu has been working on a patch set that makes certain mappings in a process’s address space impossible to change, sealing them against tampering. This has some potential security benefits — mainly, making sure that someone cannot relocate the vsyscall and vDSO mappings — but some kernel developers haven’t been impressed with the patches. While the core functionality (sealing the mappings) is sound, some of the supporting code for enabling and disabling the new feature caused concern by going against the normal design for such things. Reviewers also questioned how this feature would interact with checkpointing and with sandboxing.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1007252/

Security updates have been issued by AlmaLinux (libsoup), Debian (debian-security-support and redis), Fedora (expat, java-21-openjdk, lemonldap-ng, and phpMyAdmin), Mageia (chromium-browser-stable and git-lfs), Oracle (bzip2, git-lfs, libsoup, mariadb:10.11, mariadb:10.5, python-jinja2, redis, and unbound), Red Hat (git-lfs, libsoup, python-jinja2, rsync, and unbound), SUSE (buildah, chromium, google-osconfig-agent, govulncheck-vulndb, hauler, ignition, krb5, libxml2, python311-pydantic, SDL2_sound, and trivy), and Ubuntu (jquery, linux-azure, linux-azure-4.15, linux-azure-5.15, linux-hwe-5.4, linux-oracle, and mysql-8.0).

Credential-leaking vulnerability in some Git credential managers

Post Syndicated from daroc original https://lwn.net/Articles/1006691/

Security researcher RyotaK has shared a series of vulnerabilities that all have to do with how Git interfaces with external credential managers. In short, while Git guards against newline characters (\n) being injected into a repository’s URL, some programming languages also treat carriage return characters (\r) as being newlines. Adding a carriage return to a repository’s URL can cause Git and the credential manager to disagree on how the URL should be parsed, ultimately resulting in Git credentials being sent to the wrong host. Malicious repositories could include Git submodules with malformed URLs, triggering the bug. Only password-based authentication with an external credential manager is vulnerable to this attack; SSH-based authentication remains secure. The Git project has chosen to consider this a vulnerability in Git, given the large amount of external software affected. The project has fixed the bug on its end by releasing updates for all supported versions that ban carriage returns in URLs entirely.

Affected software includes GitHub Desktop, Git LFS, and possibly other Git utilities:

Since Git itself doesn’t use .lfsconfig file, specifying the URL that contains
the newline character in .lfsconfig causes Git LFS to insert the newline character
into the message, while bypassing […] Git’s validation.

[$] Offline applications with Earthstar

Post Syndicated from daroc original https://lwn.net/Articles/1005639/

Earthstar is a privacy-oriented, offline-first, LGPL-licensed database intended to support distributed applications. Unlike other distributed storage libraries, it focuses on providing mutable data with human-meaningful names and modification times, which gives it an interface similar to many non-distributed key-value databases. Now, the developers are looking at switching to a new synchronization protocol — one that is general enough that it might see wider adoption.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1006103/

Security updates have been issued by Debian (chromium and python-django), Fedora (git-lfs and pam-u2f), Mageia (golang), Red Hat (java-11-openjdk with Extended Lifecycle Support, java-17-openjdk, and java-21-openjdk), SUSE (cheat, dante, docker-stable, grafana, and kernel), and Ubuntu (cacti, cyrus-imapd, HTMLDOC, and PCL).

A look at the recent rsync vulnerability

Post Syndicated from daroc original https://lwn.net/Articles/1005302/

On January 14, Nick Tait announced the discovery of six vulnerabilities in rsync, the popular file-synchronization tool. While software vulnerabilities are not uncommon, the most serious one he announced allows for remote code execution on servers that run rsyncd — and possibly other configurations. The bug itself is fairly simple, but this event provides a nice opportunity to dig into it, show why it is so serious, and consider ways the open-source community can prevent such mistakes in the future.

Reviving None-aware operators for Python

Post Syndicated from daroc original https://lwn.net/Articles/1004893/

The idea of adding None-aware operators to Python has sprung up once
again. These would make traversing structures with None values in them
easier, by short-circuiting lookups when a None is encountered. Almost
exactly a year ago, LWN covered the previous attempt to bring
the operators to Python, but there have been periodic discussions stretching back to
2015 and possibly before. This time Noah Kim has taken up the cause. After some debate, he
eventually settled on redrafting the existing PEP to have a more limited scope,
which might finally see it move past the cycle of debate, resurrection, and abandonment that
it has been stuck in for most of the last decade.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1005433/

Security updates have been issued by Debian (rsync and tomcat9), Fedora (chromium, mingw-python-jinja2, redict, and valkey), Gentoo (GIMP and pip), Oracle (.NET, fence-agents, ipa, kernel, python-virtualenv, raptor2, and rsync), Red Hat (.NET 8.0 and .NET 9.0), SUSE (apache2-mod_jk, git, git-lfs, kernel, python-Django, thunderbird, and xen), and Ubuntu (audacity, bcel, dotnet8, dotnet9, gimp-dds, harfbuzz, libxml2, poppler, rsync, and tqdm).

Six vulnerabilities discovered in rsync

Post Syndicated from daroc original https://lwn.net/Articles/1005129/

Nick Tait announced on the oss-security mailing list that rsync, the widely used file transfer program, had a number of serious vulnerabilities. Users can mitigate all six vulnerabilities by upgrading to version 3.4.0, which was released on January 14. While all users should upgrade, servers that use rsyncd are especially impacted:

In the most severe CVE, an attacker only requires
anonymous read access to a rsync server, such as a public mirror, to
execute arbitrary code on the machine the server is running on.

[$] Chimera Linux works toward a simplified desktop

Post Syndicated from daroc original https://lwn.net/Articles/1004324/

Chimera Linux is a new distribution designed to be “simple, transparent, and easy to pick up”. The distribution is built from scratch, and recently announced its first beta release. While the documentation and installation process are both a bit rough, the project already provides a usable desktop with plenty of useful software — one built primarily on tools adopted from BSD.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1004701/

Security updates have been issued by Fedora (chromium and mingw-poppler), Red Hat (dpdk, thunderbird, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, libmfx, openjpeg2, python310, python312, python39, tomcat, and webkit2gtk3), and Ubuntu (golang-golang-x-net).

[$] A look at the Sequoia command-line interface

Post Syndicated from daroc original https://lwn.net/Articles/1003243/

The Sequoia OpenPGP library has been in development for some time. LWN covered the library in 2020. Now the project’s command-line interface has been released. The sq tool offers a promising alternative to the venerable GNU Privacy Guard (GPG) tool — albeit one with a different interface, set of terminology, and approach to the web of trust. Several distributions are making increasing use of the tool behind the scenes.

[$] Preventing data races with Pony

Post Syndicated from daroc original https://lwn.net/Articles/1001224/

The Pony programming language is dedicated to exploring how to make high-performance actor-based systems. Started in 2014, the language’s most notable feature is probably reference capabilities, a system of pointer annotations that gives the developer fine manual control over how data is shared between actors, while simultaneously ensuring that Pony programs don’t have data races. The language is not likely to overtake other more popular programming languages, but its ideas could be useful for other languages or frameworks struggling with concurrent data access.

[$] Systemd takes steps toward a more secure boot process

Post Syndicated from daroc original https://lwn.net/Articles/1001730/

The systemd project has been working for some time on promoting unified kernel images (UKIs), a format that bundles a kernel, initial disk image, kernel command line, and other associated data into a single file. The advantage of the format is the ability to authenticate the entire collection with secure boot, which makes it easier for end users to know that their operating system hasn’t been tampered with. The downside is the lack of flexibility and increase in disk usage, since all of the things packaged in a UKI must be updated together. But the recent systemd 257 release (along with other changes to be covered in a future article) includes some major changes to the UKI format, and the rest of the boot process, that partially mitigate those downsides. The release also includes improvements for hardware-locked disk encryption, which may also help secure some computers.