All posts by jake

Memory Error Detection Using GCC (Red Hat Developers blog)

Post Syndicated from jake original https://lwn.net/Articles/715438/rss

Over at the Red Hat Developers blog, Martin Sebor looks at some new (or enhanced) warnings available in GCC 7 that will help catch various types of memory errors. For example: “The -Wformat-overflow=level option detects certain and likely buffer overflow in calls to the sprintf family of formatted output functions. The option starts by determining the size of the destination buffer, which can be allocated either statically or dynamically. It then iterates over directives in the format string, calculating the number of bytes each results in output. For integer directives like %i and %x it tries to determine either the exact value of the argument or its range of values and uses the result to calculate the exact or minimum and maximum number of bytes the directive can produce. Similarly for floating point directives such as %a and %f, and string directives such as %s. When it determines that the likely number of bytes a directive results in will not fit in the space remaining in the destination buffer it issues a warning.”
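As an added illustration (not code from the blog post or from GCC itself), the C program below puts the pattern -Wformat-overflow targets next to a bounded replacement, and adds a small helper that answers the same question the warning does: given the destination size and the range of an integer argument, can the formatted output fit? The function names, the 8-byte buffer and the "port=%i" format are choices made for this example; compiling it with `gcc -Wall -Wformat-overflow=2` is what produces the diagnostic on `port_label_unsafe`, while the rest runs as an ordinary program.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Longest output "%i" can produce for any value in [lo, hi], in bytes,
 * excluding the terminating NUL. The widest output is always at one of
 * the two endpoints (largest magnitude, with "-" adding a byte), so
 * measuring both endpoints with snprintf(NULL, 0, ...) is exact. */
size_t max_int_width(int lo, int hi)
{
    int wlo = snprintf(NULL, 0, "%i", lo);
    int whi = snprintf(NULL, 0, "%i", hi);
    return (size_t)(wlo > whi ? wlo : whi);
}

/* Does "<prefix>%i" fit into dst_size bytes (NUL included) for every value
 * in [lo, hi]? This is the check the warning performs once it knows the
 * destination size and the argument's range:
 *   prefix bytes + maximum directive bytes + 1 <= destination size */
int format_fits(size_t dst_size, const char *prefix, int lo, int hi)
{
    return strlen(prefix) + max_int_width(lo, hi) + 1 <= dst_size;
}

/* The pattern the warning is aimed at. "port=" is 5 bytes, %i may produce
 * up to 11 ("-2147483648") and the NUL needs one more, so the call can need
 * 17 bytes while the static buffer holds 8. With -Wformat-overflow=2 GCC 7
 * assumes the unknown int takes its widest value and reports that %i may
 * write up to 11 bytes into the 3 bytes left after the prefix. At run time
 * a large port value overflows the buffer. Kept here only to be compiled. */
const char *port_label_unsafe(int port)
{
    static char buf[8];
    sprintf(buf, "port=%i", port);
    return buf;
}

/* Hardened form: bound the write and treat truncation as an error.
 * snprintf returns the length the full output would have had, so a return
 * value >= dst_size means the buffer was too small. Returns 1 on success,
 * 0 on truncation; the buffer is NUL-terminated either way. */
int format_port_safe(char *buf, size_t dst_size, int port)
{
    int n = snprintf(buf, dst_size, "port=%i", port);
    return n >= 0 && (size_t)n < dst_size;
}

/* Buffer used by main() and by the tests; 8 bytes like the unsafe one. */
char demo_buf[8];

int main(void)
{
    printf("max width of %%i over [0, 65535]: %zu\n", max_int_width(0, 65535));
    printf("\"port=%%i\" fits 8 bytes for 0..99: %s\n",
           format_fits(sizeof demo_buf, "port=", 0, 99) ? "yes" : "no");
    printf("\"port=%%i\" fits 8 bytes for 0..65535: %s\n",
           format_fits(sizeof demo_buf, "port=", 0, 65535) ? "yes" : "no");
    int ok = format_port_safe(demo_buf, sizeof demo_buf, 65535);
    printf("bounded format of 65535: ok=%d buf=\"%s\"\n", ok, demo_buf);
    return 0;
}
```

The helper mirrors the post's description: the destination size is known, the directive's output is bounded by the argument's range, and the decision is a comparison of byte counts. The hardened function adds the run-time counterpart, checking snprintf's return value so that truncation is noticed rather than silently producing a shortened string.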

Ancient local privilege escalation vulnerability in the kernel announced

Post Syndicated from jake original https://lwn.net/Articles/715429/rss

Andrey Konovalov has announced the discovery and fix of a local privilege escalation in the Linux kernel. Using the syzkaller fuzzer (which LWN looked at around one year ago), he found a double-free in the Datagram Congestion Control Protocol (DCCP) implementation that goes back to at least September 2006 (2.6.18), but probably all the way back to the introduction of DCCP in October 2005 (2.6.14). “[At] this point we have a use-after-free on some_object. An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel.

I’ll publish an exploit in a few days, giving people time to update.”

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/715404/rss

Security updates have been issued by Arch Linux (bzip2, kernel, and linux-zen), CentOS (kernel), Debian (bitlbee, kernel, and tomcat7), Fedora (diffoscope, mujs, pcre, plasma-desktop, and tomcat), Mageia (libpcap/tcpdump and spice), Oracle (kernel), Red Hat (kernel, kernel-rt, and python-oslo-middleware), SUSE (php5 and util-linux), Ubuntu (imagemagick), and openSUSE (gd, kernel, libXpm, and libquicktime).

[$] Principled free-software license enforcement

Post Syndicated from jake original https://lwn.net/Articles/715082/rss

Issues of when and how to enforce free-software licenses, and who should do it, have been on some people’s minds recently, and Richard Fontana from Red Hat decided to continue the discussion at FOSDEM. This was a fairly lawyerly talk; phrases like “alleged violation” and “I think that…” were scattered throughout it to a degree not normally found in talks by developers. This is because Fontana is a lawyer at Red Hat, and he was talking about ideas which, while they are not official Red Hat positions, were developed following discussions between him and other members of the legal team at Red Hat.

Subscribers can click below for the full report of the talk by guest author Tom Yates.

Monday’s security advisories

Post Syndicated from jake original https://lwn.net/Articles/715034/rss

Debian-LTS has updated gst-plugins-bad0.10 (two vulnerabilities), gst-plugins-base0.10 (two vulnerabilities), gst-plugins-good0.10 (two vulnerabilities), gst-plugins-ugly0.10 (two vulnerabilities), and wireshark (denial of service).

Fedora has updated bind (F24: denial of service), python-peewee (F25; F24: largely unspecified), sshrc (F25: unspecified), and zoneminder (F25; F24: information disclosure).

Gentoo has updated glibc (multiple vulnerabilities, most from 2014 and 2015), mupdf (three vulnerabilities), and ntfs3g (privilege escalation).

Mageia has updated gnutls (multiple vulnerabilities), gtk-vnc (two vulnerabilities), iceape (multiple vulnerabilities), jitsi (user spoofing), libarchive (denial of service), libgd (multiple vulnerabilities), lynx (URL spoofing), mariadb (multiple vulnerabilities, almost all unspecified), netpbm (multiple vulnerabilities), openjpeg2 (multiple vulnerabilities), tomcat (information disclosure), and viewvc (cross-site scripting).

openSUSE has updated chromium (42.2, 42.1: multiple vulnerabilities), firebird (42.2, 42.1: access restriction bypass), java-1_7_0-openjdk (42.2, 42.1: multiple vulnerabilities), mcabber (42.2: user spoofing), mupdf (42.2, 42.1: multiple vulnerabilities), open-vm-tools (42.1: CVE with no description from 2015), opus (42.2, 42.1: code execution), tiff (42.2, 42.1: code execution), and vim (42.1: code execution).

Red Hat has updated openssl (RHEL7&6: two vulnerabilities).

Scientific Linux has updated openssl (SL7&6: two vulnerabilities).

SUSE has updated kernel (SLE12: denial of service) and kernel (SLE11: multiple vulnerabilities, some from 2004, 2012, and 2015).

Ubuntu has updated python-crypto (16.10, 16.04, 14.04: regression in previous update).

SystemTap 3.1 has been released

Post Syndicated from jake original https://lwn.net/Articles/714880/rss

The SystemTap team has announced the 3.1 release of the tool that allows extracting performance and debugging information at runtime from the kernel as well as various user-space programs. New features include support for adding probes to Python 2 and 3 functions, Java probes now convert all parameters to strings before passing them to probes, a new @variance() statistical operator has been added, new sample scripts have been added, and more.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/714848/rss

Arch Linux has updated diffoscope (file overwrite), flashplugin (multiple vulnerabilities), and lib32-flashplugin (multiple vulnerabilities).

Debian has updated spice (two vulnerabilities).

Debian-LTS has updated spice (two vulnerabilities).

Gentoo has updated imagemagick (multiple vulnerabilities).

openSUSE has updated expat (42.2, 42.1: two vulnerabilities, one from 2012), guile (42.2, 42.1: information disclosure), libgit2 (42.2: multiple vulnerabilities), mariadb (42.2, 42.1: multiple vulnerabilities), mysql-community-server (42.1: multiple vulnerabilities), openssl (42.2; 42.1: multiple vulnerabilities), and postfixadmin (42.2, 42.1: security bypass).

SUSE has updated java-1_7_0-openjdk (SLE12: multiple vulnerabilities).

Ubuntu has updated bind9 (denial of service), python-crypto (16.10, 16.04, 14.04: code execution), and webkit2gtk (16.10, 16.04: multiple vulnerabilities).

Thursday’s security updates

Post Syndicated from jake original https://lwn.net/Articles/714735/rss

Arch Linux has updated gvim (code execution) and vim (code execution).

Red Hat has updated openstack-cinder, openstack-glance, and openstack-nova (OSP7.0: denial of service from 2015).

SUSE has updated kernel (SLE12: many vulnerabilities, some from 2015 and 2014).

Ubuntu has updated libgc (code execution) and openjdk-6 (12.04: multiple vulnerabilities).

[$] This is why I drink: a discussion of Fedora’s legal state

Post Syndicated from jake original https://lwn.net/Articles/714524/rss

Tom Callaway seems to be a very nice person who has been overclocked to about 140% normal human speed. In only 20 minutes he gave an interesting and highly-amusing talk that could have filled a 45-minute slot on the legal principles that underpin Fedora, how they got that way, and how they work out in practice.

Subscribers can click below for the full report from FOSDEM by guest author Tom Yates.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/714253/rss

Arch Linux has updated bind (denial of service).

Debian has updated jasper (multiple vulnerabilities).

Debian-LTS has updated mysql-5.5 (code execution) and viewvc (cross-site scripting).

Fedora has updated bitlbee (F24: denial of service), gnome-boxes (F24: password disclosure), gtk-vnc (F25: two vulnerabilities), iio-sensor-proxy (F24: authentication bypass), java-1.8.0-openjdk-aarch32 (F25; F24: multiple vulnerabilities), libwmf (F25: multiple vulnerabilities), mariadb (F24: multiple vulnerabilities), openssl (F24: three vulnerabilities), quagga (F25: denial of service), spice (F25; F24: two vulnerabilities), viewvc (F24: cross-site scripting), and wireshark (F25: two denial of service flaws).

Gentoo has updated firejail (incomplete fix for previous vulnerability).

SUSE has updated opus (SLE12: code execution) and kernel (SLE11: multiple vulnerabilities).

Ubuntu has updated linux-raspi2 (16.10: multiple vulnerabilities), linux-ti-omap4 (12.04: two vulnerabilities), and nova-lxd (16.04: ).

Security advisories for Thursday

Post Syndicated from jake original https://lwn.net/Articles/714118/rss

Debian has updated openjdk-7 (multiple vulnerabilities), php5 (multiple vulnerabilities), and viewvc (cross-site scripting).

Fedora has updated bitlbee (F25: denial of service), mariadb (F25: multiple vulnerabilities), redis (F25: two vulnerabilities), and viewvc (F25: cross-site scripting).

openSUSE has updated libplist (42.2, 42.1: two vulnerabilities), opera (42.2, 42.1: multiple vulnerabilities), and rubygem-minitar (42.2: file overwrite).

Red Hat has updated java-1.8.0-ibm (RHEL7&6: multiple vulnerabilities).

SUSE has updated firefox (SLE11; SLE12: multiple vulnerabilities).

Ubuntu has updated openjdk-7 (14.04: multiple vulnerabilities) and oxide-qt (16.10, 16.04, 14.04: multiple vulnerabilities).

Friday’s security updates

Post Syndicated from jake original https://lwn.net/Articles/713554/rss

Arch Linux has updated qt5-webengine (multiple vulnerabilities) and tcpdump (multiple vulnerabilities).

CentOS has updated thunderbird (C7; C6; C5: multiple vulnerabilities).

Debian-LTS has updated ntfs-3g (privilege escalation) and svgsalamander (server-side request forgery).

Fedora has updated openldap (F25: unintended cipher usage from 2015) and wavpack (F25: multiple vulnerabilities).

Mageia has updated openafs (information leak) and pdns-recursor (denial of service).

openSUSE has updated java-1_8_0-openjdk (42.2, 42.1: multiple vulnerabilities), mupdf (42.2; 42.1: three vulnerabilities), phpMyAdmin (42.2, 42.1: multiple vulnerabilities, one from 2015), and Wireshark (42.2: two denial of service flaws).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Scientific Linux has updated libtiff (SL7&6: multiple vulnerabilities, one from 2015) and thunderbird (multiple vulnerabilities).

Ubuntu has updated kernel (16.10; 14.04; 12.04: multiple vulnerabilities), kernel, linux-raspi2, linux-snapdragon (16.04: two vulnerabilities), linux-lts-trusty (12.04: code execution), linux-lts-xenial (14.04: two vulnerabilities), and tomcat (14.04, 12.04: regression in previous update).

Dz: Seccomp sandboxing not enabled for acme-client

Post Syndicated from jake original https://lwn.net/Articles/713464/rss

In the acme-client-portable repository at GitHub, developer Kristaps Dz has a rather stinging indictment of trying to use seccomp sandboxing for the portable version of acme-client, which is a client program for getting Let’s Encrypt certificates. He has disabled seccomp filtering in the default build for a number of reasons. “So I might use mmap, but the system call is mmap2? Great. This brings us to the second and larger problem. The C library. There are several popular ones on Linux: glibc, musl, uClibc, etc. Each of these is free to implement any standard function (like mmap, above) in any way. So while my code might say read, the C library might also invoke fstat. Great.

In general, section 2 calls (system calls) map evenly between system call name and function name. (Except as noted above… and maybe elsewhere…) However, section 3 is all over the place. The strongest differences were between big functions like getaddrinfo(2).

Then there are local modifications. And not just between special embedded systems. But Debian and Arch, both using glibc and both on x86_64, have different kernels installed with different features. Great.

Less great for me and seccomp.” (Thanks to Paul Wise.)
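To make the mismatch concrete, here is an added example in C (not code from acme-client or its author): a seccomp allowlist written from the syscalls the source code visibly makes, a second one widened with what the C library actually issued, and a tiny userspace evaluator for the filter so the decision can be checked without installing anything. The syscall trace is constructed, the x86_64 ABI constants are an assumption of the example, and the evaluator handles only the three classic-BPF opcodes these filters use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* One allowlist entry: if the loaded syscall number equals nr, return ALLOW,
 * otherwise fall through to the next entry. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Prologue: kill any call made under a foreign ABI (a 32-bit caller on an
 * x86_64 kernel uses a different syscall table, the one where mmap2 lives),
 * then load the syscall number for the allowlist that follows. */
#define FILTER_PROLOGUE \
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)), \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), \
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr))

/* Allowlist written from what the source code says: read, write, exit. */
const struct sock_filter naive_filter[] = {
    FILTER_PROLOGUE,
    ALLOW_SYSCALL(__NR_read),
    ALLOW_SYSCALL(__NR_write),
    ALLOW_SYSCALL(__NR_exit_group),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};

/* The same allowlist widened with what the C library issued on one
 * particular libc/kernel combination. */
const struct sock_filter widened_filter[] = {
    FILTER_PROLOGUE,
    ALLOW_SYSCALL(__NR_read),
    ALLOW_SYSCALL(__NR_write),
    ALLOW_SYSCALL(__NR_exit_group),
    ALLOW_SYSCALL(__NR_fstat),
    ALLOW_SYSCALL(__NR_mmap),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};

/* Constructed trace (the shape strace would show) for a program whose source
 * only calls stdio read/write: the library sizes and maps its buffer with
 * fstat and mmap before the first read. Real traces differ by libc, version
 * and kernel, which is exactly the complaint in the post. */
const int libc_trace[] = { __NR_fstat, __NR_mmap, __NR_read, __NR_write, __NR_exit_group };

/* Minimal userspace interpreter for the three cBPF opcodes used above. It is
 * not the kernel's evaluator; it only lets a filter be tested unattached. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, nr))
                acc = (uint32_t)sd->nr;
            else if (in->k == offsetof(struct seccomp_data, arch))
                acc = sd->arch;
            else
                return SECCOMP_RET_KILL;   /* field not modelled here */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;  /* relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;       /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL;               /* fell off the end of the program */
}

/* Decide one syscall number under a given ABI. */
uint32_t decide(const struct sock_filter *prog, size_t len, int nr, uint32_t arch)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return run_filter(prog, len, &sd);
}

/* Replay a trace through a filter: returns the first syscall number the
 * filter would kill the process on, or -1 if the whole trace is allowed. */
int first_blocked(const struct sock_filter *prog, size_t len,
                  const int *trace, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (decide(prog, len, trace[i], AUDIT_ARCH_X86_64) != SECCOMP_RET_ALLOW)
            return trace[i];
    return -1;
}

int main(void)
{
    printf("naive allowlist, first killed syscall: %d (fstat is %d)\n",
           first_blocked(naive_filter, LEN(naive_filter), libc_trace, LEN(libc_trace)),
           (int)__NR_fstat);
    printf("widened allowlist, first killed syscall: %d\n",
           first_blocked(widened_filter, LEN(widened_filter), libc_trace, LEN(libc_trace)));
    return 0;
}
```

Replaying the trace shows the failure mode the post describes: the program's own code never mentions fstat or mmap, yet the first thing the naive filter does is kill the process on the library's fstat. The widened list passes this trace, but only for the libc and kernel it was derived from, which is why such lists have to be regenerated per platform rather than written once from the source.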

Thursday’s security advisories

Post Syndicated from jake original https://lwn.net/Articles/713405/rss

Debian has updated ntfs-3g (privilege escalation).

Debian-LTS has updated openssl (three vulnerabilities).

Fedora has updated jasper (F25: code execution), moodle (F24: multiple vulnerabilities), and percona-xtrabackup (F25; F24: information disclosure).

Mageia has updated libxpm (code execution), pdns (multiple vulnerabilities), python-pycrypto (denial of service from 2013), and wireshark (two denial of service flaws).

openSUSE has updated bzrtp (42.2, 42.1: man-in-the-middle vulnerability), firefox (42.2, 42.1: multiple vulnerabilities), nginx (42.2, 42.1; SPH for SLE12: denial of service), seamonkey (42.2, 42.1: code execution), and thunderbird (42.2, 42.1; SPH for SLE12: multiple vulnerabilities).

Red Hat has updated rabbitmq-server (OSP8.0: denial of service from 2015) and thunderbird (multiple vulnerabilities).

Ubuntu has updated gnutls26, gnutls28 (multiple vulnerabilities), irssi (multiple vulnerabilities), iucode-tool (16.10, 16.04: code execution), libxpm (code execution), and ntfs-3g (16.10, 16.04: privilege escalation).

[$] Three new FOSS umbrella organizations in Europe

Post Syndicated from jake original https://lwn.net/Articles/713073/rss

Last year, three new umbrella organizations for free and open-source software (and hardware) projects emerged in Europe. Their aim is to cater to the needs of the community by providing a legal entity for projects to join, leaving the projects free to focus on technical and community tasks. These organizations (Public Software CIC, [The Commons Conservancy], and the Center for the Cultivation of Technology) will take on the overhead of actually running a legal entity themselves.

Shutting down FTP services (kernel.org)

Post Syndicated from jake original https://lwn.net/Articles/712896/rss

Kernel.org has announced that it will be shutting down FTP access to its archives in two stages: March 1 will see the end of ftp.kernel.org, while December 1 is the termination date for mirrors.kernel.org.

Let’s face it — while kinda neat and convenient, offering a public NFS/CIFS server was a Pretty Bad Idea, not only because both these protocols are pretty terrible over high latency connections, but also because of important security implications.

Well, 19 years later we’re thinking it’s time to terminate another service that has important protocol and security implications — our FTP servers. Our decision is driven by the following considerations:

  1. The protocol is inefficient and requires adding awkward kludges to firewalls and load-balancing daemons
  2. FTP servers have no support for caching or accelerators, which has significant performance impacts
  3. Most software implementations have stagnated and see infrequent updates

All kernel.org FTP services will be shut down by the end of this year.

Friday’s security updates

Post Syndicated from jake original http://lwn.net/Articles/712800/rss

CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), mysql (C6: three vulnerabilities), squid (C7: information leak), and squid34 (C6: information leak).

Debian has updated libxpm (code execution).

Debian-LTS has updated asterisk (denial of service from 2014), firefox-esr (multiple vulnerabilities), lcms2 (denial of service), and libxpm (code execution).

Mageia has updated firefox (multiple vulnerabilities), gstreamer (code execution), and php-phpmailer (two vulnerabilities).

openSUSE has updated apache2 (42.2: denial of service) and gstreamer-0_10-plugins-good (42.1: multiple vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities) and puppet-swift (OSP10.0: information disclosure).

Slackware has updated mozilla-thunderbird (multiple vulnerabilities).
