
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Memory Error Detection Using GCC (Red Hat Developers blog)

3 hours 16 min ago
Over at the Red Hat Developers blog, Martin Sebor looks at some new (or enhanced) warnings available in GCC 7 that will help catch various types of memory errors. For example: "The -Wformat-overflow=level option detects certain and likely buffer overflow in calls to the sprintf family of formatted output functions. The option starts by determining the size of the destination buffer, which can be allocated either statically or dynamically. It then iterates over directives in the format string, calculating the number of bytes each results in output. For integer directives like %i and %x it tries to determine either the exact value of the argument or its range of values and uses the result to calculate the exact or minimum and maximum number of bytes the directive can produce. Similarly for floating point directives such as %a and %f, and string directives such as %s. When it determines that the likely number of bytes a directive results in will not fit in the space remaining in the destination buffer it issues a warning."
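As an added illustration (this is not code from Sebor's post or from GCC itself), the C below puts the kind of call that -Wformat-overflow flags next to a hardened version, and reproduces, for the %i directive, the range reasoning the warning performs: given a known range for the argument, how few and how many bytes can the directive emit. The buffer size, function names and value ranges are chosen for the example; with GCC 7 and -Wformat-overflow=2 the 4-byte buffer in len_unchecked draws a compile-time warning, since %i on an int can produce anywhere from 1 to 11 bytes.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Longest decimal rendering of an int: "-2147483648" is 11 bytes (plus the NUL). */
#define INT_DEC_MAX 11

/*
 * Before: the destination is 4 bytes but %i can produce 1..11 bytes, so
 * GCC 7 with -Wformat-overflow=2 warns at compile time that the directive
 * may write past the end of buf. The call is only safe while |x| < 1000;
 * nothing in the code enforces that.
 */
size_t len_unchecked(int x)
{
    char buf[4];
    sprintf(buf, "%i", x);
    return strlen(buf);
}

/*
 * After: snprintf bounds the write, and its return value says whether the
 * whole result fit. Returns the length on success, -1 if the output would
 * have been truncated (the case in which the old code overflowed).
 */
int format_int(int x, char *dst, size_t dstsz)
{
    int n = snprintf(dst, dstsz, "%i", x);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return n;
}

/* Decimal length of v, counting a leading '-' for negative values. */
static int dec_len(long v)
{
    unsigned long u = v < 0 ? 0UL - (unsigned long)v : (unsigned long)v;
    int n = v < 0 ? 1 : 0;
    do {
        n++;
        u /= 10;
    } while (u);
    return n;
}

/*
 * Range analysis as the warning applies it to %i / %d: if the argument is
 * known to lie in [lo, hi], the directive emits at most the longer of the
 * two endpoints ...
 */
int int_directive_max_bytes(long lo, long hi)
{
    int a = dec_len(lo), b = dec_len(hi);
    return a > b ? a : b;
}

/*
 * ... and at least one byte if the range contains zero ("0"), otherwise the
 * length of the endpoint closest to zero.
 */
int int_directive_min_bytes(long lo, long hi)
{
    if (lo <= 0 && hi >= 0)
        return 1;
    int a = dec_len(lo), b = dec_len(hi);
    return a < b ? a : b;
}

int main(void)
{
    char dst[INT_DEC_MAX + 1];

    printf("%%i over a full int needs %d..%d bytes\n",
           int_directive_min_bytes(INT_MIN, INT_MAX),
           int_directive_max_bytes(INT_MIN, INT_MAX));
    printf("%%i over 0..65535 needs %d..%d bytes\n",
           int_directive_min_bytes(0, 65535),
           int_directive_max_bytes(0, 65535));
    printf("format_int(123456) into 4 bytes -> %d\n", format_int(123456, dst, 4));
    printf("format_int(123456) into %zu bytes -> %d\n", sizeof dst,
           format_int(123456, dst, sizeof dst));
    return 0;
}
```

The point of the two bounds functions is that the warning does not need the exact argument: a value it can prove to be a TCP port (0..65535) needs at most 5 bytes, while an unconstrained int needs 11, and the level-2 variant of the option assumes the worst case when it knows nothing about the value.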

Ancient local privilege escalation vulnerability in the kernel announced

4 hours 41 min ago
Andrey Konovalov has announced the discovery and fix of a local privilege escalation in the Linux kernel (CVE-2017-6074). Using the syzkaller fuzzer (which LWN looked at around one year ago), he found a double-free in the Datagram Congestion Control Protocol (DCCP) implementation that goes back to at least September 2006 (2.6.18), but probably all the way back to the introduction of DCCP in October 2005 (2.6.14). "[At] this point we have a use-after-free on some_object. An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel. I'll publish an exploit in a few days, giving people time to update." Note that an unprivileged socket() call is enough to autoload the dccp module on most distributions, so systems with no use for DCCP can keep the vulnerable code out of the kernel entirely, independent of the fix, by blacklisting it (for example, a line reading install dccp /bin/true in a file under /etc/modprobe.d/).

Stable kernels 4.9.12 and 4.4.51

5 hours 3 min ago
Greg Kroah-Hartman has announced the release of the 4.9.12 and 4.4.51 stable kernels. As usual, there are important fixes in the updates and users of those kernels should upgrade.

Security updates for Thursday

6 hours 43 min ago
Security updates have been issued by Arch Linux (bzip2, kernel, and linux-zen), CentOS (kernel), Debian (bitlbee, kernel, and tomcat7), Fedora (diffoscope, mujs, pcre, plasma-desktop, and tomcat), Mageia (libpcap/tcpdump and spice), Oracle (kernel), Red Hat (kernel, kernel-rt, and python-oslo-middleware), SUSE (php5 and util-linux), Ubuntu (imagemagick), and openSUSE (gd, kernel, libXpm, and libquicktime).

LEDE v17.01.0 final

7 hours 16 min ago
The final version of the LEDE router distribution's 17.01.0 release is now available. "LEDE 17.01.0 "Reboot" incorporates thousands of commits over the last nine months of effort. With this release, the LEDE development team closes out an intense effort to modernize many parts of OpenWrt and incorporate many new modules, packages, and technologies." LWN recently reviewed a release-candidate version of LEDE 17.01.

Announcing the first SHA1 collision

8 hours 27 min ago
The Google security blog carries the news of the first deliberately constructed SHA-1 hash collision. "We started by creating a PDF prefix specifically crafted to allow us to generate two documents with arbitrary distinct visual contents, but that would hash to the same SHA-1 digest. In building this theoretical attack in practice we had to overcome some new challenges. We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed." The SHA-1 era is truly coming to an end, even if most attackers lack access to the computing resources needed for this particular exploit: the announcement puts the cost at roughly nine quintillion SHA-1 computations, about 6,500 CPU-years for the first phase and 110 GPU-years for the second, which is far cheaper than brute force but still out of reach for all but well-funded adversaries today. Anything that still relies on SHA-1 for integrity of attacker-influenced data (signatures, code-signing, content-addressed storage) should treat this as the signal to move to SHA-256 or better.

[$] LWN.net Weekly Edition for February 23, 2017

Thursday 23rd of February 2017 01:02:40 AM
The LWN.net Weekly Edition for February 23, 2017 is available.

Turunen: Qt Roadmap for 2017

Wednesday 22nd of February 2017 07:20:14 PM
Tuukka Turunen presents a roadmap for Qt. "Qt 3D was first released with Qt 5.7 and in Qt 5.8 the focus was mostly on stability and performance. With Qt 5.9 we are providing many new features which significantly improve the functionality of Qt 3D. Notable new features include support for mesh morphing and keyframe animations, using Qt Quick items as a texture for 3D elements, as well as support for physically based rendering and particles. There are also multiple smaller features and improvements throughout the Qt 3D module."

Wednesday's security advisories

Wednesday 22nd of February 2017 05:10:06 PM

CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities).

Debian has updated tomcat7 (regression in previous update) and tomcat8 (regression in previous update).

Gentoo has updated archive-tar-minitar (file overwrites) and ghostscript-gpl (multiple vulnerabilities).

openSUSE has updated profanity (42.2, 42.1: user impersonation).

SUSE has updated php7 (SLE12: multiple vulnerabilities).

Ubuntu has updated kernel (14.04: three vulnerabilities), linux, linux-raspi2 (16.10: three vulnerabilities), linux, linux-snapdragon (16.04: multiple vulnerabilities), linux, linux-ti-omap4 (12.04: three vulnerabilities), linux-lts-trusty (12.04: three vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), and tcpdump (multiple vulnerabilities).

[$] Principled free-software license enforcement

Wednesday 22nd of February 2017 04:47:48 PM
Issues of when and how to enforce free-software licenses, and who should do it, have been on some people's minds recently, and Richard Fontana from Red Hat decided to continue the discussion at FOSDEM. This was a fairly lawyerly talk; phrases like "alleged violation" and "I think that..." were scattered throughout it to a degree not normally found in talks by developers. This is because Fontana is a lawyer at Red Hat, and he was talking about ideas which, while they are not official Red Hat positions, were developed following discussions between him and other members of the legal team at Red Hat.

Subscribers can click below for the full report of the talk by guest author Tom Yates.

A draft glibc year-2038 design document

Wednesday 22nd of February 2017 03:56:06 PM
The year-2038 apocalypse is now just under 21 years away. For those who are curious about how the GNU C Library plans to deal with this problem, there is a draft design document out for review. "In order to avoid duplicating APIs for 32-bit and 64-bit time, glibc will provide either one but not both for a given application; the application code will have to choose between 32-bit or 64-bit time support, and the same set of symbols (e.g. time_t or clock_gettime) will be provided in both cases."
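To make the failure mode concrete, here is an added C example (not part of the glibc design document) that emulates a signed 32-bit time_t alongside the platform's 64-bit one: it shows that the last representable instant is in January 2038 and that one more second wraps to December 1901, which is the behaviour the document's 64-bit option exists to avoid. The time32_t typedef, the function names and the one-second step are constructed for the illustration, and year_of_epoch assumes the host time_t is 64 bits (as on x86_64 Linux). For what it is worth, glibc eventually shipped this choice as the _TIME_BITS=64 feature macro in glibc 2.34, selected together with _FILE_OFFSET_BITS=64.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* A signed 32-bit time_t, as on the 32-bit ABIs the design document is about. */
typedef int32_t time32_t;

/* Last instant a signed 32-bit time_t can represent: 2^31 - 1 seconds after the epoch. */
#define TIME32_MAX INT32_MAX

/*
 * UTC calendar year encoded by a 32-bit timestamp, or -1 on failure.
 * Widening to the host's 64-bit time_t before calling gmtime keeps the
 * conversion itself out of the picture: we only look at what the 32-bit
 * value means.
 */
int year_of_time32(time32_t t)
{
    time_t wide = (time_t)t;
    struct tm *tm = gmtime(&wide);
    return tm ? tm->tm_year + 1900 : -1;
}

/* Same question for a 64-bit count of seconds (assumes a 64-bit host time_t). */
int year_of_epoch(int64_t seconds)
{
    time_t t = (time_t)seconds;
    struct tm *tm = gmtime(&t);
    return tm ? tm->tm_year + 1900 : -1;
}

/*
 * Add delta seconds to a 32-bit timestamp the way unchecked 32-bit arithmetic
 * does: the mathematically exact sum is reduced modulo 2^32 and reinterpreted
 * as signed (two's complement, as on every Linux target). Returns 1 if *out is
 * exact, 0 if it wrapped; on a wrap *out still holds the wrapped value so the
 * caller can see what 32-bit code would have computed.
 */
int add_seconds_time32(time32_t t, int64_t delta, time32_t *out)
{
    int64_t exact = (int64_t)t + delta;
    *out = (time32_t)(uint32_t)exact;   /* deliberate truncation to 32 bits */
    return exact >= INT32_MIN && exact <= INT32_MAX;
}

int main(void)
{
    time32_t wrapped;
    int ok = add_seconds_time32(TIME32_MAX, 1, &wrapped);

    printf("TIME32_MAX falls in %d\n", year_of_time32(TIME32_MAX));
    printf("TIME32_MAX + 1 with 32-bit time_t: exact=%d, year %d\n",
           ok, year_of_time32(wrapped));
    printf("TIME32_MAX + 1 with 64-bit time_t: year %d\n",
           year_of_epoch((int64_t)TIME32_MAX + 1));
    return 0;
}
```

The wrap is silent: add_seconds_time32 returns a perfectly valid-looking timestamp for a date 136 years in the past, which is why the document argues for a single, compile-time choice of time width rather than mixing 32- and 64-bit symbols in one program.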

Linux Plumbers Conference call for microconferences

Wednesday 22nd of February 2017 02:32:19 PM
The 2017 Linux Plumbers Conference is set for September 13 to 15 in Los Angeles, California. The core of this event is the microconferences, focused gatherings that address a specific range of problems. The call for microconferences for the 2017 event is now out. "Good microconferences result in solutions to these problems and concerns, while the best microconferences result in patches that implement those solutions."

The "Upspin" global filesystem

Tuesday 21st of February 2017 10:32:57 PM
A group of Google developers has announced the release of (an early version of) a new global filesystem called "Upspin". "Upspin looks a bit like a global file system, but its real contribution is a set of interfaces, protocols, and components from which an information management system can be built, with properties such as security and access control suited to a modern, networked world. Upspin is not an 'app' or a web service, but rather a suite of software components, intended to run in the network and on devices connected to it, that together provide a secure, modern information storage and sharing network."

Internet-enable your microcontroller projects for under $6 with ESP8266 (Opensource.com)

Tuesday 21st of February 2017 08:16:01 PM
David Egts takes a look at the ESP8266 WiFi chip, on Opensource.com. "What is the ESP8266 exactly? The ESP8266 is a 32-bit RISC CPU made by Espressif Systems. Its clock runs at 80MHz, and it supports up to 16MB of flash RAM for program storage. These specifications are quite impressive when compared to an Arduino UNO, which runs at 16MHz, only has 32KB of RAM, and is several times more expensive. Another big difference is that the ESP8266 requires only 3.3 volts of power while most Arduinos require 5 volts. Keep this voltage difference in mind when extending your existing Arduino knowledge and projects to the ESP8266 to prevent magic smoke."

Security updates for Tuesday

Tuesday 21st of February 2017 06:02:19 PM

CentOS has updated openssl (C7; C6: two vulnerabilities).

Debian-LTS has updated gtk-vnc (two vulnerabilities).

Fedora has updated kernel (F25; F24: two vulnerabilities), mingw-gstreamer1 (F25: denial of service), mingw-gstreamer1-plugins-bad-free (F25: two vulnerabilities), mingw-gstreamer1-plugins-base (F25: multiple vulnerabilities), mingw-gstreamer1-plugins-good (F25: multiple vulnerabilities), mingw-wavpack (F25; F24: multiple vulnerabilities), and xen (F25: denial of service).

Gentoo has updated adobe-flash (multiple vulnerabilities), dropbear (multiple vulnerabilities), firefox (multiple vulnerabilities), libass (multiple vulnerabilities), libvncserver (two vulnerabilities), mariadb (multiple vulnerabilities), mysql (multiple vulnerabilities), nagios-core (multiple vulnerabilities, one from 2008), ocaml (information leak), opus (code execution), php (multiple vulnerabilities), pycrypto (denial of service), qemu (multiple vulnerabilities), redis (three vulnerabilities), tcpdump (multiple vulnerabilities), thunderbird (multiple vulnerabilities), tigervnc (code execution), and xen (code execution).

Mageia has updated ruby-archive-tar-minitar (file overwrites).

openSUSE has updated libplist (42.1: multiple vulnerabilities) and nodejs (42.1: three vulnerabilities).

Oracle has updated openssl (OL7; OL6: two vulnerabilities).

SUSE has updated flash-player (SLE12-SP1: multiple vulnerabilities).

Ubuntu has updated gtk-vnc (14.04, 12.04: two vulnerabilities), spice (16.10, 16.04, 14.04: two vulnerabilities), and tomcat6, tomcat7 (14.04, 12.04: denial of service).

The return of the Linux kernel podcast

Tuesday 21st of February 2017 03:18:22 AM
After taking a few years off, Jon Masters is restarting his kernel podcast. "In this week’s edition: Linus Torvalds announces Linux 4.10, Alan Tull updates his FPGA manager framework, and Intel’s latest 5-level paging patch series is posted for review. We will have this, and a summary of ongoing development in the first of the newly revived Linux Kernel Podcast."

Monday's security advisories

Monday 20th of February 2017 07:13:16 PM

Debian-LTS has updated gst-plugins-bad0.10 (two vulnerabilities), gst-plugins-base0.10 (two vulnerabilities), gst-plugins-good0.10 (two vulnerabilities), gst-plugins-ugly0.10 (two vulnerabilities), and wireshark (denial of service).

Fedora has updated bind (F24: denial of service), python-peewee (F25; F24: largely unspecified), sshrc (F25: unspecified), and zoneminder (F25; F24: information disclosure).

Gentoo has updated glibc (multiple vulnerabilities, most from 2014 and 2015), mupdf (three vulnerabilities), and ntfs3g (privilege escalation).

Mageia has updated gnutls (multiple vulnerabilities), gtk-vnc (two vulnerabilities), iceape (multiple vulnerabilities), jitsi (user spoofing), libarchive (denial of service), libgd (multiple vulnerabilities), lynx (URL spoofing), mariadb (multiple vulnerabilities, almost all unspecified), netpbm (multiple vulnerabilities), openjpeg2 (multiple vulnerabilities), tomcat (information disclosure), and viewvc (cross-site scripting).

openSUSE has updated chromium (42.2, 42.1: multiple vulnerabilities), firebird (42.2, 42.1: access restriction bypass), java-1_7_0-openjdk (42.2, 42.1: multiple vulnerabilities), mcabber (42.2: user spoofing), mupdf (42.2, 42.1: multiple vulnerabilities), open-vm-tools (42.1: CVE with no description from 2015), opus (42.2, 42.1: code execution), tiff (42.2, 42.1: code execution), and vim (42.1: code execution).

Red Hat has updated openssl (RHEL7&6: two vulnerabilities).

Scientific Linux has updated openssl (SL7&6: two vulnerabilities).

SUSE has updated kernel (SLE12: denial of service) and kernel (SLE11: multiple vulnerabilities, some from 2004, 2012, and 2015).

Ubuntu has updated python-crypto (16.10, 16.04, 14.04: regression in previous update).

The 4.10 kernel has been released

Sunday 19th of February 2017 11:23:05 PM
Linus has released the 4.10 kernel. "On the whole, 4.10 didn't end up as small as it initially looked. After the huge release that was 4.9, I expected things to be pretty quiet, but it ended up very much a fairly average release by modern kernel standards." Features of note in this release include some long-awaited writeback throttling work, the ability to attach a BPF network filter to a control group, encryption in UBIFS filesystems, Intel cache-allocation technology support, and more. See the KernelNewbies 4.10 page for lots of details.

Stable kernels 4.9.11 and 4.4.50

Sunday 19th of February 2017 04:56:55 PM
The 4.9.11 and 4.4.50 stable kernel updates are available; each contains the usual set of important fixes.

SystemTap 3.1 has been released

Friday 17th of February 2017 09:43:55 PM
The SystemTap team has announced the 3.1 release of the tool that allows extracting performance and debugging information at runtime from the kernel as well as various user-space programs. New features include support for adding probes to Python 2 and 3 functions, Java probes now convert all parameters to strings before passing them to probes, a new @variance() statistical operator has been added, new sample scripts have been added, and more.

More in Tux Machines

Recent open source hardware trends, from SBCs to servers

At ELC Europe, Intel MinnowBoard SBC evangelist John Hawley surveyed open hardware trends, and their impact on OS-enabled device and system development. When you mention open source hardware, people typically think about community-backed hacker boards. However, the open hardware movement is growing on many fronts, including medical devices, rocketry and satellites, 3D printers, cameras, VR gear, and even laptops and servers. At the Embedded Linux Conference Europe in October, John “Warthog9” Hawley, Intel’s evangelist for the MinnowBoard SBC, surveyed the key open hardware trends he saw in 2016. The full video, “Survey of Open Hardware 2016,” can be seen below.

Open-O Merges with ECOMP

Linux Kernels 4.9.12 & 4.4.51 Now Available with Small Changes, Updated Drivers

Greg Kroah-Hartman announced today the general availability of two new maintenance updates for the long-term supported Linux 4.9 and Linux 4.4 kernel updates for Linux-based operating systems.

Recreating the PCLinuxOS Full Monty with KDE Plasma Activities

When I recently wrote about the new PCLinuxOS release, I was a bit disappointed to find that the Full Monty version had been laid to rest. I'm sure there were a lot of good reasons for this decision, and I have no quarrel with it. But it still made me a bit sad, because I have always kept the Full Monty on at least one of my systems (it is currently on my Acer All-In-One desktop), and I often showed it to people who were curious about Linux, as an example of its breadth, depth and flexibility. So I decided that it might be a useful exercise for me to try to create the equivalent of the Full Monty desktop starting from the latest PCLinuxOS KDE5 distribution. There are two major features which distinguish the Full Monty desktop - it had six virtual desktops, each of which was dedicated to a specific use, and it had lots and lots and lots of packages installed. The desktops looked like this: