Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 6 hours 57 min ago

Linux Kernel BPF JIT Spraying (grsecurity forums)

Tuesday 3rd of May 2016 05:33:02 PM
Over at the grsecurity forums, Brad Spengler writes about a recently released proof of concept attack on the kernel using JIT spraying. "What happened next was the hardening of the BPF interpreter in grsecurity to prevent such future abuse: the previously-abused arbitrary read/write from the interpreter was now restricted only to the interpreter buffer itself, and the previous warn on invalid BPF instructions was turned into a BUG() to terminate execution of the exploit. I also then developed GRKERNSEC_KSTACKOVERFLOW which killed off the stack overflow class of vulns on x64. A short time later, there was work being done upstream to extend the use of BPF in the kernel. This new version was called eBPF and it came with a vastly expanded JIT. I immediately saw problems with this new version and noticed that it would be much more difficult to protect -- verification was being done against a writable buffer and then translated into another writable buffer in the extended BPF language. This new language allowed not just arbitrary read and write, but arbitrary function calling." The protections in the grsecurity kernel will thus prevent this attack. In addition, the newly released RAP feature for grsecurity, which targets the elimination of return-oriented programming (ROP) vulnerabilities in the kernel, will also ensure that "the fear of JIT spraying goes away completely", he said.

Security advisories for Tuesday

Tuesday 3rd of May 2016 04:08:42 PM

Debian-LTS has updated openjdk-7 (multiple vulnerabilities) and smarty3 (code execution).

Fedora has updated php (F23: multiple vulnerabilities).

Gentoo has updated git (multiple vulnerabilities).

Oracle has updated mercurial (OL7: two vulnerabilities).

Scientific Linux has updated mercurial (SL7: two vulnerabilities).

Slackware has updated mercurial (code execution).

Ubuntu has updated libtasn1-3, libtasn1-6 (15.10, 14.04, 12.04: denial of service), libtasn1-6 (16.04: denial of service), openssl (multiple vulnerabilities), poppler (15.10, 14.04, 12.04: multiple vulnerabilities), and firefox (12.04: denial of service).

May Android security bulletin

Tuesday 3rd of May 2016 06:44:41 AM
The Android security bulletin for May is available. It lists 40 different CVE numbers addressed by the May over-the-air update; the bulk of those are at a severity level of "high" or above. "Partners were notified about the issues described in the bulletin on April 04, 2016 or earlier. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository over the next 48 hours. We will revise this bulletin with the AOSP links when they are available. The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."

Intl. Day Against DRM is Tuesday

Monday 2nd of May 2016 09:36:27 PM
The International Day Against DRM is May 3. "Participate in person at one of the planned events, or join us Tuesday on dayagainstdrm.org for ways to take action against DRM. There will also be a list of discounted ebook offerings from stores participating in the Day."

Security updates for Monday

Monday 2nd of May 2016 06:03:30 PM

Arch Linux has updated firefox (multiple vulnerabilities).

CentOS has updated mercurial (C7: two vulnerabilities).

Debian has updated botan1.10 (multiple vulnerabilities), chromium-browser (multiple vulnerabilities), poppler (code execution), and tardiff (two vulnerabilities).

Debian-LTS has updated botan1.10 (multiple vulnerabilities), gdk-pixbuf (two vulnerabilities), mysql-5.5 (multiple vulnerabilities), poppler (code execution), and subversion (two vulnerabilities).

Fedora has updated ansible (F23; F22: code execution), firefox (F23: multiple vulnerabilities), gd (F23: code execution), openvas-cli (F23: cross-site scripting), openvas-gsa (F23: cross-site scripting), openvas-libraries (F23: cross-site scripting), openvas-manager (F23: cross-site scripting), openvas-scanner (F23: cross-site scripting), roundcubemail (F23; F22: multiple vulnerabilities), and xen (F23; F22: multiple vulnerabilities).

Mageia has updated chromium-browser-stable (multiple vulnerabilities), firefox (multiple vulnerabilities), pgpdump (denial of service), php (multiple vulnerabilities), php-ZendFramework (multiple vulnerabilities), and roundcubemail (three vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), java-1.6.0-ibm (RHEL5,6: multiple vulnerabilities), java-1.7.0-ibm (RHEL5: multiple vulnerabilities), java-1.7.1-ibm (RHEL7: multiple vulnerabilities), mercurial (RHEL7: two vulnerabilities), and rh-mysql56-mysql (RHSCL: multiple vulnerabilities).

Slackware has updated ntp (multiple vulnerabilities), php (multiple vulnerabilities), and subversion (two vulnerabilities).

Ubuntu has updated ubuntu-core-launcher (16.04: code execution).

A guide to inline assembly code in GCC

Monday 2nd of May 2016 07:59:38 AM
The "linux-insides" series of articles has gained an overview of inline assembly in GCC. "I've decided to write this to consolidate my knowledge related to inline assembly here. As inline assembly statements are quite common in the Linux kernel and we may see them in linux-insides parts sometimes, I thought that it would be useful if we would have a special part which contains descriptions of the more important aspects of inline assembly. Of course you may find comprehensive information about inline assembly in the official documentation, but I like the rules all in one place."

Kernel prepatch 4.6-rc6

Monday 2nd of May 2016 07:41:40 AM
The 4.6-rc6 kernel prepatch is out. Linus says: "Things continue to be fairly calm, although I'm pretty sure I'll still do an rc7 in this series." As of this prepatch the code name has been changed to "Charred Weasel."

Devuan Jessie beta released

Saturday 30th of April 2016 01:45:10 PM
The Devuan community has finally gotten a beta release out for testing. "Debian GNU+Linux [sic] is a fork of Debian without systemd, on its way to become much more than that. This Beta release marks an important milestone towards the sustainability and the continuation of Devuan as an universal base distribution."

WebExtensions in Firefox 48

Friday 29th of April 2016 10:45:38 PM

At the Mozilla blog, Andy McKay announces that the browser maker has officially declared WebExtensions ready to use for add-on development. "With the release of Firefox 48, we feel WebExtensions are in a stable state. We recommend developers start to use the WebExtensions API for their add-on development." The WebExtensions support released for Firefox 48 includes improvements to the "alarms, bookmarks, downloads, notifications, webNavigation, webRequest, windows and tabs" APIs, support for a new Content Security Policy that limits where resources can be loaded from, and support in Firefox for Android. LWN looked at the WebExtensions API in December.

Friday's security updates

Friday 29th of April 2016 04:07:13 PM

Debian has updated subversion (multiple vulnerabilities).

Fedora has updated i7z (F23: denial of service).

openSUSE has updated php5 (Leap 42.1: multiple vulnerabilities).

SUSE has updated ntp (SLE11; SLE12: multiple vulnerabilities).

The ACM 2015 technical awards

Friday 29th of April 2016 07:34:27 AM
The Association for Computing Machinery has announced the recipients of its 2015 technical awards. They are Brent Walters, Michael Luby, Eric Horvitz, and: "Richard Stallman, recipient of the ACM Software System Award for the development and leadership of GCC (GNU Compiler Collection), which has enabled extensive software and hardware innovation, and has been a lynchpin of the free software movement."

X.Org votes to join SPI

Thursday 28th of April 2016 03:08:22 PM

The results of the X.Org election are in. There were two things up for a vote: four seats on the board of directors and amending the bylaws to join Software in the Public Interest (SPI). Unlike last year's election, this year's vote met the required 2/3 approval to join SPI (61 voters out of 65 members, with 54 voting "Yes", 4 "No", and 3 "Abstain"). In addition, Egbert Eich, Alex Deucher, Keith Packard, and Bryce Harrington were elected to the board.

Security updates for Thursday

Thursday 28th of April 2016 03:00:07 PM

CentOS has updated firefox (C6; C5: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities) and php5 (multiple vulnerabilities).

Fedora has updated kernel (F23: two vulnerabilities) and libtasn1 (F22: denial of service).

openSUSE has updated php5 (13.2: multiple vulnerabilities, including one from 2014).

SUSE has updated php5 (SLE12: multiple vulnerabilities, including one from 2014).

Ubuntu has updated libsoup2.4 (16.04, 15.10, 14.04: regression in previous update), oxide-qt (16.04, 15.10, 14.04: multiple vulnerabilities), php5 (15.10: regression in previous update), and thunderbird (multiple vulnerabilities).

[$] LWN.net Weekly Edition for April 28, 2016

Thursday 28th of April 2016 12:45:42 AM
The LWN.net Weekly Edition for April 28, 2016 is available.

Firefox 46.0

Wednesday 27th of April 2016 05:05:59 PM
Firefox 46.0 has been released, featuring improved security of the JavaScript Just In Time (JIT) Compiler and GTK3 integration. See the release notes for more details.

Security advisories for Wednesday

Wednesday 27th of April 2016 04:07:18 PM

CentOS has updated firefox (C7: multiple vulnerabilities).

Debian has updated mysql-5.5 (multiple vulnerabilities) and openjdk-7 (multiple vulnerabilities).

Fedora has updated rpm (F23: two vulnerabilities) and xstream (F23; F22: enabled processing of external entities).

Gentoo has updated libksba (three vulnerabilities) and wireshark (multiple vulnerabilities).

Mageia has updated libgd (code execution), samba (multiple vulnerabilities), w3m (denial of service), and wireshark (multiple vulnerabilities).

Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities).

Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities).

Slackware has updated firefox (multiple vulnerabilities).

Ubuntu has updated firefox (multiple vulnerabilities).

GCC 6.1 Released

Wednesday 27th of April 2016 12:14:57 PM
Version 6.1 of the GCC compiler suite is out. Changes in this release include defaulting to the C++14 standard, improved diagnostic output, full support for OpenMP 4.5, better optimization, and more; see the changelog for a full list.

New functional programming language can generate C, Python code for apps (InfoWorld)

Tuesday 26th of April 2016 08:24:42 PM
InfoWorld introduces Futhark, an open source functional programming language designed for creating code that runs on GPUs. It can automatically generate both C and Python code to be integrated with existing apps. "Most GPU programming involves using frameworks like OpenCL or CUDA, both of which use variations of C or C++ to generate code that runs on the GPU. Futhark can generate C code, but is its own language, more similar to Haskell or Standard ML than C. (Futhark is itself written in Haskell.) Futhark's creators claim that the expressiveness of the language makes it easier to describe complex operations that use parallelism. This includes the ability to support nested parallelizations (parallel operations inside other parallel operations). Futhark can do this "despite the complexities of efficiently mapping to the flat parallelism supported by hardware, as a great many programs depend on this feature," say the language's creators."

Tuesday's security updates

Tuesday 26th of April 2016 04:30:11 PM

CentOS has updated nspr (C5: two vulnerabilities), nss (C5: two vulnerabilities), nspr (C7: two vulnerabilities), nss (C7: two vulnerabilities), nss-softokn (C7: two vulnerabilities), and nss-util (C7: two vulnerabilities).

Fedora has updated ansible1.9 (F23; F22: code execution), golang (F23; F22: denial of service), gsi-openssh (F23; F22: command injection), mingw-poppler (F23; F22: code execution), mod_nss (F23; F22: invalid handling of +CIPHER operator), and webkitgtk4 (F22: multiple vulnerabilities).

openSUSE has updated flash-player (11.4: code execution).

Oracle has updated nss and nspr (OL5: two vulnerabilities) and nss, nspr, nss-softokn, and nss-util (OL7: three vulnerabilities).

Scientific Linux has updated nss, nspr, nss-softokn, nss-util (SL7: two vulnerabilities).

SUSE has updated php53 (SLE11-SP4: multiple vulnerabilities), portus (SLEM12: multiple vulnerabilities), and xen (SLES11-SP2: multiple vulnerabilities).

Finding a new home for Thunderbird

Tuesday 26th of April 2016 08:52:58 AM
The Mozilla Foundation has (in the guise of Gervase Markham) posted an update on the process of spinning off the Thunderbird mail client as a separate project. As part of that, they engaged Simon Phipps to write up a survey of possible new homes [PDF] for the project. "Having reviewed the destinations listed below together with several others which were less promising, I believe there are three viable choices for a future home for the Thunderbird Project; Software Freedom Conservancy, The Document Foundation and a new deal at the Mozilla Foundation. None of these three is inherently the best, and it is possible that over time the project might seek to migrate to a 'Thunderbird Foundation' as a permanent home (although I would not recommend that as the next step)."

More in Tux Machines

CoreOS Linux 899.17.0 Released with OpenSSL 1.0.2h, NTPd 4.2.8p7, and Git 2.7.3

The CoreOS developers have released a new version of the Linux kernel-based operating system engineered for massive server deployments, CoreOS 899.17.0. Powered by Linux kernel 4.3.6, CoreOS 899.17.0 arrived on May 3, 2016, as an upgrade to the previous release of the GNU/Linux operating system, which system administrators can use for creating and maintaining open-source projects for Linux Containers, version 899.15.0. Read more

Black Lab Brings Real-Time Kernel Patching to Its Enterprise Desktop 8 Linux OS

A few moments ago, Softpedia has been informed by Black Lab Software about the general availability of the sixth DP (Developer Preview) build of the upcoming Black Lab Linux Enterprise Desktop 8 OS. Sporting a new kernel from the Linux kernel from the 4.2 series, Black Lab Linux Enterprise Desktop 8 Developer Preview 6 arrives today for early adopters and public beta testers with real-time kernel patching, which means that you won't have to reboot your Black Lab Linux Enterprise OS after kernel upgrades. "DP6 offers you a window into what's new and whats coming when Black Lab Enterprise Desktop and Black Lab Enterprise Desktop for Education is released. As with our other developer previews it also aids in porting your applications to the new environment," said Roberto J. Dohnert, CEO, Black Lab Software. Read more

USB stick brings neural computing functions to devices

Movidius unveiled a “Fathom” USB stick and software framework for integrating accelerated neural networking processing into embedded and mobile devices. On April 28, Movidius announced availability of the USB-interfaced “Fathom Neural Compute Stick,” along with an underlying Fathom deep learning software framework. The device is billed as “the world’s first embedded neural network accelerator,” capable of allowing “powerful neural networks to be moved out of the cloud, and deployed natively in end-user devices.” Read more

ImageMagick Security Bug Puts Sites at Risk

  • Open Source ImageMagick Security Bug Puts Sites at Risk
    ImageMagick, an open source suite of tools for working with graphic images used by a large number of websites, has been found to contain a serious security vulnerability that puts sites using the software at risk for malicious code to be executed onsite. Security experts consider exploitation to be so easy they’re calling it “trivial,” and exploits are already circulating in the wild. The biggest risk is to sites that allows users to upload their own image files. Information about the vulnerability was made public Tuesday afternoon by Ryan Huber, a developer and security researcher, who wrote that he had little choice but to post about the exploit.
  • Huge number of sites imperiled by critical image-processing vulnerability
    A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images. The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.
  • Extreme photo-bombing: Bad ImageMagick bug puts countless websites at risk of hijacking
    A wildly popular software tool used by websites to process people's photos can be exploited to execute malicious code on servers and leak server-side files. Security bugs in the software are apparently being exploited in the wild right now to compromise at-risk systems. Patches to address the vulnerabilities are available in the latest source code – but are incomplete and have not been officially released, we're told.