lwn.net
Incus 6.0 LTS released
Security updates for Thursday
[$] LWN.net Weekly Edition for April 4, 2024
AlmaLinux OS - CVE-2024-1086 and XZ (AlmaLinux blog)
AlmaLinux has announced updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a use-after-free vulnerability in the kernel that could be exploited to gain local privilege escalation. This is notable because the fix marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):
In January of this year, a kernel flaw was disclosed and named CVE-2024-1086. This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.
Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact.
The AlmaLinux project would also like to note that it is not impacted by the XZ backdoor. "Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn't made it further than Fedora in our ecosystem."
Malcolm: Improvements to static analysis in the GCC 14 compiler
Solving the halting problem?
Obviously I'm kidding with the title here, but for GCC 14 I've implemented a new warning: -Wanalyzer-infinite-loop that's able to detect some simple cases of infinite loops.
See also: this report from the 2023 GNU Tools Cauldron.
Four stable kernel updates
[$] A memory model for Rust code in the kernel
KDE6 release: D-Bus and Polkit Galore (SUSE security team blog)
The SUSE security team restricts the installation of system wide D-Bus services and Polkit policies in openSUSE distributions and derived SUSE products. Any package that ships these features needs to be reviewed by us first, before it can be added to production repositories.
In November, openSUSE KDE packagers approached us with a long list of KDE components for an upcoming KDE6 major release. The packages needed adjusted D-Bus and Polkit whitelistings due to renamed interfaces or other breaking changes. Looking into this many components at once was a unique experience that also led to new insights, which will be discussed in this article.
Security updates for Wednesday
Redict 7.3.0 released
You may be wondering why Redict would be of interest to you, particularly when compared with Valkey, another Redis fork that was announced on Thursday.
In technical terms, we are focusing on stability and long-term maintenance, and on achieving excellence within our current scope. We believe that Redict is near feature-complete and that it is more valuable to our users if we take a conservative stance to innovation and focus on long-term reliability instead. This is in part a choice we've made to distinguish ourselves from Valkey, whose commercial interests are able to invest more resources into developing more radical innovations, but also an acknowledgement of a cultural difference between our projects, in that the folks behind Redict place greater emphasis on software with a finite scope and ambitions towards long-term stability rather than focusing on long-term growth in scope and complexity.
[$] How the XZ backdoor works
Versions 5.6.0 and 5.6.1 of the XZ compression utility and library were shipped with a backdoor that targeted OpenSSH. Andres Freund discovered the backdoor by noticing that failed SSH logins were taking a lot of CPU time while doing some micro-benchmarking, and tracking down the backdoor from there. It was introduced by XZ co-maintainer "Jia Tan" — a probable alias for person or persons unknown. The backdoor is a sophisticated attack with multiple parts, from the build system, to link time, to run time.
[$] Free software's not-so-eXZellent adventure
Security updates for Tuesday
[$] Improving performance with SCHED_EXT and IOCost
At SCALE this year Dan Schatzberg and Tejun Heo, both from Meta, gave back-to-back talks about some of the performance-engineering work that they do there. Schatzberg presented on the extensible BPF scheduler, which has been discussed extensively on the kernel mailing list. Heo presented on IOCost — a control group (cgroup) I/O controller optimized for solid-state disks (SSDs) — and the benchmark suite that is necessary to make it work well on different models of disk.
NetBSD 10.0 released
The netbsd-10 release branch is more than a year old now, so it is high time the 10.0 release makes it to the front stage. This matches the long time it took for the development branch to get ready for branching, a lot of development went into this new release.
This also caused the release announcement to be one of the longest we ever did.
As might be imagined, there are a lot of changes; see the above-mentioned release announcement for the details.
Security updates for Monday
Kernel prepatch 6.9-rc2
A few relevant quotes
I'm on a holiday and only happened to look at my emails and it seems to be a major mess. — Lasse Collin
The reality that we are struggling with is that the free software infrastructure on which much of computing runs is massively and painfully underfunded by society as a whole, and is almost entirely dependent on random people maintaining things in their free time because they find it fun, many of whom are close to burnout. This is, in many ways, the true root cause of this entire event. — Russ Allbery
Incredible work from Andres. The attackers made a serious strategic mistake: they made PostgreSQL slightly slower. — Thomas Munro
There is no way to discuss this in public without turning a single malicious entity into 10 000 malicious entities once the information is widely known.
Making sure the impact and mitigations are known before posting this publicly so that everyone knows what to do before the 10 000 malicious entities start attacking is just common sense. — Marc Deslauriers
Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat. — Jan Wildeboer
A backdoor in xz
I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access. Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.
The affected versions are not yet widely shipped, but checking systems for the bad version would be a good idea.
Update: there are advisories out now from Arch, Debian, Red Hat, and openSUSE.
A further update from openSUSE:
For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited. Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible. Also rotation of any credentials that could have been fetched from the system is highly recommended.