Brief items
Security
Google's open-source vulnerability schema
The Google Security Blog announces the release of a schema intended to describe vulnerabilities in a project-independent manner:
With this schema we hope to define a format that all vulnerability databases can export. A unified format means that vulnerability databases, open source users, and security researchers can easily share tooling and consume vulnerabilities across all of open source. This means a more complete view of vulnerabilities in open source for everyone, as well as faster detection and remediation times resulting from easier automation.
This schema is already being provided by a number of projects, including Go, Rust, Python, DWF, and OSS-Fuzz.
An EPYC escape: Case-study of a KVM breakout (Project Zero blog)
Over at the Project Zero blog, Felix Wilhelm posted a lengthy account of a vulnerability he found in the Linux kernel's KVM (Kernel-based virtual machine) subsystem:
In this blog post I describe a vulnerability in KVM’s AMD-specific code and discuss how this bug can be turned into a full virtual machine escape. To the best of my knowledge, this is the first public writeup of a KVM guest-to-host breakout that does not rely on bugs in user space components such as QEMU. The discussed bug was assigned CVE-2021-29657, affects kernel versions v5.10-rc1 to v5.12-rc6 and was patched at the end of March 2021. As the bug only became exploitable in v5.10 and was discovered roughly 5 months later, most real world deployments of KVM should not be affected. I still think the issue is an interesting case study in the work required to build a stable guest-to-host escape against KVM and hope that this writeup can strengthen the case that hypervisor compromises are not only theoretical issues.
Take control over your data with Rally, a novel privacy-first data sharing platform (Mozilla blog)
Over on the Mozilla blog, the company has announced a new platform, Mozilla Rally, that "puts users in control of their data and empowers them to contribute their browsing data to crowdfund projects for a better Internet and a better society". Rally comes out of work that Mozilla did with Professor Jonathan Mayer's research group at Princeton University.
Your data is valuable. But for too long, online services have pilfered, swapped, and exploited your data without your awareness. Privacy violations and filter bubbles are all consequences of a surveillance data economy. But what if, instead of companies taking your data without giving you a say, you could select who gets access to your data and put it to work for public good? [...] By leveraging the scale of web browsers – a piece of software used by billions of people around the world – Rally has the potential to help address societal problems we could not solve before. Our goal is to demonstrate that there is a case for an equitable market for data, one where every party is treated fairly, and we welcome mission-aligned organizations that want to join us on this journey.
Security quote of the week
We believe a missing factor is entrepreneurship. Cyber-crooks are running tech startups, and face the same problems as other tech entrepreneurs. There are preconditions that create the opportunity. There are barriers to entry to be overcome. There are pathways to scaling up, and bottlenecks that inhibit scaling. There are competitive factors, whether competing crooks or motivated defenders. And finally there may be saturation mechanisms that inhibit growth.
One difference with regular entrepreneurship is the lack of finance: a malware gang can’t raise VC to develop a cool new idea, or cash out by means of an IPO. They have to use their profits not just to pay themselves, but also to invest in new products and services. In effect, cybercrooks are trying to run a tech startup with the financial infrastructure of an ice-cream stall.
— Ross Anderson
Kernel development
Kernel release status
The 5.13 kernel was released on June 27; in the announcement Linus said:
Of course, if the last week was small and calm, 5.13 overall is actually fairly large. In fact, it's one of the bigger 5.x releases, with over 16k commits (over 17k if you count merges), from over 2k developers. But it's a 'big all over' kind of thing, not something particular that stands out as particularly unusual.
Headline features in this release include the "misc" group controller, multiple sources for trusted keys, kernel stack randomization on every system call, support for Clang control-flow integrity enforcement, the ability to call kernel functions directly from BPF programs, minor-fault handling for userfaultfd(), the removal of /dev/kmem, the Landlock security module, and, of course, thousands of cleanups and fixes.
Stable updates: 5.12.14, 5.10.47, 5.4.129, 4.19.196, 4.14.238, 4.9.274, and 4.4.274 were released on June 30.
The first ever KernelCI hackfest
The KernelCI continuous-integration project held its first hackfest recently. Developers from the KernelCI team, Google, and Collabora worked to improve many different aspects of KernelCI testing capabilities. There are plans for more hackfests.
The first-ever KernelCI hackfest was a success. It kicked off the work to enable kernel testing through Chromium OS, a product-specific userspace. Enabling full userspace images and real-world tests like video call simulations adds a lot of complexity to the testing process. However, the benefits are a clear win for the community. They allow a more thorough kernel testing and validation through real application use cases, which can exercise several different kernel areas at the same time in an organized manner. Generally, it is not simple for lower-level kernel test suites like kselftests or LTP to orchestrate a similar use case.
Quote of the week
Dealing with tricky semantics is the difference between a feature and a hack. Doing so in a way that other people can take advantage of the feature is the hallmark of a feature well done.
— Casey Schaufler
Distributions
Distribution quote of the week
By programming on a limited system like FreeDOS, you constantly have to think about the tradeoffs. How much memory does my program really need to do its job? Is it faster to read a file into memory to work on it, or process the file one bit at a time? And you’re always keeping in mind what libraries and other code you use in your program. A DOS program can only be so big, so you need to be careful about how you write a DOS program.
When you write DOS programs all the time, you get really good at optimizing a program. You think about programming in a different way, because you’re always considering how to do something more efficiently. That’s a challenge, but an interesting one.
— Jim Hall
Development
MyGNUHealth Personal Health Record 1.0 released
The first stable release of MyGNUHealth is out.
I am proud to announce the first stable release of MyGNUHealth, the GNU Health Personal Health Record for desktop and mobile devices. From now on, anyone can benefit from a Libre Personal Health application that respects our privacy, both from our desktops and from our libre phones (such as the PinePhone). MyGNUHealth is more than a health and activity tracker, since it incorporates state-of-the-art technology and resources from medicine, genomics and bioinformatics. Thanks to the integration with the GNU Federation, we can communicate and share the information we wish with our health professionals in real-time.
See this announcement for more information.
Development quote of the week
Road maintenance doesn't mean adding more lanes to the road every month, just means making sure the road does not break and fixing it a bit when/if it happens.
The same applies to software maintenance, the fact that there are no new features does not mean the software is not maintained.
— Albert Astals Cid (Thanks to Paul Wise)
Page editor: Jake Edge
