Brief items

Security quote of the week

In this post, I want to showcase CVE-2021-21225, a vulnerability in V8's Array.prototype.concat implementation that I discovered in April 2021. It was used to gain code execution in Google Chrome's renderer process and won a $22000 bounty from Google which was donated to the EFF (matched by Google). The bug itself has quite an interesting history and marks all the checkboxes of a powerful V8 engine vulnerability that comes with V8 builtin bugs: works in pdfium, web workers, and JIT-less codebases.

For curiosity's sake, I checked the Chrome Renderer Remote Code Execution (RCE) rates in the Offensive Security markets and was offered $500k for this exploit paid out over 12 months with 10% paid upfront - quarterly payouts contingent on the vulnerability not being patched.

— Brendon Tiszka (Thanks to Paul Wise.)

Comments (none posted)

Kernel release status

The current development kernel is 5.14-rc6, released on August 15. "Nothing particular stands out to me. Go test, we should be getting pretty close to done with this release..."

Stable updates: 5.13.10, 5.10.58, 5.4.140, and 4.19.203 were released on August 12. Thereafter, 5.13.11, 5.10.59, 5.4.141, 4.19.204, 4.14.244, 4.9.280, and 4.4.281 were released on August 15, followed by 5.13.12, 5.10.60, 5.4.142 on August 18.

Comments (none posted)

"The kernel report" online, August 26

As part of the ramp-up to the 2021 Linux Plumbers Conference, LWN editor Jonathan Corbet will be presenting a version of "The kernel report" at 9:00AM US/Mountain time (15:00 UTC) on Thursday, August 26. Registration for LPC is not required; all are welcome for an update on the state of kernel development and a perspective on 30 years of the Linux kernel. Please come for an interesting discussion and to help the LPC crew stress-test the 2021 infrastructure.

The talk will be happening at meet.lpc.events; the more the merrier.

Comments (5 posted)

Asahi Linux progress report for August

For those waiting to run Linux on Apple M1 hardware, the the August Asahi Linux progress report is out.

Instead, a much safer approach that has been used by projects such as Nouveau in the past is to record a log of the hardware accesses that the official drivers perform on a real system, without actually looking at the code. Nouveau accomplished this by using a Linux driver to intercept accesses by Nvidia’s official Linux driver. Of course, Apple’s M1 drivers are for macOS, not Linux. While we could implement the same approach with a custom patch to the open source core of the macOS kernel, we decided instead to go one level deeper and build a hypervisor that can run the entirety of macOS, unmodified, in a VM that transparently presents it the real M1 hardware.

Comments (8 posted)

Debian 11 "bullseye" released

Debian 11, codenamed "bullseye", has been released after just over two years of development. It has lots of updates, including to half a dozen different desktop environments, lots of tools and programming languages, and, of course, more. It is available for nine different architectures.

This release contains over 11,294 new packages for a total count of 59,551 packages, along with a significant reduction of over 9,519 packages which were marked as "obsolete" and removed. 42,821 packages were updated and 5,434 packages remained unchanged.

"bullseye" becomes our first release to provide a Linux kernel with support for the exFAT filesystem and defaults to using it for mount exFAT filesystems. Consequently it is no longer required to use the filesystem-in-userspace implementation provided via the exfat-fuse package. Tools for creating and checking an exFAT filesystem are provided in the exfatprogs package.

Full Story (comments: 30)

Debian Edu / Skolelinux Bullseye released

Following the Debian "Bullseye" release is a new Skolelinux distribution for a school near you.

Debian Edu, also known as Skolelinux, is a Linux distribution based on Debian providing an out-of-the box environment of a completely configured school network. Immediately after installation, a school server running all services needed for a school network is set up just waiting for users and machines to be added via GOsa², a comfortable web interface.

Full Story (comments: none)

Distribution quote of the week

For example, there are those of us who think that the downsides of the combination of 3.0 (quilt) and patches stored unapplied in git are significant, and so we have made attempts to provide alternatives, such as git-debrebase. Contributing to Debian would be a lot less fun if we were asked to just set these reasons aside and use something which to us is clearly technically inferior.

— Sean Whitton

Comments (7 posted)

Firefox 91.0.1 and Firefox ESR 91.0.1

These releases of Firefox 91.0.1 and Firefox ESR 91.0.1 fix two issues; one caused buttons on the tab bar to be resized and the other caused tabs from private windows to be visible in non-private windows. There is also a fix for a header splitting attack, and fixes for various stability issues.

Comments (none posted)

Git 2.33.0 released

Version 2.33.0 of the Git source-code management system has been released.

As can be seen here, it turns out that this release does not have many end-user facing changes and new features, but a lot of fixes and internal improvements went into the codebase during this cycle. Also, preparation for a new merge strategy backend (can be used with "git merge -sort" today) is on its final stretch and we are hoping that it can become the default in the next release.

Comments (1 posted)

Go 1.17 is released

The Go blog has announced the release of version 1.17 of the Go programming language. The new version has some fairly small changes to the language, support for the Arm 64-bit architecture on Windows, along with other features, bug fixes, and more:

This release brings additional improvements to the compiler, namely a new way of passing function arguments and results. This change has shown about a 5% performance improvement in Go programs and reduction in binary sizes of around 2% for amd64 platforms. Support for more platforms will come in future releases.

See the release notes for more information.

Comments (1 posted)

KDE Gear 21.08

The KDE project has announced the release of KDE Gear 21.08, which updates the over 200 apps that are part of the project. The announcement highlights updates in many of the desktop tools that KDE Plasma users are accustomed to, including the Okular document viewer, the Dolphin file manager, Elisa music player, and Gwenview image viewer. The Konsole terminal application got updated as well:

Text terminals are intimidating to people who are new to Linux. But knowing just a bit about how to use them (no, you don’t need to know how to program) gives you a level of control over your machine difficult to achieve any other way.

This is doubly true when using Konsole, KDE’s very powerful spin on the classic text terminal. In fact, calling Konsole a “terminal emulator” and leaving it at that is not fair. Take Konsole’s preview feature, for example, type white, red, blue or salmon at the command line, hover the cursor over the word, and a box will appear displaying the color. You can also use HTML color codes, like #1d99f3 and get a preview of the KDE blue color.

Previews extend to images and folders: hover the cursor over an image filename in a list in Konsole and a thumbnail will pop up showing you a preview. Hovering over a folder will show you a preview of its contents. This is very useful when you want to make sure you are copying, moving, or erasing the right thing.

Comments (36 posted)

Facebook, Google, Isovalent, Microsoft and Netflix Launch eBPF Foundation as Part of the Linux Foundation

The Linux Foundation has announced the formation of the eBPF Foundation:

Founding members include Facebook, Google, Isovalent, Microsoft and Netflix. This comes in advance of the eBPF Summit, a free and virtual event taking place August 18-19, 2021.

eBPF allows developers to safely and efficiently embed programs in any piece of software, including the operating system kernel. As a result, eBPF is quickly becoming the method of choice for achieving a wide range of infrastructure use cases, delivering significant efficiency and performance gains and dramatically reducing the complexity of the system. For example, Facebook is using eBPF as the primary software-defined load balancer in its data centers, and Google is using Cilium to bring eBPF-based networking and security to the managed Kubernetes offerings GKE and Anthos.

[...] The eBPF Foundation will expand the significant level of contributions being made to extend the powerful capabilities of eBPF and grow beyond Linux. It will be the home for open source eBPF projects and technologies and nurture the community through a variety of activities, including summits and other collaboration events in order to further drive the growth and adoption of the eBPF ecosystem.

Comments (15 posted)