Brief items

Security

The quantum state of Linux kernel garbage collection (Project Zero)

The Project Zero blog has posted a detailed look at CVE-2021-0920 in the first of a two-part series on how this bug created a vulnerability that was subsequently exploited.

Google's Threat Analysis Group (TAG) discovered Samsung browser exploit chains being used in the wild. TAG then performed root cause analysis and discovered that this vulnerability, CVE-2021-0920, was being used to escape the sandbox and elevate privileges. CVE-2021-0920 was reported to Linux/Android anonymously. The Google Android Security Team performed the full deep-dive analysis of the exploit.

This issue was initially discovered in 2016 by a RedHat kernel developer and disclosed in a public email thread, but the Linux kernel community did not patch the issue until it was re-reported in 2021.

Security quote of the week

So to recap: the company says it has to block farmers from having the final say over their own tractors because they could create security risks and also threaten [John] Deere's copyrights (the company even claims that locking down tractors is necessary to preventing music infringement, as though a farmer would spend $600k on a tractor so they could streamrip Spotify tracks).

But in reality, the company itself is a dumpster-fire of information security worst practices, whose unpatched, badly configured, out-of-date tractors are a bonanza of vulnerabilities and unforced errors. What's more, the company – which claims to be staunch defenders of copyright – use their copyright locks to hide the fact that they are committing serious breaches of software copyright.

Cory Doctorow

Kernel development

Kernel release status

The current development kernel is 6.0-rc1, released on August 14. Linus said:

I actually was hoping that we'd get some of the first rust infrastructure, and the multi-gen LRU VM, but neither of them happened this time around. There's always more releases. But there's a lot of continued development pretty much all over the place.

The codename has also been changed to "Hurr durr I'ma ninja sloth".

Stable updates: 5.19.1, 5.18.17, 5.15.60, 5.10.136, 5.4.210, and 4.19.255 were released on August 11, followed by the huge 5.19.2, 5.18.18, and 5.15.61 updates on August 17.

Distributions

Android 13 released

Version 13 of the Android system has landed in the Android Open Source Project; the list of changes is long.

To help users focus on the notifications that are most important to them, Android 13 introduces a new notifications runtime permission. Apps now need to request the notification permission from the user before posting notifications.

Development

Rust 1.63.0 released

Version 1.63.0 of the Rust language has been released. Changes include the addition of scoped threads, a new ownership model for raw file descriptors, and the completion of the borrow-checker transition:

As detailed in this blog post, we've fully removed the previous lexical borrow checker from rustc across all editions, fully enabling the non-lexical, new, version of the borrow checker. Since the borrow checker doesn't affect the output of rustc, this won't change the behavior of any programs, but it completes a long-running migration (started in the initial stabilization of NLL for the 2018 edition) to deliver the full benefits of the new borrow checker across all editions of Rust. For most users, this change will bring slightly better diagnostics for some borrow checking errors, but will not otherwise impact which code they can write.

Page editor: Jake Edge


Copyright © 2022, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds