Brief items
Security
GCC security features from AdaCore
The AdaCore blog describes some hardening features contributed to GCC for the GCC 14 release.
With -fharden-control-flow-redundancy, the compiler now verifies, at the end of functions, whether the traversed basic blocks align with a legitimate execution path. The purpose of this protective measure is to detect and thwart attacks attempting to infiltrate the middle of functions, thereby enhancing the overall security posture of the compiled code.
A locally exploitable glibc vulnerability
Qualys has disclosed a vulnerability in the GNU C Library that can be exploited by a local attacker for root access. It was introduced in the 2.37 release, and also backported to 2.36.
For example, we confirmed that Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39 are vulnerable to this buffer overflow. Furthermore, we successfully exploited an up-to-date, default installation of Fedora 38 (on amd64): a Local Privilege Escalation, from any unprivileged user to full root. Other distributions are probably also exploitable.
Vulnerable systems with untrusted users should probably be updated in a timely manner.
Security quotes of the week
Fuzzing is fantastic for finding bugs, but for security to improve, those bugs also need to be patched. It's long been an industry-wide struggle to find the engineering hours needed to patch open bugs at the pace that they are uncovered, and triaging and fixing bugs is a significant manual toll on project maintainers. With continued improvements in using LLMs to find more bugs, we need to keep pace in creating similarly automated solutions to help fix those bugs. We recently announced an experiment doing exactly that: building an automated pipeline that intakes vulnerabilities (such as those caught by fuzzing), and prompts LLMs to generate fixes and test them before selecting the best for human review.— Dongge Liu, Oliver Chang, Jan Nowakowski, and Jan Keller on the Google security blogThis AI-powered patching approach resolved 15% of the targeted bugs, leading to significant time savings for engineers. The potential of this technology should apply to most or all categories throughout the software development process. We're optimistic that this research marks a promising step towards harnessing AI to help ensure more secure and reliable software.
Today's chatbots perform best when instructed with a level of precision that would be appallingly rude in human conversation, stripped of any conversational pleasantries that the model could misinterpret: "Draft a 250-word paragraph in my typical writing style, detailing three examples to support the following point and cite your sources." Not even the most detached corporate CEO would likely talk this way to their assistant, but it's common with chatbots.— Bruce Schneier and Albert Fox CahnIf chatbots truly become the dominant daily conversation partner for some people, there is an acute risk that these users will adopt a lexicon of AI commands even when talking to other humans. Rather than speaking with empathy, subtlety, and nuance, we'll be trained to speak with the cold precision of a programmer talking to a computer. The colorful aphorisms and anecdotes that give conversations their inherently human quality, but that often confound large language models, could begin to vanish from the human discourse.
[...] Of course, history is replete with people claiming that the digital sky is falling, bemoaning each new invention as the end of civilization as we know it. In the end, LLMs may be little more than the word processor of tomorrow, a handy innovation that makes things a little easier while leaving most of our lives untouched. Which path we take depends on how we train the chatbots of tomorrow, but it also depends on whether we invest in strengthening the bonds of civil society today.
The odds that there's a human being beta-testing [Elon] Musk's neural interface with the only brain they will ever have aren't zero. But I give it the same odds as the Raelians' claim to have cloned a human being.— Cory Doctorow
Kernel development
Kernel release status
The current development kernel is 6.8-rc2, released on January 28. "So go out and test. It's safe now. You trust me, right?"
Stable updates: 6.7.2, 6.6.14, 6.1.75, 5.15.148, 5.10.209, 5.4.268, and 4.19.306 were all released on January 25.
The 6.7.3, 6.6.15, and 6.1.76 updates are in the review process; they are due at any time.
The state of eBPF
The eBPF Foundation has published a glossy document called The State of eBPF; it seems mostly concerned with how a small number of large companies are using and developing this technology.
No doubt, eBPF will become the new layer in the new cloud native infrastructure stack, impacting the observability, performance, reliability, networking, and security of all applications, supporters say. Platform engineers will cobble together eBPF-powered infrastructure building blocks to create platforms that developers then deploy software on, adding business logic to the mix, and replacing aging Linux kernel internals that cannot keep up with today’s digital and, increasingly, cloud native world.
Development
GNU C Library 2.39 released
Version 2.39 of the GNU C Library has been released. Changes include integration with the x86 shadow-stack mechanism, a couple of new posix_spawn() variants for working with control groups, pidfd_spawn() and pidfd_spawnp(), the C2X stdbit.h header, the removal of the libcrypt library, and more. See the release notes for details.LibreOffice 24.2 Community released
Version 24.2 of the LibreOffice office suite is available. Changes include AutoRecovery enabled by default, styling of comments, better floating-table support, improved accessibility, and more. See the release notes for details.
Page editor: Jake Edge
Next page:
Announcements>>