Brief items
Security
Eliminating Memory Safety Vulnerabilities at the Source (Google Security Blog)
Here's a post on the Google Security Blog on how switching to a memory-safe language can quickly reduce vulnerabilities in a project, even if a large body of older code persists.
This leads to two important takeaways:
- The problem is overwhelmingly with new code, necessitating a fundamental change in how we develop code.
- Code matures and gets safer with time, exponentially, making the returns on investments like rewrites diminish over time as code gets older.
For example, based on the average vulnerability lifetimes, 5-year-old code has a 3.4x (using lifetimes from the study) to 7.4x (using lifetimes observed in Android and Chromium) lower vulnerability density than new code.
Remote exploit of CUPS
Security researcher Simone Margaritelli has reported a new vulnerability in CUPS, the software that many Linux systems use to manage printers and print jobs. Margaritelli describes the impact of the attack by saying:
A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).
The vulnerability relies on a few related problems in CUPS libraries and utilities; versions before 2.0.1 or 2.1b1 (depending on the component) may be affected.
Red Hat has released a security bulletin as well.
Security quotes of the week
Another area I've been spending a bit of time on lately is looking at how defensive security work has challenges associated with metrics. How do you measure your defensive security impact? You can't say "because we installed locks on the doors, 20% fewer break-ins have happened." Much of our signal is always secondary or retrospective, which is frustrating: "This class of flaw was used X much over the last decade or so, and if we have eliminated that class of flaw and will never see it again, what is the impact?" Is the impact infinity? Attackers will just move to the next easiest thing. But it means that exploitation gets incrementally more difficult. As attack surfaces are reduced, the expense of exploitation goes up.
— Kees Cook in an interview on the Reproducible Builds project site.
The researcher demonstrated how he could trick ChatGPT into believing a targeted user was 102 years old, lived in the Matrix, and insisted Earth was flat and the LLM would incorporate that information to steer all future conversations. These false memories could be planted by storing files in Google Drive or Microsoft OneDrive, uploading images, or browsing a site like Bing—all of which could be created by a malicious attacker.
— Dan Goodin in Ars Technica
Rehberger privately reported the finding to OpenAI in May. That same month, the company closed the report ticket. A month later, the researcher submitted a new disclosure statement. This time, he included a PoC that caused the ChatGPT app for macOS to send a verbatim copy of all user input and ChatGPT output to a server of his choice. All a target needed to do was instruct the LLM to view a web link that hosted a malicious image. From then on, all input and output to and from ChatGPT was sent to the attacker's website.
Our regulation of electioneering never caught up to AOL, let alone social media and AI. And deceiving videos harm our democratic process, whether they are created by AI or actors on a soundstage. But the urgent concern over AI should be harnessed to advance legislative reform. Congress needs to do more than stick a few fingers in the dike to control the coming tide of election disinformation. It needs to act more boldly to reshape the landscape of regulation for political campaigning.
— Bruce Schneier
Kernel development
Kernel release status
The current development kernel is 6.12-rc1, released on September 29. Linus said:
Despite conference travel (both for me and several maintainers), things seemed to go mostly fairly normally. There's a couple of notable new features in here: For one thing, PREEMPT_RT is now mainlined and enabled as a config option (you do need to enable "EXPERT" to get the question). For another, sched_ext also got merged.
Stable updates: 6.11.1, 6.10.12, 6.6.53, and 6.1.112 were released on September 30.
Distributions
Arch Linux getting support from Valve
The Arch Linux project has announced that Valve will be helping the distribution with a couple of important initiatives:
Valve is generously providing backing for two critical projects that will have a huge impact on our distribution: a build service infrastructure and a secure signing enclave. By supporting work on a freelance basis for these topics, Valve enables us to work on them without being limited solely by the free time of our volunteers.
Górny: The perils of transition to 64-bit time_t
Michał Górny describes the challenges involved in transitioning Gentoo to year-2038-safe time representations:
There is a general agreement that the way forward is to change time_t to a 64-bit type. Musl has already switched to that, glibc supports it as an option. A number of other distributions such as Debian have taken the leap and switched. Unfortunately, source-based distributions such as Gentoo don't have it that easy. So we are still debating the issue and experimenting, trying to figure out a maximally safe upgrade path for our users.
Unfortunately, that's nowhere near trivial. Above all, we are talking about a breaking ABI change.
Manjaro 24.1 released
Version 24.1 of the Arch-based Manjaro distribution is now available with the 6.10 Linux kernel, GNOME 46.5, KDE Plasma 6.1 and KDE Gear 24.08:
Plasma 6.1 on Wayland now has a feature that "remembers" what you were doing in your last session like it did under X11. Although this is still work in progress, if you log off and shut down your computer with a dozen open windows, Plasma will now open them for you the next time you power up your desktop, making it faster and easier to get back to what you were doing. At Manjaro we are still defaulting to X11, however switching to Wayland can be done easily by selecting the wanted session in your display manager.
The project also offers minimal install images with the 6.6 LTS and 6.1 LTS kernels to support older hardware as needed.
Uniting for Internet Freedom: Tor Project & Tails Join Forces (Tor blog)
The online-privacy-focused Tor project has announced that it has "joined forces and merged operations" with the Tails OS Linux distribution.
Countering the threat of global mass surveillance and censorship to a free Internet, Tor and Tails provide essential tools to help people around the world stay safe online. By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.
In late 2023, Tails approached the Tor Project with the idea of merging operations. Tails had outgrown its existing structure. Rather than expanding Tails's operational capacity on their own and putting more stress on Tails workers, merging with the Tor Project, with its larger and established operational framework, offered a solution. By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project.
Distributions quote of the week
We need to revisit the 'one desktop' policy. Times change, the world would be a sorry place if no policy was ever changed again, and there is more than enough proof that a KDE Desktop is something that people in the Fedora project want.
Development
FFmpeg 7.1 released
Version 7.1 of the FFmpeg audio/video toolkit has been released. Important changes in this release include the VVC decoder reaching stable status, and inclusion of support for MV-HEVC decoding (which is generated by recent phones and VR headsets), as well as support for Vulkan encoding with H264 and HEVC. See the announcement and changelog for full details.
Firefox 131.0 released
Version 131.0 of the Firefox browser has been released. Changes include the ability to temporarily grant permissions to sites and a preview that pops up when hovering over tabs.
PostgreSQL 17 released
Version 17 of the PostgreSQL database has been released.
This release of PostgreSQL adds significant overall performance gains, including an overhauled memory management implementation for vacuum, optimizations to storage access and improvements for high concurrency workloads, speedups in bulk loading and exports, and query execution improvements for indexes. PostgreSQL 17 has features that benefit brand new workloads and critical systems alike, such as additions to the developer experience with the SQL/JSON JSON_TABLE command, and enhancements to logical replication that simplify management of high availability workloads and major version upgrades.
LWN recently covered some of the interesting new features and security enhancements in PostgreSQL 17.
Tcl/Tk 9.0 released
The most recent major release of the Tcl/Tk language and graphical-user-interface toolkit, Tcl/Tk 9.0, has been released, a mere 27 years after the 8.0 major release in 1997. There have been plenty of releases in the interim, though, as can be seen in the Tcl chronology. The 9.0 release brings 64-bit data values, better Unicode support, the ability to use zip files as filesystems, a switch to use epoll() or kqueue() where they are available, SVG support in Tk, access to notifications and other desktop-platform services in Tk, and lots more. For more information, see the release notes for Tcl and Tk that can be downloaded as Markdown files from the announcement page. (Thanks to Matt Bradley.)
Development quote of the week
Enforcing an ever-increasing minimum target API level doesn't just break applications, it also makes them disappear. When a developer does not take the time to update and rebuild their application to meet the new minimum target API level, their application stops being visible to anyone on a newer Android version, whether or not the application would continue to function. As users upgrade to newer devices, applications stop being available for users to find. The pool of users that can see and install these application will only shrink until it's as if the apps don't exist at all.
A plethora of curious, useful, interesting, quirky, and historic applications are no longer available to us. Because the developers of these apps didn't, or couldn't, update them to meet target API level requirements, many apps are lost to the sands of time. And every time Google increases the minimum target API level, hiding apps that do not meet the new requirement, more applications are lost forever.
Page editor: Daroc Alden