lwn.net

The LWN.net Weekly Edition for January 28, 2021 is available.

It would appear that "sudo" has a buffer-overflow vulnerability that allows any local user to gain root privileges, whether or not they are in the sudoers file. It has been there since 2011. See this advisory for details, but perhaps run an update first.

Distribution developers do a lot of work to keep a language ecosystem working well within the distribution. It is relatively thankless work that normally only becomes visible when there is a problem or complaint. But Miro Hrončok recently put together a look back at what the Fedora Python team did during 2020. While it is, obviously, Fedora-specific, it provides something of a look inside at the kinds of things that distribution teams work on.

Open-source software is famously able to be used by anyone for any purpose; those are some of the keystones of the open source definition. But some companies that run open-source projects are increasingly unhappy that others are reaping some of the profits from those projects. That has led to various efforts of "license reform" meant to try to capture those profits. So far, those efforts have just led to non-open-source licenses, thus projects that are no longer open source. We are seeing that play out yet again with Elastic's mid-January announcement that it was changing the license on some of its projects.

Stable kernels 5.10.11, 5.4.93, and 4.19.171 have been released. They contain important fixes and users should upgrade.

Security updates have been issued by Arch Linux (sudo), CentOS (sudo), Debian (sudo), Fedora (kernel, php-pear, and sudo), Gentoo (cacti, mutt, and sudo), Mageia (sudo), openSUSE (sudo), Oracle (sudo), Red Hat (sudo), Scientific Linux (sudo), Slackware (sudo), SUSE (go1.14, go1.15, nodejs8, and sudo), and Ubuntu (libsndfile and sudo).

Security updates have been issued by CentOS (dnsmasq, net-snmp, and xstream), Debian (mutt), Gentoo (cfitsio, f2fs-tools, freeradius, libvirt, mutt, ncurses, openjpeg, PEAR-Archive_Tar, and qtwebengine), openSUSE (chromium, mutt, stunnel, and virtualbox), Red Hat (cryptsetup, gnome-settings-daemon, and net-snmp), Scientific Linux (xstream), SUSE (postgresql, postgresql12, postgresql13 and rubygem-nokogiri), and Ubuntu (mutt).

Version 85 of the Firefox browser has been released. The headline change appears to be the isolation of internal caches to defeat the use of "supercookies" to track users; see this blog entry for details. "In fact, there are many different caches trackers can abuse to build supercookies. Firefox 85 partitions all of the following caches by the top-level site being visited: HTTP cache, image cache, favicon cache, HSTS cache, OCSP cache, style sheet cache, font cache, DNS cache, HTTP Authentication cache, Alt-Svc cache, and TLS certificate cache."

The Python Packaging Authority (PyPA) has announced the release of pip 21.0. This version removes Python 2.7 and 3.5 support, and drops support for legacy cache entries from pip < 20.0.

The term "browser wars" typically refers to Microsoft's attempts to dominate the World Wide Web with its Internet Explorer browser in the 1990s. That effort was thwarted by antitrust efforts and the rise of the free browser now known as Firefox; ever since, the web has been defined by free software. Or so some may have thought. In the 2020s, the browser wars continue with the growing dominance of Chrome and, it would seem, the imminent removal of Chromium from many Linux distributions.

Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, and xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (hawk2, ImageMagick, mutt, permissions, and stunnel), and Ubuntu (pound).

The 5.11-rc5 kernel prepatch is out for testing. "Nothing particularly stands out. We had a couple of splice() regressions that came in during the previous release as part of the 'get rid of set_fs()' development, but they were for odd cases that most people would never notice. I think it's just that 5.10 is now getting more widely deployed so people see the fallout from that rather fundamental change in the last release."

The next round of stable kernel updates is out: 5.10.10, 5.4.92, 4.19.170, 4.14.217, 4.9.253, and 4.4.253. Each contains another set of important fixes.

Memory fragmentation has long been a problem for Linux systems, to the point that, for years, finding even two physically contiguous pages was an uncertain affair. That said, the situation has improved considerably in the last decade or so thanks to a number of changes implemented by the memory-management developers. One of those changes is the creation of "movable" memory zones where pages can be relocated if need be. All that work is for nothing, though, if somebody comes along and pins down a page in one of these movable zones. This patch set from Pavel Tatashin seeks to prevent that from happening, but may risk creating problems elsewhere.

Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack).

Libre Arts (formerly Libre Graphics World) has posted a comprehensive survey of what 2021 might hold for a wide range of free content-creation software.

The topic of fullscreen color management implementation in Wayland is back, and it’s a kinda frustrating story. In a nutshell:

• people who are now working on this (Collabora developers) seem to have little experience with color management but they appear to be motivated to hack on the code;
• all the while people who have a crapload of experience with color management have had bad experience discussing this before, do not like the approach by the new team, and don’t seem excited to contribute to this new effort (Graeme’s spec proposal is still available).

So we might end up with an implementation that is not suitable for professional work.

The Corellium blog is carrying a description of how the Linux port to the Apple M1 processor was done. "Many components of the M1 are shared with Apple mobile SoCs, which gave us a good running start. But when writing Linux drivers, it became very apparent how non-standard Apple SoCs really are. Our virtual environment is extremely flexible in terms of models it can accommodate; but on the Linux side, the 64-bit ARM world has largely settled on a well-defined set of building blocks and firmware interfaces - nearly none of which were used on the M1."

As a general rule, when one attempts to open a file with a system call like openat2(), the expectation is that the call will not return until the job is done. But there are times where the desire to open the file is conditional on being able to open it immediately, without blocking. Linux has never supported that mode well, but that may be about to change with this patch set from Jens Axboe.

Security updates have been issued by Debian (mutt), Fedora (libntlm, mingw-python-pillow, python-pillow, and sudo), Mageia (kernel), SUSE (gdk-pixbuf, perl-Convert-ASN1, samba, and yast2-multipath), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.4, linux-hwe-5.8, linux-oracle).

The LWN.net Weekly Edition for January 21, 2021 is available.