
Security: Systemd and X.Org

Filed under
Security
  • Systemd is bad parsing and should feel bad

    Systemd has a remotely exploitable bug in its DHCPv6 client. That means anybody on the local network can send you a packet and take control of your computer. The flaw is a typical buffer-overflow. Several news stories have pointed out that this client was rewritten from scratch, as if that were the moral failing, instead of reusing existing code. That's not the problem.

    The problem is that it was rewritten from scratch without taking advantage of the lessons of the past. It makes the same mistakes all over again.

  • Linux systems vulnerable to privilege escalation and file overwrite exploit in X.Org server

    An "incorrect command-line parameter validation" vulnerability in X.Org server makes it possible to escalate privileges as well as overwrite files. The problem affects Linux and BSD distributions using the open source X Window System implementation.

    The vulnerability has been present for a couple of years, but has been brought to light by security researcher Narendra Shinde. Unpatched systems can be exploited by non-root users if the X server is running with elevated privileges.
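The first item above calls the systemd flaw a "typical buffer-overflow" in a DHCPv6 option parser without showing what that pattern looks like. The following is an added example, not systemd's code and not a reproduction of the reported bug: a minimal walker over DHCPv6 options (option-code, option-len, option-data, per RFC 8415) written twice, once trusting the on-wire length field the way an unchecked parser does, and once validating every length against what actually remains in the packet and bounding the copy by the destination buffer. The option codes and the 130-octet DUID cap are from RFC 8415; the packets, the error codes and the function names are constructed for this example.

```c
/* Added example (not systemd's code): the bounds checks a DHCPv6 option walker
 * needs, next to the unchecked pattern behind a "typical buffer-overflow".
 * Option layout per RFC 8415: option-code (2), option-len (2), option-data.
 * The packets below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DHCP6_HDR_LEN      4    /* msg-type (1) + transaction-id (3) */
#define DHCP6_OPT_CLIENTID 1
#define DHCP6_OPT_SERVERID 2
#define DUID_MAX         130    /* RFC 8415 caps a DUID at 130 octets */

enum { PARSE_OK = 0, PARSE_NOT_FOUND = 1, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unchecked walk: option-len from the wire drives both the step and the copy.
 * A crafted len reads past the packet and writes past `out`. Kept here only to
 * show what is missing; it is never fed malformed bytes in this file. */
static size_t find_serverid_unchecked(const uint8_t *pkt, size_t pktlen, uint8_t *out)
{
    size_t off = DHCP6_HDR_LEN;
    while (off < pktlen) {
        uint16_t code = rd16(pkt + off), len = rd16(pkt + off + 2);
        if (code == DHCP6_OPT_SERVERID) {
            memcpy(out, pkt + off + 4, len);   /* neither bound is checked */
            return len;
        }
        off += 4 + len;
    }
    return 0;
}

/* Checked walk: every length is validated against what actually remains in
 * the packet, and the copy is bounded by the destination, not by the wire. */
static int find_serverid(const uint8_t *pkt, size_t pktlen,
                         uint8_t *out, size_t outcap, size_t *outlen)
{
    if (pktlen < DHCP6_HDR_LEN) return PARSE_TRUNCATED;
    size_t off = DHCP6_HDR_LEN;
    while (off < pktlen) {
        if (pktlen - off < 4) return PARSE_TRUNCATED;       /* option header must fit */
        uint16_t code = rd16(pkt + off), len = rd16(pkt + off + 2);
        if (len > pktlen - off - 4) return PARSE_TRUNCATED; /* option-data must fit */
        if (code == DHCP6_OPT_SERVERID) {
            if (len > outcap) return PARSE_TOO_LONG;        /* destination bound */
            memcpy(out, pkt + off + 4, len);
            *outlen = len;
            return PARSE_OK;
        }
        off += 4 + (size_t)len;
    }
    return PARSE_NOT_FOUND;
}

/* Constructed REPLY (msg-type 7): a 2-byte CLIENTID, then a 3-byte SERVERID. */
static const uint8_t good_reply[] = {
    0x07, 0x01, 0x02, 0x03,
    0x00, 0x01, 0x00, 0x02, 0xAA, 0xBB,
    0x00, 0x02, 0x00, 0x03, 0x01, 0x02, 0x03,
};
/* Constructed REPLY whose SERVERID claims 65535 bytes but carries 3. */
static const uint8_t evil_reply[] = {
    0x07, 0x01, 0x02, 0x03,
    0x00, 0x02, 0xFF, 0xFF, 0x01, 0x02, 0x03,
};

/* Builds a REPLY carrying one SERVERID of `len` bytes (0x41 fill); returns
 * the total packet size, or 0 if it does not fit in `cap`. */
static size_t build_serverid_reply(uint8_t *buf, size_t cap, uint16_t len)
{
    size_t total = DHCP6_HDR_LEN + 4 + (size_t)len;
    if (total > cap) return 0;
    buf[0] = 0x07; buf[1] = 0x01; buf[2] = 0x02; buf[3] = 0x03;
    buf[4] = 0x00; buf[5] = DHCP6_OPT_SERVERID;
    buf[6] = (uint8_t)(len >> 8); buf[7] = (uint8_t)len;
    memset(buf + 8, 0x41, len);
    return total;
}

int main(void)
{
    uint8_t duid[DUID_MAX];
    size_t n = 0;
    int rc = find_serverid(good_reply, sizeof good_reply, duid, sizeof duid, &n);
    printf("good_reply: rc=%d duid_len=%zu\n", rc, n);
    rc = find_serverid(evil_reply, sizeof evil_reply, duid, sizeof duid, &n);
    printf("evil_reply: rc=%d (rejected before any copy)\n", rc);
    /* The unchecked walker is only run on well-formed input here; on evil_reply
     * it would memcpy 65535 bytes out of an 11-byte packet. */
    printf("unchecked walker on good_reply: %zu bytes\n",
           find_serverid_unchecked(good_reply, sizeof good_reply, duid));
    return 0;
}
```

The two checks in the safe walker are independent: the packet-remaining check stops an over-read of the receive buffer, and the destination-capacity check stops an over-write of wherever the option is copied. A parser that has only one of them is still exploitable, which is the "lesson of the past" the first item is pointing at.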

More in Tux Machines

today's howtos

Review: openSUSE Tumbleweed (2018)

My experiment with openSUSE's Tumbleweed was a mixed experience. On the positive side, Tumbleweed stays constantly up to date, providing the latest packages of software all the time. For people who regularly want to stay on the cutting edge, but who do not want to re-install or perform a major version-to-version upgrade every six months, Tumbleweed provides an attractive option. I also really like that file system snapshots are automated and we can revert most problems simply by restarting the computer and choosing an older snapshot from the boot menu. On the negative side, a number of things didn't work during my time with the distribution. Media support was broken, the Discover software manager had a number of issues and some configuration modules caused me headaches. These rough edges sometimes get fixed, but may be traded out for other problems since the operating system is ever in flux. In the long term, a bigger issue may be the amount of network bandwidth and disk space Tumbleweed consumes. Just to keep up with updates we need to set aside around 1GB of downloads per month and (when Btrfs snapshots are used) even more disk space. In a few weeks Tumbleweed consumed more disk space with far fewer programs installed than my installation of MX Linux. Unless we keep on top of house cleaning and constantly remove old snapshots we need to be prepared to use significantly more storage space than most other distributions require. Tumbleweed changes frequently and uses more resources to keep up with the latest software developments. I would not recommend it for newer Linux users or for people who want predictability in their lives. But for people who want to live on the cutting edge and don't mind a little trouble-shooting, Tumbleweed provides a way to keep up with new versions of applications while providing a safety net through Btrfs snapshots.

Linux 4.20-rc6

Hmm. Things look fairly normal. Just under half of the patch is to drivers (gpu, networking, nvdimm, block, media..), with the rest being tooling (mostly bpf selftests), core networking, documentation and some arch updates. Some filesystem, core kernel and mm fixes in there too (we've had some last-minute THP reverts and discussion for how to re-do it next time). Most of it looks pretty small and normal. Would I have preferred for there to be less churn? Yes. But it's certainly smaller than rc5 was, so we're moving in the right direction, and we have at least one more rc to go. I say "at least", not because I'm particularly worried about the technical details and any outstanding bugs, but because of the whole holiday season timing. I still suspect that what I'll do is release 4.20 just before xmas (so with the usual "rc7->final" cadence) but then just leave a dead week for the holiday season. Again encouraging everybody to send in their pull request for the merge window *before* the holiday season, but I might just either ignore them for a week, or take it very slow and easy. And of course, if we have something worrisome come up, any technical issues can derail that plan, but I don't think there's anything bad pending now. Linus

Also: Linux 4.20-rc6 Kernel Released - "Looks Fairly Normal"

Audiocasts: Linux Action News, OpenBSD in Stereo, GNU World Order, Coder Radio and Open Source Security Podcast

  • Linux Action News 83
    Plus the Kernel team’s clever Spectre slowdown fix, Emby goes proprietary, Steam Link lives on, and more.
  • OpenBSD in Stereo | BSD Now 275
    DragonflyBSD 5.4 has been released, down the Gopher hole with OpenBSD, OpenBSD in stereo with VFIO, BSD/OS the best candidate for legally tested open source Unix, OpenBGPD adds diversity to the routing server landscape, and more.
  • GNU World Order
    More listener email about ZFS. Noise music. More about workflows, and how to find the right application for your task.
  • Coder Radio 334
    Mike and Chris don’t claim to have a time machine, but they still have a major problem to solve.
  • Open Source Security Podcast: Episode 126 - The not so dire future of supply chain security
    Josh and Kurt continue the discussion from episode 125. We look at the possible future of software supply chains. It's far less dire than previously expected.