Security Leftovers

• Security updates for Thursday

  Security updates have been issued by Gentoo (aiohttp, faac, isync, motion, and nextcloud), Red Hat (.NET 6.0), SUSE (libnbd, oracleasm, python-codecov, rubygem-tzinfo, sssd, and thunderbird), and Ubuntu (http-parser, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-intel-iotg, linux-oem-5.14, linux-oem-5.17, and node-moment).

• CISA Issues Warning on Active Exploitation of UnRAR Software for Linux Systems [Ed: How to distract from the major problem CISA has just pointed out]

• PyPI Package 'secretslib' Drops Fileless Linux Malware to Mine Monero [Ed: The issue here is not "Linux" but people installing malware on it]

• The quantum state of Linux kernel garbage collection (Project Zero) [LWN.net]

  The Project Zero blog has posted a detailed look at CVE-2021-0920 in the first of a two-part series on how this bug created a vulnerability that was subsequently exploited.

• Security requirements for new kernel features [LWN.net]

  The relatively new io_uring subsystem has changed the way asynchronous I/O is done on Linux systems and improved performance significantly. It has also, however, begun to run up a record of disagreements with the kernel's security community. A recent discussion about security hooks for the new uring_cmd mechanism shows how easily requirements can be overlooked in a complex system with no overall supervision. Most of the operations that can be performed within io_uring follow the usual I/O patterns — open a file, read data, write data, and so on. These operations are the same regardless of the underlying device or filesystem that is doing the work. There always seems to be a need for something special and device-specific, though, and io_uring is no exception. For the kernel as a whole, device-specific operations are made available via ioctl() calls. That system call, however, has built up a reputation as a dumping ground for poorly thought-out features, and there is little desire to see its usage spread. In early 2021, io_uring maintainer Jens Axboe floated an idea for a command passthrough mechanism that would be specific to io_uring. A year and some later, that idea has evolved into uring_cmd, which was pulled into the mainline during the 5.19 merge window. There is a new io_uring operation that, in turn, causes an invocation of the underlying device or filesystem's uring_cmd() file_operations function. The actual operation to be performed is passed through to that function with no interpretation in the io_uring layer. The first user is the NVMe driver, which provides a direct passthrough operation.

Oaxaca, Endless OS, and indigenous languages

A rural Mexican state was the setting for an initiative to use the GNOME-based Endless OS to improve education in indigenous communities. Over the last several years, the Endless OS Foundation has teamed up with the Fundación Alfredo Harp Helú Oaxaca (FAHHO) to deliver offline-first computers to those communities, but also to assist these communities in preserving their native languages. In a talk at GUADEC 2022, Rob McQueen provided a look at the project and what it has accomplished. McQueen was not slated to give the talk—he already gave an earlier presentation at the conference—but Sergio Solis, who is from Guadalajara where the conference was held, was unfortunately unable to attend due to his family coming down with COVID. McQueen apologized for flying into Mexico from England to give a talk about Mexico when he had never been to the country before. But, as the CEO of the Endless OS Foundation, McQueen is obviously knowledgeable about the project and was able to step in and pinch-hit for Solis. Read on

xorgproto 2022.2

This release introduces an new "XWAYLAND" extension:

    This extension exists to serve one purpose: reliably identifying
    Xwayland. Previous attempts at doing so included querying root window
    properties, output names or input device names. All these attempts are
    somewhat unreliable. Instead, let's use an extension - where that
    extension is present we have an Xwayland server.

    Clients should never need to do anything but check whether the extension
    exists through XQueryExtension/XListExtensions.

The DRI3 protocol was bumped to 1.3 and has a new DRI3SetDRMDeviceInUse request:

     This request provides a hint to the server about the device
     in use by this window. This is used to provide
     DRI3GetSupportedModifiers with a hint of what device to
     return modifiers for in the window_modifiers return value.
     Using this hint allows for device-specific modifiers to
     be returned by DRI3GetSupportedModifiers, for example
     when an application is renderoffloaded and eligible for
     direct scanout.

The remaining commits are the usual combination of housekeeping and
maintenance.