Tumbleweed continues to showcase the strength of a well-maintained rolling release as we move through 2025. March delivered several snapshots and several impactful changes across the software stack.

This month brought the debut of GNOME 48, delivering modern User Interface polish, performance improvements and new features like digital wellbeing tools and HDR support. On the KDE side, Plasma 6.3.3 refined fractional scaling, display handling and usability. Mesa 25.0.1 introduced ray tracing support for Intel Arc GPUs and Emacs 30.1 enhanced org-protocol handling, security, and completion features. Other packages updated were PipeWire 1.4.1, libvirt 11.1.0, GStreamer 1.26.0, PHP 8.3.19 and more. Tumbleweed now includes experimental support for parallel package downloads and a new media backend that was introduced with zypper 1.14.87 and libzypp 17.36.4; this offers a major speed boost for package management as it cuts package fetch times by more than half.

With these updates, rolling release users can enjoy an updated Linux experience that is well tested with continual integration of upstream innovations.

As always, be sure to roll back using snapper if any issues arise.

Happy updating and tumble on!

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

GNOME 48: This release brings notification stacking to reduce clutter, and delivers major performance gains, including dynamic triple buffering and faster file browsing in Files. The new image viewer adds editing tools like crop and rotate, while support for RAW formats expands functionality. The release debuts new fonts — Adwaita Sans and Mono — enhancing legibility and language support. Digital Wellbeing tools now track screen time, enforce usage limits, and provide break reminders. Battery lifespan is protected with a new 80 percent charging cap option for supported hardware. A minimalist Audio Player app joins the core apps, focusing on simple playback with waveform views. HDR support makes its system-level debut, and Text Editor receives a cleaner interface with better formatting controls. Additional features include global shortcuts for apps, improved window placement, and expanded keyboard shortcut support. Updates to Contacts, Settings, Calendar, Maps, Web, and Orca improve accessibility, UX, and performance across the desktop.

harfbuzz 11: This new major version introduces new font-function integrations for CoreText, DirectWrite, and the Rust-based Skrifa library, accessible via the new hb_font_set_funcs_using() Application Programming Interfaces. Additional APIs allow loading font-faces directly from files or blobs for FreeType, CoreText, and DirectWrite backends. The DirectWrite shaper now fully supports font variations and user features, and its API is no longer marked experimental.

emacs 30.1:. This major release introduces several enhancements, including improved org-protocol handling on GNU/Linux, native code execution for the default process filter, and better input handling with consistent mouse wheel events. It tightens network security by warning about weak crypto standards and ensures HTTP requests don’t expose user emails. Support for Tree-Sitter submodes was added, and icomplete-in-buffer improvements enhance completion behavior. The GTK xwidgets build is disabled due to a webkit2gtk regression.

Mesa 25.0.1 and 25.0.2: The 25.0.1 version enables ray tracing support for Intel Arc GPUs (boo#1238732) and improves build configuration by switching to %gcc_version instead of hardcoded CXX. A workaround was added to explicitly set CXX=g++-14 to resolve compiler detection errors during build. Also includes fixes for building on Tumbleweed and ensures GCC 13 is used for Leap/SLES 15 builds (bsc#1238713). The 25.0.2 version maintains OpenGL 4.6 and Vulkan 1.4 API support, though actual reported versions vary by driver. This update fixes VRAM detection problems, flickering in Resident Evil 2, a Vulkan issue with DOOM 2016 on AMD 780M, a segmentation fault in AMD VDPAU deinterlacing, and crashes on Raspberry Pi 5 with v3dv.

KDE Plasma 6.3.3: KWin resolves several issues, including tiling, stacking, and modifier state bugs, and adds better support for hardware with complex display setups. Discover improves changelog visibility and flattens case-sensitive sorting for offline updates. Breeze adjusts menu bar styling and resolves Qt6 MinGW build regressions. Plasma Desktop patches task manager tooltips and improves keyboard layout handling, while Plasma Workspace improves system tray tab focus and resolves calendar navigation bugs. Powerdevil enhances Dell laptop charging support and warns users of power settings that increase energy use. KPipewire, KScreenLocker, and Spectacle all receive targeted fixes, and QQC2 Breeze Style syncs its visual elements with the desktop style for consistency.

KDE Gear 24.12.3: KDE’s Dolphin resolves a crash when opening new tabs with search and prevents view settings loss. Podcast app Kasts addresses playback and sorting issues, while Kate improves HUD behavior, session handling, and editor font consistency. Kdenlive eliminates multiple crash scenarios related to audio playback and clip transitions. Okular refines digital signature handling and fixes display bugs. Konsole patches escape sequence behavior, avoids infinite loops, and improves session settings. Konqueror restores proper translation extraction for UI elements. Kitinerary expands extractor support with new scripts for Eventyay, SBB, and Ghotel reservations. Tokodon and PlasmaTube improve UI consistency and media playback, particularly for PeerTube and Akkoma. Multiple apps, including Umbrello, Cantor, and Calligra, gain compatibility with CMake 4, ensuring smoother builds.

selinux-policy 20250305: This update brings fixes like labeling /var/log/php-fpm.log as httpd_log_t and allowing systemd-networkd to read/write memfd objects in tmpfs. Support was added for SSH keygen to connect via vsockets and for Plymouth debug logs. Apache2 binaries are now labeled correctly, and the kmscon module is enabled. Packaging improvements remove bashisms from scriptlets, fix a broken variable reference, improve the rpmlintrc, and reduce duplicates using fdupes.

systemd 257.4: Notable changes include better handling of posix.fork() in triggers (bsc#1238566), updates to systemctl edit to handle missing unit masking errors more gracefully, and improved verity settings for MountImages. Shell completions now include systemd-creds, and additional test coverage was added for verity and extension features. Journalctl respects --quiet with --setup-keys, and logind now starts system-wide idle tracking at initialization. The update also fixes some man page typos and improves compatibility with openSUSE in mkosi builds.

php8 8.3.19: This update fixes memory leaks in BCMath, GD, Phar, and zlib, as well as crashes and unexpected behavior in the core engine, FFI, and Opcache JIT compilation. Several CVEs were resolved in the shutdown sequence and enhancements were also made to FPM path handling.

gimp 3.0.2: One of the first minor updates from the 3.0 version resolves crashes related to brush selection and font handling in the text tool and improves UI consistency with adjustments to headerbar colors, spacing, and dark theme panel separation. Tools and plug-ins received usability improvements, including reordered line art detection options, new toggle icons, and fixes for metadata editor and gradient flare crashes. The build system includes packaging cleanups and now requires GEGL 0.4.58.

ovmf 202502: A quarter’s worth of updates adds X64 support for SRAT and MADT table generation, introduces dynamic stack cookie support across multiple architectures, and integrates RNG PPI and PEI libraries. It also updates to OpenSSL 3.4.x and enhances CI tooling. The release also resolves bugs such as image relocation overflows, QEMU random number generation support, and uninitialized variable warnings in various components.

Key Package Updates

Kernel Source 6.13.6 - 6.13.8: The 6.13.8 release re-enables OpenVPN support after fixing related issues. Notable updates involve improvements and bug fixes across subsystems such as memory management, networking, RDMA, Bluetooth, Wi-Fi, DRM, and various architecture-specific components. The 6.13.7 kernel introduces OVPN Data Channel Offload, including multi-peer support, TCP transport, key and peer management via netlink and integration with ethtool. Additional updates address memory leaks, use-after-free vulnerabilities in ksmbd, hardware compatibility for Dell and Lenovo systems in Advanced Linux Sound Architecture, and multiple improvements across RDMA, KVM for LoongArch, Btrfs, and DRM subsystems. The 6.13.6 release includes numerous fixes and enhancements across subsystems such as RDMA, networking, SCSI, NFS, and Bluetooth. Key updates address memory and race condition bugs in RDMA/mlx5, correct behavior in NFS O_DIRECT writes, and improve error handling across various drivers. It also includes architecture-specific improvements for x86 and arm, and adds forgotten AMD models to microcode SHA checks. The update resolves several bugs noted in bsc#1012628.

sdbootutil: This update includes several fixes and enhancements. Boot entry measurement is now supported for grub2-bls, and set-default-snapshot is made consistent. It now validates the ESP mount point and ensures correct behavior when called from snapper. Additional improvements include quieting OpenSSL output, storing passwords in the cryptenroll keyring, updated help entries, typo fixes, and stricter input validation.

git 2.49.0: This version introduces support for shallow clones from arbitrary commits and adds git backfill to bulk-fetch missing blobs in blobless clones. git gc gains a --expire-to option, and git repack can now use an alternative path-hash for better delta selection. The [help] autocorrect = 1 setting now runs typo corrections immediately, and git rev-list --missing=print-info provides more detail on missing objects.

PipeWire 1.4.1: Fixes were made for device disappearance issues caused by incorrect SplitPCM channel specs and restores MIDI functionality on older kernels lacking UMP support. It resolves crashes in audioconvert due to resampler misconfigurations and adds improved error reporting for UCM config issues. Bluetooth stability is improved with a fix for crashes during incoming calls.

nvme-cli 2.12: This user space tooling introduces new commands like reachability-associations-log, host-discovery-log, and rotational-media-info-log, enhancing NVMe 2.1 log support and diagnostics. The release improves error handling, completion scripts, and JSON outputs, while also updating documentation and plugins, including OCP 2.6 telemetry. Several bugs and build issues were fixed, and libnvme dependencies were updated.

Evolution 3.56.0: This personal info management application introduces numerous bug fixes and UI improvements across Mail, Calendar, Tasks, and Contacts. Highlights include corrected time zone comparisons in Tasks, improved memory handling, better icon handling, a fix for crashes on quit, and enhancements to Unified Inbox behavior. The update replaces legacy GTK widgets with modern equivalents like GtkGrid, removes deprecated APIs (e.g., GTimeVal, GtkAlignment, GtkArrow), and now requires glib 2.70. Multiple translation updates and interface refinements round out the release.

GTK3 3.24.49 and GTK4 4.18.2: The 3.24.49 version fixes crashes related to IM context and drag-and-drop with GtkPlug/GtkSocket. On Wayland, it improves cursor handling and resolves menu malfunctions caused by bad crossing events. With 4.18.2, there were enhancements and fixes for popovers, clipboard leaks, Wayland drag surfaces, and X11 scaling behavior. New features include Wayland cursor-shape protocol support, OpenGL backend for Android, and improvements to font rendering, accessibility, and inspector tools.

GStreamer 1.26.0: Major features including support for H.266/VVC and LCEVC video codecs, closed caption enhancements and new HLS/DASH sinks. It introduces elements for AWS and Speechmatics transcription, new Vulkan and CUDA improvements, and richer RTSP, RTP, and WebRTC capabilities. There’s expanded support for Matroska, MPEG-TS, and ISO MP4 formats, plus tools for real-time analytics and visualization. Notable changes include new QUIC-based elements, advanced A/V encoder/decoder support, and GTK, Qt, and Direct3D12 backend upgrades.

libvirt 11.1.0: The ‘fs’ storage backend was de-modularized and is now built-in. Support for VirtualBox 6.1 APIs were dropped due to upstream end of life. New features include support for ccwgroup-based qeth devices on mainframes, event handling for cloud-hypervisor VMs, virtio-mem memory devices for s390 guests and passt as a backend for vhostuser interfaces. The QEMU driver now retains I/O error messages for later retrieval via virDomainGetMessages(). Bug fixes include better domain status checking in ssh-proxy, AppArmor profile updates for SGX memory, and a crash fix when starting domains on hosts with unknown CPU models.

Bug Fixes and Security Updates

Several key security vulnerabilities were addressed this month. Common Vulnerabilities and Exposures this month are:

Security Updates

apache2-mod_php8 8.3.19:

• CVE-2024-11235: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1219: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1736: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1861: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1734: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1217: This vulnerability identifier has been reserved for future disclosure.

libxslt:

• CVE-2025-24855: Fixed a use-after-free in libxslt during nested XPath evaluations, leading to potential crashes.
• CVE-2024-55549: Fixed a use-after-free in libxslt’s namespace handling related to result prefix exclusions.

php8 8.3.19:

• CVE-2024-11235: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1219: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1736: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1861: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1734: This vulnerability identifier has been reserved for future disclosure.
• CVE-2025-1217: This vulnerability identifier has been reserved for future disclosure.

webkit2gtk3::

• CVE-2025-24201: An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. Maliciously crafted web content may be able to break out of the Web Content sandbox.

libarchive

• CVE-2025-1632: Fixed a null pointer dereference in libarchive’s bsdunzip.c, which could lead to local crashes.
• CVE-2025-25724: Fixed unchecked strftime return in list_item_verbose, which could cause denial of service with crafted TAR files.

389-ds 3.1.2~git+:

• CVE-2025-2487: Fixed a NULL pointer dereference in 389 Directory Server during MODDN operations, potentially causing denial of service.

zvbi 0.2.44:

• CVE-2025-2173: Fixed an uninitialized pointer in vbi_strndup_iconv_ucs2, which could lead to remote crashes.
• CVE-2025-2174: Fixed an integer overflow in vbi_strndup_iconv_ucs2, potentially leading to remote exploitation.
• CVE-2025-2175: Fixed an integer overflow in _vbi_strndup_iconv, which could be exploited remotely.
• CVE-2025-2176: Fixed an integer overflow in vbi_capture_sim_load_caption, potentially leading to remote exploitation.
• CVE-2025-2177: Fixed an integer overflow in vbi_search_new, which could be exploited remotely.

wpa_supplicant:

• CVE-2025-24912: Fixed improper handling of crafted RADIUS packets in hostapd, which could cause authentication failures.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

March 2025 highlighted what makes Tumbleweed a standout rolling release: fast access to the latest technologies, paired with the stability of rigorous automated testing. From introducing GNOME 48’s digital wellbeing tools and HDR support, KDE Plasma 6.3.3’s usability improvements, to delivering ray tracing support for Intel Arc GPUs with Mesa 25, this month brought substantial upgrades for users across desktop and hardware stacks.

The addition of parallel package downloads and media backend enhancements in zypper marks a significant step forward for performance and user experience.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive between an average of 5 to 10 days after being released in Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

If you are planning to attend the openSUSE Conference 2025 2025 from June 26 – 28, there are important visa requirements you should be aware of.

If you are not a citizen of a Schengen country, you should check the visa requirements and exemptions for entry into Germany. Some participants may also need a formal invitation letter explaining the nature of the visit. An alphabetical list of countries requiring an invitation letter is available on the Federal Foreign Office website. If you require such a letter, please email ddemaio@opensuse.org as soon as possible.

The Travel Support Program does not cover the cost of obtaining a visa. Attendees are responsible for any visa-related expenses.

The conference is scheduled to take place in Nuremberg, Germany.

The call for presentations is still open. Consider submitting a talk for the conference before April 30. People can submit talks based on the following length and topics:

Presentations can be submitted for the following length of time:

• Lightning Talk (10 mins)
• Short Talk (30 mins)
• Virtual Talk (30 mins)
• Long Talk (45 mins)
• Workshop (1 hour)

The following tracks are listed for the conference:

• Cloud and Containers
• Community
• Embedded Systems and Edge Computing
• New Technologies
• Open Source
• openSUSE
• Open Source for Business: Beyond Code into Sustainability Track

Volunteers who would like to help the with the organization of the conference are encouraged to email ddemaio@opensuse.org or attend a weekly community meetings.

Conferences need sponsors to support community driven events to keep events free and open to new contributing members. Companies can find sponsorship information or donate to the Geeko Foundation to assist with funds that will go toward the conference.

On this day in 1943 Vangelis was born. The very first CD I bought over three decades ago was composed by him: Chariots of Fire. After so many years, I still love his music.

As you can see, I do not have everything by him. I do not like his earliest and latest works that much, but almost everything in between. Unfortunately I could not find everything on CD. For example, I loved “Soil Festivities”, especially since I was a soil engineer during my college years. But not only is it not available on CD (even used), it is also missing from streaming services.

Several times I learned years later that the music I was listening to was actually a movie soundtrack. Chariots of Fire is one of them, as well as Blade Runner. It became one of my favorite movies, and it’s the only movie I have on 4K bluray.

I’m listening to Vangelis right now and expect to listen to a few more of his albums today :-)

Or, on TIDAL: https://listen.tidal.com/album/103208768

Dear Tumbleweed users and hackers,

The latest snapshot is just hot off the press and ready to consume – It’s just the latest in a series of five snapshots (0320, 0321, 0324, 0325, and 0326) published this week. Unlike last week, this week, most changes were more in the background.

The five snapshots brought you these changes:

• Samba 4.22.0
• Linux kernel 6.13.7 & 6.13.8
• Mesa 25.0.2
• Shadow 4.17.4
• Bind 9.20.7
• Gimp 3.0.2
• Poppler 25.03.0
• Timezone 2025b

From what we’ve seen, either in the staging areas or from announcements on the mailing list, these are the topics being worked on:

• Linux kernel 6.14.0
• GCC 15 as distro compiler, see https://build.opensuse.org/staging_workflows/openSUSE:Factory/staging_projects/openSUSE:Factory:Staging:Gcc7
• CMake 4.0
• Python setuptools 78.0
• LLVM 20: breaks build of Mozilla Firefox
• Removal of pcre(1). Please help with that cleanup, port to PCRE2. See https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/BK3SPPFOM3LI6K5PTXPKZMKMIUIPOEXS/
• More work towards proper display-manager service integration, https://en.opensuse.org/openSUSE:DisplayManagerRework
• The removal of the HPC stack has been proposed. See https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/7VAP572DMVET3CPGOSB2OCOFEQ5CPWJE/

A new zypper experimental media backend and support for parallel package downloads have been introduced with the release of libzypp version 17.36.4 and zypper version 1.14.87.

These enhancements, according to an email on the factory mailing list, improve the performance of package management by reducing the time required to fetch packages and metadata.

The update provides two main features: an ability to fetch packages using concurrent connections, and a simplified media backend that improves connection reuse and metadata handling. Both features are currently in an experimental phase and must be manually enabled.

Before the feature is officially enabled by default, parallel package downloading can be enabled by setting an environment variable before executing a zypper operation. This allows multiple packages to be downloaded simultaneously, improving overall speed.

To Enable parallel downloads

env ZYPP_PCK_PRELOAD=1 zypper dup

The number of concurrent downloads can be configured in the zypp.conf file using the following directive:

download.max_concurrent_connections = 5

The default is 5. However, higher values may yield better performance depending on system resources and network conditions.

The new media backend can be enabled with a separate environment variable. The backend eliminates overhead by avoiding metalink fetching and multi-server file splitting. It is optimized for better connection reuse during metadata fetches.

To enable the new media backend

env ZYPP_CURL2=1 zypper ref

While these two features are separate, they are most effective when used together. Using metalink= URLs in .repo files can further improve mirror performance. However, baseurl= remains the preferred setting for production systems due to its trusted key behavior.

The following versions are required to use the new features:

• libzypp version 17.36.4 or newer
• zypper version 1.14.87 or newer

These are available in Tumbleweed and Slowroll. Users can test out these new enhancements on Leap or immutable desktop variants Aeon and Kalpa using Distrobox.

Users of openSUSE-repos on Tumblweed gained mediahandler=curl2 as part of the repository urls as well as preset ZYPP_PCK_PRELOAD=1 via /etc/profile.d/opensuse_repos.sh with the latest openSUSE-repos update.

Leap 15 and 16 users can currently get the zypper update with these enhancements from the development repository.

To install the updated packages, users can switch to a root shell with sudo su - and run zypper in <package-name>.

https://download.opensuse.org/repositories/zypp:/Head/

The parallel downloads should allow systems on slow or high-latency connections to make better use of available bandwidth. Metadata refreshes become more efficient with the new backend. These improvements also reduce setup time in CI/CD pipelines and automated environments.

The following are some benchmark results listed in the email on the factory mailing list:

Scenario                                           Time
--------------------------------------------  --------
Download 100MB / ~250 packages
Default (MultiCurl)                               68.7 sec
New Backend (ZYPP_CURL2=1)                        29.6 sec
Parallel Downloads (ZYPP_PCK_PRELOAD=1)           13.1 sec

Download 1.02GB / 407 packages into empty rootfs
Default (MultiCurl)                               281.1 sec
New Backend (ZYPP_CURL2=1)                        208.5 sec
Parallel Downloads (ZYPP_PCK_PRELOAD=1)           119.6 sec

These results show significant improvements in real-world scenarios with total execution time reduced by more than 50 percent in some cases.

Although still experimental, these options are available now for users who wish to enable and test them.

Users who’d like to provide feedback can respond to the mailing list thread or submit a bug report against libzypp bugzilla component.

The more feedback the sooner the feature can be made official.

Tutorial

Watch our tutorial on the openSUSE YouTube channel showing its use and setup.

As political winds shift across the globe, the digital world is not immune to the turbulence. Governments and organizations across the globe are reassessing their dependencies, especially those tied to large, centralized tech firms.

While headlines paint a world splintering along geopolitical lines, the open-source community is quietly doing what it has always done best; building global tools for global freedom.

A recent example of this is an EU OS initiative—a European blueprint for a locked-down, KDE Plasma-based Linux distribution aimed at public-sector use.

Though technically not a new operating system, EU OS serves as a proof-of-concept for deploying a Linux system.

The project put together info on government deployments like LiMux in Germany and GendBuntu in France, and endorses the public money, public code philosophy.

However, there is a case for broader OS inclusion without piggybacking a popular EU sovereignty narrative.

While this naming is trying to address a narrative, a multiple Linux distributions should be integrated into any government’s strategy.

The current Fedora+KDE direction is mature, but relying on one distro and one desktop environment introduces avoidable risks. Instead, it would be wise for all governmnets to embrace alternatives like Aeon with GNOME, alongside another immutable Plasma-based choice of Kalpa.

Why? Security. Different distributions and desktops reduce the risk of a single point of failure. If vulnerabilities emerge, they won’t simultaneously impact every system.

Another reason is tailored user experience. GNOME offers a simple interface for general office users, while KDE’s power-user features may be more appropriate for technical users.

As immutable OSes with transactional updates, Aeon and Kalpa share the same robust core stemming from Tumbleweed updates, which offer rollback, system integrity and layered deployments with seamless updates. Both Aeon and Kalpa were designed from the ground up for modern, containerized and cloud-hybrid environments.

The broader idea needing discussion for governments goes beyond what a distro standard is. In an age of ransomware, cloud lock-in, and surveillance capitalism, it’s time to move beyond traditional desktop OS thinking.

The open-source world already has the tools to move forward with a new way of thinking:

• Immutability with transactional updates (MicroOS, Aeon, Kalpa, Kinoite)
• Declarative system configuration (Agama, Ansible)
• Desktop options for varying user needs (GNOME, KDE Plasma, Xfce)
• Open identity and authentication standards (LDAP, OpenID)
• Transparent package formats (Flatpak, RPM)

Let’s not get lost in the flags, logos or headlines. While politics shift and trade alliances fray, the open-source movement remains one of the most stable, borderless, and collaborative human endeavors on the planet.

If you’re looking for freedom, look no further than this space — it’s been enduring longer than the EU’s own monetary standard.

The future of tech doesn’t need to be American. It doesn’t need to be Chinese. It needs to be open.

This is part of a series on Upgrade to Freedom where we offer reasons to transition from Windows to Linux.

Last December, the CD shop where I bought most of my collection closed its doors for good. I had seen it coming — the owner had been gradually winding down the business in preparation for retirement — but after nearly 30 years of shopping there, it was still a tough moment.

This logo belongs to Periferic Records - Stereo Kft.. Back in the nineties, during my university years, I used to look for this logo at concerts, always hoping to spot a bearded man selling an incredible selection of CDs. Imagine my surprise when, in 2002, I attended a concert and discovered that the organizer was none other than that same bearded man — who also happened to be one of my second cousins!

From that moment on, I became a regular at the shop. The owner was a publisher of some of my favorite music, including Hungarian progrock and piano albums. Some standout names: After Crying, Vedres Csaba, and Solaris. While the shop specialized in progrock — with a selection unlike anywhere else — it also offered a wide variety of other genres.

When I received my first big paycheck, I went straight to the store and bought dozens of CDs. Today, streaming services like TIDAL and Spotify have recommendation engines, but back then, nothing could beat the personalized recommendations from the shop’s staff. More than once, I walked out with a free CD as a bonus, one of which became an all-time favorite: Townscream – Nagyvárosi Ikonok.

Unlike many music shops that play background music on low-quality systems, Stereo had StandArt speakers from Heed Audio. These speakers, almost as old as the shop itself, created an immersive listening experience. Though I often rushed in just to pick up an order, on the rare occasion that I had time, I would linger to listen — sometimes discovering new music to take home.

The website still exists, and you can get an ever shorter list of available CD titles by e-mail. In December, I spent most of my free time going through their list of albums, listening to samples on TIDAL and YouTube — nearly 1,500 albums in total. Through this process, I found some rare gems, including one CD I bought purely for its intriguing title: God-Sex-Money. Well, actually the description, “Recommended for Wakeman/Emerson fans,” sealed the deal :-)

Even now, whenever I’m near the old shop, I instinctively start walking toward it — only to remember that an important part of my life is gone forever. But it lives on in my CD collection and my memories.

Table of Contents

• 1) Introduction
• 2) wait3() as a Side Channel in Setuid Programs
• 3) File Existence Test (CVE-2024-0149)
• 4) Bugfix
• 5) CVE Assignment
• 6) Other Packages
• 7) Timeline
• 8) References

1) Introduction

nvidia-modprobe is a setuid-root helper utility for the proprietary Nvidia GPU display driver that loads kernel modules and creates character devices required for userspace GPU access. Normally, drivers do this via udev. However, kernel licensing restrictions prohibit Nvidia’s proprietary kernel module from generating uevents, which are required for udev to work. Therefore this special helper is needed.

We reviewed nvidia-modprobe as part of our whitelisting process, which requires an audit for all newly introduced setuid binaries in openSUSE. The version we reviewed was 550.127.05 and this report is based on that version. Upstream released a bugfix in version 550.144.03 and a security advisory.

2) wait3() as a Side Channel in Setuid Programs

The wait3() system call allows the calling process to obtain status information for child processes, similar to waitpid(). Unlike waitpid(), wait3() also returns resource usage information. The measurements returned by this call include CPU time, memory consumption and lower-level information such as the number of minor and major page faults that occurred during the child’s runtime. See also man 2 getrusage.

Perhaps surprisingly, wait3() also works for setuid sub-processes, leaking quite a bit of information about the behavior of the target program, which is running with elevated privileges.

A convenient way to try this out is GNU Time, a small utility that spawns a target process and prints the output of wait3(), for example:

/usr/bin/time -v nvidia-modprobe

3) File Existence Test (CVE-2024-0149)

In the case of nvidia-modprobe, we can leverage wait3() for a file existence test.

When executed with the option -f NVIDIA-CAPABILITY-DEVICE-FILE (an arbitrary path), nvidia-modprobe performs the following steps:

• attempt to open the supplied path as root
  • if the path does exist:
    • read one or more lines
    • parse each line (implemented safely)
    • exit silently, return code 0
  • if the path does not exist:
    • exit silently, return code 0

It turns out that reading the first line of the supplied path sometimes causes a minor page fault. The number of page faults is not perfectly constant across multiple executions, depending on whether the page mapped by the kernel is dirty or not. However, if the file does not exist, it cannot be read, and therefore no page faults will be triggered. We can execute nvidia-modprobe repeatedly, calculate the median number of page faults, and infer whether the supplied path exists or not, even if the caller does not have the necessary file system permissions.

Simplified example:

$ /usr/bin/time -q --format=%R nvidia-modprobe -f /root/.bash_history
80

$ /usr/bin/time -q --format=%R nvidia-modprobe -f /root/does/not/exist
79

The output fluctuates, but it only takes a few repetitions to get a reliable signal from the median.

4) Bugfix

Upstream published a bugfix. This commit limits the queried path to files below /proc/driver/nvidia before attempting to read from it, eliminating the information leak.

5) CVE Assignment

Upstream assigned CVE-2024-0149 for this issue.

6) Other Packages

Considering the relatively obscure nature of this side channel attack, we decided to briefly look into a couple of other packages exhibiting similar usage patterns:

• shadow
  • chsh: negative
• util-linux
  • mount -T: negative
  • umount: negative
• v4l-linux: positive, but does not require wait3(), and the issue was already known (CVE-2020-1369).

Even though we did not find additional instances of this problem, and the severity of this vulnerability is rather low, it’s still one of many pitfalls to keep in mind when writing or auditing setuid programs.

7) Timeline

8) References

• nvidia-modprobe GitHub repository
• Nvidia security advisory
• Bugfix commit 83b777c
• getrusage(2)

Table of Contents

• 1) Introduction
• 2) Synce4l Synchronous Ethernet Daemon
• 3) Fwupd 2.0 D-Bus and Polkit Changes
• 4) Tuned Revisited
• 5) iio-sensor-proxy Revisited
• 6) systemd-sysupdated D-Bus Service
• 7) AppArmor aa-notify Polkit Policy
• 8) Conclusion
• 9) References

1) Introduction

Winter time is coming to an end (at least in the northern hemisphere, where most of the SUSE security team members are located), and with this we want to take a look back at what happened during the last three months in our team. We have already posted about a number of bigger topics that kept us busy over the winter:

• privilege separation issues in SSSD
• problematic return values in pam-u2f
• authentication bypass in dde-api-proxy
• authentication bypass in pam_pkcs11
• admittance of kio-admin into openSUSE
• problematic log directory permissions in Below
• file existence test in nvidia-modprobe

As usual in the spotlight series, in this post we want to give an insight into some of our work beyond these reports: reviews that did not lead to significant security findings, but still kept us busy and in some cases also led to upstream improvements. The topics again mostly involve Polkit authentication and D-Bus APIs, but we also looked proactively into a piece of networking software that raised our interest.

2) Synce4l Synchronous Ethernet Daemon

Our team is monitoring changes and additions to openSUSE Tumbleweed, most notably systemd services that newly appear in packages. The synce4l package raised our interest, because it contains a daemon which is running with full root privileges and is also networked. The package implements synchronous Ethernet, a low level protocol that basically maintains a shared clock between multiple hosts in an Ethernet subnet.

The project is implemented in the C programming language and consists of about 7.000 lines of code. The sensitivity of C programs to memory handling issues, the fact that the synce4l daemon runs as root and the niche topic of synchronous Ethernet is a mixture that makes it an interesting code review target.

We reviewed the source code in early January and fortunately couldn’t find any issues in it. The attack surface on the network is rather small. Even though by default there is no trust established between participants of the protocol, there is only an integer value exchanged between nodes. Corruption of this value cannot negatively influence a system running synce4l (beyond the protocol itself, naturally). The daemon also creates a UNIX domain socket in /tmp, but access to it is limited to root. The project employs a good coding style and we did not have any concerns left when we were finished with the review.

3) Fwupd 2.0 D-Bus and Polkit Changes

In January the openSUSE maintainer for fwupd packaged the major version 2.0 update, which required a follow-up audit by our team. fwupd is part of most Linux distributions and provides mechanisms to automatically upgrade firmware on the system. The fwupd daemon runs as root and implements a D-Bus interface with Polkit authentication. We have already reviewed it many times when changes to these interfaces have occurred.

Even though this time fwupd has received a major version update, there have only been moderate changes to the D-Bus and Polkit aspects of the software. Generally, the implementation of the D-Bus interface in fwupd is more on the complex side. Polkit authentication is implemented properly, but it is only applied to a subset of the D-Bus methods offered by the daemon. This means that one has to carefully differentiate between the methods that require Polkit authentication, and the ones that don’t require any authentication at all. This is what we did during the review; fortunately we couldn’t find any problems with the unauthenticated methods.

One notable feature that has been added in this fwupd release allows it to run its own dedicated D-Bus instance, likely for lean and mean environments or for use in early boot scenarios, when no system D-Bus is available. When this feature is in use then no Polkit authentication will be performed, likely because no Polkit daemon is present either in this situation. This mode will only be active when the environment variable FWUPD_DBUS_SOCKET is passed to the daemon, however, and should not be reachable in regular installations of fwupd.

There was one new Polkit action org.freedesktop.fwupd.emulation-load, which was allowed for users in a local session without authentication. The corresponding D-Bus method accepts JSON data, either directly or placed in a compressed archive which is passed to the daemon. This is used to load “hardware emulation data” into fwupd. This sounded like a strong privilege for a regular user to have, and thus we inquired upstream if this lax authentication setting was actually necessary. The outcome was that we could raise the authentication requirement to auth_admin, thereby improving security in fwupd.

4) Tuned Revisited

tuned has seen quite a number of changes recently, which also led to a local root exploit finding in November. We received yet another review request in January due to further changes in the area of D-Bus configuration and Polkit actions.

Security-wise there was not much interesting to find in these changes. A number of Polkit actions have been renamed, and tuned optionally provides a drop-in replacement for the UPower D-Bus interface now. We accepted the changes without further ado.

5) iio-sensor-proxy Revisited

iio-sensor-proxy is another package that we already reviewed in the past but that popped up again in January due to changes in its D-Bus configuration. The package provides a D-Bus interface for different hardware sensors like ambient light sensor, accelerometer or proximity sensor. During the review we found that a newly added net.hadess.SensorProxy.Compass.ClaimCompass D-Bus method was unauthenticated, while other similar methods required Polkit authentication.

We reported the issue privately to upstream. The lack of authentication was confirmed and upstream fixed the issue. We did not request a CVE or publish a dedicated report about this, because the impact of the issue is assumed to be low. Such smaller findings still show the usefulness of code reviews that can lead to improvements in upstream code and configuration before software is shipped to openSUSE users.

6) systemd-sysupdated D-Bus Service

In February we received a request to review an experimental systemd component called sysupdated. When reading the program description one could be inclined to think that systemd is now on a quest to replace package managers. The main purpose of this daemon is only to keep container assets and other images up-to-date, however.

sysupdated comes with a larger D-Bus interface protected - in parts - by Polkit. Some read-only properties and method calls are available without Polkit authentication. Systemd components rely on shared code to implement D-Bus services and Polkit authentication. Compared to the last time we had a look into these shared routines, it felt as if the complexity increased quite a lot in this area. You can have a look at this Bugzilla comment to get an impression of the complexities that are involved there these days. One reason for the increased complexity could be the addition of the Varlink IPC mechanism, which can also use Polkit for authentication.

Despite the perceived complexity in the D-Bus and Polkit handling, we couldn’t find any problematic aspects in the implementation. There was one decision to be made about the Polkit action org.freedesktop.sysupdate1.update. The authentication requirements for it are by default set to auth_admin:auth_admin:yes, meaning that users in a local session can update assets managed by sysupdated without authentication. This is also documented in the upstream Polkit policy. This only allows to update assets to the most recent version, not to any specific version nor to downgrade the version. It also doesn’t allow to install any new assets. For this reason we allow updates without authentication in our Polkit easy profile while the other profiles have been hardened to require admin authentication.

7) AppArmor aa-notify Polkit Policy

In February a request arrived to whitelist Polkit actions used by the aa-notify helper which has been added to the AppArmor package. This utility is a graphical program similar to setroubleshoot for SELinux, and allows to identify AppArmor violations and modify the AppArmor profile to allow actions that have been denied.

The two Polkit actions that needed reviewing allow to execute a Python script found in
/usr/lib/python3.11/site-packages/apparmor/update_profile.py via pkexec using a specific command line parameter. This script performs the task of actually modifying the AppArmor profile according to the provided input files. Due to the nature of the script there is no way to execute it safely without admin authentication. This is reflected in the Polkit action settings, which always require auth_admin authorization.

The implementation of the script is a bit peculiar in some ways, and some parts also seem incomplete. The one aspect that was important to check here was that the script must not act in dangerous ways on the file system, e.g. by using unsafe temporary files or by writing to locations that are under control of unprivileged users. We could not find issues of this kind at the time we reviewed it.

As the script can only be invoked with admin credentials and since there is no legit use case to lower this authentication requirement, we did not dig a lot deeper here and accepted the new Polkit policy. We want to keep an eye on this script, however, since it has some potential to be changed in ways that could harm the local system security.

8) Conclusion

Once more, we hope that with this post we have been able to give you some additional insights into our daily review work for openSUSE and SUSE products. Feel free to reach out to us if you have any questions about the content discussed in this article. We expect the spring issue of the spotlight series to be available in about three months from now.

9) References

• synce4l review bug
• fwupd 2.0 review bug
• tuned review bug
• iio-sensor-proxy review bug
• systemd-sysupdated review bug
• AppArmor aa-notify review bug

Recently we enabled nightly syslog-ng builds and container builds for arm64. It means that from now on, you can run the latest syslog-ng on 64bit ARM platforms. For this test, I used a Raspberry Pi 3 running the latest Raspberry Pi OS. As I use Podman everywhere else (I am an openSUSE / Fedora guy), I also installed it here for container management.

Read more at https://www.syslog-ng.com/community/b/blog/posts/nightly-arm64-syslog-ng-container-builds-are-now-available