
the avatar of openSUSE Heroes

Fixed security issue that affected tsp.opensuse.org

Hi,

We were contacted by Lukas Euler from Positive Security, who informed us that the Travel Support Program (TSP), the application we use to reimburse the costs of traveling to events that are organized by the project or where you can promote it, had a significant security flaw that impacted our and others' production systems. We have since patched the vulnerability, contacted other organizations that also use the software, and spent some time writing a script to parse our logs in order to assess the impact. Over the span of the last 2 years the flaw has not been abused, apart from a script written by Lukas that read contents of the production database via brute force.

The what & the how

In essence, the flaw allowed an attacker to tell whether an arbitrary string is present in the database, table by table, by observing the size of the response to a request whose query contains that string. Let me illustrate:

Observe the following requests:

"GET /events.json?q[end_date_gteq]=0&q[name_eq]=Open Mainframe Summit&q[requests_comments_body_cont]=a HTTP/1.1" 200 516
"GET /events.json?q[end_date_gteq]=0&q[name_eq]=Open Mainframe Summit&q[requests_comments_body_cont]=aa HTTP/1.1" 200 12
  • /events.json is our public API endpoint, which lists all the events ever created on the instance
  • end_date_gteq matches events whose end_date is greater than or equal to what follows the equals sign
  • name_eq matches events whose name is equal (not case sensitive) to what follows the equals sign
  • requests_comments_body_cont matches an event if any comment body, in any of the requests created for that event, contains what follows the equals sign

As you can see, the two requests have wildly different response sizes (the last number): the one with 516 B returned a body containing the details of the event, while the second one with 12 B did not, because no comment body in any request associated with that event matched the string 'aa'. Since every reimbursement request has to have an event attached to it, you could find the contents of every comment in the database if you spent the time going through it character by character. Of course, the comments are the least of our worries in an application that deals with addresses and bank information. Bank information is attached to a reimbursement, which is mapped directly onto a request, so that's easy enough to find. You could find users through any object created by them (comments, reimbursements, requests), and from there you have an easy time getting to address information.

The why

By default, the Ransack library that we use for querying various objects in the frontend allows querying any association of those objects. We didn't limit the scope of associations or columns that could be accessed through it. Since all the objects within the TSP database are associated with each other in some way or another, that gave just about anybody access to the entire database.

Here's some documentation on the subject:
https://activerecord-hackery.github.io/ransack/going-further/associations/
https://activerecord-hackery.github.io/ransack/getting-started/search-matches/

And the way to fix the scopes that ransack can access:
https://activerecord-hackery.github.io/ransack/going-further/other-notes/#authorization-allowlistingdenylisting
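As an added illustration of the two requests quoted above and of the allowlisting fix (this is not the TSP project's code nor the log-parsing script mentioned earlier), the following Python scans access-log lines for Ransack q[...] predicates outside a hypothetical per-endpoint allowlist and reports the character-by-character probing pattern together with the response-size side channel. The allowlist, the IP addresses and the log lines themselves are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Hypothetical allowlist of predicates /events.json needs; any other q[...] key is association traversal.
ALLOWED_KEYS = {"q[end_date_gteq]", "q[end_date_lteq]", "q[name_eq]", "q[name_cont]"}
# Combined-log style line; the target is matched lazily since the quoted requests carry unencoded spaces.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>.+?) HTTP/[\d.]+" \d{3} (?P<size>\d+)')
# Constructed sample log (documentation IPs): three probing requests, then one benign search.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2023:10:00:01 +0000] "GET /events.json?q[end_date_gteq]=0&q[name_eq]=Open Mainframe Summit&q[requests_comments_body_cont]=a HTTP/1.1" 200 516
203.0.113.7 - - [05/Jan/2023:10:00:02 +0000] "GET /events.json?q[end_date_gteq]=0&q[name_eq]=Open Mainframe Summit&q[requests_comments_body_cont]=aa HTTP/1.1" 200 12
203.0.113.7 - - [05/Jan/2023:10:00:03 +0000] "GET /events.json?q[end_date_gteq]=0&q[name_eq]=Open Mainframe Summit&q[requests_comments_body_cont]=ab HTTP/1.1" 200 516
198.51.100.4 - - [05/Jan/2023:10:05:00 +0000] "GET /events.json?q[end_date_gteq]=0&q[name_cont]=Summit HTTP/1.1" 200 516
"""

def parse_line(line):
    """Return ip, path, decoded query dict and response size, or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "path": parts.path, "size": int(m.group("size")),
            "query": dict(parse_qsl(parts.query, keep_blank_values=True))}

def suspicious_keys(query):
    """Ransack keys outside the allowlist, e.g. q[requests_comments_body_cont]."""
    return sorted(k for k in query if k.startswith("q[") and k not in ALLOWED_KEYS)

def find_oracle_probes(log_text):
    """Per (ip, path, non-allowlisted key): count values that extend an earlier value by one
    character (a character-by-character walk) and note whether response sizes differ."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for key in suspicious_keys(entry["query"]):
            groups[(entry["ip"], entry["path"], key)].append((entry["query"][key], entry["size"]))
    findings = []
    for (ip, path, key), probes in groups.items():
        seen, extensions = set(), 0
        for value, _ in probes:
            if value[:-1] in seen:  # "ab" after "a": one more character tried
                extensions += 1
            seen.add(value)
        findings.append({"ip": ip, "path": path, "key": key, "probes": len(probes),
                         "prefix_extensions": extensions, "size_varies": len({s for _, s in probes}) > 1})
    return findings
```

Any non-allowlisted key is already a finding on its own; the prefix-extension count and the size variation only tell you how far a walk through the data got.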

How we fixed it:
https://github.com/openSUSE/travel-support-program/commit/d22916275c51500b4004933ff1b0a69bc807b2b7

Github Advisory:
https://github.com/openSUSE/travel-support-program/security/advisories/GHSA-2wwv-c6xh-cf68

Huge thanks to Lukas and the Positive Security team for letting us know about this, we wouldn't have known about this without you, and our data would have been in jeopardy.

the avatar of Nathan Wolf

Ender3 Ikea Lack Table Printer Enclosure

The Ender3 is seemingly a fantastic, inexpensive, entry-level machine to get you started in the wondrous world of 3D printing. I would hardly call it one of the most high-quality, feature-rich machines out there, but the incredible affordability is what makes it a great starting place. This wasn’t the first 3D printer I became familiar with […]


openSUSE Tumbleweed – Review of the week 2023/01

Dear Tumbleweed users and hackers,

Almost 2% of 2023 is already behind us. Week 1 is, from experience, always a rather quiet week. Many contributors are still with their families or are just stretching their vacation a little. But, of course, only ‘many’ and by far not all. Tumbleweed managed to release 7 snapshots since the last review (1230, 1231, 20230101…20230105).

The main changes shipped were:

  • Qt5 qtwebengine 5.15.12
  • Mesa 22.3.2
  • xorg-x11-server 22.1.6
  • Linux kernel 6.1.2
  • Poppler 23.01.0
  • xz 5.4.0
  • ImageMagick 7.1.0.57

Staging projects start to be more filled up again, mostly with a lot of python-* updates (too many to list). The main updates sticking out are:

  • Python pytest 7.2.0
  • Meson 1.0.0
  • KDE Plasma 5.26.5
  • Linux kernel 6.1.3
  • GnuPG 2.4: breaks gpgme:qt and seahorse (fix for seahorse in the queue)
  • Libzypp 17.31.7: PackageKit fix arrived
  • Python Sphinx 6.1
  • Boost 1.81.0: breaks libetonyek and LibreOffice
  • Ruby 3.2 is being tested to become the default ruby version: YaST is failing
  • Switch to openSSL 3: tracked in Staging:N

the avatar of Zoltán Balogh

Build system statistics

From time to time we should ask ourselves how we are doing. Are we successful, are we on the right track, are we heading in the right direction, are we fast enough, are we accelerating or slowing down?

This time I am talking about the openSUSE Linux Distribution and about the SUSE Linux Enterprise Server.

And here I would quickly like to note an important disclaimer with a short story.

the avatar of Just Another Tech Blog

Group Policy on Linux

I’ve completed the first version of a book of instructions to use Samba’s client Group Policy. You can download a pdf or ebook here, purchase a print copy from Amazon, or you can read the web version. I’m only charging printing cost for the physical book (in accordance with the license). Digital copies are all free.

The purpose of the book is to provide detailed instructions to get folks up and running using Samba’s client Group Policy. I’ve received numerous requests for help on the mailing lists, and many of the questions are simple ones. Previously none of this information was documented well anywhere.

If you encounter problems getting set up, or find errors in the book, please contact me. You can also contribute to the book if you wish.

the avatar of Open Build Service

Post-mortem: Downtime on January 5, 2023

Some maintenance operations caused a long downtime on our reference server. In the lines below you will find a detailed explanation of what happened.

Impact

Our reference server was offline for around 2 hours. The application responded with a maintenance message or with a 503 HTTP error (Service Unavailable). No one was able to work with the API or web interface during that time.

Root Causes

It is common to perform updating operations in our...

the avatar of Nathan Wolf

HP EliteBook RAM Upgrade and Blatherings

A few weeks ago I started to notice some problems with my computer and ultimately discovered that it had a RAM failure. It wasn’t quite obvious to me that the RAM was failing until I did some digging. I have previously written about that time-vacuum of an experience. Thinking the worst, that the larger […]

the avatar of Nathan Wolf

HP EliteBook RAM Failure

In all my time using computers, I haven’t had a memory failure since the late 80s on a Commodore 64, which was likely caused by a static discharge. Every computer since, laptop or desktop, traveling around the world, has not seen any sort of memory issue. I’ve gone through hard drives, replaced screens, keyboards and touch […]

the avatar of danigm's Blog

Hackweek 2023

Hack Week is the time SUSE employees experiment, innovate & learn interruption-free for a whole week! Across teams or alone, but always without limits.

This year the Hack Week was this week, the last week of January, and for my first SUSE Hack Week I decided to work on something fun, LILS.

Linux Immersive Learning System (LILS)

I don't think that this is a good name, but don't focus on it. The main idea of this project is to create some basic machinery to be able to write "interactive" tutorials or games using the INK language.

This is not an original idea; indeed, all I've done is something that's currently working on EndlessOS and was the main idea behind the dead project Hack Computer; you can even take a look at the Hack app on Flathub. But I wanted to work around this and create something simpler, from scratch.

I wanted to build something simple, with just Python, and make it simple enough to be able to build other tools on top. The design is simple: an INK parser with a simple game runner. In the INK script you can define commands, to do something special, and wait for events with listeners, to wait for an event in the OS before continuing.

With this basic functionality it's possible to build different user interfaces for different environments. The original idea was to make the commands and listeners extensible with a simple API, but that's something I have not done yet; it's all Python functions without an extension point.

The code can be found on GitHub.

The INK parser

The most complex part of this project is the INK language parser. The Ink parser is free software and there's a Linux version that you can use to parse and compile to JSON, but I wanted to create my own parser with Python.

I've spent most of the Hack Week time fighting with the parser, and indeed that was the most challenging and fun part, because I've not worked a lot with parsers and it's not as easy as pie 😛️.

I remember creating a Java compiler a long time ago, when I was at Seville University, for the Language Processors course. We did that with ANTLR, so starting from that and looking for a Python lib, I found the Lark project. So if you like regular expressions, writing a grammar is a lot more FUN.

At the end I was able to support some basic INK language with support for:

  • Text
  • Tag support
  • Options, with suppress text support
  • Knots, Stitches and Diverts
  • Include other .ink files
  • Variable definition and basic operations
  • Knots and Stitches automatic visiting count variables
  • Conditional options using variables

It still fails in some cases: comments and TODOs placed in between text are not detected correctly, and there's a lot of complex stuff that's not supported yet, but with what's supported right now it's possible to create complex scripts with loops and complex game graphs, so it's good enough to build games with.

GNOME shell extension

To integrate with the system I've done a simple GNOME Shell extension. The extension just shows the text as bubbles and options as buttons; it's really simple and I had no time to make it ready to be used, but I was able to make something usable.

To be able to run the LILS Python library from gjs I've created a simple D-Bus service that exposes the basic InkScript class functionality as a D-Bus API.

I was thinking about being able to change the desktop background depending on the value of a background variable in the script, and to do something similar to play music and sounds, so it could be a cool game engine with some additions.

SUSE Hack Week

So this Hack Week was really fun and I learned a lot. It's really great that SUSE does things like this, letting us work on different projects for a week, to learn, to grow, or to just explore different paths.