
the avatar of Open Build Service

Introducing Labels and Bug Report Links

We’ve introduced several new features in OBS designed to foster collaboration among OBS users: customized labels for better organization, custom links for your bug tracker, and Markdown formatting for project/package descriptions. These features are intended to give you more insight into your work, helping you stay focused on what matters most. They are part of the Foster Collaboration and Labels beta programs; you can find more information about the beta program here. Introduction...


SUSE Security Team Spotlight Summer 2024

Introduction

Our blog has been silent for a few months, since we did not make any major security findings during this time. Still, our team has not been inactive. A lot of time is spent looking into programs where no notable security issues are found, or discussing improvements in their software with upstream developers. This is the first edition of the SUSE security spotlight, a post that aims to give a quick overview of recent activities in the area of code reviews and of the proactive security efforts in our team.

Deepin File Manager D-Bus Service

Deepin is a Linux desktop environment with a focus on support for the Chinese language. Many parts of Deepin have already been reviewed by us and have been accepted into openSUSE distributions, often after various security findings have been addressed. The review for Deepin’s file manager D-Bus service has been going on for years without bearing fruit, though.

The review is kind of a moving target, since upstream only partly fixes the issues we report, drops some of the problematic code, but also comes up with new code that sometimes even contains new issues. The file manager service was initially missing any form of Polkit authentication, granting dangerous operations to any actor in the system. We decided not to request CVEs at the time, because there was no end of issues in the service and keeping track of all of them seemed like a waste of precious time for such a broken service. A party unknown to us did obtain CVE-2023-50700 for the missing Polkit authentication in the meantime, though.

We revisited the service recently since the package maintainer told us that a new version with fixes was available. Sadly there are still too many issues left to accept the package into openSUSE.

Deepin App Services (Config Manager)

Another Deepin component that is waiting to be allowed into openSUSE is the Config Manager D-Bus service, which is part of a project called Deepin App Services. There is a review that has been in progress for a while now, and that we have revisited a couple of times. So far we found three different ways to achieve path traversal to trick the D-Bus service into processing untrusted files outside the intended system configuration directory.

Upstream fixed these issues one by one as we reported them. Currently we are still waiting for cleanup in the packaging; otherwise we believe the service can soon be added to openSUSE Tumbleweed.

KDE6 Release Final Touches and Improvements

Since the large post we did about the KDE6 release, a couple of improvements have been achieved. The DrKonqi D-Bus component has been improved by upstream, and the new release is by now included in openSUSE Tumbleweed as well. Also, after longer discussions and tests, upstream merged changes to KAuth that allow passing open file descriptors to KAuth helpers. The necessary changes have been rather small in the end, and the change should allow implementing more robust KDE authentication helpers in the future.

Review of SUSE’s OpenSSH Downstream Patches

In the light of the discovery of the XZ library backdoor for OpenSSH, we decided to have a closer look into the shape of the integration of OpenSSH into our products. As part of this endeavor we did a detailed review of all the patches we currently apply to the upstream OpenSSH codebase.

Since OpenSSH is a sensitive, sometimes complex and also old component, quite a history of patches has piled up by now. The good news is that nothing truly problematic was found in the patches during the review. We will attempt to upstream as many of these patches as possible to avoid having to maintain them on our end, and to let all users of OpenSSH profit from the changes. This is a long-term effort though, that will take its time.

Review of Croc Upstream Bugfixes

Croc is a file sharing utility that allows arbitrary parties to exchange data “easily and securely”. In September 2023 we published a series of security issues that we identified in this utility. The cooperation with the upstream author proved somewhat difficult, until in May 2024 bugfixes arrived. Only with some delay have we been able to check up on the fixes. Most of them are addressed by now, except for two:

Revisit of Backintime D-Bus Service

Backintime is a backup software that ships a D-Bus helper service. We reviewed it quite a long time ago in 2017. D-Bus configuration paths recently changed in the package, which was an occasion to revisit the software and check that it is still sane. Nothing relevant changed in the D-Bus component though, so we went ahead with adapting our whitelistings for this service.

KDE Plasma Kameleonhelper Service for RGB LED Controls

Kameleonhelper is a KDE6 add-on D-Bus service that configures RGB LEDs (like on gaming keyboards) to match the KDE desktop’s color scheme. We performed a review of the service, since its addition to openSUSE was requested. The service basically only tunes some files in SYSFS for adjusting the RGB values of compatible devices. The single exposed D-Bus method is accessible to locally logged-in users without further authentication.

A typical danger in such services is path traversal, i.e. that paths outside of the intended SYSFS location can be written to. Luckily, no such problems were found in this D-Bus service. There were a few quirks in the code, though, that have been addressed by a merge request by now.
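The containment check that both the Config Manager review and the Kameleonhelper review revolve around, as an added example in C (not code from Deepin, KDE or SUSE): a privileged D-Bus helper receives a relative path from an unprivileged caller and must only ever touch files below one fixed directory. The function name, the use of realpath(), and the test directory layout are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if `untrusted` (a relative path supplied by a D-Bus caller)
 * resolves, after ".." collapsing and symlink following, to something
 * strictly below `base`; 0 otherwise. On success the canonical path is
 * copied to `out`. realpath() needs base and target to exist, which suits
 * a service that only processes existing configuration or sysfs files. */
int path_within_base(const char *base, const char *untrusted,
                     char *out, size_t outlen)
{
    char canon_base[PATH_MAX], joined[PATH_MAX], canon[PATH_MAX];
    size_t blen;

    /* An absolute path from a caller is never acceptable; reject it early. */
    if (base == NULL || untrusted == NULL || untrusted[0] == '\0' || untrusted[0] == '/')
        return 0;
    if (realpath(base, canon_base) == NULL)
        return 0;
    if (snprintf(joined, sizeof joined, "%s/%s", canon_base, untrusted) >= (int)sizeof joined)
        return 0;
    /* The canonical form catches "../../etc/shadow" as well as a symlink
     * planted inside base that points outside of it. */
    if (realpath(joined, canon) == NULL)
        return 0;
    /* The prefix match must end on a component boundary, so that base
     * "/srv/conf" does not accept "/srv/conf2/x"; base itself is rejected too. */
    blen = strlen(canon_base);
    if (strncmp(canon, canon_base, blen) != 0 || canon[blen] != '/')
        return 0;
    /* Caller should open `out` promptly and fstat() the descriptor; a check
     * followed much later by an open is still a time-of-check/time-of-use gap. */
    if (out != NULL) {
        if (strlen(canon) >= outlen)
            return 0;
        strcpy(out, canon);
    }
    return 1;
}
```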

OpenVPN Data Channel Offload (dco) Linux Kernel Module

An out-of-tree kernel module for OpenVPN has been added to openSUSE, which raised security concerns. The purpose of the kernel module is to accelerate OpenVPN network I/O and its encryption operations, by performing the tasks in kernel space.

The codebase of the module is of medium size. Only users with root permissions are allowed to use the socket APIs exposed by the kernel module. The local system security should not be weakened by this. Regarding the processing of network packets from remote parties, the code also looks sensible. The involved kernel frameworks provide a good base to prevent most bad things from happening. Although packet headers for IP, TCP and UDP are touched directly in some spots, the majority of the code is concerned with just opaque processing of the data for encryption/decryption and forwarding it between related parties. We could not identify any issues in the module’s code.

Emacs Games setuid/setgid Highscore Sharing Helper

Playing games in your favorite editor and sharing your highscore with other users on the system? If that brings back good old memories to you then this review is just for you. We have been asked to accept a setgid-games highscore helper program for the Emacs editor into the distribution. We always thought that using setuid binaries for sharing highscores was just an academic example from UNIX programming textbooks. But such a program actually exists, and it is already over 20 years old.

The source code for this program is rather naive and lacks protection against many of the problematic aspects of setuid/setgid programs: sanitization of environment variables, sanitization of the process’s umask, proper verification of input path arguments, and other issues. Even if all these problems were fixed, the current program design does not offer any kind of protection against arbitrary manipulation of game scores, or against filling up the file system with insanely large highscore files.
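The protections listed above, written out as an added example in C (not the Emacs helper’s code): start-up hygiene for a setgid-games highscore helper, a strict game-name check, and an append routine with a size cap. The function names, the score directory layout, and the size limits are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_NAME_LEN        64          /* constructed limits for this example */
#define MAX_LINE_LEN        256
#define MAX_SCOREFILE_BYTES (64 * 1024)

/* Reset inherited state a setgid program must not trust: the environment,
 * the umask, and possibly closed standard descriptors (otherwise the score
 * file could be opened as fd 2 and receive our own error output). */
void sanitize_process(void)
{
    int fd;
    clearenv();                       /* drops LD_*, PATH, locale tricks */
    umask(022);                       /* scores world-readable, owner-writable */
    while ((fd = open("/dev/null", O_RDWR)) >= 0 && fd <= 2)
        ;                             /* fill any closed fd 0..2 */
    if (fd > 2)
        close(fd);
}

/* A game name must be one plain path component of bounded length. */
int valid_game_name(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > MAX_NAME_LEN || !strcmp(name, ".") || !strcmp(name, ".."))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (name[i] == '/' || (unsigned char)name[i] < 0x20 || name[i] == 0x7f)
            return 0;
    return 1;
}

/* Append one line to <dir>/<game>: 0 on success, -1 if the name is rejected,
 * the target is a symlink or not a plain file, or the size cap is exceeded. */
int append_score(const char *dir, const char *game, const char *line)
{
    size_t len = strlen(line);
    struct stat st;
    if (!valid_game_name(game) || len == 0 || len > MAX_LINE_LEN)
        return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* O_NOFOLLOW: a symlink planted in the score directory is not followed. */
    int fd = openat(dfd, game, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    close(dfd);
    if (fd < 0)
        return -1;
    /* Check the opened descriptor, not the name, to avoid a swap in between. */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1
             && st.st_size + (off_t)len <= MAX_SCOREFILE_BYTES;
    if (ok)
        ok = write(fd, line, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}
```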

We don’t believe that there are many users left on earth that actually want to share highscores on a multi-user system this way. We thus rejected the request to include this program with a setgid-games bit. Any users that want to use this feature can manually assign the required bit e.g. by using the openSUSE permissions settings.

Summary and Outlook

With this post we want to offer an insight into the everyday business of the proactive SUSE product security team. Even when we don’t have any actual CVEs to report, we are constantly investing resources into open source security in various ways: by revisiting software we already reviewed in the past, by performing code reviews that yield no major problems, by having follow-up discussions with upstream about bugfixes, or by rejecting components that aren’t considered healthy for the security stance of our products.

We are planning to make a series of blog posts of this kind in the future, to highlight some of our efforts that would otherwise not be well visible. Note that this series focuses on the work of the proactive SUSE security team. There is also the reactive SUSE security team, which monitors and manages CVEs and security issues in SUSE products to make sure that SUSE customers and openSUSE users always get the latest security fixes; that area warrants its own series of blog posts, and we’re considering providing something in this direction as well in the future.


Tumbleweed – Review of the week 2024/32

Dear Tumbleweed users and hackers,

Despite the summer vacation period being in full swing, there is enough throughput to produce snapshots. During the last week, we created 6 of them, of which 5 could be published (The failed one was held back due to issues uncovered with Mesa 21.1.5, see https://bugzilla.opensuse.org/show_bug.cgi?id=1228164 for details).

The five delivered snapshots (0803, 0805, 0806, 0807, and 0808) contained these changes:

  • GCC 14.2
  • GStreamer 1.24.6
  • libzypp 17.35.9
  • Shim 15.8
  • Linux kernel 6.10.3
  • libxml 2.12.9
  • Procps 4 (no longer as an alternative, but as a native replacement of procps 3.x)
  • fwupd 1.9.23
  • GNOME 46.4
  • KDE Plasma 6.1.4

Staging projects are currently busy building test distributions and running QA on these changes:

  • glibc 2.40
  • Rust 1.80
  • KDE Frameworks 6.5.0
  • cURL 8.9.1: breaks test suites of libzypp and python-tornado6
  • nftables 1.1.0: openQA is far from happy; nftables’ python bindings seem not to work
  • go 1.22 as default: only transactional-update-notifier seems to be blocking
  • Switch the default ffmpeg version from 6 to 7: xine-lib as the only blocker. A submit request is pending for the development project
  • dbus-broker: some progress was made last week; most QA tests are fine, there is just a race condition on shutdown (likely not new, but dbus-daemon might have waited longer to report it, by when the system had completely shut down and the error has been ‘swallowed’)
  • GCC 14: phase 2: use gcc14 as the default compiler – lots of help needed: https://build.opensuse.org/project/show/openSUSE:Factory:Staging:Gcc7

the avatar of Nathan Wolf

Steam Store Blank Fix on openSUSE

I had a mild annoyance when trying to browse the Steam store on multiple machines. The screen was just blank. I didn’t do anything about it immediately because I could browse the store on Firefox. What was also weird is that although the Community and my user page were also blank, the library was not. […]


On teaching sudo

A few weeks ago I was in Lille, France for Pass the SALT, a conference focused on open-source software and security, and gave a training on sudo. Ever since the conference, I’ve been approached by people asking if I could give sudo training(s) for or through their organization. Instead of writing a short answer to everyone in private, here is a more detailed public response.

The short answer: it depends :-)

The long answer is a bit more complicated, but it’s well summarized in the short answer. Why?

First of all: I am not a trainer. Yes, I taught various subjects at university level, both as a graduate and as a PhD student. Along the way, I also provided introductory Linux training for banks and various certificate preparations. However, it was a long time ago in the galaxy. Yes, I can teach, but it is not my primary focus.

I am an open-source contributor, evangelist, and product guy. Sharing knowledge, training, teaching, call it whatever you want, is just a small part of my job and my interests. Both as an evangelist and as a product guy, learning from my audience is equally important. Visitors of the Pass the SALT conference are very open to discussions, both during the training and in the hallway. Many of the sudo 1.9 features were born from discussions at this conference. Unfortunately, a traditional teacher-student setup, especially if it is in a virtual classroom, makes this two-way communication and learning impossible. I am more of a product guy than a teacher, so I’m not that interested in simply teaching. You can find my article on the evangelist mindset at: https://opensource.com/article/21/1/open-source-evangelist

Secondly: I am not a sudo expert. Yes, I know some of the most advanced sudo features. I helped design, test, and report issues for some of them. However, I’m not a practicing sysadmin anymore. I know the basics of sudo, and some of the most advanced or most recent features, but not much in between. Over 90% of the people at my sudo talks and trainings have never heard about the advanced features I talk about, and most of them go home planning to test at least some of them in their environments. On the other hand, unlike me, they have solid sudo foundations. They are interested in the advanced stuff.

TL;DR: I am very happy to go to conferences in real life, where I have a chance to have two-way communication with the audience, where I do not have to teach the basics, and where it is not just teaching, but also a discussion with active sudo users.

If you still think that I can be of any help for you, you can contact me on LinkedIn, Twitter, and Mastodon. You can find more details in the upper right corner of my blog.

PS: if you are a BSD guy, come to my training session at the EuroBSD conference: https://events.eurobsdcon.org/2024/talk/FLCHU3/


the avatar of Open Build Service

New Feature! - Unified Page to List Requests Across OBS

We kicked off a new feature in OBS. The goal is to have a unified way of listing requests for all the different places like packages, projects and what is currently found under “Tasks”. We started this by porting some of the core functionality of the “Tasks” page to the new unified version with a couple of search and filter options. The Request Index feature is part of the beta program and the requests list...


Freedesktop Specs Website Update

The Freedesktop.org Specifications directory contains a list of common specifications that have accumulated over the decades and define how common desktop environment functionality works. The specifications are designed to increase interoperability between desktops. Common specifications make the life of both desktop-environment developers and especially application developers (who will almost always want to maximize the number of Linux DEs their app can run on and behave as expected, to increase their app’s target audience) a lot easier.

Unfortunately, building the HTML specifications and maintaining the directory of available specs has become a bit of a difficult chore, as the pipeline for building the site has become fairly old and unmaintained (parts of it still depended on Python 2). In order to make my life of maintaining this part of Freedesktop easier, I aimed to carefully modernize the website. I do have bigger plans to maybe eventually restructure the site to make it easier to navigate and not just a plain alphabetical list of specifications, and to integrate it with the Wiki, but in the interest of backwards compatibility and to get anything done in time (rather than taking on a mega-project that can’t be finished), I decided to just do the minimum modernization first to get a viable website, and do the rest later.

So, long story short: Most Freedesktop specs are written in DocBook XML. Some were plain HTML documents, some were DocBook SGML, a few were plaintext files. To make things easier to maintain, almost every specification is written in DocBook now. This also simplifies the review process, and we may be able to switch to something else like AsciiDoc later if we want to. Of course, one could have switched to something other than DocBook, but that would have been a much bigger chore with a lot more broken links, and I did not want this to become an even bigger project than it already was; I wanted to keep its scope somewhat narrow.

DocBook is a markup language for documentation which has been around for a very long time, and therefore has older tooling around it. But fortunately our friends at openSUSE created DAPS (DocBook Authoring and Publishing Suite) as a modern way to render DocBook documents to HTML and other file formats. DAPS is now used to generate all Freedesktop specifications on our website. The website index and the specification revisions are also now defined in structured TOML files, to make them easier to read and to extend. A bunch of specifications that had been missing from the original website are also added to the index and rendered on the website now.

Originally, I wanted to put the website live in a temporary location and solicit feedback, especially since some links have changed and not everything may have redirects. However, due to how GitLab Pages worked (and due to me not knowing GitLab CI well enough…) the changes went live before their MR was actually merged. Rather than reverting the change, I decided to keep it (as the old website did not build properly anymore) and to see if anything breaks. So far, no dead links or bad side effects have been observed, but:

If you notice any broken link to specifications.fd.o or anything else weird, please file a bug so that we can fix it!

Thank you, and I hope you enjoy reading the specifications with better rendering and a more coherent look! 😃

the avatar of openSUSE News

openSUSE Asia Summit Logo Competition Announcement

The votes are in, and the openSUSE Asia Summit Organization Committee is pleased to announce the winner of the openSUSE.Asia Summit 2024 logo competition.

The openSUSE Asia Summit Organization Committee would like to extend our heartfelt gratitude for your invaluable contributions to the openSUSE.Asia Summit 2024 Logo Competition.

Choosing this year’s logo was tough because every submitted work was excellent, and the top three received equal votes.

We have finally decided to select Bayu Aji’s work from Indonesia as the logo of openSUSE.Asia Summit 2024.

Congratulations, Bayu! The winner will receive a special “Geeko Mystery Box”.

This year’s competition attracted 7 fantastic submissions from around the globe. The designs were all exceptional, and the votes were cast by the openSUSE.Asia Committee and Local Team. We sincerely thank everyone who participated in the voting process.

We would also like to express our appreciation to all the participants in the logo competition: Haruo Yoshino, Goofy Scalar, Kukuh Syafaat, Nikita Tripathi, and Daniel Galleguillos Cruz. We look forward to seeing you at the Summit!


Tumbleweed – Review of the week 2024/31

Dear Tumbleweed users and hackers,

As happens every now and then, there are weeks when we build more snapshots than we publish. That’s exactly what happened during this week. We held back two snapshots: one due to kernel 6.10, which behaved very strangely on QXL graphics, and the second one due to systemd 256 vs. kiwi fights, where the initrd is now extra protected and made some kiwi features misbehave, incl. self-install on MicroOS. So these were at least some things openQA could protect our users from. Unfortunately, some issues with systemd and Aeon have remained unnoticed (see https://bugzilla.opensuse.org/show_bug.cgi?id=1228659).

Besides all this, we have released 4 snapshots during this week (0726, 0730, 0731, and 0801), containing these updates:

  • Qemu 9.0.2
  • bind 9.20.0
  • AppArmor 4.0.2
  • cURL 8.9.0
  • Linux kernel 6.10.2
  • 389-ds 3.1.1
  • Mozilla Firefox 128.0.3
  • git 2.46.0
  • sysuser-tools 3.3
  • cryptsetup 2.7.4

The staging areas are currently filled with these packages, many of them almost ready to be shipped:

  • Mesa 24.1.5
  • GStreamer 1.24.6
  • GCC 14.2.0
  • cURL 8.9.1: breaks test suites of libzypp and python-tornado6
  • glibc 2.40: The only build failure left is samba
  • Rust 1.80: virtiofsd is the one holding up here
  • nftables 1.1.0: openQA is far from happy; nftables’ python bindings seem not to work
  • go 1.22 as default: only transactional-update-notifier seems to be blocking
  • Switch the default ffmpeg version from 6 to 7: mostly xine-lib and qt*-webengine failing; forcibly using older versions is still possible, as many packages are explicitly still on ffmpeg-4
  • dbus-broker: some networking issue after upgrades left to work out
  • GCC 14: phase 2: use gcc14 as the default compiler – lots of help needed: https://build.opensuse.org/project/show/openSUSE:Factory:Staging:Gcc7