

Quantum-Resilient Cryptography in the openSUSE Ecosystem

It is with great joy that I officially announce the release, in the openSUSE family (Leap and Tumbleweed), of a new package focused on post-quantum cryptography, that is, cryptography designed to resist attacks by quantum computers.

The libzupt library is designed to offer encryption and decryption of files and of binary data in memory, using a hybrid approach that combines ML-KEM-768 with X25519.


libzupt, created by Alessandro de Oliveira Faria, is a modern SDK that simplifies the adoption of post-quantum cryptography in real-world applications. Currently, it has initial support for C++, Python, and Java, with Node.js support (under development). Its goal is to make the implementation of advanced cryptographic mechanisms accessible without compromising usability for developers.

The project originates from the Zupt initiative, conceived by Cristian Cezar Moisés. As a tribute, the library inherited the name of the original project. Zupt, in turn, is a compression and backup tool that already incorporated advanced concepts such as authenticated AES-256 encryption and post-quantum key encapsulation.

The motivation behind libzupt is directly linked to the evolution of modern cryptography. The ML-KEM algorithm was standardized by NIST on August 13, 2024, as a secure key encapsulation mechanism for post-quantum scenarios. It allows keys to be established securely even over insecure channels, anticipating future threats.

Below is a simple example of using libzupt in Python:

import zupt

# keypair: an ML-KEM-768 + X25519 hybrid keypair generated beforehand. The
# generation call is not shown in the original snippet, so it is assumed here.
encryptor = zupt.Encryptor(keypair.public_key)
message = b"Hello, Post-Quantum World! This is a secret message."
# encrypt() returns the ciphertext together with an encapsulation header
# (enc_header) that the recipient needs to recover the message.
ciphertext, enc_header = encryptor.encrypt(message)

The main benefit of providing this library natively in openSUSE is that it lets existing applications prepare for a scenario in which quantum computers running Shor’s algorithm could break the classical public-key algorithms in use today.

By combining traditional cryptography with mechanisms resistant to quantum computing, libzupt adds a strategic layer of protection. This enables the development of more resilient systems, ensuring the confidentiality and integrity of data in the long term, even in the face of technological evolution.

For more information, go to software.opensuse.org or the source repository.


Planet News Roundup

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from April 17 to 23.

Blogs this week cover a Tumbleweed weekly review delivering seven snapshots with notable updates including GNOME 50, KDE Plasma 6.6.4, and Linux kernel 6.19.12. The week also features the venue announcement for openSUSE.Asia Summit 2026 in Yogyakarta, a SUSE Security Team winter spotlight, performance tuning improvements in syslog-ng, a hands-on look at Cockpit as a YaST replacement, and more.

Here is a summary and links for each post:

Kookbook Updates to Version 0.3.0

The KDE Blog covers the 0.3.0 release of Kookbook, a recipe management application created by KDE developer Sune Vuorela. The update brings minor bug fixes along with a migration to Qt6. The application stores recipes as Markdown files and offers ingredient indexing, tag-based organization, and flexible synchronization through external tools like Git or Nextcloud.

Testing Cockpit, the YaST Replacement in openSUSE Tumbleweed

Victorhck in the Free World explores Cockpit, the web-based system management tool that is replacing YaST in openSUSE. After installing the cockpit-client-launcher and resolving missing GTK dependencies, the author found the interface clean and well-organized with familiar configuration options alongside modern features for managing storage, networks, and software repositories.

New Performance Tuning Possibilities in syslog-ng

Peter Czánik’s Blog discusses performance enhancements coming to syslog-ng 4.12 that achieved seven million events per second under laboratory conditions. While the figure represents a benchmark rather than a real-world deployment number, Peter explains that the underlying technologies are already available on the development branch or have existed for some time but lacked sufficient promotion and testing.

Best JPG to PDF Converters for Speed and Ease

The KDE Blog evaluates a range of JPG to PDF conversion tools, from desktop options like KDE Plasma’s Service Menus to online platforms such as Adobe Acrobat Online and iLovePDF. The post weighs each tool’s strengths regarding conversion speed, ease of use, and privacy, and also covers mobile solutions like CamScanner for document digitization.

AI Workshop at Linux Center Valencia

The KDE Blog announces a free AI-focused event organized by Slimbook at their Linux Center facility in Paterna, Valencia on April 25, 2026. The workshop features three sessions: an overview of current AI tools, a hands-on tutorial for running AI locally using Ollama and Fox, and an advanced session on creating autonomous AI assistants for personal computers.

From Virtual Desktop Deployment to Running Local AI – New Barcelona Free Software Talk

The KDE Blog announces a Barcelona Free Software talk on Tuesday April 28, 2026 at 19:00 at Akasha Hub in Barcelona, featuring Alberto Larraz, co-founder of IsardVDI. The talk traces IsardVDI’s 14-year journey from a Free Software alternative to Citrix and VMware Horizon in educational settings to a versatile platform that now leverages GPU management to run local AI inference workloads. Attendees will learn how IsardVDI can be used to generate images, run LLM chats, and power local code assistants using sovereign AI models.

SUSE Security Team Spotlight Winter 2025/2026

The SUSE Security Team winter report documents code review activities across multiple software projects. The team examined systemd releases v258 through v260, snapd transparency features, various D-Bus services including bootkitd and rtkit, and investigated SteamOS and Deepin desktop components. A revisit of Deepin software revealed persistent vulnerabilities in the accounts service, prompting the team to deprioritize future Deepin reviews.

openSUSE.Asia Summit 2026 Announces Venue at Universitas Gadjah Mada

openSUSE News announces that the openSUSE.Asia Summit 2026 will be held October 3–4 at the Teaching Industry Learning Center of Universitas Gadjah Mada in Yogyakarta, Indonesia. Organizers anticipate around 350 participants over two days of talks, workshops, and community activities. The venue was selected for its modern facilities and the university’s strong reputation as a leading Indonesian institution focused on education, research, and innovation.

Per-Screen Virtual Desktops and Wayland Session Restore – This Week in Plasma

The KDE Blog covers the latest This Week in Plasma highlights, including a major new feature in Plasma 6.7 that allows each monitor to independently switch between virtual desktops. KWin has also gained support for the Wayland session management protocol, paving the way for applications to remember their size and position after a system restart. The edition also rounds up numerous UI improvements, such as drag-and-drop support for app launchers, a new standard Badge component in Kirigami, and a range of bug fixes across Plasma 6.6.4, 6.6.5, and 6.7.

Hello Old New ‘Projects’ Directory!

Matthias Klumpp’s Blog introduces the xdg-user-dirs 0.20 release, which now enables a Projects directory by default in Linux home folders. The folder offers a standardized location for project files that do not cleanly belong in existing categories like Documents or Music. Users who prefer the old layout can simply delete the folder and the utility will adjust accordingly, while administrators can customize default locations through configuration files.

Tumbleweed – Review of the Week 2026/16

Victorhck and dimstar cover a busy week with seven Tumbleweed snapshots delivered in seven days across snapshots 0410 through 0416. Major updates included GNOME 50, KDE Plasma 6.6.4, Samba 4.23.6, PHP 8.4.20, GStreamer 1.28.2, and Linux kernel 6.19.12, along with improvements to transactional-update’s soft-reboot functionality. Looking ahead, the team is preparing significant upgrades such as Linux kernel 7.0, LLVM 22, and GCC 16 as the system compiler.

Episode 72 of KDE Express: Plasma 6.6.4, Gear 26.04 and More News

The KDE Blog shares the latest episode of KDE Express, a Spanish-language podcast covering the KDE community and open source software. The episode highlights significant releases including Plasma 6.6.4 and KDE Gear 26.04, along with developments across various KDE applications and distributions.

View more blogs or learn to publish your own on planet.opensuse.org.


plasma-login-manager: Weaknesses in plasmaloginauthhelper (CVE-2026-25710)


1) Introduction

In recent releases of the KDE desktop environment a fork of the SDDM display manager called plasma-login-manager has been integrated. As usual this led to a review in our team for the privileged D-Bus components contained in the package. While most of the code remains the same, the new upstream added a privileged D-Bus helper called plasmaloginauthhelper, which suffers from defense-in-depth security issues. The full details of the issues will be discussed in the following sections.

For this review we looked into plasma-login-manager version 6.6.2.

2) Helper Overview

plasmaloginauthhelper makes the D-Bus interface “org.kde.kcontrol.kcmplasmalogin” accessible to all users in the system via the D-Bus system bus. It offers three actions, sync(), reset() and save(), which are all protected by default by Polkit’s auth_admin setting.

These methods allow managing configuration data stored in the home directory of the plasmalogin service user, which defaults to /var/lib/plasmalogin. The helper runs with full root privileges and interprets various client-supplied data. The plasmalogin home directory has the following permissions:

drwxr-x--- 5 plasmalogin plasmalogin 4.0K Mar 24 13:25

In fact this helper is itself a kind of fork of a helper found in the sddm-kcm repository, which we covered in a previous report. The codebase does not seem to have improved since then; rather, additional attack surface has been added in the meantime.

3) Security Issues

3.a) Symlink Attacks in sync() Method

In the sync() method the helper service naively performs chown() calls on files located in the service user’s home directory (/var/lib/plasmalogin), allowing an escalation from the plasmalogin user to root.

The chown() is performed for the paths $PLASMALOGIN_HOME/.config, $PLASMALOGIN_HOME/.config/fontconfig as well for a list of configuration files like plasmarc placed into $PLASMALOGIN_HOME/.config.

A compromised plasmalogin service account can place symbolic links here to direct the chown() to arbitrary files in the system. After the chown() the helper writes client-supplied content into these files, which will also end up in arbitrary files in case of a symlink attack.

This method’s logic would also allow deletion of certain files like plasmarc in arbitrary directories, if the relevant statement in the service implementation did not lack the final filename component in the path construction:

QFile(homeDir + QStringLiteral("/.config/")).remove();

Thus this removal logic doesn’t work at all at the moment, since it attempts to remove the .config directory instead of the actual configuration files.

3.b) Arbitrary File Deletion in reset() Method

In the reset() method the paths $PLASMALOGIN_HOME/.cache and $PLASMALOGIN_HOME/.config/fontconfig are recursively deleted. For this purpose the Qt API QDir::removeRecursively() is used. The implementation of this function follows symbolic links even in the final path component, which means that a compromised plasmalogin service user can leverage this logic to achieve the deletion of arbitrary directory trees in the system.

3.c) Race Condition when Opening the Wallpaper Directory in save() Method

In the save() method the path /var/lib/plasmalogin/wallpapers is created and opened by root using a system call sequence that is affected by a race condition. A compromised plasmalogin user can replace the directory with a symbolic link in time for the service to write wallpaper files to arbitrary locations in the system, leading to local Denial-of-Service (DoS) and integrity violations.

In this spot the helper employs a low-level openat2() system call to avoid symbolic link resolution, but this only applies to the actual files placed within the wallpaper directory, not to the directory itself, which is naively opened before that.

3.d) Missing Integrity Check of Configuration Data in save() Method

In the save() method the contents of the file /etc/plasmalogin.conf are completely controlled by the caller. Since this method is protected by auth_admin Polkit authentication, this is basically acceptable, but there is not even an integrity or syntax check of the data: the method blindly forwards whatever the client passes into this file, with no maximum size limit and no sanity checks. While this is not directly a security issue, it is a lack of robustness, because the D-Bus service is responsible for maintaining a sane structure of the privileged configuration file, which prevents a broken system in case of buggy clients, for example.

3.e) Lack of File Descriptor and File Size Verification in save() Method

For the actual wallpaper files, file descriptor passing is employed, which is good. There is no upper limit enforced on the amount of data placed into the wallpapers directory, however, which allows a client to exhaust the disk space in /var/lib/plasmalogin.

Even file descriptors passed from clients should be verified to check whether they refer to regular files and have no unexpected file flags set. This verification is missing.

4) Suggested Fixes

We suggested the following fixes to upstream:

  • Foremost the helper should drop privileges to the plasmalogin user before performing any file system operations in /var/lib/plasmalogin, thereby eliminating all symlink attack surface. There still remains Denial-of-Service (DoS) attack surface if the service user places e.g. a named FIFO pipe somewhere. Avoiding this requires careful inspection of each path component by the service before opening it.
  • The helper should verify the structure and size of data written to /etc/plasmalogin.conf.
  • The helper should place a limit on the maximum amount of space which may be used for wallpapers in the plasmalogin user’s home directory.
  • The helper should verify the type and flags of file descriptors passed by the client. The descriptors should not have special file types and they should not have any unexpected flags like O_PATH set.
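For the last three suggestions (size limits for written data, a quota for the wallpaper directory, and verification of client-supplied descriptors) the following Python example, added here and not part of the upstream helper, shows how a receiving service can check a descriptor with fstat() and fcntl(F_GETFL) and enforce a directory-wide quota before copying anything. The quota value, the file names and the 1024-byte image are constructed for the demonstration; the O_PATH constant is the Linux value.

```python
import fcntl, os, shutil, stat, tempfile

WALLPAPER_QUOTA_BYTES = 1 << 20             # constructed: total bytes allowed under wallpapers/
O_PATH = getattr(os, "O_PATH", 0o10000000)  # Linux value; only used for the flag check below

def verify_client_fd(fd):
    """Validate a descriptor received from a D-Bus client. Both checks act on the
    descriptor, so the client cannot swap the file underneath them afterwards."""
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        return "rejected: not a regular file"
    if fcntl.fcntl(fd, fcntl.F_GETFL) & O_PATH:  # open(2): F_GETFL reports O_PATH on such fds
        return "rejected: O_PATH descriptor"
    return "ok"

def dir_usage(path):
    """Bytes used by regular files directly inside path (lstat: symlinks are not followed)."""
    total = 0
    for name in os.listdir(path):
        st = os.lstat(os.path.join(path, name))
        if stat.S_ISREG(st.st_mode):
            total += st.st_size
    return total

def store_wallpaper(wallpaper_dir, name, client_fd, quota=WALLPAPER_QUOTA_BYTES):
    """Copy a client-supplied wallpaper into wallpaper_dir after the descriptor
    checks and a directory-wide quota check. Returns 'stored' or the reason."""
    verdict = verify_client_fd(client_fd)
    if verdict != "ok":
        return verdict
    size = os.fstat(client_fd).st_size
    if dir_usage(wallpaper_dir) + size > quota:
        return "rejected: quota exceeded"
    # O_EXCL|O_NOFOLLOW: never write through a pre-existing entry or symlink.
    dfd = os.open(os.path.join(wallpaper_dir, name),
                  os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
    os.lseek(client_fd, 0, os.SEEK_SET)
    remaining = size  # copy the checked size only, even if the client grows the file meanwhile
    try:
        while remaining:
            chunk = os.read(client_fd, min(remaining, 1 << 16))
            if not chunk:
                break
            os.write(dfd, chunk)
            remaining -= len(chunk)
    finally:
        os.close(dfd)
    return "stored"

def demo():
    """Constructed scenario: descriptors a client might hand over, with a 1500-byte quota."""
    tmp, out = tempfile.mkdtemp(), {}
    try:
        wp = os.path.join(tmp, "wallpapers")
        os.mkdir(wp)
        img = os.path.join(tmp, "img.png")
        with open(img, "wb") as f:
            f.write(b"\x89PNG" + b"\0" * 1020)  # 1024 bytes of constructed image data
        fd = os.open(img, os.O_RDONLY)
        out["regular"] = store_wallpaper(wp, "a.png", fd, quota=1500)
        out["stored_size"] = os.stat(os.path.join(wp, "a.png")).st_size
        out["over_quota"] = store_wallpaper(wp, "b.png", fd, quota=1500)  # 1024 + 1024 > 1500
        os.close(fd)
        r, w = os.pipe()
        out["pipe"] = store_wallpaper(wp, "c.png", r, quota=1500)
        os.close(r); os.close(w)
        if hasattr(os, "O_PATH"):
            pfd = os.open(img, os.O_PATH)
            out["opath"] = store_wallpaper(wp, "d.png", pfd, quota=1500)
            os.close(pfd)
    finally:
        shutil.rmtree(tmp)
    return out
```

Copying exactly the size that was checked, rather than reading until EOF, is what keeps the quota meaningful: a client that appends to the file after passing the descriptor cannot push the directory past the limit.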

5) Severity

None of the issues in this report is exploitable in a default installation of plasma-login-manager. Most of the problems affect the situation when the plasmalogin service user is compromised and thus affect defense-in-depth.

It is conceivable, however, that some actions in the helper, like the wallpaper management, could be reduced to lesser authentication requirements like a Polkit yes setting for locally logged-in users in the future, be it due to upstream changes or due to choices made by system integrators. Then further problems like disk space exhaustion by other unprivileged users could sneak in as well.

Based on the high severity of the defense-in-depth issues shown in this report, our assessment is that there is effectively no separation between root and the plasmalogin service user account.

6) Upstream Bugfix

At this time there is no bugfix available by upstream, but a security fix is planned for the next Plasma release on May 12. We have not been involved in upstream’s bugfix process so far and have no knowledge about the approach that will be taken to address the issues from this report.

7) CVE Assignment

We suggested a single CVE assignment relating to the lack of privilege drop of the D-Bus service, which is the root cause of most of the issues described in this report. In coordination with upstream we assigned CVE-2026-25710 and shared it with them to track these defects.

8) Timeline

2026-03-30 We reached out to security@kde.org with a report of the problems, offering coordinated disclosure. We stated that in our eyes, due to the issues being restricted to defense-in-depth, an embargo would not be strictly necessary.
2026-03-30 Upstream provided a short reply, asking for a CVE assignment.
2026-03-31 We assigned CVE-2026-25710 and shared it with upstream.
2026-04-13 Lacking a more detailed response from upstream we asked once more whether they would like to perform coordinated disclosure and what the desired coordinated release date (CRD) would be in that case.
2026-04-13 We received a reply from upstream stating that no coordinated disclosure would be necessary and bugfixes would be published via public pull requests soon in expectation of a security release on May 12.
2026-04-13 To be sure we asked upstream once more whether they agreed to us publishing the report right away.
2026-04-20 Lacking a response and with no visible publication on upstream’s end we asked once more if publication on our end would be acceptable for them.
2026-04-21 We received a response confirming that we were allowed to publish right away.

9) References


Linux Saloon 198 | News Flight Night

In a recent News Flight Night, discussions included Colin's use of his Surface Go with Cosmic Desktop, the release of Ubuntu 26.04 LTS, and updates on Framework Computer's Laptop 13 Pro. Topics also covered containerized apps and various Linux-related news, emphasizing community engagement and technological advancements.


Linux Saloon 197 | Early Edition

The April edition of Linux Saloon explored gaming on Linux, discussing both past and present experiences, and highlighting various chat platforms. Rocco shared his recent experiences with CachyOS. The session featured an open mic discussion, focused on computing joys, alongside various gaming recommendations and platforms within the Linux ecosystem.

Revert That Vector Nonsense!

A few years back I did a quick exploration of what GNOME app icons might look like in an alternate universe where we kept on using VGA displays. Chiselling pixels away is therapeutic. So while there is absolutely no use for these, I keep on making them if only to bring some attention to what really matters for GNOME, having nice apps.

Here's a batch of mostly GNOME Circle app icons, with some 3rd party ones thrown in.

[Images: pixel art GNOME app icons, batches 1 to 7]

If you're reading this on my site rather than Planet GNOME or some flickering terminal in an abandoned Vault, then congratulations. You've stumbled upon a working Pip-Boy module! Found it half-buried under irradiated rubble, its phosphor display still humming with that familiar green glow. Enjoy these icons the way the dwellers of Vault 101 were always meant to, one glorious scanline at a time.


Tumbleweed – Review of the week 2026/17

Dear Tumbleweed users and hackers,

Week 17 has been quite active: a total of 900 requests have been accepted over the days, and 5 snapshots (0417, 0418, 0419, 0420, and 0422) have been successfully tested and published. One additional one was tested but then discarded due to a regression in grub2-bls / rollback snapshot selection.

The most relevant changes shipped as part of those 5 snapshots were:

  • KDE Gear 26.04.0
  • Mesa 26.0.5
  • iproute2 7.0
  • Nano 9.0
  • openldap 2.6.13
  • Cups 2.4.17
  • gimp 3.2.4
  • libxml 2.15.3
  • php 8.5.5

As usual, the next snapshot is already building, and staging projects are filled with things being tested. We can expect these changes to come our way anytime soon:

  • LLVM 22 (snapshot 0423+)
  • Systemd 260.1
  • GNOME 50.1
  • Mozilla Firefox 150
  • Coreutils 9.11
  • Linux kernel 7.0.1
  • Rust 1.95
  • sed 4.10
  • SELinux-policies: Change store root-path for selinux modules from /var/lib/selinux to /etc; this is to stabilize usage on transactional systems further
  • glibc 2.43, metabug: https://bugzilla.opensuse.org/show_bug.cgi?id=1257250
  • GCC 16 as system compiler


New performance tuning possibilities in syslog-ng

On April Fools’ Day, I shared that syslog-ng can reach 7 million EPS. This test lab result was in part possible thanks to a few performance enhancements coming to syslog-ng version 4.12.

How is 7 million EPS possible? Before diving deeper, let me repeat it: 7 million EPS is just a lab testing result, not (yet) possible in the real world. However, the technologies enabling this are already available on the development branch of syslog-ng, or have been available for ages, just not tested or promoted enough.

Read more at https://www.syslog-ng.com/community/b/blog/posts/new-performance-tuning-possibilities-in-syslog-ng



SUSE Security Team Spotlight Winter 2025/2026


1) Introduction

The winter months have passed for us and as usual we want to give you an overview of what topics our team covered in the area of code reviews during this time. We did not publish any dedicated security reports for a while, after we had to deal with a little burst of publications at the beginning of the year. Still we haven’t been idle during this time and looked into various packages and components, which we will cover in this post.

The next section discusses continued review efforts surrounding new systemd releases. Section 3 covers a follow-up audit of changes in the Snap package manager. Section 4 looks at bootkitd, a D-Bus service for managing bootloader configuration. Section 5 deals with libpgpr, a signature parsing library which was pulled out of the RPM package manager codebase. Section 6 is about changes we reviewed in a new release of GNOME display manager (GDM). Section 7 contains a review report about the rtkit real-time scheduling D-Bus service. Section 8 provides an insight into efforts to package SteamOS components for openSUSE Tumbleweed. Section 9 looks into an attempt to get Deepin desktop components back into openSUSE.

2) systemd v258 - v260 Continued Reviews of D-Bus and Varlink Changes

We already gave an insight into our efforts of reviewing changes in systemd v258 in our previous spotlight post. Meanwhile systemd upstream has established a new release model leading to more frequent releases and backports of new features into existing stable branches. This has caused an increase of review requests in our team, as can be seen by the following list of review bugs we received since the v258 version release:

The review of changes in systemd 260 has just been finished and the new version is about to become available in openSUSE Tumbleweed soon. The backports into stable 258 branches have been easy to review so far, since they are mostly clean cherry-pick merges of changes reviewed by us earlier already.

So far we did not find any issues in the continued changes in systemd, but it remains a challenging review target especially in the area of virtual machine and container APIs, as we have explained in earlier posts on the topic.

3) snapd: Follow-up Audit for Transparent Inclusion of Snap Systemd Services

After we accepted snap into openSUSE Tumbleweed a while ago we received a follow-up review request, which revolves around a feature to transparently make systemd services available which have been installed via Snaps.

We have accepted the change, but asked the packagers to include a notice in the package informing openSUSE users that systemd services installed via Snaps are not covered by the security review processes of SUSE product security.

4) bootkitd: D-Bus Service for Manipulating Bootloader Configuration

Bootkitd is a D-Bus service for programmatically managing bootloader configuration. We received a review request for its inclusion into openSUSE Tumbleweed. The service is implemented in the Rust programming language and is a simple case regarding security, since it is only accessible by root. Thus no privilege boundaries are crossed and privilege escalation is not a concern.

5) libpgpr: RPM PGP Signature Parsing Library

libpgpr is a library which has been recently separated from the main RPM package manager codebase. Its purpose is the parsing and verification of PGP signatures as they are found embedded in RPM files. Given the sensitive nature of PGP cryptography and potentially crafted input data, we have been asked to check the security of this library.

The library consists of a legacy C codebase written to the C90 standard. The library API is not well documented and not very consistent at the moment. At the same time the code is concerned with memory management and binary data structure parsing of high complexity. These shortcomings notwithstanding, the implementation seems to have matured over time and we believe there are currently no major errors to be found when processing untrusted data.

In our opinion, the biggest danger regarding security in this codebase will likely be future changes which might introduce regressions. Also users of the library won’t easily know what to expect of the API, since requirements are not clearly marked (e.g. which parameters are optional, when memory ownership transfers happen and so on).

We provided comprehensive comments on the codebase to upstream, suggesting various refactoring, improvements and test coverage to bring the project up to a more modern standard.

6) GDM: Changes and Additions in Release 50

In February our openSUSE Gnome Display Manager (GDM) maintainers started preparing the upgrade for release 50, which was in Beta testing at the time, but should be fully released by now. The new version triggered a follow-up review of D-Bus and Polkit related features in GDM.

GDM is tightly integrated with GNOME remote desktop (GRD) these days and the changes we’ve seen here are related to this integration. The differences compared to the previous version of GDM have been small in the area of D-Bus and Polkit, though, and no problematic additional attack surface has been added in this version.

7) rtkit: D-Bus Service to Support Unprivileged Realtime Scheduling

The rtkit daemon has been around on Linux distributions for a long time. Its purpose is to allow unprivileged programs in the system to make use of real-time scheduling features in a controlled fashion. Linux offers two real-time scheduling policies, SCHED_RR and SCHED_FIFO, which perform round-robin or first-in first-out scheduling respectively. Rogue processes running under one of these policies can easily lock up the complete system, since the kernel no longer schedules any other userspace threads. For this reason, only tasks holding the CAP_SYS_NICE capability (usually only root) are allowed to assign these scheduling settings.

This is where rtkit comes in: it offers a D-Bus interface to allow unprivileged processes to enjoy real-time scheduling features while being under supervision of the rtkit daemon to prevent any negative side effects.

In a recent update of rtkit to version 0.14, changes in its D-Bus configuration triggered a follow-up review after over a decade since our team last looked at it. rtkit is installed and running (or activatable) by default on a number of Linux distributions like openSUSE, Debian or Fedora. Due to this prevalence of rtkit in Linux systems, the inherent danger of a local Denial-of-Service and in light of the amount of time passed since the last full review, we thought it wise to have a fresh look at the service’s implementation.

The rtkit D-Bus configuration follows a bit of an unusual approach by maintaining a deny list of methods which may not be invoked by non-root users. This is not ideal, since additional methods will automatically be accessible to all users in the system, should a developer forget to update the deny list. At the moment no problems exist in this area, however.

The deny-listed D-Bus methods, which are only accessible to root, affect the global state of the daemon. The remaining D-Bus methods are used to request real-time scheduling for caller-owned processes. These methods are additionally protected by Polkit authentication; the related Polkit actions are set to yes for local users in an active session, meaning that local interactive users can invoke them without authentication.

The implementation of Polkit authentication relies on rather complex custom code based on the “unix-process” Polkit authentication subject. This subject is often affected by race conditions and the D-Bus “system-bus-name” subject should rather be used. In this case the use of “unix-process” is acceptable, since the request includes not only the client’s PID but also its process start time and UID, which is retrieved from the UNIX domain socket D-Bus connection. Thus there should be no way that race conditions can be exploited in a way that the client is mistaken for root, for example.

The actual application of real-time scheduling to a client’s target process is highly affected by race conditions, due to the retrieval of data from /proc/<pid> and the fact that processes can disappear and/or be repurposed at any time. The developers are obviously aware of the potential issues, since they verify the target process’s properties before and after changing its scheduling properties. Such detection of a race condition after the fact is problematic when the risk is a lockup of the whole system.

Due to this, the daemon also maintains a watchdog and a canary thread to counteract any unexpected effects of unprivileged real-time scheduling. The watchdog runs at the highest real-time scheduling priority and periodically monitors whether the canary thread, which is running with low scheduling priority, is still being scheduled. If a stall is detected, then the watchdog thread removes the real-time scheduling settings from all registered client tasks to recover the system. Additionally the daemon monitors the amount of requests individual users are sending, and blocks them if a threshold is exceeded.

It is clear that the implementation of this service is confronted with various uncertainties and it tries to make up for them. The overall result is not ideal but should be good enough to prevent major security issues. An improvement to the design could be to obtain a directory file descriptor for /proc/<pid> of the target process, verify the process’s credentials, and from then on access process data only through that directory file descriptor. Explicit PID file descriptors might also help in some other spots these days (they can also be used for authentication with Polkit now, for example).
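The design improvement suggested above, written out as an added Python example (this is not rtkit’s code, which is C): the service pins /proc/<pid> through a directory descriptor once, reads the real uid and the process start time through that descriptor, and rechecks through the same descriptor before acting, so a PID that has exited and been reused by a different process can no longer be mistaken for the original client. The identity check is simplified to uid plus start time, and the child process it inspects is constructed for the demonstration; it only runs where procfs is available.

```python
import os, subprocess, sys

def open_proc_dir(pid):
    """Pin /proc/<pid> once; every later read goes through this descriptor,
    so a recycled PID cannot redirect the service to another process."""
    return os.open(f"/proc/{pid}", os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)

def _read_proc_file(proc_fd, name):
    fd = os.open(name, os.O_RDONLY | os.O_CLOEXEC, dir_fd=proc_fd)
    try:
        return os.read(fd, 1 << 16).decode()
    finally:
        os.close(fd)

def read_identity(proc_fd):
    """Return (real uid, start time in clock ticks) of the pinned process.
    The pair is what makes a PID unambiguous: a recycled PID has a new start time."""
    status = _read_proc_file(proc_fd, "status")
    uid = int(next(l for l in status.splitlines() if l.startswith("Uid:")).split()[1])
    statline = _read_proc_file(proc_fd, "stat")
    # The comm field in parentheses may contain spaces; the fields after the last ')'
    # start at field 3, so starttime (field 22 in proc(5)) is index 19.
    fields = statline.rsplit(")", 1)[1].split()
    return uid, int(fields[19])

def same_process(proc_fd, identity):
    """Recheck through the pinned descriptor; a vanished or recycled process yields False."""
    try:
        return read_identity(proc_fd) == identity
    except OSError:
        return False

def demo():
    """Constructed scenario: a short-lived child plays the rtkit client, then exits."""
    if not os.path.isdir("/proc/self"):
        return {"skipped": True}
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
    proc_fd = open_proc_dir(child.pid)
    try:
        ident = read_identity(proc_fd)
        out = {"skipped": False,
               "uid_is_caller": ident[0] == os.getuid(),
               "same_before_exit": same_process(proc_fd, ident)}
        child.kill()
        child.wait()  # reaped: the pinned /proc/<pid> is stale even if the PID is reused
        out["same_after_exit"] = same_process(proc_fd, ident)
    finally:
        os.close(proc_fd)
    return out
```

The point of the pattern is that everything after the credential check is relative to proc_fd; a fresh path lookup of /proc/<pid> at a later step would reintroduce exactly the window the report describes.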

8) SteamOS Package Additions

There is continued effort by community packagers to bring SteamOS-related components to openSUSE. We already covered one of these components in one of last year’s spotlight posts. This winter we received three additional review requests in this area. Packaging these components is often difficult, because the programs use fixed non-standard paths and approaches that don’t fit well into a general-purpose Linux distribution. We will look into the individual packages in the following sub-sections.

jupiter-fan-control

This review is about a fan control daemon which regulates the speed of the Steam Deck fan. The daemon itself is acceptable; it mostly deals with hardware information and controls found in /sys and therefore it crosses no security boundaries. It also creates a world-readable logfile in /var/log; since this file only contains fan data, however, it does not result in a relevant information leak towards unprivileged users.

A Polkit action allows starting and stopping the daemon by providing the administrator password, which is also fine. A wrapper script which performs these start/stop actions is placed into /usr/bin/steamos-polkit-helpers/jupiter-fan-control, which is a non-standard location, but according to the packager is hard-coded into SteamOS components and cannot be changed.

gamescope-session-steam-factory-reset

This review is concerned with a set of scripts which allow performing a factory reset operation on SteamOS. On openSUSE there is nothing sensible that can be done in terms of a factory reset, thus the packager added scripts that are in effect no-ops. Still, these scripts were supposed to be invoked with root privileges via Polkit authentication. After a longer discussion with the maintainer we decided to take a different approach that does not require running dummy scripts with root privileges, but still allows system integrators to hook into the process and change the behaviour.

jupiter-hw-support

The third review is concerned with a bunch of SteamOS scripts that automatically perform actions like mounting removable devices without requiring authentication, expecting a single “deck” interactive user in the system. The community packager discussed some aspects of these privileged operations with us and how to best integrate them into openSUSE. The effort is still ongoing.

9) Revisit of Deepin Desktop D-Bus Services after Removal from openSUSE

A year ago we announced the removal of Deepin desktop components from openSUSE because of policy violations and bad security. Deepin upstream promised to improve the problematic components and we offered to have a fresh look at things once they had something new to show. As a result a follow-up review bug was created in which the Deepin package maintainer claimed that all reported security issues were fixed by upstream. The following sections discuss two of the D-Bus components we revisited in this context.

Backlight Helper

A small D-Bus helper for controlling laptop backlight seemed like a promising start; the code is clean and conservative. It is lacking Polkit authentication, however, which means that any user in the system can meddle with the backlight. Such settings are usually restricted to local interactive users in an active session. We informed upstream about this shortcoming and there is supposed to be a fix available by now, but we have not looked into it yet.

Accounts Service

The Deepin accounts service offers a larger D-Bus interface for managing user accounts in the system. We looked into version 6.1.66 of the project. Unfortunately we quickly discovered new security issues in this component:

  • the CreateGuestUser() D-Bus method, which requires admin authentication, creates a user account with an empty password and a home directory in a random location in /tmp. The creation of this directory is affected by a race condition, which could allow other users in the system to pre-create the directory. A home directory in /tmp is highly unusual and empty passwords, even for guest accounts, are bad practice.
  • the SetHomeDir() D-Bus method, which requires only user-level self-authentication, allows moving the user’s home directory into arbitrary new locations, even /root. This operation is performed via the command line usermod -m -d <new-home-path> <username>. The only aspect that prevents a simple local root exploit is that usermod refuses to perform the operation if the calling user still has processes running in the system. How this API function could ever be used meaningfully for self-administration, then, is puzzling. It might be possible for an attacker to overcome this check, however, by quickly killing all of its processes just in time for the usermod invocation to succeed.
  • the SetPassword() D-Bus method, again accessible by providing the user password, is affected by multiple issues:
    • the new user password is leaked in the process command line constructed in ModifyPasswd().
    • the function removeLoginKeyring() which is invoked in this context operates as root in the user’s home directory, offering local Denial-of-Service attack surface.
    • an insufficient check is made by the D-Bus service, which tries to verify whether the client is running a trusted password change application. The check is affected by a race condition and can be circumvented by malicious clients.
    • the function newPwdChangerX() performs a chown() on the client’s .XAuthority file placed into /run/user/<uid>/.XAuthority, which is a local root exploit attack vector.
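The command-line leak listed first under SetPassword() is worth seeing concretely. The following C program is an added example, not code from this post or from Deepin: with a harmless constructed placeholder secret it reproduces the exposed pattern (a shell idles with the “password” in its argv while /proc/<pid>/cmdline is read, which is exactly what ps shows to every user on the system) and contrasts it with handing the secret to the helper over a pipe on stdin, the way chpasswd reads passwords. The function names spawn_piped(), secret_visible_in_argv() and run_with_secret_on_stdin() and the sample secret are constructed for this example; it assumes Linux with /proc mounted and a POSIX sh in PATH.

```c
/* Added example: a secret passed in argv is world-readable via /proc/<pid>/cmdline;
 * passing it over stdin avoids that. Not taken from the reviewed Deepin code. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read /proc/<pid>/cmdline (NUL-separated argv), join it with spaces and report
 * whether `needle` occurs. Returns 1/0, or -1 if the file cannot be read. */
int cmdline_exposes(pid_t pid, const char *needle) {
    char path[40], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return -1;
    for (ssize_t i = 0; i < n; i++)
        if (buf[i] == '\0') buf[i] = ' ';
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

/* Spawn argv with a pipe on the child's stdin (*in_w is the parent's write end)
 * and, if out_r is non-NULL, a pipe on its stdout (*out_r is the parent's read end).
 * Returns the child's pid, or -1 on error. */
static pid_t spawn_piped(char *const argv[], int *in_w, int *out_r) {
    int in[2], out[2] = {-1, -1};
    if (pipe(in) < 0) return -1;
    if (out_r && pipe(out) < 0) { close(in[0]); close(in[1]); return -1; }
    pid_t pid = fork();
    if (pid < 0) {
        close(in[0]); close(in[1]);
        if (out_r) { close(out[0]); close(out[1]); }
        return -1;
    }
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO);
        if (out_r) dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]);
        if (out_r) { close(out[0]); close(out[1]); }
        execvp(argv[0], argv);
        _exit(127);
    }
    close(in[0]);
    *in_w = in[1];
    if (out_r) { close(out[1]); *out_r = out[0]; }
    return pid;
}

/* The exposed pattern, reproduced for demonstration: the secret travels in argv.
 * The helper prints one byte once it is running (so we know exec happened) and
 * then blocks on stdin, keeping the process alive while its cmdline is inspected.
 * Returns 1 if the secret was visible, 0 if not, -1 on error. */
int secret_visible_in_argv(const char *secret) {
    char *const argv[] = {"sh", "-c", "printf x; read _", "sh", (char *)secret, NULL};
    int in_w, out_r;
    pid_t pid = spawn_piped(argv, &in_w, &out_r);
    if (pid < 0) return -1;
    char byte;
    int visible = (read(out_r, &byte, 1) == 1) ? cmdline_exposes(pid, secret) : -1;
    close(in_w);   /* EOF on the helper's stdin lets `read _` return and sh exit */
    close(out_r);
    waitpid(pid, NULL, 0);
    return visible;
}

/* The hardened pattern: argv only names the program; the secret goes over stdin,
 * followed by a newline and EOF. Returns the child's exit status, or -1 on error. */
int run_with_secret_on_stdin(char *const argv[], const char *secret) {
    int in_w;
    pid_t pid = spawn_piped(argv, &in_w, NULL);
    if (pid < 0) return -1;
    size_t len = strlen(secret), off = 0;
    while (off < len) {
        ssize_t n = write(in_w, secret + off, len - off);
        if (n < 0) break;
        off += (size_t)n;
    }
    (void)write(in_w, "\n", 1);
    close(in_w);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In the hardened variant the secret never appears in /proc/<pid>/cmdline, in shell history or in process accounting; the remaining exposure is the pipe itself, which only the two processes hold. Helpers that accept passwords this way (chpasswd, or passwd with --stdin where supported) are the natural targets for such a wrapper.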

The openSUSE Deepin packager informed us that there are also fixes for these issues available by now, but we did not get around to verifying them yet.

Summary

Due to the recurring security issues, the amount of time required by upstream to address them and a lack of a formal security fix workflow in the Deepin project, we stopped assigning CVEs for the issues we find in Deepin. We don’t see much value in further CVEs since the security issues are often quickly replaced by other security issues, thus resulting mostly in noise. Overall we don’t recommend using Deepin components until the security culture of Deepin upstream improves.

By now we are also treating Deepin review requests with lower priority, since the efforts which went on for years still haven’t yielded acceptable results and we would rather invest our resources into other, more promising packages.

10) Conclusion

One of the fundamental goals of the SUSE Security Team is to keep a high standard regarding software available in SUSE distributions. Not blindly accepting new software releases is necessary to uphold this commitment, which also means often revisiting software we already looked into before.

Keeping up with the fast pace of projects like systemd can be challenging in this regard, but the security issues we continue to find e.g. in Deepin software show that this work is still useful. The Spotlight series is one way to highlight this continuous and not always necessarily glamorous work.