
Addressing the Network Stack Issue

In recent testing of a Tumbleweed build together with NetworkManager, a significant issue surfaced: the network stack becomes non-operational.

Users are advised to postpone system updates for now. Users who have already updated should roll back with Snapper (snapper rollback, followed by a reboot). Note that while the issue primarily affects GNOME setups with Wicked, it can also impact servers without these components.

This problem has been consistently reproducible since at least the 20240825 Tumbleweed build. The same period saw an update to Bind 9.20.1, which changed DNS query handling and system controls and may have inadvertently contributed to the network stack issue.

The root cause appears to be a race condition between Wicked and the D-Bus system daemon, which leaves the network stack without proper initialization: when Wicked is launched, it cannot reliably reach D-Bus, and the network services that depend on it fail in turn.

System logs show that D-Bus is either not fully active or not yet recognized by Wicked at the time Wicked initializes, triggering a cascade of failures across services such as DHCP and AutoIPv4.

This sequence of events leaves the rolling release’s network stack inoperative, and a manual restart of the affected services is often required to restore connectivity.

To address this problem, initial efforts focus on the service dependencies in the systemd unit files. One proposed fix is adding After=dbus.service to the Wicked service configuration (as a drop-in under /etc/systemd/system/wicked.service.d/ rather than an edit of the shipped unit, so it survives package updates). Keep in mind that After= only orders Wicked behind dbus.service when both units are being started anyway; it does not by itself pull D-Bus in, which is one reason this adjustment alone may prove insufficient in many cases.

Further investigation is leading to more proposed solutions. The issue also appears to extend beyond Wicked, potentially affecting other services, which points to broader implications for the system’s initialization process. The transition between NetworkManager and Wicked in some setups has uncovered the critical race condition affecting the network stack’s initialization. While recent adjustments to the systemd service configurations have significantly mitigated the issue, ongoing testing and further refinement are needed before network startup is consistently reliable. Until then, users are advised to use snapper’s rollback to return to a snapshot whose network stack initializes properly.

(Image made with DALL-E)


First steps with Quickwit and syslog-ng

We are always looking for new ways to store log messages. Quickwit is a new contender designed for log storage, and among other interfaces it provides an Elasticsearch-compatible API. From this blog post, you can learn about Quickwit and how to forward log messages from syslog-ng to it using the Elasticsearch-compatible API.

Read more at https://www.syslog-ng.com/community/b/blog/posts/first-steps-with-quickwit-and-syslog-ng


Tumbleweed – Review of the week 2024/34

Dear Tumbleweed users and hackers,

Week 34 seemed to go almost without drama. Most snapshots passed openQA without big incidents. Most! In one snapshot, we tested updating to OpenSSH 9.8p1; general functionality was fine. Still, the SELinux policies had not yet been adjusted, which resulted in OpenSSH servers not starting up on MicroOS-based systems. This is nothing we want to give out to our users, so we held back snapshot 0821. This will be worked out and OpenSSH 9.8p1 will be delivered as soon as possible. With this taken into account, 5 snapshots passed QA and could be published (0816, 0817, 0818, 0819, and 0820).

The five snapshots brought you the following changes:

  • Linux kernel 6.10.5: this helped unblock the s390 port
  • PCRE2 10.44
  • PHP 8.3.10
  • Bash 5.2.32
  • systemd 256.5
  • osc 1.9.0, fixing CVE-2024-22034. The file storage on disk has been updated, which causes issues with obs-service-source_validator not being able to handle the new layout. A fix is being worked on (https://github.com/openSUSE/obs-service-source_validator/pull/141) and we will deliver this as part of the Update channel and in future snapshots as soon as possible.

Looking at the staging areas, it seems like the vacation period is ending – and more things are getting ready soon. Currently, the teams are working on those changes:

  • LibreOffice 24.8.0
  • KDE Gear 24.08.0
  • Mozilla Firefox 129.0.1
  • perl-Bootloader will be renamed to update-bootloader: there has been no Perl code in it for a while now
  • dbus-broker: All staging tests have passed. We plan on integrating this into full snapshots early next week
  • GCC 14: phase 2: use gcc14 as the default compiler – All relevant build failures in Ring0 and Ring1 have been resolved. This has moved ‘up’ (to Staging:O) to get Staging QA runs. In rare cases, this might find some runtime issues stemming from the new compiler, but we do not expect this to happen. Taking current progress into account, we should be able to switch by the end of August (dates are predictions, not a commitment)


Tumbleweed – Review of the week 2024/33

Dear Tumbleweed users and hackers,

Week 33 was busy, but busy in a good way. We managed to clear almost all stagings out, except the ‘long lasting’ topics like GCC and dbus-broker, which we have carried for a few weeks already. Other than that, the queue has been emptied (at the time of writing, there are 54 pending requests to Factory). Summer vacation helped us achieve this result, as did the fact that we produced 7 snapshots (one discarded) during the last week.

The six published snapshots (0809, 0810, 0811, 0812, 0813, and 0815) brought you those changes:

  • GCC 13.3.1
  • glibc 2.40
  • KDE Frameworks 6.5.0
  • Mozilla Firefox 129.0
  • NetworkManager 1.48.8
  • binutils 2.43
  • cURL 8.9.1
  • Linux kernel 6.10.4
  • Go 1.22 has become the new default Go compiler version
  • The FFmpeg default has switched from version 6 to version 7

As mentioned, stagings are almost empty – the few things currently left are:

  • Linux kernel 6.10.5
  • dbus-broker: some progress was made last week; most QA tests are fine, there is just a race condition on shutdown (likely not new, but dbus-daemon might have waited longer to report it, by when the system had completely shut down and the error has been ‘swallowed’)
  • GCC 14: phase 2: use gcc14 as the default compiler – great progress has been made and we believe we will be able to switch during Week 34


Introducing Labels and Bug Report Links

We’ve introduced several new features in OBS designed to foster collaboration among OBS users. Customized labels for better organization, setting custom links for your bug tracker and markdown formatting for project/package descriptions. Those features are intended to give you more insight into your work, helping you stay focused on what matters most. These updates are part of the Foster Collaboration and Labels beta programs. You can find more information about the beta program here. Introduction...


SUSE Security Team Spotlight Summer 2024


Introduction

Our blog has been silent for a few months, since we did not make any major security findings during this time. Still, our team has not been inactive. A lot of time is spent looking into programs where no notable security issues are found, or discussing improvements with upstream developers. This is the first edition of the SUSE security spotlight, a post that aims to give a quick overview of recent activities in the area of code reviews and the proactive security efforts of our team.

Deepin File Manager D-Bus Service

Deepin is a Linux desktop environment with a focus on support for the Chinese language. Many parts of Deepin have already been reviewed by us and have been accepted into openSUSE distributions, often after various security findings have been addressed. The review for Deepin’s file manager D-Bus service has been going on for years without bearing fruit, though.

The review is something of a moving target: upstream only partly fixes the issues we report and drops some of the problematic code, but also comes up with new code that sometimes contains new issues. The file manager service was initially missing any form of Polkit authentication, granting dangerous operations to any actor on the system. We decided not to request CVEs at the time, because there was no end to the issues in the service and keeping track of all of them seemed like a waste of precious time for such a broken service. A party unknown to us did obtain CVE-2023-50700 for the missing Polkit authentication in the meantime, though.

We revisited the service recently since the package maintainer told us that a new version with fixes was available. Sadly there are still too many issues left to accept the package into openSUSE.

Deepin App Services (Config Manager)

Another Deepin component that is waiting to be allowed into openSUSE is the Config Manager D-Bus service, which is part of a project called Deepin App Services. There is a review that has been in progress for a while now, and that we have revisited a couple of times. So far we found three different ways to achieve path traversal to trick the D-Bus service into processing untrusted files outside the intended system configuration directory.

Upstream fixed these issues one by one as we reported them. Currently we are still waiting for a cleanup of the packaging; otherwise we believe the service can soon be added to openSUSE Tumbleweed.

KDE6 Release Final Touches and Improvements

Since the large post we did about the KDE6 release, a couple of improvements have been achieved. The DrKonqi D-Bus component has been improved by upstream and the new release is by now included in openSUSE Tumbleweed as well. Also, after longer discussions and tests, upstream merged changes to KAuth that allow passing open file descriptors to KAuth helpers. The necessary changes were rather small in the end, and they should allow more robust KDE authentication helpers to be implemented in the future.

Review of SUSE’s OpenSSH Downstream Patches

In light of the discovery of the XZ library backdoor targeting OpenSSH, we decided to have a closer look at the shape of the integration of OpenSSH into our products. As part of this endeavor we did a detailed review of all the patches we currently apply to the upstream OpenSSH codebase.

Since OpenSSH is a sensitive, sometimes complex and also old component, quite a history of patches has piled up by now. The good news is that nothing truly problematic was found in the patches during the review. We will attempt to upstream as many of these patches as possible, to avoid having to maintain them on our end and to let all users of OpenSSH benefit from the changes. This is a long-term effort, though, that will take its time.

Review of Croc Upstream Bugfixes

Croc is a file sharing utility that allows arbitrary parties to exchange data “easily and securely”. In September 2023 we published a series of security issues that we identified in this utility. The cooperation with the upstream author proved somewhat difficult, until bugfixes arrived in May 2024. Only with some delay were we able to check on the fixes. Most of the issues are addressed by now, except for two:

Revisit of Backintime D-Bus Service

Backintime is a backup software that ships a D-Bus helper service. We reviewed it quite a long time ago in 2017. D-Bus configuration paths recently changed in the package, which was an occasion to revisit the software and check that it is still sane. Nothing relevant changed in the D-Bus component though, so we went ahead with adapting our whitelistings for this service.

KDE Plasma Kameleonhelper Service for RGB LED Controls

Kameleonhelper is a KDE6 add-on D-Bus service that configures RGB LEDs (like those on gaming keyboards) to match the KDE desktop’s color scheme. We performed a review of the service, since its addition to openSUSE was requested. The service essentially only writes to a few files in sysfs to adjust the RGB values of compatible devices. The single exposed D-Bus method is accessible to locally logged-in users without further authentication.

A typical danger in such services is path traversal, i.e. a caller tricking the service into writing to paths outside the intended sysfs location. Luckily, no such problem was found in this D-Bus service. There were a few quirks in the code, though, which have been addressed by a merge request by now.
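The path traversal class of bug mentioned for both the Deepin Config Manager service and Kameleonhelper comes up in almost every privileged D-Bus helper that takes a file or device name from an unprivileged caller. The following is an added example written for this post, not code from Kameleonhelper, Deepin or openSUSE: it shows one way such a helper can confine writes to a single sysfs subtree (canonicalize with realpath(), check containment with a proper path-component boundary, then open with O_NOFOLLOW), and it exercises the usual escape routes (dot-dot, a prefix look-alike directory, a symlink inside the tree pointing outside, an absolute path) against a constructed directory tree under /tmp that stands in for /sys. The base directory, the attribute layout and the "R G B" value format are assumptions of the example.

```c
/* Added example, not Kameleonhelper's or Deepin's own code: confining the
 * paths a privileged D-Bus helper writes to a single sysfs subtree. The
 * base directory is a parameter so the self-test can run on a constructed
 * tree under /tmp instead of the real /sys. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if canonical 'path' is inside canonical 'base'. A bare prefix compare
 * is not enough: "/sys/class/leds-evil" starts with "/sys/class/leds", so
 * also require '/' or end of string right after the prefix. */
int path_within(const char *base, const char *path)
{
    size_t blen = strlen(base);
    if (strncmp(base, path, blen) != 0) return 0;
    return path[blen] == '\0' || path[blen] == '/';
}

/* Resolve base/rel with realpath(), which follows symlinks and collapses "..",
 * refuse anything that lands outside base, then open it for writing.
 * Returns a fd, or -1 with errno set. */
int open_confined(const char *base, const char *rel)
{
    char joined[PATH_MAX], canon_base[PATH_MAX], canon[PATH_MAX];
    if (rel[0] == '/') { errno = EACCES; return -1; }            /* never accept absolute paths */
    if (snprintf(joined, sizeof joined, "%s/%s", base, rel) >= (int)sizeof joined) {
        errno = ENAMETOOLONG; return -1;
    }
    if (!realpath(base, canon_base) || !realpath(joined, canon)) return -1;
    if (!path_within(canon_base, canon)) { errno = EACCES; return -1; }
    /* O_NOFOLLOW covers a symlink swapped in for the last component after
     * realpath(). In real sysfs unprivileged users cannot plant symlinks,
     * but a helper should not rely on that. */
    return open(canon, O_WRONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
}

/* Write "R G B" (0..255 each, the multi_intensity format of the kernel's
 * multicolor LED class) to a confined attribute. 0 on success, -1 on error. */
int write_rgb(const char *base, const char *rel, int r, int g, int b)
{
    if (r < 0 || r > 255 || g < 0 || g > 255 || b < 0 || b > 255) { errno = EINVAL; return -1; }
    int fd = open_confined(base, rel);
    if (fd < 0) return -1;
    char buf[16];
    int n = snprintf(buf, sizeof buf, "%d %d %d", r, g, b);
    ssize_t w = write(fd, buf, (size_t)n);
    int saved = errno;
    close(fd);
    if (w != n) { errno = saved ? saved : EIO; return -1; }
    return 0;
}

/* Self-test on a constructed tree: <tmp>/sys is the confinement root; <tmp>/victim
 * and <tmp>/sys-evil/x are what an attacker would aim for. Returns the number
 * of failed checks, 0 when everything behaved. */
int selftest(void)
{
    char tmp[] = "/tmp/ledhelper.XXXXXX";
    if (!mkdtemp(tmp)) return 1;
    char p[7][PATH_MAX];
    const char *sub[7] = { "sys", "sys/leds", "sys/leds/multi_intensity", "victim",
                           "sys-evil", "sys-evil/x", "sys/leds/escape" };
    for (int i = 0; i < 7; i++) snprintf(p[i], PATH_MAX, "%s/%s", tmp, sub[i]);
    (void)mkdir(p[0], 0700); (void)mkdir(p[1], 0700); (void)mkdir(p[4], 0700);
    close(open(p[2], O_WRONLY | O_CREAT, 0600));
    close(open(p[3], O_WRONLY | O_CREAT, 0600));
    close(open(p[5], O_WRONLY | O_CREAT, 0600));
    (void)symlink(p[3], p[6]);                    /* symlink inside the root pointing outside */

    int fails = 0;
    fails += write_rgb(p[0], "leds/multi_intensity", 255, 0, 0) != 0;   /* legitimate write */
    fails += write_rgb(p[0], "leds/multi_intensity", 256, 0, 0) == 0;   /* out-of-range value */
    fails += write_rgb(p[0], "../victim", 1, 2, 3) == 0;                /* dot-dot traversal */
    fails += write_rgb(p[0], "../sys-evil/x", 1, 2, 3) == 0;            /* prefix look-alike */
    fails += write_rgb(p[0], "leds/escape", 1, 2, 3) == 0;              /* symlink escape */
    fails += write_rgb(p[0], "/etc/passwd", 1, 2, 3) == 0;              /* absolute path */

    char readback[16] = {0};
    int fd = open(p[2], O_RDONLY);
    if (fd >= 0) { (void)!read(fd, readback, sizeof readback - 1); close(fd); }
    fails += strcmp(readback, "255 0 0") != 0;                          /* attribute got the value */
    struct stat st;
    fails += stat(p[3], &st) == 0 && st.st_size != 0;                   /* victim untouched */
    return fails;
}

int main(void)
{
    int fails = selftest();
    printf("%d check(s) failed\n", fails);
    return fails != 0;
}
```

The containment check is done on the canonical path, not on the caller's string: rejecting ".." textually would miss symlinks, and a symlink check alone would miss "..". The one thing realpath() cannot close is the window between resolving and opening, which is why the final open() still uses O_NOFOLLOW; a helper that must serve a directory unprivileged users can write to should use openat() relative to a directory fd instead of a path string.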

OpenVPN Data Channel Offload (dco) Linux Kernel Module

An out-of-tree kernel module for OpenVPN has been added to openSUSE, which raised security concerns. The purpose of the kernel module is to accelerate OpenVPN network I/O and its encryption operations, by performing the tasks in kernel space.

The codebase of the module is of medium size. Only users with root permissions are allowed to use the socket APIs exposed by the kernel module. The local system security should not be weakened by this. Regarding the processing of network packets from remote parties, the code also looks sensible. The involved kernel frameworks provide a good base to prevent most bad things from happening. Although packet headers for IP, TCP and UDP are touched directly in some spots, the majority of the code is concerned with just opaque processing of the data for encryption/decryption and forwarding it between related parties. We could not identify any issues in the module’s code.

Emacs Games setuid/setgid Highscore Sharing Helper

Playing games in your favorite editor and sharing your highscore with other users on the system? If that brings back good old memories to you then this review is just for you. We have been asked to accept a setgid-games highscore helper program for the Emacs editor into the distribution. We always thought that using setuid binaries for sharing highscores was just an academic example from UNIX programming textbooks. But such a program actually exists, and it is already over 20 years old.

The source code for this program is rather naive and lacks protection against many of the problematic aspects of setuid/setgid programs: sanitization of environment variables, sanitization of the process’s umask, proper verification of input path arguments, and other issues. Even if all of these problems were fixed, the current program design does not offer any kind of protection against arbitrary manipulation of game scores, or against filling up the file system with insanely large highscore files.
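To make the list of missing protections concrete, here is an added example written for this post, not the Emacs helper’s code: a minimal hardening skeleton for a setgid-games highscore helper. It pins file descriptors 0-2, clears the inherited environment, resets the umask, accepts only a bare score file name, opens the score file with O_NOFOLLOW and an exclusive lock, caps the file size, and drops the setgid group once the write is done. The score directory, the record format and the size limit are assumptions of the example, and the self-test runs against a constructed directory under /tmp. As the review notes, none of this makes the score values themselves trustworthy: a game client can still claim any score.

```c
/* Added example, not the Emacs helper's code: hardening skeleton for a
 * setgid-games highscore helper covering environment, umask, input path
 * validation, symlink-safe opening and a size cap. The score directory is a
 * parameter so the self-test can use a constructed directory under /tmp. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* The file name comes from the untrusted game: bare name only, no '/',
 * no leading '.', conservative character set, bounded length. */
int valid_score_name(const char *name)
{
    if (!name || !*name || *name == '.' || strlen(name) > 64) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (!isalnum(*p) && *p != '_' && *p != '-' && *p != '.') return 0;
    return 1;
}

/* First thing in main() of the setgid program. */
int harden_process(void)
{
    struct stat st;
    /* Closed fds 0-2 would make a later open() hand the score file to stdout/stderr. */
    for (int fd = 0; fd < 3; fd++)
        if (fstat(fd, &st) == -1 && errno == EBADF &&
            open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY) != fd) return -1;
    /* The inherited environment (LD_*, locale, HOME, ...) is caller-controlled. */
    if (clearenv() != 0 || setenv("PATH", "/usr/bin:/bin", 1) != 0) return -1;
    umask(022);                   /* the caller's umask must not make score files world-writable */
    return 0;
}

/* Append one line to dir/name, refusing to grow the file beyond max_bytes. */
int append_score(const char *dir, const char *name, const char *record, off_t max_bytes)
{
    char path[4096], line[256];
    size_t len = strlen(record);
    if (!valid_score_name(name) || len > 255 || strchr(record, '\n')) { errno = EINVAL; return -1; }
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) { errno = ENAMETOOLONG; return -1; }
    /* O_NOFOLLOW: a symlink planted in the shared directory must not redirect the
     * setgid write. 0664: world-readable, writable only through the helper's group. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0664);
    if (fd < 0) return -1;
    int rc = -1;
    struct stat st;
    if (flock(fd, LOCK_EX) == 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
        if (st.st_size + (off_t)len + 1 > max_bytes) {
            errno = EFBIG;
        } else {
            memcpy(line, record, len);
            line[len] = '\n';
            rc = write(fd, line, len + 1) == (ssize_t)(len + 1) ? 0 : -1;
        }
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* After the privileged write, give the setgid group up for good and verify it. */
int drop_setgid(void)
{
    gid_t rgid = getgid(), r, e, s;
    if (setresgid(rgid, rgid, rgid) != 0 || getresgid(&r, &e, &s) != 0) return -1;
    return (r == rgid && e == rgid && s == rgid) ? 0 : -1;
}

/* Self-test on a constructed directory; returns the number of failed checks. */
int selftest(void)
{
    char dir[] = "/tmp/scores.XXXXXX", victim[4096], lnk[4096];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/tetris-link", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    (void)symlink(victim, lnk);

    int fails = 0;
    fails += harden_process() != 0;
    fails += getenv("HOME") != NULL;                                  /* environment really cleared */
    fails += append_score(dir, "tetris", "alice 100", 25) != 0;       /* 10 bytes on disk */
    fails += append_score(dir, "tetris", "bob 90", 25) != 0;          /* 17 bytes */
    fails += append_score(dir, "tetris", "mallory 99999", 25) == 0;   /* would be 31 > 25 */
    fails += errno != EFBIG;
    fails += append_score(dir, "../passwd", "x 1", 25) == 0;          /* traversal rejected */
    fails += append_score(dir, "tetris-link", "x 1", 25) == 0;        /* symlink rejected */
    fails += append_score(dir, "tetris", "two\nlines", 25) == 0;      /* record injection rejected */
    struct stat st;
    fails += stat(victim, &st) == 0 && st.st_size != 0;               /* symlink target untouched */
    fails += drop_setgid() != 0;
    return fails;
}

int main(void)
{
    int fails = selftest();
    printf("%d check(s) failed\n", fails);
    return fails != 0;
}
```

Even with all of this in place, the helper still writes whatever score the game hands it, which is the design problem the review points at: the setgid bit protects the file, not the honesty of the data, and a limit on file size is the only defence the helper can offer against a user who simply keeps submitting.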

We don’t believe that there are many users left on earth that actually want to share highscores on a multi-user system this way. We thus rejected the request to include this program with a setgid-games bit. Any users that want to use this feature can manually assign the required bit e.g. by using the openSUSE permissions settings.

Summary and Outlook

With this post we want to offer an insight into the everyday business of the proactive SUSE product security team. Even when we don’t have any actual CVEs to report, we are constantly investing resources into open source security in various ways: by revisiting software we already reviewed in the past, by performing code reviews that yield no major problems, by having follow-up discussions with upstream about bugfixes, or by rejecting components that aren’t considered healthy for the security stance of our products.

We are planning to make a series of blog posts of this kind in the future, to highlight some of our efforts that would otherwise not be very visible. Note that this series focuses on the work of the proactive SUSE security team. There is also the reactive SUSE security team, which monitors and manages CVEs and security issues in SUSE products to make sure that SUSE customers and openSUSE users always get the latest security fixes; that area warrants its own series of blog posts, and we are considering providing something in this direction as well in the future.


Tumbleweed – Review of the week 2024/32

Dear Tumbleweed users and hackers,

Despite the summer vacation period being in full swing, there is enough throughput to produce snapshots. During the last week, we created 6 of them, of which 5 could be published (the failed one was held back due to issues uncovered with Mesa 24.1.5, see https://bugzilla.opensuse.org/show_bug.cgi?id=1228164 for details).

The five delivered snapshots (0803, 0805, 0806, 0807, and 0808) contained these changes:

  • GCC 14.2
  • GStreamer 1.24.6
  • libzypp 17.35.9
  • Shim 15.8
  • Linux kernel 6.10.3
  • libxml2 2.12.9
  • Procps 4 (no longer as an alternative, but as a native replacement of procps 3.x)
  • fwupd 1.9.23
  • GNOME 46.4
  • KDE Plasma 6.1.4

Staging projects are currently busy building test distributions and running QA on these changes:

  • glibc 2.40
  • Rust 1.80
  • KDE Frameworks 6.5.0
  • cURL 8.9.1: breaks test suites of libzypp and python-tornado6
  • nftables 1.1.0: openQA is far from happy; nftables’ python bindings seem not to work
  • go 1.22 as default: only transactional-update-notifier seems to be blocking
  • Switch the default ffmpeg version from 6 to 7: xine-lib as the only blocker. A submit request is pending for the development project
  • dbus-broker: some progress was made last week; most QA tests are fine, there is just a race condition on shutdown (likely not new, but dbus-daemon might have waited longer to report it, by when the system had completely shut down and the error has been ‘swallowed’)
  • GCC 14: phase 2: use gcc14 as the default compiler – lots of help needed: https://build.opensuse.org/project/show/openSUSE:Factory:Staging:Gcc7