Thu, Dec 5th, 2024

icecream!

Lots of KDE hacking these days, and that comes with compiling large amounts of code. Right now, I am installing, well building from source Plasma Mobile on an “old” laptop so I can test some patches natively on a touchscreen device. The machine has just two cores (hyperthreaded), so builds take rather long, especially if you build Qt and all that 80+ packages that are needed for a fully working Plasma system.
One of the tools that do an incredible job while being super flexible to use is icecream. Icecream (or “icecc“) allows you to distribute your build over multiple machines, it basically ships compile-jobs with all that’s needed to other machines on a local network, meaning you can parallelize your builds.

Icecream has this nice visualization tool, called icecream-monitor which you can stare at while your builds are running (in case you don’t have anyone handy for a sword-fight). In the screenshot you can see manta, the underpowered laptop doing a 32 parallel job build over the network. miro is my heavy workstation, 8 cores and 128GB of RAM, it duely gets the bulk of the work assigned, frame is my (Framework) laptop, which is also quite beefy, gets something to do too, but not taxed as heavily as that build monster in my basement office.
Icecream can be used with most environments that have you run your compiler locally. Different distros are no problem! Just a matching CPU architecture is needed. Icecream does its job by providing its own g++ and gcc binaries, which will relay the build jobs transparently to either your local machine or across the network. So you basically install it, adjust your PATH variable to make sure icecc’s g++ is found before your system’s compiler and start your build. Other machines you want to join in for the fun just need to run icecc-scheduler and they will be automatically discovered as build slaves on your network. If you want to further speed up builds, it works with ccache as well.

Please note that you only want to do this in a trusted environment, we’re shipping executables around the network without authorization!

The syslog-ng newsletter looks odd

Recently I was asked why the syslog-ng newsletter looks odd. At first I did not even understand what is the problem. Then I realized that I kept using the same format for the past 14 years, that was optimized for UNIX terminals :-)

So, what is the problem? 14 years ago I was kindly asked by syslog-ng users to use plain text e-mails instead of HTML formatting. Of course it also means that there is no easy way to emphasize titles in the newsletter. For that I started to use a long list of hyphens under the titles, equal length to the title. It all looks perfect in a terminal window, which has fixed width fonts. It definitely looks odd in a GUI e-mail client, which does not use fixed width fonts. Something like this:

This is a really nice title

---------------------------

The lenght of the line and the title are different. Luckily the mailing list archive also uses a fixed width font when showing e-mails. So, if you take a look at the last syslog-ng newsletter, you will see that it looks completely OK: https://lists.balabit.hu/pipermail/syslog-ng/2024-December/026735.html

So, what is next? My suspicion is that over the past decade even the most diehard terminal users started to use graphical e-mail clients (most likely a web browser). Starting next year I’ll switch to HTML formatting, hoping that nobody will complain :-)

syslog-ng logo

The syslog-ng Insider 2024-12: FreeBSD audit; 4.8.1; conferences

The December syslog-ng newsletter is now on-line:

  • FreeBSD audit source for syslog-ng

  • Version 4.8.1 of syslog-ng is now available

  • Where should I present syslog-ng and sudo?

It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2024-12-freebsd-audit-4-8-1-conferences

syslog-ng logo

Wed, Dec 4th, 2024

Leap Micro 6.1 Release Candidate

Release Candidate images of Leap Micro 6.1 can be found at get.opensuse.org.

At this point we’re only awaiting confirmation of the Leap Micro 6.1 maintenance setup prior making an official release; hopefully coming later this week.

Please be aware that the release of Leap Micro 6.1 means the end of life for Leap Micro 5.5.

Users are advised to upgrade to either Leap Micro 6.0 or 6.1 and can find details about release cycle on the openSUSE wiki.

Users upgrading from previous releases can consider our experimental opensuse-migration-tool. The migration tool will be part of Leap Micro 6.1+; users from older release can still get the tool from git.

See our Leap Micro upgrade wiki for more information about upgrade options.

See SLE Micro 6.1 Release notes and a summary for a list of changes in the Leap Micro 6.1 Alpha announcement.

Tue, Dec 3rd, 2024

openSUSE Empowers Creative Professionals

Creative professionals exploring alternatives that allow them to continue working without investing in costly new hardware and software upgrades can look at Linux as the end of Windows 10 approaches.

Distributions and flavors like openSUSE’s Tumbleweed, Leap, Slowroll, Kalpa and Aeon and other Linux distributions offer an excellent platform for creators with a wide variety of powerful, open-source tools designed to meet the needs of artists, designers, photographers, videographers and video editors.

From Indie short films to podcasts, open-source software and tools are available as a Flatpak, AppImage or as a native applications for creative people to create.

Many user-friendly tools are viable alternatives to popular, proprietary commercial applications like Photoshop, Illustrator, Final Cut Pro and others.

This article explores some of the top creative tools available on Linux and how transitioning to openSUSE can help creative professionals maintain, or even improve, their productivity.

Transitioning from Photoshop to GIMP

For many creatives, Photoshop is the go-to application for photo editing and graphic design. However, GIMP is an excellent open-source alternative that provides a wide range of professional-grade features.

GIMP supports many file formats, including PSD and offers powerful tools for retouching, editing and manipulating images. Creative professionals will find familiar features like layers, masks, blending modes and a variety of brushes. GIMP also supports high-bit-depth images and allows users to create professional-quality designs.

GIMP may have a slightly different workflow than Photoshop, but it is flexible, customizable and its plugin support makes it a highly versatile tool for image editing and graphic design. Many users find that GIMP offers all the functionality they need to complete complex projects.

Alternatives to Illustrator: Inkscape

For vector graphics, Inkscape is a known alternative to Illustrator. Inkscape is a powerful, free tool for creating logos, illustrations and scalable graphics. It supports common vector formats, including SVG, AI, and EPS, which make it easy to integrate into existing workflows.

Inkscape’s interface is intuitive for Illustrator users and features many of the same tools, such as the Pen tool, curves, shape tools and layer management. Its active development community ensures frequent updates, and the software is highly customizable through extensions and plugins.

For those focused on scalable design and illustration, Inkscape provides a professional-grade environment without the subscription fees associated with cloud creative services. This saves costs and opens people’s minds to the alternatives that are available.

Video Editing: Kdenlive and Blender

Creative professionals working in video production and editing have strong options to use both Kdenlive and Blender. Kdenlive, which is part of the KDE ecosystem, is a feature-rich video editor that provides tools for cutting, splitting and arranging video clips. It supports multiple video and audio tracks, transitions, effects and keyframe animation, which makes it suitable for everything from simple edits to more complex projects.

Blender is an industry-leading, open-source application meant for those working on 3D animation, video effects or visual effects (VFX). Blender’s capabilities include 3D modeling, animation, rendering and compositing, as well as a fully functional video editor. Blender is widely used in professional studios for film, game development and visual effects, which makes it a powerful option for creative professionals. Blender’s source code is governed by the GNU General Public License, embodying the same principles of freedom and collaboration that drives distributions like openSUSE and others.

Audio Production: Ardour and Audacity

Creative professionals working in music production, sound design or podcasting have options. Software packages like Ardour and Audacity offer powerful audio editing solutions. Ardour is a digital audio workstation (DAW) that supports multi-track recording, mixing and mastering. It is widely used for professional audio production, supporting VST plugins and offers advanced feature sets comparable to Logic Pro and Pro Tools.

Audacity is a simple and easy-to-use tool for audio editing; it’s ideal for basic recording, podcasting and sound editing tasks. It’s perfect for quick edits and simple projects, with support for a variety of audio formats and built-in effects.

3D Modeling and Animation: Blender

Blender deserves a second mention here because of its dominance in the field of 3D modeling and animation. Blender’s comprehensive suite of tools allows users to create everything from character animations to architectural models. It offers sculpting tools, UV unwrapping, rigging, particle simulation, and more.

For creative professionals used to proprietary 3D modeling software like Autodesk Maya or 3ds Max, Blender provides a comparable, if not superior, set of features with the added benefit of being open-source.

Publishing and Layout: Scribus

For professionals in publishing or those who need to create print-ready materials, Scribus is a capable desktop publishing tool. It provides features for designing brochures, books, magazines and other print materials. It’s similar to InDesign and just as functional.

Scribus supports advanced typography, CMYK colors, ICC color profiles and PDF export, which makes it a professional solution for designers working on print projects. With a clean, organized interface, it makes a transition from InDesign relatively smooth.

Why openSUSE?

Besides Windows 10 expiring and having to spend more than $100 USD for an upgrade depending on the country you live in, openSUSE provides a solid environment for creative professionals to transition to a new operating system. It offers stability, security and flexibility that allows users to customize their systems to fit their specific needs. Tumbleweed, which is openSUSE’s rolling release version, ensures access to the latest versions of creative software, while the Leap version offers long-term stability with fewer updates; Leap is ideal for users who prefer to avoid frequent changes.

With software centers and tools like openSUSE’s YaST configuration tool, managing software and updates are incredibly easy; this can be a big advantage for those new to Linux.

Creative professionals can continue producing high-quality work without the need for expensive software subscriptions or hardware upgrades. From GIMP and Inkscape to Blender and Ardour, the open-source Linux ecosystem offers powerful, free alternatives that rival commercial counterparts.

The “Upgrade to Freedom!” campaign is here to help creative people make the switch. By choosing openSUSE, you not only gain access to a suite of professional-grade tools but also extend the life of your hardware and avoid contributing to e-waste.

Now is the perfect time for creative professionals to embrace the freedom of open-source software and continue thriving on Linux.

This is part of a series on Upgrade to Freedom where we offer reasons to transition from Windows to Linux.Those who would like to order a laptop with Linux, can visit slimbook.com or other providers of Linux machines.

Fri, Nov 29th, 2024

Tumbleweed – Review of the week 2024/48

Dear Tumbleweed users and hackers,

After hackweek, we see a bunch of nifty changes coming our way. I have not seen everything by far, but there is at least a replacement for openSUSE-welcome planned on the GNOME Desktop (a variant of GNOME Tour), Lubos has just announced a new migration tool and there will certainly be many more things popping up in the next few days/weeks. During the last week, we have managed to deliver six snapshots (1121, 1122, 1124, 1125, 1126, and 1127)

The most relevant changes delivered are:

  • Mesa 24.2.7 & 24.3.0
  • ICU 76.1
  • gpgme 1.24.0
  • GTK 4.16.6 & 4.16.7
  • LLVM 19.1.4
  • PHP 8.3.14
  • CMake 3.31.0
  • GNOME 47.2
  • KDE Plasma 6.2.4
  • Qt 5.15.16
  • Debugedit 5.1

Amongst the initially mentioned changes, we are currently also testing these updates in the Factory Staging areas:

  • Mozilla Firefox 133.0
  • LibreOffice 24.8.3.2
  • Python setuptools 75.6
  • systemd 257
  • SQLite 3.47.1
  • Linux kernel 6.12.1

Upgrading to Leap Micro 6.1 Beta with opensuse-migration-tool

Leap Micro 6.1 Beta was released last Wednesday. Images can be found at get.opensuse.org As this is mostly a rebrand of SUSE Linux Enterprise Micro 6.1, unless some serious issues are found, users can expect a quick transition to RC and GA next week.

We’re introducing a new migration tool with Leap Micro 6.1 which should hopefully ease future upgrades to a Leap Micro releases, specifically new major versions. Let’s have a look at how to deploy it from git on older Leap Micro releases as well as how to install it on Leap Micro 6.1 Beta.

The main benefit for the user is that you don’t have to deal manually with any repository changes that might have been introduced in a new releases. This will hopefully lead to smoother and more straightforward upgrades. As of now the opensuse-migration-tool is still experimental.

Testing the tool with Leap Micro container from your Leap or Tumbleweed

We have to be running an older version of Leap Micro to be able to upgrade to 6.1.

Since we’re using distrobox in this example our host can be running Leap, Tumbleweed, Aeon. Distrobox will have access to your home directory, including the git checkout.

The key is to use –pre-release to have Leap Micro 6.1 as an available upgrade target.

$ git clone https://github.com/openSUSE/opensuse-migration-tool.git
$ cd opensuse-migration-tool
$ distrobox create --image registry.opensuse.org/opensuse/leap-micro/6.0/toolbox --name micro60
$ distrobox enter micro60 # from now on inside distrobox
$ zypper in bc jq curl dialog sed gawk
$ ./opensuse-migration-tool --pre-release --dry-run
$ sudo ./opensuse-migration-tool --pre-release # Chooose Leap Micro 6.1
$ cat /etc/os-release # should confirm that you've upgraded to 6.1

Enjoy your new Leap Micro 6.1 Beta container

If you trash your container, just type exit podman stop micro60 or docker stop micro60 followed by distrobox rm micro60. And you can start all over again.

Testing the tool on Leap Micro host or inside the VM

Here we have to use transactional-update shell as we’re working inside Leap Micro 6.0 or even 5.5 host or a VM. Just like in the previous case, the important piece is to try it from a Leap Micro release older than 6.1, as otherwise, the only migration target would be MicroOS.

Make sure to use –pre-release to have 6.1 Beta as a viable migration target.

$ sudo transactional-update shell # from now on inside shell
$ zypper in git bc jq curl dialog sed gawk 
$ git clone https://github.com/openSUSE/opensuse-migration-tool.git
$ cd opensuse-migration-tool
$ ./opensuse-migration-tool --pre-release --dry-run
$ sudo ./opensuse-migration-tool --pre-release  # Choose Leap Micro 6.1 as a target
$ reboot

*Enjoy Leap Micro 6.1 Beta

Don’t worry In case you mess up, we’re using transactional-update shell. You can always boot the previous snapshot.

Testing Leap Micro 6.1 to MicroOS upgrade migration

Since there is no newer point release than Leap Micro 6.1 Beta, the only migration/upgrade target would be MicroOS.

The point of this example is to show that the Leap Micro 6.1 repository already contains the opensuse-migration-tool Therefore there is no need to run it from a git checkout unless you want to tinker with it.

$ sudo transactional-update shell
$ zypper in opensuse-migration-tool # Will work only on Leap Micro 6.1
$ sudo opensuse-migration-tool --dry-run # to oversee what would change
$ sudo opensuse-migration-tool # MicroOS is expected to be the only migration option from Leap Micro 6.1 Beta

Don’t bother re-running the opensuse-migration-tool once you upgrade to MicroOS which is in fact openSUSE Tumbleweed. There is really nothing newer that you could migrate to, and you’ll get the message that openSUSE Tumbleweed is unsupported. This behavior is expected.

Known issues

Bug 1233982 - Upgrade to 6.1 (netcfg) failed

This particular issue will for sure pop up in your distrobox-based experiments. Distrobox mounts over /etc/hostname with a bind mount and the upgrade of netcfg will fail on post-script. This is safe to ignore (type i in interactive zypper dup).

The migration tool tries to run non-interactively at first, and in case it fails it leaves problem resolution on the user by re-running zypper dup in interactive mode.

Contributing

If you’re interested in contributing feel free to send PR, report issues or features against openSUSE/opensuse-migration-tool Github repository

Tumbleweed Monthly Update - November 2024

This month, the rolling-release continues to shine as a well-oiled machine. November brings key updates for Mesa, gtk4, php8, postgresql17 and more. Alongside these key updates, important security fixes arrived for mozjs128, postgresql, Firefox, and OpenSC, which resolved several CVEs to help bolster your system’s resilience. The fresh design introduced last month, with its revamped logo and day/night-themed wallpapers, continues to enhance Tumbleweed’s aesthetic appeal while the updates this month improve functionality and security.

As always, remember to roll back using snapper if any issues arise.

Happy updating and tumble on!

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

  • GTK4 4.16.6 and 4.16.7: The newest version reduces the size of error underlines in text rendering for better visual clarity. The 4.16.6 version provides fixes for a smoother user experience. Wayland color management is now opt-in, helping prevent compatibility issues with KWin. Users can experiment with this feature by setting GDK_DEBUG=color-mgmt. Improvements include preventing emoji selection when inserted in GtkText, setting default window icons from the application ID in GtkApplication and enhancing GtkFontChooser to make its dialog more adaptable.The release also includes updated translations.
  • postgresql 17.2: The package received two updates this month and resolves an ABI break affecting extensions that interact with ResultRelInfo and restores the functionality of ALTER {ROLE|DATABASE} SET role. Logical replication slots now handle restart_lsn correctly to avoid backward movement. The update prevents deletion of required WAL files during pg_rewind and fixes race conditions with shared statistics entries. Index statistics in contrib/bloom are now correctly counted. The update fixes an assertion failure in regular expression parsing caused by disconnected NFA sub-graphs.
  • gnutls 3.8.8: Improvements in this package were made in post-quantum cryptography and Online Certificate Status Protocol handling. Experimental support for X25519MLKEM768 and SecP256r1MLKEM768 key exchange algorithms in TLS 1.3 were added that align with the final ML-KEM standard. This update requires liboqs 0.11.0 or newer. Additionally, the library now validates all records in OCSP responses, ensuring the server certificate is checked against all available records instead of only the first. Improvements in handling malformed compress_certificate extensions bring stricter RFC 8879 compliance, replacing incorrect alerts with illegal_parameter and rejecting overlong extension data.
  • KDE Plasma 6.2.3:
    Bluedevil improves PIN entry behavior, while Breeze resolves a potential null pointer issue. Discover updates its backend for compatibility with fwupd 2.0.0 and corrects review visibility in the Application Page. KWin receives extensive updates, including fixes for crashes, colormap leaks, file descriptor handling, and HDR brightness management. Plasma Desktop fixes app tooltips, task manager icon alignment, emoji search, and optimizes activity management. Other components like KPipeWire, KSystemStats, and Powerdevil improve stream handling, sensor robustness, and brightness adjustments, respectively. Plasma Mobile simplifies and cleans up the Action Drawer and enhances app list navigation and search functionality. Plasma Audio Volume Control ensures accurate device name updates, while Plasma Workspace adjusts logout screen behavior, theme defaults, and mobile user interface fixes.
  • KDE Gear 24.08.3: Elisa fixes missing icons on certain platforms. K3b corrects file pattern parsing for ripped files and removes deprecated MusicBrainz code. KAccounts-Integration improves logging, fixes dangling references, and handles missing files gracefully. Kate addresses session group saving, export order for SQL and builds on openSUSE with updated dependencies. Kdenlive resolves multiple crashes and improves project handling, proxy generation, and timeline management. KIO-Extras adds WebP thumbnail support. Kitinerary expands ticket extraction support for multiple transport services and improves handling of Renfe and Agoda formats. Konsole fixes issues with OSC color commands.
  • KDE Frameworks 6.8.0: Baloo now excludes model/obj and text/rust from indexing. Breeze Icons adds support for text/x-typst mimetype icons and unifies index themes for better consistency. Extra CMake Modules gain Python bindings and improved static Qt6 support. KIO sees improvements in http handling, resizing in KFilePlacesView, and overall UX enhancements. Kirigami resolves various issues with icons, themes, and overlays, improving usability. KTextEditor enhances session restore, template handling, and introduces comprehensive swap file tests. Solid restores media change handling for audio CDs and adopts libmount on Linux for better functionality. This release also includes numerous bug fixes, CI improvements for static builds, enhanced Qt 6 compatibility, and updated translations.
  • gnome-control-center 47.2: GNOME users see accessibility improvements by removing excessive “screen” labels. The appearance settings fix accidental resets of accent colors. Lemory leak are addressed in the Apps section, while Color ensures profiles are connected before use. Printers fix an incorrect tooltip in the “Add Printer” button. Updated translations are included.
  • ruby3.3 3.3.6: This update includes the merging of JSON 2.7.2 and reline 0.5.10, along with an upgrade to REXML 3.3.9. The release resolves significant bugs, such as improper object freeing when using Data_Make_Struct, broken IO#close functionality under Fiber scheduling, and errors with multibyte path names on Windows. Additional fixes address issues with Float handling ASCII-incompatible strings, memory management in IO::Buffer operations, and discrepancies in instance_method behavior across Ruby versions. This version also corrects corrupt RUBY_DESCRIPTION metadata when specific flags are used and improves hash key retrieval after Process.warmup.

Key Package Updates

  • Mesa 24.3.0: The package introduces a new stable release with updates enhancing its graphical capabilities and addressing security and build issues. The update refreshes patches for various vulnerabilities, including CVE-2023-45913, CVE-2023-45919, and CVE-2023-45922, while incorporating fixes for Python 3.6 build compatibility and other adjustments. Deprecated options like -Ddri3=enabled and -Ddri-search-path have been removed to streamline the build configuration. Vulkan 1.3 is now supported on Raspberry Pi 4 and 5 via v3dv, while the NVK driver adds support for important extensions like VK_EXT_descriptor_buffer, VK_KHR_dynamic_rendering_local_read, and VK_KHR_pipeline_binary. RADV sees new features and Shader support is significantly enhanced. Full details can be accessed in the release notes.
  • kernel-source 6.11.8: Key updates for the Linux Kernel address issues like dangling pointers in virtual socket and hyper-v socket initialization, improved support for AMD audio on certain laptops, and fixes for display rendering and timeout handling in Intel and AMD graphics drivers. The update resolves several memory management, file system and USB-related bugs, which includes USB Type-C and serial device handling. Fixes were made to Thunderbolt connections, media device parsing, and the management of system clocks and platformance features for AMD processors. Updates to the Btrfs file system enhance subvolume flag management and quota handling.
  • GStreamer 1.24.9: Fixes include better timestamp handling in flvmux, RTPManager keyframe management and enhanced SRT and V4L2 support. Updates optimize aggregator, playbin3, and qtdemux, with broader format and library compatibility.
  • gpgme 1.24.0: This package brings several significant enhancements and fixes, including extended decryption and verification commands that now support direct file output. Encryption and signing commands also allow input data to be read from files. Additional features include improved handling of designated revocation keys, new context flags for advanced operations like importing options and processing all signatures and the introduction of an easier method to change owner trust and enable or disable keys. The Qt library now supports simultaneous builds for Qt 5 and Qt 6, enabling file-based operations for encryption and signing while offering better integration for importing options and appending detached signatures.
  • gtk4 4.16.3: This update enhances how default cursor themes are handled by searching within XDG directories to ensure better compatibility with Wayland environments. The default cursor size now matches the gsettings schema and provides a more consistent user experience. The fallback process for portal settings was refined as settings_portal is cleared when switching to fallback without portal settings. This release also includes updated translations.
  • php8 8.3.14: Fixes include addressing segmentation faults in DOM, GD, and FFI, memory leak in Reflection and OpenSSL, and use-after-free vulnerabilities in SPL and sockets. The update also resolves overflows in multiple modules, such as mbstring, streams and GMP for more stable and secure handling of edge cases. Notable security improvements include patches for out-of-bounds writes in LDAP CVE-2024-8932, heap buffer over-reads in MySQLnd CVE-2024-8929, and CRLF injection vulnerabilities in streams CVE-2024-11234.
  • ibus 1.5.31: This includes enhanced CI support for both generic setups and Wayland environments, as well as updates to compose keys based on the latest Xorg and GTK standards. The release transitions to using localectl for XKB configuration retrieval in Wayland, enhancing integration. Security improvements include a change to the IBus unique name, while updates to XKB engines and Unicode categories ensure broader compatibility. This version resolves various issues, including problems with X11 applications and games, Emoji handling, Flatpak integration, and preedit behavior in specific input methods like m17n:sa:itrans.

Bug Fixes and Security Updates

Several key security vulnerabilities were addressed this month:

  • Firefox 132:
  • CVE-2024-10458: Permission leak via embed or object elements.
    • CVE-2024-10459: Use-after-free in layout with accessibility, potentially leading to an exploitable crash.
    • CVE-2024-10460: Confusing display of origin for external protocol handler prompt.
    • CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response.
    • CVE-2024-10462: Origin of permission prompt could be spoofed by a long URL.
    • CVE-2024-10463: Cross-origin video frame leak in some conditions.
    • CVE-2024-10468: Race conditions in IndexedDB could cause memory corruption and a potentially exploitable crash.
    • CVE-2024-10464: History interface could cause a Denial of Service condition.
    • CVE-2024-10465: Clipboard “paste” button persisted across tabs, allowing a potential spoofing attack.
    • CVE-2024-10466: DOM push subscription message could hang Firefox, causing it to become unresponsive.
    • CVE-2024-10467: Memory safety bugs fixed, potentially exploitable to run arbitrary code.
  • php8 8.3.14:
    • CVE-2024-8932: An out-of-bounds access in the LDAP extension’s ldap_escape function.
    • CVE-2024-8929: A heap buffer over-read in MySQLnd that could leak partial heap content.
    • CVE-2024-11233: An issue in the Streams component allowing potential CRLF injection via proxy configurations.
    • CVE-2024-11234: A vulnerability in the Streams component related to CRLF injection.
    • CVE-2024-11236: Integer overflows in PDO DBLIB and PDO Firebird quoters, leading to out-of-bounds writes.
  • opensc 0.26.0:
    • CVE-2024-45615: Uninitialized values in libopensc and pkcs15init could lead to undefined behavior.
    • CVE-2024-45616: Incorrect checks or usage of APDU response values in libopensc may result in uninitialized values.
    • CVE-2024-45617: Missing or incorrect return value checks in libopensc can cause uninitialized values.
    • CVE-2024-45618: Similar issues in pkcs15init due to improper return value handling.
    • CVE-2024-45619**: Improper handling of buffer or file lengths in libopensc.
    • CVE-2024-45620**: Similar buffer or file length handling issues in pkcs15init.
    • CVE-2024-8443**: A heap buffer overflow in the OpenPGP driver during key generation.
  • libsoup:
    • CVE-2024-52531: A buffer overflow in soup_header_parse_param_list_strict could occur during UTF-8 conversion in applications using libsoup versions prior to 3.6.1. This issue cannot be triggered by input received over the network.
    • CVE-2024-52532: An infinite loop and excessive memory consumption were possible when reading certain patterns of WebSocket data from clients in libsoup versions before 3.6.1.
  • mozjs128 128.4.0:
    • CVE-2024-10458: Permission leak via embed or object elements.
    • CVE-2024-10459: Use-after-free in layout with accessibility.
    • CVE-2024-10460: Confusing display of origin for external protocol handler prompt.
    • CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response.
    • CVE-2024-10462: Origin of permission prompt could be spoofed by long URL.
    • CVE-2024-10463: Cross-origin video frame leak.
    • CVE-2024-10464: History interface could cause a Denial of Service condition.
    • CVE-2024-10465: Clipboard “paste” button persisted across tabs.
    • CVE-2024-10466: DOM push subscription message could hang Firefox.
    • CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4
  • postgresql17 17.1:
    • CVE-2024-10976: Incomplete tracking of tables with row-level security could allow reused queries to access unintended rows.
    • CVE-2024-10977: Error messages during SSL or GSS protocol negotiation could be spoofed by a man-in-the-middle.
    • CVE-2024-10978: Incorrect privilege assignment could allow less-privileged users to view or modify unintended rows.
    • CVE-2024-10979: In PL/Perl, unprivileged database users could alter sensitive process environment variables, potentially leading to arbitrary code execution.
  • libssh2_org 1.11.1:
    • CVE-2023-48795: A vulnerability that could cause mishandled handshake and sequence numbers, allowing attackers to bypass integrity checks and downgrade security features in certain OpenSSH extensions.
  • Xen 4.19.0_06:
    • CVE-2024-45818: Fixed a deadlock in x86 HVM standard VGA handling.
    • CVE-2024-45819: Only x86 systems running PVH guests are affected; HVM and PV guests are not vulnerable. The libxl toolstack may leak data to PVH guests via ACPI tables.
  • python-tornado6 6.4.2:
    • CVE-2024-52804: The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue

Conclusion

November 2024 was another stellar month for Tumbleweed as it showcased its commitment to delivering the newest software with an impressive array of updates. Notable updates to Mesa, GTK4, KDE Plasma, PostgreSQL and more provide rolling release users with the latest in open-source technology for a secure and robust system. Keep rolling forward, and don’t forget to check out the detailed changelogs and discussions on the openSUSE Factory mailing list. Here’s to another month of seamless updates—happy tumbling!

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive between an average of 5 to 10 days after being released in Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

stalld: unpatched fixed temporary file use and other issues

Table of Contents

1) Introduction

Stalld is a daemon that aims to prevent starvation of operating system threads on Linux. It has recently been added to openSUSE Tumbleweed and we performed a routine review of the contained systemd service. During the review we noticed a couple of security issues that should be addressed.

We reached out to upstream via their GitLab issue tracker and created a public and a private issue (still private), but never got any reaction. After nearly three months without a reply we decided to publish the available information now.

This report is based on stalld version v1.19.6.

2) Use of Fixed Temporary File Path /tmp/rtthrottle in scripts/throttlectl.sh

The throttlectl.sh script, which is called with root privileges as a pre and post script in stalld’s systemd unit, is using the fixed /tmp path /tmp/rtthrottle to cache the original values found in /proc/sys/kernel/sched_rt_runtime_us and /proc/sys/kernel/sched_rt_period_us. This allows for a symlink attack and a file pre-creation attack.

A symlink attack can only work if the Linux kernel’s protected_symlinks setting is not in effect. If that would be the case then an attacker could place a symlink at the location causing throttlectl to overwrite arbitrary files in the system, allowing for a local Denial-of-Service.

2.b) File Pre-Creation Attack

Pre-creating the path in /tmp/rtthrottle will always work, even if the protected_regular setting in the kernel is active. This is the case because the shell redirection in the script (like in the line echo $period > $path/sched_rt_period_us) will fall back to opening the target file without O_CREAT in the open() flags, if creating the file fails. Without O_CREAT the protected_regular logic no longer triggers.

This means that if a local attacker pre-creates the file, the script will write to a file owned by the attacker. By the time the script tries to restore the values from this file, the local attacker can place arbitrary values in it, which will in turn be written to the pseudo files in /proc/sys/kernel/sched_rt_*. This is a kind of local Denial-of-Service or a local integrity violation. It is not an information leak, because the content of these pseudo files is world-accessible anyway.

2.c) Exploitability

When stalld starts at boot time, there is not much opportunity for unprivileged local users to exploit this issue. If the service is started at a later time, or restarted, then the attack vector is exploitable, though.

2.d) Suggested Fix

To fix this, we suggest to place the file into the /run/stalld directory, which is owned by root. This directory is already created via stalld’s systemd unit.

In the systemd unit some hardenings like PrivateTmp=yes could also be applied to prevent any future temporary file issues of this type.

The throttlectl script should also set the errexit shell option to make it exit upon any unexpected errors.

3) The fill_process_comm() Function Might Read Unexpected Control Characters

The fill_process_comm() function reads the content of /proc/<pid>/comm from potentially untrusted processes in the system. The data found in there is obtained from the name of the executable that the kernel executed. Executable names can contain any data, except for the / character. This also includes control characters like \r or even terminal control sequences. This string is used by stalld to write information to logs. By embedding a carriage return in an executable name, a local attacker could achieve log spoofing.

To fix this, we suggest to transform any non-alphanumeric characters in the string into some safe character like ?.

4) Experimental FIFO Boosting Feature might have a Danger of Locking up the System

Via the --force_fifo command line switch, stalld can be instructed to “boost” stalled tasks by switching them to SCHED_FIFO scheduling. We are wondering what happens if a “rogue task” is assigned to this scheduler. As far as we know, if such a task never yields the CPU again, the whole system could lock up. This might require stalld to run under SCHED_FIFO itself, using a higher scheduling priority than the boosted task, to prevent any such situation.

5) Potential Race Conditions when Accessing /proc/<pid>/{status,comm}

As usual, when iterating over the processes in the /proc file system, race conditions can occur. Target processes could attempt to replace themselves by other processes, confusing stalld. We don’t believe that the “stall” situation can be provoked easily by a local attacker, though, thus the possibility to exploit anything in this direction is likely small.

We just mention this as a hint to the reader, maybe we’re overlooking something more critical here.

6) Weird umask() Setting used in daemonize()

The daemonize() function applies a new umask to the daemon process by calling umask(DAEMON_UMASK). The constant for this has a weird value, though:

/*
 * Daemon umask value.
 */
#define DAEMON_UMASK  0x133  /* 0644 */

We don’t know why an octal 0644 value isn’t used in the first place, instead of writing this as a comment only. The constant 0x133 corresponds to an octal value of 0463, though. It will mask out the owner-readable bit, read-write bits for the group and write-execute bits for world. This is likely not what was intended here.

Luckily no world-writable files will come into existence this way, but the misconfiguration could lead to strange effects in the future, e.g. because the owner of the file will not have read permissions for it.

We don’t believe this is a security issue, which is why we created a public issue in the upstream GitLab tracker for this.

7) CVE Assignments

Since upstream did not react and therefore also didn’t confirm any of these issues, we did not request any CVEs from Mitre until now. The fixed temporary file usage issue 2) likely is worthy of a CVE assignment, though.

8) Timeline

2024-09-09 We reported the issues (1, 2) in the upstream GitLab project, offering coordinated disclosure for the sensitive issues.
2024-11-13 After getting no reaction for such a long time we commented in the issue, asking for a reply until 2024-11-22, otherwise we would publish the issue on our end.
2024-11-28 We published the information without upstream fixes being available.

9) References

Thu, Nov 28th, 2024

Project to have AMA with SUSE’s GM

The openSUSE community is invited to an online engagement with SUSE’s General Manager for Business Critical Linux on Dec. 3 at 16:00 UTC.

Rick Spencer, who leads the SUSE Linux Enterprise and SUSE Multi-Linux Manager teams, works closely with those contributing to openSUSE as part of his day-to-day roles. He is eager to strengthen the ties between SUSE and the openSUSE communities.

The Ask Me Anything session is an opportunity for open dialogue with members of the project and open-source contributors.

Participants can ask questions, share insights and learn about SUSE’s ongoing initiatives involving openSUSE and open-source development. Questions can also be submitted in advance to Rick Spencer or Gerald Pfeifer to guide the discussion.

Event Details:

  • Event: openSUSE Open Door Session with Rick Spencer

  • Date: Dec. 3, 2024

  • Time: 17:00–17:45 CET / 11:00–11:45 ET

  • Location: Online

How to Participate:

Spencer provided the keynote at this year’s openSUSE Conference.