
Version 4.5.0 of syslog-ng is now available with OpenObserve JSON API support

Recently, syslog-ng 4.5.0 was released with many new features. These include sending logs to OpenObserve using its JSON API, support for Google Pub/Sub, a new macro describing the message transport mechanism (for example RFC 3164 + TCP), an SSL option to ignore certificate validity periods (which weakens certificate validation and should be enabled only deliberately), and many more. You can find a full list of new features and bug fixes in the release notes at: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.5.0

In this blog, you can find some pointers on how to install the very latest syslog-ng version and learn how you can configure syslog-ng to use the OpenObserve JSON API: https://www.syslog-ng.com/community/b/blog/posts/version-4-5-0-of-syslog-ng-is-now-available-with-openobserve-json-api-support


openSUSE Tumbleweed – Review of the week 2023/47

Dear Tumbleweed users and hackers,

This has been a week filled with Tumbleweed snapshots. Six of them, to be precise (1116, 1117, 1119, 1120, 1121, and 1122). The most relevant changes that could be delivered this week include:

  • Linux kernel 6.6.2
  • btrfsprogs 6.6.2
  • fwupd 1.9.8 & 1.9.9
  • GStreamer 1.22.7
  • Node.JS 21.2.0
  • Pipewire 0.3.85
  • Poppler 23.11.0
  • LibreOffice 7.6.3.1
  • libxml 2.11.6
  • LLVM 17.0.5

Staging projects are far from full: only five out of 15 have anything in them, and 4 of them are not even expected to move at the moment. So keep those things coming! The relevant changes (including the non-moving stagings) are:

  • the package cnf-rs will be renamed to cnf (matching the command name)
  • PHP 8.2.13
  • libxml 2.12.0 in Staging:L – I can’t even start to list what is not building
  • Sudo/polkit changes with the introduction of a sudo/wheel group, to let users choose whether they want this over the way we have configured sudo so far (targetpw). The sudo submission is interfering on some level with toolbox (toolbox -r id fails to return the expected info so far)
  • c-ares 1.21.0: breaks nodejs
  • wxWidgets 3.2.3: breaks wxPython bindings
  • Testing of the two compiler flags -fcf-protection=full and -ftrivial-auto-var-init=pattern
  • RPM 4.19: no further progress made (user handling conflict between sysuser-tools and RPMs new implementation)
  • dbus-broker: no progress: openQA fails to even launch the network stack in the installer

Flatpak, OpenVPN, Bash update in Tumbleweed

This week has produced more than a few openSUSE Tumbleweed snapshots with a moderate download size for those who did a zypper dup.

Snapshot 20231122 is the latest to arrive for openSUSE’s rolling release users. An update of the firmware update daemon fwupd arrived in the snapshot; version 1.9.9 includes a new generic request feature that reports the device’s power cable status to improve power management, and adds support for specific hardware such as the Lenovo X1 Yoga Gen 7 530E. The update to git 2.43.0 brings a multitude of enhancements, including improvements to the --rfc option of git format-patch, better maintenance job scheduling, updated handling of authentication data in libsecret keyrings and more flexibility for aliases in the command-line completion scripts. The update of transactional-update 4.5.0 improves permission handling when creating overlays in libtukit, adds rollback support to the library, implements snapshot delete and rollback methods in tukitd and adds checks for missing arguments in tukit commands such as close and abort, alongside some code cleanup. A few more packages updated in the snapshot, such as xen 4.18.0_04 and the package installer python-pip 23.3.1, which resolves issues related to error handling, metadata normalization and handling of removed versions.

An update of openvpn 2.6.8 arrived in snapshot 20231121. The new version fixes a SIGSEGV crash triggered by an unsuccessful TLS handshake, a memory issue that led to freed memory being sent to the peer, and hard incompatibilities between client and server versions. The update removes certain obsolete features, adds warnings for specific configuration combinations and improves the build system for Windows platforms. A 17.0.5 update of llvm17 adjusted the testing of clang-tools-extra and the linker LLD while keeping the test adaptations consistent. The Linux kernel also updated in the snapshot: kernel-source 6.6.2 resolves multiple issues within the Wi-Fi subsystem, including RCU usage warnings, alongside other improvements across the kernel codebase. Several other packages updated in the snapshot including ImageMagick 7.1.1.21, yast2-trans and more.

While not having the most packages of the week, snapshot 20231120 was fairly sizable due to an update of libreoffice 7.6.3.1. The updated office suite fixes crashes, misaligned document layouts, errors in PDF export and the incorrect display of tables and text frames in .DOCX files; more in-depth information can be found in the LibreOffice changelog. The update of gnutls 3.8.2 resolves a timing side-channel vulnerability in the RSA-PSK key exchange, known as CVE-2023-5981. The library also introduces API functions for Elliptic Curve Diffie-Hellman and Diffie-Hellman key agreement. The update of the vector graphics editor inkscape 1.3.1 addresses more than 30 crashes and freezes, particularly affecting PDF import and Live Path Effects. The package provides two new features: the ability to split text into individual letters, and an option to disable snapping to grid lines. Gradient dithering is now also available. More than half a dozen other packages were updated in the snapshot.

Flatpak 1.15.6 and harfbuzz 8.3.0 both updated in snapshot 20231119. Version 8.3.0 of the text shaping engine adds a memory barrier to prevent potential segfaults and brings various fixes related to subsetting and instancing; an option of hb-subset has been renamed to --variations for consistency among the tools. Flatpak now requires bubblewrap 0.8.0 in distributions that build Flatpak separately. The package hardens sandboxing by setting user namespace limits and improves the handling of environment variables for subsandboxes started by flatpak-portal. gnome-bluetooth 42.7 fixes the Obex Push server automatically accepting files from paired devices, and the bluez-gnome fork fixes bugs causing inconsistencies between the device’s connection switch and the actual connection state. The update of webkit2gtk3 2.42.2 addresses a Content Security Policy regression that previously affected Unity WebGL applications. The package also resolves CVE-2023-41983 and CVE-2023-42852, where processing web content may have led to arbitrary code execution. A few other packages updated in the snapshot.

Snapshot 20231117 has several package updates. Bash 5.2.21 includes multiple upstream patches addressing issues such as an off-by-one error that caused command substitutions to fail within a here-document, cases where the shell incorrectly attempted to set the terminal’s process group back to the shell’s, and problems with returning tokens during syntax errors. An update of AppStream 0.16.4 introduces new features including allowing hyphens in the last segment of a component-ID and implementing the developer element for unique developer IDs. The update of bind 9.18.20 addresses issues such as the incorrect resigning of unsigned inline-signed zones containing DNSSEC records. Separately, Service Location Protocol has been disabled by default for openSUSE Factory and ALP due to bsc#1214884. Other packages updated in the snapshot were gstreamer 1.22.7, libgcrypt 1.10.3, libstorage-ng 4.5.157, nodejs21 21.2.0, pipewire 0.3.85, poppler 23.11.0 and several more.


Selecting the New Face of openSUSE is Underway

The openSUSE community’s logo contest submission phase is now complete and voting for the logos has begun.

This competition marks a pivotal moment for openSUSE and the voting goes until Dec. 10.

Before making any selections, people are encouraged to visit en.opensuse.org/Logocontest and view the logos before voting.

The number of submissions speaks volumes about the community’s enthusiasm and engagement with 18 submissions for Kalpa, 24 submissions for Slowroll, 21 submissions for Leap, 32 submissions for Tumbleweed and an impressive 36 submissions for a potential new openSUSE logo.

The submissions symbolize the collaborative spirit within open-source communities and showcase the diverse set of ideas and creativity from contributors around the world. Brand image can influence user perception and community engagement in open-source projects, and a big THANK YOU goes out to all the people who submitted a logo design.

While the project logo received several chameleon-inspired designs, the distribution submissions varied in concept and style. The intent of the competition was for the submitted logo designs to depict a unified brand for the openSUSE Project.

New openSUSE distribution logos like Leap Micro, Aeon, and MicroOS are designed with simple shapes and lines for uniqueness and interest, which were typically empty outlines. Some submissions did fulfill this design concept. It’s important to note that although Leap Micro, Aeon, and MicroOS are mentioned, new logos for these were not part of competition. However, these can be affected by a generalized theme.

The person doing the branding changes and maintenance has a say in any changes. The ultimate brand decision will rest with members of the project doing the implementation, but the results from this logo competition will provide an expressed opinion of the brand identity project wide.

Winners of the contest will be announced following the vote tally and will be sent a “Geeko Mystery Box” as a token of appreciation for their contributions.

Last month the community announced a logo competition for a new openSUSE logo as well as four openSUSE distributions; Tumbleweed, Leap, Slowroll and Kalpa.

Vote now at survey.opensuse.org.


Upgrade a PostgreSQL container to a new major version

PostgreSQL is a capable and mature database whose version number has a major and a minor part (e.g. 16.0). Minor releases never change the internal storage format, so the database always remains compatible with earlier and later minor releases. Major releases, however, come with no such guarantee. We are running a single PostgreSQL database as a podman container and I recently (today) had the glorious task of migrating this database to the next major version. In this blog post I describe how we did this migration.


hplip: Security Issues in hpps Program due to Fixed /tmp Path Usage

This report is about the problematic use of fixed temporary paths in the hpps program from the hplip project. Hplip is a collection of utilities for HP printer and scanner devices.

There is currently no upstream fix available for this issue and this publication happens after 90 days of attempted coordinated disclosure, but upstream did not react to my report.

Update 2024-01-04: I have been informed that upstream release 3.23.12 published on 2023-11-30 silently fixes this issue. The fix is based on the patch that I suggested in this report.

This report is based on the latest upstream release 3.23.8 of hplip.

The Issue

The program /usr/lib/cups/filter/hpps uses a number of insecure fixed temporary files that can be found in prnt/hpps/hppsfilter.c:

prnt/hpps/hppsfilter.c:1027:        sprintf(booklet_filename, "/tmp/%s.ps","booklet");
prnt/hpps/hppsfilter.c:1028:        sprintf(temp_filename, "/tmp/%s.ps","temp");
prnt/hpps/hppsfilter.c:1029:        sprintf(Nup_filename, "/tmp/%s.ps","NUP");

These paths are only used if “booklet printing” is enabled. For testing, the logic can be forced by invoking the program similar to this:

$ export PPD=/usr/share/cups/model/manufacturer-PPDs/hplip-plugin/hp-laserjet_1020.ppd.gz
$ /usr/lib/cups/filter/hpps some-job some-user some-title 10 HPBookletFilter=10,fitplot,Duplex=DuplexTumble,number-up=1

The program will expect data to print on stdin this way. Just typing in some random data and pressing Ctrl-d will make it continue. There is a chance that it will crash, though, since error returns from parsing errors are largely not checked in this program.

All three paths are created and opened with fopen(), so no open flags are in effect that would refuse to follow a symbolic link (O_NOFOLLOW), and O_EXCL is missing, so an existing file at the path is silently reused. The resulting system calls look like this (for creation / opening for reading):

openat(AT_FDCWD, "/tmp/temp.ps", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
openat(AT_FDCWD, "/tmp/temp.ps", O_RDONLY)

Furthermore there is a chmod() on the /tmp/temp.ps file:

hppsfilter.c:110 chmod(temp_filename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);

The data to print (from stdin) is written to this file, and the file is also made world readable explicitly via this chmod(). The problems with these paths are several:

  • There is a local information leak, since the print job data becomes visible to everybody on the system.
  • Data integrity is violated, since other users can pre-create these files and manipulate e.g. the data to print.
  • It may allow creating files in unexpected places by placing symbolic links, if the Linux kernel’s symlink protection (fs.protected_symlinks) is not active.
  • Similarly it may allow granting world read privileges to arbitrary files, since the chmod() follows symlinks as well.
  • It may allow further unspecified impact if crafted data is placed into /tmp/temp.ps, which is processed by the complex PS_Booklet() function.

I did not research the impact of the issue further to see whether this could lead to local code execution in the context of the user that is invoking hpps.

Suggested Patch

To fix this issue, all three fixed temporary paths need to be replaced by unpredictably named temporary files that are created safely. I authored a suggested patch that accomplishes this. The patch also drops the chmod(); its purpose is unclear, so it is possible that this breaks something if other processes running with different privileges need to access this file.

There is no patch or any other information available from upstream.
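To make the failure mode and the fix concrete, here is an added example (not hplip code, and not the suggested patch itself) that reduces the hppsfilter.c pattern described above to a few lines and compares it with the approach the patch takes: an unpredictable name created with O_CREAT|O_EXCL at mode 0600 and no chmod(). The scratch directory, the victim file, the planted symlink and the job data are all constructed for the demonstration. The scratch directory comes from mkdtemp(), so it is neither sticky nor world-writable and the kernel’s fs.protected_symlinks restriction does not apply there; in a real /tmp the same attack additionally requires that protection to be off or the link to be owned by the victim’s uid.

```c
/* Added example: reproduces the hppsfilter.c temp-file pattern and its fix.
 * Not hplip code. Paths, file names and job data are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The reduced pattern from hppsfilter.c: fixed path, fopen(), then chmod().
 * fopen("w") becomes open(O_WRONLY|O_CREAT|O_TRUNC, 0666): it follows a
 * symlink at the path and reuses whatever already exists there. */
static int vulnerable_write(const char *fixed_path, const char *job) {
    FILE *f = fopen(fixed_path, "w");
    if (!f) return -1;
    fputs(job, f);
    fclose(f);
    /* chmod() follows symlinks too: whatever the link points at becomes world-readable. */
    return chmod(fixed_path, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
}

/* Hardened form: unpredictable name, created with O_CREAT|O_EXCL at mode 0600
 * by mkstemp(); no chmod(), so the job data stays private to the invoking user. */
static int hardened_write(char *tmpl, const char *job) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "w");
    if (!f) { close(fd); return -1; }
    fputs(job, f);
    return fclose(f);
}

/* Fixture: a private scratch directory (0700, not sticky) holding a victim
 * file (0600) and an attacker-planted symlink at the "fixed" path. */
static int make_fixture(char *dir, char *victim, char *fixed, size_t n) {
    char tmpl[] = "/tmp/hpps-demo.XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    snprintf(dir, n, "%s", tmpl);
    snprintf(victim, n, "%s/victim.txt", dir);
    snprintf(fixed, n, "%s/temp.ps", dir);
    FILE *v = fopen(victim, "w");
    if (!v) return -1;
    fputs("victim original content\n", v);
    fclose(v);
    if (chmod(victim, S_IRUSR | S_IWUSR) != 0) return -1;
    return symlink(victim, fixed);
}

static int read_small(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (int)got;
}

/* Returns 1 if the job data overwrote the victim through the symlink AND the
 * victim became world-readable: two of the advisory's bullet points at once. */
int demo_vulnerable(void) {
    char dir[128], victim[128], fixed[128], buf[64];
    struct stat st;
    if (make_fixture(dir, victim, fixed, sizeof victim) != 0) return -1;
    if (vulnerable_write(fixed, "print job data\n") != 0) return -1;
    if (read_small(victim, buf, sizeof buf) < 0 || stat(victim, &st) != 0) return -1;
    return strcmp(buf, "print job data\n") == 0 && (st.st_mode & S_IROTH) != 0;
}

/* Returns 1 if O_EXCL|O_NOFOLLOW refuses the planted link, mkstemp() produces a
 * 0600 file, and the victim is left untouched and still private. */
int demo_hardened(void) {
    char dir[128], victim[128], fixed[128], tmpl[128], buf[64];
    struct stat st;
    if (make_fixture(dir, victim, fixed, sizeof victim) != 0) return -1;
    /* Even with the fixed name kept, O_CREAT|O_EXCL fails with EEXIST on an
     * existing symlink (dangling or not), and O_NOFOLLOW never dereferences one. */
    int fd = open(fixed, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) { close(fd); return 0; }
    if (errno != EEXIST) return -1;
    /* mkstemp() picks a name the attacker could not have predicted or pre-created. */
    snprintf(tmpl, sizeof tmpl, "%s/hpps.XXXXXX", dir);
    if (hardened_write(tmpl, "print job data\n") != 0) return -1;
    if (stat(tmpl, &st) != 0 || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) return 0;
    if (read_small(victim, buf, sizeof buf) < 0 || stat(victim, &st) != 0) return -1;
    return strcmp(buf, "victim original content\n") == 0 && (st.st_mode & S_IROTH) == 0;
}

int main(void) {
    printf("fixed path + fopen() + chmod(): victim clobbered and exposed = %d\n", demo_vulnerable());
    printf("O_EXCL|O_NOFOLLOW / mkstemp(): attack refused, job data private = %d\n", demo_hardened());
    return 0;
}
```

Both demo functions return 1 when run as a single user. The first shows that the fixed path is not only a leak but a write primitive into any file the attacker can point a symlink at; the second shows that the O_EXCL failure is the right outcome (the program should abort, not fall back), and that with mkstemp() there is no predictable name to race in the first place.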

Affectedness

Since, to my knowledge, there is no public version control system for hplip, it is difficult to determine when this issue was introduced. By taking some samples from older SUSE distributions I found the issue to be present at least since upstream release 3.19.12 from 2019-12-12.

CVE Assignment

Since HP is a CVE CNA, it is itself responsible for assigning a CVE. Since there is no reaction from upstream I don’t know if or when CVEs will be available.

Timeline

2023-08-21 I reported the finding privately to upstream via Launchpad, offering coordinated disclosure. No other means of contact are documented for hplip.
2023-09-05 Since I did not get any feedback yet I urged upstream via Launchpad to provide a response.
2023-10-04 I shared the suggested patch with upstream, still no response.
2023-11-17 The 90 days maximum embargo time we offer approached and we published the finding.
2024-01-04 I got informed that upstream silently fixed the issue on 2023-11-30 in release 3.23.12.



Submit a Presentation for the openSUSE Conference

The time has arrived for people to begin submitting talks for openSUSE Conference 2024.

This year’s conference theme is: Evaluating the Future: Where Are We Going?

The theme sets the stage for exploring the evolving landscape of technology and open-source innovation. We invite those people submitting a talk for this year’s conference to delve into talks that will inspire thought-provoking discussions, analyses and predictions about the future trajectory of open-source development, emerging technologies, the openSUSE project and more.

Until April 15, people can submit proposals for a talk or workshop to share insights and their expertise.

The conference is scheduled to take place June 27 to 29 in Nuremberg, Germany.

Presentations can be submitted for the following lengths:

  • Lightning Talk (10 mins)
  • Virtual Lightning Talk (10 mins)
  • Short Talk (30 mins)
  • Virtual Talk (30 mins)
  • Long Talk (45 mins)
  • Workshop (1 hour)

The following tracks are listed for the conference:

  • Cloud and Containers
  • Community
  • Embedded Systems and Edge Computing
  • New Technologies
  • Open Source
  • openSUSE

Speakers are encouraged to submit proposals that align with this year’s theme.

Topics under this theme might include:

  • Futuristic Trends: Predictions and insights into upcoming technological trends shaping open-source landscapes.
  • Ethical Tech: Discussions on the ethical implications of technological advancements and how open-source communities can navigate them.
  • Innovation and Disruption: Exploring how innovation drives disruptions and reshapes industries within the open-source ecosystem.
  • Sustainability and Accessibility: Evaluating how open-source technologies contribute to sustainable and accessible solutions for the future.
  • Emerging Challenges: Addressing challenges and obstacles that might hinder the progress of open-source development in the coming years.
  • Collaborative Futures: Assessing the role of collaboration and community-driven efforts in shaping the future of open-source projects.

Volunteers who would like to help the Program Committee and/or the Organizing Team can email ddemaio@opensuse.org or attend normally scheduled community meetings.

Conferences need sponsors to keep community-driven events free and open to new contributing members; companies can find sponsorship information on the project’s wiki page.


The Road to openSUSE Board Elections is Open

The openSUSE community began the process for openSUSE Board Elections 2023. The process is a celebration of community involvement and a cornerstone of our open-source spirit.

The elections are structured into three distinct phases, each playing a crucial role in selecting dedicated leaders to steer the project’s future.

Phase 0: Setting the Stage

Phase 0, which started Nov. 15, marks the initiation of the Board Election process. This period serves as the Call for Nominations and Applications for Board candidacy. Individuals interested in running for the openSUSE Board are urged to step forward, mindful of the significant two-year commitment required for the role. Candidates must be openSUSE members, and the Election Committee ensures a fair process by prohibiting committee officials from standing for election to avoid conflicts of interest. This process runs until Nov. 30.

Phase 1: Campaign and Awareness

Following the closure of the announcement process, Phase 1 starts on Dec. 1. This stage sparks the campaign period where candidates showcase their vision, plans, and aspirations for openSUSE. The community becomes the focal point of the campaigners.

Phase 2: Voting Time

Transitioning into Phase 2 on Dec. 15, the community takes center stage in influencing the project’s direction. Ballots open, allowing eligible members to cast their votes via a secure electronic system. Each vote is crucial and shapes the leadership that will guide openSUSE in the upcoming years. There are two seats available for this year’s board.

For any inquiries or clarifications, individuals can reach out to the committee at election-officials@opensuse.org.

By actively participating in the openSUSE Board Elections 2023, every member contributes to the shared vision of a stronger, more resilient open-source community.

The countdown has begun and we look forward to reading the announcements from the new candidates on the openSUSE Project mailing list.


openSUSE.Asia Summit 2024: Call for Host

The openSUSE.Asia Summit is an annual openSUSE conference in Asia and a great opportunity where contributors and enthusiasts from Asia come together and meet face to face. The event focuses primarily on the openSUSE distribution, its applications for personal and enterprise use, and open source culture.

In 2023, we held an offline openSUSE Asia Summit from October 21-22 at Chongqing University of Posts and Telecommunications.

We are now calling for hosts: anyone interested in hosting the openSUSE.Asia Summit 2024 is invited to apply.

Here are the dates to note:

  • March 4: Deadline of application
  • March 31: Announcement of the next host

openSUSE:Asia Summit Tips for Organizers at: https://en.opensuse.org/openSUSE:Asia_Summit_Tips_for_Organizers

Please refer to it before writing your proposal.

How to Submit?

Please send your proposal by email to both opensuse-summit@opensuse.org and opensuseasia-summit@googlegroups.com. Proposal should contain:

  • Venue and capacity (we prefer using a campus building, but any alternative can be discussed later)
  • How to reach your city and venue
  • Budget Estimation
    • Conference Venue
    • T-shirt
    • Tea break, Lunch, Dinner, Conference Tour, etc.
  • Introduction to your community who will organize the summit

Please help to spread the word; we are looking forward to hearing from you soon!

Further information about openSUSE.Asia Summit is available at: https://en.opensuse.org/Portal:Asia_Summit