

Music of the week: church organ and drums

In the first part of my music recommendation blog series I mentioned that many people turn to me for some less mainstream music. For quite a long time I thought that listening to cellos playing metal is already something niche. Then it turned out that many people around me love this kind of music. Recently I found something really niche: church organ and drums :-)

I love the sound of the church organ. I listened to this instrument a lot as a kid, and I could not get bored of it. I often hear the church organ playing together with drums and several other instruments in contemporary music, and I love it. However, it has never been just the organ and the drums. I have some mixed feelings here: listening to 3-4 songs with just drums and a church organ is fun. But that’s my limit. So, here I show you three songs.

The first song I ever listened to was Drumorg playing Popcorn. It is a fun arrangement, and probably the only one in this post that most other people also find nice:

TIDAL: https://listen.tidal.com/album/114460337/track/114460341

The next song is a lot more divisive. Many consider it blasphemy: playing the single best known church organ piece with drums. Others consider it fantastic and listen to it often. The first time I heard it was when someone demonstrated a new pair of self-built speakers to me. At that time the speakers were far from perfect; however, I listened to the music at home, and I liked it:

I was curious whether anyone else combines these two instruments. I found one more, the Symphonic Rock Duo, but that was all:

TIDAL: https://listen.tidal.com/artist/18467717

I hope I did not scare you away with this music from my blog series! :-) See you next week!


Post-mortem: Service Degradation in the Notifications System

Absence of Notifications on the 27th of November

On November 27th, OBS users did not receive any notification from the system for more than three hours. Here is what caused the problem.

Date: 27.11.2023
Impact: Users and groups did not receive any RSS, web or email notification from OBS for more than three hours.
Root Causes: After the deployment of this line of code, the delayed job that creates notifications based on the latest events...


Major Versions of PipeWire, Firefox arrive in Tumbleweed

Rolling release users of openSUSE Tumbleweed who did a zypper dup on or after Monday will have a couple of new major version updates.

El Presidente made an appearance in snapshot 20231127 when the red carpet was rolled out for PipeWire; its 1.0 major version, also known as “El Presidente,” brings significant enhancements and numerous fixes like resolving memory management issues related to memfd and dma-buf leaks during buffer uploads. This audio and video package for Linux introduces improvements in time reporting for Advanced Linux Sound Architecture interrupt requests, which results in reduced timing deviations. Documentation was enhanced and improvements were made to Bluetooth codecs, which introduces the [LC3 codec](https://en.wikipedia.org/wiki/LC3_(codec)); this is the successor to the SBC codec.

Mozilla Firefox also had a major version update and took care of more than a handful of Common Vulnerabilities and Exposures. Its 120.0 version addresses several security vulnerabilities. CVE-2023-6204, which made a leak of memory data possible, was fixed, and CVE-2023-6213, which showed evidence of memory corruption that could presumably have been exploited to run arbitrary code, was also fixed.

The tool to query connected USB devices, usbutils, had version 017 resolve issues like displaying entries for devices with no interfaces and improving the power/wakeup display via lsusb.py. The changes also ensure better adherence to the system libdir and includedir along with various other optimizations. The snapshot had icewm 3.4.4. The X window manager expands image format support for TIFF, WEBP, JXL, JP2, RAW, SVG, and TGA in icewmbg. The package has crash fixes, improves color interpretation for themes and provides a more stable and feature-rich user experience. The package for conversion between Traditional Chinese, Simplified Chinese and Japanese Kanji (Shinjitai), opencc, updates to 1.1.7 in the snapshot. It adds support for Python 3.12 and Node.js 20. A few other packages update in the snapshot along with transmission 4.0.4, which resolves issues such as metadata transmission to peers, memory allocation, file renaming collisions, and locale errors affecting number rounding in the statistics display.

While snapshot 20231126 had no red carpet treatment for a new president, php8 8.2.13 arrived in the snapshot and demanded attention. The update resolves issues like double-free occurrences and incorrect behavior in various components like Opcache, OpenSSL, XMLReader and more. The update addresses error handling and potential crashes. An update of selinux-policy 20231124 fixes Bugzilla issue bsc#1216903, which involves an error message indicating a permission denied error when attempting to apply firewall rules. The update of libbpf 1.3.0 brings support for netfilter and introduces new section definitions, utility macros and extended functionality for working with ring buffers. An update of libsolv 0.7.27 introduces zstd support for the installcheck tool, enhances compression capabilities, and implements the putinowndirpool cache. This new cache significantly accelerates file list handling within the repo_write function to enhance overall performance. A couple of other packages were updated in the snapshot.

Just two packages were updated in snapshot 20231124. The new version of kernel-firmware-nvidia-gspx-G06 545.29.06 improves compatibility and functionality for a kernel module driver, and another NVIDIA signing package was also updated in the snapshot.


Introducing Build Status Refresh and Other Insights on Our Request Page

In our latest iteration towards an even more user-friendly experience, we’re excited to share three key enhancements to our Request page. Get ready for a smoother and more informative ride! We started the redesign of the request workflow in August 2022. Then, in September 2022, we focused on the support of multi-action submit requests. We continued in October 2022 with improvements regarding the Build Results tab and superseded conversations, and we presented build results with...


Version 4.5.0 of syslog-ng is now available with OpenObserve JSON API support

Recently, syslog-ng 4.5.0 was released with many new features. These include sending logs to OpenObserve using its JSON API, support for Google Pub/Sub, a new macro describing message transport mechanisms like RFC 3164 + TCP, an SSL option to ignore validity periods, and many more. You can find a full list of new features and bug fixes in the release notes at: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.5.0

In this blog, you can find some pointers on how to install the very latest syslog-ng version and learn how you can configure syslog-ng to use the OpenObserve JSON API: https://www.syslog-ng.com/community/b/blog/posts/version-4-5-0-of-syslog-ng-is-now-available-with-openobserve-json-api-support



openSUSE Tumbleweed – Review of the week 2023/47

Dear Tumbleweed users and hackers,

This has been a week filled with Tumbleweed snapshots. Six of them, to be precise (1116, 1117, 1119, 1120, 1121, and 1122). The most relevant changes that could be delivered this week include:

  • Linux kernel 6.6.2
  • btrfsprogs 6.6.2
  • fwupd 1.9.8 & 1.9.9
  • GStreamer 1.22.7
  • Node.JS 21.2.0
  • Pipewire 0.3.85
  • Poppler 23.11.0
  • LibreOffice 7.6.3.1
  • libxml 2.11.6
  • LLVM 17.0.5

Staging projects are far from full: only five out of 15 have anything in them, and 4 of them are not even expected to move at the moment. So keep those things coming! The relevant changes (including the non-moving stagings) are:

  • the package cnf-rs will be renamed to cnf (matching the command name)
  • PHP 8.2.13
  • libxml 2.12.0 in Staging:L – I can’t even start to list what is not building
  • Sudo/polkit changes with the introduction of a sudo/wheel group to allow the user to choose if they want to use this over the way we configured sudo so far (targetpw). The sudo submission is interfering on some level with toolbox (toolbox -r id fails to return the expected info so far)
  • c-ares 1.21.0: breaks nodejs
  • wxWidgets 3.2.3: breaks wxPython bindings
  • Testing of the two compiler flags -fcf-protection=full and -ftrivial-auto-var-init=pattern
  • RPM 4.19: no further progress made (user handling conflict between sysuser-tools and RPMs new implementation)
  • dbus-broker: no progress: openQA fails to even launch the network stack in the installer

Flatpak, OpenVPN, Bash update in Tumbleweed

This week has produced more than a few openSUSE Tumbleweed snapshots with a moderate downloaded size of packages for those who did a zypper dup.

Snapshot 20231122 is the latest to arrive for openSUSE’s rolling release users. An update of the super-thin layer on the DBus interface, fwupd, arrived in the snapshot; the 1.9.9 version includes a new generic request feature that identifies the device power cable status to enhance devices’ power management capabilities. The package also incorporates support for specific hardware like the Lenovo X1 Yoga Gen 7 530E. The update of git 2.43.0 had a multitude of enhancements, which include improvements in handling the --rfc option within git format-patch; the package also enhances maintenance job schedules, updates handling of authentication data in libsecret keyrings and adds flexibility for aliases in command-line completion scripts. The update of transactional-update 4.5.0 improves handling of permissions when creating overlays in libtukit, introduces support for rollback via the library, implements snapshot delete and rollback methods in tukitd and adds checks for missing arguments in tukit commands like close and abort. There was also some code cleanup for the software package. A few more packages updated in the snapshot like xen 4.18.0_04 and the package installer python-pip 23.3.1, which resolves issues related to error handling, metadata normalization, and handling of removed versions.

An update of openvpn 2.6.8 arrived in snapshot 20231121. The new version fixes issues such as a SIGSEGV crash caused by an unsuccessful TLS handshake that had memory issues leading to sending freed memory to the peer, and fixes hard incompatibilities between client and server versions. The update removes certain obsolete features, adds warnings for specific configuration combinations and introduces improvements to the build systems for Windows platforms. A 17.0.5 update of llvm17 made adjustments for testing clang-tools-extra and the linker LLD components while maintaining consistency in test adaptations. The Linux kernel also updates in the snapshot as kernel-source updates to version 6.6.2 and resolves multiple issues within the Wi-Fi subsystem, including RCU usage warnings and other improvements across the kernel codebase. Several other packages updated in the snapshot including ImageMagick 7.1.1.21, yast2-trans and more.

While not having the most packages of the week, snapshot 20231120 was fairly sizable due to an update of libreoffice 7.6.3.1. The updated office suite version fixes crash occurrences, misalignments in document layout, errors in the PDF export and the incorrect display of tables and text frames in .DOCX files. More in-depth information can be found in the LibreOffice changelog. The update of gnutls 3.8.2 resolves a timing side-channel vulnerability within the RSA-PSK key exchange that was known as CVE-2023-5981. The library also introduces API functions enabling Elliptic Curve Diffie-Hellman and Diffie-Hellman key agreement. The update of the image editor inkscape 1.3.1 addresses more than 30 crashes and freezes, which particularly impacted PDF import and Live Path Effects. The package provides two new features; the first is the ability to split text into individual letters while the other allows disabling snapping to grid lines. Gradient dithering is now also available. More than half a dozen other packages were updated in the snapshot.

Flatpak 1.15.6 and harfbuzz 8.3.0 both updated in snapshot 20231119. The 8.3.0 version of the text shaping engine enhances the memory barrier to prevent potential segfaults and brings various fixes related to subsetting and instancing. An hb-subset command-line option has been renamed to --variations for consistency among tools. Flatpak mandates a requirement for bubblewrap version 0.8.0 in distributions that compile Flatpak separately. The package enhances security by setting user namespace limits and improves the handling of environment variables for subsandboxes initiated by flatpak-portal. The gnome-bluetooth 42.7 update resolves issues related to the Obex Push server’s automatic acceptance of files from paired devices. The bluez-gnome fork tackles bugs causing inconsistencies between the device’s connection switch appearance and the actual connection state. The update of webkit2gtk3 2.42.2 addresses a Content Security Policy regression that previously impacted Unity WebGL applications. The package also resolves CVE-2023-41983 and CVE-2023-42852, where processing web content may have led to arbitrary code execution. A few other packages updated in the snapshot.

Snapshot 20231117 has several package updates. Bash 5.2.21 includes multiple upstream patches to address various issues like an off-by-one error causing command substitutions to fail within a here-document. The package fixes cases where the shell incorrectly attempted to set the terminal’s process group back to the shell’s and also fixes problems related to returning tokens during syntax errors. An update of AppStream 0.16.4 introduces new features including allowing hyphens in the last segment of a component-ID and the implementation of the developer element for unique developer IDs. The update of bind 9.18.20 addresses issues such as incorrect resigning of unsigned inline-signed zones containing DNSSEC records, and Service Location Protocol has been disabled by default for openSUSE Factory and ALP due to bsc#1214884. Other packages to update in the snapshot were gstreamer 1.22.7, libcrypt 1.10.3, libstorage-ng 4.5.157, nodejs21 21.2.0, pipewire 0.3.85, poppler 23.11.0 and several more.


Selecting the New Face of openSUSE is Underway

The openSUSE community’s logo contest submission phase is now complete and voting for the logos has begun.

This competition marks a pivotal moment for openSUSE and the voting goes until Dec. 10.

Before making any selections, people are encouraged to visit en.opensuse.org/Logocontest and view the logos before voting.

The number of submissions speaks volumes about the community’s enthusiasm and engagement with 18 submissions for Kalpa, 24 submissions for Slowroll, 21 submissions for Leap, 32 submissions for Tumbleweed and an impressive 36 submissions for a potential new openSUSE logo.

The submissions symbolize the collaborative spirit within open-source communities and showcase the diverse set of ideas and creativity from contributors around the world. Brand image can influence user perception and community engagement in open-source projects, and a big THANK YOU goes out to all the people who submitted a logo design.

While the project had several chameleon-inspired designs, the distribution’s submissions varied in concepts and styles. The intent of the competition was to have the submitted logo designs depict a unified brand for the openSUSE Project.

New openSUSE distribution logos like Leap Micro, Aeon, and MicroOS are designed with simple shapes and lines for uniqueness and interest, typically as empty outlines. Some submissions did fulfill this design concept. It’s important to note that although Leap Micro, Aeon, and MicroOS are mentioned, new logos for these were not part of the competition. However, they can be affected by a generalized theme.

The person doing the branding changes and maintenance has a say in any changes. The ultimate brand decision will rest with members of the project doing the implementation, but the results from this logo competition will provide an expressed opinion of the brand identity project wide.

Winners of the contest will be announced following the vote tally and will be sent a “Geeko Mystery Box” as a token of appreciation for their contributions.

Last month the community announced a logo competition for a new openSUSE logo as well as four openSUSE distributions; Tumbleweed, Leap, Slowroll and Kalpa.

Vote now at survey.opensuse.org.


Upgrade a PostgreSQL container to a new major version

PostgreSQL is a capable and mature database whose version number consists of a major and a minor part (e.g. 16.0). Minor releases never change the internal storage format, so the database always remains compatible with earlier and later minor releases. However, major version releases do not have such a guarantee. We are running a single PostgreSQL database as a podman container and I recently (today) had the glorious task of migrating this database to the next major version. In this blog post I describe how we did this migration.


hplip: Security Issues in hpps Program due to Fixed /tmp Path Usage

This report is about the problematic use of fixed temporary paths in the hpps program from the hplip project. Hplip is a collection of utilities for HP printer and scanner devices.

There is currently no upstream fix available for this issue and this publication happens after 90 days of attempted coordinated disclosure, but upstream did not react to my report.

Update 2024-01-04: I have been informed that upstream release 3.23.12 published on 2023-11-30 silently fixes this issue. The fix is based on the patch that I suggested in this report.

This report is based on the latest upstream release 3.23.8 of hplip.

The Issue

The program /usr/lib/cups/filter/hpps uses a number of insecure fixed temporary files that can be found in prnt/hpps/hppsfilter.c:

prnt/hpps/hppsfilter.c:1027:        sprintf(booklet_filename, "/tmp/%s.ps","booklet");
prnt/hpps/hppsfilter.c:1028:        sprintf(temp_filename, "/tmp/%s.ps","temp");
prnt/hpps/hppsfilter.c:1029:        sprintf(Nup_filename, "/tmp/%s.ps","NUP");

These paths are only used if “booklet printing” is enabled. For testing, the logic can be forced by invoking the program similar to this:

$ export PPD=/usr/share/cups/model/manufacturer-PPDs/hplip-plugin/hp-laserjet_1020.ppd.gz
$ /usr/lib/cups/filter/hpps some-job some-user some-title 10 HPBookletFilter=10,fitplot,Duplex=DuplexTumble,number-up=1

The program will expect data to print on stdin this way. Just typing in some random data and pressing Ctrl-d will make it continue. There is a chance that it will crash, though, since error returns from parsing errors are largely not checked in this program.

The three paths are created and opened using fopen(), so no special open flags are in effect that would prevent following symlinks; the O_EXCL flag, which would prevent opening existing files, is also missing. The resulting system calls look like this (for creation / opening for reading):

openat(AT_FDCWD, "/tmp/temp.ps", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
openat(AT_FDCWD, "/tmp/temp.ps", O_RDONLY)

Furthermore there is a chmod() on the /tmp/temp.ps file:

hppsfilter.c:110 chmod(temp_filename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);

The data to print (from stdin) is written to this file, and the file is also made world readable explicitly via this chmod(). The issues with these paths are manifold:

  • There is a local information leak, since the print job data will become visible to everybody in the system.
  • There is violated data integrity, since other users can pre-create these files and manipulate e.g. the data to print.
  • This may allow creating files in unexpected places by placing symbolic links, if the Linux kernel’s symlink protection is not active.
  • Similarly, it may allow granting world read privileges to arbitrary files by following symlinks during the chmod().
  • It may allow further unspecified impact if crafted data is placed into /tmp/temp.ps which is processed by the complex PS_Booklet() function.

I did not research the impact of the issue further to see whether this could lead to local code execution in the context of the user that is invoking hpps.

Suggested Patch

To fix this issue all three fixed temporary paths need to be replaced by unpredictably named temporary files that are safely created. I authored a suggested patch that accomplishes this. This patch also drops the chmod(). Its purpose is unclear, so it is possible that this breaks something if other processes with different privileges need to access this file.

There is no patch or any other information available from upstream.

Affectedness

Since, to my knowledge, there is no public version control system for hplip, it is difficult to determine when this issue has been introduced. By taking some samples from older SUSE distributions I found the issue to be present at least since upstream release 3.19.12 from 2019-12-12.

CVE Assignment

Since HP is a CVE CNA, it is itself responsible for assigning a CVE. Since there is no reaction from upstream I don’t know if or when CVEs will be available.

Timeline

2023-08-21 I reported the finding privately to upstream via Launchpad, offering coordinated disclosure. No other means of contact are documented for hplip.
2023-09-05 Since I did not get any feedback yet I urged upstream via Launchpad to provide a response.
2023-10-04 I shared the suggested patch with upstream, still no response.
2023-11-17 The 90-day maximum embargo time we offer approached and we published the finding.
2024-01-04 I got informed that upstream silently fixed the issue on 2023-11-30 in release 3.23.12.

References