Dear Tumbleweed users and hackers,

This has been a week filled with Tumbleweed snapshots. Six of them, to be precise (1116, 1117, 1119, 1120, 1121, and 1122). The most relevant changes that could be delivered this week include:

• Linux kernel 6.6.2
• btrfsprogs 6.6.2
• fwupd 1.9.8 & 1.9.9
• GStreamer 1.22.7
• Node.JS 21.2.0
• Pipewire 0.3.85
• Poppler 23.11.0
• LibreOffice 7.6.3.1
• libxml 2.11.6
• LLVM 17.0.5

Staging projects are far from full: only five out of 15 have anything in them, and 4 of them are not even expected to move at the moment. So keep those things coming! The relevant changes (including the non-moving stagings) are:

• the package cnf-rs will be renamed to cnf (matching the command name)
• PHP 8.2.13
• libxml 2.12.0 in Staging:L – I can’t even start to list what is not building
• Sudo/polkit changes with the introduction of a sudo/wheel group to allow the user to choose if they want to use this over the way we configured sudo so far (targetpw). The sudo submission is interfering on some level with toolbox (toolbox -r id fails to return the expected info so far)
• c-ares 1.21.0: breaks nodejs
• wxWidgets 3.2.3: breaks wxPython bindings
• Testing of the two compiler flags -fcf-protection=full and -ftrivial-auto-var-init=pattern
• RPM 4.19: no further progress made (user handling conflict between sysuser-tools and RPMs new implementation)
• dbus-broker: no progress: openQA fails to even launch the network stack in the installer

Otro mes que apuro para publiar esta típica entrada. Sigo la iniciativa #viernesdeescritorio con una nueva captura, con la que llegaré a casi dos años seguidos compartiendo «Mi escritorio» de forma mensual, una mirada a la intimidad de mi entorno de trabajo. De esta forma, bienvenidos a mi escritorio Plasma de noviembre 2023, el décimosegundo del año (por la ración doble de febrero) que sigue destacando por su simplicidad.

Mi escritorio Plasma de noviembre 2023 #viernesdeescritorio

Esta va a ser la cuadragésimosegunda (42 para los que nos cuesta leer esto) vez que muestro mi escritorio Plasma 5 en público, lo cual es número nada desdeñable de entradas que sigue creciendo de forma constante. Hice un recopilatorio con los 12 escritorios del 2022 y tengo pendiente seguir con otros, para finalizar con una entrada que los recopile todos… pero eso será en un futuro.

En esta ocasión sigo en mi equipo de sobremesa que es el que má utilizo estas últimas semanas, un Slimbook Kymera AMD el cual tiene instalado un KDE Neon 22.04 actualizado Plasma 5.27.9 con KDE Frameworks 5.111 y versión 5.15.11 de las Qt siendo mi sistema gráfico Waylando, dejando atrás ya (por fin) X11. Solo puedo decir que todo me funciona bien ejecutando incluso juegos por Protón, en Linux sí se puede jugar.

Sigo con el tema global Edna, del gran Jomada el cual ya ha aparecido muchas veces en el blog, aunque he vuelto a la barra clásica inferior ya que he tenido algún que otro problema con alguna que otra aplciación. He cambiado el fondo ya que estoy con un proyecto ambientado en el mundo de los superhéroes Marvel y siempre me ha parecido muy interesante el Spider-man 2099 desde que los crearan Peter David como guionista y Rick Leonardi como dibujante allá por los años 90.

Los iconos son los Kora que quedan muy en temas oscuros. Respecto a plasmoides tengo solo uno: Clock Asitoki, un plasmoide que me muestra la hora y día en el fondo de escritorio.

El resultado de mi escritorio Plasma de octubre de 2023 es un entorno de trabajo oscuro y, como siempre, funcional que podéis ver en la imagen inferior (pinchad sobre ella para verlo un poco más grande).

La entrada Mi escritorio Plasma de noviembre 2023 #viernesdeescritorio se publicó primero en KDE Blog.

This week has produced more than a few openSUSE Tumbleweed snapshots with a moderate downloaded size of packages for those who did a zypper dup.

Snapshot 20231122 is the latest to arrive for openSUSE’s rolling release users. An update of the super-thin layer on the DBus interface, fwupd, arrived in the snapshot; the 1.9.9 version includes a new generic request feature that identifies the device power cable status to enhance devices’ power management capabilities. The package also incorporates support for specific hardware like the Lenovo X1 Yoga Gen 7 530E. The update of git 2.43.0 had a multitude of enhancements, which includes improvements in handling the --rfc option within git format-patch and the package enhances maintenance job schedules, updates handling of authentication data in libsecret keyrings and adds flexibility for aliases in command-line completion scripts. The update of transactional-update 4.5.0 improves handling of permissions when creating overlays in libtukit, introduces support for rollback via the library, implements snapshot delete and rollback methods in tukitd and adding checks for missing arguments in tukit commands like close and abort. There was also some code cleanup for the software package. A few more packages updated in the snapshot like xen 4.18.0_04 and package installer python-pip 23.3.1, which resolves issues related to error handling, metadata normalization, and handling of removed versions.

An update of openvpn 2.6.8 arrived in snapshot 20231121. The new version fixes issues such as a SIGSEGV crash caused by an unsuccessful TLS handshake that had memory issues leading to sending freed memory to the peer and fixes hard incompatibilities between client and server versions. The update removes certain obsolete features, adds warnings for specific configuration combinations and introduces improvements to the build systems for Windows platforms. A 17.0.5 update of llvm17 made adjustments for testing clang-tools-extra and liker LLD components while maintaining consistency in test adaptations. The Linux Kernel also updates in the snapshot as kernel-source updates to version 6.6.2 and resolves multiple issues within the Wi-Fi subsystem, including RCU usage warnings and other improvements across the kernel codebase. Several other packages updated in the snapshot including ImageMagick 7.1.1.21, yast2-trans and more.

While not having the most packages of the week, snapshot 20231120 was fairly sizable due to an update of libreoffice 7.6.3.1. The updated office suite version fixes crash occurrences, misalignments in document layout, errors in the PDF export and the incorrect display of tables and text frames in .DOCX files. For more in-depth information can be found in the LibreOffice changelog. The update of gnutls 3.8.2 resolves a timing side-channel vulnerability within the RSA-PSK key exchange that was known as CVE-2023-5981. The utility also introduces Application Programming Interfaces functions enabling Elliptic Curve Diffie-Hellman and Diffie–Hellman key protocol agreement. The update of image editor inkscape 1.3.1 addresses more than 30 crashes and freezes, which particularly impacts PDF import and Live Path Effects. The package provides two new features; the first is the ability to split text into individual letters while the other new feature allows for a disablement of snapping to grid lines. Gradient dithering is now also available. More than half a dozen other packages were updated in the snapshot.

Flatpak 1.15.6 and harfbuzz 8.3.0 both updated in snapshot 20231119. The 8.3.0 version of the text shaping engine enhances the memory barrier to prevent potential segfaults and various fixes related to subsetting and instancing. The option name hb-subset has been renamed to --variations for consistency among tools. Flatpak mandates a requirement for bubblewrap version 0.8.0 in distributions that compile Flatpak separately.The package enhances security by setting user namespace limits and improves the handling of environment variables for subsandboxes initiated by flatpak-portal. The gnome-bluetooth 42.7 resolves issues related to the Obex Push server’s automatic acceptance of files from paired devices. The bluez-gnome fork tackles bugs causing inconsistencies between the device’s connection switch appearance and the actual connection state. The update of webkit2gtk3 2.42.2 addresses a Content Security Policy regression that previously impacted Unity WebGL applications. The package also resolves CVE-2023-41983 and CVE-2023-42852, which allowed for the processing of web content that may have led to arbitrary code execution. A few other packages updated in the snapshot.

Snapshot 20231117 has several package update. Bash 5.2.21 includes multiple upstream patches to address various issues like resolving an off-by-one error causing command substitutions to fail within a here-document. The package fixes cases where the shell incorrectly attempted to set the terminal’s process group back to the shell’s and also fixes for problems related to returning tokens during syntax errors. An update of AppStream 0.16.4 introduces new features including the allowance of hyphens in the last segment of a component-ID and the implementation of the developer element for unique developer IDs. The update of bind 9.18.20 addresses issues such as incorrect resigning of unsigned inline-signed zones containing DNSSEC records and Service Location Protocol has been disabled by default for openSUSE Factory and ALP due to bsc#1214884. Other packages to update in the snapshot were gstreamer 1.22.7, libcrypt 1.10.3, libstorage-ng 4.5.157, nodejs21 21.2.0, pipewire 0.3.85, poppler 23.11.0 and several more.

The openSUSE community’s logo contest submission phase is now complete and voting for the logos has begun.

This competition marks a pivotal moment for openSUSE and the voting goes until Dec. 10.

Before making any selections, people are encouraged to visit en.opensuse.org/Logocontest and view the logos before voting.

The number of submissions speaks volumes about the community’s enthusiasm and engagement with 18 submissions for Kalpa, 24 submissions for Slowroll, 21 submissions for Leap, 32 submissions for Tumbleweed and an impressive 36 submissions for a potential new openSUSE logo.

The submissions symbolizes the collaborative spirit within open-source communities and showcases the diverse set of ideas and creativity from contributors around the world. Brand image can influence user perception and community engagement in open-source projects, and a big THANK YOU goes out to all the people who submitted a logo design.

While the project had several chameleon-inspired designs, the distribution’s submissions varied in concepts and styles. The intent of the competition was to have the submitted logo designs depict a unified brand for the openSUSE Project.

New openSUSE distribution logos like Leap Micro, Aeon, and MicroOS are designed with simple shapes and lines for uniqueness and interest, which were typically empty outlines. Some submissions did fulfill this design concept. It’s important to note that although Leap Micro, Aeon, and MicroOS are mentioned, new logos for these were not part of competition. However, these can be affected by a generalized theme.

The person doing the branding changes and maintenance has a say in any changes. The ultimate brand decision will rest with members of the project doing the implementation, but the results from this logo competition will provide an expressed opinion of the brand identity project wide.

Winners of the contest will be announced following the vote tally and will be sent a “Geeko Mystery Box” as a token of appreciation for their contributions.

Last month the community announced a logo competition for a new openSUSE logo as well as four openSUSE distributions; Tumbleweed, Leap, Slowroll and Kalpa.

Vote now at survey.opensuse.org.

Check on a website the announcements published on openSUSE factory mailing list about the new openSUSE Tumbleweed snapshots published

openSUSE Tumbleweed tumbleweed is a GNU/Linux rolling release distribution. This means that new snapshots are released regularly that update the system and keep it up to date with the latest and tested software.

On average, about 5 snapshots are published per week, which bring system updates.

Every time a new snapshot is published, an email is published with the announcement and a detail of the updated packages and their changes on the openSUSE project factory mailing list to which you can subscribe or follow their feeds.

In addition to those announcements, that mailing list receives a lot of traffic with emails on many other topics related to the development of the project, not just Tumbleweed.

But you may only be interested in reading or consulting an announcement from time to time, and separating those messages from all the traffic and discussions that take place on the mailing list.

To do this, I have created the project that I am going to tell you about below. Something that I had in mind for a long time and that has now materialized.

On my Raspberry Pi, the software that Selairi developed runs and makes it possible to crawl a feed, in this case the one from the mailing list, but in this case I have modified it so that it filters by the title of the post that interests me and I rejected the others.

In this way, it extracts the announcements of new publications, stores them in a database and creates an html file that I host in GitLab and is thus available to everyone who wants to consult it.

After a few days of testing and changes to adapt the style of the page, the website is now available to consult all the announcements of new openSUSE Tumbleweed snapshots in one place:

• https://victorhck.gitlab.io/tumbleweed_snapshots/

In addition to the announcements, I have also included weekly reviews of what happened at openSUSE Tumbleweed, which are published in English and which I translate and publish promptly on my blog.

I hope that for you who use Tumbleweed, this is a useful site to consult, either sporadically or regularly when it comes to staying up to date with the latest openSUSE Tumbleweed news.

In addition, this website has its own feeds to which you can subscribe and read the news directly in your favorite feed reader. Check the url on this page:

• https://victorhck.gitlab.io/tumbleweed_snapshots/RSS.html

The page is intended to be simple and without much distraction. You will see the date on which the feed was published and a link to the post in the mailing list where you can check the news of that snapshot.

It has no analytics or tracking, beyond what the GitLab services where the page is hosted do. The website has no official relationship with the openSUSE project, since it is a service that I provide personally.

Any problem, improvement or comment will be well received and attended to in the best possible way, that is why my email or the comments on this article are available. I hope you find it interesting.

Links

• https://victorhck.gitlab.io/tumbleweed_snapshots/
• https://gitlab.com/victorhck/tumbleweed_snapshots
• https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/
• https://github.com/selairi/planetlibre

Consulta en una web los anuncios publicados en la lista de correo sobre las nuevas instantáneas de openSUSE Tumbleweed publicadas

openSUSE Tumbleweed es una distribución de GNU/Linux rolling release. Esto significa que de manera regular se van publicando nuevas instantáneas o snapshots que actualizan el sistema y lo mantienen al día con software a la última y probado.

Si sigues mis revisiones de novedades semanales que publico en el blog, de media se publican unas 5 snapshots a la semana, que traen actualizaciones del sistema.

Cada vez que se publica una nueva snapshot, en la lista de correo de factory del proyecto openSUSE a la que te puedes suscribir o seguir sus feeds, se publica un correo con el anuncio y un detalle de los paquetes actualizados y sus cambios.

Además de esos anuncios, esa lista de correo recibe bastante tráfico con correos de muchos otros temas relacionados con el desarrollo del proyecto, no solo de Tumbleweed.

Pero puede que solo te interese leer o consultar de vez en cuando algún anuncio, y separar esos mensajes de todo el tráfico y discusiones que se realizan en la lista de correo.

Para ello, he creado el proyecto del que te voy a hablar a continuación. Algo que hace tiempo que tenía en mente y que ahora se ha materializado.

De manera similar a como se genera PlanetaLibre, he creado una web muy simple en HTML que también se hospeda en el servicio de GitLab Pages.

En mi Raspberry Pi, corre el software que creó Selairi y que hace posible que se rastree un feed, en este caso el de la lista de correo, pero en este caso lo he modificado para que filtre por el título del post que me interesa y rechazé los demas.

De ese modo, extrae los anuncios de nuevas publicaciones, los almacena en una base de datos y crea un archivo html que yo alojo en GitLab y así está disponible para todo el mundo que quiera consultarla.

Después de unos días de pruebas y cambios para adecuar el estilo de la página, ya está disponible la web para consultar todos los anuncios de nuevas snapshots de openSUSE Tumbleweed en un solo lugar:

• https://victorhck.gitlab.io/tumbleweed_snapshots/

Además de los anuncios también he incluido para que se añadan las revisiones semanales de lo acontecido en openSUSE Tumbleweed que se publican en inglés y que traduzco y publico puntualmente en mi blog.

Espero que para ti que usas Tumbleweed, este sea un sitio útil de consulta, ya sea de manera esporádica o regular a la hora de estar al día de las novedades de openSUSE Tumbleweed.

Además esta web dispone de sus propios feeds a los que te puedes suscribir y leer las novedades directamente en tu lector de feeds preferidos. Consulta la url en esta página:

• https://victorhck.gitlab.io/tumbleweed_snapshots/RSS.html

La página pretende ser simple y sin mucha distracción. Verás la fecha en la que se ha publicado el feed y un enlace al post en la lista de correo donde podrás consultar las novedades de esa snapshot.

No tiene analíticas ni rastreo, más allá de lo que lo hagan los servicios de GitLab en el que se aloja la página. La web no tiene relación alguna con el proyecto openSUSE, ya que es un servicio que realizo a modo personal.

Cualquier problema, mejora o comentario será bien recibido y atendido de la mejor manera posible, para eso está disponible mi correo o los comentarios de este artículo. Espero que os resulte interesante.

Enlaces de interés

• https://victorhck.gitlab.io/tumbleweed_snapshots/
• https://gitlab.com/victorhck/tumbleweed_snapshots
• https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/
• https://github.com/selairi/planetlibre

PostgreSQL is a capable and mature database, which comes in a major or minor version number (e.g. 16.0). Minor releases never change the internal storage, so the database always remains compatible with earlier and later minor releases. However major version releases do not have such a guarentee. We are running a single PostgreSQL database as a podman container and I recently (today) had the glorious task of migrating this database to the next major version. In this blog post I describe how we did this migration.

Vuelven las charlas y talleres a Linux Center València, el espacio creado por Slimbook para la divulgación del Software Libre . De esta forma me complace compartir una nueva charla-taller que se celebrará en sus instalaciones que lleva por título «Ciberseguridad en red» donde, a cargo de José Mor , se hablará sobre este aspecto ya fundamental de nuestro día a día.

Ciberseguridad en red en Linux Center València

Ya es un clásico del blog hablar de la compañía valenciana de ensamblaje de dispositivos compatibles 100% con el Software Libre conocida como Slimbook. Tras su primera charla en octubre que inició esta nueva temporada de eventos vuelven a promocionar el Software Libre mediante actividades comunitarias que realizan en su Linux Center.

De esta forma el próximo sábado 25 de noviembre vamos a poder disfrutar de una nueva charla-taller titulada «Ciberseguridad en red» a cargo de José Mor, miembro fundador de la organización Whihax, comunidad de tecnología y de seguridad de la información.

El índice del taller es el siguiente:

1. Introducción a la seguridad en red (PPT).
2. Enfoque doméstico vs empresarial (PPT).
3. Instalación y uso de PiHole con Slimbook Zero. (Taller)
4. Listas personalizadas, análisis de tráfico, otros tips. (Taller)

Como vemos un tema de candente actualidad y que define perfectamente la sociedad a la ques estamos abocados. Conocer todo lo que se pueda sobre este tema es crucial para ser un ciudadano responsable.

El curso es preencial, por tanto no se va a retransmitir por streaming pero se colgará un resumen del curso en nuestro canal de Youtube, varias semanas después del evento.

La información adicional que necesitas es esta:

Plazas Total: 20 (corre que suelen agotarse)

¿Curso Gratuito o de Pago?: GRATUITO gracias a SLIMBOOK y a José.

Duración del evento: 2h + Preguntas y respuestas

¿Podemos retransmitirlo via streaming?: No

Localización: Linux Center (Grupo Odín). Ronda de la Química s/n Edificio ABM L’Andana, 7ª planta Frente a Parque Técnológico 46980 Paterna, Valencia

Más información: Linux Center

¿Qué es Whihax?

Aprovecho para promocionar a la Ccomunidad a Whihax, entusiastas, desarrolladores y profesionales de la seguridad informática con la filosofía de reportar y/o conocer las vulnerabilidades existentes en los ámbitos de Internet, Hardware y Software que empleamos diariamente.

Más información: Whihax

La entrada Ciberseguridad en red en Linux Center València se publicó primero en KDE Blog.

This report is about the problematic use of fixed temporary paths in the hpps program from the hplip project. Hplip is a collection of utilities for HP printer and scanner devices.

There is currently no upstream fix available for this issue and this publication happens after 90 days of attempted coordinated disclosure, but upstream did not react to my report.

Update 2024-01-04: I have been informed that upstream release 3.23.12 published on 2023-11-30 silently fixes this issue. The fix is based on the patch that I suggested in this report.

This report is based on the latest upstream release 3.23.8 of hplip.

The Issue

The program /usr/lib/cups/filter/hpps uses a number of insecure fixed temporary files that can be found in prnt/hpps/hppsfilter.c:

prnt/hpps/hppsfilter.c:1027:        sprintf(booklet_filename, "/tmp/%s.ps","booklet");
prnt/hpps/hppsfilter.c:1028:        sprintf(temp_filename, "/tmp/%s.ps","temp");
prnt/hpps/hppsfilter.c:1029:        sprintf(Nup_filename, "/tmp/%s.ps","NUP");

These paths are only used if “booklet printing” is enabled. For testing, the logic can be forced by invoking the program similar to this:

$ export PPD=/usr/share/cups/model/manufacturer-PPDs/hplip-plugin/hp-laserjet_1020.ppd.gz
$ /usr/lib/cups/filter/hpps some-job some-user some-title 10 HPBookletFilter=10,fitplot,Duplex=DuplexTumble,number-up=1

The program will expect data to print on stdin this way. Just typing in some random data and pressing Ctrl-d will make it continue. There is a chance that it will crash, though, since error returns from parsing errors are largely not checked in this program.

The three paths are created and opened using fopen(), so no special open flags are in effect that would prevent following symlinks, also the O_EXCL flag is missing to prevent opening existing files. The resulting system calls look like this (for creation / opening for reading):

openat(AT_FDCWD, "/tmp/temp.ps", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
openat(AT_FDCWD, "/tmp/temp.ps", O_RDONLY)

Furthermode there is a chmod() on the /tmp/temp.ps file:

hppsfilter.c:110 chmod(temp_filename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);

The data to print (from stdin) is written to this file, and the file is also made world readable explicitly via this chmod(). The issues with these paths are multifold:

• There is a local information leak, since the print job data will become visible to everybody in the system.
• There is violated data integrity, since other users can pre-create these files and manipulate e.g. the data to print.
• This may allow to create files in unexpected places, by placing symbolic links, if the Linux kernel’s symlink protection is not active.
• Similarly it may allow to grant world read privileges to arbitrary files by following symlinks during the chmod().
• It may allow further unspecified impact if crafted data is placed into /tmp/temp.ps which is processed by the complex PS_Booklet() function.

I did not research the impact of the issue further to see whether this could lead to local code execution in the context of the user that is invoking hpps.

Suggested Patch

To fix this issue all three fixed temporary paths need to be replaced by unpredictably named temporary files that are safely created. I authored a suggested patch that accomplishes this. This patch also drops the chmod(). The purpose of it is unclear, so it is possible that this breaks something, if other processes with different privileges need to access this file.

There is no patch or any other information available from upstream.

Affectedness

Since, to my knowledge, there is no public version control system for hplip, it is difficult to determine when this issue has been introduced. By taking some samples from older SUSE distributions I found the issue to be present at least since upstream release 3.19.12 from 2019-12-12.

CVE Assignment

Since HP is a CVE CNA, it is itself responsible for assigning a CVE. Since there is no reaction from upstream I don’t know if or when CVEs will be available.

Timeline

References

• hplip SourceForge Project page
• hplip release 3.23.8 which this review was based on
• private hplip Launchpad security issue detailing these issues
• suggested patch to fix the issue

The time has arrived for people to begin submitting talks for openSUSE Conference 2024.

This year’s conference theme is: Evaluating the Future: Where Are We Going?

The theme sets the stage for exploring the evolving landscape of technology and open-source innovation. We invite those people submitting a talk for this year’s conference to delve into talks that will inspire thought-provoking discussions, analyses and predictions about the future trajectory of open-source development, emerging technologies, the openSUSE project and more.

Until April 15, people can submit proposals for a talk or workshop to share insights and their expertise.

The conference is scheduled to take place June 27 to 29 in Nuremberg, Germany.

Presentations can be submitted for the following length of time:

• Lightning Talk (10 mins)
• Virtual Lightning Talk (10 mins)
• Short Talk (30 mins)
• Virtual Talk (30 mins)
• Long Talk (45 mins)
• Workshop (1 hour)

The following tracks are listed for the conference:

• Cloud and Containers
• Community
• Embedded Systems and Edge Computing
• New Technologies
• Open Source
• openSUSE

Speakers are encouraged to submit proposals that align with this year’s theme.

Topics under this theme might include:

• Futuristic Trends: Predictions and insights into upcoming technological trends shaping open-source landscapes.
• Ethical Tech: Discussions on the ethical implications of technological advancements and how open-source communities can navigate them.
• Innovation and Disruption: Exploring how innovation drives disruptions and reshapes industries within the open-source ecosystem.
• Sustainability and Accessibility: Evaluating how open-source technologies contribute to sustainable and accessible solutions for the future.
• Emerging Challenges: Addressing challenges and obstacles that might hinder the progress of open-source development in the coming years.
• Collaborative Futures: Assessing the role of collaboration and community-driven efforts in shaping the future of open-source projects.

Volunteers who would like to help the Program Committee and/or the Organizing Team can email ddemaio@opensuse.org or attend normally scheduled community meetings.

Conferences need sponsors to support community driven events to keep events free and open to new contributing members and companies can find sponsorship information on the project’s wiki page.