×
Security

Ubuntu Linux Impacted By Decade-Old 'needrestart' Flaw That Gives Root (bleepingcomputer.com) 30

Five local privilege escalation (LPE) vulnerabilities in the Linux utility "needrestart" -- widely used on Ubuntu to manage service updates -- allow attackers with local access to escalate privileges to root. The flaws were discovered by Qualys in needrestart version 0.8, and fixed in version 3.8. BleepingComputer reports: Complete information about the flaws was made available in a separate text file, but a summary can be found below:

- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input.
The report notes that attackers would need to have local access to the operation system through malware or a compromised account in order to exploit these flaws. "Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited," adds BleepingComputer.
GNU is Not Unix

FLTK 1.4 Released (fltk.org) 19

Longtime Slashdot reader slack_justyb writes: The Fast Light Toolkit released version 1.4.0 of the venerable, though sometimes looking a bit dated, toolkit from the '90s. New in this version are better CMake support, HiDPI support, and initial support for Wayland on Linux and Wayland on FreeBSD. Programs compiled and linked to this library launch using Wayland if it is available at runtime and fall back to X11 if not. FLTK 1.4.0 can be downloaded here. Documentation is also available.
Linux

Linux Kernel 6.12 Has Been Released (omgubuntu.co.uk) 54

Slashdot unixbhaskar writes: Linus has released a fresh Linux kernel for public consumption. Please give it a try and report any glitches to the maintainers for improvement. Also, please do not forget to express your appreciation to those tireless folks who did all the hard work for you.
The blog OMG Ubuntu calls it "one of the most biggest kernel releases for a while," joking that it's a "really real-time kernel." The headline feature in Linux 6.12 is mainline support for PREEMPT_RT. This patch set dramatically improves the performance of real-time applications by making kernel processes pre-emptible — effectively enabled proper real-time computing... Meanwhile, Linus Torvalds himself contributes a new method for user-space address masking designed to claw back some of the performance lost due to Spectre-v1 mitigations.

You might have heard that kernel devs have been working to add QR error codes to Linux's kernel panic BSOD screen (as a waterfall of error text is often cut off and not easily copied for ad-hoc debugging). Well, Linux 6.12 adds support for those during Direct Rendering Manager panics...

A slew of new RISC-V CPU ISA extensions are supported in Linux 6.12; hybrid CPU scaling in the Intel P-State driver lands ahead of upcoming Intel Core Ultra 2000 chips; and AMD P-State driver improves AMD Boost and AMD Preferred Core features.

More coverage from the blog 9to5Linux highlights a new scheduler called sched_ext, Clang support (including LTO) for nolibc, support for NVIDIA's virtual command queue implementation for SMMUv3, and "an updated cpuidle tool that now displays the residency value of cpuidle states for a clearer and more detailed view of idle state information when using cpuidle-info." Linux kernel 6.12 also introduces SWIG bindings for libcpupower to make it easier for developers to write scripts that use and extend the functionality of libcpupower, support for translating normalized error addresses reported by an AMD memory controller into system physical addresses using a UEFI mechanism called platform runtime mechanism (PRM), as well as simplified loading of microcode patches on AMD Zen and newer CPUs by using the family, model, and stepping encoded in the patch revision number...

Moreover, Linux 6.12 adds support for running as a protected guest on Android as well as perf and support for a bunch of new interconnect PMUs. It also adds the final conversions to the new Intel VFM CPU model matching macros, rewrites the PCM buffer allocation handling and locking optimizations, and improves the USB audio driver...

Transportation

'Automotive Grade Linux' Will Promote Open Source Program Offices for Automakers (prnewswire.com) 28

Automotive Grade Linux is a collaborative open source project developing "an open platform from the ground up that can serve as the de facto industry standard" for fast development of new features. Automakers have joined with tech companies and suppliers to speed up development (and adoption) of "a fully open software stack for the connected car" — hosted at the Linux Foundation, and "with Linux at its core..."

And this week they created a new Open Source Program Office expert group, led by Toyota, to promote the establishment of Open Source Program Offices within the automotive industry, "and encourage the sharing of information and best practices between them." Open source software has become more prevalent across the automotive industry as automakers invest more time and resources into software development. Automakers like Toyota and Subaru are using open source software for infotainment and instrument cluster applications. Other open source applications across the automotive industry include R&D, testing, vehicle-to-cloud and fleet management. "Historically, there has been little code contributed back to the open source community," said Dan Cauchy, Executive Director of Automotive Grade Linux. "Often, this was because the internal procedures or IT infrastructure weren't in place to support open source contributions. The rise of software-defined vehicles has led to a growing trend of automakers not just using, but also contributing, to open source software. Many organizations are also establishing Open Source Program Offices to streamline and organize open source activities to better support business goals."

Automakers including Toyota, Honda, and Volvo have already established Open Source Program Offices. The new AGL OSPO Expert Group provides a neutral space for them to share pain points and collaborate on solutions, exchange information, and develop best practices that can help other automakers build their own OSPOs. "Toyota has been participating in AGL and the broader open source community for over a decade," said Masato Endo, Group Manager of Open Source Program Group, Toyota. "We established an OSPO earlier this year to promote the use of open source software internally and to help guide how and where we contribute. We are looking forward to working with other open source leaders to solve common problems, collaborate on best practices, and invigorate open source activities in the automotive industry."

The AGL OSPO EG is led by Toyota with support from Panasonic and AISIN Corporation.

Red Hat Software

Red Hat is Acquiring AI Optimization Startup Neural Magic (techcrunch.com) 4

Red Hat, the IBM-owned open source software firm, is acquiring Neural Magic, a startup that optimizes AI models to run faster on commodity processors and GPUs. From a report: The terms of the deal weren't disclosed. MIT research scientist Alex Matveev and professor Nir Shavit founded Somerville, Massachusetts-based Neural Magic in 2018, inspired by their work in high-performance execution engines for AI. Neural Magic's software aims to process AI workloads on processors and GPUs at speeds equivalent to specialized AI chips (e.g. TPUs). By running models on off-the-shelf processors, which usually have more available memory, the company's software can realize these performance gains.

Big tech companies like AMD and a host of other startups, including NeuReality, Deci, CoCoPie, OctoML and DeepCube, offer some sort of AI optimization software. But Neural Magic is one of the few with a free platform and a collection of open source tools to complement it. Neural Magic had so far managed to raise $50 million in venture capital from backers like Andreessen Horowitz, New Enterprise Associations, Amdocs, Comcast Ventures, Pillar VC and Ridgeline Ventures.

Linux

Intel Sees a 3888.9% Performance Improvement in the Linux Kernel - From One Line of Code (phoronix.com) 61

An anonymous reader shared this report from Phoronix: Intel's Linux kernel test robot has reported a 3888.9% performance improvement in the mainline Linux kernel as of this past week...

Intel thankfully has the resources to maintain this automated service for per-kernel commit/patch testing and has been maintaining their public kernel test robot for years now to help catch performance changes both positive and negative to the Linux kernel code. The commit in question causing this massive uplift to performance is mm, mmap: limit THP alignment of anonymous mappings to PMD-aligned sizes. The patch message confirms it will fix some prior performance regressions and deliver some major uplift in specialized cases...

That mmap patch merged last week affects just one line of code.

This week the Register also reported that Linus Torvalds revised a previously-submitted security tweak that addressed Spectre and Meltdown security holes, writing in his commit message that "The kernel test robot reports a 2.6 percent improvement in the per_thread_ops benchmark."
AI

Linus Torvalds Dismisses AI Industry as '90% Marketing' (tomshardware.com) 103

Linux creator Linus Torvalds has blasted the AI industry as "90% marketing and 10% reality" even as he acknowledged AI's transformative potential. Speaking to TFiR, Torvalds said he would "basically ignore" AI until the hype subsides, predicting meaningful applications would emerge in five years.

The Finnish software pioneer singled out ChatGPT and graphic design as current practical use cases. His criticism follows Baidu CEO's recent warning of an impending AI bubble burst, claiming only 1% of companies would survive the fallout. "I think AI is really interesting, and I think it is going to change the world. And, at the same time, I hate the hype cycle so much that I really don't want to go there," Torvalds said.
Networking

DTrace for Linux Comes to Gentoo (gentoo.org) 14

It was originally created back in 2005 by Sun Microsystems for its proprietary Solaris Unix systems, "for troubleshooting kernel and application problems on production systems in real time," explains Wikipedia. "DTrace can be used to get a global overview of a running system, such as the amount of memory, CPU time, filesystem and network resources used by the active processes," explains its Wikipedia entry.

But this week, Gentoo announced: The real, mythical DTrace comes to Gentoo! Need to dynamically trace your kernel or userspace programs, with rainbows, ponies, and unicorns — and all entirely safely and in production?! Gentoo is now ready for that!

Just emerge dev-debug/dtrace and you're all set. All required kernel options are already enabled in the newest stable Gentoo distribution kernel...

Documentation? Sure, there's lots of it. You can start with our DTrace wiki page, the DTrace for Linux page on GitHub, or the original documentation for Illumos. Enjoy!

Thanks to Heraklit (Slashdot reader #29,346) for sharing the news.
Linux

Linus Torvalds Comments On The Russian Linux Maintainers Being Delisted (phoronix.com) 203

Ancient Slashdot reader szo shares a report from Phoronix: Quietly merged into this week's Linux 6.12-rc4 kernel was a patch that removes a number of kernel maintainers from being noted in the official MAINTAINERS file that recognizes all of the driver and subsystem maintainers. [...] [Greg Kroah-Hartman who authored the patch] simply commented in there: "Remove some entries due to various compliance requirements. They can come back in the future if sufficient documentation is provided." [...] The commonality of all these maintainers being dropped? They appear to all be Russian or associated with Russia. Most of them with .ru email addresses. Linux creator Linus Torvalds has since commented on the situation: Ok, lots of Russian trolls out and about. It's entirely clear why the change was done, it's not getting reverted, and using multiple random anonymous accounts to try to "grass root" it by Russian troll factories isn't going to change anything. And FYI for the actual innocent bystanders who aren't troll farm accounts - the "various compliance requirements" are not just a US thing.

If you haven't heard of Russian sanctions yet, you should try to read the news some day. And by "news," I don't mean Russian state-sponsored spam. As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. Did you think I'd be *supporting* Russian aggression? Apparently it's not just lack of real news, it's lack of history knowledge too.

Linux

Linus Torvalds Growing Frustrated By Buggy Hardware, Theoretical CPU Attacks (phoronix.com) 73

jd writes: Linus Torvalds is not a happy camper and is condemning hardware vendors for poor security and the plethora of actual and theoretical attacks, especially as some of the new features being added impact the workarounds. These workarounds are now getting very expensive, CPU-wise.

TFA quotes Linus Torvalds:

"Honestly, I'm pretty damn fed up with buggy hardware and completely theoretical attacks that have never actually shown themselves to be used in practice.

"So I think this time we push back on the hardware people and tell them it's *THEIR* damn problem, and if they can't even be bothered to say yay-or-nay, we just sit tight.

Because dammit, let's put the onus on where the blame lies, and not just take any random shit from bad hardware and say 'oh, but it *might* be a problem.'"

Android

Is Google Preparing to Let You Run Linux Apps on Android, Just like ChromeOS? (androidauthority.com) 28

"Google is developing a Linux terminal app for Android," reports the blog Android Authority. "The Terminal app can be enabled via developer options and will install Debian in a virtual machine.

"This app is likely intended for Chromebooks but might also be available for mobile devices, too." While there are ways to run some Linux apps on Android devices, all of those methods have some limitations and aren't officially supported by Google. Fortunately, though, Google is finally working on an official way to run Linux apps on Android... This Terminal app is part of the Android Virtualization Framework (AVF) and contains a WebView that connects to a Linux virtual machine via a local IP address, allowing you to run Linux commands from the Android host...

A set of patches under the tag "ferrochrome-dev-option" was recently submitted to the Android Open Source Project that adds a new developer option called Linux terminal under Settings > System > Developer options. This new option will enable a "Linux terminal app that runs inside the VM," according to its proposed description. Toggling this option enables the Terminal app that's bundled with AVF...

Google is still working on improving the Terminal app as well as AVF before shipping this feature... What's particularly interesting about the patch that adds these settings is that it was tested on "tangorpro" and "komodo," the codenames for the Pixel Tablet and Pixel 9 Pro XL respectively. This suggests that the Terminal app won't be limited to Chromebooks like the new desktop versions of Chrome for Android.

Crime

Halcyon Announces Anti-Ransomware Protection for Enterprise Linux Environments (linux-magazine.com) 14

Formed in 2021 by cybersecurity professionals (and backed by high-powered VCs including Dell Technologies Capital), Halcyon sells an enterprise-grade anti-ransomware platform.

And this month they announced they're offering protection against ransomware attacks targeting Linux systems, according to Linux magazine: According to Cynet, Linux ransomware attacks increased by 75 percent in 2023 and are expected to continue to climb as more bad actors target Linux deployments... "While Windows is the favorite for desktops, Linux dominates the market for supercomputers and servers."
Here's how Halcyon's announcement made their pitch: "When it comes to ransomware protection, organizations typically prioritize securing Windows environments because that's where the ransomware operators were focusing most of their attacks. However, Linux-based systems are at the core of most any organization's infrastructure, and protecting these systems is often an afterthought," said Jon Miller, CEO & Co-founder, Halcyon. "The fact that Linux systems usually are always on and available means they provide the perfect beachhead for establishing persistence and moving laterally in a targeted network, and they can be leveraged for data theft where the exfiltration is easily masked by normal network traffic. As more ransomware operators are developing the capability to target Linux systems alongside Windows, it is imperative that organizations have the ability to keep pace with the expanded threat."

Halcyon Linux, powered through the Halcyon Anti-Ransomware Platform, uniquely secures Linux-based systems offering comprehensive protection and rapid response capabilities... Halcyon Linux monitors and detects ransomware-specific behaviors such as unauthorized access, lateral movement, or modification of critical files in real-time, providing instant alerts with critical context... When ransomware is suspected or detected, the Halcyon Ransomware Response Engine allows for rapid response and action.... Halcyon Data Exfiltration Protection (DXP) identifies and blocks unauthorized data transfers to protect sensitive information, safeguarding the sensitive data stored in Linux-based systems and endpoints...

Halcyon Linux runs with minimal resource impact, ensuring critical environments such as database servers or virtualized workloads, maintain the same performance.

And in addition, Halcyon offers "an around the clock Threat Response team, reviewing and responding to alerts," so your own corporate security teams "can attend to other pressing priorities..."
Desktops (Apple)

Asahi Linux Brings Support For AAA Gaming To Apple Silicon Macs (liliputing.com) 21

An anonymous reader quotes a report from Liliputing: The Fedora Asahi Remix GNU/Linux distribution is now shipping with alpha versions of OpenGL, OpenCL, and Vulkan graphics drivers that allow you to play some games on Macs with M1 or M2 series processors. But there are a few things to keep in mind. One is that most of the PC games you're likely going to want to play are designed to run on Windows PCs with DirectX drivers and x86 processors. So there's some emulation required to get them to run on Macs with ARM-based processors, a Linux-based operating system, and Vulkan drivers.

Some of the work was also made possible by the folks at Valve, who developed the Proton software that allows many PC games to run on Linux. And during a live demo at XDC 2024, developer Alyssa Rosenzweig demonstrated the Steam game client loading and running on an Apple Silicon Mac running Asahi Linux. For that reason, it takes a lot of RAM -- according to the Asahi team, "most games require 16GB of memory due to emulation overhead." So you're probably not going to be able to do much entry-level gaming on an entry-level Mac with just 8GB of RAM.

Some of the titles that have been confirmed to be playable include Cyberpunk 2077, The Witcher 3, Fallout 4, Control, Portal 2, and Ghostrunner. But there's a difference between playable and smooth. Developers say performance improvements will be required before "newer AAA titles" can run at 60 frames per second or higher. But less demanding games like Hollow Knight should run at full speed.

Linux

Linus Torvalds Asks Kernel Devs To Write Better Git Merge Commit Messages (phoronix.com) 38

Phoronix's Michael Larabel reports: Yesterday when announcing the Linux 6.12-rc2 kernel, Linus Torvalds asked that the kernel maintainers do a better job moving forward with their commit messages. In particular, Torvalds is hoping that kernel maintainers will do a better job using an active, imperative voice when describing the changes within their pull requests.

The Linux creator explained in the 6.12-rc2 announcement: "Anyway, on a completely different note: I try to make my merge commit messages be somewhat "cohesive", and so I often edit the pull request language to match a more standard layout and language. It's not a big deal, and often it's literally just about whitespace so that we don't have fifteen different indentation models and bullet syntaxes. I generally do it as I read through the text anyway, so it's not like it makes extra work for me. But what *does* make extra work is when some maintainers use passive voice, and then I try to actively rewrite the explanation (or, admittedly, sometimes I just decide I don't care quite enough about trying to make the messages sound the same). So I would ask maintainers to please use active voice, and preferably just imperative. [...]"

Portables

Pine64's Linux-Powered E-Ink Tablet is Making a Return (omgubuntu.co.uk) 19

"Pine64 has confirmed that its open-source e-ink tablet is returning," reports the blog OMG Ubuntu: The [10.1-inch e-ink display] PineNote was announced in 2021, building on the success of its non-SBC devices like the PinePhone (and later Pro model), the PineTab, and PineBook devices. Like most of Pine64's devices, software support is largely tackled by the community. But only a small batch of developer units were ever sold, primarily by enthusiasts within the open-source community who had the knowledge and desire to work on getting a modern Linux OS to run on the hardware, and adapt to the e-ink display.

That process has taken a while, as Pine64's community bloggers explain:

"The PineNote was stuck in a chicken-and-egg situation because of the very high cost of manufacturing the device (ePaper screens are sadly still expensive), and so the risk of manufacturing units that then didn't have a working Linux OS and would not sell was huge."

However, the proverbial egg has finally hatched. The PineNote now has a reliable Debian-based OS, developed by Maximilian Weigand. This is described as "not only a bare-bones capable OS but a genuinely daily-usable system that 'just works'" according to the Pine64 blog. ["This is excellent as it also moves the target audience from developers to every day users. You should be able to power on the device and drop into a working Gnome experience."] It is said to use the GNOME desktop plus a handful of extensions designed to ensure the UI adapts to working well with an e-ink display. Software pre-installed includes Xournal++ for note taking, Firefox for web browsing, and Foliate for reading ebooks, among others. [And it even runs Doom...]

Existing PineNote owners can download the the new OS image, flash it to their device, and help test it... Touch and stylus input are major selling points of the PineNote, positioning it as a libre alternative to leading e-ink note-taking devices like the Remarkable 2, Onyx BOOX, and Amazon Scribe.

"I do not (yet) have a launch date target," according to the blog post, "as behind-the-scenes the Pine Store team are still working on all things production."

But the update also links to some blog posts about their free and open source smartwatch PineTime...

Slashdot Top Deals