#glibc
Various Sourceware projects will be present at @fosdem plus various overseers and of course @conservancy staff.
Get your talk submissions in before end of the week (December 1st) to these developer rooms:
https://inbox.sourceware.org/gdb/6a2e8cbf-0d63-24e7-e3c2-c3d286e2e6d9@redhat.com/
https://inbox.sourceware.org/gcc/36fadb0549c3dca716eb3b923d66a11be2c67a61.camel@redhat.com/
#gdb #libabigail #systemtap #valgrind #binutils #elfutils #gcc #newlib #glibc #gnupoke #cgen
New larger x86_64 buildbot container builder provided by @osuosl is online:
https://builder.sourceware.org/buildbot/#/workers/39
It does the larger #gcc and #glibc builds so the other container builders can do quicker (smaller) builds without having to wait on the big jobs.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #45/2023 is out! It includes the following and much more:
➝ 🔓 ✈️ #Boeing breach: LockBit leaks 50 GB of data
➝ 🇨🇳 World’s largest commercial bank #ICBC confirms #ransomware attack
➝ 🔓 ☁️ Sumo Logic alerts customers about #securityincident; advises rotate Sumo Logic API access keys
➝ 🔓 🇮🇪 Electric Ireland admits data breach that could see customer financial data compromised
➝ 🔓 🇨🇦 #TransForm says ransomware data breach affects 267,000 patients
➝ 🔓 🇸🇬 #Singapore Marina Bay Sands reward members data breached, over 650k people exposed
➝ 🇮🇱 🇵🇸 🇮🇷 Cyber ops linked to #Israel-#Hamas conflict largely improvised, researchers say
➝ 🧨 🤖 #OpenAI confirms #DDoS attacks behind ongoing #ChatGPT outages
➝ 🛍️ 💸 Fake Ledger Live app in #Microsoft Store steals $768,000 in #crypto
➝ 🔓 🐰 ‘Looney Tunables’ #Glibc Vulnerability Exploited in #Cloud Attacks
➝ 🇺🇸 🇷🇺 US Sanctions Russian National for Helping Ransomware Groups Launder Money
➝ 🇮🇷 🇮🇱 Iranian Hackers Launch Destructive Cyber Attacks on Israeli #Tech and #Education Sectors
➝ 🇫🇷 🇬🇧 #France, #UK Seek Greater Regulation of Commercial #Spyware
➝ 🇪🇺 🤐 #Europe is trading security for digital #sovereignty
➝ 🇷🇺 🇺🇦 Russian Hackers Used #OT Attack to Disrupt Power in #Ukraine Amid Mass Missile Strikes
➝ 🦠 🚪 Highly invasive #backdoor snuck into #opensource packages targets developers
➝ 🦠 🇰🇵 N. Korea's #BlueNoroff Blamed for Hacking #macOS Machines with ObjCShellz #Malware
➝ 🫣 #Signal tests usernames that keep your phone number private
➝ 🔐 Microsoft Authenticator now blocks suspicious #MFA alerts by default
➝ ☁️ 💰 Researchers Uncover Undetectable #CryptoMining Technique on #Azure Automation
➝ 👥 💰 Data Brokers Expose Sensitive US Military Member Info to Foreign Threat Actors: Study
➝ 🩹 Microsoft Says Exchange ‘Zero Days’ Disclosed by #ZDI Already Patched or Not Urgent
➝ 🐛 Veeam warns of critical bugs in #Veeam ONE monitoring platform
📚 This week's recommended reading is: "How the F*ck Did This Happen?: A guide for executives who need to understand Cyber Security in plain, actionable language" by Dr Darryl Carlton
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-452023
There needs to be something easier and better than #Python with up-to-date bindings that can support building #Qt stuff with #musl libc. I really don't like using Python and only do because C++ (or rather, #CMake) is too hard to do new stuff in for me and CXX-Qt won't build with musl (could target a #glibc distro like #DanctNix #Arch, but then I'd be ignoring the entire set of devices supported by #postmarketOS). Why can't I just use #VB transpiled to #Rust?
Setting up dpkg Multiarch on Ubuntu 22.04, libc dependency error #glibc #crosscompilation
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Gene Goykhman, Sergey Alexandrovich Bugaev, Wang Diancheng, Warren Thomas Everett Wilkinson, and Xinyuan Zhang for assigning their copyright to the FSF! #GNU #Emacs #glibc #GDB #GNUstep #GNUHurd #GNUMach #GCC Learn more at https://u.fsf.org/3ht #CopyrightAssignments
@xChaos zde odmítnu odpovědět s odkazem na #GDPR, kdy nejsem oprávněn se vykecávat na sockách o tom co za blbosti se moji zákazníci snaží provozovat... :)
Původní nápad však pochází z doby kdy jsem chtěl buildit balíčky pro #raspbian a v #qemu #arm emulaci dochazelo k problémům v #glibc a kompilace havarovala. Tak jsem se rozhodl kompilovat nativně přímo na fyzickém hardware.
je za tím spousta práce v oblasti systémove integrace a už to nějak funguje.
Základem jsou multiplatfomní docker image: https://github.com/VitexSoftware/BuildImages
A potom #Ansible který mi z novýho pi udělá dron pro #Jenkinse s #Docker engine. Ten jsem ještě nepublikoval ale pokud by byl zájem rád jej poskytnu.
Noch mal Glück gehabt! Die Sicherheitslücken die Gestern im dem #wordpress Update 6.3.2 gestopft wurden erlauben kein Ausführen von Shellbefehlen. Ansonsten hätte das mit der #glibc #sicherheitslücke eine explosive Mischung gegeben.
https://de.wordpress.org/2023/10/wordpress-6-3-2-wartungs-und-sicherheitsversion/
🐧 From ZDNET:
「 The vulnerability was introduced in April 2021 with the release of glibc 2.34. The flaw is a buffer overflow weakness in the glibc's ld.so dynamic loader, a crucial component responsible for preparing and executing programs on Linux systems. The vulnerability is triggered when processing the GLIBC_TUNABLES environment variable, making it a significant threat to system integrity and security 」
"Critical #glibc Buffer Overflow #Vulnerability named #LooneyTunables Allows Local Privilege Escalation"
To all my #Linux🐧people out there.
Make sure you update!
#CyberSecurity #TechNews #SecurityNews #CyberSecurityNews #BufferOverflow #Kubuntu #Ubuntu
https://thehackernews.com/2023/10/looney-tunables-new-linux-flaw-enables.html
Danke #debian 12.2 und der #sicherheitslücke #CVE20234911 in der #glibc bin ich hier schon den ganzen Tag dabei Updates einzuspielen. Update haben teilweise auch was meditatives und beruhigendes. So kann man auch mal einen entspannten Sonntag verbringen ... 🤔
I'm looking for a new #gnutools job; long story short, my current employer is pushing me to retire early as part of a division-wide "reorganization", but I want to keep working. I'm a current #gcc and #binutils maintainer and have also contributed to #gdb, #glibc, #newlib, and #qemu. Lately I've been working on adding GCC front-end support for #openmp, but I've also done back-end things for multiple architectures, and I write documentation. DM me for more details and contact info.
So far we had #glibc and #curl with major security problems this month. Lets see what else #spooktober has up its sleeve... 🥴
After the #glibc libc-alpha and #gcc gcc-patches mailinglist tests to avoid From rewriting worked out nicely we enabled the same settings to some other mailinglists.
The other gcc patches lists for #libstdc++, #libgccjit, #fortran and #gcc-rust. And those project that use #patchwork, #newlib, #elfutils, #libabigail and #gdb.
This hopefully makes mailing patches and using git am on them a bit nicer.
Please contact us if you have any issues with the mailinglists.
https://sourceware.org/mission.html#organization
Did you know that you can install #glibc packages on #termux now?, Thanks to maintainer Maxython https://github.com/maxython you may now install pacman and install glibc apps from the gpkg repo!
Schwachstelle in C-Bibliothek: Looney Tunables gefährdet zahlreiche Linux-Systeme (Update 1) https://www.computerbase.de/2023-10/schwachstelle-in-c-bibliothek-looney-tunables-gefaehrdet-zahlreiche-linux-systeme/#update-2023-10-06T18:25 #Linux #glibc #Schwachstelle #Sicherheitslücke
#glibc #security alert
„We successfully exploited this vulnerability and obtained full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, Debian 12 and 13; other distributions are probably also vulnerable and exploitable (one notable exception is Alpine Linux, which uses musl libc, not the glibc).”
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
Via: Bleeping Computer.
There is a new vulnerability affecting Linux users. specifically, "Loony Tunables" affects Glibc and is vulnerable to LOCAL attacks only. Patches are already rolling out.
This week’s news about the "Looney Tunes flaw" highlighted a condition which can allow a local user to access root privileges from the command line. Part of the RL Security team's task is to have mitigation strategies ready for such cases - reporting vulnerabilities and suggesting fixes upstream, and also writing our own extra packages.
This week, the Security SIG has published our extra packages and formalized a wiki: https://rockylinux.org/news/security-sig-update/ #looneytunables #securityupdate #glibc
PoC for CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so
🔗https://github.com/leesh3288/CVE-2023-4911
🔗https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
"Looney Tunables: Local Privilege Escalation in the glibc's ld.so (CVE-2023-4911)"
New Linux vulnerability in the GNU C library can lead to privilege escalation https://www.linux-magazine.com/Online/News/New-Linux-Vulnerability-Enables-a-Privilege-Escalation #LooneyTunables #Linux #vulnerability #patch #Qualys #glibc #Debian #Ubuntu #Fedora
Schwachstelle in C-Bibliothek: Looney Tunables gefährdet zahlreiche Linux-Systeme https://www.computerbase.de/2023-10/schwachstelle-in-c-bibliothek-looney-tunables-gefaehrdet-zahlreiche-linux-systeme/ #Linux #glibc #Schwachstelle #Sicherheitslücke
C developers: "Rust's memory safety is not a 'feature' of your program. It doesn't automatically make it better."
CVE-2023-4911: "Well hello there!"
I don't know about others but security is a pretty big feature in my books!
#security #linux #cve20234911 #libc #glibc #Rust #C #MemorySafety
Herrjemine … von der #sicherheitslücke #CVE20234911 in der #glibc is ja mal wieder so gut wie alles betroffen.
#glibc #vulnerability #security Qualys initial discovery and details
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
A severe vulnerability, CVE-2023-4911, has been discovered in the GNU C Library (glibc), affecting various Linux distributions, including Fedora, Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), and Red Hat Virtualization. The vulnerability allows a local attacker to elevate limited local privileges to full root when launching binaries with SUID permission. While it has been fixed in upstream glibc, many downstream systems require updates to address the issue. Cybersecurity firm Qualys, which identified the vulnerability, warns that it poses a significant threat due to its ubiquity in Linux environments and ease of exploitation.
Detailed Advisory: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
#Linux #vulnerability #Security #Ubuntu #Fedora #Redhat #Glibc #Qualys #Privacy #CVE #RHEL #TechBites #Tech
"🐧 Looney Tunables: A New Linux Flaw Unveiled 🚨"
A new Linux vulnerability, dubbed "Looney Tunables," has been unearthed, posing a significant threat to major distributions like Fedora, Ubuntu, and Debian. This flaw, identified as CVE-2023-4911 (CVSS score: 7.8), resides in the GNU C library's ld.so dynamic loader and could potentially enable a local privilege escalation, granting a threat actor root privileges. The bug, discovered by cybersecurity firm Qualys, was introduced in April 2021 and impacts the processing of the GLIBC_TUNABLES environment variable. 🐛🛑
Source: The Hacker News
Tags: #Linux #Vulnerability #LooneyTunables #PrivilegeEscalation #Cybersecurity #GNU #glibc #CVE20234911 🐧🔐🚨
@thegibson Setting up #Debian on #musl #voidlinux to #chroot into for installing #leapmotion software to control my new hand/motion tracker/controller. I got it all set up correctly and everything, and when I go for the install, the terminal spits out this:
Error: Missing Dependency: #glibc
Thought I could cheat the system. Long story short, installed the GLIBC variant of Void on a USB, booted into it, and redid the process of converting and installing (guide coming soon).
@etam @rq the point is that #Docker only exists because #Glibc bricks the #Userland all the time.
Were this not the case we'd have either #Juju or jist basic scripts (see #Zulip's Installer) that does setup all the stuff...
Docker is just an ugly workaround re: #Linux using that shit, and the sad part is that it's a legitimate issue, otherwise it would not exist to vegin with!!!
@rq yeah, the #Enshittification is the problem.
If #Glibc wasn't a piece of shit that knowingly and willingly bricks #Userspace all the time #Docker would neither have a right to exist nor legitimate reason to be used.
Software that uses the crypt password hashing API is now using the implementation provided by #libxcrypt instead of #glibc’s, which enables support for more secure algorithms
https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41
https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-22.11-highlights
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Gene Goykhman, Sergey Alexandrovich Bugaev, Wang Diancheng, Warren Thomas Everett Wilkinson, and Xinyuan Zhang for assigning their copyright to the FSF! #GNU #Emacs #glibc #GDB #GNUstep #GNUHurd #GNUMach #GCC Learn more at https://u.fsf.org/3ht #CopyrightAssignments
@TheEvilSkeleton @orowith2os thx for the heads-up.
Sadly that is a common occurence and the only good option I know of is to yeet assholes away...
One of the reasons why I don't want #GNUtils on #OS1337 is because the #FSF readmitted #RMS with 0 consequences!
https://www.youtube.com/watch?v=R2SKenHRhMg via @ncommander
Also #Glibc bricks shit all the time and "just recompile it" doesn't work for a minimalist #embedded-#Linux distro!
A colleague of mine gave me this link yesterday: https://github.com/Mymaqn/reenabling_fsop_on_libc2_35
I have tested a bitm and It does seem to be true that FSOP is possible again with GLIBC 2.35. No mitigation available yet.
The method requires strong primitives which are not seen too often (multiple arb. writes, libc leak and libc read), but it is possible.
I suspect that it will only be a matter of time before an easier method will be found.
GNU Spotlight with Amin Bandali: Seventeen new GNU releases in the last month including #Binutils, #Coreutils, #Emacs, #Gama, #Glibc, #Lilypond, "LinuxLibre #Poke, and more. Full details: https://u.fsf.org/40h Big thanks to @bandali0 @bandali, all the devs, and other contributors!
I have been doing some reading on relative relocations and **RELR** (`-z pack-relative-relocs`) and found 2 great posts!
☘️ https://maskray.me/blog/2021-10-31-relative-relocations-and-relr
💠 https://glandium.org/blog/?p=4297 (Hacking the #ELF format for #Firefox, 12 years later ; doing better with less)
@alexr Sorry, but it really doesn't make sense to me to compare anything just regarding #Linux vs #Linuxulator. The kernel(!) as a source of indeterminism is very unlikely, everything else (like #glibc where the allocator is implemented) is the same. I don't see what I would gain from that huge amount of work here.
@beforewisdom @Yehuda @fsf exactly.
As for the #GNUtils like #bash, I do work on getting rid of them as well where I can.
I am currently working on a #minimalist #embedded distro based off #toybox / #Linux + #musl, because #Glibc is a shitty mess that bricks stuff at random in minor version updates for no good reason!
http://os1337.com
Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Gene Goykhman, Sergey Alexandrovich Bugaev, Wang Diancheng, Warren Thomas Everett Wilkinson, and Xinyuan Zhang for assigning their copyright to the FSF! #GNU #Emacs #glibc #GDB #GNUstep #GNUHurd #GNUMach #GCC Learn more at https://u.fsf.org/3ht #CopyrightAssignments
Added these symlinks.
#glibc needs some "convincing" to install *everything* to /usr, but it works.
It solves the issue on #aarch64 and #i386 (which both install the program interpreter to /lib by default).
It does NOT solve the issue on #amd64, where the program interpreter is installed to /lib64, but *something* during #GCC build insists on finding it in /usr/lib instead. 🤯
Trying a hack with a hardlink now (after learning that glibc's ldconfig just deletes symlinks to the program interpreter).
And now, we have a working #Linux #bash running in #FreeBSD's #linuxulator
Which also finally makes the "ldd" script installed by #glibc work 😎
Ok, enough for today 😉
https://github.com/Zirias/zfbsd-ports/blob/linux/shells/linux-bash/Makefile
We have #glibc, #zlib, #binutils, #gmp, #mpfr and #mpc ... in theory everything needed to build a full-featured native #gcc for C and C++. Oh wow. Now, trying to create *this* port 😎
Edit: My hope is that with the --sysroot option (set to ${LINUXBASE}), this new toolchain will only ever look for libraries inside ${LINUXBASE}, avoiding weird build issues you might get when using the existing linux-c7-devtools port. Well, I'm not sure I fully understand this --sysroot magic 🙈
I'm carefully optimistic now again 😎
After first building very basic/limited "-bootstrap" versions of binutils and gcc into a separate prefix, it seems I could finally build a complete #GNU cross (#FreeBSD -> #Linux) toolchain, including #binutils, #glibc and #gcc (with libstdc++). This final cross gcc at least passed the most basic sanity check -- it successfully compiles an empty program 🙈
Now doing a bit of cleanup and then trying whether this beast is able to build the *real* (native) glibc for a new #Linuxulator userland 😎
@thindil Oh there *is* binary compatibility for sure. The #Linux kernel typically doesn't break its userspace-facing #ABI. #Glibc and #GCC's libstdc++ use symbol versioning to provide backwards compatibility.
The issue starts with all the other libs, there's no standard for some "base" GNU/Linux system. That's where all these (IMHO damn broken) ideas like #AppImage, #Flatpak etc come from. Of course, you could just link statically instead, seems people don't get that any more 🙈
Anyways, quite some binary #Linux software will work "anywhere" as long as the required libs are not too old (looking e.g. at browsers...). And having a #Linuxulator userland built from source *should* enable you to just add ports for missing libraries. Well, in theory 🙈
@thindil I can certainly use #FreeBSD "tools" (gmake, bison, gettext, whatever) for building this cross-toolchain. But indeed, for libraries, they need to be built targeting #Linux. And because #GCC with the full feature set needs e.g.#glibc when targeting Linux, but then you need GCC to *build* glibc, I need at least some "bootstrapping" ports. It's really a mess.
Once I have a full-featured cross GCC targeting Linux ready, I'll stop for a while to party 😂
#glibc 2.38 is out 🎉
Among other things like strlcpy & strlcat (I know, right?), it includes many fixes and improvements in the #Hurd port, and a brand new x86_64-gnu (aka 64-bit Hurd) port!
https://sourceware.org/pipermail/libc-alpha/2023-July/150524.html
Yet some of my proposed patch sets didn't make it into 2.38, so expect more in 2.39 😉
@bitpirate @gamingonlinux I mean don't get me wrong, it really shines in compatibility as @fuchsiii has shown me several times: Even ancient #Windows games will run better than under Windows...
But personally I think that #Proton / #Wine / #DXVK should be transitional mechanisms and not be turned into a perpetual crutch...
Not that I dislike it per-se but #glibc is the reason most #CCSS (incl. #Games) doesn't get #native|ly-running #ports!
Just one?
#Glibc is the major preventor of #Linux becoming the norm since #GNU literally brick shit with minor updates, and the #FSF outright ignores the the fact that #CCSS exist and not everything is #FLOSS and that people should not have to recompile their stuff!
Otherwise everything that has been touched or associated with #RMS / #Stallman is tainted and him being reinstated will continue to damage #FreeSoftware for years to come.
@lunaa @yura @torvalds because as much as we all want our favorite #FLOSS to run first, there will always be some #CCSS that can't be replaced.
That's why #Proton (#Wine + #DXVK) are seen as "necessary" (not even evil at all) mechanisms so people can even do basic #Gaming on #Linux, because #glibc prevents people from playing old #native Linux games that ain't FLOSS'd!
@lunaa @yura @torvalds I know...
There's a reason Distros like #AlpineLinux, #ChimeraLinux and almost all #embedded systems using #Busybox or #Toybox want to get rid of #glibc if not replace it with something like #uClinux, #musl,or another #libc...
Because glibc bricking stuff with minor updates kills any #CCSS and any non-#FLOSS that can't be recompiled.
And what RMS et. al. may see as intentional, I think is the biggest issie that prevents #Linux from dominating #Desktop|s!
@fuchsiii @thelinuxcast @Vivaldi yeah, #glibc makes long-term support outside of #LTS distros like #RHEL, #SLES / #SLED, #OracleLinux and #Ubuntu LTS basically impossible unless one is a hardcore #Stallmanist and hates everything not #GPL-licensed and would rather want to see #Users suffer than accept that #CCSS is as valid to exist as #FLOSS...
The proposed patch removes the use of the faccessat() function and instead relies on fstatat64().
The system I'm testing on is a 64-core/128-thread beast, and I found that building with -j32 is actually significantly faster than with -j128 (39 minutes vs 1 hour).
So the faccessat() function must be causing some sort of serialization that essentially causes a denial of service with that many jobs?
Any guesses what is going on here?
Overview of current #GLIBC #heap #exploitation #techniques up to GLIBC 2.34, including their ideas and introduced mitigations along the way by @434b
https://0x434b.dev/overview-of-glibc-heap-exploitation-techniques/
"Adhemerval Zanella (5):
linux: Add posix_spawnattr_{get,set}cgroup_np (BZ 26731)
posix: Add pidfd_spawn and pidfd_spawnp (BZ 30349)
posix: Add pidfd_fork (BZ 26371)
posix: Add PIDFDFORK_NOSIGCHLD for pidfd_fork
linux: Add pidfd_getpid"
YES YES YES, TO ALL OF IT.
https://sourceware.org/pipermail/libc-alpha/2023-July/149741.html
glibc 2.37 is now out! https://sourceware.org/pipermail/libc-alpha/2023-February/145190.html #glibc @gnutools
I'm having a bit of an #ADHD moment and I am considering cooking together a new minimal #Linux distribution, something along the lines of #AlpineLinux but with #glibc and #tdnf.
Is there even space for a new contender or will this become yet another half-finished directory in ~/projects?