LWN Headlines

Regehr: GCC 4.8 Breaks Broken SPEC 2006 Benchmarks

John Regehr explains how new optimizations in GCC 4.8.0 can break code making use of undefined behavior. "A C compiler, upon seeing d[++k], is permitted to assume that the incremented value of k is within the array bounds, since otherwise undefined behavior occurs. For the code here, GCC can infer that k is in the range 0..15. A bit later, when GCC sees k<16, it says to itself: 'Aha-- that expression is always true, so we have an infinite loop.'"

GCC 4.8.0 released

The GCC 4.8.0 release is out. "Extending the widest support for hardware architectures in the industry, GCC 4.8 has gained support for the upcoming 64-bit ARM instruction set architecture, AArch64. GCC 4.8 also features support for Hardware Transactional Memory on the upcoming Intel Haswell CPU architecture." There's a lot of new stuff in this release; see the changes file and LWN's GCC 4.8.0 coverage for details.

OpenSSH 6.2 released

OpenSSH 6.2 is out. New features include some new encryption modes, the ability to require multiple authentication protocols (requiring both public key and a password, for example), key revocation list support, better seccomp-filter sandbox support, and more.

Friday's security updates

CentOS has updated boost (code execution) and qt (information disclosure).

Fedora has updated kernel (multiple vulnerabilities), mediawiki (F17, F18; session fixation flaw), perl (denial of service), and privoxy (F17, F18; proxy spoofing).

openSUSE has updated telepathy-gabble (denial of service).

Oracle has updated boost (code execution) and qt (information disclosure).

Red Hat has updated boost (code execution), Django (multiple vulnerabilities), openstack-cinder (multiple vulnerabilities), openstack-nova (multiple vulnerabilities), openstack-packstack (insecure file handling), and qt (information disclosure).

Scientific Linux has updated boost (code execution) and qt (information disclosure).

Russell: GCC and C vs C++ Speed, Measured

Rusty Russell ran an investigation to determine whether code compiled with the GCC C++ compiler is slower than code from the C compiler. "With this in mind, and Ian Taylor’s bold assertion that 'The C subset of C++ is as efficient as C', I wanted to test what had changed with some actual measurements. So I grabbed gcc 4.7.2 (the last release which could do this), and built it with C and C++ compilers." His conclusion is that the speed of the compiler is the same regardless of how it was built; using C++ does not slow things down.

China to standardize on Ubuntu

Canonical has announced a collaboration with the Chinese government to create a standard operating system reference architecture based on the Ubuntu distribution. "The initial work of the CCN Joint Lab is focused on the development of an enhanced version of the Ubuntu desktop with features specific to the Chinese market. The new version is called Ubuntu Kylin and the first version will be released in April 2013 in conjunction with Ubuntu’s global release schedule. Future work will extend beyond the desktop to other platforms."

Security updates for Thursday

Debian has updated libapache2-mod-perl2 (regression in previous security fix) and smokeping (cross-site scripting).

Fedora has updated firebird (F17; F18: remote code execution).

openSUSE has updated typo3-cms (two vulnerabilities) and pidgin (multiple vulnerabilities).

Red Hat has updated java-1.6.0-sun (Web Start and browser plugin EOL).

Ubuntu has updated python-nova (two vulnerabilities), python-keystone (12.10: incorrect revocation checking), clamav (multiple unspecified vulnerabilities), and OMAP4 kernel (12.10: multiple vulnerabilities).

[$] Anatomy of a user namespaces vulnerability

An exploit posted on March 13 revealed a rather easily exploitable security vulnerability (CVE 2013-1858) in the implementation of user namespaces. That exploit enables an unprivileged user to escalate to full root privileges. Although a fix was quickly provided, it is nevertheless instructive to look in some detail at the vulnerability, both to better understand the nature of this kind of exploit and also to briefly consider how this vulnerability came to appear inside the user namespaces implementation.

Tor 2012 Annual Report

The Tor Project has announced the availability of its 2012 annual report. (PDF) "Tor’s daily usage continues to increase in size and diversity, bringing secure, global channels of communication and privacy tools to journalists, law enforcement, governments, human rights activists, business leaders, militaries, abuse victims and average citizens concerned about online privacy." (Thanks to Paul Wise)

Security advisories for Wednesday

CentOS has updated sssd (C6: privilege violation).

Fedora has updated telepathy-gabble (F18: denial of service), gnome-online-accounts (F18: information disclosure), kernel (F18: privilege escalation), and sudo (F17: privilege escalation).

openSUSE has updated transmission (code execution), wireshark (12.3, 12.2, 12.1; 11.4: multiple vulnerabilities), sudo (12.3, 12.2, 12.1; 11.4: privilege escalation), firebird (12.3, 12.2, 12.1; 11.4: code execution), perl (12.3, 12.2, 12.1; 11.4: multiple vulnerabilities), krb5 (denial of service), and java-1_7_0-openjdk (code execution).

Oracle has updated sssd (OL6: privilege violation).

Red Hat has updated kernel (RHEL 6.1 EUS; RHEL 6.3 EUS: kernel-mode code execution) and sssd (RHEL6: privilege violation).

Scientific Linux has updated sssd (SL6: privilege violation).

SUSE has updated Ruby on Rails (multiple vulnerabilities) and rubygem-merb-core (multiple vulnerabilities).

Ubuntu has updated perl (denial of service).

Plasma Media Center 1.0.0 released

The first release of the Plasma Media Center has been announced. "KDE's Plasma Media Center (PMC) is aimed towards a unified media experience on PCs, Tablets, Netbooks, TVs and any other device that is capable of running KDE. PMC can be used to view images, play music or watch videos."

MongoDB 2.4 release

Version 2.4 of the MongoDB "NoSQL" database system has been released. Headline features include a new text search facility, spherical geometry support, hash-based sharding, Kerberos authentication, and more; see the release notes for details.

Goodbye Malcolm (Tredinnick)

The Django community mourns the passing of Malcolm Tredinnick. "Malcolm was a long-time contributor to Django, a model community member, a brilliant mind, and a friend. His contributions to Django — and to many other open source projects — are nearly impossible to enumerate. Many on the core Django team had their first patches reviewed by him; his mentorship enriched us. His consideration, patience, and dedication will always be an inspiration to us."

Ubuntu to halve support length for non-LTS releases (The H)

The H reports that support for Ubuntu's non-LTS releases will be shortened to nine months. "In a meeting of the Ubuntu Technical Board last night, the technical leadership of Canonical's Linux distribution decided to halve the support time for non-LTS releases to nine months. At the same time, the developers want to make it easier for users of the distribution to get up-to-date packages on a regular basis without the need to perform explicit upgrades of the whole distribution. Attending the meeting, Matt Zimmerman, Colin Watson and Stéphane Graber unanimously agreed on these points and also clearly voted against moving Ubuntu into a rolling release model. The changes will be implemented in the maintenance schedule starting with the release of Ubuntu 13.04 ("Raring Ringtail") on 25 April."

Tuesday's security updates

CentOS has updated krb5 (C6: denial of service).

Mageia has updated clamav (multiple vulnerabilities).

Oracle has updated krb5 (OL6: denial of service).

Red Hat has updated krb5 (RHEL6: denial of service).

Scientific Linux has updated krb5 (SL6: denial of service).

SUSE has updated java5 (SLES 10 SP3 LTSS: multiple vulnerabilities), java2 (SUSE CORE 9: multiple vulnerabilities).

Ubuntu has updated kernel (12.04 LTS; 12.10: multiple vulnerabilities) and Quantal HWE kernel (12.04 LTS: multiple vulnerabilities).

[$] When does the FSF own your code?

Many pixels have been expended in the discussion of contributor agreements that transfer copyright from developers to a company or foundation. But, for developers in many projects, the discussion is moot, in that the requirement for an agreement exists and the papers must be signed before contributions to the project can be made. But, even then, there are some interesting details that merit attention. A recent discussion regarding one developer's contributions to the Emacs Org mode project shows how expansive and poorly understood such agreements can be in some cases.

Pages