LWN Headlines

LibreOffice 4.0: First Take (ZDNet)

ZDNet reviews the LibreOffice 4.0 release. "The Document Foundation (the organization behind LibreOffice) calls version 4 a milestone release. It's hard to agree, though — unless the milestone is more like the starting line. On the surface this looks like a welcome point release that improves compatibility, although bringing the Android remote presentation control to Windows will make it more significant. However, after all this time we were hoping for a much more major update."

Security updates for Tuesday

CentOS has updated elinks (C5; C6: information disclosure).

Fedora has updated samba (F18; F17; F16: multiple vulnerabilities in SWAT), libupnp (F18; F17; F16: multiple vulnerabilities), dnsmasq (F18: access restriction bypass), sssd (F17: file modification and denial of service), httpd (F17: multiple vulnerabilities), samba4 (F17: multiple vulnerabilities in SWAT), and freetype (F17: denial of service).

Mandriva has updated java-1.6.0-openjdk (multiple unspecified vulnerabilities).

openSUSE has updated opera (12.1; 11.4: multiple vulnerabilities), libvirt (12.2; 12.1: code execution as root), wireshark (12.2, 12.1; 11.4: multiple vulnerabilities), samba (12.2, 12.1; 11.4: multiple vulnerabilities in SWAT), ruby on rails (12.2, 12.1; 11.4: multiple vulnerabilities), flash-player (12.1; 11.4: multiple vulnerabilities), and gnutls (12.1: denial of service).

Oracle has updated elinks (OL6; OL5: information disclosure).

Red Hat has updated elinks (information disclosure) and openstack-keystone (denial of service).

Scientific Linux has updated elinks (information disclosure).

Slackware has updated openssl (regression in previous update).

Ubuntu has updated gnome-screen-saver (12.10: unauthorized session access), postgresql (information disclosure/denial of service), and kernel (10.04 LTS; 11.10: denial of service/information leak).

Pitt: umockdev: record and mock hardware for debugging and testing

Martin Pitt introduces umockdev, a device simulation library. "The umockdev-run program builds a sandbox using libumockdev, can load *.umockdev and *.ioctl files into it, and run a program in that sandbox. I. e. it is a CLI interface to libumockdev, which is useful in the 'debug a failure with a particular device' use case if you get the text dumps from a bug report."

[$] LCA: The X-men speak

Linux.conf.au 2013 in Canberra provided an interesting window into the world of display server development with a pair of talks about the X Window System and one about its planned successor Wayland (a talk which will be the subject of its own article shortly). First, Keith Packard discussed coming improvements to compositing and rendering. He was followed by David Airlie, who talked about recent changes and upcoming new features for the Resize, Rotate and Reflect Extension (RandR), particularly to cope with multiple-GPU laptops. Each talk was entertaining enough in its own right, but they worked even better together as the speakers interjected their own comments into one another's Q&A period (or, from time to time, during the talks themselves).

Emont: Video decoding in a sandbox

Guillaume Emont describes his work using the Chromium sandbox mechanism to make video decoding in GStreamer more secure. "The way setuid-sandbox works is rather straightforward: there is a sandboxme command that needs to be installed setuid root. You run sandboxme my_command and then from inside my_command, you first set up the file descriptors that you will need (being careful not to put there anything that could allow to escape the sandbox, more on that later), and then you call the provided chrootme() function, which will tell the sandboxme process to restrict the privileges that my_command has (e.g. it can still read and write on the fds that it has open, but it cannot open new ones)."

Some weekend security updates

Lest the LWN mailbox collapse under the load of security advisories (many of which are Java-related) coming through, we'll send them out now:

CentOS has updated java-1.6.0-openjdk (C5, C6: 20 CVE numbers) and java-1.7.0-openjdk (C5, C6: 22 CVE numbers).

Fedora has updated squid (F17, F18: denial of service), kernel (F18: local privilege escalation), sssd (F18: local privilege escalation and denial of service), java-1.6.0-openjdk (F16: 20 CVE numbers), java-1.7.0-openjdk (F16, F17, F18: 22 CVE numbers), wordpress (F17, F18: multiple vulnerabilities), rubygem-activesupport (F16, F17: nasty remote vulnerabilities), android-tools (F16, F17, F18: temporary file vulnerability), and openstack-nova (F17: unauthorized volume access).

Mageia has updated apache-poi (denial of service), libreoffice (denial of service), mariadb (code execution, denial of service, and information disclosure), and abrt (privilege escalation).

Mandriva has updated libssh (denial of service).

openSUSE has updated kernel (credential spoofing) and mysql (code execution, denial of service, and information disclosure).

Oracle has updated java-1.6.0-openjdk (OL5, OL6: 20 CVE numbers) and java-1.7.0-openjdk (OL6: 22 CVE numbers).

Red Hat has updated java-1.6.0-openjdk (RHEL5, RHEL6: 20 CVE numbers) and java-1.7.0-openjdk (RHEL5-6: 22 CVE numbers).

Scientific Linux has updated java-1.6.0-openjdk (SL5, SL6: 20 CVE numbers) and java-1.7.0-openjdk (SL5-6: 22 CVE numbers).

Slackware has updated openssl (multiple vulnerabilities).

Chromatic: Goodnight, Parrot

Perl developer Chromatic has posted a post-mortem of sorts for the Parrot virtual machine. "Because volunteer time and interest and skills are not fungible, some of the people working Parrot had goals very different from mine. I wanted a useful and usable Perl 6 which allowed me to use (for example) PyGame and NLTK from Python and (if it had existed at the time) a fast CSS traversal engine from a JavaScript implementation. Other people wanted other things which had nothing to do with Perl 6. I won't speak for anyone else, but I suspect that the combination of a deliberate distancing of Parrot from Perl 6, including separate repositories, the arm's length of a six month deprecation policy, and an attempt to broaden Parrot's focus beyond just Rakudo created rifts that have only widened by now."

Kernel prepatch 3.8-rc7

The 3.8-rc7 kernel prepatch is out. Linus says: "Anyway, here it is. Mostly driver updates (usb, networking, radeon, regulator, sound) with a random smattering of other stuff (btrfs, networking, so on). And most everything is pretty small."

OpenPlans: EveryBlock and OpenBlock (and something new)

The OpenPlans blog reports on the abrupt shutdown of EveryBlock, a popular "hyperlocal" news site run by NBC (and which was initially based on open source code). "What we lost today was a powerful (closed) engine for gathering data from many different sources and making sense of it," OpenPlans says, adding that it hopes the EveryBlock shutdown will reignite interest in the open source fork of the original codebase, OpenBlock. Others have commented on the sudden shutdown as well, including Mozilla OpenNews, which said the site "exemplified new approaches" to journalism.

Kroah-Hartman: AF_BUS, D-Bus, and the Linux kernel

Greg Kroah-Hartman writes about plans to get D-Bus functionality into the kernel (a topic last covered here in July, 2012). "Our goal (and I use 'goal' in a very rough term, I have 8 pages of scribbled notes describing what we want to try to implement here), is to provide a reliable multicast and point-to-point messaging system for the kernel, that will work quickly and securely. On top of this kernel feature, we will try to provide a 'libdbus' interface that allows existing D-Bus users to work without ever knowing the D-Bus daemon was replaced on their system."

Friday's security updates

CentOS has updated xen (denial of service).

Debian has updated ircd-hybrid (denial of service).

Fedora has updated libexif (F16, F17: multiple vulnerabilities) and libvirt (F16, F17: privilege escalation).

Mageia has updated couchdb (multiple vulnerabilities), flash-player-plugin (multiple vulnerabilities), nagios (denial of service), openssl (multiple vulnerabilities), and opera (multiple vulnerabilities).

Oracle has updated kernel 2.6.39 (multiple vulnerabilities), kernel 2.6.32 (multiple vulnerabilities), and xen (denial of service).

Red Hat has updated flash-plugin (multiple vulnerabilities) and xen (denial of service).

Scientific Linux has updated xen (denial of service).

Slackware has updated curl (code execution).

Gräßlin: Client Side Window Decorations and Wayland

KWin hacker Martin Gräßlin discusses client side decorations (CSD) and Wayland on his blog. He notes that while Weston—the reference Wayland compositor—requires CSD, nothing in the Wayland protocol does. "I had a talk with Andy from Qt Wayland fame about the CSD implementation and he explained [to] me that inside Qt the CSD code gives some overhead and that they have a flag to turn them off. Which is great. And we in KWin already have server side decorations and will need to keep them around for legacy X applications. What's the point then to use CSD in Qt if we already have the decorations and can give the application a better performance? Well none and that's why I plan to use server side decoration in KWin on Wayland."