Gentoo Weekly Newsletter: December 8th, 2003
1.
Gentoo News
Summary
We're very pleased to announce the launch of three major efforts: Gentoo Linux 2004, Portage-ng
and catalyst. Starting with the next release of Gentoo Linux (Gentoo Linux
2004), Gentoo Linux will move to a quarterly release schedule. More info is
available in the Roadmap for Gentoo Linux
2004.
In addition, we're pleased to announce the start of development on
"portage-ng," the successor to the ever-popular portage package manager. Learn
more at our Portage project page and our
in-progress architecture
specification document for Portage-ng development. Portage-ng will be a
true community effort, and we encourage you to get involved.
And then there's catalyst. Starting with Gentoo Linux 2004, all
releases (including LiveCDs) will be fully user-rebuildable using our new catalyst
build technology. Using catalyst, Gentoo users will be able to easily create
their own customized Gentoo releases, LiveCDs, GameCDs -- you name it. The
current
development version of catalyst supports building stages and GRP sets on
AMD64 (both 64-bit and 32-bit x86), x86 and PowerPC. LiveCD/GameCD building
will be released by the end of the year. Keep up-to-date on catalyst by
visiting our (currently sparse) catalyst
project pages. Enjoy!
Gentoo rsync.gentoo.org server compromised
On 2 December at approximately 03:45 UTC, one of the servers that makes
up the rsync.gentoo.org rotation was compromised, possibly via a remotely
exploitable rsync buffer overflow. Please also be sure to read GLSA-200312-02
and upgrade to kernels without the brk vulnerability.
The compromised system had both an IDS and a file integrity
checker installed and we have a very detailed forensic trail of what
happened once the box was breached, so we are reasonably confident that the
portage tree stored on the box was unaffected. This box has been
removed from all rsync.*.gentoo.org rotations and will remain so until
forensic analysis has been completed and it has been wiped and rebuilt.
For more details, see the
GLSA.
In regard to the hard work involved in logging, tracking down and fixing
this rsync vulnerability, Gentoo would like to extend thanks to Andrea
Barisani, Nedd Ludd, Kurt Lieber, and Corey Shields (of the Gentoo
Infrastructure team), Michael Warfield and the ISS team, and the rsync development team for
handling the recent issues. A special thanks goes to Dave Monnier, Lead
Security Engineer for the Information Technology Security Office of Indiana
University, and his team, for their assistance as well.
'emerge rsync' etiquette
Over recent weeks we have noticed an increase in the number of connection
attempts people make to the rsync servers per day. Because rsync is quite
intensive on the server (both for CPU and disk access), syncing many times
a day wastes a lot of resources apart from bandwidth; during the time it's
processing such a request it could be serving someone else with a greater
number of changes in their portage tree.
As such, we request that people endeavour to run `emerge sync' at most once
or twice a day; if you have several machines in a LAN, then set up a local
rsync mirror updating from `rsync.gentoo.org' instead of targeting any
particular mirror.
We reserve the right to monitor users' connection-rates in order to
preserve server performance.
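One way to set up the local mirror requested above, as an added example in POSIX sh (this is not code from the newsletter or from Gentoo's infrastructure): a single host pulls the tree from rsync.gentoo.org at most twice a day from cron and serves it read-only, chrooted and only to the LAN through its own rsync daemon, while every other machine syncs from that host. The mirror root, the LAN subnet, the cron times, the script path and the mirror hostname are assumptions.

```sh
#!/bin/sh
# Local Portage rsync mirror for a LAN (added example; the paths, subnet and
# schedule are assumptions, not Gentoo infrastructure settings).
set -eu

MIRROR_ROOT=${MIRROR_ROOT:-/var/portage-mirror}
UPSTREAM=${UPSTREAM:-rsync://rsync.gentoo.org/gentoo-portage}
LAN=${LAN:-192.168.1.0/24}
PULL_SCRIPT=${PULL_SCRIPT:-/usr/local/sbin/portage-mirror-pull}

# Pull the tree from the public rotation. Only this host talks to
# rsync.gentoo.org; everything else on the LAN syncs from this host.
pull_tree() {
    rsync --recursive --links --safe-links --perms --times --compress \
          --force --whole-file --delete --delete-after --timeout=300 \
          --stats "$UPSTREAM/" "$MIRROR_ROOT/"
}

# Write an rsyncd.conf that exposes the mirror read-only, chrooted, and only
# to the LAN. Run the daemon only with an rsync that has the overflow fix
# (>= 2.5.7), since the daemon is the remotely reachable part.
write_rsyncd_conf() {
    cat > "$1" <<EOF
uid = nobody
gid = nobody
use chroot = yes
max connections = 20
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd.log

[gentoo-portage]
    path = $MIRROR_ROOT
    comment = Local Gentoo Portage mirror
    read only = yes
    hosts allow = $LAN
EOF
}

# Crontab line for the mirror host: two pulls a day, at 04:17 and 16:17,
# which keeps the whole site within the once-or-twice-a-day request.
cron_line() {
    printf '17 4,16 * * * root %s\n' "$PULL_SCRIPT"
}

# SYNC setting for /etc/make.conf on the LAN clients (mirror hostname assumed).
client_sync_setting() {
    printf 'SYNC="rsync://%s/gentoo-portage"\n' "${1:-mirror.lan}"
}

# Invoked as "portage-mirror-pull pull" from the cron line above.
case ${1:-} in
    pull) pull_tree ;;
esac
```

Install the generated file as /etc/rsyncd.conf on the mirror host, put the cron line in /etc/crontab, and set SYNC in /etc/make.conf on each client to the value client_sync_setting prints; after that only the mirror host ever contacts the public rotation.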
More praise: Linux Journal
This week Gentoo Linux has received praise from another Linux periodical: Linux Journal. In their review of Gentoo, they say that "In addition to endless customization possibilities and performance improvements, Gentoo offers solid documentation and a strong community support base".
2.
Featured Developer of the Week
Arcady Genkin
Figure 2.1: Arcady Genkin
Our featured developer this week is Arcady Genkin (agenkin), who helps
maintain many of the sound and video ebuilds in portage, notably
alsa-drivers and xine. His primary duties are
implementing bug fixes and ensuring that ebuild packages remain
current. He has significant experience as an Open-Source developer,
having been a core developer on the Squirrelmail project and the
primary author of the nhmon tool
for simultaneous monitoring of a large number of hosts.
Currently residing in downtown Toronto, Canada, Arcady is originally
from St. Petersburg, Russia. He is a graduate of the Engineering
School of Electronics in St. Petersburg, where he studied production
of micro-electronic devices and technical translation. He also has an
Honours Bachelor of Science in Computer Science from the University of
Toronto. He works as a Systems Programmer/Administrator for the
Department of Computer Science at the University of Toronto. The job
primarily comprises programming various tools for automating systems
administration and instructional assistance for Computer Science
courses. According to Arcady, it is "the perfect mix of programming
tasks, ranging from C, Python, Perl and PHP programming to keeping
mail, DNS, web servers running to installing new software".
Arcady's home environment contains six computers: a FreeBSD
firewall/server, two workstations (his is the Gentoo one, we won't
talk about his girlfriend's), a gentoo-based diskless multimedia
station, and two notebooks (his runs Debian). At work, he has some
responsibility for about 200 workstations, 50 Sun Sparc Ultra5 and
Ultra10 X terminals, and a double-handful of servers. His workstation
runs Gentoo. He is a KDE user (largely because of the reliable
keyboard switching between Cyrillic and Latin). He launches XMMS and Tkabber at startup, and does
much of his work in XEmacs.
Arcady enjoys hiking, skiing, watching movies, music and reading. He
is currently learning French and reading Words by Sartre. He
is fond enough of one of e.e. cummings poems to include it in his
.sig: guilt is the cause of more disauders; than history's most
obscene marorders. When asked about Gentoo, he told us that
"Gentoo Linux can be a very convenient tool in experienced hands; its
main advantage is that it is very customizable: it is extremely easy
to add new packages to it, or modify existing ones, including the
packages of the base system".
3.
Gentoo Security
Summary
GLSA: rsync.gentoo.org rotation server compromised
On December 2nd at approximately 03:45 UTC, one of the servers that makes up
the rsync.gentoo.org rotation was compromised via a remote exploit. At this
point, we are still performing forensic analysis. However, the compromised
system had both an IDS and a file integrity checker installed and we have a
very detailed forensic trail of what happened once the box was breached, so
we are reasonably confident that the portage tree stored on that box
was unaffected.
The attacker appears to have installed a rootkit and modified/deleted some
files to cover their tracks, but left the server otherwise untouched. The box
was in a compromised state for approximately one hour before it was
discovered and shut down. During this time, approximately 20 users
synchronized against the portage mirror stored on this box. The method used
to gain access to the box remotely is still under investigation. We will
release more details once we have ascertained the cause of the remote
exploit.
This box is not an official Gentoo infrastructure box and is instead donated
by a sponsor. The box provides other services as well and the sponsor has
requested that we not publicly identify the box at this time. Because the
Gentoo part of this box appears to be unaffected by this exploit, we are
currently honoring the sponsor's request. That said, if at any point, we
determine that any file in the portage tree was modified in any way, we will
release full details about the compromised server.
GLSA: kernel
Lack of proper bounds checking exists in the do_brk() kernel function in
Linux kernels prior to 2.4.23. This bug can be used to give a userland
program or malicious service access to the full kernel address space and
gain root privileges. This issue is known to be exploitable.
All kernel ebuilds in Portage have been bumped or patched and do not contain
this vulnerability. The following is a list of recommended kernels.
- aa-sources-2.4.23_pre6-r3
- ck-sources-2.4.22-r3
- gentoo-sources-2.4.20-r9
- gentoo-sources-2.4.22-r1
- grsec-sources-2.4.22.1.9.12-r1
- grsec-sources-2.4.22.2.0_rc3-r1
- gs-sources-2.4.23_pre8-r1
- hardened-sources-2.4.22-r1
- ia64-sources-2.4.22-r1
- mips-sources-2.4.22-r4
- mips-sources-2.4.22-r5
- openmosix-sources-2.4.22-r1
- ppc-sources-2.4.22-r3
- ppc-sources-benh-2.4.20-r9
- ppc-sources-benh-2.4.21-r2
- ppc-sources-benh-2.4.22-r3
- ppc-sources-crypto-2.4.20-r1
- selinux-sources-2.4.21-r5
- sparc-sources-2.4.23
- usermode-sources-2.4.22-r1
- wolk-sources-4.10_pre7-r1
- wolk-sources-4.9-r2
- xfs-sources-2.4.20-r4
- Severity: High
- Packages Affected: <2.4.22
- Rectification:
emerge sync;
emerge -pv [your preferred kernel sources];
emerge [your preferred kernel sources];
[update the /usr/src/linux symlink];
[compile and install your new kernel];
[emerge any necessary kernel module ebuilds];
[reboot];
- GLSA Announcement
GLSA: exploitable overflow in rsync
Rsync version 2.5.6 and earlier contains a buffer overflow that can be used
to run arbitrary code. The Gentoo infrastructure team has some reasonably good
forensic evidence that this exploit may have been used in combination with
the Linux kernel brk vulnerability (see GLSA 200312-02) to exploit a
rsync.gentoo.org rotation server (see GLSA-200312-01). The overflow is in the
rsync daemon, so only hosts that run rsync in daemon mode (rsync --daemon) can
be attacked over the network; client-only use such as `emerge sync' is not
remotely exposed, but every system should still upgrade.
Please see http://lwn.net/Articles/61541/ for the security advisory released
by the rsync development team.
- Severity: High
- Packages Affected: <=2.5.6
- Rectification: emerge sync; emerge >=net-misc/rsync-2.5.7
- GLSA Announcement
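A quick way to check a host against this advisory, as an added example in POSIX sh (not part of the GLSA or of Gentoo's tooling): it parses the version out of `rsync --version`, compares it numerically against 2.5.6, and warns if something is listening on the rsync daemon port, which is the configuration that is reachable remotely. The version-line format shown in the comments is the real one; the use of netstat for the listening check is an assumption about the host's tools.

```sh
#!/bin/sh
# Is this host's rsync still at or below the vulnerable 2.5.6, and is it
# running as a daemon? Added example, not part of the GLSA; the netstat
# check assumes GNU/Linux tools.
set -eu

# ver_num "2.5.6" -> 2005006 so that dotted versions compare as integers.
# Missing components count as 0; a suffix such as "pre1" is dropped.
ver_num() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | {
        IFS=. read -r maj min pat rest
        echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
    }
}

# rsync_vulnerable VERSION: succeeds (exit 0) if VERSION <= 2.5.6.
rsync_vulnerable() {
    [ "$(ver_num "$1")" -le "$(ver_num 2.5.6)" ]
}

# Extract the version from the first line of `rsync --version`, e.g.
# "rsync  version 2.5.6  protocol version 26" -> "2.5.6". The pattern is
# anchored at the start so that "protocol version 26" is not picked up.
parse_rsync_version() {
    printf '%s\n' "$1" | sed -n '1s/^rsync *version *\([0-9.]*\).*/\1/p'
}

installed_rsync_version() {
    parse_rsync_version "$(rsync --version 2>/dev/null | head -n 1)"
}

# True if something is listening on the rsync daemon port (873/tcp).
rsyncd_listening() {
    netstat -ltn 2>/dev/null | grep -q '[:.]873[[:space:]]'
}

report() {
    v=$(installed_rsync_version)
    if [ -z "$v" ]; then
        echo "rsync not installed; nothing to do"
    elif rsync_vulnerable "$v"; then
        echo "rsync $v is vulnerable: emerge sync; emerge '>=net-misc/rsync-2.5.7'"
        if rsyncd_listening; then
            echo "WARNING: an rsync daemon is listening on 873/tcp; stop it until upgraded"
        fi
    else
        echo "rsync $v has the fix"
    fi
}

report
```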
New Security Bug Reports
The following new security bugs were posted this week:
4.
Heard in the Community
Compromised Rsync Forum Fallout
Well, yes, of course, the unfortunate attack on one of the servers in Gentoo's community-driven rsync round-robin server structure had its repercussions on the forums, too. A quick overview of the more prominent threads covering this mishap and the way it was dealt with:
The GIMP
Growing demand for the unstable Gimp 1.3 development series has led to a number of threads last week, half of which ended up in the dups bin... Information on how to build the new Gimp, what works and what doesn't (the SANE scanner plugin, sadly, appears to be broken):
gentoo-user
Annoying Terminals
Frustrated with his Bash terminal window wrapping long lines of
text into the same line, list member Helder asked for help.
Read on
for a great tip for keeping your terminal session updated on how large
your text console or window size is.
More CFLAGS benchmarking
In the latest mailing list CFLAGS thread, the -O parameter
is discussed. Check out what some other users thought as well
as some test results
here.
gentoo-dev
Kernel modules rebuilder.
Whenever you upgrade your kernel, there are always some packages that need rebuilding. Well, here is a handy little program that finds all those packages for you and rebuilds them as well! Also in the replies are some other options to do similar things.
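As an added example of the idea (not the program posted to gentoo-dev), here is a POSIX sh script that finds the packages to rebuild by scanning Portage's installed-package database: every installed package has a /var/db/pkg/<category>/<pkg-version>/CONTENTS file with one "obj PATH MD5 MTIME" line per installed file, so any package with an obj line under /lib/modules/ ships a kernel module. It prints an emerge command with =category/pkg-version atoms so that exactly the installed versions are rebuilt. The VDB path is overridable for testing; the package names in the test are constructed.

```sh
#!/bin/sh
# Find installed packages that put files under /lib/modules/ (the ones a new
# kernel needs rebuilt) by scanning Portage's installed-package database.
# Added example, not the program from the mailing-list thread. The VDB layout
# (<category>/<pkg-ver>/CONTENTS with "obj PATH MD5 MTIME" lines) is Portage's
# real one; the sample packages used when testing this are constructed.
set -eu

VDB=${VDB:-/var/db/pkg}
MODULES_DIR=${MODULES_DIR:-/lib/modules/}

# Print category/pkg-version for every installed package that owns at least
# one regular file under $MODULES_DIR.
module_packages() {
    for contents in "$VDB"/*/*/CONTENTS; do
        [ -f "$contents" ] || continue
        if grep -q "^obj $MODULES_DIR" "$contents"; then
            pkgdir=${contents%/CONTENTS}      # .../category/pkg-ver
            category=${pkgdir%/*}             # .../category
            printf '%s/%s\n' "${category##*/}" "${pkgdir##*/}"
        fi
    done
}

# Turn "category/pkg-1.0.2-r1" into "category/pkg": the version starts at
# the first "-" that is followed by a digit.
strip_version() {
    printf '%s\n' "$1" | sed 's/-[0-9][^/]*$//'
}

# Print the emerge command that rebuilds exactly the installed versions
# (=category/pkg-ver atoms); fails if no installed package ships modules.
rebuild_command() {
    atoms=$(module_packages | sed 's/^/=/' | tr '\n' ' ')
    [ -n "$atoms" ] || return 1
    printf 'emerge %s\n' "${atoms% }"
}

# Show the rebuild command for this machine. Run it after the new kernel is
# installed and /usr/src/linux points at its source tree.
rebuild_command || echo "no installed package ships kernel modules"
```

Rebuilding by =category/pkg-version keeps the same versions you had; drop the "=" and use strip_version's output instead if you would rather let emerge pick the current best version of each module package.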
5.
Gentoo International
Italy: Gentoo Day 29 November 2003
All too quietly, the Italian Linux Day in Venice organised by the Venezia Free Software Users Group passed us by on Saturday 29 November, particularly embarrassing because the GECHI (an acronym for "Gentoo CHannel Italy" also meaning "gecco" in Italian) hijacked the occasion to organise their first Gentoo Day! Gilberto de Faveri aka MyZelF held a presentation about Gentoo Linux, and the photo album illustrates some other things that happened in the course of the event. Now, had they wanted an announcement of the event before the scheduled date, they surely would have told us, wouldn't they...
Germany: Yet Another Oberhausen GLUM
Gentoo Linux User Meetings (GLUMs) seem to be particularly popular in Germany. Gentooists in Oberhausen, the unofficial heart of the Ruhrgebiet region, have scheduled a follow-up meeting to their first gathering two months ago, to be held at Gasthof Harlos in Oberhausen on 10 December 2003. Details are to be had via a mailing list (gentoo-treffen@etherkiller.de, subscribe by sending a message to gentoo-treffen-subscribe at the same domain) or via this Forum thread.
6.
Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. Between 28 November 2003 and 04 December 2003, activity
on the site has resulted in:
- 429 new bugs during this period
- 215 bugs closed or resolved during this period
- 13 previously closed bugs were reopened this period
Of the 4328 currently open bugs: 91 are labeled 'blocker', 183 are labeled 'critical', and 321 are labeled 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs during this period are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs during this period are:
7.
Tips and Tricks
Backing up files with tar
This week's tip demonstrates a quick way to back up files using
tar.
One of the options for tar is -T FILE, which tells tar to read the
list of files and directories to archive from FILE (one per line)
instead of from the command line. So, create a file named
backup.conf and list everything you want backed up in this file,
one entry per line. Then run tar and specify -T backup.conf.
Because the list below includes /etc/shadow, create and store the
archive so that only root can read it (for example, run the command
with umask 077 and keep the archives in a directory with mode 0700).
Code Listing 7.1: backup.conf
# cat >> /etc/backup.conf <<EOF
/etc/passwd
/etc/shadow
/etc/group
/etc/make.conf
/etc/postfix
EOF
Now use tar to create a backup archive of your files.
Code Listing 7.2: tar -T
# tar -cjf backup-`date +%Y-%m-%d`.tar.bz2 -T /etc/backup.conf
This will archive your files in a file named
backup-YYYY-MM-DD.tar.bz2 (where YYYY is the year, MM
is the month, and DD is the day). GNU tar strips the leading / from
the member names, so the archive extracts relative to the current
directory.
Note: You could also specify an absolute path such as
/backups/backup-`date +%Y-%m-%d`.tar.bz2 and run the command
as a script from cron on a recurring basis.
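The same tip as a complete cron-ready script, added here as an example that is not the newsletter's own listing: it keeps the list-driven tar -T approach, allows comment lines in the list, creates the dated archive under a restrictive umask so that the copy of /etc/shadow inside it is readable only by root, and reads the archive back to verify it before reporting success. BACKUP_DIR, the list path, the compression flag variable and the script's installed path are assumptions.

```sh
#!/bin/sh
# Dated, list-driven tar backup (tar -T) whose archive is created readable
# only by root, since the list contains /etc/shadow. Added example, not the
# newsletter's listing; BACKUP_DIR, LIST and the script path are assumptions.
set -eu

BACKUP_DIR=${BACKUP_DIR:-/backups}
LIST=${LIST:-/etc/backup.conf}
COMPRESS=${COMPRESS-j}    # tar compression flag: j = bzip2, z = gzip, "" = none

# Write the file list once. Comment lines are allowed; they are stripped
# before the list reaches tar.
write_list() {
    cat > "$1" <<'EOF'
# files and directories to back up, one per line
/etc/passwd
/etc/shadow
/etc/group
/etc/make.conf
/etc/postfix
EOF
}

# archive_name -> BACKUP_DIR/backup-YYYY-MM-DD.tar.bz2 (extension follows COMPRESS)
archive_name() {
    case $COMPRESS in
        j) ext=tar.bz2 ;;
        z) ext=tar.gz ;;
        *) ext=tar ;;
    esac
    printf '%s/backup-%s.%s\n' "$BACKUP_DIR" "$(date +%Y-%m-%d)" "$ext"
}

# backup_files LISTFILE: create the archive with mode 0600 and print its path.
backup_files() {
    list=$1
    archive=$(archive_name)
    umask 077                                  # archive is created 0600
    mkdir -p "$BACKUP_DIR"                     # new directory gets 0700 too
    # Drop comments and blank lines and feed the rest to tar -T on stdin.
    # GNU tar strips the leading "/" so the archive extracts relative to ".".
    grep -v '^[[:space:]]*#' "$list" | grep -v '^[[:space:]]*$' \
        | tar -c${COMPRESS}f "$archive" -T -
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: succeed only if every member can be read back.
verify_backup() {
    tar -t${COMPRESS}f "$1" > /dev/null
}

# Typical cron use (root crontab, 02:30 daily, script path assumed):
#   30 2 * * * /usr/local/sbin/backup-etc run
case ${1:-} in
    run)
        [ -f "$LIST" ] || write_list "$LIST"
        archive=$(backup_files "$LIST")
        verify_backup "$archive" && echo "backup written to $archive"
        ;;
esac
```

Running it as "backup-etc run" from root's crontab gives a verified, dated archive per day; because umask 077 is set inside backup_files before tar opens the output, no window exists in which the archive is world-readable.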
8.
Moves, Adds, and Changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
Changes
The following developers recently changed roles within the Gentoo Linux project:
9.
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
10.
GWN Feedback
Please send us your feedback and help make the GWN better.
11.
GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.
12.
Other Languages
The Gentoo Weekly Newsletter is also available in the following languages:
|