Gentoo Logo

Gentoo Weekly Newsletter: January 31, 2005

Content:

1.  Gentoo News

Trusted Gentoo

Initially suggested by Joseph Pingenot, the members of Gentoo's crypto herd have set the goal of Trusted Computing Group (TCG - formerly known as Trusted Computing Platform Alliance or TCPA) support in Gentoo on the agenda for the year.

TCG is an open standard for hardware specification defining cryptographic functions (Trusted Platform Module - TPM) that keep private keys away from system memory. The hardware also provides trusted boot functions (TCG Software Stack - TSS) that ensure private keys cannot be used if the operating system changes to an untrusted one.

TSS applications of the TCG architectures that would be desireable for Gentoo are:

TPM allows storing of cryptographic keys in hardware rather than placing private keys on the filesystem. Examples include:

If you are interested in donating hardware or undertaking development in this area contact Henrik Brix Andersen or Peter Johanson. Developers will need to work largely independantly, and to have a good understanding of security architectures and C coding. A TPM emulator that may be of assistance is available.

Looking for EM64T developers, hardware, and AMD64 "Arch-testers"

The Gentoo/AMD64 team has issued a request for developers who could help extending support to Intel's x86-64 processors, the EM64T product line. The devs will need to bring their own hardware and mainly do kernel testing, since the chipsets on EM64T mainboards are different. Please contact Jason Huebel if you feel up to helping out with this.

In a separate announcement, AMD64 is also looking for "Arch-testers" or AT's, i.e. non-developers to help iron out bugs and mark applications stable for a variety of ebuilds already available.

Gentoo/PPC GameCD released

The PPC team has prototyped the first completely graphical LiveCD for the PowerPC platform featuring a 3D multiplayer OpenGL/SDL game called Cube. Designed for the PegasosPPC, a CD variant to run on Macintosh hardware is already in the works. While the 198 MB GameCD is already available for download from the mirrors (in the experimental/ppc/livecd directory), a whole cluster of ODWs running Cube will be part of the presentations in the Gentoo developer room at FOSDEM in Brussels, 26-27 February 2005.


Figure 1.1: Gentoo Linux GameCD for PPC artwork by Christian Hartmann

Fig. 1: CD cover

2.  Future Zone

Project goals for 2005

Continuing our coverage of goals set by projects inside Gentoo Linux, this week we look at the plans of the Hardened group:

Hardened

  • Review of current approach and policies
  • Improvement of CFLAGS filtering (especially "-fPIC" and "-fstack-protector"
  • Introduce AMD64/Sparc64/PPC64 stages, more hardware in the future as hardware is aquired
  • Improved Grsecurity2 documentation
  • Improved and extended SELinux support
  • Develop and document RSBAC policies
  • More and better documentation of everything
  • Assimilate new developers
  • Elect new Hardened Committee
  • Introduce a forensics and rescue LiveCD
  • Support and improve kernel patchsets
  • Promote the Gentoo Hardened Project outside of Gentoo and raise awareness within Gentoo

3.  Gentoo security

Konversation: Various vulnerabilities

Konversation contains multiple vulnerabilities that could lead to remote command execution or information leaks.

For more information, please see the GLSA Announcement

Evolution: Integer overflow in camel-lock-helper

An overflow in the camel-lock-helper application can be exploited by an attacker to execute arbitrary code with elevated privileges.

For more information, please see the GLSA Announcement

AWStats: Remote code execution

AWStats fails to validate certain input, which could lead to the remote execution of arbitrary code.

For more information, please see the GLSA Announcement

GraphicsMagick: PSD decoding heap overflow

GraphicsMagick is vulnerable to a heap overflow when decoding Photoshop Document (PSD) files, which could lead to arbitrary code execution.

For more information, please see the GLSA Announcement

Perl: rmtree and DBI tmpfile vulnerabilities

The Perl DBI library and File::Path::rmtree function are vulnerable to symlink attacks.

For more information, please see the GLSA Announcement

SquirrelMail: Multiple vulnerabilities

SquirrelMail fails to properly sanitize user input, which could lead to arbitrary code execution and compromise webmail accounts.

For more information, please see the GLSA Announcement

ngIRCd: Buffer overflow

ngIRCd is vulnerable to a buffer overflow that can be used to crash the daemon and possibly execute arbitrary code.

For more information, please see the GLSA Announcement

TikiWiki: Arbitrary command execution

A bug in TikiWiki allows certain users to upload and execute malicious PHP scripts.

For more information, please see the GLSA Announcement

VDR: Arbitrary file overwriting issue

VDR insecurely accesses files with elevated privileges, which may result in the overwriting of arbitrary files.

For more information, please see the GLSA Announcement

f2c: Insecure temporary file creation

f2c is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.

For more information, please see the GLSA Announcement

ncpfs: Multiple vulnerabilities

The ncpfs utilities contain multiple flaws, potentially resulting in the remote execution of arbitrary code or local file access with elevated privileges.

For more information, please see the GLSA Announcement

4.  Heard in the community

Web forums

New old Portage utility

One of several Portage search utilities, portagedb, has been renamed to "Ebuild Index" or eix recently. Developer Pythonhead acknowledges that this alternative to esearch "gets better with every release" and lists eix in his meta-thread:

Is the beagle man's best friend?

Slow week in the English sections of the Forums, but the French had a go at a piece of software comparable to the much-hyped SpotLight that Apple wants to integrate into their Tiger release of Mac OS X. It appears that the Mono-based Beagle is not only a completely free Linux alternative to Apple's real time desktop search, it's also already usable, at least to a certain degree...

gentoo-dev

Reminder on the ebuild upgrade policy

Jason Wever sent out a reminder about ebuild upgrade policy: "Recently, there have been a lot of ebuild upgrades with arch keywords getting dropped completely. Please do not do this unless there is a specific reason for it (security bug, broken dependencies, see policy), and if there is a valid reason, please notify the affected arches as to why you have dropped their keywords."

[RFC] Versioned eclasses

Daniel Goller and Patrick Lauer started a thread asking for versioned eclasses. This proposal (which is a recurring topic every six months or so) was burnt to a crisp in one of the largest flamewars the gentoo-dev mailing list has seen in the last months, and remained unsolved.

Gentoo-dev seems to be hacked

Around the same time as the "versioned eclasses" flamewar a second high-traffic thread developed around signatures, identity and paranoia. The initial questions around possibly broken signatures got forgotten while devs and users discussed the problem of identity in mostly electronical communications and some other tangential questions.

BAS/c troubles

Ciaran McCreesh pointed out some problems with the new Buildtime and Statistics client BAS/c. The following thread has lots of good information for all the ebuild hackers among you how ebuilds should be written (and some good examples what not to do)

5.  Gentoo in the press

Gentoo/OpenSolaris media fallout

"Mixed feelings" best describe the open-source community's assessment of Sun's OpenSolaris release. Regardless whether they're critical of Sun's move or not, many authors tip their hats to Portaris and the Gentoo/OpenSolaris project as a very interesting aspect of it. Here's a list of press clippings covering both Sun's and Gentoo's announcements from around the world:

Mad Penguin (25 January 2005)

"Gentoo done right" is the title for a Mad Penguin article about Vidalinux, the Gentoo spinoff installing via RedHat's Anaconda and supplying binaries on a Gentoo core system. The Puerto-Rican distribution - "essentially a stage 3 install" - receives an enthusiastic review, and Author Adam Doxtater closes on recommending it "to anyone with a desire to give Gentoo Linux a try but who might not have the time to compile everything from scratch to get a basic system up and running."

Pro-Linux.de (25 January 2005)

The German online-only Linux magazine features the sales of Genesi's Open Desktop Workstations in an article on PegasosPPC-Workstations with Gentoo preinstalled. Pro-Linux quotes last week's GWN announcement and adds a few notes on the platform in general, identifying - among other things - the ODW as "an Amiga reincarnation."

6.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 23 January 2005 and 30 January 2005, activity on the site has resulted in:

  • 844 new bugs during this period
  • 516 bugs closed or resolved during this period
  • 29 previously closed bugs were reopened this period

Of the 7945 currently open bugs: 109 are labeled 'blocker', 240 are labeled 'critical', and 584 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

7.  Moves, adds, and changes

Moves

The following developers recently left the Gentoo team:

  • None this week

Adds

The following developers recently joined the Gentoo Linux team:

  • Fernando Serboncini (fserb) - Python
  • Kyle England (kengland) - Infrastructure

Changes

The following developers recently changed roles within the Gentoo Linux project:

  • John Davis (zhen) - Stepped down from Release Engineering Strategic Lead
  • Aaron Walker (ka0ttic) - Joined netmon
  • Daniel Black (dragonheart) - Left embedded - joined ppc and netmon
  • Otavio Rodolfo Piske (AngusYoung) - Joined netmon

8.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

9.  GWN feedback

Please send us your feedback and help make the GWN better.

10.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

11.  Other languages

The Gentoo Weekly Newsletter is also available in the following languages:



Print

Page updated January 31, 2005

Summary: This is the Gentoo Weekly Newsletter for the week of 31 January 2005.

Ulrich Plate
Editor

Daniel Black
Author

Danny van Dyk
Author

Patrick Lauer
Author

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.