Figure 1.1: Gentoo Linux GameCD for PPC artwork by Christian Hartmann
Initially suggested by Joseph Pingenot, the members of Gentoo's crypto herd have set the goal of Trusted Computing Group (TCG - formerly known as Trusted Computing Platform Alliance or TCPA) support in Gentoo on the agenda for the year.
TCG is an open standard for hardware specification defining cryptographic functions (Trusted Platform Module - TPM) that keep private keys away from system memory. The hardware also provides trusted boot functions (TCG Software Stack - TSS) that ensure private keys cannot be used if the operating system changes to an untrusted one.
TSS applications of the TCG architectures that would be desireable for Gentoo are:
TPM allows storing of cryptographic keys in hardware rather than placing private keys on the filesystem. Examples include:
If you are interested in donating hardware or undertaking development in this area contact Henrik Brix Andersen or Peter Johanson. Developers will need to work largely independantly, and to have a good understanding of security architectures and C coding. A TPM emulator that may be of assistance is available.
Looking for EM64T developers, hardware, and AMD64 "Arch-testers"
The Gentoo/AMD64 team has issued a request for developers who could help extending support to Intel's x86-64 processors, the EM64T product line. The devs will need to bring their own hardware and mainly do kernel testing, since the chipsets on EM64T mainboards are different. Please contact Jason Huebel if you feel up to helping out with this.
In a separate announcement, AMD64 is also looking for "Arch-testers" or AT's, i.e. non-developers to help iron out bugs and mark applications stable for a variety of ebuilds already available.
The PPC team has prototyped the first completely graphical LiveCD for the PowerPC platform featuring a 3D multiplayer OpenGL/SDL game called Cube. Designed for the PegasosPPC, a CD variant to run on Macintosh hardware is already in the works. While the 198 MB GameCD is already available for download from the mirrors (in the experimental/ppc/livecd directory), a whole cluster of ODWs running Cube will be part of the presentations in the Gentoo developer room at FOSDEM in Brussels, 26-27 February 2005.
Figure 1.1: Gentoo Linux GameCD for PPC artwork by Christian Hartmann |
|
Continuing our coverage of goals set by projects inside Gentoo Linux, this week we look at the plans of the Hardened group:
Hardened
Konversation: Various vulnerabilities
Konversation contains multiple vulnerabilities that could lead to remote command execution or information leaks.
For more information, please see the GLSA Announcement
Evolution: Integer overflow in camel-lock-helper
An overflow in the camel-lock-helper application can be exploited by an attacker to execute arbitrary code with elevated privileges.
For more information, please see the GLSA Announcement
AWStats: Remote code execution
AWStats fails to validate certain input, which could lead to the remote execution of arbitrary code.
For more information, please see the GLSA Announcement
GraphicsMagick: PSD decoding heap overflow
GraphicsMagick is vulnerable to a heap overflow when decoding Photoshop Document (PSD) files, which could lead to arbitrary code execution.
For more information, please see the GLSA Announcement
Perl: rmtree and DBI tmpfile vulnerabilities
The Perl DBI library and File::Path::rmtree function are vulnerable to symlink attacks.
For more information, please see the GLSA Announcement
SquirrelMail: Multiple vulnerabilities
SquirrelMail fails to properly sanitize user input, which could lead to arbitrary code execution and compromise webmail accounts.
For more information, please see the GLSA Announcement
ngIRCd is vulnerable to a buffer overflow that can be used to crash the daemon and possibly execute arbitrary code.
For more information, please see the GLSA Announcement
TikiWiki: Arbitrary command execution
A bug in TikiWiki allows certain users to upload and execute malicious PHP scripts.
For more information, please see the GLSA Announcement
VDR: Arbitrary file overwriting issue
VDR insecurely accesses files with elevated privileges, which may result in the overwriting of arbitrary files.
For more information, please see the GLSA Announcement
f2c: Insecure temporary file creation
f2c is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.
For more information, please see the GLSA Announcement
ncpfs: Multiple vulnerabilities
The ncpfs utilities contain multiple flaws, potentially resulting in the remote execution of arbitrary code or local file access with elevated privileges.
For more information, please see the GLSA Announcement
New old Portage utility
One of several Portage search utilities, portagedb, has been renamed to "Ebuild Index" or eix recently. Developer Pythonhead acknowledges that this alternative to esearch "gets better with every release" and lists eix in his meta-thread:
Is the beagle man's best friend?
Slow week in the English sections of the Forums, but the French had a go at a piece of software comparable to the much-hyped SpotLight that Apple wants to integrate into their Tiger release of Mac OS X. It appears that the Mono-based Beagle is not only a completely free Linux alternative to Apple's real time desktop search, it's also already usable, at least to a certain degree...
Reminder on the ebuild upgrade policy
Jason Wever sent out a reminder about ebuild upgrade policy: "Recently, there have been a lot of ebuild upgrades with arch keywords getting dropped completely. Please do not do this unless there is a specific reason for it (security bug, broken dependencies, see policy), and if there is a valid reason, please notify the affected arches as to why you have dropped their keywords."
[RFC] Versioned eclasses
Daniel Goller and Patrick Lauer started a thread asking for versioned eclasses. This proposal (which is a recurring topic every six months or so) was burnt to a crisp in one of the largest flamewars the gentoo-dev mailing list has seen in the last months, and remained unsolved.
Gentoo-dev seems to be hacked
Around the same time as the "versioned eclasses" flamewar a second high-traffic thread developed around signatures, identity and paranoia. The initial questions around possibly broken signatures got forgotten while devs and users discussed the problem of identity in mostly electronical communications and some other tangential questions.
BAS/c troubles
Ciaran McCreesh pointed out some problems with the new Buildtime and Statistics client BAS/c. The following thread has lots of good information for all the ebuild hackers among you how ebuilds should be written (and some good examples what not to do)
Gentoo/OpenSolaris media fallout
"Mixed feelings" best describe the open-source community's assessment of Sun's OpenSolaris release. Regardless whether they're critical of Sun's move or not, many authors tip their hats to Portaris and the Gentoo/OpenSolaris project as a very interesting aspect of it. Here's a list of press clippings covering both Sun's and Gentoo's announcements from around the world:
"Gentoo done right" is the title for a Mad Penguin article about Vidalinux, the Gentoo spinoff installing via RedHat's Anaconda and supplying binaries on a Gentoo core system. The Puerto-Rican distribution - "essentially a stage 3 install" - receives an enthusiastic review, and Author Adam Doxtater closes on recommending it "to anyone with a desire to give Gentoo Linux a try but who might not have the time to compile everything from scratch to get a basic system up and running."
Pro-Linux.de (25 January 2005)
The German online-only Linux magazine features the sales of Genesi's Open Desktop Workstations in an article on PegasosPPC-Workstations with Gentoo preinstalled. Pro-Linux quotes last week's GWN announcement and adds a few notes on the platform in general, identifying - among other things - the ODW as "an Amiga reincarnation."
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 23 January 2005 and 30 January 2005, activity on the site has resulted in:
Of the 7945 currently open bugs: 109 are labeled 'blocker', 240 are labeled 'critical', and 584 are labeled 'major'.
The developers and teams who have closed the most bugs during this period are:
The developers and teams who have been assigned the most new bugs during this period are:
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo Linux team:
The following developers recently changed roles within the Gentoo Linux project:
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make the GWN better.
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.
The Gentoo Weekly Newsletter is also available in the following languages: