Hey there friends, it’s October 6 2023 and this is the weekly Linux and Open Source news! We’ve got a lot to talk about this week so let’s get right to it!
Welcome to this week’s video, glad to see you all! I’m Josh and this is the WL Tech Blog.
In the last few weeks we’ve had way too many security announcements, so I’m going to briefly go over the big ones. Don’t put off those OS updates; any major distro will have patched these right away.
Libwebp and libvpx – This one is a big deal and affects a ton of software. A bug in Google’s libwebp and libvpx, which provide support for their modern image format and video codec, was uncovered after traces of it being exploited in the wild were found. A buffer overflow in the decompression routine would allow a specially crafted media file to execute arbitrary code, and wouldn’t even necessarily require the user to open the file. Consider an application like a file manager that automatically displays thumbnails of the images in a folder: in order to create that thumbnail, the file would have passed through the exploitable code path. Now unfortunately, Google announced this as a bug in Chrome rather than as a bug in their libraries, which are used by a ton of other software. New versions have been released for Chrome and Chrome-based browsers, Firefox, and Thunderbird. These libraries are not only used in desktop software, but also by things like gd, which many languages use for image-related functions, and ffmpeg, which is the video encoder of choice nearly everywhere.
Xorg – Security researchers have disclosed several exploits against the Xorg system, some dating back as far as 1988. One is an exploit against the handler for XPM images, which is just as bad as the one for WebP, although XPM is far more obscure. If you’re staying current with your distro, I highly recommend you try using Wayland instead of X11 and see if it works for you. Wayland is a full rewrite with the advantage of decades of hindsight, and emphasizes security and privilege separation as a top-level goal. For these bugs you’ll want libX11 1.8.7 and libXpm 3.5.17.
Glibc – I saved the best for last. GNU’s glibc is the basis of the majority of Linux systems’ userland, and an exploit against its dynamic loader has been discovered that can result in privilege escalation. By setting a specially crafted environment variable, it’s possible to obtain root privileges by crashing glibc on a suid binary, such as su or sudo. The bug was introduced in 2021 and has been verified to work on basically all major Linux distros. Fixes for this are being backported into affected distributions, so again make sure to update your systems to avoid being vulnerable.
RMS Has Cancer
Richard Stallman, the founder of the Free Software movement and the GNU Project, is undergoing cancer treatment. He has announced that he is suffering from a form of non-Hodgkin lymphoma, similar to the late Paul Allen. However, unlike Allen, he is undergoing actual medical treatment and says his prognosis is good. Despite being the butt of many jokes, Stallman’s influence over the current computing landscape is massive. GNU forms the basis of nearly every Linux operating system, and parts of its software are included in almost every other operating system in use today. His sometimes quirky, always pedantic, and never compromising view of software freedom has made our world a better place, and I hope you’ll join me in wishing him a fast and full recovery.
FUTO, an organization devoted to software independence and decentralization, has released a voice-to-text app for Android devices. Unlike Google’s voice-to-text, which keeps a permanent recording of everything you’ve ever said when using the voice input method, the FUTO software runs entirely on your own device and respects your privacy. In my testing, the FUTO software was not only more accurate but also handles things like punctuation more naturally. The experience is a bit different though: you don’t start to get your text until you’ve stopped talking, but that’s not really a problem. FUTO Voice is of course open source software, and the developers ask for, but don’t enforce, a one-time $10 payment. Link is in the description.
This week we saw a few other notable releases. Android Open Source Project version 14 dropped, with the usual stream of updates. The ReactOS project has hired a developer to create a new installer, with the goal of making this open source Windows-compatible operating system easier to install and configure. PipeWire, the up-and-coming audio server for Linux, has released its first release candidate, and expects to reach the 1.0 milestone later this year.
Editorial – Normalize Safe Languages
The 1960s were a simpler time. I mean sure, we had the Vietnam War and the Civil Rights Act, but this is a tech show so we’re talking more about computers and less about hippies and violent international conflict. Back then, computers were exotic, expensive, single-task machines that were just starting to develop the ability to have multiple users running multiple programs at the same time. They were also silos: the way to get data from one computer to another involved carrying punch cards or magnetic tape from one to the other. Computer security was mostly having a lock on the door of the room the computer was in. But this was also a time of rapid development in computing, where basically every computer brand had its own operating system and preferred development language. Of course you had COBOL and FORTRAN, but those were languages for processing data, not for system-level tasks. The base operating system and utilities were generally written in assembler, which gave you access to all the capability of the hardware but would need to be rewritten for every processor and hardware version you wanted to support.
In the early 1970s, Dennis Ritchie at Bell Labs was working on new programming languages with the goal of creating, in essence, a portable assembly language. He created the C language to be small yet powerful, and it was relatively easy to add new targets to the compiler. Having portability at this level would make C the language of choice for operating systems and system utilities, but it would also quickly surpass other languages for building applications. Through the 80s, 90s, and even the 2000s, basically everything was written in C; it had taken over.
C as a language was quite simple, but people tend to confuse being simple with being easy. Like assembly, you still need to manage things like memory allocations and boundaries manually. Some of the standard C library functions can be quite dangerous even when used correctly, but the reality is that programmers are people and people make mistakes.
Much of this episode was about security bugs found in software, and they share a common flaw: all of them are exploitable buffer overflows. When a program is loaded into memory, the code and data are all lumped together in the same space. A buffer overflow happens when you trigger a function that writes data, but the data is bigger than the space allocated for it; like a cup of water, when it gets full it overflows. If you can overflow into an area of code, you can overwrite part of the program with your own and cause that program to do whatever you want. When that program runs with enhanced privileges, like a suid binary or a display server, that overflow becomes a privilege escalation and all bets are off: you’ve rooted the system.
Now you see stuff like this in other languages, but often they’re legitimately bad coding practices. PHP is an easy target because so many people were writing database queries, system exec calls, or evals as strings and putting unfiltered request data into them, which isn’t necessarily PHP’s fault, but they certainly didn’t make it harder to do. When an actual PHP bug comes along, it’s usually because of a problem with the C code underneath.
The problems with C are pretty well known, and many languages have come along that largely addressed them… But C remained popular, because those other languages were… well, slow. Languages like Perl, PHP, and Python were far slower than a C program and just didn’t make sense in a lot of spaces.
Java earned a reputation for being slow to start, wasteful of memory, and having an ecosystem of developers trying to out-pattern each other with things like abstraction factories. C++ was supposed to be a better C but somehow includes all the worst parts of C and just keeps adding all the worst parts of every other language. Of course it and Java are pretty popular in certain spaces.
Those languages continued to evolve and got better, or less bad, depending on your perspective, but people are still writing code that needs to be fast in C.
Two languages emerged around 2012 that would try to address these things: Go and Rust. They are often discussed together, but to be fair that’s mostly for convenience, not because they are natural competitors. Go came out of Google as a language intended to help moderately skilled programmers become productive quickly and safely, originally hoping to replace C++ but really more popular with folks coming from C or Python. Rust is targeted directly at C++, having come from Mozilla with the high-level goal of rewriting their browser and related software, and is considered by many to be the best choice for system-level code. Today we even see Rust code entering the Linux kernel and core libraries in Windows.
But we’re not here for a holy war of garbage collection or monads. These are both great languages. Either of them would surely have prevented the security holes we discussed earlier, because they are both system-level languages that include safety features like bounds checking. You have to go out of your way to write unsafe code, using the unsafe keyword in Rust or the unsafe package in Go. In C, you don’t even have the concept of unsafe code; most exploits are simply copying strings around, which should never be unsafe.
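To make the overflow discussion and the bounds-checking point concrete, here is an added Go example (mine, not from the video or any of the projects mentioned). It models the shape the decoders above share: a header declares a payload length, and the decoder copies that many bytes into a fixed buffer. The two-byte header format, the 8-byte pixel buffer and the sample inputs are all constructed for illustration; the naive variant shows that in Go the out-of-bounds write becomes a runtime panic rather than overwritten memory, and the checked variant shows the length validation a C decoder would have to do by hand.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed toy "media header": a 2-byte big-endian payload length
// followed by the payload. Not a real codec; just the shape of the
// length-trusting decoder the bugs above share.
const pixelBufSize = 8

var errBadLength = errors.New("declared length does not fit")

// decodeNaive trusts the declared length and writes byte by byte,
// as a C decoder doing memcpy into a fixed buffer would. In Go the
// out-of-range write trips the runtime bounds check and panics;
// we turn the panic into an error instead of corrupted memory.
func decodeNaive(input []byte) (pixels [pixelBufSize]byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("bounds check tripped: %v", r)
		}
	}()
	n := int(binary.BigEndian.Uint16(input))
	body := input[2:]
	for i := 0; i < n; i++ {
		pixels[i] = body[i] // panics once i reaches pixelBufSize or len(body)
	}
	return pixels, nil
}

// decodeChecked validates the declared length before touching the
// buffer, the kind of check a C decoder needs before it copies.
func decodeChecked(input []byte) ([pixelBufSize]byte, error) {
	var pixels [pixelBufSize]byte
	if len(input) < 2 {
		return pixels, errBadLength
	}
	n := int(binary.BigEndian.Uint16(input))
	body := input[2:]
	// The length must fit both the fixed buffer and the bytes present.
	if n > pixelBufSize || n > len(body) {
		return pixels, errBadLength
	}
	copy(pixels[:n], body[:n])
	return pixels, nil
}
```

Feeding a header that declares 16 bytes for the 8-byte buffer makes decodeNaive return a "bounds check tripped" error where the equivalent C loop would have kept writing past the array; decodeChecked rejects the same input without ever touching the buffer.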
Huge chunks of the internet are powered by these languages, including web servers, databases, infrastructure management, and applications. On the desktop side they are picking up steam and you can generally write just about anything in either language. Not to mention other safe languages such as Python and Ruby when outright performance is less critical… But our systems are still dominated by C code.
Part of that is just legacy. Decades of work have gone into many of these core packages, covering hundreds or thousands of combinations of hardware and operating systems; replacing them is not trivial. But not everything has that problem.
In my field, I write a lot of Go code. I find it to be a great balance for the work I do, letting me be extremely productive while also writing high-performance code with modern traits. Other folks would say the same about Rust; I think it’s just a matter of the problem space you’re working in and preference here.
I believe that every developer should learn C, not so much to use it but for the wisdom of knowing why they shouldn’t be using it. When a new language emerges, there’s always the meme of “rewrite everything in x,” and a lot of programmers basically take on rewriting as a way to develop their language skills. But today I think those goals have become practical. It’s October 2023, and there is really no excuse for writing new software in unsafe languages. It’s frustrating to know that Wayland, the replacement for Xorg, is still written in C. As that project started in 2008, it’s hard to fault them for it. But we’re going to be stuck with that decision for decades; big ships turn slowly. Let’s all try to support safe software and encourage developers to Stop Using C.
Well, those are the highlights from this week. Did I miss something? Let me know in the comments! I’ll be posting these videos every Friday; if you’ve got a great project update that should be featured, put it down below and I’ll have a look. Also, if you’re a fan of tech projects, come check us out on Discord, link below. Have a great week and we’ll see you next Friday!