Don’t know if Fedora has any similar easy way of tracking vulnerabilities
gayhitler420@lemm.ee
on 31 Jan 2024 19:08
collapse
12 and 13 have patches out in the security repo. Apt update && apt upgrade fixed it right up.
henfredemars@infosec.pub
on 31 Jan 2024 02:08
nextcollapse
For your convenience:
The researchers pointed out that the vulnerability cannot be exploited remotely. An attacker can trigger the issue by providing crafted inputs to applications that employ these [syslog] logging functions [in apps that allow the user to feed crafted data to those functions].
You still need some privileged process to exploit. Glibc code doesn’t get any higher privileges than the rest of the process. From kernel’s point of view, it’s just a part of the program like any other code.
So if triggering the bug in your own process was enough for privilege escalation, it would also be a critical security vulnerability in the kernel - it can’t allow you to execute a magic sequence of instructions in your process and become a root, that completely destroys any semblance of process / user isolation.
Security-critical C and memory safety bugs. Name a more iconic duo…
I’d have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn’t always easily possible. Could we at least have a coordinated disclosure time each month? That’d be great.
clever_banana@lemmy.today
on 31 Jan 2024 12:04
collapse
Public disclosure is typically done 90 days after Deva are privately notified. That should be enough time for security-critical bugs.
They did follow that. You can read their disclosure timeline in their report.
Problem is that the devs of glibc aren’t the only people interested in getting glibc patched but us distro maintainers too.
What I would have preferred would be an early private disclosure to the upstream maintainers and then a public but intentionally unspecific disclosure with just the severity to give us distro people some time to prepare a swift rollout when the full disclosure happens and the patch becomes public.
Alternatively, what would be even better would have been to actually ship the patch in a release but not disclose its severity (or even try to hide it by making it seem like a refactor or non-security relevant bugfix) until a week or two later; ensuring that any half-decent distro release process and user upgrade cycle will have the patch before its severity is disclosed. That’s how the Linux kernel does it AFAIK and it’s the most reasonable approach I’ve seen.
melroy@kbin.melroy.org
on 31 Jan 2024 03:12
nextcollapse
Let's go Musl!
unreachable@lemmy.world
on 31 Jan 2024 04:10
nextcollapse
MonkderZweite@feddit.ch
on 31 Jan 2024 12:02
collapse
Doesn’t compile where musl does.
Rustmilian@lemmy.world
on 31 Jan 2024 22:00
collapse
While there may be challenges and specific configurations required, you absolutely can compile Rust on and targeting to a musl-based system.
MonkderZweite@feddit.ch
on 01 Feb 2024 13:06
collapse
I meant, Rust suppports vewer architectures.
Rustmilian@lemmy.world
on 01 Feb 2024 13:54
collapse
Rust actually supports most architectures(SPARC, AMD64/x86-64, ARM, PowerPC, RISC-V, and AMDGPU*).
The limitations are from LLVM not supporting some architects(Alpha, SuperH, and VAX) and some instruction sets(sse2, etc.); z/Architecture is a bit of an outlier that has major challenges to overcome for LLVM-Rust.
This is not going to be a problem when GCC-Rust is finished.
AMDGPU, *Not 100%, but works well enough to actually use in production and gets better all the time.
MonkderZweite@feddit.ch
on 01 Feb 2024 13:55
collapse
Thanks! My bad, sorry.
Rustmilian@lemmy.world
on 01 Feb 2024 14:00
collapse
Np. It’s a common point of confusion.
You can use rustup target list to see all available architectures and targets.
The vulnerability is on logs, and that has nothing related to the library. Even less with the language…
Quetzalcutlass@lemmy.world
on 31 Jan 2024 07:30
nextcollapse
The vulnerability is in the library’s logging function, which is coded in the C language. musl is also C (afaik), it’s just a more modern, safer rewrite of libc.
I’m not sure what you mean by a “vulnerability in the logs”. In a logger or parser, sure, but did you think text data at rest was able to reach out and attack your system?
True, the logging is part of the library, but it’s totally centered on what the developers are logging. It’s a bad practice to log sensitive information, which can be used by someone with access to the logs for sure, but that doesn’t mean the library is broken and has to be replaced. The library’s logs need to be audited, and this as true for glibc as it is for musl, no exception, and it’s not a one time thing, since as the libraries evolve, sensitive information can be introduced unintentionally (perhaps debugging something required it on some particular testing, and it was forgotten there).
BTW, what I meant with the language, is that no matter the language, you might unintentionally allow some sensitive information in the logs, because that’s not a syntactic error, and it’s not violating any compiling rules. It’s that something is logged that shouldn’t.
Also, the report indicates that the vulnerability can’t be exploited remotely, which reduces the risk for several systems…
IAm_A_Complete_Idiot@sh.itjust.works
on 31 Jan 2024 21:48
collapse
The vulnerability has nothing to do with accidentally logging sensitive information, but crafting a special payload to be logged which gets glibc to write memory it isn’t supposed to write into because it didn’t allocate memory properly. glibc goes too far outside of the scope of its allocation and writes into other memory regions, which an attacked could carefully hand craft to look how they want.
Other languages wouldn’t have this issue because
they wouldn’t willy nilly allocate a pointer directly like this, but rather make a safer abstraction type on top (like a C++ vector), and
they’d have bounds checking when the compiler can’t prove you can go outside of valid memory regions. (Manually calling .at() in C++, or even better - using a language like rust which makes bounds checks default and unchecked access be opt in with a special method).
Edit: C’s bad security is well known - it’s the primary motivator for introducing rust into the kernel. Google / Microsoft both report 70% of their security vulnerabilities come from C specific issues, curl maintainer talks about how they use different sanitizers and best practices and still run into the same issues, and even ubiquitous and security critical libraries and tools like sudo + polkit suffer from them regularly.
I see, I didn’t dig into the cause, being sort of a buffer overflow. Indeed that would be prevented by other languages, sorry for my misinterpretation. Other vulnerabilities unintentionally introduced by developers on logging what shouldn’t are not dependent on anything other than auditing them, but that was not the case then.
callyral@pawb.social
on 31 Jan 2024 13:09
collapse
Why? MIT is more liberal than GPL. Why is it a red flag?
Adanisi@lemmy.zip
on 01 Feb 2024 07:18
nextcollapse
At a time where proprietary software is becoming more and more nasty and prevalent, on top of what has always accompanied it, we shouldn’t be letting proprietary software developers take advantage of free code only to lock theirs away as proprietary. It advantages nobody except proprietary devs, who don’t have the users at heart.
The goal of the GPL is to fight that.
The problem with pushover licenses like MIT in this case is that a lot of this software is designed to displace copylefted code. And when it does, you lose the protection of copyleft in that particular area and all of a sudden proprietary software gets a leg up on us. It’s bad for software freedom and the users by extension, and good for proprietary software developers.
But the licence is chosen by the software author - unless that right to choose is taken away by a viral licence like the GPL, of course. In any case, I licence everything I write that I can as 3-clause BSD because I don’t give a fuck. I wrote the software for me, and it costs me nothing if it’s used by a shitty proprietary software stealer, or a noble OSS developer. Neither of them are paying me.
OSS should, is, and eventually will drive for-pay software to extinction, and it should do it through merit, not some legal trickery.
You’re missing the point. Yes, the license is chosen by the author, but if that pushover licensed software becomes favoured over copyleft software, then proprietary software has a leg up as I explained. That’s it.
GPL is also not a “viral” license, because that would imply that it seeks out and infects anything it can find. But developers choose which code they use, it doesn’t just appear in their own code without permission. So a better analogy would be “spiderplant” license, since you’re taking part of a GPL program (a spiderplant), and putting it in your own (where the GPLs influence “grows” to). That is completely the software developers decision and not like a virus at all.
It might not cost you anything personally if a proprietary developer usurps your code, but it does cost overall user freedom and increases proprietary dominance, where copyleft licenses would have done the opposite if your code was worth using. For that reason, I like strong copyleft. But by all means, keep using the license you want to, as long as it’s not proprietary I won’t judge. This is just my thoughts.
The point of free/open source licenses isn’t to remove money from software either, it’s perfectly possible to sell libre software. It’s about what the recipients of that software have the freedom to do with it, and not giving the developer control over their users. We should serve the community, not betray them.
Lastly, although free alternatives are often technically superior to their closed-source competitors, at the end of the day, if you have a slightly faster program which does nasty spying, locking of functionality, etc, and a slightly slower program which does not, I’d be inclined to say that the slower program should be preferred by virtue that it does not do nasty things to it’s users, and that then you won’t be supporting such behaviour.
Lastly, although free alternatives are often technically superior to their closed-source competitors, at the end of the day
I am 100% in agreement with you here. While I’m not by any means a Libertarian, I prefer MIT and BSD licenses because they are truely free. The GPL is not: it removes freedoms. Now, you argue that limiting freedom can be a net good - we limit the freedom to rape and murder, and that’s good. I don’t agree that the freedoms the GPL removes are equivalent, and can indeed be harmful.
We can agree to disagree on the freedom point. The only “freedom” I see being taken away with the GPL is the removing of the freedom of other people.
I don’t mind the MIT/BSD licenses, but I won’t use them. We can agree on that.
mariusafa@lemmy.sdf.org
on 04 Feb 2024 17:38
collapse
I get is more liberal which I understand why. But that means that changes to the software do not need to be shared. Which for normal users it really does not matter. But again we are giving to multi corporations so much in exchange of nothing. When again they don’t treat their users the same way.
MIT is a good licence as an idea. In reality, multi corporations are evil AF. The idea of free software in a sense is that free software can get so much better than privative one, eventually forcing privative companies to implement it them self on their programs.
If giving and taking was 1:1 in software community then again, MIT license is perfect. In reality it isn’t. For major programs that have a lot of implication on new programs I do not recommend MIT and similar. For feature like projects is totally okay IMO.
I respect your opinion on this, and will say only one more thing: having worked in the corporate software space for decades, you don’t want their software. Most of it is utter crap. It’s a consequence of finance having too much indirect influence, high turnover, a lot of really uninspired and mediocre developers, and a lack of the fundamentally evolutionary pressures that exist in OSS. The only thing corporations do better is marketting.
shadowintheday2@lemmy.world
on 31 Jan 2024 03:42
nextcollapse
"A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992. "
This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades.
PlexSheep@feddit.de
on 31 Jan 2024 07:14
nextcollapse
That’s not the main part of the article, just a footnote, for anyone wondering.
The flaw resides in the glibc’s syslog function, an attacker can exploit the flaw to gain root access through a privilege escalation.
The vulnerability was introduced in glibc 2.37 in August 2022.
You are probably confusing the glibc with gcc and g++. Glibc is an implementation of the C standard library, made by GNU (thats where the g in the name comes from).
If you were to look into it, it uses the syscalls to tell the underlying computer system what to do when you call functions, such as printf.
kaputt@sh.itjust.works
on 31 Jan 2024 08:45
nextcollapse
According to the link in the article, the qsort() bug can only be triggered with a non-transitive cmp() function. Would such a cmp function ever be useful?
Giooschi@lemmy.world
on 31 Jan 2024 13:16
collapse
You don’t necessarily have to write a non-transitive cmp() function willingly, it may happen that you write one without realizing due to some edge cases where it’s not transitive.
xlash123@sh.itjust.works
on 31 Jan 2024 13:32
collapse
C is just crazy. You accidentally forget to put the bounds in a sorting function, and now you are root.
Zucca@sopuli.xyz
on 31 Jan 2024 11:18
nextcollapse
Yikes.
I’d switch to musl on all of my boxes if it weren’t that nearly all precompiled software (closed source, games mainly) are compiled against glibc.
Pantherina@feddit.de
on 31 Jan 2024 12:36
nextcollapse
So this means you need either Alpine repos or compile everything yourself?
Zucca@sopuli.xyz
on 31 Jan 2024 12:56
nextcollapse
Void offers musl too. Unless they’ve discontinued it.
But
compile everything yourself?
I do (almost) exactly that. I run Gentoo almost everywhere.
The ‘almost’ is because Gentoo now offers an official bin repository too, so I can mix compiled and pre-compiled software. (Although you’ve always had the option to set up your own binary host).
Rustmilian@lemmy.world
on 31 Jan 2024 21:53
collapse
How are you going to run steam though?
Like at least alpine has wine, but there’s no way to recompile steam unfortunately.
Zucca@sopuli.xyz
on 01 Feb 2024 07:51
nextcollapse
Nope. I mainly get my games (curretly around 10 only) from gog.
Pantherina@feddit.de
on 01 Feb 2024 15:52
collapse
I was never into gaming really, and while I like the progress I dont really care tbh?
I’ve got separate offline backups and rescue disks, but I’m pretty confident that grub-btrfs will let me recover pretty quickly.
bruhduh@lemmy.world
on 01 Feb 2024 00:18
nextcollapse
grub-btrfs with timeshift didn’t helped me in my upgrade from fedora 38 to 39, when i rolled back with grub-btrfs, what loaded was weird mix of 38 and 39, that didn’t even let me browse my filesystem, got to disassemble laptop, get out ssd, use it as external, and even then half of the ssd was locked, ssd was new and chmod didn’t helped, even from live usb, had to copy files with testdisk and dd zero’s on whole disk for it to work again
atzanteol@sh.itjust.works
on 31 Jan 2024 13:01
nextcollapse
“GNU Library C?”
Rustmilian@lemmy.world
on 31 Jan 2024 22:17
nextcollapse
GNU C Library(glibc) as apposed to C Library (libc).
atzanteol@sh.itjust.works
on 31 Jan 2024 22:50
collapse
Who calls it “GNU Library C” though?
nintendiator@feddit.cl
on 01 Feb 2024 03:41
collapse
I’d just like to interject for a moment. What you call “GNU Library C” is actually GNU with Linux library C and some C++ for those nifty templates, or as we like to call it “GNU/Linux Library C/C++”. Which, to be honest, it’s more like “GNU/Linux Library C/C-with-Classes” the way they’re teaching it at school, oh well.
Carry on.
atzanteol@sh.itjust.works
on 01 Feb 2024 06:13
collapse
I was, it seems, too subtle. I don’t call it “GNU Library C”. Nobody does. I call it the “GNU C library”. It’s weird that the author calls it that.
nintendiator@feddit.cl
on 01 Feb 2024 14:06
collapse
Aaaaaand I somehow missed that.
Then again, wouldn’t have changed much. I’d just infodumped you on the GNU/Linux C Library, or as we sometimes call it the GNU plus Linux C library with macros.
atzanteol@sh.itjust.works
on 01 Feb 2024 15:44
collapse
Aaaaaand I somehow missed that.
Not the only one it seems - that’s on me.
GNU plus Linux C library with macros.
🤣
corsicanguppy@lemmy.ca
on 31 Jan 2024 15:59
nextcollapse
Unyieldingly@lemmy.world
on 01 Feb 2024 06:33
collapse
Ubuntu 22.04 LTS, Linux Mint etc as well. also this is a local one, so not many people care.
const_void@lemmy.ml
on 31 Jan 2024 16:22
nextcollapse
Glad I only run Alpine
mariusafa@lemmy.sdf.org
on 31 Jan 2024 17:55
nextcollapse
Imagine all the vulnerabilities that privative and low reviewed code has…
mariusafa@lemmy.sdf.org
on 31 Jan 2024 18:02
nextcollapse
glibc is great, but holy shit the source code is obscured into oblivion, so hard to understand, with hardcoded optimizations, and compiler optimizations. I understand how difficult is to find vulnerabilities. A bit sad that the only C lib truely free software is so hard to actually read its code or even contribute to it.
azvasKvklenko@sh.itjust.works
on 31 Jan 2024 20:31
nextcollapse
Eventually it’ll be easier to create a compatible drop-in replacement than maintain the decades old code, if it isn’t already
FooBarrington@lemmy.world
on 31 Jan 2024 22:18
nextcollapse
Unlikely, unless you drop backwards compatibility for undefined behaviour. Unless you write a complete specification on it, you’ll end up either breaking old stuff, or slowly rebuilding the same problems.
Octopus1348@lemy.lol
on 01 Feb 2024 07:36
collapse
Like what’s happening to X. Wayland is replacing it.
deadcream@sopuli.xyz
on 01 Feb 2024 14:00
collapse
Wayland is not a drop-in replacement tho. It’s like if glibc developers declared it obsolete and presented a “replacement” that has a completely different API and has 1/100 of glibc functionality and a plugin interface. And then all the dozens of Linux distros have to write all the plugins from scratch to add back missing functionality and do it together in perfect cooperation so that they remain compatible with each other.
leopold@lemmy.kde.social
on 01 Feb 2024 04:17
collapse
For what it’s worth, glibc is very much performance-critical, so this shouldn’t be a surprise. Any possible optimization is worth it.
There are a ton of free software libc implementations outside of glibc. I think most implementations of libc are free software at this point. There’s Bionic, the BSD libcs, musl, the Haiku libc, the OpenSolaris/OpenIndiana libc, Newlib, relibc, the ToaruOS libc, the SerenityOS libc and a bunch more. Pretty sure Wine/ReactOS also have free implementations of the Windows libc.
Drito@sh.itjust.works
on 01 Feb 2024 13:30
collapse
Glibc has extensions that fragment compatibility. If Glibc is replaced by another libc, some apps prints an error, or don’t work. I noticed that on Alpine.
gayhitler420@lemm.ee
on 31 Jan 2024 22:05
nextcollapse
I replied to another comment with this, but Debian 12(stable, bookworm) and 13(testing, trixie) are affected by this but 12(stable, bookworm) has a patch out in the security repo.
If you wanna know wether or not you’re affected,
apt list libc
will show your version and the one you want is 2.36-9+deb12u4
If you don’t have that,
apt update && apt upgrade
will straighten you out
13(testing, trixie) has 2.37, but it’s not fixed yet.
E: Edited to use apt list instead of apt show.
NGC2346@sh.itjust.works
on 01 Feb 2024 16:13
collapse
threaded - newest
Patch time
security-tracker.debian.org/…/CVE-2023-6246
Don’t know if Fedora has any similar easy way of tracking vulnerabilities
12 and 13 have patches out in the security repo. Apt update && apt upgrade fixed it right up.
For your convenience:
This is a privilege escalation.
The hero we need."; DROP TABLE “users”;
If it isn’t little Bobby Tables again.
This may be difficult to exploit in practice - I don’t think most user applications use syslog.
Unless you have user access to a system with gcc on it.
You still need some privileged process to exploit. Glibc code doesn’t get any higher privileges than the rest of the process. From kernel’s point of view, it’s just a part of the program like any other code.
So if triggering the bug in your own process was enough for privilege escalation, it would also be a critical security vulnerability in the kernel - it can’t allow you to execute a magic sequence of instructions in your process and become a root, that completely destroys any semblance of process / user isolation.
Security-critical C and memory safety bugs. Name a more iconic duo…
I’d have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn’t always easily possible. Could we at least have a coordinated disclosure time each month? That’d be great.
Public disclosure is typically done 90 days after Deva are privately notified. That should be enough time for security-critical bugs.
They did follow that. You can read their disclosure timeline in their report.
Problem is that the devs of glibc aren’t the only people interested in getting glibc patched but us distro maintainers too.
What I would have preferred would be an early private disclosure to the upstream maintainers and then a public but intentionally unspecific disclosure with just the severity to give us distro people some time to prepare a swift rollout when the full disclosure happens and the patch becomes public.
Alternatively, what would be even better would have been to actually ship the patch in a release but not disclose its severity (or even try to hide it by making it seem like a refactor or non-security relevant bugfix) until a week or two later; ensuring that any half-decent distro release process and user upgrade cycle will have the patch before its severity is disclosed. That’s how the Linux kernel does it AFAIK and it’s the most reasonable approach I’ve seen.
Let's go Musl!
<img alt="" src="https://lemmy.world/pictrs/image/ab1534a8-5547-4ac4-9d11-456b4e600443.webm">
Doesn’t compile where musl does.
While there may be challenges and specific configurations required, you absolutely can compile Rust on and targeting to a musl-based system.
I meant, Rust suppports vewer architectures.
Rust actually supports most architectures(SPARC, AMD64/x86-64, ARM, PowerPC, RISC-V, and AMDGPU*). The limitations are from LLVM not supporting some architects(Alpha, SuperH, and VAX) and some instruction sets(sse2, etc.); z/Architecture is a bit of an outlier that has major challenges to overcome for LLVM-Rust. This is not going to be a problem when GCC-Rust is finished.
AMDGPU, *Not 100%, but works well enough to actually use in production and gets better all the time.
Thanks! My bad, sorry.
Np. It’s a common point of confusion.
You can use
rustup target list
to see all available architectures and targets.The vulnerability is on logs, and that has nothing related to the library. Even less with the language…
The vulnerability is in the library’s logging function, which is coded in the C language. musl is also C (afaik), it’s just a more modern, safer rewrite of libc.
I’m not sure what you mean by a “vulnerability in the logs”. In a logger or parser, sure, but did you think text data at rest was able to reach out and attack your system?
True, the logging is part of the library, but it’s totally centered on what the developers are logging. It’s a bad practice to log sensitive information, which can be used by someone with access to the logs for sure, but that doesn’t mean the library is broken and has to be replaced. The library’s logs need to be audited, and this as true for glibc as it is for musl, no exception, and it’s not a one time thing, since as the libraries evolve, sensitive information can be introduced unintentionally (perhaps debugging something required it on some particular testing, and it was forgotten there).
BTW, what I meant with the language, is that no matter the language, you might unintentionally allow some sensitive information in the logs, because that’s not a syntactic error, and it’s not violating any compiling rules. It’s that something is logged that shouldn’t.
Also, the report indicates that the vulnerability can’t be exploited remotely, which reduces the risk for several systems…
The vulnerability has nothing to do with accidentally logging sensitive information, but crafting a special payload to be logged which gets glibc to write memory it isn’t supposed to write into because it didn’t allocate memory properly. glibc goes too far outside of the scope of its allocation and writes into other memory regions, which an attacked could carefully hand craft to look how they want.
Other languages wouldn’t have this issue because
they wouldn’t willy nilly allocate a pointer directly like this, but rather make a safer abstraction type on top (like a C++ vector), and
they’d have bounds checking when the compiler can’t prove you can go outside of valid memory regions. (Manually calling .at() in C++, or even better - using a language like rust which makes bounds checks default and unchecked access be opt in with a special method).
Edit: C’s bad security is well known - it’s the primary motivator for introducing rust into the kernel. Google / Microsoft both report 70% of their security vulnerabilities come from C specific issues, curl maintainer talks about how they use different sanitizers and best practices and still run into the same issues, and even ubiquitous and security critical libraries and tools like sudo + polkit suffer from them regularly.
I see, I didn’t dig into the cause, being sort of a buffer overflow. Indeed that would be prevented by other languages, sorry for my misinterpretation. Other vulnerabilities unintentionally introduced by developers on logging what shouldn’t are not dependent on anything other than auditing them, but that was not the case then.
musl is not a programming language
That’s why I said library or language (someone else suggested rust).
Yeah Musl is pretty good to learn C libs but the main red flag is the MIT Licence
Why? MIT is more liberal than GPL. Why is it a red flag?
At a time where proprietary software is becoming more and more nasty and prevalent, on top of what has always accompanied it, we shouldn’t be letting proprietary software developers take advantage of free code only to lock theirs away as proprietary. It advantages nobody except proprietary devs, who don’t have the users at heart.
The goal of the GPL is to fight that.
The problem with pushover licenses like MIT in this case is that a lot of this software is designed to displace copylefted code. And when it does, you lose the protection of copyleft in that particular area and all of a sudden proprietary software gets a leg up on us. It’s bad for software freedom and the users by extension, and good for proprietary software developers.
But the licence is chosen by the software author - unless that right to choose is taken away by a viral licence like the GPL, of course. In any case, I licence everything I write that I can as 3-clause BSD because I don’t give a fuck. I wrote the software for me, and it costs me nothing if it’s used by a shitty proprietary software stealer, or a noble OSS developer. Neither of them are paying me.
OSS should, is, and eventually will drive for-pay software to extinction, and it should do it through merit, not some legal trickery.
You’re missing the point. Yes, the license is chosen by the author, but if that pushover licensed software becomes favoured over copyleft software, then proprietary software has a leg up as I explained. That’s it.
GPL is also not a “viral” license, because that would imply that it seeks out and infects anything it can find. But developers choose which code they use, it doesn’t just appear in their own code without permission. So a better analogy would be “spiderplant” license, since you’re taking part of a GPL program (a spiderplant), and putting it in your own (where the GPLs influence “grows” to). That is completely the software developers decision and not like a virus at all.
It might not cost you anything personally if a proprietary developer usurps your code, but it does cost overall user freedom and increases proprietary dominance, where copyleft licenses would have done the opposite if your code was worth using. For that reason, I like strong copyleft. But by all means, keep using the license you want to, as long as it’s not proprietary I won’t judge. This is just my thoughts.
The point of free/open source licenses isn’t to remove money from software either, it’s perfectly possible to sell libre software. It’s about what the recipients of that software have the freedom to do with it, and not giving the developer control over their users. We should serve the community, not betray them.
Lastly, although free alternatives are often technically superior to their closed-source competitors, at the end of the day, if you have a slightly faster program which does nasty spying, locking of functionality, etc, and a slightly slower program which does not, I’d be inclined to say that the slower program should be preferred by virtue that it does not do nasty things to it’s users, and that then you won’t be supporting such behaviour.
I am 100% in agreement with you here. While I’m not by any means a Libertarian, I prefer MIT and BSD licenses because they are truely free. The GPL is not: it removes freedoms. Now, you argue that limiting freedom can be a net good - we limit the freedom to rape and murder, and that’s good. I don’t agree that the freedoms the GPL removes are equivalent, and can indeed be harmful.
I don’t mind others using the GPL, but I won’t.
We can agree to disagree on the freedom point. The only “freedom” I see being taken away with the GPL is the removing of the freedom of other people.
I don’t mind the MIT/BSD licenses, but I won’t use them. We can agree on that.
I get is more liberal which I understand why. But that means that changes to the software do not need to be shared. Which for normal users it really does not matter. But again we are giving to multi corporations so much in exchange of nothing. When again they don’t treat their users the same way.
MIT is a good licence as an idea. In reality, multi corporations are evil AF. The idea of free software in a sense is that free software can get so much better than privative one, eventually forcing privative companies to implement it them self on their programs.
If giving and taking was 1:1 in software community then again, MIT license is perfect. In reality it isn’t. For major programs that have a lot of implication on new programs I do not recommend MIT and similar. For feature like projects is totally okay IMO.
I respect your opinion on this, and will say only one more thing: having worked in the corporate software space for decades, you don’t want their software. Most of it is utter crap. It’s a consequence of finance having too much indirect influence, high turnover, a lot of really uninspired and mediocre developers, and a lack of the fundamentally evolutionary pressures that exist in OSS. The only thing corporations do better is marketting.
"A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992. "
This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades.
That’s not the main part of the article, just a footnote, for anyone wondering.
So, it must be with the BSDs too?
Iirc bad does not use glibc, but I’m not very involved with BSD.
It wouldn’t make sense. Glibc is LGPL licensed, not really compatible with the BSD license…
BSDs use libc
Wait, why has a compiler system log functionlity?
glibc is a library, gcc is the compiler.
You are probably confusing the glibc with gcc and g++. Glibc is an implementation of the C standard library, made by GNU (thats where the g in the name comes from).
If you were to look into it, it uses the syscalls to tell the underlying computer system what to do when you call functions, such as
printf
.If you want to read more, see here
According to the link in the article, the qsort() bug can only be triggered with a non-transitive cmp() function. Would such a cmp function ever be useful?
You don’t necessarily have to write a non-transitive cmp() function willingly, it may happen that you write one without realizing due to some edge cases where it’s not transitive.
C is just crazy. You accidentally forget to put the bounds in a sorting function, and now you are root.
Yikes.
I’d switch to musl on all of my boxes if it weren’t that nearly all precompiled software (closed source, games mainly) are compiled against glibc.
So this means you need either Alpine repos or compile everything yourself?
Void offers musl too. Unless they’ve discontinued it.
But
I do (almost) exactly that. I run Gentoo almost everywhere. The ‘almost’ is because Gentoo now offers an official bin repository too, so I can mix compiled and pre-compiled software. (Although you’ve always had the option to set up your own binary host).
How are you going to run steam though? Like at least alpine has wine, but there’s no way to recompile steam unfortunately.
Nope. I mainly get my games (curretly around 10 only) from gog.
I was never into gaming really, and while I like the progress I dont really care tbh?
Don’t forget Chimera Linux ( not to be confused with Chimeraos)!
Just use flatpak and podman, in a punch you can proot into a different system / zfs data set / btrfs sublime
That’s why you need to rock and roll
(Arch btw.)
Try having
unattended-upgrades
with a rolling distro.I don’t want unattended upgrades >:/
Just don’t upgrade for a while and you become debian
It’s not like windows forcing you to reboot every Tuesday so Edge can come back
you shouldn’t be throwing boots through your windows
Man, I do this all the time. snapper and grub-btrfs has enabled all kinds of amazing things. I’m so close to just doing:
I’ve got separate offline backups and rescue disks, but I’m pretty confident that grub-btrfs will let me recover pretty quickly.
grub-btrfs with timeshift didn’t helped me in my upgrade from fedora 38 to 39, when i rolled back with grub-btrfs, what loaded was weird mix of 38 and 39, that didn’t even let me browse my filesystem, got to disassemble laptop, get out ssd, use it as external, and even then half of the ssd was locked, ssd was new and chmod didn’t helped, even from live usb, had to copy files with testdisk and dd zero’s on whole disk for it to work again
.
Databases are the definition of software dependancy hell. They exist in the zone of pain. I love Postgres; I hate administering Postgres.
<img alt="" src="https://cdn.devlead.io/public/images/Diagrams/ComponentStabilityDiagram-600.png">
“GNU Library C?”
GNU C Library(glibc) as apposed to C Library (libc).
Who calls it “GNU Library C” though?
I’d just like to interject for a moment. What you call “GNU Library C” is actually GNU with Linux library C and some C++ for those nifty templates, or as we like to call it “GNU/Linux Library C/C++”. Which, to be honest, it’s more like “GNU/Linux Library C/C-with-Classes” the way they’re teaching it at school, oh well.
Carry on.
I was, it seems, too subtle. I don’t call it “GNU Library C”. Nobody does. I call it the “GNU C library”. It’s weird that the author calls it that.
Aaaaaand I somehow missed that.
Then again, wouldn’t have changed much. I’d just infodumped you on the GNU/Linux C Library, or as we sometimes call it the GNU plus Linux C library with macros.
Not the only one it seems - that’s on me.
🤣
RedHat and related: access.redhat.com/security/cve/CVE-2023-6246
Not affected
Not affected
Not affected
etc.
Ubuntu 22.04 LTS, Linux Mint etc as well. also this is a local one, so not many people care.
Glad I only run Alpine
Imagine all the vulnerabilities that privative and low reviewed code has…
glibc is great, but holy shit the source code is obscured into oblivion, so hard to understand, with hardcoded optimizations, and compiler optimizations. I understand how difficult is to find vulnerabilities. A bit sad that the only C lib truely free software is so hard to actually read its code or even contribute to it.
Eventually it’ll be easier to create a compatible drop-in replacement than maintain the decades old code, if it isn’t already
Unlikely, unless you drop backwards compatibility for undefined behaviour. Unless you write a complete specification on it, you’ll end up either breaking old stuff, or slowly rebuilding the same problems.
Like what’s happening to X. Wayland is replacing it.
Wayland is not a drop-in replacement tho. It’s like if glibc developers declared it obsolete and presented a “replacement” that has a completely different API and has 1/100 of glibc functionality and a plugin interface. And then all the dozens of Linux distros have to write all the plugins from scratch to add back missing functionality and do it together in perfect cooperation so that they remain compatible with each other.
For what it’s worth, glibc is very much performance-critical, so this shouldn’t be a surprise. Any possible optimization is worth it.
There are a ton of free software libc implementations outside of glibc. I think most implementations of libc are free software at this point. There’s Bionic, the BSD libcs, musl, the Haiku libc, the OpenSolaris/OpenIndiana libc, Newlib, relibc, the ToaruOS libc, the SerenityOS libc and a bunch more. Pretty sure Wine/ReactOS also have free implementations of the Windows libc.
Glibc has extensions that fragment compatibility. If Glibc is replaced by another libc, some apps prints an error, or don’t work. I noticed that on Alpine.
I replied to another comment with this, but Debian 12(stable, bookworm) and 13(testing, trixie) are affected by this but 12(stable, bookworm) has a patch out in the security repo.
If you wanna know wether or not you’re affected,
apt list libc
will show your version and the one you want is 2.36-9+deb12u4
If you don’t have that,
apt update && apt upgrade
will straighten you out
13(testing, trixie) has 2.37, but it’s not fixed yet.
E: Edited to use apt list instead of apt show.
Important detail
as i said on reddit