Year: 2014

  • Mudlet 3 beta

    Mudlet - Graphical MUD client

    A break from wordpress, I was trying to get the beta version of mudlet 3.0 compiling. On the surface the program looks a lot like the existing v2.0 that is currently within Debian.  The developers have switched from qt4 to qt5 which means a lot of dependency fun for me but I got there in the end.

    As it is only a beta and not their final release, the package is located within the Debian experimental release. Once 3.0 hits a final release, I’ll switch it to sid.  If you do use the current mudlet, give 3.0 a try. I’d be interested to know what you think.

  • WordPress 4.1 for Debian

    Release 4.1 of WordPress came out on Friday so after some work to fit in with the Debian standards, the Debian package 4.1-1 of WordPress will be uploaded shortly. WordPress have also updated their themes with a 14-day early theme called twentyfifteen. This is the default theme for WordPress 4.1 onwards.

  • WordPress 4.0.1 fixes for Debian stable

    Previously I posted a short article about the WordPress package for Debian and how sid was getting the updated WordPress 4.0.1, which had some security fixes.

    The question a lot of people were asking was: What about stable (or Wheezy)? After way too much time due to other pressing issues, I have just uploaded the patched WordPress Debian package for stable. The fixed version has the catchy number of 3.6.1~deb7u5. This package has all of the relevant patches that went in from WordPress 3.7.4 to 3.7.5 and there are even CVE IDs for this package (and 4.0.1 which all this stems from).

  • WordPress 4.0.1 for Debian

    WordPress recently released an update that had multiple security patches for their (then) current version 4.0. This release is 4.0.1 and includes important security fixes. The Debian packages just got uploaded; if you are running the Debian packaged wordpress, you should update to 4.0.1+dfsg-1 or later.

    I am going to look at these patches and see if they can and need to be backported to wordpress 3.6.1. Unfortunately I believe they will be. I’m also asking it to be unblocked into Jessie as it is a security fix.

    There were, at the time of writing, no CVE numbers.

  • IPv6 and bridges

    I’ve reported a bug on bridge-utils, but perhaps someone has already seen this and has a fix. My virtual IPv6 machines often lose connectivity from time to time. Tracking this down, it seems that the router sends Neighbor Solicitations (IPv6 ARPs basically). The physical interface of the bridge group receives it, but the vnet0 one does not.

    Using tshark I can see the pings on vnet0 but on br0 and eth1 I see the ping requests and the NS packets. So there is something odd going on with the bridge interface.

    If I remove and add the vnet0 interface from the bridge group, the connectivity comes back.

  • How not to get Galaxy Tab into Safe Mode

    For weeks my Galaxy Tab 10.1 has reasonably consistently gone into safe mode. Not booting into it but I’d use it fine then put it away and next time I looked at it, Safe Mode was there. It wasn’t every time, but averaged to be about every second time.

    So the first thing was a bit of googling to see what this Safe Mode was. Most of the suggestions were around how to put it into safe mode during the boot process but my problem was opposite; it wasn’t during booting and I wanted something to stop safe mode, not put the device into it. The closest I got to it was there was some misbehaving program that kicked the thing into safe mode.

    The problem was, I checked several times and there were no running programs. I really did start to worry I had a hardware fault or something wrong deep within the OS.

    When you have problems in IT, you’re usually asked “What’s new? What’s changed?”. The answer is generally “Nothing” which gets a switch “No really, what did change”. The only answer I could come up with was a hardware keyboard. This slim aluminum keyboard uses Bluetooth to communicate with the tablet and clips onto the front screen to protect it when not in use. Could this be the change I was looking for?

    The clue was that sometimes when you boot Android, if you hold down some keys it boots into safe mode. It seems that holding down some combination of keys (volume up/down, power) puts it into safe mode. The keyboard can clip onto the tablet in two ways; one long edge has some raised edges while the other doesn’t. If the raised edge was connected to the same side as the buttons, I’d get safe mode sometimes as the edge pushed some of those buttons. More importantly, putting the raised edge on the side with no buttons meant no more safe mode.

    Not really a software or electrical fault, more one of just mechanics.

     

  • WordPress 4.0 for Debian

    Yesterday WordPress released version 4.0 or “Benny” of WordPress. I have now downloaded it and packed up for Debian users. The files just hit the ftp-master a few minutes ago and will then be distributed out to the various Debian mirrors.

    The upgrade should go smoothly but you will probably need to upgrade the twentytwelve/twentyfourteen themes if you have them installed. It seems that with release 4.0 they also updated these themes.

    My next Debian task for wordpress is to re-examine the permissions and locations of wp-content to see if we can have something that permits online updates of the plugins and themes but is still FHS compliant. I’ve also had some people report they have some installation problems, mainly around configuration and directories so let’s see if that can get fixed too.

     

  • WordPress 3.9.2 for Debian

    WordPress today released a security release, 3.9.2, in which they fix several security issues, including a denial of service issue around XML. The corresponding Debian package 3.9.2+dfsg-1 is currently being uploaded to the Debian ftp-master server as I write this and should be available on the mirrors soon.

    Unfortunately at the time of writing, there are no CVE identifiers to match these problems up with, but refer to the wordpress page for details about these bugs.

    Andrew Nacin from WordPress has kindly outlined what versions are susceptible and it looks like the Debian squeeze (3.6.1+dfsg-1~deb6u4) and wheezy (3.6.1+dfsg-1~deb7u3) are vulnerable to at least some of these bugs, which means for me it’s patch reading and back-porting time.

     

  • Linux Capabilities

    I was recently updating some code that uses fping. Initially it used exec() that was redirected to a temporary file but I changed it to use popen. While it had been a while since I’ve done this sort of thing, I do recall there was an issue with running popen on a setuid binary. I later found it is mainly around setuid scripts, which are very problematic, and there are good reasons why you don’t do this.

    Anyhow, the program worked fine which surprised me. Was fping setuid root to get the raw socket?

    $ ls -l /usr/bin/fping
    -rwxr-xr-x 1 root root 31464 May  6 21:42 /usr/bin/fping
    

    It wasn’t, and at first all I thought was “ok, so that’s why popen is happy”. The way that fping and other programs work is they bind to a raw socket. This socket sits below the normal type sockets such as the ones used for TCP and UDP and normal users cannot use them by default. So how did fping work its magic and get access to this socket? It used Capabilities.

     

    Previously getting privileged features had a big problem; it was an all or nothing thing. You want access to a raw socket? Sure, be setuid but that means you also could, for example, read any file on the system or set passwords. Capabilities provide a way of giving programs some better level of access, but not a blank cheque.

    The tool getcap is the way of determining what capabilities are found on a file. These capabilities are attributes on the file which, when the file is run, turn into capabilities or extra permissions. fping has the capability cap_net_raw+ep applied to it. This gives access to the RAW and PACKET sockets which is what fping needs. The +ep after the capability name means it is an Effective and Permitted capability, which describes what happens with child processes and dropping privileges.

    I hadn’t seen these Capabilities before. They are a nice way to give your programs the access they need, while limiting the risk of something going wrong and having a rogue program running as root.
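
The file attribute that getcap reads can be decoded by hand. The following is an added example, not code from the original post: it assumes the Linux `security.capability` extended attribute and the `vfs_cap_data` layout from the kernel headers, and the function names and the sample bytes are constructed for illustration.

```python
import os
import struct

# Subset of bit numbers from <linux/capability.h>; anything else prints as cap_<n>.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Revision -> number of 32-bit (permitted, inheritable) pairs that follow the header.
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

def decode_file_caps(raw):
    """Decode a security.capability xattr value into {capability: flags}."""
    if len(raw) < 4:
        raise ValueError("too short for a vfs_cap_data header")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    pairs = PAIRS.get(magic_etc & VFS_CAP_REVISION_MASK)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("not a recognised vfs_cap_data blob")
    permitted = inheritable = 0
    for i in range(pairs):
        word_p, word_i = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= word_p << (32 * i)
        inheritable |= word_i << (32 * i)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    caps = {}
    for bit in range(32 * pairs):
        in_p, in_i = permitted >> bit & 1, inheritable >> bit & 1
        flags = ("e" if effective and (in_p or in_i) else "") \
            + ("i" if in_i else "") + ("p" if in_p else "")
        if flags:
            caps[CAP_NAMES.get(bit, "cap_%d" % bit)] = flags
    return caps

def file_caps(path):
    """Read the attribute from a real file (Linux only); {} if absent or unreadable."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:
        return {}

# Constructed sample: the bytes a cap_net_raw+ep grant is stored as (revision 2).
FPING_SAMPLE = struct.pack("<5I", 0x02000001, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print(decode_file_caps(FPING_SAMPLE))
    print(file_caps("/usr/bin/fping"))
```

Running `file_caps()` over the binaries in a package is a quick way to check that each one carries only the narrow grant it needs.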

  • PHP uniqid() not always a unique ID

    For quite some time modern versions of JFFNMS have had a problem. In large installations hosts would randomly appear as down with the reachability interface going red. All other interface types worked, just this one.

    Reachability interfaces are odd, because they call fping or fping6 to do the work. The reason is because to run a ping program you need to have root access to a socket and to do that is far too difficult and scary in PHP which is what JFFNMS is written in.

    To capture the output of fping, the program is executed and the output captured to a temporary file. For my tiny setup this worked fine, for a lot of small setups this was also fine. For larger setups, it was not fine at all. Random failed interfaces and, most bizarrely of all, a file disappearing. The program checked for a file to exist and then ran stat in a loop to see if data was there. The file exist check worked but the stat said file not found.

    At first I thought it was some odd load related problem, perhaps the filesystem not being happy and having a file there but not really there. That was, until someone said “Are these numbers supposed to be the same?”

    The numbers he was referring to were the filename id of the temporary file. They were most DEFINITELY not supposed to be the same. They were supposed to be unique. Why were they always unique for me and not for large setups?

    The problem is with the uniqid() function. It is basically a hex representation of the time.  Large setups often have large numbers of child processes for polling devices. As the number of poller children increases, the chance that two child processes start the reachability poll at the same time and have the same uniqid increases. It’s why the problem happened, but not all the time.

    The stat error was another symptom of this bug, what would happen was:

    • Child 1 starts the poll, temp filename abc123
    • Child 2 starts the poll in the same microsecond, temp filename is also abc123
    • For child 1 and child 2 the wait poller starts, sees that the temp file exists and goes into a loop of stat and wait until there is a result
    • Child 1 finishes, grabs the details, deletes the temporary file
    • Child 2 loops, tries to run stat but finds no file

    Who finishes first is entirely dependent on how quickly the fping returns and that is dependent on how quickly the remote host responds to pings, so it’s kind of random.

    The fix was a minor patch to use tempnam() instead of uniqid(), adding the interface ID to the mix for good measure (no two children will poll the same interface; the parent’s scheduler makes sure of that). The initial response is that it is looking good.
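
The collision and the stat failure described above can be replayed outside PHP. This is an added example, not JFFNMS code: it models the value uniqid() returns without more_entropy (8 hex digits of seconds followed by 5 hex digits of microseconds) in Python, uses `tempfile.mkstemp()` as the stand-in for tempnam(), and all function names and start times are constructed.

```python
import os
import tempfile

def php_style_uniqid(sec, usec):
    """Model of PHP uniqid() without more_entropy: hex seconds + hex microseconds."""
    return "%08x%05x" % (sec, usec)

def decode_uniqid(value):
    """Recover (seconds, microseconds) from a 13-character uniqid value."""
    return int(value[:8], 16), int(value[8:13], 16)

def colliding_names(start_times):
    """Map each temp name to the children that chose it; keep only shared names."""
    owners = {}
    for child, (sec, usec) in enumerate(start_times, 1):
        owners.setdefault("fping_" + php_style_uniqid(sec, usec), []).append(child)
    return {name: kids for name, kids in owners.items() if len(kids) > 1}

def replay_race(workdir, sec, usec):
    """Replay the five steps: two children, one file, child 1 deletes it first."""
    path1 = os.path.join(workdir, "fping_" + php_style_uniqid(sec, usec))
    path2 = os.path.join(workdir, "fping_" + php_style_uniqid(sec, usec))
    open(path1, "w").close()                # fping output file, shared by accident
    seen_by_child2 = os.path.exists(path2)  # child 2's "file exists" check passes
    os.remove(path1)                        # child 1 finishes and cleans up
    try:
        os.stat(path2)                      # child 2's next loop iteration
        return seen_by_child2, "stat ok"
    except FileNotFoundError:
        return seen_by_child2, "stat: file not found"

def unique_temp_file(workdir, interface_id):
    """tempnam()-style fix: the file is created atomically under a fresh name."""
    fd, path = tempfile.mkstemp(prefix="fping_%d_" % interface_id, dir=workdir)
    os.close(fd)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Constructed start times: children 1 and 2 share a microsecond.
        print(colliding_names([(1400000000, 250), (1400000000, 250), (1400000000, 251)]))
        print(replay_race(d, 1400000000, 250))
        print(unique_temp_file(d, 7), unique_temp_file(d, 7))
```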