But: what happens when looking for some devuan issue at dev1galaxy?
Today I have made some investigation into a long-outstanding problem:
A) searching the dev1galaxy forum gives a URL like:
dev1galaxy.org/search.php?action=search … earch+term
Without search restriction (this is the default!) there are many results!
TL;DR: A couple of times I have refined the search: Oh, there are still a lot of other interesting things. But I didn't find what I'm looking for.
B) using duckduckgo according to soren:
Cool. As of this writing duckduckgo provides a JavaScript-free search interface! Append " site:dev1galaxy.org" or prepend "!dev1galaxy " to your search string (note the space before or after string).
duckduckgo.com/html?q=search+term+site:dev1galaxy.org
or with slightly different results:
duckduckgo.com/html?q=!dev1galaxy+search+term
C) Using startpage URL:
www.startpage.com/do/dsearch?q=mouse+fo … galaxy.org
Again: startpage is still my favorite engine for daily usage but not for devuan. The results are very bad, only few to nothing. And they don't look better on a terminal :-(
Summary: As of this writing I'm now starting to search the dev1galaxy with duckduckgo.com/html without javascript.
-- guuml
BTW: sometimes I like to view some sites with a www-browser like w3m IMHO, others may prefer lynx. Searching from the commandline for "search term" may look like:
www-browser "https://search.engine/options?query=search term"
+1 point for DDG: w3m displays the results in a fancy way.
Update:
Some time ago there was a thread … ah very long time ago … I remember only vaguely … one of the first posts I have read …
Before you ask your question, …
But there are other resources available that might help you to find an answer even before you ask here …
Sometimes I have to read the information twice
Update 2: (last of today:)
A search script may look like
#!/bin/sh -xv
# find-dev1galaxy - search in the officially official devuan forum
SEARCH_TERM=`echo "$* site:dev1galaxy.org" | tr ' ' '+'`
exec www-browser "https://duckduckgo.com/html?q=$SEARCH_TERM"
Or if you prefer functions in bashism:
find_dev1galaxy() {
    # Join all arguments into one string first, then turn every space into '+'
    local q="$*"
    w3m "https://duckduckgo.com/html?q=${q// /+}+site:dev1galaxy.org"
}
Ok, processing advanced search options isn't that good
Have a nice week --guuml
Still, it's mega buggy and for this reason, I will avoid it as long as possible.
I have been using wayland for over a year on Artix linux with s6 init. I've also been using Wayland since the release of Devuan Daedalus. I can say only one thing - if you use open source video card drivers, there will be no problems. Everything works fine. And I'll repeat it again - Wayland is independent of systemd....
Just got this in my box.
Best,
A.
---
This release contains fixes for the issues reported in today's security
advisory: https://lists.x.org/archives/xorg/2024- … 61525.html
* CVE-2023-6816
* CVE-2024-0229
* CVE-2024-21885
* CVE-2024-21886
* CVE-2024-0408
* CVE-2024-0409
Additionally, it also contains several other fixes for glamor, libEI support,
and FreeBSD.
Jan Beich (2):
os: Use LOCAL_PEERCRED to determine local client PID on FreeBSD
os: Use KERN_PROC_ARGS to determine client command on DragonFly and FreeBSD
José Expósito (2):
Xi: do not keep linked list pointer during recursion
Bump version to 23.2.4
Michel Dänzer (3):
glamor: Don't override source alpha to 1.0 if it's used for blending
glamor: Make glamor_set_alu take a DrawablePtr
glamor: Fall back for mixed depth 24/32 in glamor_set_alu
Olivier Fourdan (3):
xwayland: Pass the correct oeffis device types
glx: Call XACE hooks on the GLX buffer
ephyr,xwayland: Use the proper private key for cursor
Peter Hutterer (10):
Xi: require a pointer and keyboard device for XIAttachToMaster
dix: don't allow for devices with 0 axes
xwayland: override the XTest sendEventsProc for all devices
dix: initialize the XTest sendEventsProc for all devices
dix: allocate enough space for logical button maps
dix: Allocate sufficient xEvents for our DeviceStateNotify
dix: fix DeviceStateNotify event calculation
Xi: when creating a new ButtonClass, set the number of buttons
Xi: flush hierarchy events after adding/removing master devices
dix: when disabling a master, float disabled slaved devices too
git tag: xwayland-23.2.4
https://xorg.freedesktop.org/archive/in … 2.4.tar.xz
SHA256: a99e159b6d0d33098b3b6ab22a88bfcece23c8b9d0ca72c535c55dcb0681b46b xwayland-23.2.4.tar.xz
SHA512: ac3ff208cbef5bbe4637c335cfda226489c93b0a3768f2f4fb0201c588485ede38262fbce77ef1425b3d2a0be61b6580df53341c7b95e6072c8b6371ad29d187 xwayland-23.2.4.tar.xz
PGP: https://xorg.freedesktop.org/archive/in … tar.xz.sig
---
Best,
A.
Just got this in my box.
---
This release contains fixes for the issues reported in today's security
advisory: https://lists.x.org/archives/xorg/2024- … 61525.html
* CVE-2023-6816
* CVE-2024-0229
* CVE-2024-21885
* CVE-2024-21886
* CVE-2024-0408
* CVE-2024-0409
Additionally, it also contains a fix for XRandR to allow for multiple virtual
monitors on a physical display.
José Expósito (2):
Xi: do not keep linked list pointer during recursion
xserver 21.1.11
Michael Wyraz (1):
Removing the code that deletes an existing monitor in RRMonitorAdd
Olivier Fourdan (2):
glx: Call XACE hooks on the GLX buffer
ephyr,xwayland: Use the proper private key for cursor
Peter Hutterer (6):
dix: allocate enough space for logical button maps
dix: Allocate sufficient xEvents for our DeviceStateNotify
dix: fix DeviceStateNotify event calculation
Xi: when creating a new ButtonClass, set the number of buttons
Xi: flush hierarchy events after adding/removing master devices
dix: when disabling a master, float disabled slaved devices too
git tag: xorg-server-21.1.11
https://xorg.freedesktop.org/archive/in … .11.tar.gz
SHA256: 1aa0ee1adad0b2db7f291f3823a4ab240c7f4aea710e89f5ef4aa232b6833403 xorg-server-21.1.11.tar.gz
SHA512: e41bf71955691e66084a67fc20643632087f0326d5eddc31e6edd118d05005b8ab536738c181f4c352f331ec8fc8f23ae1b45f237592fa5d7eddbffe43638b08 xorg-server-21.1.11.tar.gz
PGP: https://xorg.freedesktop.org/archive/in … tar.gz.sig
---
Best,
A.
Just got this in my box.
Good to see X.Org at work.
---
Issues in X.Org X server prior to 21.1.11 and Xwayland prior to 23.2.4
=====================================================
Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes in
xorg-server-21.1.11 and xwayland-23.2.4.
1) CVE-2023-6816 can be triggered by passing an invalid array index to DeviceFocusEvent or ProcXIQueryPointer.
2) CVE-2024-0229 can be triggered if a device has both a button and a key class and zero buttons.
3) CVE-2024-21885 can be triggered if a device with a given ID was removed and a new device with the same ID added both in the same operation.
4) CVE-2024-21886 can be triggered by disabling a master device with disabled slave devices.
5) CVE-2024-0409 can be triggered by enabling SELinux xserver_object_manager and running a client.
6) CVE-2024-0408 can be triggered by enabling SELinux xserver_object_manager and creating a GLX PBuffer.
------------------------------------------------------------------------
1) CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
Introduced in: xorg-server-1.13.0 (2012)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fix: https://gitlab.freedesktop.org/xorg/xse … 3c58a9e7e3
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
each logical button currently down. Buttons can be arbitrarily mapped to
any value up to 255 but the X.Org Server was only allocating space for the
device's number of buttons, leading to a heap overflow if a bigger value
was used.
xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
2) CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access
Introduced in: xorg-server-1.1.1 (2006)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fixes:
- https://gitlab.freedesktop.org/xorg/xse … 636109d6a5
- https://gitlab.freedesktop.org/xorg/xse … cde53553d5
- https://gitlab.freedesktop.org/xorg/xse … e0d5981b74
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
If a device has both a button class and a key class and numButtons is
zero, we can get an out-of-bounds write due to event under-allocation in
the DeliverStateNotifyEvent function.
xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
3) CVE-2024-21885: Heap buffer overflow in XISendDeviceHierarchyEvent
Introduced in: xorg-server-1.10.0 (2011)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fix: https://gitlab.freedesktop.org/xorg/xse … dce503cbd1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The XISendDeviceHierarchyEvent() function allocates space to store up
to MAXDEVICES (256) xXIHierarchyInfo structures in info.
If a device with a given ID was removed and a new device with the same
ID added both in the same operation, the single device ID will lead to
two info structures being written to info.
Since this case can occur for every device ID at once, a total of two
times MAXDEVICES info structures might be written to the allocation,
leading to a heap buffer overflow.
xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
4) CVE-2024-21886: Heap buffer overflow in DisableDevice
Introduced in: xorg-server-1.13.0 (2012)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fixes:
- https://gitlab.freedesktop.org/xorg/xse … 54dd0ce36b
- https://gitlab.freedesktop.org/xorg/xse … 10cc07c3a8
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The DisableDevice() function is called whenever an enabled device
is disabled and it moves the device from the inputInfo.devices linked
list to the inputInfo.off_devices linked list.
However, its link/unlink operation has an issue during the recursive
call to DisableDevice() due to the prev pointer pointing to a
removed device.
This issue leads to a length mismatch between the total number of
devices and the number of devices in the list, leading to a heap
overflow and, possibly, to local privilege escalation.
xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
5) CVE-2024-0409: SELinux context corruption
Introduced in: xorg-server-1.16.0 (2014)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fix: https://gitlab.freedesktop.org/xorg/xse … ea702c94f7
Found by: Olivier Fourdan
The Xserver uses the mechanism of "privates" to store additional data to its
own objects, each private has an associated "type". Each private is allocated
for the relevant size of memory that is declared at creation.
The cursor structure in the Xserver goes as far as having two keys, one for
the cursor itself and another one for the bits that make the cursor shape.
XSELINUX also uses privates but it's a bit of a special case because it uses
the same privates keys for all different objects.
What happens here is that the cursor code in both Xephyr and Xwayland uses the
wrong type of private at creation, using the cursor bits type with the cursor
private and when initiating the cursor, this overwrites the XSELINUX context.
xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
6) CVE-2024-0408: SELinux unlabeled GLX PBuffer
Introduced in: xorg-server-1.10.0 (2011)
Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
Fix: https://gitlab.freedesktop.org/xorg/xse … fe5e15dac3
Found by: Olivier Fourdan and Donn Seeley
The XSELINUX code in the Xserver labels the X resources based on a hook. What
happens here is that the GLX PBuffer code does not call that XACE hook when
creating the buffer, so it remains unlabeled, and when the client issues
another request to access that resource (as here with a GetGeometry) or even
when it creates another resource which needs to access that buffer (such as a
GC), the XSELINUX code will try to use an object that was never labeled and
crash because the SID is NULL.
xorg-server-21.1.11 and xwayland-23.2.4 have been patched to fix this issue.
---
Best,
A.
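The sizing problem described for CVE-2023-6816 in the advisory above, as an added example that is not part of the post and is not X.Org source code: a simplified model of a "buttons down" bitmask, sized once by the device's button count and once by the largest logical button value, with a bounds-checked bit setter. All function names and the sample device are constructed for illustration.

```c
/* Added illustration: simplified model, not X.Org source code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LOGICAL_BUTTON 255u /* highest value a button may be mapped to, per the advisory */

/* Bytes needed so that bit index `highest_bit` fits in the mask. */
static size_t mask_bytes(unsigned highest_bit) { return highest_bit / 8 + 1; }

/* Undersized: derived from the number of physical buttons only. */
size_t mask_size_by_count(unsigned num_buttons) { return mask_bytes(num_buttons); }

/* Sufficient: derived from the largest logical button value. */
size_t mask_size_by_max_logical(void) { return mask_bytes(MAX_LOGICAL_BUTTON); }

/* Set one bit with a bounds check; returns -1 instead of writing past the end. */
int set_button_bit(uint8_t *mask, size_t mask_len, unsigned logical)
{
    if (logical / 8 >= mask_len)
        return -1;
    mask[logical / 8] |= (uint8_t)(1u << (logical % 8));
    return 0;
}

/* Build the "buttons down" mask; returns how many bits did not fit. */
int build_mask(const uint8_t *map, const uint8_t *down, unsigned num_buttons,
               uint8_t *mask, size_t mask_len)
{
    int rejected = 0;
    memset(mask, 0, mask_len);
    for (unsigned i = 0; i < num_buttons; i++)
        if (down[i] && set_button_bit(mask, mask_len, map[i]) != 0)
            rejected++;
    return rejected;
}

/* Constructed device: 3 physical buttons, the third remapped to logical 200. */
int demo_rejected(size_t mask_len)
{
    const uint8_t map[3] = { 1, 2, 200 };
    const uint8_t down[3] = { 1, 0, 1 };
    uint8_t *mask = malloc(mask_len);
    if (mask == NULL)
        return -2;
    int rejected = build_mask(map, down, 3, mask, mask_len);
    free(mask);
    return rejected;
}

int main(void)
{
    printf("sized by count: %zu bytes, %d bit(s) out of range\n",
           mask_size_by_count(3), demo_rejected(mask_size_by_count(3)));
    printf("sized by max logical: %zu bytes, %d bit(s) out of range\n",
           mask_size_by_max_logical(), demo_rejected(mask_size_by_max_logical()));
    return 0;
}
```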
Old time favourite Memtest86+ has just released version 7.0.
https://www.theregister.com/2024/01/11/ … _released/
Version 7.0 has gained the ability to interrogate the integrated memory controller in Intel Core PCs (first to 14th generations) to find live memory timing information, as well as some preliminary support for obtaining error correction code (ECC) info on some models of AMD Ryzen.
Best,
A.
Thanks to everyone who participated in the discussion that helped to get us there!!
Just got this in my inbox.
Things 'X11' continue to roll along steadily. 8^)
Best,
A.
----
Announce: xterm-389 - 2024/01/01
Files:
https://invisible-island.net/archives/x … rm-389.tgz
https://invisible-island.net/archives/x … 89.tgz.asc
https://invisible-island.net/archives/x … 9.patch.gz
https://invisible-island.net/archives/x … tch.gz.asc
https://invisible-island.net/archives/x … rm-389.tgz
https://invisible-island.net/archives/x … 89.tgz.asc
Patch #389 - 2024/01/01
* interchange variables in subparameter parsing, fixing a bug where
subparameters after the first parameter could be misidentified
(patch by Adam Saponara).
* correct popping of icon/window titles in a case where only one was
pushed from patch #385 changes.
* add XTQMODKEYS response in DECRQSS, as alternative for vim.
* correct DECCIR encoded information on character set size, handle a
VT525 quirk, and add DECST8C (Windows Terminal #14984).
* improve DECRQCRA (prompted by discussion with James Holderness,
Windows Terminal #14974).
* add part of VT525 color controls:
+ DECAC, to update default foreground/background, respond to
DECRQSS
+ DECATC, to respond with DECRQSS
* prevent Unicode non-characters from being printed (prompted by
patch by Grady Martin).
* modify send_SGR() to avoid modifying colors 16 to 255 in printed
output (patch by Grady Martin).
* minor cleanup of miscellaneous error-codes with ERROR_MISC.
* remove legacy CSI 53 for locator status, corrected in patch #294.
* modify DECRQUPSS and DECAUPSS feature to support VT5xx character
sets (report by Thomas Wolff).
* improve configure script:
+ reduce configure-check compiler warnings (prompted by Florian
Weimer, Redhat #2251945)
+ improve usage messages in configure script to make it clearer
when an option value is optional.
* improve EWMH handling (report/analysis by Edward Rosten)
+ reset _NET_WM_STATE_HIDDEN flag from _NET_WM_STATE before
mapping the window to deiconify.
+ cache X properties to reduce latency (adapted from patch by
Edward Rosten).
----
https://www.theregister.com/2023/12/27/ … post_open/
What comes after open source? Bruce Perens is working on it
Interview Bruce Perens, one of the founders of the Open Source movement, is ready for what comes next: the Post-Open Source movement.
"I've written papers about it, and I've tried to put together a prototype license," Perens explains in an interview with The Register. "Obviously, I need help from a lawyer. And then the next step is to go for grant money."
Perens says there are several pressing problems that the open source community needs to address.
"First of all, our licenses aren't working anymore," he said. "We've had enough time that businesses have found all of the loopholes and thus we need to do something new. The GPL is not acting the way the GPL should have done when one-third of all paid-for Linux systems are sold with a GPL circumvention. That's RHEL."
...
If 'Linux' does disappear down this route, at least I'm ready....
Just got this in my inbox.
Good to see that things 'X11' are rolling along steadily.
Best,
A.
========================================================================
X.Org Security Advisory: December 13, 2023
Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3
========================================================================
Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes in
xorg-server-21.1.10 and xwayland-23.2.3.
1) CVE-2023-6377 can be triggered by forcing a logical device change on a device
with buttons which will result in an out-of-bounds memory write.
2) CVE-2023-6478 can be triggered by sending a specially crafted
request RRChangeProviderProperty or RRChangeOutputProperty. This will trigger
an integer overflow and lead to disclosure of information.
------------------------------------------------------------------------------------------------------------------------------
1) CVE-2023-6377: X.Org server: Out-of-bounds memory write in XKB button actions
Introduced in: xorg-server-1.6.0 (2009)
Fixed in: xorg-server-21.1.10 and xwayland-23.2.3
Fix: https://gitlab.freedesktop.org/xorg/xse … 4f93810afd
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
A device has XKB button actions for each button on the device. When a logical
device switch happens (e.g. moving from a touchpad to a mouse), the server
re-calculates the information available on the respective master device
(typically the Virtual Core Pointer). This re-calculation only allocated enough
memory for a single XKB action instead of enough for the newly active
physical device's number of buttons. As a result, querying or changing the XKB
button actions results in out-of-bounds memory reads and writes.
This may lead to local privilege escalation if the server is run as root or
remote code execution (e.g. x11 over ssh).
xorg-server-21.1.10 and xwayland-23.2.3 have been patched to fix this issue.
2) CVE-2023-6478: X.Org server: Out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty
Introduced in: xorg-server-1.4.0 (2007) and xorg-server-1.13.0 (2012), respectively
Fixed in: xorg-server-21.1.10 and xwayland-23.2.3
Fix: https://gitlab.freedesktop.org/xorg/xse … fff81ad632
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->nUnits bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
See also CVE-2022-46344 where this issue was fixed for other requests.
xorg-server-21.1.10 and xwayland-23.2.3 have been patched to fix this issue.
------------------------------------------------------------------------------------------------------------------------------
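The length truncation described for CVE-2023-6478 in the advisory above, as an added example that is not part of the post and is not X.Org source code: a simplified size check done in 32-bit arithmetic next to one that widens to 64 bits before multiplying. The header size, function names and sample values are constructed; the real request layout and the REQUEST_FIXED_SIZE macro are not reproduced here.

```c
/* Added illustration: simplified model, not X.Org source code. */
#include <stdint.h>
#include <stdio.h>

#define HDR_BYTES 24u /* constructed fixed-header size, not the real request layout */

/* Size check with the expected length computed in 32 bits: the product
 * n_units * bytes-per-unit can wrap modulo 2^32, so a very large n_units
 * can yield a small "expected" size that matches a short request. */
int size_check_32bit(uint32_t received_len, uint32_t n_units, uint32_t format_bits)
{
    uint32_t payload = n_units * (format_bits / 8); /* may wrap */
    uint32_t expected = HDR_BYTES + payload;        /* may wrap */
    return expected == received_len;
}

/* Same check with the arithmetic widened to 64 bits and the format
 * restricted to the X11 property formats 8, 16 and 32. */
int size_check_64bit(uint32_t received_len, uint32_t n_units, uint32_t format_bits)
{
    if (format_bits != 8 && format_bits != 16 && format_bits != 32)
        return 0;
    uint64_t expected = (uint64_t)HDR_BYTES + (uint64_t)n_units * (format_bits / 8);
    return expected == (uint64_t)received_len;
}

/* Bytes the handler would go on to read for this unit count and format. */
uint64_t payload_bytes(uint32_t n_units, uint32_t format_bits)
{
    return (uint64_t)n_units * (format_bits / 8);
}

int main(void)
{
    /* Constructed requests: one ordinary, one whose unit count wraps the product. */
    struct { uint32_t len, units, fmt; } reqs[] = {
        { 40, 4, 32 },
        { 24, 0x40000000u, 32 },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("len=%u units=%u: 32-bit check=%d, 64-bit check=%d, payload=%llu bytes\n",
               reqs[i].len, reqs[i].units,
               size_check_32bit(reqs[i].len, reqs[i].units, reqs[i].fmt),
               size_check_64bit(reqs[i].len, reqs[i].units, reqs[i].fmt),
               (unsigned long long)payload_bytes(reqs[i].units, reqs[i].fmt));
    return 0;
}
```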
uname -a
... 6.1.0-15-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.66-1 (2023-12-09) x86_64 GNU/Linux
Addendum: did this bug break anything for anyone? I can't see that anything is broken here.
Addendum 2: Is this perhaps different with Devuan because no systemd is used?
Leave it to GNOME to break things (again). Bad enough that they broke extensions for the umpteenth time, now they're also getting ready to push wayland-only in the future.
Link to the article:
https://news.itsfoss.com/gnome-wayland-xorg/
Unless wayland gets it together with NVIDIA cards (which is a startling number of PCs these days), I can see this ending badly for users of that brand. Then again, when was NVIDIA ever really kind towards Linux?....
Recently, they have been more kind, although that might not mean much.
Gnome on the other hand, those devs are poison and should be barred from adding their bloat to other communities. Just say no to bloat.