Harden Debian with PIE and bindnow!

pie-bindnow-debian Shipping Position Independent Executables and using read-only Global Offset Table was already possible for packages but needed package maintainers to opt-in for each package (see Hardening wiki) using the “pie” and “bindnow” Dpkg hardening flags.

Many critical packages enabled the extra flags but there are still way more left out according to Lintian hardening-no-bindnow and hardening-no-pie warnings.

Now we can change that. We can make those hardening flags the default for every package.
We already have the needed patches for GCC (#835148) and dpkg (#835146, #835149). We already have all packages rebuilt once to test which breaks (Thanks to Lucas Nussbaum!). The Release Team already asked porters if they feel their ports ready for enabling PIE and most ports tentatively opted-in (Thanks to Niels Thykier for pushing this!).

What is left is fixing the ~75 open bugs found during the test rebuilds and this is where You can help, too! Please check if your packages are affected or give a helping hand to other maintainers who need it. (See PIEByDefaultTransition wiki for hints on fixing the bugs.) Many thanks to those who already fixed their packages!

If we can get past those last bugs we can enable those badly needed security features and make Stretch the most secure release ever!

Progress report on hardened1-linux-amd64, a potential Debian port with PIE, ASAN, UBSAN and more

It was more that one and a half years ago when I proposed creating a new security &QA focused port for Debian and now I’m happy to share the first bits of it.

Last year I started the bootstrapping during the holidays and I now have the prototype in the form of cross built packages which can be installed next to amd64 packages using multiarch.

The aim of creating the port is still the same, letting people mix fast (amd64) and reasonably hardened (hardened1-linux-amd64) packages on the same system. (Only for QA purposes for now, see update 3.)

You can already try the cross-built packages in an amd64 unstable chroot, but be warned that the packages are not stable yet.

In the following session I tested curl which seems to be working OK, and groff, which seems to be too buggy even for debugging:

debootstrap --arch=amd64 unstable test-hardened1
# mount /proc for ASAN
mount --bind /proc test-hardened1/proc
chroot test-hardened1/
apt-get install debian-keyring
# this is my key, I'll create one dedicated release key later
gpg --keyring /usr/share/keyrings/debian-keyring.gpg -a --export 0x21E764DF | apt-key add -
echo "deb http://hardened1-debian.s3.amazonaws.com/debian-cross-built hardened1-unstable main" >> \
apt-get update
# update apt and dpkg to versions handling the new port
apt-get upgrade
apt-get update
dpkg --add-architecture hardened1-linux-amd64
apt-get update
apt-get install curl:hardened1-linux-amd64
curl -s https://www.debian.org | tail -n2
apt-get install -t hardened1-unstable groff:hardened1-linux-amd64
==20642==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f79cd84698a bp 0x619000006980 sp 0x7ffe89b3a930 T0)
==20642==AddressSanitizer: while reporting a bug found another one. Ignoring.

The next steps are finalizing the changes to apt, dpkg, GCC, glibc and other packages,  rebuilding all packages in hardened1-linux-amd64 sbuild chroots and building the rest of the archive.
Some of the patches are not submitted yet but they are available in a temporary fork of rebootstrap
I hope I’ll be back soon with the recompiled and finalized packages, but until then feel free to try the cross-compiled ones! Patches fixing crashes are always welcome! 🙂

update 1: Some packages like dpkg-dev are not installable, I’m working on them.

update 2: There is one similar project I know of which aims creating an address sanitized Gentoo variant and Hanno Böck will give a presentation about that at FOSDEM.

update 3: Note that using ASAN in its current form opens new attack surfaces thus it is not recommended for securing systems especially since it is incompatible with kernels with Grsecurity patches. The port is in current form allows detecting a lot of bugs thanks to ASAN, but as mentioned int thread at oss-security, but don’t use it on production machines. Experiments with the port might pave the way for an Address Sanitizer version which could be for improving system’s security without opening new ways of bypassing protection.

Wireshark 2.0 switched default UI to Qt in unstable

Wireshark With the latest release the Wireshark Project decided to make the Qt GUI the default interface. In line with Debian’s Policy the packages shipped by Debian also switched the default GUI to minimize the difference from upstream. The GTK+ interface which was the previous default is still available from the wireshark-gtk package.

You can read more about the new 2.0.0 release in the release notes or on the Wireshark Blog featuring some of the improvements.

Happy sniffing!

update: Wireshark 2.0.0 will be available from testing and jessie-backports in a week. Ubuntu users can already download binary packages from the Wireshark stable releases PPA maintained by the Wireshark Project (including me:-)).

FFmpeg and Kodi arrived to jessie-backports!

FFmpeg Kodi Debian JessieDebian has switched to FFmpeg in testing in July but the work on the package did not stop at that point. After careful testing we can now provide official packages for Jessie users through jessie-backports. See installation instructions here. FFmpeg becoming available in jessie-backports also enabled us to provide Kodi from Debian in the same official repository.

Thanks to everyone in the Debian Multimedia Maintainers team, especially Andreas Cadhalpun who is also upstream developer at the FFmpeg project, Reinhard Tartler who maintained FFmpeg then Libav then FFmpeg again in Debian for long years and everyone else I could not name here but helped making this possible!

Kernel oops collector is back in Debian!

oops-debian The Linux Kernel Oops website collects kernel errors from all over the World helping kernel developers finding issues occurring in the wild but they cannot help if no one sends reports to them.

The Kerneloops client used to be part of Debian releases but it has been removed from the archive due to not working with the new collector site.

When I started observing oopses on my machine I first thought of submitting a bug against the linux package in  BTS, but looking at the numerous bugs opened already I looked for a more automated solution which would also help others. Reviving the kerneloops package involved switching it to the new submission URL, fixing a few memory allocation bugs in C (this is the first package I found using Valgrind by default for running tests) and ensuring that upstream was still active.  The last step took the most of the time but finally Anton Arapov kindly accepted my patches and everything was set for the new upload.

The package is now available from unstable and if you feel so (especially if you experience oopses) please give it a try and report any problems you find. I’m also happy to receive success stories about oopses fixed after discovering and collecting them with the client. 🙂

Debian success stories: Automated signature verification

Debian was not generally seen as a bleeding-edge distribution, but it offered a perfect combination of stability and up-to-date software in our field when we chose the platform for our signature verification project. Having an active Debian Developer in the team also helped ensuring that packages which we use were in good shape when the freeze, then the release came and we can still rely on Jessie images with only a few extra packages to run our software stack.

Not having to worry about the platform, we could concentrate on the core project and I’m proud to announce that our start-up‘s algorithm won this year’s Signature Verification Competition for Online Skilled Forgeries (SigWIComp2015) . The more detailed story can be read already in the English business news and is also on index.hu, a leading Hungarian news site. We are also working on a solution for categorizing users based on cursor/finger movements for targeting content, offers and ads better. This is also covered in the articles.

László – a signature comparable in quality to the reference signatures

The verification task was not easy. The reference signatures were recorded at very low resolution and frequency and the forgers did a very good job in forging them creating a true challenge for everyone competing. At first glance it is hard to imagine that there is usable information in such small amount of recorded data, but our software is already better than me, for example in telling the difference between genuine and forged signatures. It feels like when the chess program beats the programmer again and again. 🙂

I would like to thank you all, who helped making Debian an awesome universal operating system and hope we can keep making every release better and better!

How to automount optical media on Debian Linux for Kodi – Reblogged from Ddumont’s blog


This problem has been bugging me for a while: how to setup my Kodi based home cinema to automatically mount an optical media ?

Turns out the solution is quite simple, now that Debian has switched for systemd. Just add the following line to /etc/fstab:

/dev/sr0 /media/bluray auto defaults,nofail,x-systemd.automount 0 2

continue reading …

Source: How to automount optical media on Debian Linux for Kodi

Debian is preparing the transition to FFmpeg!

Ending an era of shipping Libav as default the Debian Multimedia Team is working out the last details of switching to FFmpeg. If you would like to read more about the reasons please read the rationale behind the change on the dedicated wiki page. If you feel so be welcome to test the new ffmpeg packages or join the discussion starting here. (Warning, the thread is loooong!)


Hot upgrading Erlang applications using tools in Debian

Erlang lets you write applications supporting zero downtime by switching one live system to another running a different application version converting the application’s state on the fly to the new representation. Debian packages however can have only one installed version on a system which prevents using Erlang’s hot-upgrade feature easily.

Engineers at Yakaz (Jean-Sébastien Pédron) came up with a nice solution by creating separate directories for each application release and creating .deb packages for managing the transitions. I had to solve the same problem recently and found that the erlsvc Perl application they created needed a few patches to be usable with latest Erlang and other packages and with the changes it worked perfectly. Yakaz was not interested in accepting the patches and developing it further, but let me continue the maintenance. Please find the updated erlsvc application under my GitHub account and feel free to submit patches if you find something to fix in it.

I have also packaged erlsvc as an official Debian package and it is waiting in the NEW queue for being accepted. When it enters unstable you will have to make very little effort to make your applications hot-upgradeable on Debian!

update: The package has now been accepted to the archive. Thanks to the FTP Masters for their hard work!

Kodi from Debian

The well known XBMC Media Center has been renamed to Kodi with the 14.0 Helix release and following upstream’s decision the xbmc packages are renamed to kodi as well. Debian ships a slightly changed version of XBMC using the “XBMC from Debian” name and following that tradition ladies and gentlemen let me introduce you “Kodi from Debian”:

Kodi from Debian main screen

Kodi from Debian main screen

As of today Kodi from Debian uses the FFmpeg packages instead of the Libav ones which have been used by XBMC from Debian. The reason for the switch was upstream’s decision of dropping the Libav compatibility code and FFmpeg becoming available again packaged in Debian (thanks to Andreas Cadhalpun). It is worth noting that while upstream Kodi 14.0 downloads and builds FFmpeg 2.4.4 by default, Debian ships FFmpeg 2.5.1 already and FFmpeg under Kodi will be updated independently from Kodi thanks to the packaging mechanism.

The new kodi packages are uploaded to the NEW queue and are waiting for being accepted by the FTP Masters who are busy with preparing Jessie for the release (Many thanks to them for their hard work!), but in the meantime you can install kodi from https://people.debian.org/~rbalint/ppa/xbmc-ffmpeg/.

Happy recovery from the holidays! 🙂

update: I have updated the Kodi version to 14.2 in the xbmc-ffmpeg repository also updating FFmpeg to 2.6.1.
The packages can be used with Jessie, but unstable and experimental repositories also have to be enabled due to some dependencies missing from Jessie but present in unstable/experimental.

update 2: Dominique Dumont wrote a nice how-to about automounting optical media (CD/DVD) using Kodi on Debian.

update 3: Kodi is now available from jessie-backports, testing and unstable. Please use the packages from the official repositories instead of my temporary one which contains outdated packages and will be deleted.