Flock 2014 in Prague!
As I mentioned in my previous blog post, the Fedora Project sponsored me to attend and talk at Flock this year in August in the beautiful city of Prague. Here is a short report of how it went:

Day 1:
Flock started with a short welcome address by Fedora Project Leader Matthew Miller, followed by a keynote address from Gijs Hillenius, who is a journalist. He spoke about the adoption of Free and Open Source software in Europe. He also discussed the various hurdles faced in the acceptance of open source software by various administrative agencies. After this I attended a talk on Fedora QA, which ended with some information about what to do if anyone was interested in joining. After lunch Matthias Clasen spoke about Wayland, which is progressing quite well. It seems Fedora 21 will ship with Wayland, though not enabled by default, because a lot of work is still ongoing. There were two kernel talks after that, one of them by Josh Boyer. I asked about including grsec patches in the kernel, and Josh replied that they could very well end up in a copr repository, but not in the main Fedora kernel.

Day 2:
The second day started with a talk by Stephen Gallagher about the Fedora Server spin in the upcoming Fedora 21. I particularly like RoleKit. He also gave a demo of Cockpit, which sounds pretty interesting. Adam Williamson spoke about UEFI after that. I had a few questions about Secure Boot, which Peter Jones answered. The Novena project spoke about building a laptop from scratch after that, though I was not particularly interested in knowing! After lunch there was a Q&A session with FESCo, where they tried to explain how it works on a day-to-day basis and how decisions are usually taken. The day ended with a session on Docker.

Day 3:
The first talk on the third day was Arun SAG talking about Docker. Dennis Gilmore gave an excellent presentation about Fedora infrastructure. In the second half of the day I looked at 3D printing and then ended up in the Package Review hackfest. Sadly almost everyone there was either a proven packager or a FPL member, and there was no one who needed sponsorship. I spent that time trying to update some of the packages I maintain to their newer upstream versions, so I did end up doing packaging during that time :)

Day 4:
I gave a talk on "Secure Programming Practices". It was well attended, though I feel I should have started a bit late, because most of the people were tired after dancing most of the night before. There were some pretty good questions asked and I tried to answer as best I could. There is a YouTube video available here. After that Michael spoke about Security Audit. He gave a few interesting examples of how upstream failed to respond to him until he made the issue public. Kamil spoke about using static analyzers in Fedora. His csmock tool seems to be just a wrapper around some of the available static analyzers like cppcheck and clang, however he has some big plans for integrating it with bodhi and even making it available as a hosted solution in the near future. It should be really interesting to watch what happens. There were two fedora.next related workshops after that. I only briefly sat in on them, and rather used that time to talk with other contributors and my fellow Red Hat colleagues whom I speak with on IRC. It was nice to put faces to those IRC nicks and email addresses!

All in all, Flock was pretty good. My only complaint is the scheduling. There were multiple talks on Fedora.next and people eventually lost interest. Some of the popular talks were full; if they had been put in a bigger room, more people could have taken part.


Talking about Fedora Security at flock 2014 in Prague
I am going to talk about Security at Flock 2014 in Prague. My talk will start with a focus on developers and discuss common programming pitfalls in C code, giving examples of actual security flaws found in open source code, including the famous "heartbleed", and the ways these could be fixed and even avoided. I will then try to shift focus a bit and talk about how package maintainers, QE and even Fedora users can make a difference to the overall security of the operating system.

So if you are interested in how we keep Fedora secure and are in Prague on 9th August, drop by and say hello!

Masters in Open Source technology!
Some time back, I got an opportunity to teach Application Security to an online graduate-level class in India. To my knowledge this is the first and perhaps the only course which teaches you open source technology. Topics in the course range from web languages and databases to even mobile and cloud. Classes are conducted online via web conferencing. Students can ask questions and get their doubts cleared, and the semesters end with a project. I would really recommend this course to anyone in India who wants to make a career in open source.
More details available at:

Blog on Transport Layer Security

I just wrote a blog post on TLS, details at:



Security Flaws i discovered!
I was thinking of writing this list down for some time, for various reasons including record-keeping.
(It took me some time to remember all of the flaws which I had found!)
For my $DAYJOB I work for the Red Hat Security Response Team. But I like to do some of my own
security research in my time off. All of the flaws listed here were reported ethically. They have been
found by using various techniques such as code auditing, fuzzing, static analysis etc.

| Product | Date | Reference | Flaw type | More info |
|---|---|---|---|---|
| wireshark | 09-Feb-2011 | CVE-2011-0538 | Memory corruption | link |
| wireshark | 03-March-2011 | CVE-2011-1139 | Memory corruption | link |
| wireshark | 31-May-2011 | CVE-2011-1958 | Null pointer deref. | link |
| wireshark | 31-May-2011 | CVE-2011-1959 | Memory corruption | link |
| wireshark | 31-May-2011 | CVE-2011-2175 | Memory corruption | link |
| flash-plugin | 21-Sept-2011 | CVE-2011-2428 | logic error | link |
| libreoffice | 05-Oct-2011 | CVE-2011-2713 | Memory corruption | link1 link2 |
| wireshark | 01-Nov-2011 | CVE-2011-4102 | Memory corruption | link |
| Openjpeg | 24-Aug-2012 | CVE-2012-3535 | Memory corruption | link |
| libtiff | 07-July-2012 | CVE-2012-3401 | Memory corruption | link |


May the (FORTIFY_)SOURCE be with you!!!
A few days back, while investigating a particular security flaw, I discovered something about glibc's FORTIFY_SOURCE format string protection which I did not know earlier.

Most developers (or at least some of them) seem to think that a program compiled with FORTIFY_SOURCE enabled is protected against any format string flaw. This, however, is not completely true: a lot of glibc functions are in fact not protected. One example is the warn() function.

As per the man page:

The err() and warn() family of functions display a formatted error message on the standard error output. In all cases, the last component of the program name, a colon character, and a space are output. If the fmt argument is not NULL, the printf(3)-like formatted error message is output. The output is terminated by a newline character.

err(), warn() and the other functions described in that man page all take printf()-like "formatted" data as their input. Since they are not protected by FORTIFY_SOURCE, something like warn(message), where the message comes from user input, could be exploited.
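The difference between warn(message) and the constant-format form can be seen without any harmful input. The following is an added example, not code from the original post; report_unsafe, report_safe and warn_output_contains are hypothetical names, and the sample message is constructed and uses only the harmless "%%" directive.

```c
#include <err.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pattern from the post: the message itself is used as the format string.
 * The pragma only silences -Wformat-security so both forms build together. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void report_unsafe(const char *message) { warn(message); }
#pragma GCC diagnostic pop

/* Hardened form: constant format string, message passed as data. */
static void report_safe(const char *message) { warn("%s", message); }

/* Hypothetical helper: run `report` with stderr redirected into a pipe.
 * Returns 1 if warn()'s output contains `needle`, 0 if not, -1 on error. */
static int warn_output_contains(void (*report)(const char *),
                                const char *message, const char *needle)
{
    char out[512];
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    int saved = dup(STDERR_FILENO);
    if (saved < 0) { close(fds[0]); close(fds[1]); return -1; }
    fflush(stderr);
    dup2(fds[1], STDERR_FILENO);
    close(fds[1]);
    report(message);
    fflush(stderr);
    dup2(saved, STDERR_FILENO);   /* restores stderr, closes the write end */
    close(saved);
    ssize_t got = read(fds[0], out, sizeof(out) - 1);
    close(fds[0]);
    if (got < 0)
        return -1;
    out[got] = '\0';
    return strstr(out, needle) != NULL;
}

int main(void)
{
    const char *message = "disk 100%% full";  /* constructed; "%%" prints '%' */
    printf("unsafe keeps literal text: %d\n",
           warn_output_contains(report_unsafe, message, "100%% full"));
    printf("safe keeps literal text:   %d\n",
           warn_output_contains(report_safe, message, "100%% full"));
    return 0;
}
```

The unsafe wrapper lets warn() interpret the directive, so the text that reaches stderr is no longer the text that was passed in. Building with -Wformat -Wformat-security reports the warn(message) call at compile time, which catches the pattern regardless of FORTIFY_SOURCE.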

There may be other glibc functions which take a formatted user argument and are not protected either. I leave finding them as an exercise for the reader :)

In the meantime the following bugs were filed:

1. glibc upstream
2. Red Hat Bugzilla

Speaking at FUDCon, Pune

Sorry for not blogging for a long time now. I had promised myself that I would blog regularly but just could not make it :(

Anyway, my colleague Eugene Teo and I are going to speak at the upcoming FUDCon in Pune about open-source security. We will cover the basics of how software security works, and how vendors like Red Hat go about fixing things.

Since the conference is going to be conducted in a college, we expect most of the audience to be students, hence the presentation is going to be pretty simple and straightforward, nothing too fancy :)

If you are really interested in learning something or just want to meet me or Eugene, then be there :)

going to fudcon pune 2011

Move v4l ioctl's from the kernel to userspace
For some days now I have been trying to port kernel code from linux-2.6/drivers/media/video/v4l1-compat.c to libv4l1, which is a part of v4l-utils.
Initially I thought this would be a manual process, just trying to copy and paste stuff from one place to another and making sure things are indented correctly. But it turned out to be a whole new learning experience for me.
Firstly I learnt how things are handled differently in userspace and kernel space. For example, the kernel has a limited stack size, so if you are using a struct, you declare it as a pointer and kmalloc memory for it, so that when it's pushed on the stack, only the pointer is pushed. Userspace, however, does not have that limitation.

So around 10/12 ioctl ports later, I finished doing it and now we are ready to do some testing and perhaps deprecate
the v4l1-compat driver in the kernel.

As always thanks a lot to Hans de Goede for guiding and helping me on this.

gtk-v4l 0.3 packaged for fedora now
In continuation of my last post, I got gtk-v4l packaged for Fedora. Well, it was already there, I just upgraded it to version 0.3 in case anyone wants to use it.

Fedora 13:

Fedora 12:

It would be great if people could give some feedback on it.

Announcing gtk-v4l version 0.3
First a bit of background.
In mid January this year Hans de Goede wrote a mail to the fedora-devel list proposing an idea for a GTK Video4Linux preferences applet, which would allow people to control their v4l webcams.
His original intention was to give it to his students to work on as a project. I also asked him to let me work on it, and since none of his students were interested I started work.

So for the last 6 months I have been working on this in my spare time and it's time to bring release 0.3 to the general public. There have been a lot of changes from the earlier release 0.2, which is packaged for Fedora as well as Ubuntu.

Here are some of the new features:
- Hot plug support
- Ability to control write-only properties like pan and tilt.
- Completely re-factored code.

I am working on Rawhide and F13 packages for the same, so stay tuned.

PS: Thanks to Hans de Goede for all his help in re-factoring the code.