I just did a system update and once again I see some high
vulnerabilities on libxml2. I am sure it could use some love.
It looks like a build with autoconf. I can do that!
https://gitlab.gnome.org/GNOME/libxml2
See if I can build this thing as a start.
Brian
libxml2 (2.9.10+dfsg-6.7+deb11u8) bullseye-security; urgency=high
* Non-maintainer upload by the LTS Team.
* Fix CVE-2024-34459: Heap buffer overflow with `xmllint --htmlout`
(Closes: #1071162).
* Fix CVE-2025-6021: Integer overflow issue in xmlBuildQName. (Closes:
#1107720).
* Fix CVE-2025-6170: Potential buffer overflows in the interactive shell
(Closes: #1107938).
* Fix CVE-2025-49794: Use-after-free issue in xmlSchematronReportOutput
(Closes: #1107755).
* Fix CVE-2025-49796: Type confusion issue in xmlSchematronReportOutput
(Closes: #1107755).
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
Somehow, my locale on one of my systems was changed to am_ET.uft8. I might not have noticed, actually. It only obviously broke a few farily minor things. But, I use xdotool scripts with "search --name" parameters and they stopped working. The target of these commands is my Firefox browser. It turns out that Firefox will default to it's "C" locale if it doesn't recognize the locale as set.
Everything looked the same, but was in fact different :)
After switching the locale back to en_US.utf8, my xdotool scripts worked just fine.
It seems to me that resetting the locale in this way could be used for all kinds of attacks. If an attacker could change my locale, I have two questions: How did they do it and what else did they change. It happened on one of my more secure systems where I don't visit weird sites.
I was stracing some stuff and used a few related programs and was playing with file descriptors. That may be the culprit too :) I'm going to move this activity to another system, which will be more cumbersome. But, I'd like to keep the affected system relatively secure
After forcing Google/Gemini to treat these changes as an attack, it gave me back some pretty generic advice but nothing about a specific attack other than some attacks look at the locale.
Just an FYI and seeing if anyone has any experience or thoughts. I found the insideous nature of the effects of the locale change interesting.
Next meeting is social at Kupros
Who: you
Time: 06:30 PM to 09:00 PM
Date: Tue August 19, 2025
Location: Kurpos
1217 21st Street
Sacramento, CA 95811
Topic:
We will return to Kupros for this meeting. It will be open
discussion. Bring your gadgets, questions, and projects that you may be
working on.
Brian
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
I did a little reading and I'd be interested in the whole ecosystem: Lucene, Solr, Elastic and how your project fits in and what it does. I'm definitely a "small ball" player at the opposite end of the spectrum from the enterprise folks, but I like to keep in touch :). Besides, I have a lot of files that I am still working on organizing and need to occasionally find. Finding isn't as easy as I would like and cam be stressful.
AFA weird sites: Noting that I linked to from another site, nothing where I don't have some kind of other relationship with the owner of the site outside of the internet, nothing used for software development of any kind.
Date: Mon, 28 Jul 2025 14:06:23 -0700
From: Kevin Brisson <kbrisso(a)gmail.com>
To: Gary <saclug(a)garymcglinn.com>
Cc: lug-nuts(a)bigbrie.com
Subject: Re: [Lug-nuts] Locale: Not that I'm Paranoid
Hi Gary-
That is very strange. (you might want to burn the computer) I guess that
local is Amharic (Ethiopia) . Tell me more about " visit weird sites. "
BTW my Github AI project has 40+ stars!
https://github.com/kbrisso/byte-vision
Anyone interested in a demo of local document analysis?
Kevin Brisson
On Mon, Jul 28, 2025 at 11:01 AM Gary <saclug(a)garymcglinn.com> wrote:
> Somehow, my locale on one of my systems was changed to am_ET.uft8. I
> might not have noticed, actually. It only obviously broke a few farily
> minor things. But, I use xdotool scripts with "search --name" parameters
> and they stopped working. The target of these commands is my Firefox
> browser. It turns out that Firefox will default to it's "C" locale if it
> doesn't recognize the locale as set.
>
> Everything looked the same, but was in fact different :)
>
> After switching the locale back to en_US.utf8, my xdotool scripts worked
> just fine.
>
> It seems to me that resetting the locale in this way could be used for all
> kinds of attacks. If an attacker could change my locale, I have two
> questions: How did they do it and what else did they change. It happened
> on one of my more secure systems where I don't visit weird sites.
>
> I was stracing some stuff and used a few related programs and was playing
> with file descriptors. That may be the culprit too :) I'm going to move
> this activity to another system, which will be more cumbersome. But, I'd
> like to keep the affected system relatively secure
>
> After forcing Google/Gemini to treat these changes as an attack, it gave
> me back some pretty generic advice but nothing about a specific attack
> other than some attacks look at the locale.
>
> Just an FYI and seeing if anyone has any experience or thoughts. I found
> the insideous nature of the effects of the locale change interesting.
> _______________________________________________
> Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
> To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com
>
----- End forwarded message -----
What is mead? It is honey wine! Tonight's meeting will be at Strad
Meadery.
2539 Mercantile Dr. Suite 1
Rancho Cordova, CA 95742
Tuesday, July 15, 2025
6:30 - 8:30pm
Topic
C# on GNU/Linux.
presented by Brian Lavender (me).
https://www.saclug.org/articles/2025/july-2025.html
Brian
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
We will discuss C# on GNU/Linux. Strad Meadery graciously provided their
facility to us for hosting the meeting.
July General Meeting
When: Tue July 15, 2025 06:30 PM to 08:30 PM
Speaker: Brian Lavender
Location: Strad Meadery
2539 Mercantile Dr. Suite 1
Rancho Cordova, CA 95742
Brian
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
Perhaps this is a testament to SPARK/Ada's focus on secure programming?
Ada jumps to number 11 from 25
https://www.tiobe.com/tiobe-index/
I gained new respect for the Pascal family of languages after I started
working with Delphi and later teaching introduction to programming. Much
of Ada is influenced by Pascal.
Brian
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
Back in the day, we used to love to hate Microsoft. I imagine that still
may be true with some.
Did you know that Dot net is open source / free software?
https://dotnet.microsoft.com/en-us/platform/open-source
I am thinking that next meeting, we do C# on Fedora.
I was just working through the following tutorial.
https://learn.microsoft.com/en-us/dotnet/csharp/tour-of-csharp/tutorials/tu…
Brian
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
Reminder for the SacLUG meetup tomorrow at Kupros on 21st St.
Time: 6:30 - 8:30
https://www.saclug.org/articles/2025/june-2025.html
I will bring a paper printout of the tux penguin and put it in the
holder on the table.
Brian
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
I don't know how many of you ever went to OSCON, yet I have fond memories
of attending it both in 2010 and 2014. I searched online and it seems
that Covid put the nail in the coffin for OSCON and stopped it for good.
https://www.oreilly.com/conferences/from-laura-baldwin.html
What a bummer deal.
I remember it was 1997 that I believe the first PERL conference started
and it eventually turned into OSCON. I am going to start sing "Glory
Days" by Bruce Springsteen.
On a side note, I spoke with Kyle Rankin, who has presented at various
conferences, and he presented at SCALE (Southern California Area Linux
Expo). He said that they have a good in person conference.
Brian
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
