Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[NEWS] Kernel security exploits: Upgrade ASAP
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
dberkholz
Developer
Developer


Joined: 18 Mar 2003
Posts: 1008
Location: Minneapolis, MN, USA

PostPosted: Wed Feb 13, 2008 8:31 pm    Post subject: [NEWS] Kernel security exploits: Upgrade ASAP Reply with quote

This forums thread is for discussion of the www.gentoo.org posting, "Kernel security exploits: Upgrade ASAP." Post your comments and suggestions here.

Quote:
Two major security flaws in the Linux kernel were reported last weekend. Both flaws have the same impact (root access for local users) and both exist within the vmsplice() system call, which was added to the kernel in 2.6.17. There is no configuration option to exclude vmsplice() so everyone is vulnerable.

One of the security issues existed for the entire lifetime of vmsplice(), so any kernel version from 2.6.17 onwards is vulnerable. This was fixed in 2.6.24.2, 2.6.23.16 and 2.6.22.18. It has been assigned the vulnerability identifier of CVE-2008-0600.

The other security issue first appeared in 2.6.23. It was fixed in 2.6.23.15 and 2.6.24.1. This vulnerability has been assigned CVE-2008-0009 and CVE-2008-0010.

gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 were added to the tree Monday and include fixes for both issues. Install the latest gentoo-sources as quickly as possible.

...
(more on gentoo.org)
Back to top
View user's profile Send private message
Kuja
n00b
n00b


Joined: 02 Oct 2006
Posts: 7

PostPosted: Wed Feb 13, 2008 9:44 pm    Post subject: Reply with quote

so hardened is affected too then?
or not?

edit: ignore that post, didn't saw that hardened was bumped on monday too, so it seems to be affected then :)
Back to top
View user's profile Send private message
hoffie
Retired Dev
Retired Dev


Joined: 30 Nov 2006
Posts: 24

PostPosted: Wed Feb 13, 2008 9:49 pm    Post subject: Reply with quote

Kuja wrote:
so hardened is affected too then?
or not?

Hardened kernels are vulnerable as well, but depending on the configuration there is a chance that it is not exploitable.

See https://bugs.gentoo.org/show_bug.cgi?id=209460#c14, https://bugs.gentoo.org/show_bug.cgi?id=209460#c35 and https://bugs.gentoo.org/show_bug.cgi?id=207393
Back to top
View user's profile Send private message
MrCanis
n00b
n00b


Joined: 02 Dec 2007
Posts: 61

PostPosted: Wed Feb 13, 2008 9:51 pm    Post subject: Re: [NEWS] Kernel security exploits: Upgrade ASAP Reply with quote

dberkholz wrote:
This forums thread is for discussion of the www.gentoo.org posting, "Kernel security exploits: Upgrade ASAP." Post your comments and suggestions here.

Quote:
Two major security flaws in the Linux kernel were reported last weekend. Both flaws have the same impact (root access for local users) and both exist within the vmsplice() system call, which was added to the kernel in 2.6.17. There is no configuration option to exclude vmsplice() so everyone is vulnerable.

One of the security issues existed for the entire lifetime of vmsplice(), so any kernel version from 2.6.17 onwards is vulnerable. This was fixed in 2.6.24.2, 2.6.23.16 and 2.6.22.18. It has been assigned the vulnerability identifier of CVE-2008-0600.

The other security issue first appeared in 2.6.23. It was fixed in 2.6.23.15 and 2.6.24.1. This vulnerability has been assigned CVE-2008-0009 and CVE-2008-0010.

gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 were added to the tree Monday and include fixes for both issues. Install the latest gentoo-sources as quickly as possible.

...
(more on gentoo.org)


Hello,
gentoo-sources-2.6.24-r2 are masked:
Code:
emerge -av '>=gentoo-sources-2.6.24-r2'

These are the packages that would be merged, in order:

Calculating dependencies |
!!! All ebuilds that could satisfy ">=gentoo-sources-2.6.24-r2" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-kernel/gentoo-sources-2.6.24-r2 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or
refer to the Gentoo Handbook.

Is that version stable and someone has forgotten to unmask that package? Or is a mistake in the announcement (on www.gentoo.org).

Thanks in advance.

PS: I know how to unmask packages, but I don't want emerge a unstable kernel. :roll:
_________________
The 666 is behind the detail. ;)
Back to top
View user's profile Send private message
hoffie
Retired Dev
Retired Dev


Joined: 30 Nov 2006
Posts: 24

PostPosted: Wed Feb 13, 2008 10:09 pm    Post subject: Re: [NEWS] Kernel security exploits: Upgrade ASAP Reply with quote

MrCanis wrote:

Is that version stable and someone has forgotten to unmask that package? Or is a mistake in the announcement (on www.gentoo.org).

The announcement was inaccurate and has been updated by dberkholz by now. So, =gentoo-sources-2.6.23-r8 is the way to go on a stable system.
Back to top
View user's profile Send private message
MrCanis
n00b
n00b


Joined: 02 Dec 2007
Posts: 61

PostPosted: Wed Feb 13, 2008 10:47 pm    Post subject: Re: [NEWS] Kernel security exploits: Upgrade ASAP Reply with quote

hoffie wrote:
MrCanis wrote:

Is that version stable and someone has forgotten to unmask that package? Or is a mistake in the announcement (on www.gentoo.org).

The announcement was inaccurate and has been updated by dberkholz by now. So, =gentoo-sources-2.6.23-r8 is the way to go on a stable system.

Hello,
thanks for your quick response.

I use =gentoo-sources-2.6.23-r8, therefore I'm on the right site. :D
_________________
The 666 is behind the detail. ;)
Back to top
View user's profile Send private message
GenKreton
l33t
l33t


Joined: 20 Sep 2003
Posts: 828
Location: Cambridge, MA

PostPosted: Thu Feb 14, 2008 12:27 am    Post subject: Reply with quote

this is a local exploit only, correct?
Back to top
View user's profile Send private message
tokj
n00b
n00b


Joined: 17 May 2007
Posts: 15
Location: Delocalized

PostPosted: Thu Feb 14, 2008 1:04 am    Post subject: Reply with quote

GenKreton wrote:
this is a local exploit only, correct?


Yes, correct.
_________________
I think therefore I am. I think...
Back to top
View user's profile Send private message
dberkholz
Developer
Developer


Joined: 18 Mar 2003
Posts: 1008
Location: Minneapolis, MN, USA

PostPosted: Thu Feb 14, 2008 1:39 am    Post subject: Reply with quote

tokj wrote:
GenKreton wrote:
this is a local exploit only, correct?


Yes, correct.

Yes, but be careful. Someone could exploit a vulnerability in a service that gets them local user-only privileges, and combine that with this in a two-step remote root. It's happened to us before.
Back to top
View user's profile Send private message
sgao
Tux's lil' helper
Tux's lil' helper


Joined: 22 Apr 2006
Posts: 133

PostPosted: Thu Feb 14, 2008 4:38 am    Post subject: Reply with quote

What about xen-sources-2.6.20-r6 and xen-sources-2.6.18-r8? Is there any need to patch xen-sources kernels?

Simon
Back to top
View user's profile Send private message
MannyNix
n00b
n00b


Joined: 13 Jan 2008
Posts: 24

PostPosted: Thu Feb 14, 2008 6:25 am    Post subject: Reply with quote

Thanks, good job!
_________________
http://www.gentoo.org/proj/en/council/coc.xml
Back to top
View user's profile Send private message
SDenis
n00b
n00b


Joined: 14 Feb 2008
Posts: 2

PostPosted: Thu Feb 14, 2008 7:43 am    Post subject: Reply with quote

Code:

Linux localhost 2.6.20-xen-r6
~ $ ./a.out
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d95000 .. 0xb7dc7000
Segmentation fault

One question - why another Ubuntu, Debian, SuSe just patch kernel, but Gentoo-users need recomlile\reinstall sources?
_________________
Gentoo отличная система.
Back to top
View user's profile Send private message
mark_alec
Bodhisattva
Bodhisattva


Joined: 11 Sep 2004
Posts: 6066
Location: Melbourne, Australia

PostPosted: Thu Feb 14, 2008 8:07 am    Post subject: Reply with quote

SDenis wrote:
One question - why another Ubuntu, Debian, SuSe just patch kernel, but Gentoo-users need recomlile\reinstall sources?
Because those distributions provide an already compiled kernel.
_________________
www.gentoo.org.au || #gentoo-au
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 2414
Location: The Peanut Gallery

PostPosted: Thu Feb 14, 2008 10:53 am    Post subject: Reply with quote

See this thread for more info.
Back to top
View user's profile Send private message
kostja
Apprentice
Apprentice


Joined: 25 May 2004
Posts: 261
Location: D, 69239 Neckarsteinach

PostPosted: Thu Feb 14, 2008 11:16 am    Post subject: Reply with quote

Hello!

Anybody knows, which tuxonice sources are allready patched?

Konstantin
_________________
Registered Linux User #356484
Back to top
View user's profile Send private message
ma-ne
n00b
n00b


Joined: 13 Nov 2006
Posts: 1
Location: France - Lyon

PostPosted: Thu Feb 14, 2008 11:52 am    Post subject: Reply with quote

sgao wrote:
What about xen-sources-2.6.20-r6 and xen-sources-2.6.18-r8? Is there any need to patch xen-sources kernels?

Simon

Hello,

+1
Logic would say yes : 2.6.17 onwards is vulnerable
But am I right ?
ma-ne
Back to top
View user's profile Send private message
d2_racing
Moderator
Moderator


Joined: 25 Apr 2005
Posts: 13046
Location: Ste-Foy,Canada

PostPosted: Thu Feb 14, 2008 12:33 pm    Post subject: Reply with quote

ma-ne wrote:
Hello,
+1
Logic would say yes : 2.6.17 onwards is vulnerable
But am I right ?
ma-ne


Yes, the vmsplice is there since kernel 2.6.17.
_________________
Sysadmin of GentooQuébec.org
Wiki
Signature
IRC on Freenode : #gentoo-quebec
Back to top
View user's profile Send private message
kojiro
Apprentice
Apprentice


Joined: 20 Nov 2003
Posts: 245
Location: Rochester

PostPosted: Thu Feb 14, 2008 4:03 pm    Post subject: Kernel upgrade guide link Reply with quote

OK, so anyone with half a brain knows that to get a new kernel you have to not only emerge it, but also compile it, install it, and reboot to it (or kexec).

Still, the implication of the news item:
Quote:
On stable systems, do this
# emerge =gentoo-sources-2.6.23-r8

If you use ~arch keywords instead, do this
# emerge =gentoo-sources-2.6.24-r2


is that emerge =gentoo-sources-VERSION is all you have to do.

Can I talk someone into adding a link to http://gentoo.org/doc/en/kernel-upgrade.xml to the news item?
_________________
>>> Also, customizing emacs can be an exercise in black magic.
>> It's not black magic, it's Lisp.
>There is a difference? :P
Yes, black magic doesn't use parentheses.
--Linux Users' Group of Rochester mailing list
Back to top
View user's profile Send private message
`VL
n00b
n00b


Joined: 30 Apr 2004
Posts: 70
Location: Russia

PostPosted: Thu Feb 14, 2008 4:22 pm    Post subject: Reply with quote

Quote:
Gentoo isn't releasing GLSAs for kernels because of the huge amount of work to track them for all 18 of our available kernel sources and versions within each of those.


Are you serious??! Shocked to know this. Too much work?! All other software is OK, and kernel is not?
Maybe just declare on of kernels 'official' and provide GLSAs for it? I think latest avaliable gentoo-sources/genkernel are candidates.
_________________
Life is too short to be taken seriously.
Back to top
View user's profile Send private message
doppelgaenger
n00b
n00b


Joined: 14 Feb 2008
Posts: 1

PostPosted: Thu Feb 14, 2008 4:34 pm    Post subject: Reply with quote

I am running:

uname -a
Linux zoom 2.6.23-hardened-r4 on i686 and the local exploit works:

$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] addr: 0xc041b17e
[+] root
gentoo ~ # whoami
root

When can we expect the hardened kernel update ?
Back to top
View user's profile Send private message
kallamej
Administrator
Administrator


Joined: 27 Jun 2003
Posts: 4831
Location: Gothenburg, Sweden

PostPosted: Thu Feb 14, 2008 6:31 pm    Post subject: Reply with quote

doppelgaenger wrote:
I am running:

uname -a
Linux zoom 2.6.23-hardened-r4 on i686 and the local exploit works:

$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] addr: 0xc041b17e
[+] root
gentoo ~ # whoami
root

When can we expect the hardened kernel update ?

It's fixed in the latest testing version (-r7).
_________________
Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.freenode.net
Back to top
View user's profile Send private message
tanderson
Retired Dev
Retired Dev


Joined: 11 Apr 2007
Posts: 193

PostPosted: Thu Feb 14, 2008 7:38 pm    Post subject: Re: Kernel upgrade guide link Reply with quote

kojiro wrote:
OK, so anyone with half a brain knows that to get a new kernel you have to not only emerge it, but also compile it, install it, and reboot to it (or kexec).

Still, the implication of the news item:
Quote:
On stable systems, do this
# emerge =gentoo-sources-2.6.23-r8

If you use ~arch keywords instead, do this
# emerge =gentoo-sources-2.6.24-r2


is that emerge =gentoo-sources-VERSION is all you have to do.

Can I talk someone into adding a link to http://gentoo.org/doc/en/kernel-upgrade.xml to the news item?


I've heard about kexec before but never really understood it. Is it possible to upgrade your kernel without rebooting(as in unmounting and shutting down)?
_________________
No Man is Just a Number!

--The Prisoner
Back to top
View user's profile Send private message
dberkholz
Developer
Developer


Joined: 18 Mar 2003
Posts: 1008
Location: Minneapolis, MN, USA

PostPosted: Thu Feb 14, 2008 7:40 pm    Post subject: Reply with quote

`VL wrote:
Quote:
Gentoo isn't releasing GLSAs for kernels because of the huge amount of work to track them for all 18 of our available kernel sources and versions within each of those.


Are you serious??! Shocked to know this. Too much work?! All other software is OK, and kernel is not?
Maybe just declare on of kernels 'official' and provide GLSAs for it? I think latest avaliable gentoo-sources/genkernel are candidates.
What I've been told is that kernel developers do a spectacularly poor job of actually indicating which commits fix a given vulnerability, so it's a lot of work to find the patch. Every one also requires a minimum of 18 kernels to get stabilized by every architecture, some of which are poorly maintained and hard to get the maintainer to patch. The time that takes means by whenever we would actually be ready to release a GLSA, the next complete kernel version's probably already out.
Back to top
View user's profile Send private message
Voltago
Advocate
Advocate


Joined: 02 Sep 2003
Posts: 2547
Location: In the city of dreaming spires

PostPosted: Thu Feb 14, 2008 7:43 pm    Post subject: Re: Kernel upgrade guide link Reply with quote

gentoofan23 wrote:
I've heard about kexec before but never really understood it. Is it possible to upgrade your kernel without rebooting(as in unmounting and shutting down)?

Since linuxbios does that in a way, I guess the answer is yes. But if you loose all system state information in the process (I think you do) and have to go through the init process again, it's not much different from rebooting.
Back to top
View user's profile Send private message
tabanus
Guru
Guru


Joined: 11 Jun 2004
Posts: 580
Location: UK

PostPosted: Thu Feb 14, 2008 10:10 pm    Post subject: Reply with quote

dberkholz wrote:
What I've been told is that kernel developers do a spectacularly poor job of actually indicating which commits fix a given vulnerability, so it's a lot of work to find the patch. Every one also requires a minimum of 18 kernels to get stabilized by every architecture, some of which are poorly maintained and hard to get the maintainer to patch. The time that takes means by whenever we would actually be ready to release a GLSA, the next complete kernel version's probably already out.


I asked almost 18 months ago for a better way of informing us about kernel security updates. I read about this story on the register earlier today, and am glad to see this thread here. It doesn't reflect well on the Gentoo community (or Linux as a whole) that this isn't easier to keep track of.
_________________
Never underestimate a hamster.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum