dberkholz Retired Dev
Joined: 18 Mar 2003 Posts: 1008 Location: Minneapolis, MN, USA
Posted: Wed Feb 13, 2008 8:31 pm Post subject: [NEWS] Kernel security exploits: Upgrade ASAP
This forums thread is for discussion of the www.gentoo.org posting, "Kernel security exploits: Upgrade ASAP." Post your comments and suggestions here.
Quote: | Two major security flaws in the Linux kernel were reported last weekend. Both flaws have the same impact (root access for local users) and both exist within the vmsplice() system call, which was added to the kernel in 2.6.17. There is no configuration option to exclude vmsplice() so everyone is vulnerable.
One of the security issues existed for the entire lifetime of vmsplice(), so any kernel version from 2.6.17 onwards is vulnerable. This was fixed in 2.6.24.2, 2.6.23.16 and 2.6.22.18. It has been assigned the vulnerability identifier of CVE-2008-0600.
The other security issue first appeared in 2.6.23. It was fixed in 2.6.23.15 and 2.6.24.1. This vulnerability has been assigned CVE-2008-0009 and CVE-2008-0010.
gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 were added to the tree Monday and include fixes for both issues. Install the latest gentoo-sources as quickly as possible.
...
(more on gentoo.org) |
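Added example, not part of the original post or the Gentoo announcement: a shell function that classifies a kernel release string against the fix versions quoted above. It assumes vanilla/stable release strings plus the `-gentoo-rN` form that gentoo-sources reports in `uname -r`; any other patch set (hardened, xen, tuxonice) is reported as `unknown`, because the version string alone does not show whether a fix was backported.

```shell
#!/bin/sh
# Added example (not from the announcement): map a kernel release string to
# the fix versions the announcement quotes. Output is one of:
#   not-affected | fixed | unfixed-revision | unknown | vulnerable:<CVE,...>
OLD="CVE-2008-0600"                  # present since vmsplice() arrived in 2.6.17
NEW="CVE-2008-0009,CVE-2008-0010"    # first appeared in 2.6.23

# by_sublevel SUB FIX_OLD FIX_NEW: compare a stable sublevel with both fixes.
by_sublevel() {
    if [ "$1" -ge "$2" ]; then echo fixed
    elif [ "$1" -ge "$3" ]; then echo "vulnerable:$OLD"
    else echo "vulnerable:$OLD,$NEW"; fi
}

# gentoo_rev REV MIN: gentoo-sources revisions the post names as fixed.
gentoo_rev() {
    case $1 in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$1" -ge "$2" ]; then echo fixed; else echo unfixed-revision; fi
}

vmsplice_status() {
    rel=$1
    case $rel in
        2.6.23-gentoo-r*) gentoo_rev "${rel##*-r}" 8; return ;;
        2.6.24-gentoo-r*) gentoo_rev "${rel##*-r}" 2; return ;;
        ''|*[!0-9.]*)     echo unknown; return ;;  # other patch sets: version alone cannot tell
    esac
    old_ifs=$IFS; IFS=.; set -- $rel; IFS=$old_ifs
    [ "$1.$2" = "2.6" ] && [ -n "$3" ] || { echo unknown; return; }
    patch=$3; sub=${4:-0}
    if   [ "$patch" -lt 17 ]; then echo not-affected        # predates vmsplice()
    elif [ "$patch" -lt 22 ]; then echo "vulnerable:$OLD"   # no fixed release listed for these
    elif [ "$patch" -eq 22 ]; then by_sublevel "$sub" 18 0
    elif [ "$patch" -eq 23 ]; then by_sublevel "$sub" 16 15
    elif [ "$patch" -eq 24 ]; then by_sublevel "$sub" 2 1
    else echo unknown; fi                                   # newer than the post covers
}

# Classify the running kernel when executed directly.
vmsplice_status "$(uname -r)"
```

A result of `fixed` only describes the installed sources' version; the running kernel changes after the new kernel is compiled, installed and booted.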

Kuja n00b
Joined: 02 Oct 2006 Posts: 7
Posted: Wed Feb 13, 2008 9:44 pm Post subject:
so hardened is affected too then?
or not?
edit: ignore that post, didn't see that hardened was bumped on Monday too, so it seems to be affected then |

hoffie Retired Dev
Joined: 30 Nov 2006 Posts: 24

MrCanis n00b
Joined: 02 Dec 2007 Posts: 61
Posted: Wed Feb 13, 2008 9:51 pm Post subject: Re: [NEWS] Kernel security exploits: Upgrade ASAP
dberkholz wrote: | This forums thread is for discussion of the www.gentoo.org posting, "Kernel security exploits: Upgrade ASAP." Post your comments and suggestions here.
Quote: | Two major security flaws in the Linux kernel were reported last weekend. Both flaws have the same impact (root access for local users) and both exist within the vmsplice() system call, which was added to the kernel in 2.6.17. There is no configuration option to exclude vmsplice() so everyone is vulnerable.
One of the security issues existed for the entire lifetime of vmsplice(), so any kernel version from 2.6.17 onwards is vulnerable. This was fixed in 2.6.24.2, 2.6.23.16 and 2.6.22.18. It has been assigned the vulnerability identifier of CVE-2008-0600.
The other security issue first appeared in 2.6.23. It was fixed in 2.6.23.15 and 2.6.24.1. This vulnerability has been assigned CVE-2008-0009 and CVE-2008-0010.
gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 were added to the tree Monday and include fixes for both issues. Install the latest gentoo-sources as quickly as possible.
...
(more on gentoo.org) |
|
Hello,
gentoo-sources-2.6.24-r2 are masked:
Code: |
emerge -av '>=gentoo-sources-2.6.24-r2'
These are the packages that would be merged, in order:
Calculating dependencies |
!!! All ebuilds that could satisfy ">=gentoo-sources-2.6.24-r2" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-kernel/gentoo-sources-2.6.24-r2 (masked by: ~x86 keyword)
For more information, see MASKED PACKAGES section in the emerge man page or
refer to the Gentoo Handbook. |
Is that version stable and someone has forgotten to unmask that package? Or is it a mistake in the announcement (on www.gentoo.org)?
Thanks in advance.
PS: I know how to unmask packages, but I don't want to emerge an unstable kernel. _________________ The 666 is behind the detail. |

hoffie Retired Dev
Joined: 30 Nov 2006 Posts: 24
Posted: Wed Feb 13, 2008 10:09 pm Post subject: Re: [NEWS] Kernel security exploits: Upgrade ASAP
MrCanis wrote: |
Is that version stable and someone has forgotten to unmask that package? Or is it a mistake in the announcement (on www.gentoo.org)? |
The announcement was inaccurate and has been updated by dberkholz by now. So, =gentoo-sources-2.6.23-r8 is the way to go on a stable system. |

MrCanis n00b
Joined: 02 Dec 2007 Posts: 61
Posted: Wed Feb 13, 2008 10:47 pm Post subject: Re: [NEWS] Kernel security exploits: Upgrade ASAP
hoffie wrote: | MrCanis wrote: |
Is that version stable and someone has forgotten to unmask that package? Or is it a mistake in the announcement (on www.gentoo.org)? |
The announcement was inaccurate and has been updated by dberkholz by now. So, =gentoo-sources-2.6.23-r8 is the way to go on a stable system. |
Hello,
thanks for your quick response.
I use =gentoo-sources-2.6.23-r8, therefore I'm on the right side. _________________ The 666 is behind the detail. |

GenKreton l33t
Joined: 20 Sep 2003 Posts: 828 Location: Cambridge, MA
Posted: Thu Feb 14, 2008 12:27 am Post subject:
this is a local exploit only, correct? |

tokj n00b
Joined: 17 May 2007 Posts: 15 Location: Delocalized
Posted: Thu Feb 14, 2008 1:04 am Post subject:
GenKreton wrote: | this is a local exploit only, correct? |
Yes, correct. _________________ I think therefore I am. I think... |

dberkholz Retired Dev
Joined: 18 Mar 2003 Posts: 1008 Location: Minneapolis, MN, USA
Posted: Thu Feb 14, 2008 1:39 am Post subject:
tokj wrote: | GenKreton wrote: | this is a local exploit only, correct? |
Yes, correct. |
Yes, but be careful. Someone could exploit a vulnerability in a service that gets them local user-only privileges, and combine that with this in a two-step remote root. It's happened to us before. |

sgao Tux's lil' helper
Joined: 22 Apr 2006 Posts: 149
Posted: Thu Feb 14, 2008 4:38 am Post subject:
What about xen-sources-2.6.20-r6 and xen-sources-2.6.18-r8? Is there any need to patch xen-sources kernels?
Simon |

MannyNix n00b
Joined: 13 Jan 2008 Posts: 24

SDenis n00b
Joined: 14 Feb 2008 Posts: 2
Posted: Thu Feb 14, 2008 7:43 am Post subject:
Code: |
Linux localhost 2.6.20-xen-r6
~ $ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7d95000 .. 0xb7dc7000
Segmentation fault
|
One question - why do other distributions (Ubuntu, Debian, SuSe) just patch the kernel, but Gentoo users need to recompile\reinstall sources? _________________ Gentoo is an excellent system. |

mark_alec Bodhisattva
Joined: 11 Sep 2004 Posts: 6066 Location: Melbourne, Australia
Posted: Thu Feb 14, 2008 8:07 am Post subject:
SDenis wrote: | One question - why do other distributions (Ubuntu, Debian, SuSe) just patch the kernel, but Gentoo users need to recompile\reinstall sources? | Because those distributions provide an already compiled kernel. _________________ www.gentoo.org.au || #gentoo-au |

steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Thu Feb 14, 2008 10:53 am Post subject:
See this thread for more info. |

kostja Apprentice
Joined: 25 May 2004 Posts: 261 Location: D, 69239 Neckarsteinach
Posted: Thu Feb 14, 2008 11:16 am Post subject:
Hello!
Does anybody know which tuxonice sources are already patched?
Konstantin _________________ Registered Linux User #356484 |

ma-ne n00b
Joined: 13 Nov 2006 Posts: 1 Location: France - Lyon
Posted: Thu Feb 14, 2008 11:52 am Post subject:
sgao wrote: | What about xen-sources-2.6.20-r6 and xen-sources-2.6.18-r8? Is there any need to patch xen-sources kernels?
Simon |
Hello,
+1
Logic would say yes : 2.6.17 onwards is vulnerable
But am I right ?
ma-ne |

d2_racing Bodhisattva
Joined: 25 Apr 2005 Posts: 13047 Location: Ste-Foy,Canada
Posted: Thu Feb 14, 2008 12:33 pm Post subject:
ma-ne wrote: | Hello,
+1
Logic would say yes : 2.6.17 onwards is vulnerable
But am I right ?
ma-ne |
Yes, vmsplice has been there since kernel 2.6.17. |

kojiro Apprentice
Joined: 20 Nov 2003 Posts: 245 Location: Rochester
Posted: Thu Feb 14, 2008 4:03 pm Post subject: Kernel upgrade guide link
OK, so anyone with half a brain knows that to get a new kernel you have to not only emerge it, but also compile it, install it, and reboot to it (or kexec).
Still, the implication of the news item:
Quote: | On stable systems, do this
# emerge =gentoo-sources-2.6.23-r8
If you use ~arch keywords instead, do this
# emerge =gentoo-sources-2.6.24-r2
|
is that emerge =gentoo-sources-VERSION is all you have to do.
Can I talk someone into adding a link to http://gentoo.org/doc/en/kernel-upgrade.xml to the news item? _________________ >>> Also, customizing emacs can be an exercise in black magic.
>> It's not black magic, it's Lisp.
>There is a difference?
Yes, black magic doesn't use parentheses.
--Linux Users' Group of Rochester mailing list |

`VL n00b
Joined: 30 Apr 2004 Posts: 71 Location: Russia
Posted: Thu Feb 14, 2008 4:22 pm Post subject:
Quote: | Gentoo isn't releasing GLSAs for kernels because of the huge amount of work to track them for all 18 of our available kernel sources and versions within each of those. |
Are you serious??! Shocked to know this. Too much work?! All other software is OK, and kernel is not?
Maybe just declare one of the kernels 'official' and provide GLSAs for it? I think the latest available gentoo-sources/genkernel are candidates. _________________ Life is too short to be taken seriously. |

doppelgaenger n00b
Joined: 14 Feb 2008 Posts: 1
Posted: Thu Feb 14, 2008 4:34 pm Post subject:
I am running:
uname -a
Linux zoom 2.6.23-hardened-r4 on i686 and the local exploit works:
$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] addr: 0xc041b17e
[+] root
gentoo ~ # whoami
root
When can we expect the hardened kernel update ? |

kallamej Administrator
Joined: 27 Jun 2003 Posts: 4975 Location: Gothenburg, Sweden
Posted: Thu Feb 14, 2008 6:31 pm Post subject:
doppelgaenger wrote: | I am running:
uname -a
Linux zoom 2.6.23-hardened-r4 on i686 and the local exploit works:
$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] addr: 0xc041b17e
[+] root
gentoo ~ # whoami
root
When can we expect the hardened kernel update ? |
It's fixed in the latest testing version (-r7). _________________ Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.libera.chat |

tanderson Retired Dev
Joined: 11 Apr 2007 Posts: 193
Posted: Thu Feb 14, 2008 7:38 pm Post subject: Re: Kernel upgrade guide link
kojiro wrote: | OK, so anyone with half a brain knows that to get a new kernel you have to not only emerge it, but also compile it, install it, and reboot to it (or kexec).
Still, the implication of the news item:
Quote: | On stable systems, do this
# emerge =gentoo-sources-2.6.23-r8
If you use ~arch keywords instead, do this
# emerge =gentoo-sources-2.6.24-r2
|
is that emerge =gentoo-sources-VERSION is all you have to do.
Can I talk someone into adding a link to http://gentoo.org/doc/en/kernel-upgrade.xml to the news item? |
I've heard about kexec before but never really understood it. Is it possible to upgrade your kernel without rebooting (as in unmounting and shutting down)? _________________ No Man is Just a Number!
--The Prisoner |

dberkholz Retired Dev
Joined: 18 Mar 2003 Posts: 1008 Location: Minneapolis, MN, USA
Posted: Thu Feb 14, 2008 7:40 pm Post subject:
`VL wrote: | Quote: | Gentoo isn't releasing GLSAs for kernels because of the huge amount of work to track them for all 18 of our available kernel sources and versions within each of those. |
Are you serious??! Shocked to know this. Too much work?! All other software is OK, and kernel is not?
Maybe just declare one of the kernels 'official' and provide GLSAs for it? I think the latest available gentoo-sources/genkernel are candidates. | What I've been told is that kernel developers do a spectacularly poor job of actually indicating which commits fix a given vulnerability, so it's a lot of work to find the patch. Every one also requires a minimum of 18 kernels to get stabilized by every architecture, some of which are poorly maintained and hard to get the maintainer to patch. The time that takes means by whenever we would actually be ready to release a GLSA, the next complete kernel version's probably already out. |

Voltago Advocate
Joined: 02 Sep 2003 Posts: 2593 Location: userland
Posted: Thu Feb 14, 2008 7:43 pm Post subject: Re: Kernel upgrade guide link
gentoofan23 wrote: | I've heard about kexec before but never really understood it. Is it possible to upgrade your kernel without rebooting (as in unmounting and shutting down)? |
Since linuxbios does that in a way, I guess the answer is yes. But if you lose all system state information in the process (I think you do) and have to go through the init process again, it's not much different from rebooting. |

tabanus l33t
Joined: 11 Jun 2004 Posts: 638 Location: UK
Posted: Thu Feb 14, 2008 10:10 pm Post subject:
dberkholz wrote: | What I've been told is that kernel developers do a spectacularly poor job of actually indicating which commits fix a given vulnerability, so it's a lot of work to find the patch. Every one also requires a minimum of 18 kernels to get stabilized by every architecture, some of which are poorly maintained and hard to get the maintainer to patch. The time that takes means by whenever we would actually be ready to release a GLSA, the next complete kernel version's probably already out. |
I asked almost 18 months ago for a better way of informing us about kernel security updates. I read about this story on the register earlier today, and am glad to see this thread here. It doesn't reflect well on the Gentoo community (or Linux as a whole) that this isn't easier to keep track of. _________________ Things you might say if you never took Physics: "I'm overweight even though I don't overeat." - Neil deGrasse Tyson |