Gentoo Forums

Two major security flaws in the Linux kernel were reported last weekend. Both flaws have the same impact (root access for local users) and both exist within the vmsplice() system call, which was added to the kernel in 2.6.17. There is no configuration option to exclude vmsplice() so everyone is vulnerable.

One of the security issues existed for the entire lifetime of vmsplice(), so any kernel version from 2.6.17 onwards is vulnerable. This was fixed in 2.6.24.2, 2.6.23.16 and 2.6.22.18. It has been assigned the vulnerability identifier of CVE-2008-0600.

The other security issue first appeared in 2.6.23. It was fixed in 2.6.23.15 and 2.6.24.1. This vulnerability has been assigned CVE-2008-0009 and CVE-2008-0010.

gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 were added to the tree Monday and include fixes for both issues. Install the latest gentoo-sources as quickly as possible.

...
(more on gentoo.org)

Kuja wrote:so hardened is affected too then?
or not?

dberkholz wrote:This forums thread is for discussion of the www.gentoo.org posting, "Kernel security exploits: Upgrade ASAP." Post your comments and suggestions here.

Two major security flaws in the Linux kernel were reported last weekend. Both flaws have the same impact (root access for local users) and both exist within the vmsplice() system call, which was added to the kernel in 2.6.17. There is no configuration option to exclude vmsplice() so everyone is vulnerable.

One of the security issues existed for the entire lifetime of vmsplice(), so any kernel version from 2.6.17 onwards is vulnerable. This was fixed in 2.6.24.2, 2.6.23.16 and 2.6.22.18. It has been assigned the vulnerability identifier of CVE-2008-0600.

The other security issue first appeared in 2.6.23. It was fixed in 2.6.23.15 and 2.6.24.1. This vulnerability has been assigned CVE-2008-0009 and CVE-2008-0010.

gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 were added to the tree Monday and include fixes for both issues. Install the latest gentoo-sources as quickly as possible.

...
(more on gentoo.org)

emerge -av '>=gentoo-sources-2.6.24-r2'

These are the packages that would be merged, in order:

Calculating dependencies |
!!! All ebuilds that could satisfy ">=gentoo-sources-2.6.24-r2" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-kernel/gentoo-sources-2.6.24-r2 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or 
refer to the Gentoo Handbook.

MrCanis wrote: Is that version stable and someone has forgotten to unmask that package? Or is a mistake in the announcement (on www.gentoo.org).

hoffie wrote:

MrCanis wrote: Is that version stable and someone has forgotten to unmask that package? Or is a mistake in the announcement (on www.gentoo.org).

The announcement was inaccurate and has been updated by dberkholz by now. So, =gentoo-sources-2.6.23-r8 is the way to go on a stable system.

GenKreton wrote:this is a local exploit only, correct?

tokj wrote:

GenKreton wrote:this is a local exploit only, correct?

Yes, correct.

SDenis wrote:One question - why another Ubuntu, Debian, SuSe just patch kernel, but Gentoo-users need recomlile\reinstall sources?

sgao wrote:What about xen-sources-2.6.20-r6 and xen-sources-2.6.18-r8? Is there any need to patch xen-sources kernels?

Simon

ma-ne wrote:Hello,
+1
Logic would say yes : 2.6.17 onwards is vulnerable
But am I right ?
ma-ne

On stable systems, do this
# emerge =gentoo-sources-2.6.23-r8

If you use ~arch keywords instead, do this
# emerge =gentoo-sources-2.6.24-r2

Gentoo isn't releasing GLSAs for kernels because of the huge amount of work to track them for all 18 of our available kernel sources and versions within each of those.

doppelgaenger wrote:I am running:

uname -a
Linux zoom 2.6.23-hardened-r4 on i686 and the local exploit works:

$ ./a.out
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] addr: 0xc041b17e
[+] root
gentoo ~ # whoami
root

When can we expect the hardened kernel update ?

kojiro wrote:OK, so anyone with half a brain knows that to get a new kernel you have to not only emerge it, but also compile it, install it, and reboot to it (or kexec).

Still, the implication of the news item:

On stable systems, do this
# emerge =gentoo-sources-2.6.23-r8

If you use ~arch keywords instead, do this
# emerge =gentoo-sources-2.6.24-r2

is that emerge =gentoo-sources-VERSION is all you have to do.

Can I talk someone into adding a link to http://gentoo.org/doc/en/kernel-upgrade.xml to the news item?

`VL wrote:

Gentoo isn't releasing GLSAs for kernels because of the huge amount of work to track them for all 18 of our available kernel sources and versions within each of those.

Are you serious??! Shocked to know this. Too much work?! All other software is OK, and kernel is not?
Maybe just declare on of kernels 'official' and provide GLSAs for it? I think latest avaliable gentoo-sources/genkernel are candidates.

gentoofan23 wrote:I've heard about kexec before but never really understood it. Is it possible to upgrade your kernel without rebooting(as in unmounting and shutting down)?

dberkholz wrote:What I've been told is that kernel developers do a spectacularly poor job of actually indicating which commits fix a given vulnerability, so it's a lot of work to find the patch. Every one also requires a minimum of 18 kernels to get stabilized by every architecture, some of which are poorly maintained and hard to get the maintainer to patch. The time that takes means by whenever we would actually be ready to release a GLSA, the next complete kernel version's probably already out.