Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: Hardened

Security notice for hardened users.

  

 
Gentoo hardened RSS feed   Index | Next | Previous | View Threaded


blueness at gentoo

Oct 22, 2010, 4:21 AM

Post #1 of 4 (561 views)
Permalink
Security notice for hardened users.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all hardened users.

On Oct. 19, a local privilege escalation exploit was found [1,2] that
affected hardened kernels on all architectures. For certain
configurations of the hardened kernel, it is possible for a local user
to obtain root privileges. The current Proof-Of-Concept code can be
frustrated by not providing symbol information via /proc/kallsyms or
System.map, but at this time it is unclear if other hardening
features such as CONFIG_PAX_MEMORY_UDEREF provide adequate protection
against variations of the POC which do not need symbols.

All users are encouraged to upgrade to hardened-sources-2.6.32-r22
which is currently marked stable on amd64 and x86. It is being fast
tracked on other archs. [3]

hardened-sources-2.6.35-r4 is also not vulnerable, but cannot be
stabilized yet because of a bug in dhcp which also affects
gentoo-sources-2.6.35-r4. [4] For those who want kernels > .32 and
can live with the minor bug, you can safely use
hardened-sources-2.6.35-r4.

Later this week, all ebuild for vulnerable kernels will be removed
from the tree, except for hardened-sources-2.6.34-r6
hardened-sources-2.6.32-r9 and hardened-sources-2.6.28-r9. These will
be kept for continuity.


Ref:

[1] http://www.vsecurity.com/resources/advisory/20101019-1/

[2] http://bugs.gentoo.org/show_bug.cgi?id=341801

[3] http://bugs.gentoo.org/show_bug.cgi?id=341915

[4] http://bugs.gentoo.org/show_bug.cgi?id=334341

- --
Anthony G. Basile, Ph.D.
Gentoo Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzBc6QACgkQl5yvQNBFVTW5ZACfYee41wo/CB227ZWrt2X5x4sG
vxoAoKGpVvtXB48Sl/urvqqPenjpiq3x
=P+g7
-----END PGP SIGNATURE-----


tom at whyscream

Oct 22, 2010, 5:39 AM

Post #2 of 4 (548 views)
Permalink
Re: Security notice for hardened users. [In reply to]
On 22/10/10 13:21, Anthony G. Basile wrote:
> Hi all hardened users.
>
> On Oct. 19, a local privilege escalation exploit was found [1,2] that
> affected hardened kernels on all architectures. For certain
> configurations of the hardened kernel, it is possible for a local user
> to obtain root privileges. The current Proof-Of-Concept code can be
> frustrated by not providing symbol information via /proc/kallsyms or
> System.map, but at this time it is unclear if other hardening
> features such as CONFIG_PAX_MEMORY_UDEREF provide adequate protection
> against variations of the POC which do not need symbols.
>
> All users are encouraged to upgrade to hardened-sources-2.6.32-r22
> which is currently marked stable on amd64 and x86. It is being fast
> tracked on other archs. [3]
>
> hardened-sources-2.6.35-r4 is also not vulnerable, but cannot be
> stabilized yet because of a bug in dhcp which also affects
> gentoo-sources-2.6.35-r4. [4] For those who want kernels > .32 and
> can live with the minor bug, you can safely use
> hardened-sources-2.6.35-r4.
>
> Later this week, all ebuild for vulnerable kernels will be removed
> from the tree, except for hardened-sources-2.6.34-r6
> hardened-sources-2.6.32-r9 and hardened-sources-2.6.28-r9. These will
> be kept for continuity.
>
>
> Ref:
>
> [1] http://www.vsecurity.com/resources/advisory/20101019-1/
>
> [2] http://bugs.gentoo.org/show_bug.cgi?id=341801
>
> [3] http://bugs.gentoo.org/show_bug.cgi?id=341915
>
> [4] http://bugs.gentoo.org/show_bug.cgi?id=334341
>

Just to verify: if I understand
https://bugs.gentoo.org/show_bug.cgi?id=341801 correctly, a secure
replacement for (stable) hardened-sources-2.6.34-r6 on amd64 will not be
stabilized within a month, as it is awaiting baselayout-2 stabilisation
(offtopic: w00t). Or I'd need to downgrade to 2.6.32.

For people running baselayout-2 already, there is no reason not to add
hardened-sources-2.6.35-r4 to package.keywords and upgrade?

--
Regards,
Tom
Attachments: signature.asc (0.26 KB)


mpagano at gentoo

Oct 22, 2010, 5:46 AM

Post #3 of 4 (562 views)
Permalink
Re: Security notice for hardened users. [In reply to]
On Friday, October 22, 2010 08:39:41 am Tom Hendrikx wrote:
> On 22/10/10 13:21, Anthony G. Basile wrote:
> > Hi all hardened users.
> >
> > On Oct. 19, a local privilege escalation exploit was found [1,2] that
> > be kept for continuity.
> >
> >
> >
>
> Just to verify: if I understand
> https://bugs.gentoo.org/show_bug.cgi?id=341801 correctly, a secure
> replacement for (stable) hardened-sources-2.6.34-r6 on amd64 will not be
> stabilized within a month, as it is awaiting baselayout-2 stabilisation
> (offtopic: w00t). Or I'd need to downgrade to 2.6.32.
>
> For people running baselayout-2 already, there is no reason not to add
> hardened-sources-2.6.35-r4 to package.keywords and upgrade?
>
> --
> Regards,
> Tom
>
>

FYI
Baselayout-1 stablization will also enable 2.6.35 kernels to be stablized. That bug should be able to be filed on Nov 3rd.


basile at opensource

Oct 22, 2010, 9:14 AM

Post #4 of 4 (543 views)
Permalink
Re: Security notice for hardened users. [In reply to]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/22/2010 08:39 AM, Tom Hendrikx wrote:
> Just to verify: if I understand
> https://bugs.gentoo.org/show_bug.cgi?id=341801 correctly, a secure
> replacement for (stable) hardened-sources-2.6.34-r6 on amd64 will not be
> stabilized within a month, as it is awaiting baselayout-2 stabilisation
> (offtopic: w00t). Or I'd need to downgrade to 2.6.32.

That is correct. When 2.6.35-r4 is stabilized it will be stabilized for
all archs. 2.6.34-r6 was *only* fast track stabilized on amd64 for
another local root exploit bug [1].

>
> For people running baselayout-2 already, there is no reason not to add
> hardened-sources-2.6.35-r4 to package.keywords and upgrade?

Correct. Even if you are not using baselayout-2 you can try
h-s-2.6.35-r4 and see if you get bit by the dhcp bug. If you don't, I
see no reason not to just use it.

I didn't feel it was justifiable to fast track stabilization of two h-s
kernels. Fast track stabilization is dangerous and in fact, 2.6.34-r6
is an example. It has a bug that probably would have been caught if we
could have waiting the required 30 days [2].

PLEASE! Report any bugs in h-s-2.6.32-r22 or h-s-2.6.35-r4 asap so we
can address them. Ideally stabilized kernels should be bug free.


Ref.

[1] http://bugs.gentoo.org/show_bug.cgi?id=337645

[2] http://bugs.gentoo.org/show_bug.cgi?id=338572

- --
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzBuFYACgkQl5yvQNBFVTVDxgCgkzdK646BGMu8S7gwZ8n1yNen
IuUAnRwuBTXqZqN80DRNCmkE+IMtiaZ3
=ht5V
-----END PGP SIGNATURE-----

Gentoo hardened RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.