Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: Security

local root exploit for linux 2.4 and linux 2.6.

 

 

First page Previous page 1 2 3 Next page Last page  View All Gentoo security RSS feed   Index | Next | Previous | View Threaded


miguel.filipe at gmail

Jan 7, 2005, 10:21 PM

Post #1 of 65 (3055 views)
Permalink
local root exploit for linux 2.4 and linux 2.6.

Hi all,

Just to let you ppl know that there is a local root exploit for linux
2.4.x and linux 2.6.x..

full info:
http://isec.pl/vulnerabilities/isec-0021-uselib.txt

Its kind of strange that this kind of information pops up on slashdot
but doesn't appear in the gentoo-security ML.

greets to all!
--
Miguel Sousa Filipe

--
gentoo-security [at] gentoo mailing list


vapier at gentoo

Jan 7, 2005, 10:26 PM

Post #2 of 65 (2994 views)
Permalink
Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Saturday 08 January 2005 12:21 am, Miguel Filipe wrote:
> Its kind of strange that this kind of information pops up on slashdot
> but doesn't appear in the gentoo-security ML.

http://bugs.gentoo.org/show_bug.cgi?id=77025

we dont feel the need to file a bug *and* talk about it on the mailing list,
that's just stupid :P
-mike

--
gentoo-security [at] gentoo mailing list


lenroc at gmail

Jan 7, 2005, 10:37 PM

Post #3 of 65 (3024 views)
Permalink
Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Sat, 08 Jan 2005 00:26:19 -0500, Mike Frysinger wrote:

> http://bugs.gentoo.org/show_bug.cgi?id=77025
>
> we dont feel the need to file a bug *and* talk about it on the mailing list,

So, in order to be informed about security issues as they pertain to
Gentoo, it's not enough to monitor the Gentoo Security list?

> that's just stupid :P

I agree!

--
Lenroc


--
gentoo-security [at] gentoo mailing list


lenroc at gmail

Jan 7, 2005, 10:49 PM

Post #4 of 65 (3017 views)
Permalink
Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Fri, 07 Jan 2005 22:37:21 -0700, Lenroc wrote:

> So, in order to be informed about security issues as they pertain to
> Gentoo, it's not enough to monitor the Gentoo Security list?

Sorry, I didn't make it clear enough that this was humor.

Before anyone takes it the wrong way, I thought I'd clear that up.

--
Lenroc


--
gentoo-security [at] gentoo mailing list


vapier at gentoo

Jan 7, 2005, 10:55 PM

Post #5 of 65 (3002 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Saturday 08 January 2005 12:37 am, Lenroc wrote:
> So, in order to be informed about security issues as they pertain to
> Gentoo, it's not enough to monitor the Gentoo Security list?

sign up for a bugzilla account and add 'security [at] gentoo' to your watch
list

a ton of other people already do
-mike

--
gentoo-security [at] gentoo mailing list


vapier at gentoo

Jan 7, 2005, 11:05 PM

Post #6 of 65 (3023 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Saturday 08 January 2005 12:49 am, Lenroc wrote:
> Sorry, I didn't make it clear enough that this was humor.
>
> Before anyone takes it the wrong way, I thought I'd clear that up.

sarcastic humor ;)

my first reply was harsh only because original poster came off sounding like
an ass
-mike

--
gentoo-security [at] gentoo mailing list


kris at theendless

Jan 7, 2005, 11:27 PM

Post #7 of 65 (2990 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

Good point, but I'd have to say that it defeats the purpose of having this
list. This exploit was particularily dangerous, especially for people who
use linux (gentoo and other distros) as a platform to provide webhosting
and shell accounts.

I think this sort of *emergency* security notification should go out on
the list ASAP.

kris

On Sat, 8 Jan 2005, Mike Frysinger wrote:

> On Saturday 08 January 2005 12:37 am, Lenroc wrote:
>> So, in order to be informed about security issues as they pertain to
>> Gentoo, it's not enough to monitor the Gentoo Security list?
>
> sign up for a bugzilla account and add 'security [at] gentoo' to your watch
> list
>
> a ton of other people already do
> -mike
>
> --
> gentoo-security [at] gentoo mailing list
>

--
gentoo-security [at] gentoo mailing list


ixion at cfl

Jan 7, 2005, 11:33 PM

Post #8 of 65 (3015 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

I don't mean to be abrasive or anything, but isn't that what the community
is for? We all work together and as one discovers a security threat they
(as you have done) post it to the list (whether they found it on slashdot,
google, securityfocus, etc), and there it is.

There is the aforementioned bugs watch list, but I don't know how to
enable that (have logged in, but don't see a watch feature), although I
haven't looked more than a couple minutes into it.

Just my 2 cents, am I off base here?

> Good point, but I'd have to say that it defeats the purpose of having this
> list. This exploit was particularily dangerous, especially for people who
> use linux (gentoo and other distros) as a platform to provide webhosting
> and shell accounts.
>
> I think this sort of *emergency* security notification should go out on
> the list ASAP.
>
> kris
>
> On Sat, 8 Jan 2005, Mike Frysinger wrote:
>
>> On Saturday 08 January 2005 12:37 am, Lenroc wrote:
>>> So, in order to be informed about security issues as they pertain to
>>> Gentoo, it's not enough to monitor the Gentoo Security list?
>>
>> sign up for a bugzilla account and add 'security [at] gentoo' to your
>> watch
>> list
>>
>> a ton of other people already do
>> -mike
>>
>> --
>> gentoo-security [at] gentoo mailing list
>>
>
> --
> gentoo-security [at] gentoo mailing list
>
>



--
gentoo-security [at] gentoo mailing list


vapier at gentoo

Jan 7, 2005, 11:41 PM

Post #9 of 65 (3019 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Saturday 08 January 2005 01:33 am, Joey McCoy wrote:
> I don't mean to be abrasive or anything, but isn't that what the community
> is for? We all work together and as one discovers a security threat they
> (as you have done) post it to the list (whether they found it on slashdot,
> google, securityfocus, etc), and there it is.

thats fine, but acting like an ass doesnt mean you'll get a warm reception

if you guys want to know about linux vulns, you'd probably be interested in
the other 5 announced by grsec
http://bugs.gentoo.org/show_bug.cgi?id=77094
-mike

--
gentoo-security [at] gentoo mailing list


kris at theendless

Jan 7, 2005, 11:45 PM

Post #10 of 65 (3010 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

Sorry. I think I was coming off as too abrassive. That's actually a very
good point.

kris

On Sat, 8 Jan 2005, Joey McCoy wrote:

> I don't mean to be abrasive or anything, but isn't that what the community
> is for? We all work together and as one discovers a security threat they
> (as you have done) post it to the list (whether they found it on slashdot,
> google, securityfocus, etc), and there it is.
>
> There is the aforementioned bugs watch list, but I don't know how to
> enable that (have logged in, but don't see a watch feature), although I
> haven't looked more than a couple minutes into it.
>
> Just my 2 cents, am I off base here?
>
>> Good point, but I'd have to say that it defeats the purpose of having this
>> list. This exploit was particularily dangerous, especially for people who
>> use linux (gentoo and other distros) as a platform to provide webhosting
>> and shell accounts.
>>
>> I think this sort of *emergency* security notification should go out on
>> the list ASAP.
>>
>> kris
>>
>> On Sat, 8 Jan 2005, Mike Frysinger wrote:
>>
>>> On Saturday 08 January 2005 12:37 am, Lenroc wrote:
>>>> So, in order to be informed about security issues as they pertain to
>>>> Gentoo, it's not enough to monitor the Gentoo Security list?
>>>
>>> sign up for a bugzilla account and add 'security [at] gentoo' to your
>>> watch
>>> list
>>>
>>> a ton of other people already do
>>> -mike
>>>
>>> --
>>> gentoo-security [at] gentoo mailing list
>>>
>>
>> --
>> gentoo-security [at] gentoo mailing list
>>
>>
>
>
>
> --
> gentoo-security [at] gentoo mailing list
>
>

--
gentoo-security [at] gentoo mailing list


bart.braem at gmail

Jan 8, 2005, 2:40 AM

Post #11 of 65 (2994 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Sat, 8 Jan 2005 01:41:52 -0500, Mike Frysinger <vapier [at] gentoo> wrote:
> if you guys want to know about linux vulns, you'd probably be interested in
> the other 5 announced by grsec
> http://bugs.gentoo.org/show_bug.cgi?id=77094

Relax, these are not serious bugs. (They should have been prevented,
that's a larger problem):
<http://www.ussg.iu.edu/hypermail/linux/kernel/0501.0/1997.html>

--
"May the source be with you"

--
gentoo-security [at] gentoo mailing list


koon at gentoo

Jan 8, 2005, 3:23 AM

Post #12 of 65 (2986 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

Joey McCoy wrote:

> I don't mean to be abrasive or anything, but isn't that what the community
> is for? We all work together and as one discovers a security threat they
> (as you have done) post it to the list (whether they found it on slashdot,
> google, securityfocus, etc), and there it is.

Make our job easier, search for duplicates and if there aren't, file a
new security bug in Bugzilla. Procedure is all very detailed at
http://security.gentoo.org. We just can't follow all MLs and forums and
we also don't have much time to enter new bugs. That's where the
community can help.

> There is the aforementioned bugs watch list, but I don't know how to
> enable that (have logged in, but don't see a watch feature), although I
> haven't looked more than a couple minutes into it.
>
> Just my 2 cents, am I off base here?

As a Gentoo user, you either follow the GLSAs (gentoo-announce) or if
you find those not enough "reactive" you can subscribe to Bugzilla and
follow all our vuln-whacking progress by watching security [at] gentoo

Once logged in, Prefs/Email settings (or directly
http://bugs.gentoo.org/userprefs.cgi?tab=email) and enter
security [at] gentoo in "Users to watch".

--
Koon
Operational Manager, Gentoo Linux Security

--
gentoo-security [at] gentoo mailing list


r3pek at r3pek

Jan 8, 2005, 3:31 AM

Post #13 of 65 (3013 views)
Permalink
Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

> On Saturday 08 January 2005 12:21 am, Miguel Filipe wrote:
>> Its kind of strange that this kind of information pops up on slashdot
but doesn't appear in the gentoo-security ML.
> http://bugs.gentoo.org/show_bug.cgi?id=77025
> we dont feel the need to file a bug *and* talk about it on the mailing
list,
> that's just stupid :P
I don't think that. a local root exploit is something bad for sysadmins.
and sysadmins have more things to do that just watch every bug in
bugs.gentoo.org looking for root exploits or some other security flaws.
I think that the gentoo-security ML should "notify" us about this
problems.


Greetings,
Carlos Silva







--
gentoo-security [at] gentoo mailing list


r3pek at r3pek

Jan 8, 2005, 3:36 AM

Post #14 of 65 (2992 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

> Joey McCoy wrote:
>
>> I don't mean to be abrasive or anything, but isn't that what the
>> community
>> is for? We all work together and as one discovers a security threat
>> they
>> (as you have done) post it to the list (whether they found it on
>> slashdot,
>> google, securityfocus, etc), and there it is.
>
> Make our job easier, search for duplicates and if there aren't, file a
> new security bug in Bugzilla. Procedure is all very detailed at
> http://security.gentoo.org. We just can't follow all MLs and forums and
> we also don't have much time to enter new bugs. That's where the
> community can help.
>
>> There is the aforementioned bugs watch list, but I don't know how to
>> enable that (have logged in, but don't see a watch feature), although
>> I
>> haven't looked more than a couple minutes into it.
>>
>> Just my 2 cents, am I off base here?
>
> As a Gentoo user, you either follow the GLSAs (gentoo-announce) or if
> you find those not enough "reactive" you can subscribe to Bugzilla and
> follow all our vuln-whacking progress by watching security [at] gentoo
>
I agree with this. I think that sould be some separation of things.
There are security vulnerabilities thar aren't "serious" and others that
are critical. I think that all we want is to have the critical ones
(like root exploits) announced here so we can be notified faster.


--
gentoo-security [at] gentoo mailing list


raullluna at gmail

Jan 8, 2005, 6:24 AM

Post #15 of 65 (3018 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

Anyway the exploit does not work for me.
Tested against:
- 2.6.5-gentoo-r1
- 2.4.24-openmosix-r1
- 2.4.26-gentoo-r13
- 2.6.9-gentoo-r9

And it does not even compile against:
- 2.6.9-gentoo-r13, linux26-headers-2.6.8.1-r2, i686-pc-linux-gnu-3.3.4

gcc -O2 -fomit-frame-pointer elflbl.c -o elflbl
elflbl.c: In function `scan_mm_start':
elflbl.c:426: error: storage size of `l' isn't known
elflbl.c:426: error: storage size of `l' isn't known
elflbl.c: In function `check_vma_flags':
elflbl.c:545: warning: deprecated use of label at end of compound statement

--
gentoo-security [at] gentoo mailing list


miguel.filipe at gmail

Jan 8, 2005, 8:29 AM

Post #16 of 65 (3011 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

LoL, I came "sounding like an ass" ?
Why is that?
Because I talked about a LOCAL ROOT EXPLOIT ..that isn't mentioned in
the GENTOO SECURITY ML because its in the bugs repository?
So basically this list is good for flames about the portage system
(in)security but not good for informing gentoo users about a local
root exploit.. very nice!

I don't have your time, I subscribe to a security ML so I can be
informed about security issues..
If issues like a LOCAL ROOT EXPLOIT aren't mentioned here, WHY THE
HELL does this ML exist?

So, gentoo security ML is just for gentoo exclusive security issues
(aka portage system related issues)?
Or is it also for security issues that affects gentoo systems, like a
LOCAL ROOT exploit?

Taken from the gentoo website:
url: http://www.gentoo.org/main/en/lists.xml
"gentoo-security For the discussion of security issues and fixes"

I have no problems with following bugs.gentoo.org/security [at] gentoo
IF I KNEW that thats the place for security information... instead of
.. a... gentoo _security_ MAILING LIST.
Where is explained that those who want to follow security issues that
may affect thier systems should track bugs.gentoo.org ?


On Sat, 8 Jan 2005 01:05:12 -0500, Mike Frysinger <vapier [at] gentoo> wrote:
> On Saturday 08 January 2005 12:49 am, Lenroc wrote:
> > Sorry, I didn't make it clear enough that this was humor.
> >
> > Before anyone takes it the wrong way, I thought I'd clear that up.
>
> sarcastic humor ;)
>
> my first reply was harsh only because original poster came off sounding like
> an ass
> -mike
>


--
Miguel Sousa Filipe

--
gentoo-security [at] gentoo mailing list


carlo at gentoo

Jan 8, 2005, 8:52 AM

Post #17 of 65 (2993 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Saturday 08 January 2005 16:29, Miguel Filipe wrote:
> LoL, I came "sounding like an ass" ?
> Why is that?

It's because Mike likes to insult others. It's his problem, not yours.


Carsten


antoine at nagafix

Jan 8, 2005, 9:36 AM

Post #18 of 65 (2992 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Sat, 2005-01-08 at 10:36 +0000, Carlos Silva wrote:
> > Joey McCoy wrote:
> >
> >> I don't mean to be abrasive or anything, but isn't that what the
> >> community
> >> is for? We all work together and as one discovers a security threat
> >> they
> >> (as you have done) post it to the list (whether they found it on
> >> slashdot,
> >> google, securityfocus, etc), and there it is.
> >
> > Make our job easier, search for duplicates and if there aren't, file a
> > new security bug in Bugzilla. Procedure is all very detailed at
> > http://security.gentoo.org. We just can't follow all MLs and forums and
> > we also don't have much time to enter new bugs. That's where the
> > community can help.
> >
> >> There is the aforementioned bugs watch list, but I don't know how to
> >> enable that (have logged in, but don't see a watch feature), although
> >> I
> >> haven't looked more than a couple minutes into it.
> >>
> >> Just my 2 cents, am I off base here?
> >
> > As a Gentoo user, you either follow the GLSAs (gentoo-announce) or if
> > you find those not enough "reactive" you can subscribe to Bugzilla and
> > follow all our vuln-whacking progress by watching security [at] gentoo
> >
> I agree with this. I think that sould be some separation of things.
> There are security vulnerabilities thar aren't "serious" and others that
> are critical. I think that all we want is to have the critical ones
> (like root exploits) announced here so we can be notified faster.

I agree,
even if this one was hard to miss as it made headlines in slashdot
(amongst other places)
I would have thought that the gentoo-security list, was *the* place to
report such things (even if the report only points to other sources of
information or bugs.gentoo.org)


--
gentoo-security [at] gentoo mailing list


simons at cryp

Jan 8, 2005, 9:45 AM

Post #19 of 65 (3016 views)
Permalink
Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

Miguel Filipe writes:

> I came "sounding like an ass"? Why is that?

Because you criticized the Gentoo project. It works like
this: You bring up a security problem. In the replies you
get, though, your actual point is flat out dismissed or
never addressed at all. Instead, you and your behavior will
be discussed in a very provoking manner. Once you have been
thoroughly annoyed and insulted, you become defensive and
lose focus of what you were trying to say in the first
place! Thus, the discussion drifts away from the security
problem.


> Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
> mentioned in the GENTOO SECURITY ML because its in the
> bugs repository?

The advantage of dealing with security problems _only_ in
the bug tracking system is that practically nobody follows
the bug tracking system -- whereas lots of people read the
mailing list. Thus, there is less transparency, which means
more freedom for the Gentoo core team to deal with security
problems in a way that doesn't interfere with internal
politics (read: egos).


> If issues like a LOCAL ROOT EXPLOIT aren't mentioned
> here, WHY THE HELL does this ML exist?

As it happens, I have a concrete proposal how to make this
list more useful! How about having the bug tracking system
forward all new security-related entries to this mailing
list automatically? This policy would (a) increase
transparency and (b) help finding volunteers from the
community who care enough about a problem to be willing to
dedicate time to fixing it. Thus: less work for the Gentoo
core team, more security for everybody.


> Where is explained that those who want to follow security
> issues that may affect thier systems should track
> bugs.gentoo.org?

I'd very much like to see an answer to this question. The
page <http://security.gentoo.org/> doesn't seem to say
anything about.

Peter


--
gentoo-security [at] gentoo mailing list


daniel.brandt at home

Jan 8, 2005, 11:02 AM

Post #20 of 65 (3015 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On 00:55 Sat 08 Jan , Mike Frysinger wrote:
> On Saturday 08 January 2005 12:37 am, Lenroc wrote:
> > So, in order to be informed about security issues as they pertain to
> > Gentoo, it's not enough to monitor the Gentoo Security list?
>
> sign up for a bugzilla account and add 'security [at] gentoo' to your watch
> list
>
> a ton of other people already do
> -mike

This is suboptimal at best. There are tons of pure shit posted in
bugzilla, I know this since I actually tried. If you don't like
spending time sifting through everything related to security in
bugzilla when looking for fresh security bugs, I advice against
this.

Interesting to note is that as soon as anyone know of a new bug and
post about it here they are treated like idiots. This I also know
from personal experience.
See http://thread.gmane.org/gmane.linux.gentoo.security/598.

This mailing list really seem to be more about flaming than anything
else looking at the latest long threads.

So clearly a lot of people here doesn't want to know about possible
security issues in a timely manner. Also, unless you are really good
at communicating your exact intentions in so perfect english that no
possible ambiguities may arise, please refrain from posting if you
don't want to be called an ass.

Everytime I notice new mail in this folder I realize I forgot to
unsubscribe.. I think I just might take time to do it right now.

/ D


--
gentoo-security [at] gentoo mailing list


ramereth at gentoo

Jan 8, 2005, 11:18 AM

Post #21 of 65 (3021 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

Peter Simons wrote:
> Miguel Filipe writes:
>
> > I came "sounding like an ass"? Why is that?
>
> Because you criticized the Gentoo project. It works like
> this: You bring up a security problem. In the replies you
> get, though, your actual point is flat out dismissed or
> never addressed at all. Instead, you and your behavior will
> be discussed in a very provoking manner. Once you have been
> thoroughly annoyed and insulted, you become defensive and
> lose focus of what you were trying to say in the first
> place! Thus, the discussion drifts away from the security
> problem.

Peter, please don't start your rant again.

> > Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
> > mentioned in the GENTOO SECURITY ML because its in the
> > bugs repository?
>
> The advantage of dealing with security problems _only_ in
> the bug tracking system is that practically nobody follows
> the bug tracking system -- whereas lots of people read the
> mailing list. Thus, there is less transparency, which means
> more freedom for the Gentoo core team to deal with security
> problems in a way that doesn't interfere with internal
> politics (read: egos).

The reason you haven't seen an email about it is because security
advisories get sent to gentoo-announce. It was decided a few years ago
to move those emails from here to there because there were a lot more
people on that list. The other reason you haven't seen any email about
this from us is because we go through a process to make sure all the
ebuilds are updated before we release an announcement (which is
documented on our site [1] ). Its not being ignored one bit, its just
not very visible unless you follow bugs.

> > If issues like a LOCAL ROOT EXPLOIT aren't mentioned
> > here, WHY THE HELL does this ML exist?
>
> As it happens, I have a concrete proposal how to make this
> list more useful! How about having the bug tracking system
> forward all new security-related entries to this mailing
> list automatically? This policy would (a) increase
> transparency and (b) help finding volunteers from the
> community who care enough about a problem to be willing to
> dedicate time to fixing it. Thus: less work for the Gentoo
> core team, more security for everybody.

Add a watch on the bugs site like was previously mentioned. Perhaps that
should be better documented so people like him can follow things like that.

> > Where is explained that those who want to follow security
> > issues that may affect thier systems should track
> > bugs.gentoo.org?
>
> I'd very much like to see an answer to this question. The
> page <http://security.gentoo.org/> doesn't seem to say
> anything about.

See above. If this needs to be added, make a bug about it.

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml

-Lance


--
gentoo-security [at] gentoo mailing list


debeuk at gmail

Jan 8, 2005, 11:32 AM

Post #22 of 65 (2996 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

On Sat, 08 Jan 2005 12:18:22 -0600, Lance Albertson <ramereth [at] gentoo> wrote:
> Peter Simons wrote:
> > Miguel Filipe writes:
> >
> > > I came "sounding like an ass"? Why is that?
> >
> > Because you criticized the Gentoo project. It works like
> > this: You bring up a security problem. In the replies you
> > get, though, your actual point is flat out dismissed or
> > never addressed at all. Instead, you and your behavior will
> > be discussed in a very provoking manner. Once you have been
> > thoroughly annoyed and insulted, you become defensive and
> > lose focus of what you were trying to say in the first
> > place! Thus, the discussion drifts away from the security
> > problem.
>
> Peter, please don't start your rant again.
>
> > > Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
> > > mentioned in the GENTOO SECURITY ML because its in the
> > > bugs repository?
> >
> > The advantage of dealing with security problems _only_ in
> > the bug tracking system is that practically nobody follows
> > the bug tracking system -- whereas lots of people read the
> > mailing list. Thus, there is less transparency, which means
> > more freedom for the Gentoo core team to deal with security
> > problems in a way that doesn't interfere with internal
> > politics (read: egos).
>
> The reason you haven't seen an email about it is because security
> advisories get sent to gentoo-announce. It was decided a few years ago
> to move those emails from here to there because there were a lot more
> people on that list. The other reason you haven't seen any email about
> this from us is because we go through a process to make sure all the
> ebuilds are updated before we release an announcement (which is
> documented on our site [1] ). Its not being ignored one bit, its just
> not very visible unless you follow bugs.

You send the _security_ advisories to _announce_ because more people
are subscribed to it?
You only announce problems _after_ a fix is made??? Did it occur to
any of you that people might want to disable vulnerable sevices or
even *gasp* help produce fixes for the problems?
We have to watch bugs.gentoo to get a total picture?

I couldn't agree more with Peter, this ML is about as usefull as a
bicycle is to a fish.

>
> > > If issues like a LOCAL ROOT EXPLOIT aren't mentioned
> > > here, WHY THE HELL does this ML exist?
> >
> > As it happens, I have a concrete proposal how to make this
> > list more useful! How about having the bug tracking system
> > forward all new security-related entries to this mailing
> > list automatically? This policy would (a) increase
> > transparency and (b) help finding volunteers from the
> > community who care enough about a problem to be willing to
> > dedicate time to fixing it. Thus: less work for the Gentoo
> > core team, more security for everybody.
>
> Add a watch on the bugs site like was previously mentioned. Perhaps that
> should be better documented so people like him can follow things like that.
>
> > > Where is explained that those who want to follow security
> > > issues that may affect thier systems should track
> > > bugs.gentoo.org?
> >
> > I'd very much like to see an answer to this question. The
> > page <http://security.gentoo.org/> doesn't seem to say
> > anything about.
>
> See above. If this needs to be added, make a bug about it.
>
> [1] http://www.gentoo.org/security/en/vulnerability-policy.xml
>
> -Lance
>
>
> --
> gentoo-security [at] gentoo mailing list
>
>
--

Why are the pretty ones always insane?
-- J.G. Thirlwell

--
gentoo-security [at] gentoo mailing list


ramereth at gentoo

Jan 8, 2005, 11:38 AM

Post #23 of 65 (3011 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

Sven Beukenex wrote:

> You send the _security_ advisories to _announce_ because more people
> are subscribed to it?
> You only announce problems _after_ a fix is made??? Did it occur to
> any of you that people might want to disable vulnerable sevices or
> even *gasp* help produce fixes for the problems?
> We have to watch bugs.gentoo to get a total picture?

Perhaps there should be another list or method for people like you to
know about things better. I'm not on the security team, so its not my
call. I wasn't around when they changed sending advisories from this
list to the other one, so I don't know the exact reasoning. I do see
your point, and it is valid, so perhaps we should come up with a
solution that works instead of flaming or yelling. Attitudes like that
just make us not want to help even more.

-Lance

--
gentoo-security [at] gentoo mailing list


simons at cryp

Jan 8, 2005, 11:45 AM

Post #24 of 65 (3022 views)
Permalink
Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

Lance Albertson writes:

>> It works like this: You bring up a security problem. In
>> the replies you get, though, your actual point is flat
>> out dismissed or never addressed at all. Instead, you
>> and your behavior will be discussed in a very provoking
>> manner. Once you have been thoroughly annoyed and
>> insulted, you become defensive and lose focus of what
>> you were trying to say in the first place! Thus, the
>> discussion drifts away from the security problem.

> Peter, please don't start your rant again.

Quod erat demonstrandum.


> The reason you haven't seen an email about it is because
> security advisories get sent to gentoo-announce. [...]

I am aware of that. However, I don't see how this relates to
the proposal of sending newly reported security problems to
_this_ list instead.


> It was decided a few years ago to move those emails from
> here to there because there were a lot more people on
> that list.

I think you are mixing up two different things, Lance. These
advisories you are talking about are issued when problems
are _fixed_ in Gentoo. We were talking about being advised
about problems once they are _known_. As you may recall,
there's occasionally a significant amount of time between
these two points.


> [A security problem is] not being ignored one bit, its
> just not very visible unless you follow bugs.

Exactly. Since hardly anybody follows the bugs, this means
that security problems are practically invisible to most
users until they are fixed in Gentoo, which, as you may
recall, takes a significant amount of time on the occasion.
To remedy this situation, I'd like to make the following
proposal:

| How about having the bug tracking system forward all new
| security-related entries to this mailing list
| automatically? This policy would (a) increase
| transparency and (b) help finding volunteers from the
| community who care enough about a problem to be willing
| to dedicate time to fixing it. Thus: less work for the
| Gentoo core team, more security for everybody.

If you look closely, you'll find that I originally said that
in the very e-mail you are replying to. Curious that you
didn't address that part at all, isn't it?


> Add a watch on the bugs site like was previously mentioned.
> Perhaps that should be better documented so people like him
> can follow things like that.

Perhaps it would be simpler to post the security related
problems to this mailing list instead, so that "people like
him" don't need to configure watches on the bug tracking
system in order to learn about them?

Peter


--
gentoo-security [at] gentoo mailing list


bryank at cs

Jan 8, 2005, 11:53 AM

Post #25 of 65 (3019 views)
Permalink
Re: Re: local root exploit for linux 2.4 and linux 2.6. [In reply to]

To get it to compile, change modify_ldt_ldt_s to user_desc. For me it
just segfaults then, but I don't know if that's because I have
CONFIG_DEBUG_STACKOVERFLOW=y set.

--Kevin

On Sat, Jan 08, 2005 at 02:24:34PM +0100, Raul Lluna wrote:

> Anyway the exploit does not work for me.
> Tested against:
> - 2.6.5-gentoo-r1
> - 2.4.24-openmosix-r1
> - 2.4.26-gentoo-r13
> - 2.6.9-gentoo-r9
>
> And it does not even compile against:
> - 2.6.9-gentoo-r13, linux26-headers-2.6.8.1-r2, i686-pc-linux-gnu-3.3.4
>
> gcc -O2 -fomit-frame-pointer elflbl.c -o elflbl
> elflbl.c: In function `scan_mm_start':
> elflbl.c:426: error: storage size of `l' isn't known
> elflbl.c:426: error: storage size of `l' isn't known
> elflbl.c: In function `check_vma_flags':
> elflbl.c:545: warning: deprecated use of label at end of compound statement
>
> --
> gentoo-security [at] gentoo mailing list

First page Previous page 1 2 3 Next page Last page  View All Gentoo security RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.