* [gentoo-hardened] Security notice for hardened users.
From: Anthony G. Basile @ 2010-10-22 11:21 UTC
To: gentoo-hardened
Hi all hardened users.
On Oct. 19, a local privilege escalation exploit was found [1,2] that
affected hardened kernels on all architectures. For certain
configurations of the hardened kernel, it is possible for a local user
to obtain root privileges. The current Proof-Of-Concept code can be
frustrated by not providing symbol information via /proc/kallsyms or
System.map, but at this time it is unclear if other hardening
features such as CONFIG_PAX_MEMORY_UDEREF provide adequate protection
against variations of the POC which do not need symbols.
All users are encouraged to upgrade to hardened-sources-2.6.32-r22
which is currently marked stable on amd64 and x86. It is being fast
tracked on other archs. [3]
hardened-sources-2.6.35-r4 is also not vulnerable, but cannot be
stabilized yet because of a bug in dhcp which also affects
gentoo-sources-2.6.35-r4. [4] For those who want kernels > .32 and
can live with the minor bug, you can safely use
hardened-sources-2.6.35-r4.
Later this week, all ebuilds for vulnerable kernels will be removed
from the tree, except for hardened-sources-2.6.34-r6,
hardened-sources-2.6.32-r9 and hardened-sources-2.6.28-r9. These will
be kept for continuity.
Ref:
[1] http://www.vsecurity.com/resources/advisory/20101019-1/
[2] http://bugs.gentoo.org/show_bug.cgi?id=341801
[3] http://bugs.gentoo.org/show_bug.cgi?id=341915
[4] http://bugs.gentoo.org/show_bug.cgi?id=334341
--
Anthony G. Basile, Ph.D.
Gentoo Developer
^ permalink raw reply [flat|nested] 4+ messages in thread
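A host check built from the notice above, as an added example that is not part of the original thread: it classifies the running kernel against the hardened-sources versions the notice names and reports whether symbol addresses are readable through /proc/kallsyms or a System.map file. The `uname -r` naming scheme, the System.map paths and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: hardened-sources kernels
# report `uname -r` as <version>-hardened[-rN], e.g. 2.6.32-hardened-r22.

# Classify a release using only the versions named in the notice.
hs_release_status() {
    case "$1" in
        2.6.32-hardened-r22|2.6.35-hardened-r4)
            echo "listed-not-vulnerable" ;;
        2.6.34-hardened-r6|2.6.32-hardened-r9|2.6.28-hardened-r9)
            echo "vulnerable-kept-for-continuity" ;;
        *-hardened*) echo "hardened-not-listed" ;;
        *) echo "not-hardened-sources" ;;
    esac
}

# True if the calling user can read a non-zero address from a file in
# kallsyms/System.map format ("<hex address> <type> <name>" per line).
symbols_exposed() {
    awk 'NF >= 3 && $1 !~ /^0+$/ { found = 1; exit }
         END { exit !found }' "$1" 2>/dev/null
}

# True if the "other" read bit is set, so any local user can read the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

audit_host() {
    rel=$(uname -r)
    echo "kernel $rel: $(hs_release_status "$rel")"
    if symbols_exposed /proc/kallsyms; then
        echo "/proc/kallsyms: addresses readable by uid $(id -u)"
    else
        echo "/proc/kallsyms: no addresses readable by uid $(id -u)"
    fi
    # Typical System.map locations (assumed; adjust to the local layout).
    for f in /boot/System.map* /usr/src/linux/System.map; do
        [ -e "$f" ] || continue
        if world_readable "$f"; then echo "$f: world-readable"; fi
    done
    return 0
}

audit_host
```

Run it as an unprivileged user, since root can read the symbol files regardless of their mode. A clean symbol result only addresses the current Proof-Of-Concept; the notice leaves open whether variants that need no symbols are stopped.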
* Re: [gentoo-hardened] Security notice for hardened users.
From: Tom Hendrikx @ 2010-10-22 12:39 UTC
To: gentoo-hardened
On 22/10/10 13:21, Anthony G. Basile wrote:
> Hi all hardened users.
>
> On Oct. 19, a local privilege escalation exploit was found [1,2] that
> affected hardened kernels on all architectures. For certain
> configurations of the hardened kernel, it is possible for a local user
> to obtain root privileges. The current Proof-Of-Concept code can be
> frustrated by not providing symbol information via /proc/kallsyms or
> System.map, but at this time it is unclear if other hardening
> features such as CONFIG_PAX_MEMORY_UDEREF provide adequate protection
> against variations of the POC which do not need symbols.
>
> All users are encouraged to upgrade to hardened-sources-2.6.32-r22
> which is currently marked stable on amd64 and x86. It is being fast
> tracked on other archs. [3]
>
> hardened-sources-2.6.35-r4 is also not vulnerable, but cannot be
> stabilized yet because of a bug in dhcp which also affects
> gentoo-sources-2.6.35-r4. [4] For those who want kernels > .32 and
> can live with the minor bug, you can safely use
> hardened-sources-2.6.35-r4.
>
> Later this week, all ebuilds for vulnerable kernels will be removed
> from the tree, except for hardened-sources-2.6.34-r6,
> hardened-sources-2.6.32-r9 and hardened-sources-2.6.28-r9. These will
> be kept for continuity.
>
>
> Ref:
>
> [1] http://www.vsecurity.com/resources/advisory/20101019-1/
>
> [2] http://bugs.gentoo.org/show_bug.cgi?id=341801
>
> [3] http://bugs.gentoo.org/show_bug.cgi?id=341915
>
> [4] http://bugs.gentoo.org/show_bug.cgi?id=334341
>
Just to verify: if I understand
https://bugs.gentoo.org/show_bug.cgi?id=341801 correctly, a secure
replacement for (stable) hardened-sources-2.6.34-r6 on amd64 will not be
stabilized within a month, as it is awaiting baselayout-2 stabilisation
(offtopic: w00t). Or I'd need to downgrade to 2.6.32.
For people running baselayout-2 already, there is no reason not to add
hardened-sources-2.6.35-r4 to package.keywords and upgrade?
--
Regards,
Tom
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [gentoo-hardened] Security notice for hardened users.
From: Mike Pagano @ 2010-10-22 12:46 UTC
To: gentoo-hardened
On Friday, October 22, 2010 08:39:41 am Tom Hendrikx wrote:
> On 22/10/10 13:21, Anthony G. Basile wrote:
> > Hi all hardened users.
> >
> > On Oct. 19, a local privilege escalation exploit was found [1,2] that
> > be kept for continuity.
> >
> >
> >
>
> Just to verify: if I understand
> https://bugs.gentoo.org/show_bug.cgi?id=341801 correctly, a secure
> replacement for (stable) hardened-sources-2.6.34-r6 on amd64 will not be
> stabilized within a month, as it is awaiting baselayout-2 stabilisation
> (offtopic: w00t). Or I'd need to downgrade to 2.6.32.
>
> For people running baselayout-2 already, there is no reason not to add
> hardened-sources-2.6.35-r4 to package.keywords and upgrade?
>
> --
> Regards,
> Tom
>
>
FYI
Baselayout-1 stabilization will also enable 2.6.35 kernels to be stabilized. That bug should be able to be filed on Nov 3rd.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [gentoo-hardened] Security notice for hardened users.
From: Anthony G. Basile @ 2010-10-22 16:14 UTC
To: gentoo-hardened
On 10/22/2010 08:39 AM, Tom Hendrikx wrote:
> Just to verify: if I understand
> https://bugs.gentoo.org/show_bug.cgi?id=341801 correctly, a secure
> replacement for (stable) hardened-sources-2.6.34-r6 on amd64 will not be
> stabilized within a month, as it is awaiting baselayout-2 stabilisation
> (offtopic: w00t). Or I'd need to downgrade to 2.6.32.
That is correct. When 2.6.35-r4 is stabilized it will be stabilized for
all archs. 2.6.34-r6 was *only* fast track stabilized on amd64 for
another local root exploit bug [1].
>
> For people running baselayout-2 already, there is no reason not to add
> hardened-sources-2.6.35-r4 to package.keywords and upgrade?
Correct. Even if you are not using baselayout-2 you can try
h-s-2.6.35-r4 and see if you get bit by the dhcp bug. If you don't, I
see no reason not to just use it.
I didn't feel it was justifiable to fast track stabilization of two h-s
kernels. Fast track stabilization is dangerous and in fact, 2.6.34-r6
is an example. It has a bug that probably would have been caught if we
could have waited the required 30 days [2].
PLEASE! Report any bugs in h-s-2.6.32-r22 or h-s-2.6.35-r4 asap so we
can address them. Ideally stabilized kernels should be bug free.
Ref.
[1] http://bugs.gentoo.org/show_bug.cgi?id=337645
[2] http://bugs.gentoo.org/show_bug.cgi?id=338572
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
^ permalink raw reply [flat|nested] 4+ messages in thread