* [gentoo-hardened] Security notice regarding hardened-sources
@ 2010-09-16 21:15 Anthony G. Basile
2010-09-16 22:47 ` [gentoo-hardened] " 7v5w7go9ub0o
0 siblings, 1 reply; 6+ messages in thread
From: Anthony G. Basile @ 2010-09-16 21:15 UTC (permalink / raw
To: gentoo-hardened
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi everyone,
All kernels before Sept 14 are vulnerable to the "IA32 Syscall Entry
Point Privilege Escalation" and "IA32 Emulation Stack Underflow". See
http://bugs.gentoo.org/show_bug.cgi?id=337645
http://bugs.gentoo.org/show_bug.cgi?id=337659
Also see
https://bugs.gentoo.org/show_bug.cgi?id=326885#c10
As a result, certain configurations of hardened-sources are also
vulnerable. As a work around until I get the fix into the tree and fast
track stabilization, keep the following in mind:
1) Whether hardened or not, if you don't have CONFIG_IA32_EMULATION, the
exploits fail.
2) If you hide kernel symbols in /proc/kallsyms, the proof-of-concept
code won't work. You can do that by either not enabling CONFIG_KALLSYMS
on non-hardened kernels, or just set CONFIG_GRKERNSEC_HIDESYM=y on
hardened.
(However, there may still be ways of making the exploit work even
without symbol info.)
3) On hardened systems, if you enable CONFIG_PAX_MEMORY_UDEREF=y, the
exploits fail even with access to symbol info. If possible, I would
also recommend enabling CONFIG_PAX_KERNEXEC=y.
- --
Anthony G. Basile, Ph.D.
Gentoo Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkySiOIACgkQl5yvQNBFVTUZzQCeMolKjTKql6/ShNRtYSH/K1DM
thUAmwTJOrYbB1wJ4A+FlPDu78tc55AT
=xfQc
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 6+ messages in thread
* [gentoo-hardened] Re: Security notice regarding hardened-sources
2010-09-16 21:15 [gentoo-hardened] Security notice regarding hardened-sources Anthony G. Basile
@ 2010-09-16 22:47 ` 7v5w7go9ub0o
2010-09-17 0:21 ` Anthony G. Basile
2010-09-17 4:06 ` Magnus Granberg
0 siblings, 2 replies; 6+ messages in thread
From: 7v5w7go9ub0o @ 2010-09-16 22:47 UTC (permalink / raw
To: for hard list
On 09/16/10 17:15, Anthony G. Basile wrote:
[]
>
>
> As a result, certain configurations of hardened-sources are also
> vulnerable. As a work around until I get the fix into the tree and
> fast track stabilization, keep the following in mind:
[]
Thank you for this note, Anthony!
1. Will hardened-sources be distributed via the tree, or via an overlay?
(IIRC, I got 2.6.34-r5 via the overlay, then it disappeared)
2. Same question about gcc; will hardened gcc come to us via an overlay?
(I see an update to 4.4.4-r2; IIRC I got 4.4.4-r1 via overlay).
TIA
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-hardened] Re: Security notice regarding hardened-sources
2010-09-16 22:47 ` [gentoo-hardened] " 7v5w7go9ub0o
@ 2010-09-17 0:21 ` Anthony G. Basile
2010-09-17 16:40 ` "Tóth Attila"
2010-09-17 4:06 ` Magnus Granberg
1 sibling, 1 reply; 6+ messages in thread
From: Anthony G. Basile @ 2010-09-17 0:21 UTC (permalink / raw
To: gentoo-hardened
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/16/2010 06:47 PM, 7v5w7go9ub0o wrote:
> On 09/16/10 17:15, Anthony G. Basile wrote:
> []
>
>>
>>
>> As a result, certain configurations of hardened-sources are also
>> vulnerable. As a work around until I get the fix into the tree and
>> fast track stabilization, keep the following in mind:
>
> []
>
> Thank you for this note, Anthony!
>
> 1. Will hardened-sources be distributed via the tree, or via an overlay?
> (IIRC, I got 2.6.34-r5 via the overlay, then it disappeared)
>
> 2. Same question about gcc; will hardened gcc come to us via an overlay?
> (I see an update to 4.4.4-r2; IIRC I got 4.4.4-r1 via overlay).
>
> TIA
>
The overlay should not be used for anything anymore. Its around only
for reference. (Zorry and I may want to look back at stuff we did.)
In about a day or so you should see hardened-sources-2.6.32-r18.ebuild
and hardened-sources-2.6.34-r6.ebuild appear in portage. Use one of
those two.
- --
Anthony G. Basile, Ph.D.
Gentoo Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkyStJIACgkQl5yvQNBFVTUnnACgg1lYVsSGM2k5SG6VSBeJTPOI
hhIAn0WTyGjbplsXD3JavTuBP6Xf2N5D
=08GV
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-hardened] Re: Security notice regarding hardened-sources
2010-09-17 0:21 ` Anthony G. Basile
@ 2010-09-17 16:40 ` "Tóth Attila"
0 siblings, 0 replies; 6+ messages in thread
From: "Tóth Attila" @ 2010-09-17 16:40 UTC (permalink / raw
To: gentoo-hardened
Thanks for the feedback about the sources.
What about the toolchain? What are the gcc, binutils and glibc versions
supported? What versions of the toolchain components advised for the brave
folk?
Thx:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962
2010.Szeptember 17.(P) 02:21 időpontban Anthony G. Basile ezt írta:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/16/2010 06:47 PM, 7v5w7go9ub0o wrote:
>> On 09/16/10 17:15, Anthony G. Basile wrote:
>> []
>>
>>>
>>>
>>> As a result, certain configurations of hardened-sources are also
>>> vulnerable. As a work around until I get the fix into the tree and
>>> fast track stabilization, keep the following in mind:
>>
>> []
>>
>> Thank you for this note, Anthony!
>>
>> 1. Will hardened-sources be distributed via the tree, or via an overlay?
>> (IIRC, I got 2.6.34-r5 via the overlay, then it disappeared)
>>
>> 2. Same question about gcc; will hardened gcc come to us via an overlay?
>> (I see an update to 4.4.4-r2; IIRC I got 4.4.4-r1 via overlay).
>>
>> TIA
>>
>
>
> The overlay should not be used for anything anymore. Its around only
> for reference. (Zorry and I may want to look back at stuff we did.)
>
> In about a day or so you should see hardened-sources-2.6.32-r18.ebuild
> and hardened-sources-2.6.34-r6.ebuild appear in portage. Use one of
> those two.
>
>
> - --
> Anthony G. Basile, Ph.D.
> Gentoo Developer
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.16 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkyStJIACgkQl5yvQNBFVTUnnACgg1lYVsSGM2k5SG6VSBeJTPOI
> hhIAn0WTyGjbplsXD3JavTuBP6Xf2N5D
> =08GV
> -----END PGP SIGNATURE-----
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-hardened] Re: Security notice regarding hardened-sources
2010-09-16 22:47 ` [gentoo-hardened] " 7v5w7go9ub0o
2010-09-17 0:21 ` Anthony G. Basile
@ 2010-09-17 4:06 ` Magnus Granberg
2010-09-17 23:12 ` 7v5w7go9ub0o
1 sibling, 1 reply; 6+ messages in thread
From: Magnus Granberg @ 2010-09-17 4:06 UTC (permalink / raw
To: gentoo-hardened
On Friday 17 September 2010 00.47.42 7v5w7go9ub0o wrote:
> On 09/16/10 17:15, Anthony G. Basile wrote:
> []
>
> > As a result, certain configurations of hardened-sources are also
> > vulnerable. As a work around until I get the fix into the tree and
>
> > fast track stabilization, keep the following in mind:
> []
>
> Thank you for this note, Anthony!
>
> 1. Will hardened-sources be distributed via the tree, or via an overlay?
> (IIRC, I got 2.6.34-r5 via the overlay, then it disappeared)
>
> 2. Same question about gcc; will hardened gcc come to us via an overlay?
> (I see an update to 4.4.4-r2; IIRC I got 4.4.4-r1 via overlay).
>
> TIA
All the hardened overlay work is in the tree now
/Magnus (Zorry)
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2010-09-18 0:02 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-16 21:15 [gentoo-hardened] Security notice regarding hardened-sources Anthony G. Basile
2010-09-16 22:47 ` [gentoo-hardened] " 7v5w7go9ub0o
2010-09-17 0:21 ` Anthony G. Basile
2010-09-17 16:40 ` "Tóth Attila"
2010-09-17 4:06 ` Magnus Granberg
2010-09-17 23:12 ` 7v5w7go9ub0o
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox