public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Spectre and Meltdown summary
@ 2018-01-04 11:50 Adam Carter
  2018-01-04 12:21 ` [gentoo-user] " Adam Carter
  0 siblings, 1 reply; 8+ messages in thread
From: Adam Carter @ 2018-01-04 11:50 UTC
  To: gentoo-user

No guarantees on accuracy...

Meltdown CVE-2017-5754 (Variant3) - userspace reads kernel memory. Intel
vulnerable, AMD not vulnerable. Issue is mitigated with KPTI (in kernel
4.14.11, Security Options -> Remove the kernel mapping in user mode
(CONFIG_PAGE_TABLE_ISOLATION), on by default for all archs in this version,
disabled by default for AMD CPUs in git 4.15). KPTI incurs a performance
hit.

Spectre CVE-2017-5753 (Variant1) and CVE-2017-5715 (Variant2) -
applications read other applications' memory. Intel, AMD, ARM all
vulnerable.
Re Variant1, AMD says "Resolved by software / OS updates to be made
available by system vendors and manufacturers. Negligible performance
impact expected."
Re Variant2, AMD says "Differences in AMD architecture mean there is a near
zero risk of exploitation of this variant. Vulnerability to Variant 2 has
not been demonstrated on AMD processors to date."

Ref:
http://www.amd.com/en/corporate/speculative-execution
https://meltdownattack.com/
http://www.tomshardware.com/forum/id-3609004/cpu-security-vulnerabilities-information.html

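The KPTI check implied by the summary above, as an added example that is not part of the original post: it reports whether CONFIG_PAGE_TABLE_ISOLATION is built in and combines that with the CPU vendor, using the vendor claims exactly as the summary states them. The function names, the sample files and the `nopti` / `pti=off` boot-parameter check are assumptions that do not appear in the thread.

```shell
#!/bin/sh
# Added example: report KPTI (Meltdown mitigation) state from a kernel
# config, a kernel command line and cpuinfo. File arguments let it run on
# constructed samples; on a live system pass the real files instead.

# kpti_state CONFIG_FILE CMDLINE_FILE -> built-in | boot-disabled | not-built
kpti_state() {
    if ! grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$1"; then
        echo not-built
    elif grep -Eq '(^| )(nopti|pti=off)( |$)' "$2"; then
        echo boot-disabled      # compiled in but switched off at boot
    else
        echo built-in
    fi
}

# cpu_vendor CPUINFO_FILE -> e.g. GenuineIntel, AuthenticAMD
cpu_vendor() {
    awk -F': ' '/^vendor_id/ { print $2; exit }' "$1"
}

# meltdown_status CONFIG CMDLINE CPUINFO, following the summary above:
# Intel needs KPTI, AMD is reported as not vulnerable to Variant 3.
meltdown_status() {
    vendor=$(cpu_vendor "$3")
    state=$(kpti_state "$1" "$2")
    case "$vendor:$state" in
        AuthenticAMD:*)        echo "not-affected" ;;
        GenuineIntel:built-in) echo "mitigated" ;;
        GenuineIntel:*)        echo "exposed ($state)" ;;
        *)                     echo "unknown vendor '$vendor', KPTI $state" ;;
    esac
}

# Constructed sample inputs (not captured from a real machine).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'CONFIG_X86_64=y\nCONFIG_PAGE_TABLE_ISOLATION=y\n' > "$tmp/config"
printf 'BOOT_IMAGE=/vmlinuz-4.14.11 root=/dev/sda2 ro nopti\n' > "$tmp/cmdline"
printf 'processor\t: 0\nvendor_id\t: GenuineIntel\n' > "$tmp/cpuinfo"

meltdown_status "$tmp/config" "$tmp/cmdline" "$tmp/cpuinfo"
```

On a running system the three arguments would be the kernel's config file (for example `/usr/src/linux/.config`, assuming it matches the booted kernel), `/proc/cmdline` and `/proc/cpuinfo`.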

* [gentoo-user] Re: Spectre and Meltdown summary
  2018-01-04 11:50 [gentoo-user] Spectre and Meltdown summary Adam Carter
@ 2018-01-04 12:21 ` Adam Carter
  2018-01-04 21:14   ` Andrey F.
  0 siblings, 1 reply; 8+ messages in thread
From: Adam Carter @ 2018-01-04 12:21 UTC
  To: gentoo-user

Browser stuff

I'm guessing this relates to Variant1;
@hackerfantastic "Blackhats will be weaponizing spectre to steal session
cookies from additional websites opened in the browser, especially
financial sites. Enable site isolation in Chrome now.
https://support.google.com/chrome/answer/7623121?hl=en-GB"

Sounds like Mozilla will make some changes in Firefox 57 to make the
attacks more difficult;
"Our internal experiments confirm that it is possible to use similar
techniques from Web content to read private information"
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/


* Re: [gentoo-user] Re: Spectre and Meltdown summary
  2018-01-04 12:21 ` [gentoo-user] " Adam Carter
@ 2018-01-04 21:14   ` Andrey F.
  2018-01-06  0:30     ` Adam Carter
  0 siblings, 1 reply; 8+ messages in thread
From: Andrey F. @ 2018-01-04 21:14 UTC
  To: gentoo-user

Thanks for the great summary! Having 2FA enabled for all accounts will
go a long way as well.

On Thu, Jan 4, 2018 at 4:21 AM, Adam Carter <adamcarter3@gmail.com> wrote:
> Browser stuff
>
> I'm guessing this relates to Variant1;
> @hackerfantastic "Blackhats will be weaponizing spectre to steal session
> cookies from additional websites opened in the browser, especially financial
> sites. Enable site isolation in Chrome now.
> https://support.google.com/chrome/answer/7623121?hl=en-GB"
>
> Sounds like Mozilla will make some changes in Firefox 57 to make the attacks
> more difficult;
> "Our internal experiments confirm that it is possible to use similar
> techniques from Web content to read private information"
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>



* Re: [gentoo-user] Re: Spectre and Meltdown summary
  2018-01-04 21:14   ` Andrey F.
@ 2018-01-06  0:30     ` Adam Carter
  0 siblings, 0 replies; 8+ messages in thread
From: Adam Carter @ 2018-01-06  0:30 UTC
  To: gentoo-user

Here's a nice non-expert explanation of Meltdown

https://medium.com/@pwnallthethings/time-travelling-exploits-with-meltdown-1189548f1e1d


* [gentoo-user] linux-gazette masked: The total pollution of the output :)
@ 2018-01-07 18:08 tuxic
  2018-01-07 18:31 ` Neil Bothwick
  0 siblings, 1 reply; 8+ messages in thread
From: tuxic @ 2018-01-07 18:08 UTC
  To: Gentoo

Hi,

every time I emerge something, a LOOOOOONG list
of installed linux-gazettes is printed on my terminal,
which warns me -- for each single gazette -- that it will
be masked.

To find the real output in all this mess is at least difficult.

Is there a way to suppress that output other than deinstalling
the linux-gazettes?

Cheers
Meino


* Re: [gentoo-user] linux-gazette masked: The total pollution of the output :)
  2018-01-07 18:08 [gentoo-user] linux-gazette masked: The total pollution of the output :) tuxic
@ 2018-01-07 18:31 ` Neil Bothwick
  2018-01-07 21:25   ` Marc Joliet
  0 siblings, 1 reply; 8+ messages in thread
From: Neil Bothwick @ 2018-01-07 18:31 UTC
  To: gentoo-user

On Sun, 7 Jan 2018 19:08:59 +0100, tuxic@posteo.de wrote:

> every time I emerge something, a LOOOOOONG list
> of installed linux-gazettes is printed on my terminal,
> which warns me -- for each single gazette -- that it will
> be masked.
>
> To find the real output in all this mess is at least difficult.
>
> Is there a way to suppress that output other than deinstalling
> the linux-gazettes?

Add the packages to /etc/portage/profile/package.unmask.

You'll also need to copy the ebuild directories to a local overlay before
they are removed from the portage tree.


-- 
Neil Bothwick

A good pun is its own reword.


* Re: [gentoo-user] linux-gazette masked: The total pollution of the output :)
  2018-01-07 18:31 ` Neil Bothwick
@ 2018-01-07 21:25   ` Marc Joliet
  2018-01-07 21:53     ` Neil Bothwick
  0 siblings, 1 reply; 8+ messages in thread
From: Marc Joliet @ 2018-01-07 21:25 UTC
  To: gentoo-user

On Sunday, 7 January 2018, 19:31:52 CET, Neil Bothwick wrote:
> On Sun, 7 Jan 2018 19:08:59 +0100, tuxic@posteo.de wrote:
> > every time I emerge something, a LOOOOOONG list
> > of installed linux-gazettes is printed on my terminal,
> > which warns me -- for each single gazette -- that it will
> > be masked.
> >
> > To find the real output in all this mess is at least difficult.
> >
> > Is there a way to suppress that output other than deinstalling
> > the linux-gazettes?
>
> Add the packages to /etc/portage/profile/package.unmask.
>
> You'll also need to copy the ebuild directories to a local overlay before
> they are removed from the portage tree.

I remember that the problem is that the distfiles can't be downloaded:

"Upstream deleted all files more than 6 years ago and is inactive.
 See also bug #628960
 Masked for removal on 2018-02-01"

(For the future: "eix linux-gazette -v -l" will show you the mask message, 
alternatively "grep -r linux-gazette /usr/portage/profiles/" will show you 
which file the mask is defined in.)

Point is, unmasking won't make the ebuilds work.  I would copy everything the 
linux-gazette ebuilds install somewhere else and then uninstall them.

HTH
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup


* Re: [gentoo-user] linux-gazette masked: The total pollution of the output :)
  2018-01-07 21:25   ` Marc Joliet
@ 2018-01-07 21:53     ` Neil Bothwick
  0 siblings, 0 replies; 8+ messages in thread
From: Neil Bothwick @ 2018-01-07 21:53 UTC
  To: gentoo-user

On Sun, 07 Jan 2018 22:25:55 +0100, Marc Joliet wrote:

> On Sunday, 7 January 2018, 19:31:52 CET, Neil Bothwick wrote:
> > On Sun, 7 Jan 2018 19:08:59 +0100, tuxic@posteo.de wrote:
> > > every time I emerge something, a LOOOOOONG list
> > > of installed linux-gazettes is printed on my terminal,
> > > which warns me -- for each single gazette -- that it will
> > > be masked.
> > >
> > > To find the real output in all this mess is at least difficult.
> > >
> > > Is there a way to suppress that output other than deinstalling
> > > the linux-gazettes?
> >
> > Add the packages to /etc/portage/profile/package.unmask.
> >
> > You'll also need to copy the ebuild directories to a local overlay
> > before they are removed from the portage tree.
> 
> I remember that the problem is that the distfiles can't be downloaded:
> 
> "Upstream deleted all files more than 6 years ago and is inactive.
>  See also bug #628960
>  Masked for removal on 2018-02-01"
> 
> (For the future: "eix linux-gazette -v -l" will show you the mask
> message, alternatively "grep -r linux-gazette /usr/portage/profiles/"
> will show you which file the mask is defined in.)
> 
> Point is, unmasking won't make the ebuilds work.

No, but that's not Meino's problem. He has the packages installed and
wants to get rid of the warnings about masking and removal. Unmasking
will get rid of those. Putting the distfiles in a safe place is a good
idea, in case there is ever the need to reinstall.


-- 
Neil Bothwick

ISDN: It Still Does Nothing
