| 1 |
On 22/10/10 13:21, Anthony G. Basile wrote: |
| 2 |
> Hi all hardened users. |
| 3 |
> |
| 4 |
> On Oct. 19, a local privilege escalation exploit was found [1,2] that |
| 5 |
> affected hardened kernels on all architectures. For certain |
| 6 |
> configurations of the hardened kernel, it is possible for a local user |
| 7 |
> to obtain root privileges. The current Proof-Of-Concept code can be |
| 8 |
> frustrated by not providing symbol information via /proc/kallsyms or |
| 9 |
> System.map, but at this time it is unclear if other hardening |
| 10 |
> features such as CONFIG_PAX_MEMORY_UDEREF provide adequate protection |
| 11 |
> against variations of the POC which do not need symbols. |
| 12 |
> |
| 13 |
> All users are encouraged to upgrade to hardened-sources-2.6.32-r22 |
| 14 |
> which is currently marked stable on amd64 and x86. It is being fast |
| 15 |
> tracked on other archs. [3] |
| 16 |
> |
| 17 |
> hardened-sources-2.6.35-r4 is also not vulnerable, but cannot be |
| 18 |
> stabilized yet because of a bug in dhcp which also affects |
| 19 |
> gentoo-sources-2.6.35-r4. [4] For those who want kernels > .32 and |
| 20 |
> can live with the minor bug, you can safely use |
| 21 |
> hardened-sources-2.6.35-r4. |
| 22 |
> |
| 23 |
> Later this week, all ebuild for vulnerable kernels will be removed |
| 24 |
> from the tree, except for hardened-sources-2.6.34-r6 |
| 25 |
> hardened-sources-2.6.32-r9 and hardened-sources-2.6.28-r9. These will |
| 26 |
> be kept for continuity. |
| 27 |
> |
| 28 |
> |
| 29 |
> Ref: |
| 30 |
> |
| 31 |
> [1] http://www.vsecurity.com/resources/advisory/20101019-1/ |
| 32 |
> |
| 33 |
> [2] http://bugs.gentoo.org/show_bug.cgi?id=341801 |
| 34 |
> |
| 35 |
> [3] http://bugs.gentoo.org/show_bug.cgi?id=341915 |
| 36 |
> |
| 37 |
> [4] http://bugs.gentoo.org/show_bug.cgi?id=334341 |
| 38 |
> |
| 39 |
|
| 40 |
Just to verify: if I understand |
| 41 |
https://bugs.gentoo.org/show_bug.cgi?id=341801 correctly, a secure |
| 42 |
replacement for (stable) hardened-sources-2.6.34-r6 on amd64 will not be |
| 43 |
stabilized within a month, as it is awaiting baselayout-2 stabilisation |
| 44 |
(offtopic: w00t). Or I'd need to downgrade to 2.6.32. |
| 45 |
|
| 46 |
For people running baselayout-2 already, there is no reason not to add |
| 47 |
hardened-sources-2.6.35-r4 to package.keywords and upgrade? |
| 48 |
|
| 49 |
-- |
| 50 |
Regards, |
| 51 |
Tom |
Archives