| 1 |
On 03/02/12 13:37, Tom Hendrikx wrote: |
| 2 |
> On 03/02/12 03:50, Brian Kroth wrote: |
| 3 |
>> Tom Hendrikx <tom@×××××××××.net> 2012-02-02 21:42: |
| 4 |
>>> On 27/01/12 14:37, Anthony G. Basile wrote: |
| 5 |
>>>> Hi everyone, |
| 6 |
>>>> |
| 7 |
>>>> I just added hardened-sources 2.6.32-r88 and 3.2.2 to the tree. They |
| 8 |
>>>> address CVE-2012-0056. I've tested and they do indeed resist the |
| 9 |
>>>> exploit. I will be stabilizing them within 24 hours. However, I feel |
| 10 |
>>>> very uncomfortable doing so because I don't want to trade one set of |
| 11 |
>>>> problems with another. If anyone has time to test, let me know if you |
| 12 |
>>>> encounter any issues. |
| 13 |
>>>> |
| 14 |
>>> |
| 15 |
>>> I am still using 2.6.* sources here on one machine pending resolution of |
| 16 |
>>> bug https://bugs.gentoo.org/show_bug.cgi?id=386721 (if it will ever |
| 17 |
>>> happen :/ ). |
| 18 |
>> |
| 19 |
>> Are those open-vm kernel modules still necessary? It was my |
| 20 |
>> understanding that most/all of the guest modules for more efficient |
| 21 |
>> virtual hardware support were included in the mainline kernel now: |
| 22 |
>> <http://kernelnewbies.org/Linux_2_6_33#head-b1a0ddbc804d228802ce8aebd37d9fd6513ccb01> |
| 23 |
>> |
| 24 |
> |
| 25 |
> I did some more investigation. None of the three in-tree |
| 26 |
> open-vm-tools-kmod ebuilds compile against 2.6.32-r89, building a |
| 27 |
> 3.2.2-r1 kernel now to test against that. |
| 28 |
|
| 29 |
The same goes for 3.2.2-r1: none of the -kmod packages build against it. |
| 30 |
this means that the state of the -kmod package is a security issue, |
| 31 |
since it cannot be used with a non-vulnerable -hardened kernel. I'll add |
| 32 |
this to the bug report. |
| 33 |
|
| 34 |
> |
| 35 |
> I thought that I needed the -kmod package to run open-vm-tools in the |
| 36 |
> guest, but after some more research this might only apply when you want |
| 37 |
> drag-and-drop support (useless for (headless) server). The open-vm-tools |
| 38 |
> ebuilds list the -kmod package as a hard RDEPEND though. I'll do some |
| 39 |
> tests later today/during the weekend. |
| 40 |
> |
| 41 |
|
| 42 |
Just booted a 3.2.2-r1-hardened kernel, and vmware-tools stuff seems to |
| 43 |
run fine with the in-kernel vmware support. Not sure about performance |
| 44 |
etc, but it boots, generates no errors and VSphere in the host reports |
| 45 |
no issues either. |
| 46 |
|
| 47 |
We might just need an updated open-vm-tools package that only depends on |
| 48 |
the in-kernel stuff, and no longer on the -kmod package. I'll try to |
| 49 |
followup with the vmware people, as this is getting OT here ;) |
| 50 |
|
| 51 |
-- |
| 52 |
Tom |
Archives