Gentoo Archives: gentoo-security

From: Chris Reffett <creffett@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] glksa-check Proof of Concept
Date: Sun, 19 Jan 2014 02:25:55
In Reply to: [gentoo-security] glksa-check Proof of Concept by Samuel Damashek
2 Hash: SHA1
4 On 01/17/2014 11:25 PM, Samuel Damashek wrote:
5 > At the request of creffett, I created a Proof of Concept for
6 > glksa-check, which allows for glksa XML files to define Kernel
7 > security vulnerabilities. Please realize that this is a Proof of
8 > Concept, and that the interface is not the most user-friendly. The
9 > code can definitely be improved as well. To test the program,
10 > untar the files and copy the glksa dir to /usr/portage/metadata/.
11 > At the moment, the script requires you to have /proc/config.gz
12 > enabled in your kernel to read your running config options.
13 >
14 > I have two XML files currently defined (still using the glsa.dtd
15 > schema); one that is an actual vulnerability and one that is simply
16 > a control that triggers on X86. To test the program, run it with
17 > the -l option.
18 >
19 > You can download the files at
20 > (not sure if the mailing
21 > lists let you attach tarballs). There is definitely a lot to be
22 > improved about the application; this is just an idea for how to
23 > handle notifying users about Kernel vulnerabilities that affect
24 > their system. They would be released just like glsas. What are the
25 > list's opinions on this?
26 >
27 > -- Samuel Damashek
28 >
29 @security team: yes, I asked sdamashek to look into kernel bug
30 handling since we really don't do anything with it right now, and
31 suggested that he make a tool to check whether a kernel is vulnerable
32 (since it's more configuration-specific than a standard GLSA). As a
33 first step, I like it. It will need some cleaning up, of course, and
34 we will need to set up the framework to publish these and the
35 necessary integration into gentoolkit, but thank you for starting work
36 on this. As far as the release process goes, I think this could be
37 fairly easily automated--dump the CVE into the description, have
38 someone fill in the affected versions, kernel options, and type,
39 commit and send, no real need for peer review. I'm undecided as to
40 whether this is worth a new dtd or if we can just hack around the
41 existing glsa dtd, I think it might be worth a new one just for
42 simplicity. Of course, I'd like to hear the opinions of the more
43 senior members of security on what is needed to actually get this
44 deployable.
46 Chris Reffett
48 Version: GnuPG v2.0.22 (GNU/Linux)
49 Comment: Using GnuPG with Thunderbird -
53 Nzk1QThBNDI2MTgzNTQACgkQ23laikJhg1TP6gCggp61cehAy0iursG8ZMIaOiGX
54 mswAni4Vr6JHpZCw92zCNQ+X5M6k4xJL
55 =8tqg
56 -----END PGP SIGNATURE-----