Gentoo Archives: gentoo-user

From: Nikos Chantziaras <realnc@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed
Date: Wed, 31 Jan 2018 09:16:57
Message-Id: p4s1cu$qjr$1@blaine.gmane.org
In Reply to: Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed by Rich Freeman
On 30/01/18 23:43, Rich Freeman wrote:
> If you had some program that listened on a socket and accepted a
> length and a string and then did a bounds check using the length, it
> might be exploitable if a local process could feed it data. Even if
> the process only listened for outside connections it might be
> vulnerable if a local process colluded with a remote host to make that
> connection.

Well, if you're running a local process that is trying to attack you,
you've been compromised already, imo.

Local processes are always trusted. If Spectre is a vulnerability that
can be exploited by trusted code, it's not really a vulnerability.
Trusted code is called "trusted" for a reason.

So, unless you're running some kind of server that offers execution time
to clients (the clients are untrusted then), there's not many instances
of Spectre actually being relevant. Amazon and Google etc might be
running around currently like headless chickens, but for desktop home
users, Spectre does not seem to have far reaching implications once
you've patched the kernel and the few packages that run untrusted code.

Replies

Subject Author
Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed "Taiidan@×××.com" <Taiidan@×××.com>
[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed Martin Vaeth <martin@×××××.de>
Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed Rich Freeman <rich0@g.o>