Gentoo Forums
Thank our Kernel Devs for Solid Security: CVE-2018-14634
DeadToRight
n00b

Joined: 28 Jun 2018
Posts: 22

Posted: Fri Sep 28, 2018 5:39 am    Post subject: Thank our Kernel Devs for Solid Security: CVE-2018-14634

Those pre-compiled "stable" distros have a nasty security problem:
https://www.openwall.com/lists/oss-security/2018/09/25/4

And their fix involves using systemtap until they can get the real kernel fix, already in the 4.16 branch or later. The old patch that made things vulnerable was back in the 2.6 days.
https://access.redhat.com/security/cve/cve-2018-14634

Here's that commit.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ed28639519c7bad5f518e70b3284c6e0763e650

=sys-kernel/gentoo-sources-4.14.65 needs this patch. And I'm willing to assume the 4.9 and 4.4 branches need this as well.
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5854

Posted: Fri Sep 28, 2018 5:09 pm

If I'm reading this right, the exploit requires amd64, an old kernel, and at least 32GB of memory to work? Strange combination to panic about...
Anon-E-moose
Advocate

Joined: 23 May 2008
Posts: 4114
Location: Dallas area

Posted: Fri Sep 28, 2018 5:18 pm

From the 1st link
Quote:
Most Linux distributions backported commit da029c11e6b1 to their
long-term-supported kernels, but Red Hat Enterprise Linux and CentOS
(and Debian 8, the current "oldstable" version) have not, and are
therefore vulnerable and exploitable.


It said most have fixed it, so no big brouhaha, AFAIK.
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon
DeadToRight
n00b

Joined: 28 Jun 2018
Posts: 22

Posted: Fri Sep 28, 2018 11:40 pm

Anon-E-moose wrote:
From the 1st link
Quote:
Most Linux distributions backported commit da029c11e6b1 to their
long-term-supported kernels, but Red Hat Enterprise Linux and CentOS
(and Debian 8, the current "oldstable" version) have not, and are
therefore vulnerable and exploitable.


It said most have fixed it, so no big brouhaha, AFAIK.

Simply trusting "most" to include yourself is generally a weak concept for security. Trust, but verify, amirite?

I downloaded the latest stable gentoo sources -4.14.65, and checked to see if this patch has been applied there. It has not.

Anyone running 32GB of ram or higher on 4.14 branch or earlier should
Quote:
patch -p1<this patch
into their kernel source code, or take on the more laborious task of migrating up to 4.18. This is actually a pretty serious flaw that, once an intruder has taken a process, can be used to elevate to root privileges. I'm running 4.18, so it is a non-issue for me.

An alternate solution:
Quote:

mkdir -p /etc/portage/patches/sys-kernel/gentoo-sources
mv <that-patch,unpacked>.patch /etc/portage/patches/sys-kernel/gentoo-sources/
emerge -av1 gentoo-sources

Cleaning out that patch-folder between minor versions (before your upgrade away from the 4.14 branch) is *highly* recommended.
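
Added example, not part of any post in this thread: one way to check whether a given patch is already present in a kernel source tree before applying it or dropping it into /etc/portage/patches. It assumes GNU patch; the function names, the script name `patch_state.sh` and the toy files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU patch is installed.
# patch_state TREE PATCHFILE  -> prints: applied | missing | mismatch
# Only dry runs are used, so the source tree is never modified.
patch_state() {
    tree=$1; patchfile=$2
    # A reverse dry run succeeds only if every hunk is already in the tree.
    if patch -d "$tree" -p1 -R -f -s --dry-run < "$patchfile" >/dev/null 2>&1; then
        echo applied
    # A forward dry run succeeds only if the patch still applies cleanly.
    elif patch -d "$tree" -p1 -f -s --dry-run < "$patchfile" >/dev/null 2>&1; then
        echo missing
    else
        echo mismatch   # tree is not what the patch expects; inspect by hand
    fi
}

# Constructed sample data: three toy trees and a one-hunk patch standing in
# for a kernel tree and a real fix. Prints the scratch directory it created.
make_sample() {
    work=$(mktemp -d)
    for t in unpatched patched other; do mkdir -p "$work/$t/fs"; done
    printf 'line1\nlimit = old;\nline3\n'   > "$work/unpatched/fs/demo.c"
    printf 'line1\nlimit = new;\nline3\n'   > "$work/patched/fs/demo.c"
    printf 'line1\nlimit = other;\nline3\n' > "$work/other/fs/demo.c"
    cat > "$work/fix.patch" <<'EOF'
--- a/fs/demo.c
+++ b/fs/demo.c
@@ -1,3 +1,3 @@
 line1
-limit = old;
+limit = new;
 line3
EOF
    echo "$work"
}

# Real use (example paths): sh patch_state.sh /usr/src/linux /path/to/fix.patch
if [ "$#" -eq 2 ]; then
    patch_state "$1" "$2"
fi
```

A `mismatch` result means the surrounding code differs from what the patch was written against, so the fix may be present in a different form or may need a backport; read the affected file rather than forcing the patch.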