LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 01-13-2014, 06:22 AM   #16
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,504

Rep: Reputation: 912Reputation: 912Reputation: 912Reputation: 912Reputation: 912Reputation: 912Reputation: 912Reputation: 912

(this is not a follow-up to to Dugan/corvid)
Quote:
Originally Posted by mancha View Post
libxfont
this is really amazing: a bug in the X code since 1991, fixed in libXfont-1.4.7 (alternate patch)
https://twitter.com/hackerfantastic/...104448/photo/1 (via sid77)
http://lists.x.org/archives/xorg-ann...ry/002389.html

Last edited by ponce; 01-13-2014 at 06:25 AM.
 
Old 01-13-2014, 12:19 PM   #17
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,542

Rep: Reputation: Disabled
I request the name of this thread be changed to something less likely to drive away Slackware users. These are NOT all security vulnerabilities, they are NOT all outstanding, and they are NOT critical.

In fact, I don't see why you don't submit these to Pat V. himself, if you believe they are so important. He might not even see them here.
 
Old 01-13-2014, 06:46 PM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,814
Blog Entries: 54

Rep: Reputation: 2989Reputation: 2989Reputation: 2989Reputation: 2989Reputation: 2989Reputation: 2989Reputation: 2989Reputation: 2989Reputation: 2989Reputation: 2989Reputation: 2989
Quote:
Originally Posted by metaschima View Post
I request the name of this thread be changed to something less likely to drive away Slackware users.
Given previous contributions to this thread, as in evidence of slackers not being driven away, I decline to do so.
 
1 members found this post helpful.
Old 01-13-2014, 07:19 PM   #19
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,542

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Given previous contributions to this thread, as in evidence of slackers not being driven away, I decline to do so.
If corvid posts again (that was his last post), then I'll believe it.
 
Old 01-13-2014, 08:58 PM   #20
mancha
Member
 
Registered: Aug 2012
Posts: 362

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by metaschima View Post
These are NOT all security vulnerabilities, they are NOT all outstanding, and they are NOT critical.
These vulnerabilities are outstanding as of 20140113 and have security implications of varying degree. Claiming otherwise, as you've done twice now, is confusing to readers who might inadvertently believe you.

Quote:
Originally Posted by metaschima View Post
In other words, don't let this thread chase you away from Slackware.
Quote:
Originally Posted by metaschima View Post
If corvid posts again (that was his last post), then I'll believe it.
It's clear corvid's comment has given you the jitters. I wish he'd not made it here because as a result the thread is now more noise than signal (BTW, he made a similar comment in January 2012).

But, you've got it backwards. Raising awareness, sharing information, and most importantly providing solutions for these issues, makes Slackware and its community stronger, not weaker.

--mancha
 
6 members found this post helpful.
Old 01-13-2014, 09:15 PM   #21
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,542

Rep: Reputation: Disabled
Have you submitted these to Pat V. ? If not, send him an e-mail.

I'm wondering where the other Slackware devs are, and what their comments on these issues are. I request at least that, otherwise this thread doesn't look right, and I don't like that. Slackware is a great distro and I don't like the image it is getting here in this thread. Maybe that wasn't the original intent, but that's what it is now.
 
Old 01-14-2014, 01:06 AM   #22
Thom1b
Member
 
Registered: Mar 2010
Posts: 73

Rep: Reputation: 32
bind-9.9.4_P2

bind-9.9.4_P2 has been released and is highly recommended to upgrade.

https://kb.isc.org/article/AA-01078
 
Old 01-14-2014, 04:34 AM   #23
guanx
Senior Member
 
Registered: Dec 2008
Posts: 1,014

Rep: Reputation: 147Reputation: 147
Quote:
Originally Posted by metaschima View Post
I request the name of this thread be changed to something less likely to drive away Slackware users.
...
I guess those who are smart enough to find and read this forum can't be driven away so easily. -- Just my guess.
 
Old 01-14-2014, 06:10 AM   #24
drmozes
Slackware Contributor
 
Registered: Apr 2008
Location: Surrey, England
Distribution: Slackware
Posts: 179

Rep: Reputation: 145Reputation: 145
Quote:
Originally Posted by mancha View Post
But, you've got it backwards. Raising awareness, sharing information, and most importantly providing solutions for these issues, makes Slackware and its community stronger, not weaker.
I can see both sides here - but ultimately I agree with mancha because as the user/maintainer of a system running Slackware, I'd rather be aware of the current potential security issues (whatever their severity) and decide what to do about them, whilst I am awaiting an update in the Slackware tree. After all, if I have to rebuild a system that was compromised, that's going to take me a *lot* longer than preparing a patch myself or a short term work-around.

Patrick has now released the updates.
 
5 members found this post helpful.
Old 01-14-2014, 12:49 PM   #25
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,542

Rep: Reputation: Disabled
These packages have been updated:
http://www.slackware.com/security/li...ecurity&y=2014
So take them off the list.

I also recommend that you post more information about each vulnerability instead of just " CVE-2013-4545 fixed.". Post what the fix does and how severe it is. I'm sure you want something that will benefit Slackware, so putting accurate, detailed information is much less likely to scare off users. At least post a link to the page that describes the problem and fix, and rate its severity.

Last edited by metaschima; 01-14-2014 at 12:50 PM.
 
Old 01-15-2014, 11:45 AM   #26
hpfeil
Member
 
Registered: Nov 2010
Location: Tucson, Arizona US
Distribution: Slackware Current, custom kernel, amd64, Beyond LinuxFromScratch
Posts: 130
Blog Entries: 1

Rep: Reputation: Disabled
Security of your system is your responsibility, not Master Volkerding's. Seasoned systems administrators are current with the entries in https://isc.sans.edu/diary.html, and probably have read at least a few of the security-related white papers at SANs. In fact, there is enough information on that site to become qualified as a security expert, but if that's your goal, sign up for classes at http://www.sans.edu/ Be proactive.

For more in-depth information on CERT advisories, follow the links at:
ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt

Last edited by hpfeil; 01-15-2014 at 11:47 AM. Reason: added ChangeLog hint
 
2 members found this post helpful.
Old 01-29-2014, 06:01 PM   #27
mancha
Member
 
Registered: Aug 2012
Posts: 362

Original Poster
Rep: Reputation: Disabled
Update 20140129

For those wishing to address CVE-2013-6424 & CVE-2013-6425 by re-building xorg-server and pixman, I've placed patches at the vault:
  1. xorg-server-1.14.3_CVE-2013-6424.diff (sig)
  2. pixman-0.30.2_CVE-2013-6425.diff (sig)
Building xorg-server and pixman can get a little hairy so I've also made Slackware 14.1 32-bit and 64-bit packages available:
  1. Slackware-14.1-CVE-2013-6424+6425.tar (sig) [32-bit]
  2. Slackware64-14.1-CVE-2013-6424+6425.tar (sig) [64-bit]
Note: upgrading xorg-server packages will overwrite proprietary video drivers so if you use those you'll need to re-install them after the upgrade.

Finally, I am providing CVE-2013-6425.ods, a LibreOffice spreadsheet proof-of-concept thanks to Ubuntu, which shows the DoS against X. Make sure you've saved everything you're working on before doing this because it'll crash the X server:

Code:
$ scalc CVE-2013-6425.ods
--mancha

Last edited by mancha; 01-29-2014 at 06:46 PM.
 
6 members found this post helpful.
Old 01-30-2014, 12:21 PM   #28
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,542

Rep: Reputation: Disabled
Well, that's more like it. I can see now that you are actually trying to help Slackware users. Providing patches and packages to fix these issues, and even a proof-of-concept is a great thing.

I apologize for doubting your good intentions earlier. May I recommend that you make your intentions more clear in your initial posts by explaining a bit about what you are trying to achieve. Writing a short statement about your concern on outstanding vulnerabilities, links to explanations of the vulnerabilities, saying that you e-mailed Mr. Pat V with them, and saying that you wish to help users resolve these vulnerabilities would do wonders on how people interpret your thread. Like 2 sentences is all it takes, and there won't be any more confusion. Again, I understand now that your intentions are good, but only after this last post.

Lastly, just so people don't get me wrong, I would like to say that Slackware is a great distro, the best I've tried. I would like to help it out as much as I can, and I don't like to see its name tarnished. I reacted the way I did, because the intentions of the thread were unclear to me. Maybe they were clear to others. I guess maybe it is because I'm new here, and I don't know exactly how things are done.
 
Old 01-30-2014, 01:51 PM   #29
gnashley
Amigo developer
 
Registered: Dec 2003
Location: Germany
Distribution: Slackware
Posts: 4,776

Rep: Reputation: 481Reputation: 481Reputation: 481Reputation: 481Reputation: 481
I say let the 'man from Mancha' continue however he sees fit. He's been doing great work around here for a while now which is much appreciated.
 
1 members found this post helpful.
Old 01-30-2014, 03:57 PM   #30
hpfeil
Member
 
Registered: Nov 2010
Location: Tucson, Arizona US
Distribution: Slackware Current, custom kernel, amd64, Beyond LinuxFromScratch
Posts: 130
Blog Entries: 1

Rep: Reputation: Disabled
Er, the sky is not falling, yet.

"Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value."

We are already running 0.32.0. The vulnerable version was 0.30.0. BTW, who has the Intel Xorg driver installed? That isn't what Slackware distributed on November 8, 2013. We already have the fixed pixman.h in pixman and xorg. Here's the patch that was applied last October: http://lists.x.org/archives/xorg-dev...er/037996.html

https://cve.mitre.org has re-vamped their website. A lot of legacy incidents appear to be new, but upon further investigation, you'll find they were closed last year.

Just to be safe, though, I'm keeping my aluminum foil "Tin Woodman" hat within reach.
 
  


Reply

Tags
exploit, security, slackware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[Slackware Security]: Some pending vulnerabilities... mancha Slackware 7 08-22-2013 10:08 AM


All times are GMT -5. The time now is 09:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration