LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (https://www.linuxquestions.org/questions/slackware-14/)
-   -   [Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

ponce 01-13-2014 05:22 AM

(this is not a follow-up to to Dugan/corvid)
Quote:

Originally Posted by mancha (Post 5095121)
libxfont

this is really amazing: a bug in the X code since 1991, fixed in libXfont-1.4.7 (alternate patch)
https://twitter.com/hackerfantastic/...104448/photo/1 (via sid77)
http://lists.x.org/archives/xorg-ann...ry/002389.html

metaschima 01-13-2014 11:19 AM

I request the name of this thread be changed to something less likely to drive away Slackware users. These are NOT all security vulnerabilities, they are NOT all outstanding, and they are NOT critical.

In fact, I don't see why you don't submit these to Pat V. himself, if you believe they are so important. He might not even see them here.

unSpawn 01-13-2014 05:46 PM

Quote:

Originally Posted by metaschima (Post 5097269)
I request the name of this thread be changed to something less likely to drive away Slackware users.

Given previous contributions to this thread, as in evidence of slackers not being driven away, I decline to do so.

metaschima 01-13-2014 06:19 PM

Quote:

Originally Posted by unSpawn (Post 5097472)
Given previous contributions to this thread, as in evidence of slackers not being driven away, I decline to do so.

If corvid posts again (that was his last post), then I'll believe it.

mancha 01-13-2014 07:58 PM

Quote:

Originally Posted by metaschima (Post 5097269)
These are NOT all security vulnerabilities, they are NOT all outstanding, and they are NOT critical.

These vulnerabilities are outstanding as of 20140113 and have security implications of varying degree. Claiming otherwise, as you've done twice now, is confusing to readers who might inadvertently believe you.

Quote:

Originally Posted by metaschima (Post 5096739)
In other words, don't let this thread chase you away from Slackware.

Quote:

Originally Posted by metaschima (Post 5097488)
If corvid posts again (that was his last post), then I'll believe it.

It's clear corvid's comment has given you the jitters. I wish he'd not made it here because as a result the thread is now more noise than signal (BTW, he made a similar comment in January 2012).

But, you've got it backwards. Raising awareness, sharing information, and most importantly providing solutions for these issues, makes Slackware and its community stronger, not weaker.

--mancha

metaschima 01-13-2014 08:15 PM

Have you submitted these to Pat V. ? If not, send him an e-mail.

I'm wondering where the other Slackware devs are, and what their comments on these issues are. I request at least that, otherwise this thread doesn't look right, and I don't like that. Slackware is a great distro and I don't like the image it is getting here in this thread. Maybe that wasn't the original intent, but that's what it is now.

Thom1b 01-14-2014 12:06 AM

bind-9.9.4_P2
 
bind-9.9.4_P2 has been released and is highly recommended to upgrade.

https://kb.isc.org/article/AA-01078

guanx 01-14-2014 03:34 AM

Quote:

Originally Posted by metaschima (Post 5097269)
I request the name of this thread be changed to something less likely to drive away Slackware users.
...

I guess those who are smart enough to find and read this forum can't be driven away so easily. -- Just my guess.

drmozes 01-14-2014 05:10 AM

Quote:

Originally Posted by mancha (Post 5097521)
But, you've got it backwards. Raising awareness, sharing information, and most importantly providing solutions for these issues, makes Slackware and its community stronger, not weaker.

I can see both sides here - but ultimately I agree with mancha because as the user/maintainer of a system running Slackware, I'd rather be aware of the current potential security issues (whatever their severity) and decide what to do about them, whilst I am awaiting an update in the Slackware tree. After all, if I have to rebuild a system that was compromised, that's going to take me a *lot* longer than preparing a patch myself or a short term work-around.

Patrick has now released the updates.

metaschima 01-14-2014 11:49 AM

These packages have been updated:
http://www.slackware.com/security/li...ecurity&y=2014
So take them off the list.

I also recommend that you post more information about each vulnerability instead of just " CVE-2013-4545 fixed.". Post what the fix does and how severe it is. I'm sure you want something that will benefit Slackware, so putting accurate, detailed information is much less likely to scare off users. At least post a link to the page that describes the problem and fix, and rate its severity.

hpfeil 01-15-2014 10:45 AM

Security of your system is your responsibility, not Master Volkerding's. Seasoned systems administrators are current with the entries in https://isc.sans.edu/diary.html, and probably have read at least a few of the security-related white papers at SANs. In fact, there is enough information on that site to become qualified as a security expert, but if that's your goal, sign up for classes at http://www.sans.edu/ Be proactive.

For more in-depth information on CERT advisories, follow the links at:
ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt

mancha 01-29-2014 05:01 PM

Update 20140129

For those wishing to address CVE-2013-6424 & CVE-2013-6425 by re-building xorg-server and pixman, I've placed patches at the vault:
  1. xorg-server-1.14.3_CVE-2013-6424.diff (sig)
  2. pixman-0.30.2_CVE-2013-6425.diff (sig)
Building xorg-server and pixman can get a little hairy so I've also made Slackware 14.1 32-bit and 64-bit packages available:
  1. Slackware-14.1-CVE-2013-6424+6425.tar (sig) [32-bit]
  2. Slackware64-14.1-CVE-2013-6424+6425.tar (sig) [64-bit]
Note: upgrading xorg-server packages will overwrite proprietary video drivers so if you use those you'll need to re-install them after the upgrade.

Finally, I am providing CVE-2013-6425.ods, a LibreOffice spreadsheet proof-of-concept thanks to Ubuntu, which shows the DoS against X. Make sure you've saved everything you're working on before doing this because it'll crash the X server:

Code:

$ scalc CVE-2013-6425.ods
--mancha

metaschima 01-30-2014 11:21 AM

Well, that's more like it. I can see now that you are actually trying to help Slackware users. Providing patches and packages to fix these issues, and even a proof-of-concept is a great thing.

I apologize for doubting your good intentions earlier. May I recommend that you make your intentions more clear in your initial posts by explaining a bit about what you are trying to achieve. Writing a short statement about your concern on outstanding vulnerabilities, links to explanations of the vulnerabilities, saying that you e-mailed Mr. Pat V with them, and saying that you wish to help users resolve these vulnerabilities would do wonders on how people interpret your thread. Like 2 sentences is all it takes, and there won't be any more confusion. Again, I understand now that your intentions are good, but only after this last post.

Lastly, just so people don't get me wrong, I would like to say that Slackware is a great distro, the best I've tried. I would like to help it out as much as I can, and I don't like to see its name tarnished. I reacted the way I did, because the intentions of the thread were unclear to me. Maybe they were clear to others. I guess maybe it is because I'm new here, and I don't know exactly how things are done.

gnashley 01-30-2014 12:51 PM

I say let the 'man from Mancha' continue however he sees fit. He's been doing great work around here for a while now which is much appreciated.

hpfeil 01-30-2014 02:57 PM

Er, the sky is not falling, yet.

"Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value."

We are already running 0.32.0. The vulnerable version was 0.30.0. BTW, who has the Intel Xorg driver installed? That isn't what Slackware distributed on November 8, 2013. We already have the fixed pixman.h in pixman and xorg. Here's the patch that was applied last October: http://lists.x.org/archives/xorg-dev...er/037996.html

https://cve.mitre.org has re-vamped their website. A lot of legacy incidents appear to be new, but upon further investigation, you'll find they were closed last year.

Just to be safe, though, I'm keeping my aluminum foil "Tin Woodman" hat within reach.


All times are GMT -5. The time now is 11:50 AM.