LinuxQuestions.org

[Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

brianL 02-03-2014 06:48 AM

Where do I put the nox32recvmmsg module, so that it's loaded permanently (survives reboot, etc) in /lib/modules/3.10.17? Which subdirectory?
EDIT
Doesn't seem to work.
Module loaded:
Code:

bash-4.2$ lsmod
Module                  Size  Used by
nox32recvmmsg          1201  1

Ran .poc:
Code:

bash-4.2$ ./slack64-14.1_CVE-2014-0038_poc
13 minutes to root
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ praise bob!


The Golden Rule is of no use to you whatever unless you realize it
is your move.
                -- Frank Crane

root@slackdesk:~/temp#


mancha 02-03-2014 10:55 AM

Quote:

Originally Posted by brianL (Post 5110292)
Where do I put the nox32recvmmsg module, so that it's loaded permanently (survives reboot, etc) in /lib/modules/3.10.17? Which subdirectory?

To have the module load on boot, do the following:

Code:

# mkdir -p /lib/modules/$(uname -r)/misc
# cp nox32recvmmsg.ko /lib/modules/$(uname -r)/misc
# depmod -a

Then place an insmod (or modprobe) call in /etc/rc.d/rc.local or /etc/rc.d/rc.modules. i.e.

Code:

# echo "/sbin/modprobe nox32recvmmsg" >> /etc/rc.d/rc.local

Quote:

Originally Posted by brianL
EDIT
Doesn't seem to work.

Did you try the PoC first, then load the module, then try the PoC again by chance?

To be protected you must load the module on an untainted kernel. Reboot, insmod, and you should be OK. If that doesn't work let me know.

--mancha

brianL 02-03-2014 10:57 AM

Thanks, mancha. I'll do all you suggest.

metaschima 02-03-2014 10:59 AM

It looks like it does work, because you are root at the bottom, by the # sign.

brianL 02-03-2014 11:04 AM

Quote:

Originally Posted by metaschima (Post 5110470)
It looks like it does work, because you are root at the bottom, by the # sign.

mancha's module is to prevent that happening.

brianL 02-03-2014 11:36 AM

I think I've done everything right, the module is loaded, but I'm still getting:
Code:

bash-4.2$ cd temp
bash-4.2$ ./slack64-14.1_CVE-2014-0038_poc
13 minutes to root
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ praise bob!


If you can't say anything good about someone, sit right here by me.
                -- Alice Roosevelt Longworth

root@slackdesk:~/temp#


mancha 02-03-2014 12:33 PM

OK, I think I know what is going on. Is there an "unable to handle kernel paging request" after the module is loaded (check /var/log/syslog)?

If this is the case, I have uploaded a new module that accounts for protected-mode CPUs.

Please download and try it (note: it might take a minute or two to propagate to the SF servers). Check against hash below.

SHA256(nox32recvmmsg.tar.bz2)= 8c822d55a0a45f0fa994c73921701e2bb035bdaeb169c2355ed8d767414c4f73

--mancha
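
A pre-load check along the lines of this exchange, as an added example that is not part of the thread or of mancha's package: it compares the tarball against the SHA256 posted above, confirms the module is listed in /proc/modules, and looks for the "unable to handle kernel paging request" message in the syslog. The function names and the use of sha256sum and awk are assumptions; the hash, module name and log path come from the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage after sourcing this file: check_mitigation nox32recvmmsg.tar.bz2

# SHA256 posted in the thread for nox32recvmmsg.tar.bz2
EXPECTED_SHA256=8c822d55a0a45f0fa994c73921701e2bb035bdaeb169c2355ed8d767414c4f73

# verify_sha256 FILE HEX: 0 if the digest matches, 1 if not, 2 if unreadable
verify_sha256() {
    [ -r "$1" ] || return 2
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# module_loaded NAME [FILE]: 0 only on an exact match of the first field,
# so a similarly named module does not count as the mitigation.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# paging_oops_logged [LOG]: 0 if the kernel logged the fault asked about
paging_oops_logged() {
    grep -qi 'unable to handle kernel paging request' "${1:-/var/log/syslog}"
}

# check_mitigation TARBALL [MODULES_FILE] [LOG]
# The optional arguments exist so the checks can run on saved copies.
check_mitigation() {
    if ! verify_sha256 "$1" "$EXPECTED_SHA256"; then
        echo "FAIL: SHA256 mismatch, do not load"
        return 1
    fi
    if ! module_loaded nox32recvmmsg "${2:-/proc/modules}"; then
        echo "FAIL: nox32recvmmsg is not loaded"
        return 1
    fi
    if paging_oops_logged "${3:-/var/log/syslog}"; then
        echo "FAIL: paging-request fault logged, module may not be active"
        return 1
    fi
    echo "OK: verified tarball, module loaded, no fault logged"
}
```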

brianL 02-03-2014 12:47 PM

No, there's nothing in /var/log/syslog. I'll try the new module after I've eaten (never load modules on an empty stomach. :) ).

brianL 02-03-2014 01:31 PM

Yes!!! The new module works:
Code:

bash-4.2$ cd temp
bash-4.2$ ./slack64-14.1_CVE-2014-0038_poc
13 minutes to root
 doh!
bash-4.2$

Thanks, mancha. :hattip:

mancha 02-03-2014 01:50 PM

Quote:

Originally Posted by brianL (Post 5110604)
Yes!!! The new module works...Thanks, mancha.

You're welcome and thanks back to you for making me realize/remember I needed to deal with CR0.

--mancha

mancha 02-05-2014 01:16 PM

Update 20140205
  1. Mozilla various
    Firefox 27 (for current)
    Firefox ESR 24.3
    Thunderbird 24.3
    Seamonkey 2.24

    Fixed:
    CVE-2014-1477 CVE-2014-1478 CVE-2014-1479
    CVE-2014-1480 CVE-2014-1481 CVE-2014-1482
    CVE-2014-1483 CVE-2014-1484 CVE-2014-1485
    CVE-2014-1486 CVE-2014-1487 CVE-2014-1488
    CVE-2014-1489 CVE-2014-1490 CVE-2014-1491
--mancha

ponce 02-05-2014 03:22 PM

Quote:

Originally Posted by mancha (Post 5112229)
  1. Mozilla various
    Firefox 27 (for current)
    Firefox ESR 24.3
    Thunderbird 24.3
    Seamonkey 2.24

I was thinking that when one or more vulns hit the mozilla suite, to build the three on 12 different Slackware versions (13.0, 13.1, 13.37, 14.0, 14.1 and current, for i486 and x86_64) it's surely time-consuming...

mancha 02-05-2014 03:39 PM

Quote:

Originally Posted by ponce (Post 5112314)
I was thinking that when one or more vulns hit the mozilla suite, to build the three on 12 different Slackware versions (13.0, 13.1, 13.37, 14.0, 14.1 and current, for i486 and x86_64) it's surely time-consuming...

Surely serves as a good RAM/CPU stress tester. The good news for Pat is I think he's only updating FF and Tbird for 14.1+current and Seamonkey for 14.0+14.1+current (right?).

--mancha

brianL 02-06-2014 05:04 AM

Got FF 27.0 using ruario's latest-firefox script.

angryfirelord 02-06-2014 08:36 AM

I apologize if this is slightly off topic and/or has been asked before, but is there a risk with running the 3.10.17 kernel when the latest upstream longterm release is 3.10.28? Are most of the fixes simply bug fixes or do the kernel security patches not really affect Slackware?


All times are GMT -5.