-   Slackware (
-   -   [Slackware security] vulnerabilities outstanding 20140101 (

ttk 05-03-2018 01:24 PM

Additional exploits published for Intel (et al?) processors:


All eight are essentially based on the same design problem that the "Meltdown and Specter for Dummies" section details - they are, so to speak, Specter Next Generation
The vulnerabilities aren't Meltdown and Specter, but stem from the same implementation flaws. They are unlikely to be the last.

abga 05-03-2018 01:33 PM


Originally Posted by ttk (Post 5850314)
Additional exploits published for Intel (et al?) processors:

The vulnerabilities aren't Meltdown and Specter, but stem from the same implementation flaws. They are unlikely to be the last.

I've read the original German article today when it appeared, meanwhile they published an official English translation:

It's all kept secret until on the 7th of May, that's the next patch day from Redmond.

P.S. There's a follow-up on the original article, which contains the official reaction (quoted) from Intel & AMD, ARM did not reply.
The original positions from Intel&AMD are to be found in English at the end of the article:

abga 05-07-2018 05:47 PM

A short update/follow-up on the Spectre-NG vulnerabilities:

The article is only available in German and you can use a translation service on it. At least for me German is a native language and I can help with a short summary on the main points:

It's reported that Intel had asked for a postponing of the release of the technical information & patches, for at least 2 weeks.
They're planning a coordinated release of technical information for at least two of the Spectre-NG vulnerabilities together with microcode updates on the 21th of May 2018.
But not even this new date is fixed, as Intel apparently asked for another extension until on the 10th of July 2018.
The amount of affected CPUs is "enormous", covering not only the Core-i CPUs and their Xeon derivatives, at least from when they first appeared (nehalem 2010), but also Atom/Pentium/Celeron CPUs released since 2013.
For the mitigation of the more dangerous Spectre-NG vulnerabilities, mainly related to VMs, Intel is planning additional patches in the form of microcode updates + software patches for the 14th of August 2018.

I'm wondering where Heise Online took all this info and why are they the only ones owning it, pretty much all the other tech publications cite them. Personally, I trust them, I consider them serious and following (one of my daily reads) them myself for a very long tine.

Thom1b 05-10-2018 12:51 AM


mariadb-10.0.35 is released with many security fixes.

Daedra 05-10-2018 07:08 PM

Freetype 2.9.1 is released, with fixes to some vulnerabilities.

volkerdi 05-10-2018 08:01 PM


Originally Posted by Daedra (Post 5853043)

Good luck compiling it without Windows.h.

Daedra 05-10-2018 10:16 PM


Originally Posted by volkerdi (Post 5853056)
Good luck compiling it without Windows.h.

Running make RC='' seems to be a usable workaround for now? I tested it and it builds.

Thom1b 05-16-2018 01:49 AM

curl-7.60.0 is released with security fixes.



curl might overflow a heap based memory buffer when closing down an FTP
connection with very long server command replies.

When doing FTP transfers, curl keeps a spare "closure handle" around
internally that will be used when an FTP connection gets shut down since the
original curl easy handle is then already removed.

FTP server response data that gets cached from the original transfer might
then be larger than the default buffer size (16 KB) allocated in the "closure
handle", which can lead to a buffer overwrite. The contents and size of that
overwrite is controllable by the server.

This situation was detected by an assert() in the code, but that was of course
only preventing bad stuff in debug builds. This bug is very unlikely to
trigger with non-malicious servers.

We are not aware of any exploit of this flaw.


This bug was introduced in April 2017 in [this
commit]( when we
introduced the use of increased buffer sizes for FTP.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000300 to this issue.

CWE-122: Heap-based Buffer Overflow


- Affected versions: curl 7.54.1 to and including curl 7.59.0
- Not affected versions: curl < 7.54.1 and curl >= 7.60.0



curl can be tricked into reading data beyond the end of a heap based buffer
used to store downloaded content.

When servers send RTSP responses back to curl, the data starts out with a set
of headers. curl parses that data to separate it into a number of headers to
deal with those appropriately and to find the end of the headers that signal
the start of the "body" part.

The function that splits up the response into headers is called
`Curl_http_readwrite_headers()` and in situations where it can't find a single
header in the buffer, it might end up leaving a pointer pointing into the
buffer instead of to the start of the buffer which then later on may lead to
an out of buffer read when code assumes that pointer points to a full buffer
size worth of memory to use.

This could potentially lead to information leakage but most likely a
crash/denial of service for applications if a server triggers this flaw.

We are not aware of any exploit of this flaw.


This bug was originally introduced in May 2003 in [this
commit]( but it didn't
become a problem until we added RTSP in January 2010 in [this

We have only proven this to trigger with RTSP traffic even though this is code
shared with HTTP. We believe this is not a problem for HTTP transfers.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-1000301 to this issue.

CWE-126: Buffer Over-read


- Affected versions: curl 7.20.0 to and including curl 7.59.0
- Not affected versions: curl < 7.20.0 and curl >= 7.60.0

abga 05-21-2018 09:34 PM

A short update on the "SpectreNG" vulnerabilities:
Variant 3 (CVE-2017-5754)
Subvariant 3a (CVE-2018-3640)
Variant 4 (CVE-2018-3639)

Intel's announcement:
Affected CPUs (Intel):
The German IT publication, the one that disclosed SpectreNG some weeks ago, states that Intel has already microcode updates available, but they are in beta-stage and these updates will be deployed through HW manufacturers (BIOS) as well as OS level images in the following months.(use some translation service):

ARM on the subject:
RedHat on Variant 4:

A comprehensive article in English:

ttk 05-22-2018 10:40 AM

Another vector demonstrated for exploiting the Rowhammer vulnerability:


the new Rowhammer attack technique, dubbed Nethammer, can be used to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing, which would be possible only with a fast network connection between the attacker and victim.

drgibbon 06-01-2018 07:26 AM

Git 2.17.1 fixes CVE-2018-11233 / CVE-2018-11235 (potential aribtrary code execution).

willysr 06-01-2018 07:30 AM

it has been pushed to current on May 31

Thom1b 06-13-2018 11:45 AM

libgcrypt 1.7.10 and 1.8.3 are released with security fixes :


The GnuPG Project is pleased to announce the availability of Libgcrypt
versions 1.8.3 and 1.7.10. These releases mitigate a novel side-channel
attack on ECDSA signatures and also bring fixes for a few other bugs.

Libgcrypt is a general purpose library of cryptographic building blocks.
It is originally based on code used by GnuPG. It does not provide any
implementation of OpenPGP or other protocols. Thorough understanding of
applied cryptography is required to use Libgcrypt.

Noteworthy changes in version 1.8.3

- Use blinding for ECDSA signing to mitigate a novel side-channel
attack. [#4011,CVE-2018-0495]

- Fix incorrect counter overflow handling for GCM when using an IV
size other than 96 bit. [#3764]

- Fix incorrect output of AES-keywrap mode for in-place encryption
on some platforms.

- Fix the gcry_mpi_ec_curve_point point validation function.

- Fix rare assertion failure in gcry_prime_check.

Release info at <>.

We also released a new version of the older 1.7 branch with similar

Comments on the attack

Details on CVE-2018-0495 can be found in the paper "Return of the Hidden
Number Problem" which can be downloaded from the advisory page
See <> for a timeline.

One user of Libgcrypt is GnuPG, thus a quick comment: GnuPG does not use
the vulenrable ECDSA signatures by default. Further, it is much harder
to mount such an attack against an offline protocol like OpenPGP than
against online protocols like TLS. Anyway, we also released a new
Windows installer for GnuPG 2.2.8 featuring the fixed Libgcrypt version.
That installer is linked from the usual download page and a new Gpg4win
version will be released soon.

abga 06-15-2018 12:11 AM

Another episode in the series of Intel CPU bugs - LazyFP vulnerability: Exploiting lazy FPU state switching, affecting apparently only Intel processors.
Intel SA-0014

More technical details:

Using GNU/Linux with kernel versions >= 3.7, this attack can be mitigated by adding “eagerfpu=on” to the kernel’s boot parameters. We are not aware of a workaround for older versions. For all other operating systems: install the official update(s) from the vendor.

Only x86 processors are vulnerable. ARM processors are not known to be
Only Intel Core based processors (from at least Nehalem onwards) are
potentially affected. Other processor designs (Intel Atom/Knights
range), and other manufacturers (AMD) are not known to be affected.

Other operating systems believed to be safe are any Linux version using the 2016's Linux 4.9 or newer kernel. The Linux kernel developers are patching older kernels
The Linux Kernel patch that defaults eagerfpu=on on all CPUs, thus mitigating this issue, is applied starting with the kernel version v4.6-rc1 :

ttk 06-16-2018 01:09 PM

linux-4.4.138 includes a fix for CVE-2018-3665: "x86/fpu: Disable AVX when eagerfpu is off"

I wouldn't mind an official 4.4.138 patch for 14.2 (which would likely also be applicable to 14.1 -- I've been updating my 14.1 systems with 14.2 kernels for a while now).

All times are GMT -5. The time now is 07:36 PM.