LinuxQuestions.org - Slackware - [Slackware security] vulnerabilities outstanding 20140101
(https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

abga 08-14-2018 02:55 PM

If you haven't had enough from the previous Intel CPU bugs, you might want to consider the following 3 fresh ones:
https://www.theregister.co.uk/2018/0...al_fault_bugs/
https://www.intel.com/content/www/us...-sa-00161.html
"
Recommendations:

Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop platform firmware and software updates that can help protect systems from these methods.
"
CVEs:
https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3615
https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3620
https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3646

abga 08-15-2018 09:52 PM

I twice removed some details I had originally provided in the previous post, just because there was work in progress on understanding and mitigating the issues reported there. I considered it best to keep the post factual and informative.

Lately Red Hat published some details about these vulnerabilities (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) and is stating, without mentioning the exact CVE (sloppy work), that only CVE-2018-3615 - the one related solely to Intel SGX - needs a microcode update:
https://access.redhat.com/security/vulnerabilities/L1TF
"There are three pieces to this vulnerability. The first affects only Intel “SGX” secure enclaves and is mitigated through microcode updates independently of the operating system. "
and:
"CVE-2018-3620 is the CVE identifier assigned to the operating system vulnerability for this issue. CVE-2018-3646 is the CVE identifier assigned to the virtualization aspect of the flaw. This issue is referred to as L1 Terminal Fault (L1TF) by the larger industry and as “Foreshadow” by the security researcher."
This reads as if only CVE-2018-3620 needs to be mitigated by the kernel at the moment, CVE-2018-3646 being only the "virtualization aspect of the flaw".

Petri Kaukasoina 08-16-2018 12:29 AM

There is lots of information about L1 Terminal Fault available in the kernel sources: linux-4.18.1/Documentation/admin-guide/l1tf.rst or https://github.com/torvalds/linux/bl...guide/l1tf.rst

abga 08-16-2018 11:30 AM

Quote:

Originally Posted by Petri Kaukasoina (Post 5892202)
There is lots of information about L1 Terminal Fault available in the kernel sources: linux-4.18.1/Documentation/admin-guide/l1tf.rst or https://github.com/torvalds/linux/bl...guide/l1tf.rst

Thanks for the informative link, which looks to have been written (Aug 5, 2018) before the official disclosure on Aug 14, 2018. I wouldn't take all that is written there as 100% accurate, especially the affected processors section. You see, not even Intel, the manufacturer, knows which CPUs are affected; check the "Affected products:" section:
https://www.intel.com/content/www/us...-sa-00161.html
As for AMD and ARM, I'd keep an open mind:
https://foreshadowattack.eu/
" What about other processors (AMD/ARM)?

The original Foreshadow attack affects most SGX-enabled Intel processors. As SGX is currently present only in Intel CPUs, we are unaware of Foreshadow affecting other CPU vendors. To the best of our understanding, Foreshadow-NG only affects Intel processors. However, we are still working to better understand the implications of Foreshadow-NG and this answer might change as the situation develops. "

Regarding the microcode updates for the mitigation of CVE-2018-3615 and maybe other, older Intel SGX-related issues, Intel published some info and benchmarks. Again, without being specific, they mention the microcode updates released earlier this year as sufficient for the mitigation.
https://www.intel.com/content/www/us...logy/l1tf.html
"The microcode updates released earlier this year when coupled with operating system and hypervisor software available from our industry partners, ensure consumers, IT professionals and cloud service providers have access to the protections they need. Intel recommends people keep their systems up to date to protect against the evolving threat landscape."

drgibbon 08-23-2018 06:21 AM

Looks like serious problems with Ghostscript have been found, although no patches as yet (some mitigations here).

ecd102 08-30-2018 06:02 AM

According to https://www.kb.cert.org/vuls/id/332928 , the patches are available now.

As I found when trying to apply them, we also need the following patch:
http://git.ghostscript.com/?p=ghostp...iff;h=0b6cd191

And we have to apply the patches in the following order:
http://git.ghostscript.com/?p=ghostp...ain;h=b326a716
http://git.ghostscript.com/?p=ghostp...ain;h=c3476dde
http://git.ghostscript.com/?p=ghostp...ain;h=0d390118
http://git.ghostscript.com/?p=ghostp...ain;h=a054156d
http://git.ghostscript.com/?p=ghostp...ain;h=0edd3d6c
http://git.ghostscript.com/?p=ghostp...ain;h=78911a01
http://git.ghostscript.com/?p=ghostp...ain;h=b575e1ec
http://git.ghostscript.com/?p=ghostp...ain;h=0b6cd191
http://git.ghostscript.com/?p=ghostp...ain;h=c432131c
http://git.ghostscript.com/?p=ghostp...ain;h=241d9111
http://git.ghostscript.com/?p=ghostp...ain;h=8e9ce501
http://git.ghostscript.com/?p=ghostp...ain;h=5516c614
http://git.ghostscript.com/?p=ghostp...ain;h=e01e77a3

abga 08-31-2018 02:44 PM

Quote:

Originally Posted by abga (Post 5891760)
If you haven't had enough from the previous Intel CPU bugs, you might want to consider the following 3 fresh ones:
https://www.theregister.co.uk/2018/0...al_fault_bugs/
https://www.intel.com/content/www/us...-sa-00161.html
"
Recommendations:

Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop platform firmware and software updates that can help protect systems from these methods.
"
CVEs:
https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3615
https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3620
https://cve.mitre.org/cgi-bin/cvenam...=CVE-2018-3646

The work at kernel.org related to these new vulnerabilities has come to some final results, and the latest kernels provided by Slackware contain the mitigations.
https://cdn.kernel.org/pub/linux/ker...ngeLog-4.4.153
https://github.com/torvalds/linux/co...2d2b416c87e011

The doc at kernel.org about the L1TF / Foreshadow mitigation and the related kernel boot parameters:
https://www.kernel.org/doc/html/late...lt-mitigations

Plus, some interesting benchmarks related to the L1TF fixes (and not only):
https://www.phoronix.com/scan.php?pa...rly-look&num=1
https://www.phoronix.com/scan.php?pa...dow-xeon&num=1
https://www.phoronix.com/scan.php?pa...igations&num=1
https://www.phoronix.com/scan.php?pa...icrocode&num=3

glorsplitz 08-31-2018 10:48 PM

Not sure what I'm missing.
 
From Tue Aug 28 22:05:19 UTC 2018 Stable ChangeLog for x86_64
"To see the status of CPU vulnerability mitigations on your system, look at the files in: /sys/devices/system/cpu/vulnerabilities"

I did and found these files:
l1tf, meltdown, spec_store_bypass, spectre_v1, spectre_v2

spec_store_bypass says "Vulnerable"

magicm in this post ran spectre-meltdown-checker.sh, so I did and found

Checking for vulnerabilities on current system
Kernel is Linux 4.4.153 #1 SMP Tue Aug 28 16:08:22 CDT 2018 x86_64
CPU is Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports speculation store bypass: YES (found in /proc/self/status)
> STATUS: VULNERABLE (Your CPU doesn't support SSBD)

I did the SBo intel-microcode SlackBuild as magicm did, but CVE-2018-3640 says the same thing.

I see /lib/firmware/intel-ucode/; did the "intel-microcode (20180807)" SBo not address my CPU?

EDIT: SBo says "INITRD /boot/intel-ucode.cpio,/boot/initrd-generic.gz" is that when doing mkinitrd?

Looks like some CVEs are handled by the distribution, as Slackware did for l1tf, and some CVEs by the end user.

I don't know much about handling CVE, I'm trying to learn and understand now.
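The files the ChangeLog points to are one-line status reports the kernel writes per vulnerability, and reading them by hand is how the "spec_store_bypass says Vulnerable" finding above was made. The following is an added example (not code from this thread, Slackware or the kernel) that walks that directory, classifies each file as not affected / mitigated / vulnerable, and returns how many are still exposed. The directory is a parameter so it can be pointed at a constructed sample tree; the sample status strings in make_sample_tree are made up for the demonstration, not taken from any real machine.

```c
/* Added example (not from the thread): summarise the kernel's
 * /sys/devices/system/cpu/vulnerabilities files and flag entries still
 * reported as "Vulnerable". Sample values below are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define VULN_DIR "/sys/devices/system/cpu/vulnerabilities"

enum vuln_state { VS_NOT_AFFECTED, VS_MITIGATED, VS_VULNERABLE, VS_UNKNOWN };

/* The kernel writes one line per file: "Not affected", "Mitigation: ..."
 * or "Vulnerable" (optionally followed by ": detail"). */
enum vuln_state classify_status(const char *s)
{
    if (strncmp(s, "Not affected", 12) == 0) return VS_NOT_AFFECTED;
    if (strncmp(s, "Mitigation:", 11) == 0)  return VS_MITIGATED;
    if (strncmp(s, "Vulnerable", 10) == 0)   return VS_VULNERABLE;
    return VS_UNKNOWN;
}

/* Print every entry in dir and return how many are VS_VULNERABLE, or -1
 * if the directory cannot be opened (a kernel without this sysfs interface). */
int scan_vulnerabilities(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *e;
    int vulnerable = 0;
    char path[4352], line[256];

    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;           /* skip . and .. */
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        if (!fgets(line, sizeof line, f)) line[0] = '\0';
        fclose(f);
        line[strcspn(line, "\n")] = '\0';
        enum vuln_state st = classify_status(line);
        if (st == VS_VULNERABLE) vulnerable++;
        printf("%-20s %s%s\n", e->d_name, line,
               st == VS_VULNERABLE ? "   <-- still exposed" : "");
    }
    closedir(d);
    return vulnerable;
}

/* Constructed sample tree mirroring the five files listed in the post;
 * the status strings are made up. Leaves the new directory name in buf. */
int make_sample_tree(char *buf, size_t buflen)
{
    static const char *names[] = { "l1tf", "meltdown", "spec_store_bypass",
                                   "spectre_v1", "spectre_v2" };
    static const char *values[] = { "Mitigation: PTE Inversion", "Mitigation: PTI",
                                    "Vulnerable",   /* the case in the post */
                                    "Mitigation: __user pointer sanitization",
                                    "Mitigation: Full generic retpoline" };
    char tmpl[] = "/tmp/vulns_sample_XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    snprintf(buf, buflen, "%s", tmpl);
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char path[512];
        snprintf(path, sizeof path, "%s/%s", tmpl, names[i]);
        FILE *f = fopen(path, "w");
        if (!f) return -1;
        fprintf(f, "%s\n", values[i]);
        fclose(f);
    }
    return 0;
}

/* Build the sample tree and scan it; returns the vulnerable count. */
int demo_sample_scan(void)
{
    char dir[64];
    if (make_sample_tree(dir, sizeof dir) != 0) return -1;
    return scan_vulnerabilities(dir);
}

int main(void)
{
    int n = access(VULN_DIR, R_OK) == 0 ? scan_vulnerabilities(VULN_DIR)
                                        : demo_sample_scan();   /* no sysfs: use sample */
    printf("%d entr%s still reported as Vulnerable\n", n, n == 1 ? "y" : "ies");
    return n > 0;
}
```

On a real Slackware box the program reads the live sysfs directory; anywhere else it falls back to the constructed sample, which reproduces the one "Vulnerable" line from the post. A non-zero exit status when anything is still vulnerable makes it usable from a cron job or a post-upgrade check.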

abga 09-01-2018 02:51 PM

It looks like you don't have the latest microcode for your CPU, thus no microcode mitigations for CVE-2018-3639, CVE-2018-3640 and maybe also none for the CVEs related to L1TF / Foreshadow.
Your older Ivy Bridge CPU, Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz, should have the latest microcode 0x20, according to the latest Intel Microcode Revision Guidance - August 8 2018 - Page 10:
https://www.intel.com/content/dam/ww...e-guidance.pdf
Check what the Intel microcode updater is reporting in dmesg and let's move to this more appropriate thread:
https://www.linuxquestions.org/quest...4/#post5888824

glorsplitz 09-01-2018 07:21 PM

Thanks abga, unfortunately I'm a little busy right now, will get to other thread when I have time.

glorsplitz 09-02-2018 09:06 PM

I'm all set, followed what zakame did in this post.

abga 09-02-2018 09:17 PM

Quote:

Originally Posted by glorsplitz (Post 5899198)
I'm all set

... for now ...
https://www.blackhat.com/us-18/brief...x86-cpus-10194
https://www.youtube.com/watch?v=_eSAF_qT_FY

glorsplitz 09-02-2018 09:34 PM

There will always be security exploiter creators, how else do virus companies stay in business?

Thom1b 09-05-2018 01:17 AM

curl-7.61.1 is released with a security fix.
https://curl.haxx.se/download/curl-7.61.1.tar.xz
https://curl.haxx.se/download/curl-7.61.1.tar.xz.asc

Quote:

NTLM password overflow via integer overflow
===========================================

Project curl Security Advisory, September 5th 2018 -
[Permalink](https://curl.haxx.se/docs/CVE-2018-14618.html)

VULNERABILITY
-------------

libcurl contains a buffer overrun in the NTLM authentication code.

The internal function `Curl_ntlm_core_mk_nt_hash` multiplies the `length` of
the password by two (SUM) to figure out how large a temporary storage area to
allocate from the heap.

The `length` value is then subsequently used to iterate over the password and
generate output into the allocated storage buffer. On systems with a 32 bit
`size_t`, the math to calculate SUM triggers an integer overflow when the
password length exceeds 2GB (2^31 bytes). This integer overflow usually causes
a very small buffer to actually get allocated instead of the intended very
huge one, making the use of that buffer end up in a heap buffer overflow.

(This bug is almost identical to
[CVE-2017-8816](https://curl.haxx.se/docs/CVE-2017-8816.html).)

We are not aware of any exploit of this flaw.

INFO
----

This bug was introduced in commit
[be285cde3f](https://github.com/curl/curl/commit/be285cde3f), April 2006.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2018-14618 to this issue.

CWE-131: Incorrect Calculation of Buffer Size

AFFECTED VERSIONS
-----------------

This issue is only present on 32 bit systems. It also requires the password
field to use more than 2GB of memory, which should be rare.

- Affected versions: libcurl 7.15.4 to and including 7.61.0
- Not affected versions: libcurl < 7.15.4 and >= 7.61.1

curl is used by many applications, but not always advertised as such.

THE SOLUTION
------------

In libcurl version 7.61.1, the integer overflow is avoided.

A [patch for
CVE-2018-14618](https://github.com/curl/curl/commit/...b0418243.patch)
is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade curl to version 7.61.1

B - Apply the patch to your version and rebuild

C - Put length restrictions on the password you can pass to libcurl
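The advisory's description of the bug is the classic CWE-131 pattern: a size is computed as length * 2 (the NT hash is taken over a UTF-16LE copy of the password, hence two bytes per character) and the multiplication wraps on a 32-bit size_t. The block below is an added example, not curl's code and not the CVE-2018-14618 patch; the function names are hypothetical, and size_t is emulated as a 32-bit type so the wrap is visible on a 64-bit host. It shows the wrapping computation, a predicate for when it under-allocates, and the overflow-checked version wired into a widening routine.

```c
/* Added example (not curl's code): the length * 2 size computation from the
 * CVE-2018-14618 advisory, in wrapping and overflow-checked form. All names
 * are hypothetical; curl's real function is Curl_ntlm_core_mk_nt_hash. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t size32_t;      /* stands in for a 32-bit size_t */

/* Vulnerable pattern: SUM = length * 2 wraps once length >= 2^31, so the
 * heap allocation is far smaller than the copy loop later assumes. */
size32_t vuln_buffer_size(size32_t length)
{
    return length * 2u;
}

/* True when the wrapping computation would under-allocate for this length. */
int vuln_would_overrun(size32_t length)
{
    uint64_t needed = (uint64_t)length * 2u;
    return vuln_buffer_size(length) < needed;
}

/* Hardened: refuse any length whose doubling is not representable. */
int safe_buffer_size(size32_t length, size32_t *out)
{
    if (length > UINT32_MAX / 2)
        return -1;              /* caller reports an error instead of allocating */
    *out = length * 2u;
    return 0;
}

/* Same check with the result in the return value (-1 on overflow). */
int64_t safe_size_or_error(size32_t length)
{
    size32_t size;
    return safe_buffer_size(length, &size) == 0 ? (int64_t)size : -1;
}

/* Widen a single-byte password to UTF-16LE (the form the NT hash is
 * computed over) using the checked size. Returns NULL on overflow or
 * allocation failure; *outlen receives the byte count. */
unsigned char *to_utf16le_checked(const char *pw, size32_t length, size32_t *outlen)
{
    size32_t size;
    if (safe_buffer_size(length, &size) != 0)
        return NULL;
    unsigned char *buf = malloc(size ? size : 1);
    if (!buf) return NULL;
    for (size32_t i = 0; i < length; i++) {
        buf[2 * i]     = (unsigned char)pw[i];  /* low byte  */
        buf[2 * i + 1] = 0;                     /* high byte */
    }
    *outlen = size;
    return buf;
}

/* Compare the widened form of pw against an expected byte sequence. */
int utf16le_matches(const char *pw, const unsigned char *expected, size32_t explen)
{
    size32_t outlen = 0;
    unsigned char *buf = to_utf16le_checked(pw, (size32_t)strlen(pw), &outlen);
    if (!buf) return 0;
    int same = (outlen == explen) && memcmp(buf, expected, explen) == 0;
    free(buf);
    return same;
}
```

The `length > UINT32_MAX / 2` test is the whole fix in spirit: on a 64-bit build the same code cannot wrap for any password that fits in memory, which is why the advisory limits the impact to 32-bit systems, and why recommendation C (restricting the password length before it reaches the library) is an effective stopgap.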

bamunds 09-06-2018 04:13 PM

Ghostscript 9.24 breaks printing on Slackware 14.2
 
Quote:

Originally Posted by ecd102 (Post 5897909)
According to https://www.kb.cert.org/vuls/id/332928 , the patches are available now.

As I tried to apply, we also need the following patch:
http://git.ghostscript.com/?p=ghostp...iff;h=0b6cd191

And we have to apply the patches in the following order:
http://git.ghostscript.com/?p=ghostp...ain;h=b326a716
http://git.ghostscript.com/?p=ghostp...ain;h=c3476dde
http://git.ghostscript.com/?p=ghostp...ain;h=0d390118
http://git.ghostscript.com/?p=ghostp...ain;h=a054156d
http://git.ghostscript.com/?p=ghostp...ain;h=0edd3d6c
http://git.ghostscript.com/?p=ghostp...ain;h=78911a01
http://git.ghostscript.com/?p=ghostp...ain;h=b575e1ec
http://git.ghostscript.com/?p=ghostp...ain;h=0b6cd191
http://git.ghostscript.com/?p=ghostp...ain;h=c432131c
http://git.ghostscript.com/?p=ghostp...ain;h=241d9111
http://git.ghostscript.com/?p=ghostp...ain;h=8e9ce501
http://git.ghostscript.com/?p=ghostp...ain;h=5516c614
http://git.ghostscript.com/?p=ghostp...ain;h=e01e77a3

After applying the latest Ghostscript 9.24 with ghostscript-fonts-std-8.11-noarch-1 from PV I could no longer print from Waterfox 56.2.2 or from Chromium (AlienBob 68.0.3440.84). By backing out to 5.19 printing started again.

Is this a problem with the installation process or does it mean a rebuild of Waterfox and wait for AlienBob to rebuild Chromium? The interesting thing is that Konqueror had no problem with printing with the Ghostscript 9.24 in place.

System settings: Slackware64 14.2 multilib and 4.14.67 kernel with an HP LaserJet 3380 and HPLIP 3.16.5. The error Ghostscript 9.24 generates at localhost:631 for print jobs is "Filter Failed".

Suggestions appreciated. Cheers, BrianA_MN

9-9-18 Upgraded to patched 9.24 from official patches and everything is back to working. Thanks PV.

