LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 03-30-2018, 05:19 PM   #721
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 384

Rep: Reputation: 185Reputation: 185

As predicted, after the Meltdown&Spectre discovery and recent mitigations, some new practical side-channel attacks on the branch prediction algorithms are discovered and published, affecting Intel processors.
Fresh article describing BranchScope and Intel's response (end of the article):
https://arstechnica.com/gadgets/2018...ction-attacks/
The research paper itself:
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

There might be more firmware/kernel/compiler patching coming ahead.
 
2 members found this post helpful.
Old 04-09-2018, 01:05 PM   #722
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 317

Rep: Reputation: 173Reputation: 173
Slackware-current upgraded to openssh-7.7p1, with
  • Build and link with "retpoline" flags when available to mitigate the "branch target injection" style (variant 2) of the Spectre branch-prediction vulnerability.
Would it be a good idea to have it in 14.2, too?
 
Old Yesterday, 05:09 AM   #723
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 439

Rep: Reputation: Disabled
I've seen on a news feed some gdk-pixbuf remote exploit.
Could be an affected version in 14.x
 
Old Yesterday, 06:49 AM   #724
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 14.2
Posts: 360

Rep: Reputation: 213Reputation: 213Reputation: 213
Quote:
Originally Posted by elcore View Post
I've seen on a news feed some gdk-pixbuf remote exploit.
Could be an affected version in 14.x
The link you gave says the vulnerability exists in versions < 2.36.11 (CVE says <= 2.36.8), since Slackware has 2.32.3, then it should be affected.
 
Old Yesterday, 01:06 PM   #725
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 1,424

Rep: Reputation: 4062Reputation: 4062Reputation: 4062Reputation: 4062Reputation: 4062Reputation: 4062Reputation: 4062Reputation: 4062Reputation: 4062Reputation: 4062Reputation: 4062
Quote:
Originally Posted by elcore View Post
I've seen on a news feed some gdk-pixbuf remote exploit.
Could be an affected version in 14.x
This is a denial of service issue, occuring when gdk_pixbuf attempts to load a GIF in excess of 5G in size.

There's no patch available for the versions of gdk_pixbuf in Slackware 14.2 or earlier, and the patches created for the newest gdk_pixbuf use functions that are unavailable in earlier versions.

I'll consider applying working, tested patches if anyone has any. Incorrect patches, however, are likely to be more hazardous than this CVE.
 
3 members found this post helpful.
Old Today, 03:06 AM   #726
phenixia2003
Member
 
Registered: May 2006
Location: France
Distribution: Slackware
Posts: 790

Rep: Reputation: 623Reputation: 623Reputation: 623Reputation: 623Reputation: 623Reputation: 623
Hello,

Quote:
Originally Posted by volkerdi View Post
This is a denial of service issue, occuring when gdk_pixbuf attempts to load a GIF in excess of 5G in size.

There's no patch available for the versions of gdk_pixbuf in Slackware 14.2 or earlier, and the patches created for the newest gdk_pixbuf use functions that are unavailable in earlier versions.

I'll consider applying working, tested patches if anyone has any. Incorrect patches, however, are likely to be more hazardous than this CVE.
there's a backport of the patch for CVE-2017-1000422 available for debian jessie which comes with gdk-pixbuf-2.31. See here.


I've successfully rebuild gdk-pixbuf-2.32.3 (14.2) with this patch, but I didn't test it .

--
SeB
 
  


Reply

Tags
exploit, security, slackware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[Slackware Security]: Some pending vulnerabilities... mancha Slackware 7 08-22-2013 09:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 12:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration