Old 05-06-2021, 12:07 PM   #61
marav
Member
 
Registered: Sep 2018
Location: Paris, France
Distribution: Slackware
Posts: 345

Rep: Reputation: 197

Quote:
Originally Posted by LuckyCyborg View Post
But, at least, is it a valid issue report (no matter how minor it is) or is it just a false alarm?
suspense ...
 
1 members found this post helpful.
Old 05-06-2021, 01:54 PM   #62
nycace36
Member
 
Registered: Feb 2004
Location: SFBayArea, CA
Distribution: Debian-based, Slackware 10x+
Posts: 171

Rep: Reputation: 21
Vulneratbility - Slackware can be compromised - all versions affected

Has this misplaced "vulneratbility" CLICKBAIT posting by OP crts finally been marked as SOLVED?
 
Old 05-06-2021, 01:59 PM   #63
hitest
Guru
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Posts: 6,671

Rep: Reputation: 2920
Quote:
Originally Posted by nycace36 View Post
Has this misplaced "vulneratbility" CLICKBAIT posting by OP crts finally been marked as SOLVED?
If it's a genuine vulnerability I assume the OP will mark it as solved when the vulnerability is fixed.
 
Old 05-07-2021, 10:13 AM   #64
Jan K.
Member
 
Registered: Apr 2019
Location: Esbjerg
Distribution: slackware...
Posts: 258

Rep: Reputation: 176
Quote:
Originally Posted by Alien Bob View Post
It would have helped if crts would have contacted Pat instead of posting here first with all the drama. Then perhaps this whole thread would have not happened.
Yes. As I said above, this is certainly *not* how found vulnerabilities should be handled. It only creates FUD, without any real value.

But at least we all learned you were on a blacklist!


Thanks for your dedication and have a nice weekend!
 
Old 05-07-2021, 11:30 AM   #65
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys
Posts: 3,619

Rep: Reputation: 3492
It will be interesting to me to see if OP ever posts here again given the (justified) negative responses. Not many people learn how to accept their own mistakes as important steps in a learning process, and admit to them. I'm not certain if that is more prevalent IRL, where it's actually face-to-face with someone you will see again, or online, where one can just fade away anonymously.

I hope if OP was actually serious and skilled enough to find even some minor vulnerability that he has the cojones and mental strength to just explain he was excited, overreacting, confused, or whatever led him to post in such a manner. Hopefully he learns that, as Carl Sagan stated, "Extraordinary claims require extraordinary evidence", so it should be a given that mere hints that "the sky is falling" will be greeted by extreme skepticism.
 
1 members found this post helpful.
Old 05-07-2021, 11:54 AM   #66
GazL
LQ Veteran
 
Registered: May 2008
Posts: 5,921

Rep: Reputation: 3896
Quote:
Originally Posted by enorbet View Post
It will be interesting to me to see if OP ever posts here again given the (justified) negative responses.
Setting aside whatever weird issues he apparently has with Eric, this thread should have been:
#1 "I think I've found a vulnerability... Who do I tell?"
#2 "Email Pat".
end-of-thread.

IMO the subsequent dog-piling was neither justified, nor helpful.
 
4 members found this post helpful.
Old 05-08-2021, 08:48 PM   #67
hitest
Guru
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Posts: 6,671

Rep: Reputation: 2920
Quote:
Originally Posted by GazL View Post
Setting aside whatever weird issues he apparently has with Eric, this thread should have been:
#1 "I think I've found a vulnerability... Who do I tell?"
#2 "Email Pat".
end-of-thread.

IMO the subsequent dog-piling was neither justified, nor helpful.
True, but, the OP provoked the escalation by being critical of Eric in the first post. There was no need to do that. I'm glad that the team is in contact with the OP. I'm also grateful that the OP notified us about the potential vulnerability.
 
1 members found this post helpful.
Old 05-09-2021, 02:38 AM   #68
igadoter
Senior Member
 
Registered: Sep 2006
Location: wroclaw, poland
Distribution: many, primary Slackware
Posts: 2,234
Blog Entries: 1

Rep: Reputation: Disabled
That's bullshit. Instead of making big mysterious eyes, OP should post what it is about. Slackware by itself does not provide any advanced administration tools. The only places where a vulnerability may appear are the startup scripts, pkgtools, mkinitrd, slackpkg - probably I missed one or more. Besides that, vulnerabilities come directly from applications - so the authors of the application should be addressed - not Slackware. In other words, these are the only possible points where the admin cannot address a vulnerability by themselves. I mean, I can stop using slackpkg - but if it is deeper - how do I stop using pkgtools? Just build manually and
Code:
# make install
Tools are made to help, not to free you from thinking (probably I should add "morons" here - but a mod will surely kick my ass - so I omit this one).

Edit: OP should state it explicitly so people can do something by themselves instead of sitting and trying to guess what it is about - and waiting for a fix(?). If there really is a vulnerability in Slackware, the OP's installation could be broken as well.

Last edited by igadoter; 05-09-2021 at 02:46 AM.
 
2 members found this post helpful.
Old 05-09-2021, 04:48 AM   #69
Martinus2u
Member
 
Registered: Apr 2010
Distribution: Slackware
Posts: 495

Rep: Reputation: 118
Quote:
Originally Posted by igadoter View Post
The only place where vulnerability may appear are [arbitrary list]
This way of thinking makes a product vulnerable. The attacker thinks differently.
 
Old 05-09-2021, 05:06 AM   #70
igadoter
Senior Member
 
Registered: Sep 2006
Location: wroclaw, poland
Distribution: many, primary Slackware
Posts: 2,234
Blog Entries: 1

Rep: Reputation: Disabled
If the vulnerability concerns only Slackware - then it must be only at points where Slackware differs from other Linuxes. And the first thing that OP does not understand is that saying that some random person found a vulnerability is completely enough for most real hackers. It is as valuable as straightforwardly describing what it is. Even worse - because real hackers would now have a great advantage - they would quickly find what it is about. But we are sitting here trying to guess what it is. While the hackers are working now. So this is why all this is bullshit. From the OP's post it sounds like it was a mistake - an error - made by the OP - not being trapped by a script - and causing some strange behavior. Bash functionality may cause trouble - bash has too many capabilities to be secure. File names may cause serious trouble. It sounds like the OP never really cared about securing their installation. Now something broke down and Slackware is guilty. I really would be glad to hear from the OP what she/he thinks a secure system is.
 
1 members found this post helpful.
Old 05-09-2021, 05:24 AM   #71
GazL
LQ Veteran
 
Registered: May 2008
Posts: 5,921

Rep: Reputation: 3896
The problem with "Full disclosure" is that not everyone has the skills to mitigate the problem until the fix arrives. Also, those that do have the skill might not become aware of the disclosure announcement.

The problem with 'responsible disclosure' is that those who do have the skills to mitigate are left vulnerable for longer.

"Full" vs "Responsible" is an argument almost as old as folks have been talking about vulnerability announcements, and neither option is ideal.


BTW, I wouldn't worry about pkgtools: they're inherently insecure by design (doinst.sh runs as root), so there's really no need for anyone to figure out sneaky ways to compromise them.

----
This is why one should always gpg-verify package signatures before use.
 
3 members found this post helpful.
Old 05-09-2021, 05:26 AM   #72
GazL
LQ Veteran
 
Registered: May 2008
Posts: 5,921

Rep: Reputation: 3896
Quote:
Originally Posted by hitest View Post
True, but, the OP provoked the escalation by being critical of Eric in the first post.
Yes, that was unfortunate.
 
1 members found this post helpful.
Old 05-09-2021, 05:53 AM   #73
marav
Member
 
Registered: Sep 2018
Location: Paris, France
Distribution: Slackware
Posts: 345

Rep: Reputation: 197
Quote:
Originally Posted by GazL View Post
Yes, that was unfortunate.

What is unfortunate is the post itself
- no one reports a vulnerability in this way
- no one chooses who should answer or not
- no one leaves a vulnerability report, however critical it is, without any update for 8 days
 
1 members found this post helpful.
Old 05-09-2021, 06:10 AM   #74
crts
Senior Member
 
Registered: Jan 2010
Posts: 2,020

Original Poster
Rep: Reputation: 757
A properly configured firewall will mitigate the issue. Do not leave any unnecessary ports open.
 
2 members found this post helpful.
Old 05-09-2021, 06:20 AM   #75
igadoter
Senior Member
 
Registered: Sep 2006
Location: wroclaw, poland
Distribution: many, primary Slackware
Posts: 2,234
Blog Entries: 1

Rep: Reputation: Disabled
My bet here is inetd.conf configuration problems.

Edit:
Code:
$ sudo netstat -tulpn  | grep LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1807/cupsd          
tcp        0      0 0.0.0.0:39799           0.0.0.0:*               LISTEN      1760/rpc.statd      
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1755/rpcbind        
tcp6       0      0 :::1716                 :::*                    LISTEN      27459/kdeconnectd   
tcp6       0      0 ::1:631                 :::*                    LISTEN      1807/cupsd          
tcp6       0      0 :::44619                :::*                    LISTEN      1760/rpc.statd      
tcp6       0      0 :::111                  :::*                    LISTEN      1755/rpcbind
just a common desktop (actually it is AlienBob Live Edition). Am I dead now?

Last edited by igadoter; 05-09-2021 at 06:30 AM.
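The two previous posts (crts's "do not leave any unnecessary ports open" and igadoter's netstat listing) lend themselves to a small, defender-side check. The script below is an added example, not code posted by anyone in this thread and not part of Slackware: it reads `netstat -tulpn` style output and lists every TCP socket in LISTEN state that is bound to a non-loopback address, i.e. the sockets a host firewall actually has to cover. The listing from the post above is embedded as constructed sample input so it runs offline; the function names `exposed_listeners` and `count_exposed` and the `--live` switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample input: the
# `netstat -tulpn | grep LISTEN` listing posted above, embedded so the
# check runs without root or a live netstat.
SAMPLE='tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1807/cupsd
tcp        0      0 0.0.0.0:39799           0.0.0.0:*               LISTEN      1760/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1755/rpcbind
tcp6       0      0 :::1716                 :::*                    LISTEN      27459/kdeconnectd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1807/cupsd
tcp6       0      0 :::44619                :::*                    LISTEN      1760/rpc.statd
tcp6       0      0 :::111                  :::*                    LISTEN      1755/rpcbind'

# exposed_listeners: read netstat -tulpn style lines on stdin and print
# "proto host port pid/program" for each TCP socket in LISTEN state whose
# local address is not loopback (127.0.0.1 or ::1). Loopback-only sockets
# are unreachable from the network; everything else depends on the firewall.
exposed_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")   # port is the text after the last colon
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host != "127.0.0.1" && host != "::1")
            print $1, host, port, $7
    }'
}

# count_exposed: number of exposed listeners on stdin, for a quick
# "is this zero?" check in a hardening script.
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# Usage: `sh check_listeners.sh --live` pipes a real listing through the
# check (needs root for the PID/program column); with no argument it runs
# on the embedded sample.
if [ "${1:-}" = "--live" ]; then
    netstat -tulpn | exposed_listeners
else
    printf '%s\n' "$SAMPLE" | exposed_listeners
fi
```

Two caveats a practitioner should keep in mind: `grep LISTEN` drops UDP sockets entirely (UDP has no LISTEN state in netstat), so the `-u` in `-tulpn` buys nothing once the grep is applied and UDP services such as rpc.statd's UDP side will not show up in this check; and a wildcard bind is only a finding, not a compromise, because a properly configured firewall, as crts notes, decides whether that port is reachable at all. On the sample listing the check reports rpcbind, rpc.statd and kdeconnectd as network-reachable and leaves cupsd, bound to loopback only, out.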
 
  

