02-11-2008, 07:28 AM
Ned Ludd
latest kernel exploit patch for vmsplice coming?

On Sun, 2008-02-10 at 23:41 +0200, pageexec@freemail.hu wrote:
> On 10 Feb 2008 at 22:32, Alex Howells wrote:
>
> > I wasn't sure we needed a special patch?
>
> it's a kernel bug so it obviously needs a patch, a fix is in the linus
> tree now, i guess it'll be backported quickly.
>
> > Every single box I've tried this exploit on ranging from
> > hardened-sources-2.6.17 through to hardened-sources-2.6.23, its been
> > nailed. Could just be my kernel configuration?
>
> UDEREF prevents exploitation for good, even KERNEXEC alone would
> prevent the kind of code execution that this exploit relies on.


FYI everybody... Look at that.. A properly configured host using PaX the
way the PaX Team suggests prevents this and many other types of bugs.

Anyway, for those of you not using PaX the way it's suggested to be used
(which also happens to be the Hardened default), you could/should
consider this patch if you have local users who are not trusted.
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44
After patching, a user tried >10000 iterations of both exploits and
everything appeared to be fine.

For those of you looking for a quick workaround for your production
servers who don't/can't reboot just quite yet.. Md of freenode offers
this runtime kernel module.

11:32 < Md> reminder: please do not hurry to reboot your linux servers,
http://www.linux.it/~md/software/novmsplice.tgz is a kernel module
which disables the system calls used by the exploit

The current exploit, while not appearing to work, can result in a DoS.
The uderef feature catches it... but yesterday a user, while testing,
executed the exploit many many times. At the 943rd execution the system
froze.

We are told that, unfortunately, when the bug is triggered the kernel
holds locks, and because uderef catches it the kernel will also kill the
task. It would do so regardless of uderef if the ptr it dereferences
isn't mapped memory.


----------------

More FYI..
Hardened is nearly dead with respect to the
hardened-profile/hardened-toolchain/hardened-kernel.
It does not have to die but we are in a bit of a catch-22.
I'm the last dev really watching over those things. Everybody else has
retired and moved on in life. I'm starting to do the same. Weekend and
evening hobbies of other interest are starting to take priority. So the
catch-22 is that hardened needs more devs+proxies and/or to be
re-evaluated.. The kicker is that I don't really have the spare time to
mentor new people. So... Any of you that want to help this project
continue, please stop by #gentoo-hardened on freenode and offer whatever
help you can that fits within your skill traits (self-motivated ppl++).


--
Ned Ludd <solar@gentoo.org>

--
gentoo-hardened@lists.gentoo.org mailing list
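
An added illustration, not code from the thread, the kernel tree or the commit linked above: a user-space model of the check that commit introduces. The real fix adds an access_ok() test on each iovec before the splice code uses it; the model reproduces that test as user_range_ok(), runs the page-count arithmetic of the vmsplice page-array walk on an iovec with and without it, and takes the page size from sysconf(). The TASK_SIZE stand-in (the classic 3 GiB 32-bit x86 split), the function names and the simplified arithmetic are the example's own assumptions, chosen to show why an unchecked length is a problem: an oversized len wraps the unsigned arithmetic and yields a page count of zero, which the checked walk never reaches because the range fails validation first.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed stand-in for the kernel's TASK_SIZE: the first address that is
 * no longer user space. 3 GiB is the classic 32-bit x86 split; the real value
 * depends on architecture and kernel configuration. */
#define MODEL_TASK_SIZE ((uintptr_t)0xC0000000UL)

/* Page size of the running system, via sysconf() rather than the PAGE_SIZE
 * macro from asm/page.h, which is a kernel header user space cannot rely on. */
size_t page_size_now(void)
{
    long p = sysconf(_SC_PAGESIZE);
    return p > 0 ? (size_t)p : 4096u;
}

/* Model of access_ok(base, len): [base, base + len) must end at or before
 * task_size and must not wrap around the address space. Written so that the
 * comparison itself cannot overflow. */
bool user_range_ok(uintptr_t base, size_t len, uintptr_t task_size)
{
    if (len > task_size)
        return false;               /* no user range can be this long */
    return base <= task_size - len; /* same as base + len <= task_size, minus the wrap */
}

/* Page count for one iovec entry, computed the way the vmsplice page-array
 * walk does it: (offset-in-page + len + PAGE_SIZE - 1) / PAGE_SIZE. Unsigned
 * arithmetic silently wraps for an oversized len. */
size_t iov_npages(uintptr_t base, size_t len, size_t page_size)
{
    size_t off = (size_t)(base & (page_size - 1));
    return (off + len + page_size - 1) / page_size;
}

struct walk_result {
    int error;      /* 0 or a negative errno, as the kernel reports them */
    size_t npages;
};

/* Before the fix: len goes straight into the page arithmetic. */
struct walk_result walk_iov_unchecked(uintptr_t base, size_t len, size_t page_size)
{
    struct walk_result r = { 0, 0 };
    if (len == 0)
        return r;
    r.npages = iov_npages(base, len, page_size);
    return r;
}

/* After the fix: the range is validated first and a bad one fails with -EFAULT
 * before any arithmetic or page lookup happens. */
struct walk_result walk_iov_checked(uintptr_t base, size_t len, size_t page_size,
                                    uintptr_t task_size)
{
    struct walk_result r = { 0, 0 };
    if (len == 0)
        return r;
    if (!user_range_ok(base, len, task_size)) {
        r.error = -EFAULT;
        return r;
    }
    r.npages = iov_npages(base, len, page_size);
    return r;
}

int main(void)
{
    size_t page = page_size_now();
    struct {
        const char *label;
        uintptr_t base;
        size_t len;
    } cases[] = {
        { "ordinary 2-page buffer",       0x10000, 2 * page },
        { "kernel address",               MODEL_TASK_SIZE + 0x1000, 64 },
        { "len wraps the address space",  0x10000, SIZE_MAX },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct walk_result before = walk_iov_unchecked(cases[i].base, cases[i].len, page);
        struct walk_result after  = walk_iov_checked(cases[i].base, cases[i].len, page,
                                                     MODEL_TASK_SIZE);
        printf("%-30s unchecked: err=%d npages=%zu | checked: err=%d npages=%zu\n",
               cases[i].label, before.error, before.npages, after.error, after.npages);
    }
    return 0;
}
```

Running it prints one line per case: the checked walk returns -EFAULT for the kernel address and for the wrapping length, while the unchecked walk reports both as if the range were fine, with a page count of zero for the wrapped one. This is a model of the boundary condition, not a way to test a live kernel; for that, compare the running kernel's fs/splice.c against the commit, or update.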


From: "(``-_-´´) -- Fernando" <ubuntu@bugabundo.net>
To: ubuntu-desktop@lists.ubuntu.com
Subject: Re: Standardized home directories (was: Use a general ~Downloads-folder for all applications.)
Date: Sat, 9 Feb 2008 11:44:53 +0000
Message-Id: <200802091145.04414.Ubuntu@bugabundo.net>

On Wednesday 06 February 2008 10:49:17 Bogdan Butnaru wrote:
> I'd like to see the mess in ~ organized by purpose. The structure I'm
> thinking of would have a (small) set of directories. Each application
> would create a file or a folder with its name in each folder it needs.

+1
Please open a wiki page, or a bug, so I can track progress on this.

--
BUGabundo )
(``-_-´´) http://Ubuntu.BUGabundo.net
Linux user #443786 GPG key 1024D/A1784EBB
My new micro-blog @ http://BUGabundo.net
ps. My emails tend to sound authoritative and aggressive. I'm sorry in advance.
I'll try to be more assertive as time goes by...

--
ubuntu-desktop mailing list
ubuntu-desktop@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop


From: "(``-_-´´) -- Fernando" <ubuntu@bugabundo.net>
To: ubuntu-desktop@lists.ubuntu.com
Subject: Re: Getting a usability patch into gnome-panel package?
Date: Sat, 9 Feb 2008 11:51:53 +0000
Message-Id: <200802091151.53603.Ubuntu@bugabundo.net>

On Thursday 07 February 2008 18:18:34 Jan Claeys wrote:
> Middle click + drag moves panel applets too (if they aren't locked).
> --
> Jan Claeys

Thanks for the tip, I didn't know about that.

--
BUGabundo )
(``-_-´´) http://Ubuntu.BUGabundo.net
Linux user #443786 GPG key 1024D/A1784EBB
My new micro-blog @ http://BUGabundo.net
ps. My emails tend to sound authoritative and aggressive. I'm sorry in advance.
I'll try to be more assertive as time goes by...

--
ubuntu-desktop mailing list
ubuntu-desktop@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop
 
02-11-2008, 08:35 AM
Natanael Copa
latest kernel exploit patch for vmsplice coming?

On Sun, 2008-02-10 at 23:41 +0200, pageexec@freemail.hu wrote:
> On 10 Feb 2008 at 22:32, Alex Howells wrote:
>
> > I wasn't sure we needed a special patch?
>
> it's a kernel bug so it obviously needs a patch, a fix is in the linus
> tree now, i guess it'll be backported quickly.
>
> > Every single box I've tried this exploit on ranging from
> > hardened-sources-2.6.17 through to hardened-sources-2.6.23, its been
> > nailed. Could just be my kernel configuration?
>
> UDEREF prevents exploitation for good, even KERNEXEC alone would
> prevent the kind of code execution that this exploit relies on.

I tried the patch on various systems. The grsecurity patches do
protect against this kind of issue.

This is a real-life example of why grsecurity is good for you.

Thanks!

-nc

--
gentoo-hardened@lists.gentoo.org mailing list
 
02-11-2008, 06:45 PM
Petteri Räty
latest kernel exploit patch for vmsplice coming?

Ned Ludd wrote:

> On Sun, 2008-02-10 at 23:41 +0200, pageexec@freemail.hu wrote:
>
> More FYI..
> Hardened is nearly dead with respect to the
> hardened-profile/hardened-toolchain/hardened-kernel.
> It does not have to die but we are in a bit of a catch-22.
>
> I'm the last dev really watching over those things. Everybody else has
> retired and moved on in life. I'm starting to do the same. Weekend and
> evening hobbies of other interest are starting to take priority. So the
> catch-22 is that hardened needs more devs+proxies and/or to be
> re-evaluated.. The kicker is that I don't really have the spare time to
> mentor new people. So... Any of you that want to help this project
> continue, please stop by #gentoo-hardened on freenode and offer whatever
> help you can that fits within your skill traits (self-motivated ppl++).

Finding mentors should not hold things up. Please contact recruiters if
you need someone to track down mentors for you.

Regards,
Petteri
 
02-11-2008, 08:17 PM
Sune Kloppenborg Jeppesen
latest kernel exploit patch for vmsplice coming?

On Monday 11 February 2008, Ned Ludd wrote:
> Thanks.. kerframil, PaX Team and all others.
I'd like to thank you, Solar, as well; you've done a lot of great work on
hardened over the years and I'm still using hardened-sources on most of my
boxes. Thanks.

In an ideal world I would also offer my help, but atm I have more than enough
to do for the security team, not to mention RL.

Lastly I'd like to thank all helping carry hardened forward!

--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team
--
gentoo-hardened@lists.gentoo.org mailing list
 
02-12-2008, 04:02 AM
Алексей Лесовский
latest kernel exploit patch for vmsplice coming?

Can anyone send me a compiled exploit? I'm testing my hardened hosts and
my gcc cannot compile the sources.
--
gentoo-hardened@lists.gentoo.org mailing list
 
02-12-2008, 06:46 AM
Alex Efros
latest kernel exploit patch for vmsplice coming?

Hi!

On Tue, Feb 12, 2008 at 08:27:21AM +0100, Natanael Copa wrote:
> Attatched is a slightly modified version of the exploit that should
> compile for you. (uses sysconf(_SC_PAGE_SIZE) rather than PAGE_SIZE from
> asm/page.h)

Actually, such sorts of mistakes in exploits exist just to prevent them
from being compiled by people who are unable to fix them, so it isn't really a
good idea to post a fixed version to a public mailing list; at least you could
send it by private email.

Anyway, this exploit doesn't work as 'local root' on my
'2.6.20-hardened-r10 SMP', but it looks like it leaks some kernel memory on
each execution, so running it in a `while :; do ...; done` loop will result in
a hang in about a minute, so it is at least a 'local DoS' exploit.

Are there any plans to backport the patch for this bug to the .20 hardened kernel?
I haven't upgraded to the .23 kernel yet because of a few issues with PaX
mentioned on this mailing list in the last months...

--
WBR, Alex.
--
gentoo-hardened@lists.gentoo.org mailing list
 
02-12-2008, 07:51 AM
Natanael Copa
latest kernel exploit patch for vmsplice coming?

On Tue, 2008-02-12 at 09:46 +0200, Alex Efros wrote:
> Hi!
>
> On Tue, Feb 12, 2008 at 08:27:21AM +0100, Natanael Copa wrote:
> > Attatched is a slightly modified version of the exploit that should
> > compile for you. (uses sysconf(_SC_PAGE_SIZE) rather than PAGE_SIZE from
> > asm/page.h)
>
> Actually, such sorts of mistakes in exploits exist just to prevent them
> from being compiled by people who are unable to fix them,

you mean ppl like you?
It could also be that this code is very old, as explained in the comment
in the header, and used to work.

> so it isn't really a
> good idea to post a fixed version to a public mailing list; at least you could
> send it by private email.

How do I know that you are not a "bad" guy who is "not supposed" to be
able to compile it?

> Anyway, this exploit doesn't work as 'local root' on my
> '2.6.20-hardened-r10 SMP', but it looks like it leaks some kernel memory on
> each execution, so running it in a `while :; do ...; done` loop will result in
> a hang in about a minute, so it is at least a 'local DoS' exploit.
>
> Are there any plans to backport the patch for this bug to the .20 hardened kernel?
> I haven't upgraded to the .23 kernel yet because of a few issues with PaX
> mentioned on this mailing list in the last months...

This one should apply, or you can apply it manually.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=712a30e63c8066ed84385b12edbfb804f49cbc44

> --
> WBR, Alex.

--
gentoo-hardened@lists.gentoo.org mailing list
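
An added example that is not part of the thread, the exploit or the kernel fix: a user-space probe that reports whether vmsplice() is reachable on the running kernel, which is what Md's novmsplice module from the first post takes away, and that sizes its buffer with sysconf(_SC_PAGESIZE) instead of PAGE_SIZE from asm/page.h, the portability change Natanael made to the exploit source. The state names, the reading of ENOSYS as "disabled" and the use of the raw syscall number are this example's own assumptions. A usable vmsplice() says nothing about whether the access_ok fix is in the kernel; this checks for the workaround, not for the patch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

enum vmsplice_state {
    VMSPLICE_USABLE,    /* the syscall exists and moved the whole buffer */
    VMSPLICE_DISABLED,  /* ENOSYS: nothing answers at that syscall slot */
    VMSPLICE_OTHER      /* any other outcome; look at the errno reported */
};

/* Page size of the running system. User space has no guaranteed PAGE_SIZE
 * macro (asm/page.h is a kernel header), so ask at run time. */
size_t page_size_now(void)
{
    long p = sysconf(_SC_PAGESIZE);
    return p > 0 ? (size_t)p : 4096u;
}

/* Interpret a raw (return value, errno) pair from the vmsplice syscall.
 * Kept free of side effects so it can be exercised with constructed values. */
enum vmsplice_state classify_vmsplice(long ret, int err, size_t expected)
{
    if (ret >= 0 && (size_t)ret == expected)
        return VMSPLICE_USABLE;
    if (ret < 0 && err == ENOSYS)
        return VMSPLICE_DISABLED;
    return VMSPLICE_OTHER;
}

/* Splice one page-sized, page-aligned user buffer into a fresh pipe through
 * the raw syscall number, so a missing libc wrapper cannot mask the result.
 * On return *err_out holds errno from the failed step, or 0. */
enum vmsplice_state probe_vmsplice(int *err_out)
{
    size_t page = page_size_now();
    int pfd[2];
    void *buf = NULL;
    struct iovec iov;
    long n;
    enum vmsplice_state st;

    *err_out = 0;
    if (pipe(pfd) < 0) {
        *err_out = errno;
        return VMSPLICE_OTHER;
    }
    if (posix_memalign(&buf, page, page) != 0) {
        *err_out = ENOMEM;
        close(pfd[0]);
        close(pfd[1]);
        return VMSPLICE_OTHER;
    }
    memset(buf, 'A', page);
    iov.iov_base = buf;
    iov.iov_len = page;

    n = syscall(SYS_vmsplice, pfd[1], &iov, (size_t)1, 0u);
    *err_out = (n < 0) ? errno : 0;
    st = classify_vmsplice(n, *err_out, page);

    /* Close the write end, then drain the read end so the kernel has dropped
     * every reference to buf before it is freed. */
    close(pfd[1]);
    if (n > 0) {
        char sink[256];
        while (read(pfd[0], sink, sizeof sink) > 0)
            ;
    }
    close(pfd[0]);
    free(buf);
    return st;
}

int main(void)
{
    int err = 0;
    enum vmsplice_state st = probe_vmsplice(&err);
    static const char *names[] = { "usable", "disabled (ENOSYS)", "other" };

    printf("page size: %zu\n", page_size_now());
    printf("vmsplice: %s", names[st]);
    if (err)
        printf(" (errno %d: %s)", err, strerror(err));
    printf("\n");
    return st == VMSPLICE_OTHER ? 1 : 0;
}
```

On a box with a novmsplice-style module loaded the probe prints "disabled (ENOSYS)"; on a stock kernel it prints "usable". Any other result (EPERM from a seccomp filter, for instance) is reported with its errno rather than guessed at.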
 
02-12-2008, 07:55 AM
Natanael Copa
latest kernel exploit patch for vmsplice coming?

On Tue, 2008-02-12 at 13:37 +0500, Алексей Лесовский wrote:
> I'm not root. I'm sure

So the hardened kernel protects you. Congrats!

You might still want to apply the patch that fixes the problem.

-nc

--
gentoo-hardened@lists.gentoo.org mailing list
 

Copyright 2007 - 2008, www.linux-archive.org