Date: Thu, 17 May 2012 20:56:54 +0200
From: Adam Zabrocki <pi3@....com.pl>
To: valdis.kletnieks@...edu
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, taviso@...xchg8b.com
Subject: Re: The story of the Linux kernel 3.x...

On Thu, 2012-05-17 at 10:32 -0400, valdis.kletnieks@...edu wrote:
> On Wed, 16 May 2012 23:49:40 +0200, Adam Zabrocki said:
> 
> > so the latest update has this fix but the official ISO still has the old kernel. The fix was applied
> > in March/April. So again _stock kernels_ have/had such a simple mistake ;)
> 
> You're assuming it's a *mistake* rather than something intentional.
> 
> Remember that the distro does *not* know what you run on the kernel, so they
> need to build one that covers all the bases.  So they really need to make a
> choice.  Which is going to result in more nasty phone calls and e-mails:
> leaving COMPAT_VDSO set (which is probably the 12,934th most security crucial
> security setting in a distro), or turn it off and *know* this will break
> certain older binaries?
> 
> Remember that if you're a distro with a million users, even if only 0.1% of
> them still have old binaries, you just borked 1,000 users' machines.  Now
> compare that number to the number that will get hacked if you leave COMPAT_VDSO
> on (remember that the *only* thing it stops is exploits that hard-code certain
> addresses)

Sorry, I cannot agree with you. Suse 12.1 is a very new/fresh distribution,
so I don't see any point in delivering "old" binaries with a new system.
There is still an open question about third-party vendors' applications.

But if you look carefully at our discussion you will realize that other
systems do not have a problem with that, so you are suggesting that only
Suse doesn't have problems with clients? Additionally, Suse provided a
patch for this issue in March/April, which I pointed out in my previous
posts, and you can find the patch and the discussion about it on the Suse
kernel developers list:
http://lists.opensuse.org/opensuse-kernel/2012-03/msg00056.html

Additionally, Marcus Meissner from the Suse team wrote an interesting
sentence about the problem with 'old' binaries:

"Nobody can actually point to an application that breaks."
and "openSUSE 12.2 will have it disabled."



Because many people are confused about this whole discussion, I want to
summarize:

Suse 12.1 - by default has a problem with mapping the VDSO at a fixed
address (kernel compiled with the CONFIG_COMPAT_VDSO option enabled) - both
x86 and amd64 architectures. The newest kernel package has a fix
(March/April) for this problem.

Ubuntu and other 64-bit systems allocate VSYSCALL at a fixed memory
address, but this is a known issue which I didn't realize, so my mistake
for the confusion. More information about this case can be found here:

https://lkml.org/lkml/2011/8/9/274


Best regards,
Adam Zabrocki
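
A check for the two conditions summarized in the message above, as an added example that is not part of the original post: it compares the base address of `[vdso]` and `[vsyscall]` across `/proc/<pid>/maps` samples taken from separate processes and looks for `CONFIG_COMPAT_VDSO=y` in a kernel config. The function names and the sample maps are constructed for illustration.

```python
import re
import subprocess

# /proc/<pid>/maps line: "start-end perms offset dev inode  [name]"
MAPS_RE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def region_base(maps_text, name):
    """Start address of the mapping called `name` (e.g. "[vdso]"), or None."""
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m and m.group(2).strip() == name:
            return int(m.group(1), 16)
    return None

def fixed_regions(samples, names=("[vdso]", "[vsyscall]")):
    """Names whose base address is identical in every sampled process."""
    fixed = []
    for name in names:
        bases = [region_base(s, name) for s in samples]
        if len(bases) >= 2 and None not in bases and len(set(bases)) == 1:
            fixed.append(name)
    return fixed

def compat_vdso_enabled(config_text):
    """True if a kernel .config sets CONFIG_COMPAT_VDSO=y."""
    return any(ln.strip() == "CONFIG_COMPAT_VDSO=y" for ln in config_text.splitlines())

def live_samples(n=4):
    """Maps of n freshly exec'd processes (Linux only)."""
    return [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True, check=True).stdout for _ in range(n)]

# Constructed sample data (not taken from any real host).
COMPAT_RUNS = [
    "08048000-08053000 r-xp 00000000 08:01 1234 /bin/cat\n"
    "bf9a1000-bf9c2000 rw-p 00000000 00:00 0 [stack]\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n",
    "08048000-08053000 r-xp 00000000 08:01 1234 /bin/cat\n"
    "bfd3c000-bfd5d000 rw-p 00000000 00:00 0 [stack]\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n",
]
X86_64_RUNS = [
    "7fff2a1fe000-7fff2a200000 r-xp 00000000 00:00 0 [vdso]\n"
    "ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\n",
    "7ffc91bfe000-7ffc91c00000 r-xp 00000000 00:00 0 [vdso]\n"
    "ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\n",
]

if __name__ == "__main__":
    print(fixed_regions(COMPAT_RUNS), fixed_regions(X86_64_RUNS))
```

On a live Linux host, `fixed_regions(live_samples())` runs the same comparison against freshly started processes.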



