CVE-2014-3153: Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.

Reproducible: Always
I have updated hardened-sources. These have the fix (4 patches, not 6 like posted here http://seclists.org/oss-sec/2014/q2/470):

hardened-sources-3.14.5-r1.ebuild
hardened-sources-3.14.4-r2.ebuild
hardened-sources-3.13.10-r1.ebuild
hardened-sources-3.13.6-r4.ebuild
hardened-sources-3.13.2-r4.ebuild
hardened-sources-3.11.7-r2.ebuild
hardened-sources-3.2.59-r3.ebuild
hardened-sources-3.2.55-r8.ebuild
hardened-sources-3.2.54-r10.ebuild
hardened-sources-3.2.53-r7.ebuild

All other versions lower than this for M.m.p-r versions do not.
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> I have updated hardened-sources. These have the fix (4 patches, not 6 like posted here
> http://seclists.org/oss-sec/2014/q2/470):
>
> hardened-sources-3.14.5-r1.ebuild
> hardened-sources-3.14.4-r2.ebuild
> hardened-sources-3.13.10-r1.ebuild
> hardened-sources-3.13.6-r4.ebuild
> hardened-sources-3.13.2-r4.ebuild
> hardened-sources-3.11.7-r2.ebuild
> hardened-sources-3.2.59-r3.ebuild
> hardened-sources-3.2.55-r8.ebuild
> hardened-sources-3.2.54-r10.ebuild
> hardened-sources-3.2.53-r7.ebuild
>
> All other versions lower than this for M.m.p-r versions do not.

In the future, please submit the patches to me for inclusion.
(In reply to Anthony Basile from comment #2)
> (In reply to Matthew Thode ( prometheanfire ) from comment #1)
> > I have updated hardened-sources. These have the fix (4 patches, not 6 like posted here
> > http://seclists.org/oss-sec/2014/q2/470):
> >
> > hardened-sources-3.14.5-r1.ebuild
> > hardened-sources-3.14.4-r2.ebuild
> > hardened-sources-3.13.10-r1.ebuild
> > hardened-sources-3.13.6-r4.ebuild
> > hardened-sources-3.13.2-r4.ebuild
> > hardened-sources-3.11.7-r2.ebuild
> > hardened-sources-3.2.59-r3.ebuild
> > hardened-sources-3.2.55-r8.ebuild
> > hardened-sources-3.2.54-r10.ebuild
> > hardened-sources-3.2.53-r7.ebuild
> >
> > All other versions lower than this for M.m.p-r versions do not.
>
> In the future, please submit the patches to me for inclusion.

I'm going to have to revert these because the rev bumps are recycled from previous ebuilds that were taken off the tree. Give me a day to see what upstream grsec/pax is up to before we consider this addressed.
(In reply to Anthony Basile from comment #3)
> I'm going to have to revert these because the rev bumps are recycled from
> previous ebuilds that were taken off the tree. Give me a day to see what
> upstream grsec/pax is up to before we consider this addressed.

hardened-sources-3.14.5-r2 and hardened-sources-3.2.59-r4 contain the correct fixes from grsec/pax upstream. I'll rapidly stabilize these in a few days.
(In reply to Anthony Basile from comment #4)
> hardened-sources-3.14.5-r2 and hardened-sources-3.2.59-r4 contain the
> correct fixes from grsec/pax upstream. I'll rapidly stabilize these in a few
> days.

Does 3.14.5-r2 contain the fix for CVE-2014-0196 (https://bugs.gentoo.org/show_bug.cgi?id=509840)?
(In reply to Nick Soveiko from comment #5)
> (In reply to Anthony Basile from comment #4)
> > hardened-sources-3.14.5-r2 and hardened-sources-3.2.59-r4 contain the
> > correct fixes from grsec/pax upstream. I'll rapidly stabilize these in a few
> > days.
>
> Does 3.14.5-r2 contain the fix for CVE-2014-0196
> (https://bugs.gentoo.org/show_bug.cgi?id=509840)?

Yes.
(In reply to Anthony Basile from comment #6)
> (In reply to Nick Soveiko from comment #5)
> > (In reply to Anthony Basile from comment #4)
> > > hardened-sources-3.14.5-r2 and hardened-sources-3.2.59-r4 contain the
> > > correct fixes from grsec/pax upstream. I'll rapidly stabilize these in a few
> > > days.
> >
> > Does 3.14.5-r2 contain the fix for CVE-2014-0196
> > (https://bugs.gentoo.org/show_bug.cgi?id=509840)?
>
> Yes.

The current recommendation is to use hardened-sources-3.14.5-r2 or hardened-sources-3.2.59-r5 to cover both the pty race and the futex syscall ring 0 exploit. However, there is a known issue, so do not enable KSTACKOVERFLOW. See http://forums.grsecurity.net/viewtopic.php?f=3&t=3970.
This has been taken care of for most branches and arches in gentoo-sources; the only remaining vulnerable ones are those that need stabilization as per bug #510488.

An overview of the patched versions if someone needs to know them:

3.2.58-r3
3.4.91-r1
3.10.41-r1 (stable)
3.12.21-r1 (stable)
3.14.5-r1

Any lower versions in each branch are vulnerable.

Removal of old keywords and ebuilds, as well as masking of newer ebuilds, is done, except for the above bug.
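An added example (not part of this bug or of any Gentoo tool) that turns the gentoo-sources table above into an audit check: it parses category/package-version atoms with Gentoo's `-rN` revision suffix (a missing suffix means `-r0`), compares against the first fixed ebuild of the matching M.m branch, and reports branches or packages the table does not cover instead of guessing. The parser is deliberately simplified and does not handle `_rc`/`_p` suffixes; the installed list at the bottom is a constructed sample.

```python
import re

# First fixed gentoo-sources ebuild per M.m branch, as listed in comment #8 of
# this bug; "any lower versions in each branch are vulnerable".
FIXED = {
    "sys-kernel/gentoo-sources": {
        (3, 2): (3, 2, 58, 3),
        (3, 4): (3, 4, 91, 1),
        (3, 10): (3, 10, 41, 1),
        (3, 12): (3, 12, 21, 1),
        (3, 14): (3, 14, 5, 1),
    },
}

# category/package-version[-rN]; the package name is matched non-greedily so
# the version starts at the first "-<digits>" that reaches the end of the atom.
_CPV = re.compile(
    r"^(?P<pkg>[^/]+/[a-z0-9-]+?)-(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$"
)


def parse_cpv(cpv: str):
    """Split 'sys-kernel/gentoo-sources-3.14.5-r1' into (pkg, (3,14,5), 1)."""
    m = _CPV.match(cpv)
    if not m:
        raise ValueError(f"not a category/package-version atom: {cpv}")
    ver = tuple(int(x) for x in m.group("ver").split("."))
    rev = int(m.group("rev") or 0)  # no -rN suffix is revision 0
    return m.group("pkg"), ver, rev


def status(cpv: str) -> str:
    """Return 'fixed', 'vulnerable', 'unknown branch' or 'unknown package'."""
    pkg, ver, rev = parse_cpv(cpv)
    table = FIXED.get(pkg)
    if table is None:
        return "unknown package"
    fixed = table.get(ver[:2])
    if fixed is None:
        return "unknown branch"  # not in the table: do not assume either way
    ver3 = (ver + (0, 0, 0))[:3]  # pad "3.14" to "3.14.0" before comparing
    return "fixed" if ver3 + (rev,) >= fixed else "vulnerable"


def report(atoms):
    """Map each installed atom to its status (input is a constructed sample)."""
    return {atom: status(atom) for atom in atoms}


INSTALLED = [  # constructed sample, not data from this bug
    "sys-kernel/gentoo-sources-3.12.21-r1",
    "sys-kernel/gentoo-sources-3.14.4",
]

if __name__ == "__main__":
    for atom, st in report(INSTALLED).items():
        print(f"{atom}: {st}")
```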
(In reply to Anthony Basile from comment #7)
> The current recommendation is to use hardened-sources-3.14.5-r2 or
> hardened-sources-3.2.59-r5 to cover both the pty race and the futex syscall ring
> 0 exploit. However, there is a known issue, so do not enable KSTACKOVERFLOW.
> See http://forums.grsecurity.net/viewtopic.php?f=3&t=3970.

I see hardened-sources-3.14.5-r2 is stable now. Has the issue with KSTACKOVERFLOW been resolved? Is it safe to enable on a headless machine? On a KVM guest?
(In reply to Nick Soveiko from comment #9)

This issue is still here. Please read the following thread: http://thread.gmane.org/gmane.linux.gentoo.hardened/6211
CVE-2014-3153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3153): The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
All upstream LTS kernels include the patch; all sys-kernel/gentoo-sources ebuilds except sys-kernel/gentoo-sources-3.4.x have stable ebuilds containing the fix. sys-kernel/gentoo-sources-3.4.x is currently being stabilized in bug 522930.
Unable to check for sanity:
> no match for package: =sys-kernel/gentoo-sources-3.4.113
Resetting sanity check; package list is empty.
Fix in 3.15: https://github.com/torvalds/linux/commit/e9c243a5a6de0be8e584c604d353412584b592f8