
CVE 2013-1763 - Linux Kernel local root exploit

Posted: 18. May 2013, 00:09
by zazlox
hello everybody


I read lately about an exploit for the local Linux kernel, CVE 2013-1763

http://www.h-online.com/security/news/i ... 63892.html


They say that the bug affects:

The bug affects any kernel version between 2.6.37 and 3.8.9 that was compiled using the PERF_EVENTS option; apparently, this is the case with many distributions. Which exact distributions are affected will hopefully soon become clear when the relevant security


As my system Salix OS right now is on:

zaz[~]$ uname -r
3.2.29-smp
zaz[~]$ 


So my question (as a noob and a beginner in this world): are we safe???

Anything to do? Updates? Upgrades?

Re: CVE 2013-1763 - Linux Kernel local root exploit

Posted: 18. May 2013, 16:26
by gapan
zazlox wrote: are we safe???
No.
zazlox wrote: anything to do? updates? upgrades?
Other than building your own updated kernel (which isn't that hard, there should be a page in the wiki), you can wait for Pat Volkerding to update the kernel in slackware (when and if that happens).

Re: CVE 2013-1763 - Linux Kernel local root exploit

Posted: 21. May 2013, 04:08
by GJones
You could try the GrSecurity kernel patchset, which does things to mitigate the impact of such kernel holes. It also comes with a MAC system, but doesn't have to be used with that. Note that if you go with GrSec, you might want to disable mprotect() restriction under PaX options, because that will make Firefox and Opera not work at all.

Otherwise I don't think much can be done to prevent kernel exploits. You could enable stack smashing protection at compile time maybe, not sure how much that's worth? Also make sure vm.mmap_min_addr is set to a reasonable value (65536 should do it on x86), and that address space layout randomization is not disabled (or that kernel.randomize_va_space is set to 2). ASLR can protect you from certain userspace exploits, and is NOT fully enabled by default on Salix for some reason.

That said, if you really think there's a danger of getting compromised, you might be better served by a distro that GPG-signs its packages and issues regular kernel updates.

P.S. Use Noscript. Or at least enable click-to-play for all plugins, and disable Java plugin if possible. At the moment the main use of Java applets seems to be in writing cross-platform malware installers. Worse, most Java exploits are IIRC due to design flaws, not memory management issues, so GrSecurity and such will NOT protect from them. (Not without the MAC part anyway.)
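The two checks this thread boils down to, the affected version range quoted in the first post (2.6.37 to 3.8.9 with PERF_EVENTS compiled in) and the sysctl hardening values GJones lists, as an added POSIX sh example that is not from any poster; the version string, kernel config path and sysctl values are passed in as arguments so it can be exercised on constructed input, and the sample config it writes is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Feed it `uname -r`, /boot/config-$(uname -r)
# and `sysctl -n ...` values on a real box; here constructed values are used.

# Turn "3.2.29-smp" into a sortable integer: 3002029. Suffix after the first "-"
# is dropped; missing fields count as 0 (awk prints %d of "" as 0).
ver_num() {
    printf '%s\n' "${1%%-*}" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# True (exit 0) when the version lies inside 2.6.37 .. 3.8.9 inclusive.
kernel_in_affected_range() {
    n=$(ver_num "$1")
    [ "$n" -ge 2006037 ] && [ "$n" -le 3008009 ]
}

# True when the given kernel config file has PERF_EVENTS switched on.
perf_events_enabled() {
    grep -qx 'CONFIG_PERF_EVENTS=y' "$1"
}

# Both conditions from the h-online quote must hold. $1 = version, $2 = config path.
kernel_vulnerable() {
    kernel_in_affected_range "$1" && perf_events_enabled "$2"
}

# sysctl checks from the post above: full ASLR is 2, mmap_min_addr >= 65536 on x86.
aslr_fully_enabled() { [ "$1" -eq 2 ]; }
mmap_min_addr_ok()   { [ "$1" -ge 65536 ]; }

# Constructed sample config (not a real distribution file); prints its path.
sample_config() {
    f=$(mktemp)
    printf 'CONFIG_SMP=y\nCONFIG_PERF_EVENTS=y\n# CONFIG_DEBUG_INFO is not set\n' > "$f"
    echo "$f"
}

# Stand-alone run on the kernel version from the first post.
cfg=$(sample_config)
if kernel_vulnerable "3.2.29-smp" "$cfg"; then
    echo "3.2.29-smp with PERF_EVENTS: inside the affected range, update the kernel"
else
    echo "3.2.29-smp: outside the affected range or PERF_EVENTS not built in"
fi
aslr_fully_enabled 0 || echo "randomize_va_space=0: set kernel.randomize_va_space=2"
mmap_min_addr_ok 4096 || echo "mmap_min_addr=4096: raise vm.mmap_min_addr to 65536"
rm -f "$cfg"
```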

Re: CVE 2013-1763 - Linux Kernel local root exploit

Posted: 21. May 2013, 14:25
by GJones
FWIW the Slackware team just issued a kernel update, which should work on Salix too. It seems that Slackware does in fact issue kernel updates sometimes. :) Not bad.

Edit: for the record, slapt-get withholds kernel updates by default, so those who update will have to slapt-get -i the specific packages.

Re: CVE 2013-1763 - Linux Kernel local root exploit

Posted: 21. May 2013, 20:45
by mimosa
GJones wrote: Edit: for the record, slapt-get withholds kernel updates by default, so those who update will have to slapt-get -i the specific packages.
There are one or two other things you'd need to do too, which is why those packages are excluded. Anyone who is unsure should look into the process carefully first, otherwise you will end up with a crippled system.

Re: CVE 2013-1763 - Linux Kernel local root exploit

Posted: 21. May 2013, 21:24
by GJones
Umm yeah, you have to run LILO afterwards. Sorry I didn't mention that. :o

Re: CVE 2013-1763 - Linux Kernel local root exploit

Posted: 21. May 2013, 22:03
by mimosa
It's a kernel upgrade, and so only for those who know what they're doing. Quite what might be involved depends on each user's situation and knowledge. For the record: if in doubt, it's probably not worth it.

Re: CVE 2013-1763 - Linux Kernel local root exploit

Posted: 22. May 2013, 02:47
by gaucho
Hi, mimosa,

Thank you for the explanation. :) Those packages appeared as "Upgradeable" today, and I was wondering why ... When I noticed that they were all kernel-related and were excluded (displaying with the padlock icon), I backed off and decided I should do some more research before proceeding.

I'm willing to take the small risk of an exploit and leave things as they are.

Re: CVE 2013-1763 - Linux Kernel local root exploit

Posted: 22. May 2013, 06:55
by mimosa
I think GJones is probably right that the only concern is Lilo. If you have a multi-boot setup, though, depending on what else is on the machine (in particular, anything using a kernel other than the new Slackware 14.0 one), a bit of tinkering might be needed first; and the forum is full of posts from users who came unstuck in such situations. I don't know about grub.

If it was me though, I'd check carefully first that there is indeed nothing else to worry about apart from the bootloader. I'm scratching my head and wondering how all those packages in the repos that were built against the old kernel will run under the new one. Perhaps it's a patched version of the same kernel (same version number)?

I should say I'm not running Salix 14.0 (I used Slackel rather than upgrading the kernel to cope with some unsupported hardware) which is why I'm not being more specific!

Re: CVE 2013-1763 - Linux Kernel local root exploit

Posted: 22. May 2013, 10:01
by laprjns
mimosa wrote: I think GJones is probably right that the only concern is Lilo.
Depending on what you have installed on your system you may also have to rebuild kernel modules like nVidia proprietary and Virtualbox drivers. So don't forget to install the kernel source for the new kernel.