
time until dirty cow patch?

Postby figlfdev » Sat Nov 19, 2016 7:59 am

in the next 48-72 hours, i intend to release a version of fig os that patches the dirty cow vulnerability.

the guardian (on oct 21) says it was already patched in debian. you can check to see if your (32-bit) refracta kernel is vulnerable with this command:

uname -a | grep 8u2

if it gives you kernel info, you're good. if not, run uname -a and look for 3.16.36 (the above check only applies to people running the 3.16.0-4 kernel: if it says "+deb8u1" it's vulnerable.)

basically, you can modify files even if they are on a partition mounted as read-only (/sys and /proc are immune because they don't have copy-on-write: "cow" support) and non-root users can modify executables that only root is supposed to be able to write to.

this is what you want for i686 machines: https://packages.debian.org/stable/kern ... -4-686-pae

i would link to the deb but it probably has deps you want to install too. (i will take care of that for fig os, which only has a 32-bit version.)

this is what you want for amd64 machines: https://packages.debian.org/stable/kern ... .0-4-amd64

you may be able to upgrade the kernel from the jessie-security repo. however, i tried this and i'm not sure it downloaded the 8u2 version.

whether this is due to amprolla or something i did, i don't know.

you're not going to be affected by this unless the attacker can run code on your system already. however, it means that every user is basically root. it's a race-condition, but it's not too difficult to exploit.

i try to cater to people running live; since fixing this requires one of the following:

* an upgrade and reboot
* an upgrade and live kernel patching
* a fixed live image (a remaster with a newer kernel version)

fig os 2.4 will feature the latter of those. the current version of fig os is 2.3: https://archive.org/download/Puppy_Linu ... gos2.3.iso https://archive.org/download/Puppy_Linu ... s23.fig.gz

i have little-to-no doubt that the next version of refracta will also fix this; hence the question in the title. it's certainly more "urgent" for live users than installed users.

obviously if someone can run code on your system even as non-root, you have serious problems already-- but this makes it even worse.

info: https://security-tracker.debian.org/tra ... -2016-5195
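The `grep 8u2` check above only matches one exact revision string. Here is a small POSIX shell check, added as an example (not code from this thread or from refracta or fig os), that classifies a jessie 3.16.0-4 kernel as patched, vulnerable or unknown from its `uname -a` line. It assumes the fix is in linux 3.16.36-1+deb8u2 (the package named later in the thread) and that any newer jessie 3.16 upstream level is also fixed; the sample uname lines are constructed.

```shell
#!/bin/sh
# Added example: classify a Debian jessie 3.16.0-4 kernel with respect to
# CVE-2016-5195 (Dirty COW) from a `uname -a` line.
# Assumption: fixed in 3.16.36-1+deb8u2; anything older (3.16.36-1+deb8u1,
# 3.16.7-ckt*) is vulnerable; 3.16.x with x > 36 is newer than the fix.

# dirtycow_status "<uname -a line>"
# prints: patched | vulnerable | unknown   returns: 0 | 1 | 2
dirtycow_status() {
    line=$1
    case "$line" in
        *"3.16.0-4-"*) ;;                       # only the jessie 3.16.0-4 ABI is handled
        *) echo unknown; return 2 ;;
    esac
    # Debian's build string looks like "#1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)";
    # pull out the full package version that follows "Debian ".
    ver=$(printf '%s\n' "$line" | sed -n 's/.*Debian \(3\.16\.[0-9][0-9]*[^ ]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 2; }
    upstream=${ver%%-*}                         # e.g. 3.16.36
    patchlevel=${upstream##*.}                  # e.g. 36
    debrev=${ver#*-}                            # e.g. 1+deb8u2
    case "$debrev" in
        *+deb8u*) sec=${debrev##*+deb8u} ;;     # security revision number
        *)        sec=0 ;;
    esac
    if [ "$patchlevel" -gt 36 ]; then
        echo patched; return 0
    elif [ "$patchlevel" -eq 36 ] && [ "$sec" -ge 2 ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Constructed sample lines (not captured from real machines).
SAMPLE_PATCHED='Linux refracta 3.16.0-4-686-pae #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux'
SAMPLE_DEB8U1='Linux refracta 3.16.0-4-686-pae #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) i686 GNU/Linux'
SAMPLE_OLDER='Linux refracta 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2+deb8u3 (2016-07-02) x86_64 GNU/Linux'
SAMPLE_OTHER='Linux box 4.8.0-1-amd64 #1 SMP Debian 4.8.5-1 (2016-10-28) x86_64 GNU/Linux'

# Report on the kernel this shell is running under.
running=$(dirtycow_status "$(uname -a)") || true
echo "running kernel: $running"
```

Run it on the live system itself; "unknown" means the kernel is not a jessie 3.16.0-4 build and you have to check the version by hand.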

Re: time until dirty cow patch?

Postby fsmithred » Sat Nov 19, 2016 6:29 pm

Unfortunately, the last images were made a few days before the patch was applied. I'll probably update the images soon after the first of the year. I don't see it as an important issue for a couple of reasons. The attacker must be at the computer, and I think most live sessions are started from a fresh boot, so the user is right there. If someone did get access to an unattended live session, they would only need to know the root password, and that's already published on the internet in several places. Once you install it, you can update and get the patched kernel. Then you could also make a new iso with the patched kernel and with a different password.

If you're running a live-usb with full persistence, you can get the security updates, but the updated kernel won't be the one you boot with. You would need to copy it to the appropriate live folder on the first partition of the usb. You could do that while running the live system only if you patched the initrd previously with refracta2usb, and then you'd have to make a new initrd and patch that one. The easier way would be to update/upgrade, copy the new kernel and initrd to some location that's accessible when the live system is not running, plug the stick into a different running system and copy the kernel and initrd to the live folder as vmlinuz and initrd.img (or whatever you call them in your boot menu.)

I ran update/upgrade on my main system a couple weeks ago, and I have the +deb8u2 update.

Re: time until dirty cow patch?

Postby figlfdev » Sun Nov 20, 2016 9:31 am

fsmithred wrote: Unfortunately, the last images were made a few days before the patch was applied. I'll probably update the images soon after the first of the year.

cool. i was able to patch the kernel in the iso without a new initrd or even chroot:

-> wget http://security.debian.org/debian-secur ... 2_i386.deb

-> dpkg-deb -x linux-image-3.16.0-4-686-pae_3.16.36-1+deb8u2_i386.deb /path/to/squashfs-root/

-> cp /path/to/squashfs-root/boot/vmlinuz-3.16.0-4-686-pae /path/to/newiso/live/vmlinuz