[ meltdown & spectre ] Puppy's kernel update ?

For discussions about security.
fabrice_035
Posts: 765
Joined: Mon 28 Apr 2014, 17:54
Location: Bretagne / France

[ meltdown & spectre ] Puppy's kernel update ?

#1 Post by fabrice_035 »

Hi,

Puppy developers, can you tell me if there is any hope of seeing a patch/update for Puppy? (like Tahrpup)

Regards.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#2 Post by s243a »

Upgrade the kernel. Until then, just be careful about what you install and stay away from untrusted web sites.

I don't believe that these attacks have been demonstrated from a browser script, but if you are worried, maybe turn off JavaScript or alternatively install a script blocker like NoScript and only allow scripts from trusted sites.

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#3 Post by Sailor Enceladus »

My impression, from compiling 4.4.110 in Puduan with kernel-kit and seeing no sign of the Meltdown Kaiser/KPTI patch being used, is that you have to add CONFIG_PAGE_TABLE_ISOLATION=y to the "Security options" part of the kernel config for it to work, so I'm building it again with that line added, this time in Slacko 5.7.1 woof-CE. Maybe I'll post the kernel here when it's done. :)

edit: Then again I compiled it as 32-bit nopae last time, and I read somewhere that the exploit can read RAM in the 4GB range, so maybe 32-bit nopae kernels are already exempt from the issue? The one I'm building this time is 4.4.110 32-bit pae though.
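The question Sailor Enceladus raises above (no sign of KPTI in a 4.4.110 built with kernel-kit, and whether a 32-bit build needs it at all) can be answered from the kernel's .config. The script below is an added example and is not part of this thread, kernel-kit or woof-CE. It distinguishes the option being set, the option being offered but switched off, and the option not being offered at all. The last case is what a 32-bit build gets: in the 4.4 and 4.14 series KPTI backports the PAGE_TABLE_ISOLATION symbol depends on X86_64, and 32-bit PTI only arrived upstream in 4.19, so a 32-bit PAE or no-PAE 4.4.110 is not exempt, it simply has no KPTI to turn on. The sample configs inside the script are constructed, not real Puppy configs; the check of the running kernel assumes either /proc/config.gz (CONFIG_IKCONFIG_PROC) or /boot/config-$(uname -r) exists.

```shell
#!/bin/sh
# Added example, not from the thread, kernel-kit or woof-CE.
# Classify a kernel .config by what it says about KPTI.
#
# kpti_in_config FILE -> prints exactly one of:
#   enabled            CONFIG_PAGE_TABLE_ISOLATION=y
#   disabled           symbol offered by Kconfig but switched off
#   unavailable        64-bit x86 tree that predates the KPTI backport
#   unavailable-32bit  anything else; for the x86 configs this script assumes,
#                      that is a 32-bit build, where the backports never offer
#                      the symbol (32-bit PTI came with 4.19)
kpti_in_config() {
    cfg="$1"
    if grep -qxF 'CONFIG_PAGE_TABLE_ISOLATION=y' "$cfg"; then
        echo enabled
    elif grep -qxF '# CONFIG_PAGE_TABLE_ISOLATION is not set' "$cfg"; then
        echo disabled
    elif grep -qxF 'CONFIG_X86_64=y' "$cfg"; then
        echo unavailable
    else
        echo unavailable-32bit
    fi
}

# check_running_kernel -> classification of the kernel currently booted,
# taken from /proc/config.gz if the kernel embeds its config, else /boot.
check_running_kernel() {
    if [ -r /proc/config.gz ]; then
        t=$(mktemp) && zcat /proc/config.gz > "$t" && kpti_in_config "$t"
        rm -f "$t"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        kpti_in_config "/boot/config-$(uname -r)"
    else
        echo "no config found for $(uname -r)"
    fi
}

# classify LABEL CONTENT -> writes CONTENT to a temp file and prints its verdict.
# The contents passed below are constructed samples, not real Puppy configs.
classify() {
    t=$(mktemp)
    printf '%b' "$2" > "$t"
    printf '%-20s %s\n' "$1" "$(kpti_in_config "$t")"
    rm -f "$t"
}

classify '64-bit, KPTI on:'  'CONFIG_X86_64=y\nCONFIG_PAGE_TABLE_ISOLATION=y\n'
classify '64-bit, KPTI off:' 'CONFIG_X86_64=y\n# CONFIG_PAGE_TABLE_ISOLATION is not set\n'
classify '64-bit, old tree:' 'CONFIG_X86_64=y\nCONFIG_SMP=y\n'
classify '32-bit PAE:'       'CONFIG_X86_32=y\nCONFIG_X86_PAE=y\n'
printf '%-20s %s\n' 'running kernel:' "$(check_running_kernel)"
```

When the answer for a kernel-kit build is "unavailable", the source tree is older than the stable release that carried KPTI for that series, so adding the line to the config does nothing; the tree itself has to be newer.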

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#4 Post by belham2 »

s243a wrote:Upgrade the kernel. Until then, just be careful about what you install and stay away from untrusted web sites.

I don't believe that these attacks have been demonstrated from a browser script, but if you are worried, maybe turn off JavaScript or alternatively install a script blocker like NoScript and only allow scripts from trusted sites.


s243a,

So should we view "murga-linux" as a trusted site, given the bazillions of downloads of scripts it has in its memory banks? You know, all those "remove the fake.gz" and/or links to downloads....and all of it so thoughtfully done over http and not that stupid thing of https?

Beware of what lurks in our house :lol: :wink:

fabrice_035
Posts: 765
Joined: Mon 28 Apr 2014, 17:54
Location: Bretagne / France

#5 Post by fabrice_035 »

@s243a
Upgrade the kernel
-> expert way <-
Of course, download the original kernel, patch, recompile... I tried this :? It's too hard for me, and the same for many users, I think :oops:

Share your experience plz.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#6 Post by s243a »

belham2 wrote:
s243a wrote:Upgrade the kernel. Until then, just be careful about what you install and stay away from untrusted web sites.

I don't believe that these attacks have been demonstrated from a browser script, but if you are worried, maybe turn off JavaScript or alternatively install a script blocker like NoScript and only allow scripts from trusted sites.


s243a,

So should we view "murga-linux" as a trusted site, given the bazillions of downloads of scripts it has in its memory banks? You know, all those "remove the fake.gz" and/or links to downloads....and all of it so thoughtfully done over http and not that stupid thing of https?

Beware of what lurks in our house :lol: :wink:
If you don't trust those then you don't have to use them, or alternatively review the source for security issues. One could also web-scrape the forum and compile a list of checksums. The checksums could be stored somewhere more secure like Freenet. If an old file changes its checksum then that is very suspicious.

Maybe Flash could pull this info from the forum monthly and publish the info to Freenet. I'm not singling out anyone else's house, but Puppy, by nature of being a minimal distribution, has security advantages.

If you really want to get religious about this, though, then what you need is a PGP web of trust. Also note that there is nothing stopping people from signing their downloads with a PGP signature, and as an added bonus, unlike SSL, it doesn't rely on a central authority.

Also note that an attacker usually tries to maximize the number of people they can target with the least effort. Typically they would be more interested in targeting one of the most used Linux distributions and getting a large percentage of the users rather than targeting one ranked 10 or lower on DistroWatch and only getting a few of the users. Also, most attacks aren't sophisticated and rely on social engineering rather than exploiting an esoteric vulnerability. There is also no indication yet that any of the above attacks have been used in the wild.

But then again, if the target is interesting enough to the right people (e.g. intelligence agencies) then I'm sure that these attacks will be tried.
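The checksum baseline s243a proposes above (record hashes of the forum's downloads once, raise an alarm when an old file's hash changes) is a few lines of shell. The script below is an added example, not code from the thread, the forum or any Puppy tool. It builds a manifest of SHA-256 hashes for a directory, re-checks that directory later, and reports files that changed, disappeared or appeared. The files it creates are constructed samples. It assumes sha256sum (coreutils or busybox) and file names without newlines. The manifest only proves something if it is kept where whoever can alter the downloads cannot also alter it, which is the point of publishing it somewhere else, and a PGP signature over the manifest is the natural next step.

```shell
#!/bin/sh
# Added example, not from the thread or the forum: a SHA-256 baseline for a
# directory of downloaded files, built once and re-checked later.
# Assumes sha256sum (coreutils/busybox) and paths without newlines.

# make_manifest DIR -> "hash  ./relative/path" lines on stdout, sorted by path
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k 2
}

# check_manifest MANIFEST DIR -> prints CHANGED / MISSING / NEW lines,
# exit status 1 if anything differs from the baseline, 0 if all matches
check_manifest() {
    m="$1"; d="$2"; rc=0
    # every baseline entry must still exist with the same hash
    while read -r sum path; do
        if [ ! -f "$d/$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum "$d/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$m"
    # anything on disk the baseline never listed; in sha256sum output the
    # path starts at column 67 (64 hex digits plus two spaces)
    new=$( (cd "$d" && find . -type f) | while read -r path; do
               cut -c67- "$m" | grep -qxF -- "$path" || echo "NEW $path"
           done )
    if [ -n "$new" ]; then echo "$new"; rc=1; fi
    return $rc
}

# Demonstration on constructed files: baseline, tamper with one, re-check.
demo() {
    w=$(mktemp -d)
    mkdir "$w/downloads"
    printf 'echo hello\n' > "$w/downloads/fix.sh"    # constructed sample
    printf 'pet data\n'   > "$w/downloads/tool.pet"  # constructed sample
    make_manifest "$w/downloads" > "$w/manifest"
    echo '-- baseline --'; cat "$w/manifest"
    printf 'echo hello; echo not what was posted\n' > "$w/downloads/fix.sh"  # tampered
    echo '-- recheck --'
    check_manifest "$w/manifest" "$w/downloads" || echo 'baseline mismatch, do not run these'
    rm -rf "$w"
}
demo
```

A manifest built from the forum once a month and republished elsewhere only catches silent replacement of old files; a file that is legitimately re-uploaded will also show as CHANGED, so the maintainer has to explain each change, which is exactly the accountability a signature would give for free.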

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

A list of apparently affected CPUs

#7 Post by ozsouth »

Note: the Prefbar browser addon allows the user to toggle JavaScript & Flash on/off as required.

Apparently affected CPU list: https://www.techarp.com/guides/complete ... wn-spectre

EDIT: Corrected link - all apparently affected CPU list
Last edited by ozsouth on Tue 09 Jan 2018, 05:39, edited 1 time in total.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

Re: A list of apparently affected CPUs

#8 Post by musher0 »

ozsouth wrote:Note: the Prefbar browser addon allows the user to toggle JavaScript & Flash on/off as required.

Apparently affected CPU list: https://www.techarp.com/guides/complete ... spectre/4/
Hello ozsouth and all.

I can't seem to find a similar list for AMD CPUs.
Some articles say they are also affected.
Does anybody have a lead? TIA.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

#9 Post by ozsouth »

see 2 posts up

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#10 Post by musher0 »

Ah. It's on another page of that article:
https://www.techarp.com/guides/complete ... ectre/#amd
Thanks, ozsouth.

Edit -- Phew. AMD "Turion line" CPUs are not affected.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

My summary (as requested)

#11 Post by ozsouth »

Apparently affected CPU list - https://www.techarp.com/guides/complete ... wn-spectre

Intel support notes - https://www.intel.com/sa-00086-support

Prefbar mozilla addon toggles javascript & flash on/off.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

Re: My summary (as requested)

#12 Post by s243a »

ozsouth wrote:
Intel support notes - https://www.intel.com/sa-00086-support

Prefbar mozilla addon toggles javascript & flash on/off.
I wonder what this means:

"The vulnerability identified in CVE-2017-5712 is exploitable remotely over the network in conjunction with a valid administrative Intel® Management Engine credential. The vulnerability is not exploitable if a valid administrative credential is unavailable."

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: My summary (as requested)

#13 Post by belham2 »

ozsouth wrote:Apparently affected CPU list - https://www.techarp.com/guides/complete ... wn-spectre

Intel support notes - https://www.intel.com/sa-00086-support

Hi Ozsouth!

Thank you for that link...by far the easiest and most understandable discussion of Spectre 1/2 & exactly which chips are affected.

After going through the list, I am feeling a whole lot better. This is one time having a bit dated (but still working great) hardware & chips has paid off enormously. Not one single AMD desktop chip in my house is on the list. Woohooo! I do have one Intel chip (in a laptop) on the list, but I took it completely out of commission 3 days ago & it will stay that way probably forever, since Intel is passing the buck to the mftr of the laptop & saying it's them (and not Intel) that'll provide the BIOS update fixes. Of course, mftrs of older laptops with affected Intel chips are currently doing no such thing, and I've been told they've no plans to. From what I've heard, not HP, not Asus, not Sony, not Dell, not a one of them is going to support/provide BIOS updates for affected Intel chips from 2010-2013. They are just saying they've dropped support for those, and you've got to buy a new laptop that is still under support. Geez, and they wonder why their customer ratings are near non-existent.

Anyhow, thanks again for the links.

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

My mitigation

#14 Post by ozsouth »

Re the OP's question, I don't expect Slacko64 k4.4 will be updated. Other pups may be. New pups based on patched kernels will eventually be released, so mitigate in the interim if, like me, you have processors in the 'twilight zone' - on the affected list, but not getting updates (5-8 years old).

Hence I have a full install for most work, with javascript & flash toggled off, & do my secure stuff quickly on a frugal install on that laptop, then reboot.

ac2011
Posts: 134
Joined: Wed 09 Feb 2011, 08:22

#15 Post by ac2011 »

musher0 wrote:Ah. It's on another page of that article:
https://www.techarp.com/guides/complete ... ectre/#amd
Thanks, ozsouth.

Edit -- Phew. AMD "Turion line" CPUs are not affected.
Or perhaps just too old to be listed? I have a couple of T7600 Intel Core 2 Duo machines that also aren't on that list. I don't see what, if anything, would make them invulnerable to Spectre, though. It may just be the case that these machines are too old for Intel/AMD to even bother testing.

Not trying to alarm you, just saying that absence of proof is not proof of absence. I would like to see a list of CPUs that have been tested as definitely *not* affected. That would be more useful.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: My summary (as requested)

#16 Post by belham2 »

ozsouth wrote:Apparently affected CPU list - https://www.techarp.com/guides/complete ... wn-spectre

Intel support notes - https://www.intel.com/sa-00086-support

Prefbar mozilla addon toggles javascript & flash on/off.

Hi Ozsouth,

Trying to access "techarp" today to show a few friends the lists, and am getting weird behavior from the techarp site. First, it keeps trying to reload our browsers (shut them down and restart them--and we are on different machines, and different LANs). Even more weirdly, when we won't let it do that, it pops up the pic below. Gotta ask: do you use this site often? Are they legit? Had never heard of them until yesterday and now I am circumspect given this behavior their site is displaying. The scripts on the main page are aggressive in attempting to do things to each different browser we tried (Firefox, Palemoon, Chrome), but we have the browsers set up so that JavaScript is disabled. Darn weird...it didn't do this to me yesterday when I looked the 1st time.

(This pic below was snapped after a full 1-2 minutes passed)
Attachment: screenshot.jpg (42.1 KiB)

mostly_lurking
Posts: 328
Joined: Wed 25 Jun 2014, 20:31

#17 Post by mostly_lurking »

belham2 wrote:Trying to access "techarp' today to show a few friends the lists, and am getting weird behavior from the techarp site.
They are running some DDoS protection software. (I've seen that before on other sites.) Enable Javascript and cookies and you should be able to get in.
musher0 wrote:AMD "Turion line" CPUs are not affected.
ac2011 wrote:Or perhaps just too old to be listed? I have a couple of T7600 Intel Core 2 Duo machines that also aren't on that list. I don't see what, if anything, would make them invulnerable to Spectre, though. It may just be the case that these machines are too old for Intel/AMD to even bother testing.
The list contains AMD workstation processors going as far back as 2011, but desktop/mobile processors only for 2015-2017. Unless home PC CPUs didn't receive the features that made them vulnerable until 2015, it looks like a case of "didn't bother testing older ones".

Marv
Posts: 1264
Joined: Wed 04 May 2005, 13:47
Location: SW Wisconsin

#18 Post by Marv »

Linux 32 bit kernels and 64 bit kernels handle memory spaces quite differently. Here is one reference https://lwn.net/Articles/738975/. There may be better. I haven't yet seen a 32 bit kernel with the kpti patches verifiably enabled and am trying to understand whether that is due to the greater pressure to patch the 64 bit ones or to the difference in memory handling affecting meltdown & spectre vulnerability. Any help in understanding this part of the issue?

Edit 11/01/2018: Having made no progress at all with 32-bit kernels, I extracted the 64b 4.14.12 from Fatdog64 721 Final (Thanks Kirk, James, SFR and step) and am running LxPupSc 18.01 +2T with it. kpti enabled, meltdown protected, but microcode not working yet on my i5 so still spectre vulnerable. Inch by inch... later, also running and meltdown protected in battleshooters xfce xenialpup64. My i5 is probably outside Intel's 5 year fix window, hence the microcode not working. Confirmed that the latest ucode doesn't include the 2520 though Intel claims it does. Microcode loading is working correctly on that kernel so I'll probably use it across the board for now.

Edited later on 11/01/2018 to add attachment and update microcode stuff.
Attachment: Screenshot.png (46.52 KiB) - "Grrrrrrr on intel"
Pups currently in kennel :D Older LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64 and upupEF for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.
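Marv's status check above (KPTI on, Meltdown mitigated, Spectre still open because no newer microcode loaded) comes from three places the kernel exposes, and it can be scripted. The following is an added example, not Marv's code and not anything shipped with Puppy or Fatdog. It reads the per-issue files under /sys/devices/system/cpu/vulnerabilities/ (introduced with 4.15 and backported to the stable series in January 2018; on an older kernel they are simply absent and the script says so), looks for the "pti" flag in /proc/cpuinfo, and prints the microcode revision the kernel reports. All paths are parameters, and a constructed fixture with made-up values stands in for a real machine so the script runs anywhere. It also covers the 32-bit case Marv asks about: a 32-bit kernel of that era reports its meltdown entry as Vulnerable because it has no PTI to enable.

```shell
#!/bin/sh
# Added example, not Marv's code and not shipped with Puppy or Fatdog.
# Summarise the kernel's own Meltdown/Spectre verdict plus the two
# /proc/cpuinfo items Marv relied on (the "pti" flag and the microcode field).
# Paths are parameters so the functions work on a live system or on the
# constructed fixture built by make_fixture.

# vuln_status SYSFS_DIR NAME -> the file's contents, or "no-sysfs-entry" when
# the kernel predates the vulnerabilities interface
vuln_status() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo no-sysfs-entry; fi
}

# mitigated SYSFS_DIR NAME -> exit 0 only when the kernel reports "Mitigation: ..."
# ("Not affected" and "Vulnerable..." both count as not mitigated here)
mitigated() {
    case "$(vuln_status "$1" "$2")" in
        Mitigation:*) return 0 ;;
        *)            return 1 ;;
    esac
}

# cpu_has_flag CPUINFO FLAG -> exit 0 when FLAG appears in the first "flags" line
cpu_has_flag() {
    awk -v want="$2" '
        /^flags[[:space:]]*:/ { for (i = 1; i <= NF; i++) if ($i == want) found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# microcode_rev CPUINFO -> revision as the kernel prints it, first CPU only
microcode_rev() {
    awk -F: '/^microcode/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# report SYSFS_DIR CPUINFO -> one line per item; exit 0 only when meltdown,
# spectre_v1 and spectre_v2 all carry a mitigation
report() {
    ok=0
    for v in meltdown spectre_v1 spectre_v2; do
        printf '%-11s %s\n' "$v:" "$(vuln_status "$1" "$v")"
        mitigated "$1" "$v" || ok=1
    done
    if cpu_has_flag "$2" pti; then f=present; else f=absent; fi
    printf '%-11s %s\n' "pti flag:" "$f"
    printf '%-11s %s\n' "microcode:" "$(microcode_rev "$2")"
    return $ok
}

# make_fixture DIR -> constructed sysfs/cpuinfo snapshot with made-up values,
# shaped like a KPTI-patched 64-bit kernel on a CPU without new microcode
make_fixture() {
    mkdir -p "$1/vulnerabilities"
    echo 'Mitigation: PTI'                           > "$1/vulnerabilities/meltdown"
    echo 'Vulnerable'                                > "$1/vulnerabilities/spectre_v1"
    echo 'Vulnerable: Minimal generic ASM retpoline' > "$1/vulnerabilities/spectre_v2"
    printf 'processor\t: 0\nmodel name\t: constructed sample CPU\nmicrocode\t: 0x1f\nflags\t\t: fpu vme de pse sse2 ht nx lm pti\n' > "$1/cpuinfo"
}

if [ -r /proc/cpuinfo ]; then
    echo '== running system =='
    report /sys/devices/system/cpu/vulnerabilities /proc/cpuinfo || true
fi
fx=$(mktemp -d); make_fixture "$fx"
echo '== constructed fixture =='
report "$fx/vulnerabilities" "$fx/cpuinfo" || true
rm -rf "$fx"
```

The microcode line is the one to compare against the revision a vendor-supplied update package or a BIOS update claims to carry; if the kernel still prints the old revision after the early loader ran, the update did not include that CPU, which is what Marv found for his i5.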

autumnleaves
Posts: 125
Joined: Sat 08 Jan 2011, 01:24

Kernel update?

#19 Post by autumnleaves »

Is there a kernel update for dummies file somewhere? Tahrpup 64 6.0.6

souleau
Posts: 148
Joined: Sun 23 Oct 2016, 15:24

#20 Post by souleau »

Okay, so the situation with me is that I am running Puppy Precise 5.7.1 on a machine with an AMD Athlon 3000+ processor.

I am very happy with this setup since it has been tweaked to cater to my preferences over a long period of time.

Now, patches for Ubuntu Precise are only available for Ubuntu Advantage customers with Extended Security Maintenance. So if I want security I should basically switch to another Puppy.

But I don't want to.

If I understand correctly, my CPU is only vulnerable to one form of the Spectre exploit, which in itself is the more difficult one to accomplish.
So the question really is, am I a reckless idiot for thinking the risks are negligible if I don't do anything at all?
