Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Fri 19 Dec 2014, 11:20
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Kernel Exploit v2.6.37 ~ v3.8.9
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 1 [11 Posts]  
Author Message
Q5sys


Joined: 11 Dec 2008
Posts: 1074

PostPosted: Thu 16 May 2013, 22:18    Post subject:  Kernel Exploit v2.6.37 ~ v3.8.9
Subject description: Public release date: 05/14/2013
 

This affects all Kernels from 2.6.37 through 3.8.9 if they were built with the PERF_EVENTS option.

Exploit report can be found here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094

Quote:
The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.


Just an FYI. Shouldn't affect us much since we run as root anyway, but being aware is always beneficial.

_________________



Back to top
View user's profile Send private message Visit poster's website 
tytower

Joined: 24 Feb 2007
Posts: 440
Location: Green Island Cairns for the winter

PostPosted: Fri 17 May 2013, 23:16    Post subject:  

I don't think publishing such material is helpful to the general user .
I'm not a newbie but I have no idea how to use this to my advantage but I might go off and have a look if you post it here .

Secondly it will scare the average user into thinking about unknown security worries which all systems have but now this post focuses the worry unnecessarily on Puppy

I would suggest a separate area for such security issues might be more covert and access given on request rather than just being randomly published for all to read . What do you think ?

_________________
Neither my Family nor my Property are Government issues. Governments should do what they were designed to do Manage the larger issues best done by Governments
To stop corruption give them 3 times the penalty. Get their agreement on first employment.
Back to top
View user's profile Send private message 
Q5sys


Joined: 11 Dec 2008
Posts: 1074

PostPosted: Fri 17 May 2013, 23:33    Post subject:  

tytower wrote:
I don't think publishing such material is helpful to the general user .
I'm not a newbie but I have no idea how to use this to my advantage but I might go off and have a look if you post it here .

Whether a user takes advantage of this information is their personal choice. If they dont care, they can simply move along to another thread. If they do care, and they choose to look into this, that's their choice. If they has no care to educate himself/herself about this... that's their choice as well.

tytower wrote:
Secondly it will scare the average user into thinking about unknown security worries which all systems have but now this post focuses the worry unnecessarily on Puppy

Did you read the last line of my post? This is not intended to scare anyone. It's an FYI, so ifs something someone does care about they can look into it, and address that issue for themselves. This kernel issue effects ALL linux distros. So it's not focusing anything on puppy. And the security issue isnt unknown... its very known thats why its being publicly discussed. To raise awareness so people can (if they choose) address this problem.

tytower wrote:
II would suggest a separate area for such security issues might be more covert and access given on request rather than just being randomly published for all to read . What do you think ?


Uh... its in the Security forum. Besides, one of the strengths of Open Source Development is that when bugs and flaws are found they are openly discussed and talked about so that:

A.) they can be fixed and everyone can be aware that they NEED to fix it.
B.) So people can learn and hopefully not have to deal with the same problem again.

Keeping Flaws and bugs secret and private only works to the advantage of those who wish to exploit those flaws to exploit other peoples systems.

Besides... if this information was needed to be kept 'covert'... the US Government would NOT be publicly releasing it. And the Linux Kernel Developers would also not be publicly releasing it.

_________________



Back to top
View user's profile Send private message Visit poster's website 
tytower

Joined: 24 Feb 2007
Posts: 440
Location: Green Island Cairns for the winter

PostPosted: Sat 18 May 2013, 05:36    Post subject:  

Yes well when you are prepared to step back and have another read, the important part is not to scare Puppy users and you do .

It is hard enough getting people to try Puppy or any Linux distro without giving them a reason not to.

Don't you think my suggestion of a closed area with entry as needed is a sensible approach? After all, only the very experienced would know what you are talking about anyway.

_________________
Neither my Family nor my Property are Government issues. Governments should do what they were designed to do Manage the larger issues best done by Governments
To stop corruption give them 3 times the penalty. Get their agreement on first employment.
Back to top
View user's profile Send private message 
01micko


Joined: 11 Oct 2008
Posts: 7841
Location: qld

PostPosted: Sat 18 May 2013, 08:12    Post subject:  

Putting this in perspective, an attacker would have to be in your system anyway, so as long as you have the usual precautions in place then the is no need to panic! Smile
_________________
Woof Mailing List | keep the faith Cool |
Back to top
View user's profile Send private message Visit poster's website 
Q5sys


Joined: 11 Dec 2008
Posts: 1074

PostPosted: Sat 18 May 2013, 09:20    Post subject:  

tytower wrote:
Yes well when you are prepared to step back and have another read, the important part is not to scare Puppy users and you do .

I presented a simple factual statement. That statement in and of itself is not scary or threatening or anything else. How a person chooses to take that statement has nothing to do with me. It has everything to do with them. Since I have no control over the behavior of others, I see no reason to try to censor myself because it 'might' scare someone.


tytower wrote:
It is hard enough getting people to try Puppy or any Linux distro without giving them a reason not to.

If someone is concerned about Computer exploits... then they'd already be using linux since its more secure than Windows by orders of magnitude. Anyone who would choose not to use linux because of the few flaws or explots. Microsoft had 131 security exploits that were publicly confirmed in the last 3 months.
Since microsoft's code is closed source, its harder for exploits to be publicly found and fixed. This is why its so much more exploitable. The Linux Kernel on the other hand has thousands and thousands of people looking at it all the time. That's why problems are found and fixed so much quicker.
Between the Linux Kernel and the Windows Kernel... the Linux Kernel is far more secure and stable. Someone who wants a secure Operating System would not be scared of linux because an exploit every once in a while.
And if en exploit was enough to stop someone from trying an OS... well they might as well never use a computer ever again.

tytower wrote:
Don't you think my suggestion of a closed area with entry as needed is a sensible approach? After all, only the very experienced would know what you are talking about anyway.

No I dont think its a sensible approach. Knowledge deserves to be free for those that want to learn. Free access to information allows everyone to learn and grow. Closing it off so 'only certain people' have access is dangerous. It doesnt matter if only a few would know how to use it. If someone see this and doesnt understand it... they have the freedom to choose to either A.) Just go and read something else, or B.) Decide to try to learn what all this means and grow.

Stepping to the side for a moment, from your signature I thought you'd be sensible about not keeping information private. But perhaps you are one of those who believes the Government when they say they need to keep all their information and records secrets for 'our' good. Governments love to restrict access to information because they are aware that knowledge is power, and they want to limit the ability for anyone to use that information against them.

Linux is not a dictatorship where certain people control information. It's freely open to anyone who wants it.

01micko wrote:
Putting this in perspective, an attacker would have to be in your system anyway, so as long as you have the usual precautions in place then the is no need to panic! Smile

Agreed, no reason to panic. And as I said in my first post, since we run as root anyway, its usefulness is limited. However since there are developers here who are working to create more robust multi-user systems, this may be of interest to them when they are trying to build a new release and are thinking about what kernel version to use.
I'm wondering if the patch will get back ported to the LTS kernel.

_________________



Back to top
View user's profile Send private message Visit poster's website 
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11180
Location: Arizona USA

PostPosted: Sat 18 May 2013, 09:35    Post subject:  

Since users of a shared OS are often the intended targets of attacks, the solution - provided by Puppy Smile - is to give each user his or her own multisession DVD and teach them how to use it. That way, any malware they may pick up while running as root is not shared by other users of the OS. It is either deleted if they shut down without saving, or saved in a session on the DVD where it can be isolated and examined.
Back to top
View user's profile Send private message 
James C


Joined: 26 Mar 2009
Posts: 5970
Location: Kentucky

PostPosted: Sat 18 May 2013, 10:03    Post subject:  

http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

Quote:
The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles.

Now that a fix is available in the kernel, it will be folded into all of the affected stable kernel releases offered by kernel.org, which maintains the Linux core code. Individual distributions are expected to apply the fix to their kernels and publish security updates in the coming days.
Back to top
View user's profile Send private message 
Q5sys


Joined: 11 Dec 2008
Posts: 1074

PostPosted: Sat 18 May 2013, 12:28    Post subject:  

James C wrote:
http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

Quote:
The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles.

Now that a fix is available in the kernel, it will be folded into all of the affected stable kernel releases offered by kernel.org, which maintains the Linux core code. Individual distributions are expected to apply the fix to their kernels and publish security updates in the coming days.



I swear ars has something against the linux community. Any chance they get to talk trash they do. Most Linux Kernel devs openly state that anything can be a vulnerability. (which is true). This tends to make some people feel like they dont focus enough on security. Linus has made countless comments about the 'security above everything else' mentality, and he disagrees with it. See: his google+ post.

Usually the Kernel devs dont make huge announcements about any patch period. It just gets patched and they move on. For some reason their lack of sensationalism about security patches are taken as a negative. Ironicly though M$ only puts out 1 notice a month about security fixes, and ars thinks thats just fine. Ars also thinks its fine when MS holds a critical security fix for another month simply because it didnt meet the merge window for release.
Sigh...

_________________



Back to top
View user's profile Send private message Visit poster's website 
Iguleder


Joined: 11 Aug 2009
Posts: 1927
Location: Israel, somewhere in the beautiful desert

PostPosted: Sat 18 May 2013, 14:49    Post subject:  

Guys, let's not forget that anyone runs code on Puppy (including hackers) is already running as root (or has many easy ways to become root).

This vulnerability exists in Puppy, but its impact on Puppy's overall security is minimal.

_________________
My homepage
My GitHub profile
Back to top
View user's profile Send private message Visit poster's website MSN Messenger 
ICQ Number 
Q5sys


Joined: 11 Dec 2008
Posts: 1074

PostPosted: Sat 18 May 2013, 15:56    Post subject:  

Iguleder wrote:
Guys, let's not forget that anyone runs code on Puppy (including hackers) is already running as root (or has many easy ways to become root).

This vulnerability exists in Puppy, but its impact on Puppy's overall security is minimal.



From my first post:
Q5sys wrote:
Just an FYI. Shouldn't affect us much since we run as root anyway, but being aware is always beneficial.

From my third post:
Q5sys wrote:
And as I said in my first post, since we run as root anyway, its usefulness is limited.


This really only affects puppy releases that are multi-user like FatDog64. And even in those situations it's only a minimal effect.

_________________



Back to top
View user's profile Send private message Visit poster's website 
Display posts from previous:   Sort by:   
Page 1 of 1 [11 Posts]  
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0939s ][ Queries: 11 (0.0036s) ][ GZIP on ]