From cf390f30faf840911b2737c9046556c4858dc180 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Wed, 15 Nov 2023 20:01:25 +0100 Subject: [PATCH 1/5] Add microcode_ctl --- docs/index.md | 1 + docs/packages/microcode_ctl.md | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 docs/packages/microcode_ctl.md diff --git a/docs/index.md b/docs/index.md index c5127fa..8499ef5 100644 --- a/docs/index.md +++ b/docs/index.md @@ -46,6 +46,7 @@ Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to b ### Override packages (currently only for EL9) - [glibc](packages/glibc.md) (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package) +- [microcode_ctl](packages/microcode_ctl.md) (updates Intel CPU microcode to microcode-20231114, which fixes CVE-2023-23583) - [openssh](packages/openssh.md) (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality) The changes are described in more detail on the per-package wiki pages linked above, as well as in the package changelogs. diff --git a/docs/packages/microcode_ctl.md b/docs/packages/microcode_ctl.md new file mode 100644 index 0000000..b326d9e --- /dev/null +++ b/docs/packages/microcode_ctl.md @@ -0,0 +1,18 @@ +# Override package: microcode_ctl + +## EL9 + +- Version `4:20231114-1` +- Based on `4:20230808-2` + +### Changes summary + +- Update Intel CPU microcode to microcode-20231114 (fixes [CVE-2023-23583](https://www.openwall.com/lists/oss-security/2023/11/14/4)), temporarily dropping most documentation patches + +### Change log + +``` +* Tue Nov 14 2023 Solar Designer - 4:20231114-1 +- Update Intel CPU microcode to microcode-20231114 (fixes CVE-2023-23583), + temporarily dropping most documentation patches +``` From d0d1d444d46b6222627f41c422909033919bb159 Mon Sep 17 00:00:00 2001 
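Review bot: In the new docs/packages/microcode_ctl.md, the `Version` bullet reads `4:20231114-1`, which is not the EVR a user will see from `rpm -q microcode_ctl` on EL9 (the built package carries a dist and SIG suffix, and the index entry in the same series already refers to a `.el9_2.security` build of this package); list the exact installed NEVR so readers can verify they have the override build rather than the base one. The "temporarily dropping most documentation patches" line in the changes summary also deserves one sentence on what that means in practice (which documentation is affected and whether any user-visible files differ from the EL base package), since that is the whole point of an override-package page. Finally, the index.md entry says the package "fixes CVE-2023-23583", but a microcode update only takes effect once the new microcode is loaded, normally at the next boot; the package page should say a reboot is required and how to confirm the new revision is active (for example the `microcode` field in `/proc/cpuinfo`, or `dmesg | grep microcode`).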
From: Solar Designer Date: Wed, 15 Nov 2023 21:59:01 +0100 Subject: [PATCH 2/5] Re-point hardened_malloc link from external to local page --- docs/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 8499ef5..90993ac 100644 --- a/docs/index.md +++ b/docs/index.md @@ -41,7 +41,7 @@ Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to b ### Extra packages (currently only for EL9) -- [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) (Security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries) +- [hardened_malloc](packages/hardened_malloc.md) (Security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries) ### Override packages (currently only for EL9) From 94e3e0ac16cb9ac6bdb64e6491cc0503199b6b41 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Wed, 15 Nov 2023 22:05:14 +0100 Subject: [PATCH 3/5] Document DNF_VAR_sigcontentdir=/pub/sig --- docs/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/index.md b/docs/index.md index 90993ac..ffd5b04 100644 --- a/docs/index.md +++ b/docs/index.md @@ -32,6 +32,8 @@ This isn't as secure as checking the package signature would be _if_ you previou Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to bypass the dependency check on our `rocky-release` package. In essense, you're manually confirming to `rpm` that you're installing on a compatible distro. +You'll normally install packages from the mirrors, which should just work. However, if there's any issue with the mirrors and you uncomment our `baseurl` line instead, then on non-Rocky you'll need to use `DNF_VAR_sigcontentdir=/pub/sig dnf` in place of simply `dnf`. + ## Packages ### Extra packages (for EL8 and EL9) From c4abc1b08efa217b42971a44b8cd5af616f243f1 Mon Sep 17 00:00:00 2001 
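Review bot: The hardened_malloc bullet now links to `packages/hardened_malloc.md`, but this patch's diffstat touches only docs/index.md and nothing in the series creates that file; confirm the page already exists in the repo, otherwise the link that previously worked (to the upstream GitHub project) now breaks. Since the upstream URL is dropped from index.md, the local page should carry it.

Review bot: The added `DNF_VAR_sigcontentdir=/pub/sig` paragraph tells the reader what to type but not why, i.e. that `sigcontentdir` is a DNF variable referenced by the `baseurl` line and only a Rocky release package defines it, so on other EL rebuilds DNF cannot expand it; one clause saying so would make the instruction self-explanatory. It is also worth mentioning that the value can be set once by writing `/pub/sig` to `/etc/dnf/vars/sigcontentdir` instead of prefixing every `dnf` invocation, which is how DNF reads such variables persistently. Separately, the unchanged context line just above the insertion contains a typo ("In essense" should be "In essence"); since this hunk already touches the paragraph, fix it here or in a follow-up.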
From: Solar Designer Date: Wed, 15 Nov 2023 22:27:57 +0100 Subject: [PATCH 4/5] Add CVE-2023-4911 --- docs/issues/CVE-2023-4911.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 docs/issues/CVE-2023-4911.md diff --git a/docs/issues/CVE-2023-4911.md b/docs/issues/CVE-2023-4911.md new file mode 100644 index 0000000..574e5ba --- /dev/null +++ b/docs/issues/CVE-2023-4911.md @@ -0,0 +1,23 @@ +# CVE-2023-4911: glibc: Looney Tunables: buffer overflow in ld.so leading to privilege escalation + +## Summary + +As described by [Red Hat](https://access.redhat.com/security/cve/CVE-2023-4911) and in [CVE-2023-4911](https://www.cve.org/CVERecord?id=CVE-2023-4911): + +A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the `GLIBC_TUNABLES` environment variable. This issue could allow a local attacker to use maliciously crafted `GLIBC_TUNABLES` environment variables when launching binaries with SUID permission to execute code with elevated privileges. + +More detail is available in the [public disclosure](https://www.openwall.com/lists/oss-security/2023/10/03/2) by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so), the team who discovered the issue. + +Public disclosure date: October 3, 2023 + +## EL9 + +Mitigated in version: `2.34-60.el9_2.security.0.2` available October 3, 2023 +Fixed in version: `glibc-2.34-60.el9_2.7` available October 5, 2023 + +Besides the upstream fix, we also retained the mitigation in the [Security SIG package of glibc](packages/glibc.md). + +## EL8 + +Fixed in version: `glibc-0:2.28-225.el8_8.6` available October 5, 2023 +Errata: [RLSA-2023:5455](https://errata.rockylinux.org/RLSA-2023:5455) issued October 7, 2023 From 7030fdeccfe2d51a3bc17f33f4047b272c281021 Mon Sep 17 00:00:00 2001 
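Review bot: The relative link `[Security SIG package of glibc](packages/glibc.md)` lives in docs/issues/CVE-2023-4911.md, so it resolves to docs/issues/packages/glibc.md, which does not exist; it needs to be `../packages/glibc.md` (the `packages/...` form only works from docs/index.md, one directory up). The version strings on the page are also inconsistent in a way that hurts copy-and-paste verification: the EL9 "Mitigated in version" line omits the `glibc-` package-name prefix that the EL9 "Fixed in version" line includes, and the EL8 line includes the `0:` epoch that the EL9 lines omit; pick one form (e.g. `glibc-2.34-60.el9_2.security.0.2`) and use it for all three. Minor: the EL8 section cites an errata (RLSA-2023:5455) while the EL9 section does not, and the quoted Red Hat text under "Summary" would read more clearly as a `>` blockquote so it is visibly distinct from the page's own prose.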
From: Solar Designer Date: Wed, 15 Nov 2023 22:46:05 +0100 Subject: [PATCH 5/5] Add CVE-2023-23583 --- docs/issues/CVE-2023-23583.md | 25 +++++++++++++++++++++++++ docs/packages/microcode_ctl.md | 2 +- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 docs/issues/CVE-2023-23583.md diff --git a/docs/issues/CVE-2023-23583.md b/docs/issues/CVE-2023-23583.md new file mode 100644 index 0000000..9b2c9da --- /dev/null +++ b/docs/issues/CVE-2023-23583.md 
@@ -0,0 +1,25 @@ +# CVE-2023-23583: microcode_ctl: Intel CPUs: execution of MOVSB instructions with redundant REX prefix leads to unintended system behavior + +## Summary + +As described by [Intel](https://www.openwall.com/lists/oss-security/2023/11/14/4): + +Under certain microarchitectural conditions, Intel has identified cases where execution of an instruction (REP MOVSB) encoded with a redundant REX prefix may result in unpredictable system behavior resulting in a system crash/hang, or, in some limited scenarios, may allow escalation of privilege from CPL3 to CPL0. + +and by [Red Hat](https://access.redhat.com/security/cve/CVE-2023-23583): + +A security vulnerability was found in some Intel processors. Execution of REP MOVSB instructions with a redundant REX prefix may result in execution continuing at an incorrect EIP address after a micro-architectural event occurs, potentially allowing privilege escalation, information disclosure and/or a denial of service via local access. + +as well as in [CVE-2023-23583](https://www.cve.org/CVERecord?id=CVE-2023-23583). + +More detail is available via these [links to Intel's website](https://www.openwall.com/lists/oss-security/2023/11/14/7) and in the public disclosure by [Tavis Ormandy](https://lock.cmpxchg8b.com/reptar.html) from [Google](https://cloud.google.com/blog/products/identity-security/google-researchers-discover-reptar-a-new-cpu-vulnerability). + +Public disclosure date: November 14, 2023 + +## EL9 + +Fixed in version: `4:20231114-1.el9_2.security` available November 15, 2023 + +## EL8 + +Not fixed yet, will fix. diff --git a/docs/packages/microcode_ctl.md b/docs/packages/microcode_ctl.md index b326d9e..1f84b24 100644 --- a/docs/packages/microcode_ctl.md +++ b/docs/packages/microcode_ctl.md @@ -2,7 +2,7 @@ ## EL9 -- Version `4:20231114-1` +- Version `4:20231114-1.el9_2.security` - Based on `4:20230808-2` ### Changes summary
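Review bot: For the new docs/issues/CVE-2023-23583.md, "Fixed in version: `4:20231114-1.el9_2.security`" should name the package, e.g. `microcode_ctl-4:20231114-1.el9_2.security`, to match the `glibc-2.34-60.el9_2.7` form used on the CVE-2023-4911 page. More importantly, installing the package is not the same as being fixed: the updated microcode is only active after it is loaded, normally at the next boot, so the EL9 section should state that a reboot is required and give a verification step (the `microcode` field in `/proc/cpuinfo`, or `dmesg | grep microcode`, compared against the revision Intel lists for the affected CPU). The heading says "MOVSB instructions" while both quoted descriptions say "REP MOVSB"; use the latter in the title. The "[links to Intel's website]" anchor actually points at an oss-security post, as does the "As described by [Intel]" link, so label them as the oss-security posts that relay Intel's text. The EL8 placeholder "Not fixed yet, will fix." is fine for now but should be updated to say whether an EL8 override package or the base package update is expected.

Review bot: The docs/packages/microcode_ctl.md hunk changes the `Version` bullet to `4:20231114-1.el9_2.security` but leaves the changelog block at `4:20231114-1`; that is the usual RPM changelog convention (no dist tag), but since the page shows both side by side, a brief note that the changelog omits the dist suffix would prevent readers from taking it as a mismatch. This change also corrects the version introduced in patch 1 of the same series, so squashing the two would keep history cleaner.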