generated from sig_core/wiki-template
Merge pull request 'Add pages for microcode_ctl and two CVEs; edit a few things' (#10) from solardiz-patch-8 into main
All checks were successful
mkdocs build / build (push) Successful in 30s
All checks were successful
mkdocs build / build (push) Successful in 30s
Reviewed-on: #10 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
commit
ef5faa348c
@ -32,6 +32,8 @@ This isn't as secure as checking the package signature would be _if_ you previou
|
||||
|
||||
Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to bypass the dependency check on our `rocky-release` package. In essense, you're manually confirming to `rpm` that you're installing on a compatible distro.
|
||||
|
||||
You'll normally install packages from the mirrors, which should just work. However, if there's any issue with the mirrors and you uncomment our `baseurl` line instead, then on non-Rocky you'll need to use `DNF_VAR_sigcontentdir=/pub/sig dnf` in place of simply `dnf`.
|
||||
|
||||
## Packages
|
||||
|
||||
### Extra packages (for EL8 and EL9)
|
||||
@ -41,11 +43,12 @@ Install the package with `rpm -U --nodeps`. The `--nodeps` option is needed to b
|
||||
|
||||
### Extra packages (currently only for EL9)
|
||||
|
||||
- [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc) (Security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries)
|
||||
- [hardened_malloc](packages/hardened_malloc.md) (Security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries)
|
||||
|
||||
### Override packages (currently only for EL9)
|
||||
|
||||
- [glibc](packages/glibc.md) (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package)
|
||||
- [microcode_ctl](packages/microcode_ctl.md) (updates Intel CPU microcode to microcode-20231114, which fixes CVE-2023-23583)
|
||||
- [openssh](packages/openssh.md) (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package's functionality)
|
||||
|
||||
The changes are described in more detail on the per-package wiki pages linked above, as well as in the package changelogs.
|
||||
|
25
docs/issues/CVE-2023-23583.md
Normal file
25
docs/issues/CVE-2023-23583.md
Normal file
@ -0,0 +1,25 @@
|
||||
# CVE-2023-23583: microcode_ctl: Intel CPUs: execution of MOVSB instructions with redundant REX prefix leads to unintended system behavior
|
||||
|
||||
## Summary
|
||||
|
||||
As described by [Intel](https://www.openwall.com/lists/oss-security/2023/11/14/4):
|
||||
|
||||
Under certain microarchitectural conditions, Intel has identified cases where execution of an instruction (REP MOVSB) encoded with a redundant REX prefix may result in unpredictable system behavior resulting in a system crash/hang, or, in some limited scenarios, may allow escalation of privilege from CPL3 to CPL0.
|
||||
|
||||
and by [Red Hat](https://access.redhat.com/security/cve/CVE-2023-23583):
|
||||
|
||||
A security vulnerability was found in some Intel processors. Execution of REP MOVSB instructions with a redundant REX prefix may result in execution continuing at an incorrect EIP address after a micro-architectural event occurs, potentially allowing privilege escalation, information disclosure and/or a denial of service via local access.
|
||||
|
||||
as well as in [CVE-2023-23583](https://www.cve.org/CVERecord?id=CVE-2023-23583).
|
||||
|
||||
More detail is available via these [links to Intel's website](https://www.openwall.com/lists/oss-security/2023/11/14/7) and in the public disclosure by [Tavis Ormandy](https://lock.cmpxchg8b.com/reptar.html) from [Google](https://cloud.google.com/blog/products/identity-security/google-researchers-discover-reptar-a-new-cpu-vulnerability).
|
||||
|
||||
Public disclosure date: November 14, 2023
|
||||
|
||||
## EL9
|
||||
|
||||
Fixed in version: `4:20231114-1.el9_2.security` available November 15, 2023
|
||||
|
||||
## EL8
|
||||
|
||||
Not fixed yet, will fix.
|
23
docs/issues/CVE-2023-4911.md
Normal file
23
docs/issues/CVE-2023-4911.md
Normal file
@ -0,0 +1,23 @@
|
||||
# CVE-2023-4911: glibc: Looney Tunables: buffer overflow in ld.so leading to privilege escalation
|
||||
|
||||
## Summary
|
||||
|
||||
As described by [Red Hat](https://access.redhat.com/security/cve/CVE-2023-4911) and in [CVE-2023-4911](https://www.cve.org/CVERecord?id=CVE-2023-4911):
|
||||
|
||||
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the `GLIBC_TUNABLES` environment variable. This issue could allow a local attacker to use maliciously crafted `GLIBC_TUNABLES` environment variables when launching binaries with SUID permission to execute code with elevated privileges.
|
||||
|
||||
More detail is available in the [public disclosure](https://www.openwall.com/lists/oss-security/2023/10/03/2) by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so), the team who discovered the issue.
|
||||
|
||||
Public disclosure date: October 3, 2023
|
||||
|
||||
## EL9
|
||||
|
||||
Mitigated in version: `2.34-60.el9_2.security.0.2` available October 3, 2023
|
||||
Fixed in version: `glibc-2.34-60.el9_2.7` available October 5, 2023
|
||||
|
||||
Besides the upstream fix, we also retained the mitigation in the [Security SIG package of glibc](packages/glibc.md).
|
||||
|
||||
## EL8
|
||||
|
||||
Fixed in version: `glibc-0:2.28-225.el8_8.6` available October 5, 2023
|
||||
Errata: [RLSA-2023:5455](https://errata.rockylinux.org/RLSA-2023:5455) issued October 7, 2023
|
18
docs/packages/microcode_ctl.md
Normal file
18
docs/packages/microcode_ctl.md
Normal file
@ -0,0 +1,18 @@
|
||||
# Override package: microcode_ctl
|
||||
|
||||
## EL9
|
||||
|
||||
- Version `4:20231114-1.el9_2.security`
|
||||
- Based on `4:20230808-2`
|
||||
|
||||
### Changes summary
|
||||
|
||||
- Update Intel CPU microcode to microcode-20231114 (fixes [CVE-2023-23583](https://www.openwall.com/lists/oss-security/2023/11/14/4)), temporarily dropping most documentation patches
|
||||
|
||||
### Change log
|
||||
|
||||
```
|
||||
* Tue Nov 14 2023 Solar Designer <solar@openwall.com> - 4:20231114-1
|
||||
- Update Intel CPU microcode to microcode-20231114 (fixes CVE-2023-23583),
|
||||
temporarily dropping most documentation patches
|
||||
```
|
Loading…
Reference in New Issue
Block a user