Mailing List Archive

Re: Re: local root exploit for linux 2.4 and linux 2.6.
"Brian G. Peterson" writes:
|
| The solution to this has already been discussed. This is a discussion list
| not a notification list. If you want notification, set up a watch that meets
| your requirements on Bugzilla. Bugzilla will email you, and those who want a
| discussion list without extra notifications can still have one.


It seems to me:
* there is a want for such a list from a number of people
* it can be done via bugzilla

Maybe I'm just lazy, but the next step doesn't seem to be
* (if new gentoo user who missed _this_ discussion) discover that
there is no announce for yet-to-be-closed bugs
* individually set up bugzilla to do it.
* (repeat n hundred times)

the logical solution seems to be:
* set up a security-newly-discovered-start-to-panic@gentoo

I guess I'm wondering what stops this happening again in 6 months with
all the people who have joined after this discussion finishes (given
that the list's function isn't clear) and then suddenly go 'hey....'.

And also if it is sane to have a number of gentoo users all perform
the same operation in the bugzilla when there seems to be a need for a
single list that:
* gets posts from bugzilla
* no one else can post to (suggestion, announce on the new list, any
discussion here)
* is an official '@gentoo' list

In that way, we add a single new list with a clear reason for
existing, satisfy a lot of people and don't affect this group in
any way except maybe to get some more security discussion.


cheers,
cam

--
/ `Rev Dr' cam at darkqueen.org Roleplaying, virtual goth \
< http://darkqueen.org Poly, *nix, Python, C/C++, genetics, ATM >
\ [+61 3] 9809 1523[h] skeptic, Evil GM(tm). Sysadmin for hire /
---------- Random Quote ----------
Got Mole problems? Call Avogadro at 6.02 x 10^23.

--
gentoo-security@gentoo.org mailing list
Re: Re: local root exploit for linux 2.4 and linux 2.6.
> "Brian G. Peterson" writes:
>
> And also if it is sane to have a number of gentoo users all perform
> the same operation in the bugzilla when there seems to be a need for a
> single list that:
> * gets posts from bugzilla
> * no one else can post to (suggestion, announce on the new list, any
> discussion here)
> * is an official '@gentoo' list
>
> In that way, we add a single new list with a clear reason for
> existing, satisfy a lot of people and don't affect this group in
> any way except maybe to get some more security discussion.

Completely agree.


Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Monday 10 January 2005 02.13, Cameron Blackwood wrote:
> "Brian G. Peterson" writes:
> | The solution to this has already been discussed. This is a discussion
> | list not a notification list. If you want notification, set up a watch
> | that meets your requirements on Bugzilla. Bugzilla will email you, and
> | those who want a discussion list without extra notifications can still
> | have one.
>
> It seems to me:
> * there is a want for such a list from a number of people
> * it can be done via bugzilla
>
> Maybe I'm just lazy, but the next step doesn't seem to be
> * (if new gentoo user who missed _this_ discussion) discover that
> there is no announce for yet-to-be-closed bugs
> * individually set up bugzilla to do it.
> * (repeat n hundred times)
>
> the logical solution seems to be:
> * set up a security-newly-discovered-start-to-panic@gentoo
>
> I guess I'm wondering what stops this happening again in 6 months with
> all the people who have joined after this discussion finishes (given
> that the list's function isn't clear) and then suddenly go 'hey....'.
>
> And also if it is sane to have a number of gentoo users all perform
> the same operation in the bugzilla when there seems to be a need for a
> single list that:
> * gets posts from bugzilla
> * no one else can post to (suggestion, announce on the new list, any
> discussion here)
> * is an official '@gentoo' list
>
> In that way, we add a single new list with a clear reason for
> existing, satisfy a lot of people and don't affect this group in
> any way except maybe to get some more security discussion.

I'm a fairly new gentoo-user, and I subscribed to this list thinking:
"Great, I'll be notified if something really serious, like a kernel root
exploit, happens!". I understand now that this is not the case, but that many
like me thought it was, or are wishing it were.

"security-newly-discovered-start-to-panic@gentoo" like Cameron describes it is
exactly what I was looking for. If technically possible, please create it!

Thanks,
/Johan

Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Monday 10 January 2005 06:27, Johan Ekenberg wrote:
> I'm a fairly new gentoo-user, and I subscribed to this list thinking:
> "Great, I'll be notified if something really serious, like a kernel root
> exploit, happens!". I understand now that this is not the case, but that
> many like me thought it was, or are wishing it were.
>
> "security-newly-discovered-start-to-panic@gentoo" like Cameron describes it
> is exactly what I was looking for. If technically possible, please create
> it!

I too was hoping that this list would cover _major_ vulns in the _major_
packages/components: apache, openssh, linux, bind, etc.
(I know what is a major package for one won't be applicable for others).

Obviously though, we wouldn't want this list flooded with notifications like
"some-php-webboard-0.01 has an XSS flaw in it" (which is why I can't be
bothered, and don't have time to sift through the mess on Full Disclosure).

Anyway, we all know about it now, which is I suppose what matters most.

--
http://zapee.com/ - funky hosting for funky people

Re: Re: local root exploit for linux 2.4 and linux 2.6.

Johan Ekenberg wrote:
| I'm a fairly new gentoo-user, and I subscribed to this list thinking:
| "Great, I'll be notified if something really serious, like a kernel root
| exploit, happens!". I understand now that this is not the case, but
| that many like me thought it was, or are wishing it were.
|
| "security-newly-discovered-start-to-panic@gentoo" like Cameron
| describes it is exactly what I was looking for. If technically
| possible, please create it!
|
| Thanks,
| /Johan

Hi!

I subscribed not only for that, but to see those bugs discussed, their
possible implications, workarounds, fixes or even alternatives to the
software with that critical security flaw. To add to that, we can also
discuss generic security issues. I don't think bugzilla is the way to go
for that kind of interaction.

On the other hand, I wasn't expecting to have someone assigned to post
those messages. I was expecting to read emails from any user interested
in warning other users or discussing that exploit.



--
Rui Covelo
http://ruicovelo.2ya.com


Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Mon, 10 Jan 2005 12:13:02 +1100, Cameron Blackwood
<korg@darkqueen.org> wrote:
>
> the logical solution seems to be:
> * set up a security-newly-discovered-start-to-panic@gentoo
>

Call it something like gentoo-security-bugzilla@gentoo.org, and make
it obvious that it's an unfiltered stream of the new bugzilla entries.
It would let this list be what the policy appears to be, which is an
unmoderated security discussion list, even if it's rarely used for
that ;)

Mike

Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Sat, 8 Jan 2005 13:53:13 -0500
bryank@cs.uri.edu wrote:

> To get it to compile, change modify_ldt_ldt_s to user_desc. For me it
> just segfaults then, but I don't know if that's because I have
> CONFIG_DEBUG_STACKOVERFLOW=y set.

For me (vanilla 2.6.10) it "brokenpiped" once and since then it only segfaults.

--
/~\ The ASCII Andrej "Ticho" Kacian <ticho at gentoo dot org>
\ / Ribbon Campaign GnuPG public key ID: 7CD93FE2 (pgp.mit.edu)
X Against HTML Key fingerprint:
/ \ Email! E87D 9DEF 2A23 6FFB 7AD9 542F 4253 3A46 7CD9 3FE2
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Sun, 9 Jan 2005, Peter Karlsson wrote:

> On Sun, 9 Jan 2005, Thierry Carrez wrote:
>
>> Just before I joined the security team there was someone that said he
>> would do that. He called them "GLVP" (for Gentoo Linux Pending
>> Vulnerabilities). He said he would post to gentoo-security each
>> Saturday. Guess what ? He posted one and never posted again. Proof
>> for the paranoid types out there :
>>
>> http://marc.theaimsgroup.com/?l=gentoo-security&w=2&r=1&s=GLVP&q=b
>>
>> Guess history keeps repeating itself. It's not that easy to regularly
>> commit free time to do work. It's easy to complain, it's not that
>> easy to be part of the solution.
>
> Ok, sorry for the "noob" remark/question here but can't this be
> automated somehow? Like if someone files a security-related bug on
> bugs.gentoo.org this could auto-dispatch an email to a relevant
> list... This way one would not be dependent upon "manual labour" (for
> this particular task anyway). Automate what can be automated I'd
> say[0]. :-)

Certainly. Here's how you do it:

Sign up an email account to Gentoo's bugzilla. Select prefs, select
email settings. Add security@gentoo.org to the watch list. Now, down
below, uncheck every box in Field/recipient options EXCEPT Assignee
options 'I'm added to or removed from this capacity', 'The bug is
resolved or verified', and 'The bug is in the unconfirmed state'.

If you want to turn this into a list which other people can join, have
the email address you sign up be such a mailing list.

If people are interested, I may be doing this sometime during the next
few weeks for myself, and I should be able to set up a list. That being
said, I do occasionally have connectivity issues, and I do anticipate
being down for three weeks in June. As such, there are probably better
candidates to achieve this.

> Best regards
>
> Peter K
>
> [0] If only there was a way to automate bug-hunting... ;-)

Actually, for a certain class of bugs, there has been automated
bug-hunting. This class is 'garbage in handling'. IIRC, there was a
group that did a certain amount of this a few years ago.

Of course, bug-fixing would be potentially even better. :)

Ed

Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Sun, 16 Jan 2005, Ed Grimm wrote:

> Certainly. Here's how you do it:
>
> Sign up an email account to Gentoo's bugzilla. Select prefs, select
> email settings. Add security@gentoo.org to the watch list. Now, down
> below, uncheck every box in Field/recipient options EXCEPT Assignee
> options 'I'm added to or removed from this capacity', 'The bug is
> resolved or verified', and 'The bug is in the unconfirmed state'.
>
> If you want to turn this into a list which other people can join, have
> the email address you sign up be such a mailing list.
>
> If people are interested, I may be doing this sometime during the next
> few weeks for myself, and I should be able to set up a list. That being
> said, I do occasionally have connectivity issues, and I do anticipate
> being down for three weeks in June. As such, there are probably better
> candidates to achieve this.

I'm also intermittently connected and I don't know where I could set up an
email-list (for that you would need access to a server?). Anyway, thanks
for the info/tutorial.

> Actually, for a certain class of bugs, there has been automated
> bug-hunting. This class is 'garbage in handling'. IIRC, there was a
> group that did a certain amount of this a few years ago.

Well, I have been toying with the idea for a while. Would it be impossible
to create a tool that would go through some source file and look for
security-bugs & trojans, much like an anti-virus program does with
binaries? I realise that it would probably be quite complex to cover all
possible "scenarios" but surely there has to be some common "signature"
(sorry if this doesn't make sense, english is not my native lingo) and of
course it cannot be one tool but has to be several tools for each type of
code (i.e. C - linux-kernel, C++ - KDE, perl - ?, etc.) or at least a tool
with different types of backends like gcc.

> Of course, bug-fixing would be potentially even better. :)

Oh yeah...

Best regards

Peter K

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Mon, Jan 17, 2005 at 02:58:23PM +0100, Peter Karlsson wrote:
> Well, I have been toying with the idea for a while. Would it be impossible
> to create a tool that would go through some source file and look for
> security-bugs & trojans, much like an anti-virus program does with
> binaries?

Yes. There are a number of automated vulnerability scanners; notable
open source ones include RATS, Flawfinder, and PSCAN, as well as others.
You can even run these upon emerging a package; solar demonstrated it
here: http://tinyurl.com/5jezq.

However, depending on who you ask, these tools range in effectiveness
from moderately useful to useless. In my limited experience with them,
they are good at finding very basic types of vulnerabilities--they
highlight instances of fixed-length buffers, improper use of
printf/sprintf/fprintf, and similar (untrusted input, for instance). But
they are far from perfect. An automated source code scanner is no
replacement for a safe language.

--
Dan Margolis
Gentoo Security/Audit
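An added example, not code from this thread nor from RATS, Flawfinder or PSCAN, for Peter's question about scanning source for security bugs and Dan's description of what those tools actually catch. It shows a C function with the patterns such lexical scanners report (unbounded copies into a fixed-length buffer, a non-literal printf format), a hardened form of the same function, and a toy scanner that matches risky function names on identifier boundaries, which is roughly how those tools work and why they cannot know whether a given call is really bounded. All function names, buffer sizes and the sample source snippets are constructed for the illustration; the real tools' rule sets are larger and are not reproduced here.

```c
/* Added example (not from the thread or from RATS/Flawfinder/PSCAN):
 * the patterns lexical source scanners flag, a hardened form, and a toy
 * identifier-matching scanner. Names and sample sources are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define GREETING_SIZE 32

/* Vulnerable form. A name longer than GREETING_SIZE - 8 bytes overruns buf;
 * a name containing "%x" or "%n" is interpreted as printf directives.
 * Kept only to show what the scanners flag; never call with untrusted input. */
int greet_unsafe(const char *name)
{
    char buf[GREETING_SIZE];
    strcpy(buf, "Hello, ");   /* flagged: strcpy, no bound */
    strcat(buf, name);        /* flagged: strcat, no bound */
    printf(buf);              /* flagged: format string taken from data */
    putchar('\n');
    return (int)strlen(buf);
}

/* Hardened form: caller-supplied buffer and size, bounded write, literal
 * format, truncation reported instead of silently clipped.
 * Returns 0 on success, -1 on bad input or when the greeting does not fit. */
int greet_safe(char *out, size_t outsz, const char *name)
{
    if (out == NULL || outsz == 0 || name == NULL)
        return -1;
    int n = snprintf(out, outsz, "Hello, %s", name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';        /* do not hand back a half-written string */
        return -1;
    }
    return 0;
}

/* Wrapper over greet_safe with a static buffer: returns the greeting, or
 * NULL if it would not fit in cap bytes (cap is clamped to the buffer). */
const char *greet_safe_demo(const char *name, size_t cap)
{
    static char out[GREETING_SIZE];
    if (cap > sizeof out)
        cap = sizeof out;
    return greet_safe(out, cap, name) == 0 ? out : NULL;
}

static int is_ident_char(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Toy lexical scanner: count calls to risky functions in a source string.
 * Matches whole identifiers followed by '(', so snprintf( is not mistaken
 * for sprintf( and my_strcpy_wrapper( is not counted as strcpy(. For
 * printf only a non-literal format argument counts. It cannot see whether
 * a strcpy is guarded by a length check elsewhere: hence false positives. */
int count_risky_calls(const char *src)
{
    static const struct { const char *name; int fmt_only; } risky[] = {
        { "strcpy", 0 }, { "strcat", 0 }, { "sprintf", 0 }, { "gets", 0 },
        { "printf", 1 }
    };
    int hits = 0;
    for (size_t i = 0; i < sizeof risky / sizeof risky[0]; i++) {
        size_t len = strlen(risky[i].name);
        const char *p = src;
        while ((p = strstr(p, risky[i].name)) != NULL) {
            int boundary = (p == src || !is_ident_char(p[-1]))
                           && !is_ident_char(p[len]);
            const char *q = p + len;
            p += len;
            if (!boundary)
                continue;
            while (*q == ' ' || *q == '\t')
                q++;
            if (*q != '(')
                continue;
            q++;
            while (*q == ' ' || *q == '\t')
                q++;
            if (risky[i].fmt_only && *q == '"')
                continue;     /* literal format string: not a finding */
            hits++;
        }
    }
    return hits;
}

/* Constructed source snippets fed to the scanner. */
const char UNSAFE_SRC[] =
    "char buf[32];\n"
    "strcpy(buf, \"Hello, \");\n"
    "strcat(buf, name);\n"
    "printf(buf);\n";

const char SAFE_SRC[] =
    "int n = snprintf(out, outsz, \"Hello, %s\", name);\n"
    "my_strcpy_wrapper(out, name);\n"
    "printf(\"%s\\n\", out);\n";

int main(void)
{
    printf("unsafe snippet: %d findings\n", count_risky_calls(UNSAFE_SRC));
    printf("safe snippet:   %d findings\n", count_risky_calls(SAFE_SRC));
    printf("%s\n", greet_safe_demo("world", GREETING_SIZE));
    printf("fits in 8 bytes: %s\n", greet_safe_demo("world", 8) ? "yes" : "no");
    return 0;
}
```

The scanner reports three findings on the unsafe snippet and none on the hardened one, but only because the hardened snippet avoids the flagged names altogether. A strcpy that is correctly guarded by an explicit length check would still be reported, which is the moderately-useful-to-useless range Dan describes: the tools find call sites worth a look, not vulnerabilities.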
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Mon, 17 Jan 2005, Dan Margolis wrote:

> Yes. There are a number of automated vulnerability scanners; notable
> open source ones include RATS, Flawfinder, and PSCAN, as well as others.
> You can even run these upon emerging a package; solar demonstrated it
> here: http://tinyurl.com/5jezq.
>
> However, depending on who you ask, these tools range in effectiveness
> from moderately useful to useless. In my limited experience with them,
> they are good at finding very basic types of vulnerabilities--they
> highlight instances of fixed-length buffers, improper use of
> printf/sprintf/fprintf, and similar (untrusted input, for instance). But
> they are far from perfect. An automated source code scanner is no
> replacement for a safe language.

I guess they have to start somewhere... And they probably cannot
substitute good programming practices (for a foreseeable future). But I
would think that they would have to be tailor-made for the application that
it scans, i.e. the linux kernel would need special treatment, X window
have other needs, etc.? Thanks for the info though, I've googled about
this before but probably didn't use the correct wording...

Best regards

Peter K

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

Re: local root exploit for linux 2.4 and linux 2.6.
A small update about kernel security.

As you may know, we no longer release GLSAs about kernel vulnerabilities
and are in the process of changing kernel vulnerabilities information to
a more live information system.

In the meantime, we'll post information about serious fixed
vulnerabilities on this list, so that you are informed of the safe
kernels you can use.

As of today only 4 Portage-provided kernel sources are free of serious
kernel vulnerabilities (serious being remote root, remote DoS or local
root) :

- gentoo-dev-sources [2.6]
- grsec-sources [2.4]
- hardened-dev-sources [2.6]
- hardened-sources [2.4]

Use of the latest version of one of these sources is highly recommended
in any security-sensitive setting.

Several others should be fixed soon, as they are currently only
vulnerable to one serious vulnerability (the i386 SMP page fault handler
privilege escalation, bug 77666) :

- gentoo-sources
- ac-sources
- ck-sources
- sparc-sources
- uclinux-sources
- usermode-sources
- win4lin-sources
- wolk-sources
- xbox-sources

--
Koon
Re: local root exploit for linux 2.4 and linux 2.6.
Thierry Carrez wrote:
> A small update about kernel security.

Thanks ...

> As you may know, we no longer release GLSAs about kernel vulnerabilities
> and are in the process of changing kernel vulnerabilities information to
> a more live information system.
>
> In the meantime, we'll post information about serious fixed
> vulnerabilities on this list, so that you are informed of the safe
> kernels you can use.
>
> As of today only 4 Portage-provided kernel sources are free of serious
> kernel vulnerabilities (serious being remote root, remote DoS or local
> root) :
>
> - gentoo-dev-sources [2.6]
> - grsec-sources [2.4]
> - hardened-dev-sources [2.6]
> - hardened-sources [2.4]
>
> Use of the latest version of one of these sources is highly recommended
> in any security-sensitive setting.
>
> Several others should be fixed soon, as they are currently only
> vulnerable to one serious vulnerability (the i386 SMP page fault handler
> privilege escalation, bug 77666) :
>
> - gentoo-sources
> - ac-sources

Unless I'm very much mistaken, Alan Cox addressed the aforementioned bug
in 2.6.10-ac9. As the current ebuild in portage is ac-sources-2.6.10-r10
it shouldn't be vulnerable. Btw, a 2.6.10-ac11 is available but it's not
security critical. The changes are:

2.6.10-ac11
o First phase of HPT driver cleanups (Alan Cox)
| This is just clean ups: the actual changes to make HPT372N
| work well will happen elsewhere first for obvious reasons
o ACARD scsi driver updates
o netpoll fixes (Matt Mackall)
* Fix a bug that could cause corruption of large (Petr Vandrovec)
x86-64 apps when run mixed with x86-32 apps
* Fix oops with md over dm (Jens Axboe)
* Fix a tlb race that could machine check x86-64 (Andi Kleen)
* Fix the "can only burn one DVD" bug (Michal Schmidt)
* Fix a whole pile of pegasus driver bugs (David Brownell)
* Don't collapse multi-packet skb's (David Miller)
o Samsung SN-124 should not be on DMA blacklist (Alan Cox)
| Reported/tested by Amit Bhutani
* Fix an ipv6 "badness" (Herbert Xu)
| (Split out for -ac by Pekka Pietikanien)
* Fix a couple of small merge errors I made in (Clear Zhang)
the ULi ethernet support patch

> - ck-sources

The current ebuild is ck-sources-2.6.10-r5 and, again, the aforementioned
bug should be addressed as Con now includes the -as2 patchset as a base
(http://www.acm.rpi.edu/~dilinger/patches/2.6.10/as2/) and this happens
to include the fix.

> - sparc-sources
> - uclinux-sources
> - usermode-sources
> - win4lin-sources
> - wolk-sources

The ebuild is pretty outdated - a wolk-4.17 is available. However, the
fix will only be in wolk-4.18 which is not yet "officially" available
(apparently because the author is still in the process of incorporating
grsec-2.1.1). However, an interim release is apparently available here,
presumably with the old grsec implementation
(md5:4c667edcc8245dc92d5bb87a63a9aaa1):

http://www.kernel.org/pub/linux/kernel/people/mcp/tmp/

Perhaps it could be implemented as is and the older ebuilds purged, or
the fix could be established for 4.17 by way of a diff in the case that
the "vanilla" 2.4 fix doesn't play ball with the patchset? Just a thought.

> - xbox-sources

Cheers,

--Kerin Francis Millar

Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Saturday 08 January 2005 19:02, Daniel Brandt wrote:
> So clearly a lot of people here don't want to know about possible
> security issues in a timely manner. Also, unless you are really good
> at communicating your exact intentions in such perfect English that no
> possible ambiguities may arise, please refrain from posting if you
> don't want to be called an ass.

Why don't you try out bugtraq? Almost all the bugs get there and they do
that very fast. Of course it's a high volume list, but it'll keep you on
top of things.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
Re: Re: local root exploit for linux 2.4 and linux 2.6.
On Saturday 08 January 2005 19:38, Lance Albertson wrote:
> Sven Beukenex wrote:
> > You send the _security_ advisories to _announce_ because more people
> > are subscribed to it?
> > You only announce problems _after_ a fix is made??? Did it occur to
> > any of you that people might want to disable vulnerable services or
> > even *gasp* help produce fixes for the problems?
> > We have to watch bugs.gentoo to get a total picture?
>
> Perhaps there should be another list or method for people like you to
> know about things better. I'm not on the security team, so its not my
> call. I wasn't around when they changed sending advisories from this
> list to the other one, so I don't know the exact reasoning. I do see
> your point, and it is valid, so perhaps we should come up with a
> solution that works instead of flaming or yelling. Attitudes like that
> just make us not want to help even more.

I was around when the policy changed, although I am not and have never
been a member of the security team. The main reason to post security
announcements on announce is that the announce list is low traffic as it
is a read-only list. At that point the security list was downgraded to a
list for discussion about security on gentoo.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
