so how do we check and correct this setting ?=" Users can test if they are vulnerable by checking if the CONFIG_X86_X32 variable is set in their kernel configuration. "
Code: Select all
grep CONFIG_X86_X32 /boot/config-$(uname -r)
Code: Select all
~ $ grep CONFIG_X86_X32 /boot/config-$(uname -r)
CONFIG_X86_X32=y
~ $
Something seems to be wrong with the dependencies. Installing linux-generic wants to remove grub and install a lot of other things, including brasero and apache. My "treat recommended packages as dependencies" isn't checked, by the way.xenopeek wrote:See karlchen's excellent post here on how to get Ubuntu kernel upgrades on Linux Mint 16: http://forums.linuxmint.com/viewtopic.p ... 61#p795316. Follow that if you want to install 3.11.0-15.25.
It doesn't seem to be. According to Synaptic, that's exactly the version number of the latest kernel from Ubuntu. But still:xenopeek wrote:The fix is in kernel 3.11.0-15.25
Code: Select all
$ grep CONFIG_X86_X32 /boot/config-3.11.0-15-generic
CONFIG_X86_X32=yalrighty, then!! please let us know if that's going to happen, or if we should consider moving to MINT 17.xenopeek wrote: {snip}
Edit: I see there is an exploit template available for this, so heading it up to Clem to possibly consider pushing the new kernel.
I doubt it; Linux Mint 15--and Ubuntu 13.04 that is its package base--is obsolete as of end of January and thus no longer gets security updates. Ubuntu is unlikely to patch the Ubuntu 13.04 kernel. You could install a patched kernel yourself, or upgrade to Linux Mint 16 and get the patch there. Linux Mint 17 won't be out till May/June this year.mike acker wrote:mine is MINT 15, with Kernel/Build 3.8.0-19
[...]
hopefully we'll see a correction shortly
Are you sure you have 3.11.0-15.25? You can check your version with:Zalbor wrote:It doesn't seem to be. According to Synaptic, that's exactly the version number of the latest kernel from Ubuntu. But still:xenopeek wrote:The fix is in kernel 3.11.0-15.25
Code: Select all
$ grep CONFIG_X86_X32 /boot/config-3.11.0-15-generic CONFIG_X86_X32=y
Code: Select all
dpkg -l linux-image-$(uname -r)Yes, that shows 3.11.0-15.25, just like Synaptic does.xenopeek wrote:Are you sure you have 3.11.0-15.25? You can check your version with:Code: Select all
dpkg -l linux-image-$(uname -r)
from the ZD Reportxenopeek wrote:mike acker wrote:mine is MINT 15, with Kernel/Build 3.8.0-19
[...]
hopefully we'll see a correction shortly{snip}I doubt it; Linux Mint 15--and Ubuntu 13.04 that is its package base--is obsolete as of end of January and thus no longer gets security updates. Ubuntu is unlikely to patch the Ubuntu 13.04 kernel. You could install a patched kernel yourself, or upgrade to Linux Mint 16 and get the patch there. Linux Mint 17 won't be out till May/June this year.
our biggest concern is a "drive by" from an infected web site . infected web sites contain un-imaginable garbage..... a bad flash object would be the most likey means of getting some sort of code to call this ABI service... i wonder how high the risk is....... right now I'm looking at options one of which is to start playing with the Debian based MINT. I'm thinking whether to order one of those Western Digital dives from NewEgg or maybe reformat the drive I have Ubuntu 12.04LTS on. I was planning to upgrade to the MINT17 LTS version when it appears. I've been on MINT 15 since Sept. of last year....The x32 ABI essentially allows 32-bit applications to take advantage of 64-bit x86 architectures.
http://www.zdnet.com/low-level-exploit- ... 000025872/
Correct, the test on earlier kernel versions is just to see if the functionality is included or not--not to confirm whether the patch has been applied. Kernel 3.11.0-15.25 has the patch for this security issue, but otherwise keeps the functionality enabled. If the functionality isn't enabled, such as on Linux Mint 14, you're not affected by this security issue.chemicalfan wrote:Just thought - you'll still see "CONFIG_X86_X32=y", but that part of the kernel has been patched, such that it is no longer vunerable. "CONFIG_X86_X32=y" refers to the functionality, not the vunerability.
I've been reading some more on X32 ABI today and I think the risk on your browser is negligible. For a browser to use X32 ABI, it would have had to been compiled to use the X32 version of system libraries (else there is no X32 ABImike acker wrote:our biggest concern is a "drive by" from an infected web site . infected web sites contain un-imaginable garbage..... a bad flash object would be the most likey means of getting some sort of code to call this ABI service... i wonder how high the risk is.......
). Those libraries aren't installed on Linux Mint 16. You can check with following command (no result = not installed):
Code: Select all
dpkg -l | egrep 'libx32|-x32'Code: Select all
ldd /usr/lib/firefox/firefox | egrep 'libx32|-x32'
the thing that has been a problem with flash is that it has been a vehicle by which hackers have been able to get code execution. If that happens, then if the X32 ABI service is available then the un-authorized code, running under the authority of the browser, might be able to link to the X32 ABI and obtain privilege escallationI'm not a security expert, but I doubt things like Flash and JavaScript can exploit this bug in the X32 ABI.
the kernel config means that "it increase the risk of security breach in your system". it doesn't mean that "your system will suddenly breached if you have this kernel config".the existence of the x32/abi is worrysome. an o/s which allows itself to be modified by an application program is a toy. a secure o/s would never countenance such an idea.
does Torvalds know about this? we would all be learning how to cuss in Finnish
I've been reading some more on X32 ABI today and I think the risk on your browser is negligible. For a browser to use X32 ABI, it would have had to been compiled to use the X32 version of system libraries (else there is no X32 ABI
...
To my understanding the risk is in downloading a Linux program that was specially crafted to exploit the privilege escalation weakness that is in the X32 ABI in certain kernels. Like detailed above, some kernels don't have X32 ABI enabled and those aren't susceptible. I'm not a security expert, but I doubt things like Flash and JavaScript can exploit this bug in the X32 ABI.
1) Every OS has security breaches. Important is only the delay between discovery and patches.mike acker wrote: the existence of the x32/abi is worrysome. an o/s which allows itself to be modified by an application program is a toy. a secure o/s would never countenance such an idea.
does Torvalds know about this? we would all be learning how to cuss in Finnish
referenceRed Hat has previously been paged by its users to enable x32 support in Fedora 18; however, it refused to include it, citing security concerns.
"It affects every user by potentially exposing them to as-yet-unfound security bugs for zero gain," Red Hat kernel developer Dave Jones said at the time.
....or compile your own kernel without that option, if it bothers you that much.mike acker wrote:alas, as a Mint15 system I'm an orphan. I'll have to wait for MINT17 or jump ship and go Debian.
Code: Select all
dpkg -l linux-image-$(uname -r)