[rsbac] Bugfixing the kernel uselib vulnerability

Murf murf at post.cz
Wed Jan 12 11:48:28 CET 2005 

Hello,

You can apply security patches from
http://www.grsecurity.org/grsecurity-2.1.0-2.6.10-200501081640.patch.

It works for me, kernel build is without problem. You have
to patch it after all the patches (pax and rsbac). It contain
also correction to use-lib bug (I didn't check it. It was
said to me by the author of that patch).

Also you can wait until there will be rsbac ebuild in Gentoo that
kang preparing. Other distribution hardly have prebuild
packages with rsbac.

Regards,

Murf

Andrea Pasquinucci wrote:
> On Mon, Jan 10, 2005 at 05:01:52PM +0100, Amon Ott wrote:
> * Several new vulnerabilities have been found for kernel 2.4.28, the 
> * most important one got known as uselib bug.
> * 
> * The more or less official bugfix, which also made its way into 
> * 2.4.29-rc1, does not apply cleanly to an RSBAC patched kernel. The 
> * attached patch is a modified version, which does apply without 
> * rejects. The fix should be correct, but please recheck yourself.
> * 
> * Please note that there have also been several vulnerabilities found in 
> * kernel 2.6.10 (as in almost any kernel in the 2.6 series so far). I 
> * strongly recommend to at least follow the -ac patches by Alan Cox, if 
> * you happen to use 2.6 kernels for production use.
> * 
> * The pre-patched RSBAC kernels do not contain third party fixes, it is 
> * impossible to maintain all these patches here!
> 
> I perfectly understand your point, but this creates sometimes a problem
> for people like me. Little explanation, I do not have the time right now
> to try to patch the kernel (2.6.10 or 2.4.28) with the security fixes,
> then try to patch it with rsbac and if succesfull try to compile and if
> succesful try it on a machine just to discover that it crashes (kernel
> panic on boot). Obviously I did something wrong... But I do not have the
> time right now to do anything else, so I have to decide if to keep a
> buggy kernel with rsbac or to use a patched vendor kernel without rsbac.
> Today I decided for the vendor kernel and to wait until there will be a
> patched rsbac kernel (hopefully with 2.6.11).
> 
> I suspect that there are many in my situation. So I have a suggestion,
> can we try to produce pre-patched RSBAC kernel with the main security
> fix ? If we are in at least a few in my situation is also silly that all
> of us do the same thing (try to apply the security fix) whereas by
> sharing the result we would help each other out.
> 
> Andrea
> 
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
> 
>

More information about the rsbac mailing list