<div dir="ltr">I'd check to see that the vector of attack is something that pertains to my system, before worrying too much about the vulnerability. Maybe the vector is the Preview Pane in Outlook, right?<div>Peter</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 21, 2017 at 11:55 AM, Kilian Cavalotti <span dir="ltr"><<a href="mailto:kilian.cavalotti.work@gmail.com" target="_blank">kilian.cavalotti.work@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Chris,<br>
<br>
Thanks for starting the discussion here.<br>
<br>
We're pretty much in the same boat (no changes made yet), as:<br>
1. we're still running some RHEL 6.x based clusters, with x < 9,<br>
meaning no patches for either the kernel or glibc,<br>
2. those kernel+glibc patches seem to just be "mitigations" and don't<br>
solve the underlying problem anyway<br>
(cf. <a href="https://access.redhat.com/security/vulnerabilities/stackguard#magicdomid15" rel="noreferrer" target="_blank">https://access.redhat.com/<wbr>security/vulnerabilities/<wbr>stackguard#magicdomid15</a>)<br>
<br>
As far as I understand this, the real fix will be to recompile all of<br>
your binaries using a properly working implementation of -fstack-check<br>
in gcc (which doesn't exist yet). So in terms of timeline, that means<br>
GCC needs to be fixed, system applications need to be recompiled,<br>
distributions need to repackage and distribute them, and then all the<br>
userland applications need to be recompiled. It's a multi-year<br>
process.<br>
<br>
So we're not really sure how to approach this, as recompiling<br>
everything seems really like the utopian dream of somebody who never<br>
managed any shared system. Plus, as you mentioned, even the<br>
mitigations are not innocuous, and may change applications' behavior.<br>
<br>
That sounds like a big bowl of mess right now.<br>
<br>
Oh, and containers...<br>
<br>
Cheers,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Kilian<br>
</font></span><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
Beowulf mailing list, <a href="mailto:Beowulf@beowulf.org">Beowulf@beowulf.org</a> sponsored by Penguin Computing<br>
To change your subscription (digest mode or unsubscribe) visit <a href="http://www.beowulf.org/mailman/listinfo/beowulf" rel="noreferrer" target="_blank">http://www.beowulf.org/<wbr>mailman/listinfo/beowulf</a><br>
</div></div></blockquote></div><br></div>