[Beowulf] Heads up - Stack-Clash local root vulnerability

Peter St. John peter.st.john at gmail.com
Wed Jun 21 08:59:13 PDT 2017


I'd check to see that the vector of attack is something that pertains to my
system, before worrying too much about the vulnerability. Maybe the vector
is the Preview Pane in Outlook, right?
Peter

On Wed, Jun 21, 2017 at 11:55 AM, Kilian Cavalotti <kilian.cavalotti.work at gmail.com> wrote:

> Hi Chris,
>
> Thanks for starting the discussion here.
>
> We're pretty much in the same boat (no changes made yet), as:
> 1. we're still running some RHEL 6.x based clusters, with x < 9,
> meaning no patches for either the kernel or glibc,
> 2. those kernel+glibc patches seem to just be "mitigations" and don't
> solve the underlying problem anyway
> (cf. https://access.redhat.com/security/vulnerabilities/stackguard#magicdomid15)
>
> As far as I understand this, the real fix will be to recompile all of
> your binaries using a properly working implementation of -fstack-check
> in gcc (which doesn't exist yet). So in terms of timeline, that means
> GCC needs to be fixed, system applications need to be recompiled,
> distributions need to repackage and distribute them, and then all the
> userland applications need to be recompiled. It's a multi-year
> process.
>
> So we're not really sure how to approach this, as recompiling
> everything seems really like the utopian dream of somebody who never
> managed any shared system. Plus, as you mentioned, even the
> mitigations are not innocuous, and may change applications' behavior.
>
> That sounds like a big bowl of mess right now.
>
> Oh, and containers...
>
> Cheers,
> --
> Kilian