https://cve.mitre.org/cgi-bin/cvename.c ... -2022-0847
This is quite the most serious privilege escalation hole for a long while, and AFAIK it affects both Bullseye and Buster. The fix is in kernel 5.10.102, but I see 5.10.92 and 5.10.63 on Bullseye and Buster respectively (just updated).
I guess the first question is 'does this affect the ARM kernel, or is it an x86-specific thing?'; I couldn't find any clarification on this anywhere.
If it does, are you aware of the timescales for getting a fixed kernel out?
Raspberry Pi OSes are affected. I tested it on my Pi (running Bullseye, and recently "apt upgraded") and was able to write to root-owned files from a non-root user (without sudo).
A great explanation of the exploit and code for the proof of concept is available here:
https://dirtypipe.cm4all.com/
Whilst Debian does have a fix for this in its "security" train of updates (see https://www.debian.org/security/2022/dsa-5092), this has not yet been transferred over to the Raspberry Pi OS update train.
My personal opinion is that this vulnerability is so serious that the Raspberry Pi OS maintainers should be moving heaven and earth to get the fix out to the masses.
I guess you should lend your voice to this thread if you agree.
ingestre wrote:
Tue Mar 08, 2022 7:55 pm
My personal opinion is that this vulnerability is so serious that the Raspberry Pi OS maintainers should be moving heaven and earth to get the fix out to the masses.
I guess you should lend your voice to this thread if you agree.
Agreed!
The patch has hit the RPi 5.15.y branch: https://github.com/raspberrypi/linux/co ... 89bd209932
...but doesn't seem to have made it to 5.10.y yet.
I'm going to apologise beforehand for this suggestion, as I can predict some people around here may suffer from a rush of blood to the head, which could trigger a knee-jerk reaction:
If kernel version 5.15.x isn't affected, happy days, just run 'sudo rpi-update' and relax ;)
"Never get out of the boat."
Absolutely goddamn right!
Unless you were goin' all the way...
Confirmed: kernel 5.15.26 is not affected by the vulnerability.
(I ran "sudo rpi-update" and the proof of concept code no longer works.)
Of course this is a very risky thing to do, as the kernel is not officially released and doing this puts you firmly in the role of "unpaid tester", i.e. it's not really suitable for production machines; there are known big issues with this!
I'd advise waiting for the 5.10 fix.
ingestre wrote:
Tue Mar 08, 2022 7:55 pm
Whilst Debian does have a fix for this in its "security" train of updates (see https://www.debian.org/security/2022/dsa-5092), this has not yet been transferred over to the Raspberry Pi OS update train.
My personal opinion is that this vulnerability is so serious that the Raspberry Pi OS maintainers should be moving heaven and earth to get the fix out to the masses.
I guess you should lend your voice to this thread if you agree.
I'm trusting that the powers that be don't need extra motivation nor need to gauge user demand to address something like this ASAP.
I can confirm that this vulnerability still exists on the current versions of both the 32-bit and 64-bit Pi kernels. My 32-bit version string is:
Linux version 5.10.92-v7+ (dom@buildbot) (arm-linux-gnueabihf-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1514 SMP Mon Jan 17 17:36:39 GMT 2022
and on my 64-bit systems it's
Linux version 5.10.92-v8+ (dom@buildbot) (aarch64-linux-gnu-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1514 SMP PREEMPT Mon Jan 17 17:39:38 GMT 2022
I am also anxiously awaiting an updated kernel. At least the Raspberry Pi, as popular as it is, is less likely to have mutually hostile users than a large Intel/AMD system.
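A defender-side triage check to go with the version strings above, added here as an example and not code from this thread: it pulls the kernel version out of a uname -r, uname -a or /proc/version string and classifies it against the fix versions the posts report (5.10.102 upstream, 5.10.103 in the Raspberry Pi OS apt kernel, 5.15.26 confirmed unaffected). The thresholds and the function names are assumptions taken from the thread; anything the thread does not cover is reported as unknown.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a Pi kernel version
# string against the Dirty Pipe (CVE-2022-0847) fix versions posted above.
# Thresholds assumed from the thread: upstream fix in 5.10.102 (Raspberry
# Pi OS shipped 5.10.103 via apt); 5.15.26 confirmed unaffected. Versions
# the thread says nothing about are reported as "unknown", not "fixed".

# First "major.minor.patch" in a `uname -r`, `uname -a` or /proc/version
# string; in all three the kernel version precedes the toolchain versions.
kver_extract() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when a.b.c >= x.y.z (arguments: a b c x y z).
ver_ge() {
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
    else [ "$3" -ge "$6" ]
    fi
}

# Print exactly one of: fixed, vulnerable, unknown.
dirtypipe_status() {
    v=$(kver_extract "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
    case "$maj.$min" in
        5.10) if ver_ge "$maj" "$min" "$pat" 5 10 102; then echo fixed; else echo vulnerable; fi ;;
        5.15) if ver_ge "$maj" "$min" "$pat" 5 15 26;  then echo fixed; else echo unknown; fi ;;
        *)    echo unknown ;;
    esac
}

# Constructed sample inputs: the strings posted in this thread plus one
# 5.15 string, showing all three outcomes.
for s in \
    '5.10.92-v7+' \
    'Linux version 5.10.103-v8+ (dom@buildbot) (aarch64-linux-gnu-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1530 SMP PREEMPT Tue Mar 8 13:06:35 GMT 2022' \
    'Linux raspberrypi 5.10.103-v8+ #1529 SMP PREEMPT Tue Mar 8 12:26:46 GMT 2022 aarch64 GNU/Linux' \
    '5.15.20-v8+' \
    '5.15.26-v8+'
do
    printf '%-11s %s\n' "$(dirtypipe_status "$s")" "$(kver_extract "$s")"
done
```

On a Pi itself, dirtypipe_status "$(uname -r)" gives the verdict for the running kernel; a 5.10 kernel reported vulnerable is the case the apt/rpi-update advice later in the thread addresses.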
ka9q wrote:
Wed Mar 09, 2022 6:36 am
I am also anxiously awaiting an updated kernel. At least the Raspberry Pi, as popular as it is, is less likely to have mutually hostile users than a large Intel/AMD system.
Get the latest development 5.15.26 kernel with sudo rpi-update; sudo reboot.
Languages using left-hand whitespace for syntax are ridiculous
DMs sent on https://twitter.com/DougieLawson or LinkedIn will be answered next month.
Fake doctors - are all on my foes list.
The use of crystal balls and mind reading is prohibited.
As above, if you need the fix right now, rpi-update, otherwise the kernels are being rebuilt for release as we speak, so will be available in apt pretty soon.
With regard to how we handle these things, we are on various mailing lists and receive updates from Debian with regard to CVEs and their fixes. We prioritise security over Pi-specific functionality, so if we need Raspberry Pi-specific patches on top of the CVE fix they take a bit longer to apply, but meanwhile you have the non-Pi-specific but secure versions of software. So you may lose some Pi functionality, but you will have the security fixes.
Principal Software Engineer at Raspberry Pi Ltd.
Working in the Applications Team.
jamesh wrote:
As above, if you need the fix right now, rpi-update, otherwise the kernels are being rebuilt for release as we speak, so will be available in apt pretty soon.
Thank you for the update, and also for the explanation of how you monitor and triage such issues.
Linux raspberrypi 5.10.103-v8+ #1529 SMP PREEMPT Tue Mar 8 12:26:46 GMT 2022 aarch64 GNU/Linux
Updated on my pi400 this morning.
Raspberry PI 400 Raspberry Pi OS (Debian Sid) Kernel: 6.1.34-v8+ aarch64 DE: XFCE 4.18
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
Pi tools:
Quickly and easily build customized exactly as-you-want SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure IPSEC/IKEV2 VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo
An updated 32-bit kernel (5.10.103-v7l+) just dropped into apt.
Tested it: it stops the vulnerability.
Huge kudos to the repo maintainers.
jamesh wrote:
Wed Mar 09, 2022 3:52 pm
Just about to post to say it's ready, but it's already been found!
Couldn't sleep. Ran updates as usual around 6am central time and noticed the new kernel.
I was first :P
Yup. Fixed in both the 32-bit and 64-bit versions of the kernel. Geez, I maintain a lot of Pis. Some are on mountaintops that are snowed in until spring so I'm always a little reluctant to reboot...
Linux version 5.10.103-v8+ (dom@buildbot) (aarch64-linux-gnu-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1530 SMP PREEMPT Tue Mar 8 13:06:35 GMT 2022
Linux version 5.10.103-v7+ (dom@buildbot) (arm-linux-gnueabihf-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1530 SMP Tue Mar 8 13:02:44 GMT 2022
ka9q wrote:
Wed Mar 09, 2022 7:16 pm
Yup. Fixed in both the 32-bit and 64-bit versions of the kernel. Geez, I maintain a lot of Pis. Some are on mountaintops that are snowed in until spring so I'm always a little reluctant to reboot...
Linux version 5.10.103-v8+ (dom@buildbot) (aarch64-linux-gnu-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1530 SMP PREEMPT Tue Mar 8 13:06:35 GMT 2022
Linux version 5.10.103-v7+ (dom@buildbot) (arm-linux-gnueabihf-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1530 SMP Tue Mar 8 13:02:44 GMT 2022
Is this a local privilege escalation or can it be leveraged remotely?
If you didn't disable passwordless sudo, then local privilege escalations are irrelevant.
ejolson wrote:
Wed Mar 09, 2022 7:35 pm
If you didn't disable passwordless sudo, then local privilege escalations are irrelevant.
That's an immature and foolish attitude to take; please just accept that lots of really knowledgeable and experienced IT professionals consider this a very serious issue for reasons that you don't understand.
easytarget wrote:
Thu Mar 10, 2022 9:44 am
ejolson wrote:
Wed Mar 09, 2022 7:35 pm
If you didn't disable passwordless sudo, then local privilege escalations are irrelevant.
That's an immature and foolish attitude to take; please just accept that lots of really knowledgeable and experienced IT professionals consider this a very serious issue for reasons that you don't understand.
Bwahahahahahaha...
As it is apparently board policy to disallow any criticism of anything, as it appears to criticise something is to criticise all the users of that something, I will no longer be commenting in threads which are not directly relevant to my uses of the Pi.
easytarget wrote:
Thu Mar 10, 2022 9:44 am
ejolson wrote:
Wed Mar 09, 2022 7:35 pm
If you didn't disable passwordless sudo, then local privilege escalations are irrelevant.
That's an immature and foolish attitude to take; please just accept that lots of really knowledgeable and experienced IT professionals consider this a very serious issue for reasons that you don't understand.
And lots of other people, perhaps not hampered by knowledge and experience, can see that if you have left the front door wide open there is little point being concerned about whether the rear window could be forced open.
Alternatively, perhaps you could help them understand?