
Tuesday, May 3rd, 2016

    6:44a
    May Android security bulletin
    The Android security bulletin for May is available. It lists 40 different CVE
    numbers addressed by the May over-the-air update; the bulk of those are at
    a severity level of "high" or above. "Partners were notified about
    the issues described in the bulletin on April 04, 2016 or earlier. Source
    code patches for these issues will be released to the Android Open Source
    Project (AOSP) repository over the next 48 hours. We will revise this
    bulletin with the AOSP links when they are available. The most severe of
    these issues is a Critical security vulnerability that could enable remote
    code execution on an affected device through multiple methods such as
    email, web browsing, and MMS when processing media files."
    4:08p
    Security advisories for Tuesday

    Debian-LTS has updated openjdk-7 (multiple vulnerabilities) and smarty3 (code execution).

    Fedora has updated php (F23: multiple vulnerabilities).

    Gentoo has updated git (multiple vulnerabilities).

    Oracle has updated mercurial (OL7: two vulnerabilities).

    Scientific Linux has updated mercurial (SL7: two vulnerabilities).

    Slackware has updated mercurial (code execution).

    Ubuntu has updated libtasn1-3, libtasn1-6 (15.10, 14.04, 12.04: denial of service), libtasn1-6 (16.04: denial of service), openssl (multiple vulnerabilities), poppler (15.10, 14.04, 12.04: multiple vulnerabilities), and firefox (12.04: denial of service).

    5:33p
    Linux Kernel BPF JIT Spraying (grsecurity forums)
    Over at the grsecurity forums, Brad Spengler writes about a recently released proof-of-concept attack on the kernel using JIT spraying. "What happened next was the hardening of the BPF interpreter in grsecurity to prevent such future abuse: the previously-abused arbitrary read/write from the interpreter was now restricted only to the interpreter buffer itself, and the previous warn on invalid BPF instructions was turned into a BUG() to terminate execution of the exploit. I also then developed GRKERNSEC_KSTACKOVERFLOW which killed off the stack overflow class of vulns on x64.

    A short time later, there was work being done upstream to extend the use of BPF in the kernel. This new version was called eBPF and it came with a vastly expanded JIT. I immediately saw problems with this new version and noticed that it would be much more difficult to protect -- verification was being done against a writable buffer and then translated into another writable buffer in the extended BPF language. This new language allowed not just arbitrary read and write, but arbitrary function calling."
    The protections in the grsecurity kernel will thus prevent this attack. In addition, the newly released RAP feature for grsecurity, which aims to eliminate return-oriented programming (ROP) as an exploitation technique in the kernel, will also ensure that "the fear of JIT spraying goes away completely", he said.
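    As an added illustration of the mechanism behind the attack discussed above (my own userspace model, not code from the grsecurity post or from the kernel's BPF JIT), the block below shows why a JIT that copies attacker-chosen 32-bit immediates verbatim into executable memory is a JIT-spraying target, and why constant blinding, the standard countermeasure, removes that property. It assumes the JIT lowers a BPF "mov r0, imm32" to the x86 encoding B8 imm32 (mov eax, imm32), uses a fixed blinding key so the output is reproducible, and packs a constructed 9-byte payload; nothing is executed, the bytes are only emitted and inspected.

```c
/* Added example, not code from the grsecurity post or from the Linux kernel. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define OP_MOV_EAX_IMM32 0xB8   /* x86: mov eax, imm32 (5 bytes) */
#define OP_XOR_EAX_IMM32 0x35   /* x86: xor eax, imm32 (5 bytes) */
#define OP_CMP_AL_IMM8   0x3C   /* x86: cmp al, imm8   (2 bytes) */
#define DEMO_KEY 0xA5A5A5A5u    /* fixed blinding key; a real JIT draws one per insn */

/* Constructed payload: three 3-byte groups, each ending on an instruction
 * boundary: "xor eax,eax; nop", "inc eax; nop", "ret; nop; nop". */
static const uint8_t PAYLOAD[9] = { 0x31, 0xC0, 0x90, 0xFF, 0xC0, 0x90, 0xC3, 0x90, 0x90 };

/* Emit "mov eax, imm32" (assumed lowering of BPF "mov r0, imm"). Naive: the
 * attacker's immediate is copied verbatim. Blinded: emit imm ^ key and undo it
 * with "xor eax, key"; eax is identical, but the chosen bytes never hit memory. */
static size_t emit_mov_imm(uint8_t *out, uint32_t imm, int blind)
{
    uint32_t key = DEMO_KEY, v = blind ? imm ^ key : imm;
    out[0] = OP_MOV_EAX_IMM32;
    memcpy(out + 1, &v, 4);
    if (!blind) return 5;
    out[5] = OP_XOR_EAX_IMM32;
    memcpy(out + 6, &key, 4);
    return 10;
}

/* Pack 3 payload bytes per immediate. The 4th byte is 0x3C: read from offset 1
 * it swallows the next instruction's 0xB8 opcode as the operand of a harmless
 * "cmp al, 0xB8", so consecutive fragments chain together. */
static size_t pack_payload(const uint8_t *p, size_t len, uint32_t *imms, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i += 3, n++) {
        uint8_t b[4] = { 0x90, 0x90, 0x90, OP_CMP_AL_IMM8 };   /* nop padding */
        for (size_t j = 0; j < 3 && i + j < len; j++) b[j] = p[i + j];
        memcpy(&imms[n], b, 4);
    }
    return n;
}

/* Pack PAYLOAD and "compile" it; returns the length of the emitted code. */
static size_t build(int blind, uint8_t *code)
{
    uint32_t imms[8];
    size_t n = pack_payload(PAYLOAD, sizeof PAYLOAD, imms, 8), off = 0;
    for (size_t i = 0; i < n; i++)
        off += emit_mov_imm(code + off, imms[i], blind);
    return off;
}

/* Follow the bytes from offset 1 as a jump into the first instruction would:
 * 3 payload bytes, the 2-byte glue "3C B8", repeat. Returns the payload bytes
 * recovered, or -1 when the glue is missing and the chain falls apart. */
static int walk_from_offset1(const uint8_t *code, size_t len, uint8_t *out, size_t max)
{
    size_t pos = 1, got = 0;
    while (pos + 3 <= len && got + 3 <= max) {
        memcpy(out + got, code + pos, 3);
        got += 3, pos += 3;
        if (pos + 2 > len) break;                    /* end of code */
        if (code[pos] != OP_CMP_AL_IMM8 || code[pos + 1] != OP_MOV_EAX_IMM32)
            return -1;
        pos += 2;
    }
    return (int)got;
}

/* 1 if jumping to offset 1 of the emitted code would execute PAYLOAD intact. */
static int spray_leaks_payload(int blind)
{
    uint8_t code[128], got[16];
    size_t len = build(blind, code);
    int r = walk_from_offset1(code, len, got, sizeof got);
    return r == (int)sizeof PAYLOAD && memcmp(got, PAYLOAD, sizeof PAYLOAD) == 0;
}

/* 1 if any 3-byte PAYLOAD fragment appears contiguously anywhere in the code. */
static int code_contains_fragment(int blind)
{
    uint8_t code[128];
    size_t len = build(blind, code);
    for (size_t f = 0; f + 3 <= sizeof PAYLOAD; f += 3)
        for (size_t i = 0; i + 3 <= len; i++)
            if (memcmp(code + i, PAYLOAD + f, 3) == 0) return 1;
    return 0;
}

int main(void)
{
    for (int blind = 0; blind < 2; blind++) {
        uint8_t code[128];
        size_t len = build(blind, code);
        printf("%-9s", blind ? "blinded:" : "naive:");
        for (size_t i = 0; i < len; i++) printf(" %02x", code[i]);
        printf("\n  jump to +1 runs payload: %d, payload fragment in code: %d\n",
               spray_leaks_payload(blind), code_contains_fragment(blind));
    }
    return 0;
}
```

    Built with any C99 compiler, the program prints both byte strings. In the naive output the payload fragments sit at offset 1, separated only by the 2-byte "cmp al, 0xB8" glue, so a jump one byte into any sprayed instruction runs them; in the blinded output neither the fragments nor the glue survive, and the sprayed region is no longer useful to an attacker who cannot predict the key. On a kernel of this vintage the JIT can also simply be switched off through the net.core.bpf_jit_enable sysctl, at the cost of interpreting filters, which removes the sprayable code altogether.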

