Shapemaker (n00b)
Joined: 22 Aug 2004 Posts: 64 Location: Finland
Posted: Sun Mar 06, 2005 4:18 pm Post subject: A critical vulnerability in PaX has been found
Hi all!
While browsing the GRSecurity forums http://forums.grsecurity.net/index.php I came across the following very disturbing information:

Quote:
PaX privilege elevation security bug
Severity: critical
Description: unprivileged users can execute arbitrary code with the privileges of the target in any program they or other users can execute. It is definitely exploitable for local users; remote exploitability depends on how much control one can have over executable file mappings in the target.
Affected versions: all releases since 2003 September (when vma mirroring was introduced)
Affected configurations: anyone having SEGMEXEC or RANDEXEC (vma mirroring) in the kernel's .config file
Fixed versions: patches released today, see http://pax.grsecurity.net
Mitigation: echo "0 0" > /proc/sys/vm/pagetable_cache
This will eliminate the obvious exploit vector only; patching is still unavoidable.
Technical details will be posted to the dailydave mailing list, probably early next week.
This is a spectacular fuckup, it pretty much destroys what PaX has always stood and been trusted for. For this and other reasons, PaX will be terminated on 1st April, 2005, a fitting date... Brad Spengler offered to take it up but if you're interested in helping as well, contact pageexec_at_freemail.hu.
The text above can be found at http://seclists.org/lists/fulldisclosure/2005/Mar/0211.html. What this means for PaX's future, I don't know, but I hope for the best. For the moment it seems every hardened Gentoo installation (with hardened kernel) which employs the SEGMEXEC or RANDEXEC options is vulnerable. This is obviously very bad news.
_________________
"Intellectual Property" should be an affront to anyone capable of independent thought.

Rüpel (Guru)
Joined: 06 Nov 2002 Posts: 316 Location: Berlin/Germany
Posted: Sun Mar 06, 2005 5:05 pm Post subject:
wow. wtf.
btw: "This is a spectacular fuckup" - nice wording
_________________
:wq

Shapemaker (n00b)
Joined: 22 Aug 2004 Posts: 64 Location: Finland
Posted: Mon Mar 07, 2005 4:16 pm Post subject:
Really, don't the developers or security people have anything to say about this?
As I see it, the whole base on which hardened Gentoo has been built is at least partially broken. IF that information is correct.
This should be patched ASAP! In the meantime the only likely fix is to disable the SEGMEXEC and RANDEXEC options in the kernel .config, make && make modules_install, install the new kernel and reboot. Or, as suggested in the bug report:
Code:
echo "0 0" > /proc/sys/vm/pagetable_cache
Yes, I am worried by this
_________________
"Intellectual Property" should be an affront to anyone capable of independent thought.
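An added audit script (example code, not from this thread, the advisory, or the PaX project) that checks a machine for the affected configuration quoted in the first post and reports whether the interim "0 0" pagetable_cache mitigation is in place. It assumes the kernel .config is readable as a plain file, that the PaX options appear there as CONFIG_PAX_SEGMEXEC / CONFIG_PAX_RANDEXEC, and that the sysctl lives at the path the advisory gives; both paths are passed as parameters so the same functions can be run against saved copies of the files, and the demo values at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from the PaX project.
# Audits a box for the configuration the advisory names (SEGMEXEC or
# RANDEXEC, i.e. vma mirroring) and checks whether the interim mitigation
# ("0 0" in /proc/sys/vm/pagetable_cache) has been applied.
# Assumptions: the kernel .config is readable as a plain file and the PaX
# options appear as CONFIG_PAX_SEGMEXEC / CONFIG_PAX_RANDEXEC; both paths
# are parameters so the check can run against saved copies.

# pax_vma_mirroring_enabled CONFIG_FILE -> 0 if either option is built in
pax_vma_mirroring_enabled() {
    grep -Eq '^CONFIG_PAX_(SEGMEXEC|RANDEXEC)=y' "$1"
}

# pagetable_cache_disabled SYSCTL_FILE -> 0 if the file reads "0 0"
pagetable_cache_disabled() {
    [ -r "$1" ] || return 1
    # the sysctl holds two integers (low and high water marks of the cache);
    # word-splitting the file contents puts them in $1 and $2
    set -- $(cat "$1")
    [ "${1:-x}" = "0" ] && [ "${2:-x}" = "0" ]
}

# pax_status CONFIG_FILE SYSCTL_FILE -> prints not-affected | mitigated | VULNERABLE
pax_status() {
    if ! pax_vma_mirroring_enabled "$1"; then
        echo "not-affected"
    elif pagetable_cache_disabled "$2"; then
        echo "mitigated"
    else
        echo "VULNERABLE"
    fi
}

# apply_mitigation SYSCTL_FILE -> the advisory's interim workaround (needs root on a live box)
apply_mitigation() {
    echo "0 0" > "$1"
}

# Demo on constructed files (sample values, not taken from any real system).
demo_dir=$(mktemp -d)
printf 'CONFIG_PAX_SEGMEXEC=y\n# CONFIG_PAX_RANDEXEC is not set\n' > "$demo_dir/config"
printf '25 50\n' > "$demo_dir/pagetable_cache"   # constructed pre-mitigation value
echo "before: $(pax_status "$demo_dir/config" "$demo_dir/pagetable_cache")"
apply_mitigation "$demo_dir/pagetable_cache"
echo "after:  $(pax_status "$demo_dir/config" "$demo_dir/pagetable_cache")"
rm -rf "$demo_dir"
# On a live system: pax_status /boot/config-$(uname -r) /proc/sys/vm/pagetable_cache
```

Note that, as the advisory itself says, a "mitigated" result only removes the obvious exploit vector; the real fix is the patched kernel, so treat this check as a stop-gap inventory tool rather than a sign-off.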
colonel_dolphin (n00b)
Joined: 12 Jan 2004 Posts: 39
Posted: Mon Mar 07, 2005 8:45 pm Post subject: FYI
I AM NOT THE AUTHOR .. just cross posting for your convenience:
A patch for PaX has been released. Implementation obviously requires recompiling.

Subject: [announce-l] Critical bug in PaX: All Adamantix kernels affected.
From: "Peter Busser" <busser@m-privacy.de>
Date: Mon, March 7, 2005 3:15 am
To: announce-l@lists.adamantix.org

Hi!
The following link points to an announcement on Full-Disclosure (a well known
security mailing list BTW):
http://lists.netsys.com/pipermail/full-disclosure/2005-March/032240.html
The bug described here can give easy root access when exploited locally.
Despite what the announcement says, this bug dates back to September 2002.
PaX has and will be an important part of Adamantix. The stuff it handles is
rather complex, because of the many technical details involved. Humans are
not very good at handling complexity and therefore things like this happen.
There are fine examples of bugs of the same magnitude to be found in the
bugtracker of a competing kernel patch. Only those bugs have been
``camouflaged'' and have not been publicly announced.
Anyhow, for the PaX author, this was the final straw. And he will stop
developing PaX in April. Sometimes you figure out that the goals you set are
not going to be reached. In situations like that it is often best to get over
it and start doing something else. That is basically what happened here. I
have seen this coming for some time now and while it is sad, things like this
are sometimes inevitable.
PaX is not only important for Adamantix or other security related
distributions and security conscious individuals. Lots of people use it
because of its quality. Actually, despite what some people claim, there is
nothing comparable to PaX at the moment. Therefore switching to something
else is not an option. It looks like a few of these people who use PaX also
have the required technical skills and want to continue the PaX project.
However, it remains to be seen how this works out in practice.
Adamantix is still a 2.4 based distribution. And this line of kernels doesn't
change much. So the PaX patch as we know it will be usable for Adamantix for
quite some time. For 2.6 things are different. There are plans to include 2.6
in Adamantix. But since 2.6 is not stable enough for use in security
applications, this is not a high priority. The direct impact for Adamantix is
therefore limited. What the long-term impact will be is unclear at the
moment, it depends on how things work out. Given the importance of PaX, I am
quite confident that it works out well in the end.
Joerg Weber has been working on newer Adamantix kernels. He was almost ready
to upload them, when this bug showed up. After adding the patch for this bug,
they will be compiled and uploaded. However, this might take a few days.
Groetjes,
Peter.

Shapemaker (n00b)
Joined: 22 Aug 2004 Posts: 64 Location: Finland
Posted: Thu Mar 10, 2005 10:15 pm Post subject:
Ok, so there is a patch available (I've been out of work for a while). When will it be incorporated in the hardened-dev-sources, or is it there already? (Sorry, cannot check it myself, I'm on a work trip.)
_________________
"Intellectual Property" should be an affront to anyone capable of independent thought.

at0mik (n00b)
Joined: 11 Mar 2005 Posts: 1
Posted: Fri Mar 11, 2005 6:32 pm Post subject:
Why isn't it already released? I think it's a critical patch.....