On Tue, Aug 10, 2021 at 5:04 AM Samuel Thibault <sthiba...@debian.org> wrote:
> In the past months, Sergey Bugaev has been working on fixing some
> Hurd security vulnerabilities.

Well I certainly wasn't doing it alone :)

Samuel and I have been working together over the past few months to design and implement fixes for the several severe vulnerabilities in the Hurd. (How many of those vulnerabilities we have fixed is hard to quantify, but it's more than just the three I reported initially.)

I worked on:
- Actually finding the vulnerabilities and developing exploits for them
- Coming up with potential ways we could work towards fixing them
- Actually writing most of the code
- Testing it in a subhurd

Samuel helped with reviewing my changes and making design decisions; towards the end he got some time and joined in with testing, debugging, and writing code.

None of the vulnerabilities were as simple as an off-by-one error or a missing check; they all had to do with certain mechanisms being structured in a way that makes them subtly insecure, which is why fixing them required a lot of design work. We ended up switching our approach several times; I believe our final version is much better than what we were trying to do initially. In the end, we managed to make the changes way less invasive than it seemed they had to be, and they complicate things much less than it initially appeared was necessary. Still, the changes touch most of the components of the Hurd.

We were aiming to make it in time for the upcoming Debian release, to make sure it already contains the fixed versions. There were some troubles and a change of approach and new bugs discovered (and fixed) in the last few days, but apparently we did make it in time!

I urge everybody to upgrade (and reboot!) their systems as soon as possible. I have already updated mine, and can confirm that all my exploits fail now.

Sergey