Re: [oss-security] Linux: Disabling network namespaces

2024-04-15 Thread Demi Marie Obenour
ncluding > distros) will start recommending this milder mitigation when sufficient. Is this still compatible with Firefox? IMO an ideal solution would be: 1. Provide a privileged helper daemon that sets up containers based on user requirements. 2. Port programs that use containers to use this

Re: [oss-security] Linux: Disabling network namespaces

2024-04-16 Thread Demi Marie Obenour
For containers, I'm not aware of a good solution right now. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] Linux: Disabling network namespaces

2024-04-23 Thread Demi Marie Obenour
from /.flatpak-info, instead of having the flatpak process that spawned the container pass the info to the dbus proxy along with the FD used to communicate with the container? -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] linux-distros application for CentOS Project's Hyperscale SIG

2024-07-10 Thread Demi Marie Obenour
ot affiliated with your distro > nor your organization, vouch for at least one of the people requesting > membership on behalf of your distro (then that one vouched-for person will be > able to vouch for others on your team, in case you'd like multiple people > subscribed) > &

Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch

2024-07-14 Thread Demi Marie Obenour
d have still worked, but was not actually exercising huge pages as > |intended.) > > The Linux commit messages are tremendous books that often leave me > stunning. I *never* get together such things in my own work > process. So thanks for spending additional time reiterating

Re: [oss-security] [SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str

2024-07-24 Thread Demi Marie Obenour
> distros@openwall on July 15, 2024. > > curl 8.9.0 was released on July 24 2024 around 06:00 UTC, coordinated with > the publication of this advisory. > > CREDITS > --- > > - Reported-by: z2_ > - Patched-by: z2_ > > Thanks a lot! > > -- > > / daniel.haxx.se > | Commercial curl support up to 24x7 is available! > | Private help, bug fixes, support, ports, new features > | https://curl.se/support.html -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1

2024-08-06 Thread Demi Marie Obenour
ated proxy. I would also be fine with dropping support for non-AEAD ciphers in TLS 1.2. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1

2024-08-06 Thread Demi Marie Obenour
there are still > machines outside that only offer such old versions. > Some of them can't be upgraded easily because the vendor doesn't > provide any new versions. Can those machines be put behind a proxy? -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1

2024-08-07 Thread Demi Marie Obenour
; (It's somewhat amazing how often Windows CE and Windows Mobile crop up > every now and again). > > Jeff Why does this prevent using a proxy in front of the device? I mean something like (patched) stunnel or another generic TLS reterminating proxy, not something specific to the device. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1

2024-08-08 Thread Demi Marie Obenour
ms, e.g. by a search > engine indexer, an asset enumeration tool, a security scanner, or during > a pentest. > > For both of these categories, it's desirable to have a maintained > library that supports this wide range of protocol versions. The proxy > solution that Demi Marie

Re: [oss-security] Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables

2024-11-12 Thread Demi Marie Obenour
im itself, only of the rest of the system. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses

2024-09-25 Thread Demi Marie Obenour
the SHA256 hash is still bad. Instead, I would use a seeded PRF with a seed only known to the server, ensuring that the resulting value does not leak any information about the email. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so

2024-10-15 Thread Demi Marie Obenour
se to > take that route, though. > > Best Regards > > Matthias What about opening the path one portion at a time using openat() with O_NOFOLLOW (and, as applicable, O_DIRECTORY), ensuring that each portion is not "." or "..", does not contain "/", and is owned by either the target user or root? This solves all race conditions and does not require spawning another process. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] Linux: general protection fault in __vmx_vcpu_run with nested virtualization

2025-01-06 Thread Demi Marie Obenour
an > August of 2022) is just fine. > > Hopefully everyone here is running a kernel newer than August of 2022, > but hey, who knows! Is this exploitable for anything other than denial of service? -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close

2025-02-05 Thread Demi Marie Obenour
closing the same file descriptor multiple times, and Rust enforces this in the type system. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] AMD Microcode Signature Verification Vulnerability

2025-01-22 Thread Demi Marie Obenour
uld load arbitrary microcode, they could compromise SMM, SEV-SNP, and DRTM, so this is still pretty bad. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] CVE-2024-40896 Analysis: libxml2 XXE due to type confusion

2024-12-25 Thread Demi Marie Obenour
rary is realistic, SSRF would be a change of scope (right?), and the > worst impacts of all 3 kinds are quite possible. If SSRF is a scope change, shouldn't that mean that RCE is also a scope change? It's usable for SSRF after all. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] vulnerabilities in busybox tar and cpio tools

2025-04-24 Thread Demi Marie Obenour
not configured in a DMARC-compatible way. Specifically, the mailing list did not rewrite the From: header but did modify the message body, so the DKIM signature check failed. -- Sincerely, Demi Marie Obenour (she/her/hers)

Re: [oss-security] vulnerabilities in busybox tar and cpio tools

2025-04-25 Thread Demi Marie Obenour
On 4/24/25 7:57 PM, Solar Designer wrote: > On Thu, Apr 24, 2025 at 07:09:44PM -0400, Demi Marie Obenour wrote: >> On 4/24/25 3:09 AM, Albert Veli wrote: >>> On Wed, Apr 23, 2025 at 10:51 PM Salvatore Bonaccorso >>> wrote: >>>> FTR, this one has assigned

Re: [oss-security] CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids()

2025-04-10 Thread Demi Marie Obenour
6.12. Any reason this wasn’t backported to older kernel versions? Linux kernel patch backporting is best effort, sadly. -- Sincerely, Demi Marie Obenour (she/her/hers)

Re: [oss-security] Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through

2025-02-27 Thread Demi Marie Obenour
bility. > > > > Is disabling interrupt remapping another way of mitigating this > vulnerability (e.g iommu=no-intremap) ? No, as this allows other attacks that allow denial of service at the very least. See https://lore.kernel.org/xen-devel/19915.58644.191837.671...@mariner.uk.xensource.com/. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab

Re: [oss-security] Linux kernel: HFS+ filesystem implementation issues, exposure in distros

2025-06-02 Thread Demi Marie Obenour
ng able to break them is without question worthy of a CVE. ChromeOS Security has confirmed that they do indeed consider "attacker corrupts writable storage to get code execution when the machine reboots" to be in scope for their threat model. The only way I can think of to fix this issue

Re: [oss-security] CVE-2024-47081: Netrc credential leak in PSF requests library

2025-06-03 Thread Demi Marie Obenour
's definitely better to reconstruct the URL from scheme, authority, path, and query before sending the request, but I am almost certain there are servers in the wild that do not do this. -- Sincerely, Demi Marie Obenour (she/her/hers)

Re: [oss-security] Linux kernel: HFS+ filesystem implementation issues, exposure in distros

2025-06-11 Thread Demi Marie Obenour
ecurity to become a comaintainer of the relevant kernel code. It is clear that there are quite a few people who agree with you, but none of them are currently upstream filesystem maintainers, and they are the ones who Greg K-H asks when making decisions as to what is and is not a vulnerability. -- Sincerely, Demi Marie Obenour (she/her/hers)

Re: [oss-security] Linux kernel: HFS+ filesystem implementation issues, exposure in distros

2025-06-11 Thread Demi Marie Obenour
On 6/5/25 23:02, Solar Designer wrote: > Re-added CC: Attila, Muhammed > > On Mon, Jun 02, 2025 at 11:38:30PM -0400, Demi Marie Obenour wrote: >> On 6/2/25 22:59, Solar Designer wrote: >>> The kernel security team ended up rejecting the CVE: >>> >>>

Re: [oss-security] Linux kernel: eBPF vulnerabilities

2025-08-03 Thread Demi Marie Obenour
e > (skipping today's disclosure or limiting it to even less info than was > on linux-distros), as doing so didn't seem to serve a useful purpose yet > it would keep further handling by linux-distros in limbo. Now we're > done handling this on linux-distros, and any further developments should > be added to this oss-security thread instead. Are these exploitable via *classic* BPF? The reason I ask is that this is nearly always available to unprivileged users in the form of seccomp, and no hardening guide will recommend disabling seccomp-BPF as that is one of the best tools userspace has to sandbox itself! -- Sincerely, Demi Marie Obenour (she/her/hers)