SoylentNews is people
SoylentNews
from the deep-seated-insecurities-and-paranoia dept.
From TFA (the friendly article) at https://www.openwall.com/lists/oss-security/2019/01/09/3:
We discovered three vulnerabilities in systemd-journald (https://en.wikipedia.org/wiki/Systemd):
- CVE-2018-16864 and CVE-2018-16865, two memory corruptions (attacker-controlled alloca()s);
- CVE-2018-16866, an information leak (an out-of-bounds read).
CVE-2018-16864 was introduced in April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230). We developed a proof of concept for CVE-2018-16864 that gains eip control on i386.
CVE-2018-16865 was introduced in December 2011 (systemd v38) and became exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced in June 2015 (systemd v221) and was inadvertently fixed in August 2018.
We developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. We will publish our exploit in the near future.
To the best of our knowledge, all systemd-based Linux distributions are vulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection.
This confirms https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php: "It should be clear that kernel-only attempts to solve [the Stack Clash] will necessarily always be incomplete, as the real issue lies in the lack of stack probing."
The article goes on with more detailed information on exploits.
<sarcasm>It's a good thing that systemd does not affect very many systems and no systems running anything important.</sarcasm>
(Score: 2, Insightful) by Anonymous Coward on Friday January 11 2019, @01:25PM (11 children)
Don't use any distro that fell for the systemd propaganda.
Use Slackware instead.
(Score: 1, Informative) by Anonymous Coward on Friday January 11 2019, @02:20PM (4 children)
Void Linux is another good one.
For crazy people (like me) there is also Gentoo and Exherbo. I think Exherbo was systemd by default, but when building an Exherbo system, it's trivial to change to OpenRC.
(Score: -1, Troll) by Ethanol-fueled on Friday January 11 2019, @03:53PM (1 child)
You sound like a nigger. Yes, niggers. And you will not speak against the niggers, for the niggers are of our people. "Hey, you...yes, you, what the fuck you starin' at, White boy?!"
Yes, the niggers.
(Score: 0) by Anonymous Coward on Saturday January 12 2019, @11:43AM
Okay, curious, where's the nigger reference in there?
(Score: 1, Interesting) by Anonymous Coward on Friday January 11 2019, @04:05PM (1 child)
I second VOID. This distro is quite solid. Though it is rolling release, which means you have to be careful about driver configuration, which can sometimes collide on new releases.
(Score: -1, Troll) by Anonymous Coward on Saturday January 12 2019, @11:45AM
"collide [duckduckgo.com]"?!?!? that doesn't sound good!
(Score: 5, Insightful) by cosurgi on Friday January 11 2019, @04:48PM
I prefer devuan :)
#
#\ @ ? [adom.de] Colonize Mars [kozicki.pl]
#
(Score: 2) by Freeman on Friday January 11 2019, @04:59PM
There's also MX Linux. https://distrowatch.com/table.php?distribution=mx [distrowatch.com] Which is pretty popular on distrowatch. That may not be a great metric to go by, but it's something.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by Magic Oddball on Saturday January 12 2019, @04:00AM
Or for those of us who prefer a more user-friendly/out-of-the-box distro with a big repo, PCLinuxOS.
(Score: 2) by turgid on Saturday January 12 2019, @03:24PM
The correct answer.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by DeVilla on Saturday January 12 2019, @05:38PM (1 child)
Dear lazy web, is Gentoo still a decent desktop without systemd?
(Score: 0) by Anonymous Coward on Thursday January 17 2019, @05:01AM
Supposedly so. But chatter on their forum suggests the person currently in charge of OpenRC maintenance is running a false flag operation has he keeps introduced systemd-isms into OpenRC.
(Score: 3, Informative) by julian67 on Friday January 11 2019, @01:58PM (20 children)
A better solution:
apply patches as and when they become available.
Bugs far more severe have been found in every layer, from the kernel upwards, of every general purpose operating system. They get fixed.
The idea that one should avoid or abandon software if bugs are found only makes sense if those bugs cannot be fixed. Otherwise it's an absurdist position.
(Score: 5, Insightful) by canopic jug on Friday January 11 2019, @02:03PM (4 children)
The bugs were around for around two years. They're also the result of a combination of known bad design and known bad programming practices. Mistakes cannot be avoided but bad design and bad practices can. Those alone are enough reason to eschew garbage like systemd. On top of that you have an enormous monolith of complex, sparsely documented code.
Money is not free speech. Elections should not be auctions.
(Score: 5, Insightful) by digitalaudiorock on Friday January 11 2019, @02:24PM
Never mind that these bugs are in their shit-for-brains systemd-journald and binary logging. None of that should have ever happened, and nobody with any sense wanted it. But yea...it's all good...as long as sysadmins whose companies fell for RHEL 7 start treating it the way they've treated Windows Server...which is about where this has gone. Good luck with all that. No systemd in my home or my company, and never will be...thank God.
(Score: 4, Interesting) by Thexalon on Friday January 11 2019, @08:20PM (2 children)
Also, can we stop letting Lennart be in charge of anything important, please? Between systemd's awfulness (including on occasion breaking the Linux kernel) and PulseAudio's awfulness (ditto), I'm trying to figure out why anyone thinks he should be doing coding without adult supervision.
The moment I knew how bad systemd truly was: shortly after I had installed it for the first time on a desktop, I decided to swap out my aging PS/2 mouse for a USB mouse, so I shut down the machine, switched the mice, turned it back on, and was greeted with a black screen with no feedback at all about what was going on, and nothing in the logs about what had gone wrong when I swapped the mice back. Whereas my sysvinit-based system, in the same situation, would have booted up just fine and at worst would have needed some config file changed and a relevant daemon restarted. Based on that, I was forced to conclude that either the systemd developers had either not even thought about the possibility of swapping out hardware while the machine was turned off, or didn't care enough of about that scenario to make their stuff work properly under those conditions.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2, Funny) by Anonymous Coward on Saturday January 12 2019, @11:48AM (1 child)
Thank you for your bug report. We here at systemD central think that you are a poopy head with a need for a brain swap.
Please soak your head in vinegar.
And Have A Nice Day.
(Score: 2) by Thexalon on Sunday January 13 2019, @03:01PM
You forgot to mark it as "WONTFIX".
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Friday January 11 2019, @02:03PM (2 children)
I think you need to work on your reading comprehension.
These bugs have been around for years and never patched...
(Score: 5, Funny) by DannyB on Friday January 11 2019, @03:11PM (1 child)
You are making an assumption that these vulnerabilities are bugs instead of features.
The lower I set my standards the more accomplishments I have.
(Score: 1, Touché) by Anonymous Coward on Saturday January 12 2019, @11:50AM
Oh, great, so this is Year Of The Linux Desktop where Linux is just like Windows
When do we get built in advertising?
(Score: 5, Insightful) by rleigh on Friday January 11 2019, @02:24PM (1 child)
The chickens are coming home to roost, as we knew they would.
"Bugs far more severe have been found" is to completely ignore that bad design, bad coding practices and a huge amount of hubris and egotism went into this software. If the design was solid, and good coding practices had been followed, bugs like this simply couldn't happen. Because programmers with a bit more self-awareness and humility would not have used alloca() to perform a needless micro-optimisation at the expense of system security. Processing strings in C using the most dangerously insecure strategy possible isn't even a bug, it's crass stupidity. As is not having a maximum message size in the first page.
Some bugs are the result of genuine mistakes or extremely subtle side-effects. None of these problems fall into these categories. They are the result of programmers who think they are so great that they can't make mistakes, and that the rules don't apply to them.
If I had to write functions like this, my choice would be to implement it using C++ with extern "C" and a static libstdc++. This would provide a C interface to string operations using std::string and std::string_view. Safer, faster and more maintainable than the C string equivalents, and from the point of view of the caller, totally transparent. If I wrote my code like what's in journald, I'd be fired for gross incompetence. It wouldn't even make it pass cursory code review. Where's the oversight for the systemd developers?
(Score: 2) by bob_super on Friday January 11 2019, @06:09PM
I'm glad to learn from your experience that such bad code will never ever be adopted by anyone for any serious distro, and we'll never have to worry about that "systemd" thingy leaving the confines of the whackjobs' computer...
Oh wait, it's fucking everywhere ! Tell me again how everyone in the industry is a certified moron.
(disclaimer: I know why systemd is problematic. Make your points without being so hyperbolic that you assert nobody else has a clue)
(Score: 2) by DannyB on Friday January 11 2019, @03:15PM (7 children)
From TFA . . .
Should other distributions do likewise?
The lower I set my standards the more accomplishments I have.
(Score: -1, Troll) by Ethanol-fueled on Friday January 11 2019, @03:39PM (2 children)
I like running Windows 7 because it just works, then run Ubuntu in a VM because that just works. It should be the other way around but Ubuntu Linux is for Niggers.
(Score: 4, Interesting) by DannyB on Friday January 11 2019, @04:04PM (1 child)
I run Windows 10 at work, not by choice, but because it's what we use.
And it "just works" because we have a competent IT department and layered defenses. Only some offices have direct internet access at border gateway points. All other US and Canada offices have private connections to those points for internet access. There are spam and phishing defenses. External emails are marked EXTERNAL in the subject line. Mail attachments and links are scanned. Several thousand users with about 1.75 times that many PCs to protect using active directory policies to install and control software. Yet developers are allowed local administrative control, thus I can locally install anything I want onto my PC.
So yeah, Window 10 "just works" if you spend enough money. And it works well. Rarely is there any kind of penetration, and it is very quickly contained and isolated.
As an avid Java, Linux and Open Source advocate, I'm in the interesting situation that all of the software I use at work is the same software I use at home on Linux. Other than corporate applications like Office, WebEx, etc. More and more corporate applications (bug tracking systems, human resources systems, expense reporting systems, etc, etc) are all web based -- which makes Windows less and less relevant every single day. Microsoft's nightmare come true. The reason Microsoft killed Netscape was the fear that web applications would make the OS irrelevant. And it has.
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Thursday January 17 2019, @12:26PM
Have you seen the latest KBs for IE? Seriously? Even now, if you don't have the latest patch then a "specially crafted" web page can get system level access and take over the computer.
Even if you only miss some patches it can get user level.
It's nuts.
(Score: 2) by rleigh on Friday January 11 2019, @03:56PM (1 child)
"Not exploitable" does not mean bug-free. It means the process will segfault or abort. Slightly better than the alternative, but it's still far from ideal. It's a mitigation, rather than a solution. Better than nothing, but best not to place too much faith in it.
Also, the stack clash protection with a guard page still only provides protection with some caveats. It doesn't work on all platforms.
(Score: 2) by DannyB on Friday January 11 2019, @04:06PM
Bug free could still mean exploitable -- if the vulnerability were a feature rather than a bug. Or at least a feature in the eyes of whoever introduced the vulnerability into most Linux systems far and wide.
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Saturday January 12 2019, @04:55AM (1 child)
-fstack-clash-protection is only available in gcc 8, which is way too new to be available in most stable distributions.
(Score: 0) by Anonymous Coward on Saturday January 12 2019, @11:53AM
What I hear you saying is that RedHat is unstable.
Now it's been sold, I have absolutely no doubt.
(Score: 5, Insightful) by crafoo on Friday January 11 2019, @06:50PM (1 child)
I think you've missed the point. Bugs get fixed? OK. That's quite an assumption. Can people find the bugs? How hard is it to do so? How many people are actually looking or working on the source code? Are they all at the same institution or work for the same company?
systemd is needlessly complex and monolithic. It's quickly becoming the achillies heal of linux. it's poorly designed. it has "features" no one asked for. It incorporates and subsumes systems that it should not.
(Score: 4, Funny) by aristarchus on Friday January 11 2019, @11:17PM
Achilleus' mom wants a word with you.
(Score: 5, Informative) by aim on Friday January 11 2019, @02:56PM (3 children)
See subject. No systemd, no worry, no cry. And all the former glorious Debian goodness.
(Score: 4, Informative) by RS3 on Friday January 11 2019, @03:17PM
These: http://without-systemd.org/wiki/index.php/Linux_distributions_without_systemd [without-systemd.org]
I'm running Alpine Xen on a server and love it. It's busybox based, but it's easy to install the real packages when needed. It's well maintained, and very easy to migrate to the next version. Having started on SlackWare (still my favorite & go-to) I have no problem being very hands-on.
"refracta" looks interesting- haven't tried it yet. Anyone tried it?
(Score: 2) by DannyB on Friday January 11 2019, @04:07PM (1 child)
Windows doesn't have systemd yet still have lots of cry cry.
The lower I set my standards the more accomplishments I have.
(Score: 5, Touché) by aim on Friday January 11 2019, @04:17PM
If you consider that systemd is basically copying the Windows way, you'll see where the crying comes from.
(Score: 3, Insightful) by Anonymous Coward on Friday January 11 2019, @03:22PM (4 children)
to immediately rip out hundreds of CentOS hosts and a dozen big-ass RHEL+Oracle hosts and replace them with Slackware and Postgres. No prob. Won't cost a thing. Oracle DBA's don't care at alll what DB they run.
Give me Theo De Raadt over Lennart any day, Both are jerks, but at least Theo consistently delivers the well-designed robust code.
(Score: 0, Flamebait) by Ethanol-fueled on Friday January 11 2019, @03:31PM (2 children)
You need to settle down and eat some broiled hog anus, fellow.
(Score: 3, Informative) by Anonymous Coward on Friday January 11 2019, @04:02PM
Sounds like somebody missed their meds again.
(Score: 0) by Anonymous Coward on Friday January 11 2019, @05:54PM
You sound particularly stupid today. Sup?
(Score: 2, Interesting) by Anonymous Coward on Friday January 11 2019, @11:03PM
Just wait until their first Oracle audit, then they'll want to ditch that shit
(Score: 4, Interesting) by Anonymous Coward on Friday January 11 2019, @04:26PM (1 child)
Anybody who saw the win32 ini files and didn't expect that, is just clueless. Red Hat ~ Redmond. These guys do things the MS way, and should be regarded accordingly. How this ended up being in Debian and other mainstream distro's I really can't fathom. Does anybody really know the history of this?
It just seemed that there was a flurry of "Our shit supports everything" propaganda for about a year, and all of a sudden half a dozen distros shifted to it. There had to be a commercial interest behind it considering how much drama there was out there. Three guess's who that was, and the first two don't count.
(Score: 3, Interesting) by HiThere on Friday January 11 2019, @05:10PM
No evidence, but I tend to suspect government interest rather than commercial. But something large, powerful, and secretive.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 5, Insightful) by Azuma Hazuki on Friday January 11 2019, @05:48PM (3 children)
...but I TOLD YOU SO! This is the proof I've been waiting for for a couple of years now as to why systemd is cancerous. I've been on Void and Artix for a good while, Funtoo with OpenRC previously, and have been watching this entire systemd debacle with a mix of amusement (diminishing) and horror (increasing).
This does not surprise me, and the reason it doesn't surprise me is that systemd does not have pure motives. It looks, more than anything else, like an attempt by the corporate arm of Linux development to have their own "Windows distro," complete with laying the framework for the equivalent of MSCE testing and similar "industry." It is not The Unix Way (TM), and while a lot of Linux isn't either, it at least tries, whereas systemd seems to be trying to be as deliberately Microsoft-like as possible. The whole thing smells like Windows.
Thank fuck for OpenRC, Runit, and if it comes to this, the BSDs.
I am "that girl" your mother warned you about...
(Score: 0) by Anonymous Coward on Saturday January 12 2019, @01:38PM (2 children)
Feel free to run old software if that floats your boat. Runit, OpenRC and SysVinit had their growing pains too.
https://nvd.nist.gov/vuln/detail/CVE-2017-18188 [nist.gov]
https://nvd.nist.gov/vuln/detail/CVE-1999-1327 [nist.gov]
https://nvd.nist.gov/vuln/detail/CVE-1999-1329 [nist.gov]
https://nvd.nist.gov/vuln/detail/CVE-2006-1319 [nist.gov]
(Score: 5, Informative) by digitalaudiorock on Saturday January 12 2019, @07:33PM
Holy shit. I stopped looking at those bug links after the first one. As it turns out, that issue with OpenRC is expressly because OpenRC is currently being managed by a pro-systemd developer who's been relentlessly screwing it up in an attempt to make it more like systemd. That's why I, and many other Gentoo users, are still using OpenRC 0.17 which works great and doesn't even use opentmpfiles at all...which is the cause of that bug! Talk about self-fulfilling prophecies. That's the systemd way after all...patting yourself on the back for fixing the shit you fuck up.
But yea..."newer" is "better"...got it...even if it means fucking Windows-like binary logging...which by the way is where all these systemd bugs are. Give...me...a...fucking...break.
(Score: 3, Insightful) by Azuma Hazuki on Saturday January 12 2019, @10:15PM
gb2/mom's basement, Poettering...
I am "that girl" your mother warned you about...
(Score: 2, Interesting) by hopdevil on Friday January 11 2019, @06:01PM (1 child)
To successfully exploit this issue on a 64bit machine, you will likely have to send ~2048 of *large* high severity log messages (LOG_CRIT), over the course of ~70 minutes (avg). And you have to be running locally already.
From an attacker's perspective, it is nice to have root and dig in. But realistically, would you want to use a blow horn to announce your presence before taking control? Most systems probably aren't monitored very well, but I'm still curious how much use this will get in the wild.
(Score: 3, Insightful) by crafoo on Friday January 11 2019, @06:55PM
That doesn't seem all that restrictive for all of the very casually monitored VPSes out there. Getting logged in with a local user shell on a linux VPS minecraft server isn't all that difficult, for instance.
(Score: 0) by Anonymous Coward on Friday January 11 2019, @08:28PM
http://without-systemd.org/wiki/index.php/Arguments_against_systemd [without-systemd.org]
(Score: -1, Troll) by Anonymous Coward on Friday January 11 2019, @09:07PM
Read that again. They purposefully designed and developed malware. I have long held a suspicion that all these zillions of 'viruses' - for Windows, Mac and now Linux) are purposefully developed by the 'security' people - with the explicit purpose to sell their 'anti-virus' software to us. They then 'distribute' their codebase to copy-kids and it proliferates.
My view, my 2c, ymmv.