| Date | Who | What changed | Old value | New value | Message |
|---|---|---|---|---|---|
| 2013-12-10 14:20:46 | Philipp Kern | bug | | | added bug |
| 2013-12-10 14:21:04 | Philipp Kern | information type | Private Security | Public Security | |
| 2013-12-10 14:30:09 | Brad Figg | linux (Ubuntu): status | New | Incomplete | |
| 2013-12-10 14:33:41 | Margarita Manterola | linux (Ubuntu): status | Incomplete | Confirmed | |
| 2013-12-10 14:35:10 | Margarita Manterola | description | To enable kexec makes sense for a generic distro kernel. But if your users have root and you want to make it hard for them to run code in ring 0, you commonly disable further module loading and you also want to disable kexec[1]. Kees Cook wrote up a patch[2] that we'd like to see applied to the Ubuntu kernel to avoid recompilation of the distro kernel. I'm marking this as a security issue on the ground that it's quite surprising that setting kernel.modules_disabled=1 as a hardening feature can be subverted by using kexec. [1] http://mjg59.dreamwidth.org/28746.html [2] https://lkml.org/lkml/2013/12/9/765 | To enable kexec makes sense for a generic distro kernel. But if your users have root in their virtual machines, and you want to make it hard for them to run code in ring 0, you commonly disable further module loading and you also want to disable kexec[1]. Kees Cook wrote up a patch[2] that we'd like to see applied to the Ubuntu kernel to avoid recompilation of the distro kernel. I'm marking this as a security issue on the ground that it's quite surprising that setting kernel.modules_disabled=1 as a hardening feature can be subverted by using kexec. [1] http://mjg59.dreamwidth.org/28746.html [2] https://lkml.org/lkml/2013/12/9/765 | |
| 2013-12-10 14:37:29 | Margarita Manterola | bug | | | added subscriber Goobuntu Team |
| 2013-12-10 14:52:15 | Marc Deslauriers | linux (Ubuntu): assignee | | Tyler Hicks (tyhicks) | |
| 2013-12-10 14:52:29 | Marc Deslauriers | tags | | rls-t-incoming | |
| 2013-12-10 14:55:25 | Marc Deslauriers | bug | | | added subscriber Marc Deslauriers |
| 2013-12-10 17:49:48 | Joseph Salisbury | linux (Ubuntu): importance | Undecided | Medium | |
| 2013-12-10 17:49:54 | Joseph Salisbury | tags | rls-t-incoming | rls-t-incoming trusty | |
| 2013-12-11 15:39:58 | Kees Cook | bug | | | added subscriber Kees Cook |
| 2013-12-11 18:08:07 | Mark Russell | bug | | | added subscriber Canonical Support |
| 2013-12-11 18:35:11 | Marc Deslauriers | nominated for series | | Ubuntu Precise | |
| 2013-12-11 18:35:11 | Marc Deslauriers | bug task added | | linux (Ubuntu Precise) | |
| 2013-12-11 18:35:11 | Marc Deslauriers | nominated for series | | Ubuntu Quantal | |
| 2013-12-11 18:35:11 | Marc Deslauriers | bug task added | | linux (Ubuntu Quantal) | |
| 2013-12-11 18:35:11 | Marc Deslauriers | nominated for series | | Ubuntu Trusty | |
| 2013-12-11 18:35:11 | Marc Deslauriers | bug task added | | linux (Ubuntu Trusty) | |
| 2013-12-11 18:35:11 | Marc Deslauriers | nominated for series | | Ubuntu Raring | |
| 2013-12-11 18:35:11 | Marc Deslauriers | bug task added | | linux (Ubuntu Raring) | |
| 2013-12-11 18:35:11 | Marc Deslauriers | nominated for series | | Ubuntu Saucy | |
| 2013-12-11 18:35:11 | Marc Deslauriers | bug task added | | linux (Ubuntu Saucy) | |
| 2013-12-11 18:35:27 | Marc Deslauriers | linux (Ubuntu Precise): status | New | Confirmed | |
| 2013-12-11 18:35:30 | Marc Deslauriers | linux (Ubuntu Precise): importance | Undecided | Medium | |
| 2013-12-11 18:35:36 | Marc Deslauriers | linux (Ubuntu Precise): assignee | | Tyler Hicks (tyhicks) | |
| 2014-02-07 13:56:53 | Andy Whitcroft | linux (Ubuntu Trusty): assignee | Tyler Hicks (tyhicks) | Andy Whitcroft (apw) | |
| 2014-02-07 13:56:56 | Andy Whitcroft | linux (Ubuntu Trusty): status | Confirmed | Fix Committed | |
| 2014-02-07 14:39:36 | Andy Whitcroft | linux (Ubuntu Precise): assignee | Tyler Hicks (tyhicks) | | |
| 2014-02-07 14:39:48 | Andy Whitcroft | linux (Ubuntu Precise): status | Confirmed | New | |
| 2014-02-07 16:29:32 | Andy Whitcroft | linux (Ubuntu Precise): status | New | Won't Fix | |
| 2014-02-07 16:29:35 | Andy Whitcroft | linux (Ubuntu Quantal): status | New | Won't Fix | |
| 2014-02-07 16:29:38 | Andy Whitcroft | linux (Ubuntu Raring): status | New | Won't Fix | |
| 2014-02-07 16:29:51 | Andy Whitcroft | linux (Ubuntu Saucy): status | New | In Progress | |
| 2014-02-07 16:29:54 | Andy Whitcroft | linux (Ubuntu Saucy): importance | Undecided | Medium | |
| 2014-02-07 16:29:57 | Andy Whitcroft | linux (Ubuntu Saucy): assignee | | Andy Whitcroft (apw) | |
| 2014-02-07 16:30:07 | Andy Whitcroft | bug task added | | linux-lts-saucy (Ubuntu) | |
| 2014-02-07 16:32:21 | Andy Whitcroft | linux-lts-saucy (Ubuntu Quantal): status | New | Invalid | |
| 2014-02-07 16:32:25 | Andy Whitcroft | linux-lts-saucy (Ubuntu Trusty): status | New | Invalid | |
| 2014-02-07 16:34:14 | Andy Whitcroft | linux-lts-saucy (Ubuntu Raring): status | New | Invalid | |
| 2014-02-07 16:34:19 | Andy Whitcroft | linux-lts-saucy (Ubuntu Saucy): status | New | Invalid | |
| 2014-02-07 16:34:23 | Andy Whitcroft | linux (Ubuntu Raring): status | Won't Fix | Invalid | |
| 2014-02-07 16:34:38 | Andy Whitcroft | linux-lts-saucy (Ubuntu Precise): status | New | In Progress | |
| 2014-02-07 16:34:38 | Andy Whitcroft | linux-lts-saucy (Ubuntu Precise): assignee | | Andy Whitcroft (apw) | |
| 2014-02-07 16:35:31 | Andy Whitcroft | linux-lts-saucy (Ubuntu Precise): assignee | Andy Whitcroft (apw) | | |
| 2014-02-10 09:59:19 | Andy Whitcroft | linux (Ubuntu Saucy): status | In Progress | Fix Committed | |
| 2014-02-10 09:59:38 | Andy Whitcroft | linux-lts-saucy (Ubuntu Precise): status | In Progress | Fix Committed | |
| 2014-02-13 00:00:01 | Launchpad Janitor | linux (Ubuntu Trusty): status | Fix Committed | Fix Released | |
| 2014-02-13 00:00:01 | Launchpad Janitor | cve linked | | 2014-1874 | |
| 2014-02-24 15:27:42 | Brad Figg | tags | rls-t-incoming trusty | rls-t-incoming trusty verification-needed-saucy | |
| 2014-02-24 17:37:44 | Philipp Kern | tags | rls-t-incoming trusty verification-needed-saucy | rls-t-incoming trusty verification-done-saucy | |
| 2014-03-06 16:05:20 | Launchpad Janitor | linux-lts-saucy (Ubuntu Precise): status | Fix Committed | Fix Released | |
| 2014-03-06 16:17:41 | Launchpad Janitor | linux (Ubuntu Saucy): status | Fix Committed | Fix Released | |