[Beowulf] Heads up - Stack-Clash local root vulnerability
mathog
mathog at caltech.edu
Wed Jun 21 13:54:01 PDT 2017
On Wed, 21 Jun 2017 08:55:36 -0700 Kilian Cavalotti wrote:
> As far as I understand this, the real fix will be to recompile all of
> your binaries using a properly working implementation of -fstack-check
> in gcc (which doesn't exist yet). So in terms of timeline, that means
> GCC needs to be fixed, system applications need to be recompiled,
> distributions need to repackage and distribute them, and then all the
> userland applications need to be recompiled. It's a multi-year
> process.

It better not take years!

We have some CentOS 6.9 machines. The OS supports gcc 4.4.7. (We have
devtoolset-4 installed to get gcc 5.3.1, because a lot of software will
not build with 4.4.7.) Presumably the gcc developers have pushed this
up to the top of their to-do list and Red Hat will be leaning on them
hard to make patches available for the older compilers in releases RH
still supports (back to RHEL 5?). Red Hat will then have to recompile a
lot of binaries and push those RPMs out, where it will eventually end up
in CentOS.

Let us all hope that nobody figures out how to exploit this issue
remotely before then.

Most end user code would not need to be recompiled, since it does not
run with privileges.

One problem I can easily imagine - a glitch in the automatic yum
installation when it suddenly sees 150 rpm updates. A couple of weeks
back we lost ftp servers because of an rpcbind update; it took hours to
figure that out. Much harder to diagnose and recover when the logs show
that the entire system was just updated. Rolling back that many RPMs is
not something I would want to try on a production system.

Regards,
David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech