Vulneratbility - Slackware can be compromised - all versions affected
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Vulneratbility - Slackware can be compromised - all versions affected
A few weeks ago I found ways to infiltrate/compromise a Slackware system. I was not actively looking for weaknesses but stumbled upon it, by chance. I know you are all eagerly awaiting 15 to release but this issue should be addressed ASAP.
I am not going to disclose any details, yet, in order to minimize chances of exploitation of the vulnerability. I am, however, willing to work with anyone closely involved in the development of Slackware (except AlienBob) and provide instructions on how to confirm the vulnerability.
I am also willing to cooperate with any maintainer of a derivative of Slackware and check if those systems are affected, too.
I have patches ready for Slackware 14.2. With minor adjustments they should also work for other versions.
Is this a Slackware vulnerability or a vulnerability upstream that exists on Slackware?
But if you want to talk directly to Pat, his email is available on the installation media (as well as the email sent to root upon install -- login as root and run mail, open up the "Welcome to Linux (Slackware 14.2)!" email, then scroll to the bottom for Pat's email).
This'll only cause panic, and for what? Which package's affected?
Agreed. I don't see the point of the first post.
If there is a real vulnerability in all versions of Slackware then the OP should privately disclose the vulnerability to our maintainer, Mr. Volkerding. Mr. Volkerding is best qualified to determine if the threat requires action on his part.
P.S. The criticism leveled at Eric H. is completely unnecessary and unprofessional. Eric is one of our trusted, senior developers.
Last edited by hitest; 05-01-2021 at 12:02 PM.
Reason: Addition, added later
Is this a Slackware vulnerability or a vulnerability upstream that exists on Slackware?
That's not relevant until the component is specified, it makes huge difference if it's the roof or the base that is compromised.
In construction, these sort of reports go through the contractors' office and straight to chief architect's desk.
One does not put a sign on the street saying the building has cracked and the whole block's affected, prior to that.
I am, however, willing to work with anyone closely involved in the development of Slackware (except AlienBob) and provide instructions on how to confirm the vulnerability.
LMAO... OP is acting like an Immature Crybaby! Just file a bug report and let the Adults figure out your "so called" Vulnerability..
Well, if we think sober, the Slackware (even the -current) uses suid root for the Xorg program - meaning that we run always as root a program which is historically known as full of security issues like a Swiss cheese is of holes.
Also, the suid root binary of Xorg was historically a fancy way to "get root" - then for local privilege escalation exploits.
So, honestly, I do not exclude that could be on the wild an unpatched X11 (or Xorg) flaw which can affect all versions of Slackware since 1.0 and ending with -current. Heck, happened that they fixed a security issue on Xorg after 17 years, if I remember right.
BUT, at least in the Slackware-current and the future 15.0 we can cover definitively (on a preventive way) this pit hole by building the Xorg without suid root but with logind support, like the systemd based distributions do - but we will need an elogind patch for.
The fact that systemd based distributions (which are almost any other major distro) may be largely not affected (because they do not use that suid root for the Xorg program) may be an explanation why people do not bother so much about it, but it can affect badly us.
Last edited by LuckyCyborg; 05-01-2021 at 03:24 PM.
I am not going to disclose any details, yet, in order to minimize chances of exploitation of the vulnerability. I am, however, willing to work with anyone closely involved in the development of Slackware (except AlienBob) and provide instructions on how to confirm the vulnerability.
I am also willing to cooperate with any maintainer of a derivative of Slackware and check if those systems are affected, too.
I don't even know you, so I guess I offended one of your friends? Anyway, I don't feel offended if you don't work with me; the remark is a tad childish don't you think?
Anyway, if you want to report a critical vulnerability, the thing not to do is announce it in a post like you just made.
You have not reached out to any Slackware team member including Patrick Volkerding. It's not like Pat's email address is completely unknown.
Good job Alien Bob!!! Me and you exchanged some harsh words in the past and had some misunderstandings but we've passed that. Not the type to hold grudges and you don't seem to either. I respect and appreciate your contributions. Hope whatever it is gets fix immediately.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.