2022-01-01 16:45:52 ikke: we use it at work, it's one of the better choices if you need a good API and integration with e.g. gitlab
2022-01-01 16:49:09 Yes, we use it as well
2022-01-01 18:56:04 !29060 !29061
2022-01-01 18:56:23 how do I know what needs to be rebuilt?
2022-01-01 18:56:57 play it safe and rebuild everything with makedepends go?
2022-01-01 18:56:57 Not easily
2022-01-01 18:56:59 Yes
2022-01-01 21:08:24 ikke: i don't have any experience with vault, but i've been told it is alright
2022-01-01 21:19:13 ok
2022-01-01 21:19:30 My idea was to have a dedicated vps using the file storage backend
2022-01-01 21:53:39 that should be fine as long as it's somewhat isolated network wise and has as little attack surface as possible
2022-01-01 21:53:40 the docs are good
2022-01-02 09:15:07 https://gitlab.alpinelinux.org/alpine/aports/-/issues/13368
2022-01-02 09:15:21 Should we file a CVE for this? (service running as root instead of user)
2022-01-02 10:25:19 no, it's in testing only
2022-01-02 10:26:08 no, it's in community
2022-01-02 10:26:19 The one in testing is a custom verison
2022-01-02 10:26:21 version*
2022-01-02 21:05:58 hi, sorry to be off-topic. I am urgently trying to get hold of Ariadne (3+ hours of downtime) and do not have a phone number or anything. Can anyone ping her somehow? I tried IRC and email a few hours ago.
2022-01-03 01:10:34 ikke: in that case, yes, let's file for a CVE
2022-01-03 11:40:20 Ok, submitted one
2022-01-03 14:38:01 I don't think I can give !29060 and !29061 much more time right now
2022-01-03 14:38:18 I got there just trying to upgrade vault in !29059
2022-01-04 17:58:26 FYI: https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.17-Devtmpfs-Change
2022-01-04 17:58:53 Looking at /etc/init.d/devfs I see it mounts devtmpfs with nosuid but not with noexec
2022-01-04 19:29:08 where do I find "Bug #92921" then?
2022-01-04 19:30:41 ah https://bugs.gentoo.org/92921
2022-01-04 19:31:33 you just beat me to it :-)
2022-01-04 19:32:17 2005-era issue
2022-01-04 19:34:13 yeah.. so make it noexec and see who notices? =)
2022-01-04 19:34:24 I'll add an fstab entry and see if I run into anything
2022-01-04 19:50:19 no issues so far, but this is an X-free system (with sway/wayland)
2022-01-06 05:35:15 CVE-2022-22704 has been assigned for the zabbix-agent2 package
2022-01-07 06:00:01 Ariadne: how come 3.14 and edge are marked as 'fixed', but not 3.15? (there are no secfixes in the APKBUILD) https://security.alpinelinux.org/vuln/CVE-2018-1000874
2022-01-07 12:02:03 not sure.
2022-01-08 08:27:48 https://github.com/tern-tools/tern
2022-01-08 08:28:24 SBoM collection tools for containers
2022-01-15 15:27:22 https://security.alpinelinux.org/vuln/CVE-2022-22704 euhm, CPE is for alpinelinux in general, lol
2022-01-15 16:26:49 well
2022-01-15 16:26:56 not much i can do about that :P
2022-01-15 16:27:12 Can we ask for a correction?
2022-01-15 16:31:06 yes
2022-01-15 16:31:38 https://nvd.nist.gov/info/contact-form
2022-01-15 16:31:51 CPE should probably be alpinelinux:zabbix2
2022-01-15 16:33:18 zabbix-agent2
2022-01-15 16:38:09 do you want me to do it
2022-01-15 16:38:43 If you want. Don't mind doing it myself though
2022-01-15 16:45:54 done
2022-01-15 16:46:04 thanks
2022-01-15 17:53:14 great news: rustc on s390x got to stage1
2022-01-15 17:53:20 which means it will probably get to stage2
2022-01-15 17:53:38 0ncie
2022-01-15 17:53:40 nice*
2022-01-15 18:33:27 narrator: it did not get to stage2 but i think i found a solution
2022-01-15 18:35:37 Nice that the narrator comes with the solution
2022-01-18 11:19:36 https://gitlab.alpinelinux.org/alpine/aports/-/issues/13448
2022-01-18 11:20:28 Aqua CSP flags apk-tools as vulnerable to the zabbix-agent2 CVE
2022-01-18 11:54:27 :D :D :D :D :D :D :D
2022-01-18 18:56:43 LOLO
2022-01-18 18:56:45 https://nvd.nist.gov/vuln/detail/CVE-2022-22704
2022-01-18 18:56:52 Now zabbix is affected :D :D :D :D :D :D
2022-01-18 18:57:46 cpe:2.3:a:zabbix:zabbiz-agent2:*:*:*:*:*:*:*:*
2022-01-18 18:57:56 Including a typo
2022-01-18 19:00:56 amazing
2022-01-18 19:04:23 https://usercontent.irccloud-cdn.com/file/Sl1FMuvD/Screen%20Shot%202022-01-18%20at%201.04.18%20PM.png
2022-01-18 19:04:26 oh this seems reasonable
2022-01-18 19:04:50 cpe:2.3⭕
2022-01-18 19:04:58 cpe:2.3⭕alpinelinux
2022-01-18 19:05:00 is fine
2022-01-18 19:05:04 wtf irccloud
2022-01-18 19:14:03 Oh, running on alpine
2022-01-18 19:14:11 But the typo is still there
2022-01-18 19:15:07 And it does not include -r1 as fixed
2022-01-18 19:15:22 Seems like 5.4.9-r0 is fixed as well, doesn't it?
2022-01-18 19:16:07 yes, that would match 5.4.9-r0
2022-01-18 19:16:07 lol
2022-01-18 19:16:15 whatever :D
2022-01-18 20:19:19 now they deleted them all
2022-01-18 20:19:46 oh, no, just a loading erro
2022-01-18 20:19:48 error
2022-01-25 17:52:41 the latest upstream kernel releases take care of CVE-2022-0185, right?
2022-01-25 17:56:13 so 3.12-stable should be bumped to 5.4.173, 3.13-stable and 3.14-stable to 5.10.93 and 3.15-stable to 5.15.16 (as edge is at)
2022-01-25 17:58:47 omni: could you create an issue for it?
2022-01-25 17:59:00 sure
2022-01-25 18:04:44 #13475
2022-01-25 18:10:37 omni: thanks
2022-01-26 07:18:30 I'm wondering. Is anything using pkexec in alpine? Could we split it into a subpackage or completely remove it?
2022-01-26 11:28:05 :D
2022-01-26 11:28:16 ikke: i think lots of things use pkexec
2022-01-26 11:28:21 on desktop
2022-01-26 11:28:35 worst case we could try splitting it in edge
2022-01-26 11:28:38 and see what happens
2022-01-26 11:59:13 do we consider the polkit issue sever enough to backport it even further?
2022-01-26 11:59:17 severe*
2022-01-26 12:02:17 no
2022-01-26 12:02:28 if you have polkit on your system, you already elected to install a rootkit
2022-01-26 12:02:50 :)
2022-01-26 12:03:02 one scoped to the entirety of freedesktop dot org
2022-01-26 12:03:07 Apparently there is quite a lot that pulls it in though
2022-01-26 12:03:19 https://tpaste.us/bVBZ
2022-01-26 12:03:32 (either directly or indirectly)
2022-01-26 12:05:28 the canonical security team is useless as usual
2022-01-26 15:56:49 ikke: not sure that list is accurate, I've got fwupd installed but not lolkit-common
2022-01-26 15:59:47 I have polkit-libs though, required by fwupd
2022-01-26 17:43:55 yes
2022-01-26 17:44:00 let's rename polkit to lolkit
2022-01-26 17:44:04 i love it
2022-01-26 17:44:07 +1
2022-01-26 18:07:42 ncopa, ikke: pwnkit kernel mitigation (because there are assuredly other vulnerable SUID programs, and I want to fix this *once* and be done with it) dropping soon
2022-01-26 18:08:11 this is honestly the fastest i've ever iterated on something with LKML :)
2022-01-26 18:12:46 Heh, Toasty Eggshell
2022-01-26 18:16:02 we're looking into {NULL, NULL} injection atm
2022-01-26 18:18:58 i think claiming argc==1 with {"", NULL} is safer
2022-01-26 18:23:25 Would make sense to me
2022-01-26 18:23:47 then using argv[0] is safe
2022-01-26 18:24:04 using it blindly*
2022-01-26 18:33:12 well, it is safe if it is NULL too in most cases
2022-01-26 18:33:21 because printf translates NULL to (null)
2022-01-26 18:35:14 but something like strlen would fail I believe
2022-01-26 18:35:23 Not sure if it makes sense to do that
2022-01-26 18:36:38 or strcmp
2022-01-26 18:40:39 consensus seems to be heading in the direction of {"", NULL}
2022-01-26 20:26:40 Ariadne: it's unfortunately still UB and compilers can re-arrange printf() calls to puts() ones which will segfault :/ I really hate that
2022-01-26 20:27:08 ACTION has been hit by this "bug"
2022-01-26 20:53:09 doas bumped to 6.8.2, drew pinged me about it but i didn't get to it until now
2022-01-27 05:35:10 nice, kees cook acked your v3
2022-01-27 15:33:28 yeah, which means spender is probably going to mail a pipebomb to my house
2022-01-27 15:35:12 come to .eu ♥
2022-01-27 15:45:55 Ariadne: he'll write a tweet about how grsecurity has had a similar patch for the past 2 years
2022-01-27 16:12:51 I think i saw the hunk from grsecurity fixing this on twitter yesterday. I cannot find it now
2022-01-27 16:13:45 ncopa: it's because of TPE
2022-01-27 16:13:48 https://twitter.com/grsecurity/status/1486372249649426437
2022-01-27 16:13:56 i might revive my tpe-lkm project and upstream it as an LSM
2022-01-27 16:14:25 i stopped working on it because $twojobsago got a site license to use grsecurity on all of their customers' servers
2022-01-27 16:14:54 the grsecurity fix only solved it for suid binaries IIRC
2022-01-27 16:15:05 yes, it's part of TPE
2022-01-27 16:15:12 i'm very familiar with the feature
2022-01-27 16:15:21 i'm just also familiar with the fact that spender is unhinged
2022-01-27 16:15:30 :)
2022-01-27 16:15:32 and so i prefer to not interact with him
2022-01-27 16:15:37 fair enough
2022-01-27 16:15:54 big spender
2022-01-27 16:15:59 but i am thinking about resurrecting tpe-lkm
2022-01-27 16:16:09 except actually upstreaming it via KSPP
2022-01-27 16:17:13 i want grsecurity features back, just, without spender
2022-01-27 16:17:26 What is tpe-lkm?
2022-01-27 16:17:35 trusted path execution linux kernel module
2022-01-27 16:17:45 the way it worked was by hooking the kernel
2022-01-27 16:17:57 Ariadne: it's not mitigated in grsec via TPE
2022-01-27 16:18:00 to prohibit untrusted paths from executing :P
2022-01-27 16:18:09 jvoisin: yes/no, it uses a lot of the TPE code to do it
2022-01-27 16:18:47 it's its own option, but it uses the TPE infrastructure to do it
2022-01-27 16:18:50 TPE was really nice indeed.
2022-01-28 12:54:23 how to report that this is different software than we ship? https://security.alpinelinux.org/vuln/CVE-2015-2987
2022-01-28 12:54:37 'ed' is not the same 'ed' as we ship
2022-01-28 12:55:52 ncopa: I think that pushing to here https://gitlab.alpinelinux.org/ariadne/security-rejections
2022-01-28 12:58:00 hm, in fact it's already there
2022-01-28 12:58:03 ed:
2022-01-28 12:58:04 # Not related to GNU ed.
2022-01-28 12:58:06 - CVE-2015-2987
2022-01-28 15:12:59 hmm weird, i'll look into why that is reporting unfixed on the 3.15 branch
2022-01-29 20:07:06 Ariadne: opinion on https://gitlab.alpinelinux.org/alpine/infra/infra/-/issues/1846?
2022-01-29 20:07:42 i mean, we have basically done that (other than the emailing part)
2022-01-29 20:07:50 the emailing part is on my eventual to-do
2022-01-29 20:07:51 Can probably mention we have @team/security now, and that security issues can be reported as confidential issues
2022-01-29 20:07:54 ok
2022-01-29 20:07:55 yes
2022-01-29 20:08:39 It's trivial to create security@lists.alpinelinux.org, with public archive / subscribing disabled
2022-01-30 17:15:47 ah, spender has gone back to blocking me
2022-01-30 17:15:56 a christmas miracle
2022-01-30 17:16:00 in... January!
2022-01-30 17:16:32 it's ok
2022-01-30 17:21:15 he's just mad that i worked with kees on something
2022-01-30 17:22:11 well, if you want to upstream security-related things, kees is usually the right person to talk to
2022-01-30 17:22:31 Ariadne: I hope you didn't interpret my tweet as being aimed towards you :p
2022-01-30 17:22:40 (Also congratz on your new job)
2022-01-30 17:23:57 you mean my job educating docker people how to do this stuff correctly? :p
2022-01-30 17:24:23 for my next achievement, "apk3 solves world hunger"
2022-01-30 17:24:34 I don't think the container aspect of sigstore is the most exciting part, really :p
2022-01-30 17:24:46 oh, i'm not working on sigstore
2022-01-30 17:25:20 i'm working on "distroless done right"
2022-01-30 17:25:31 UuuUUUuu
2022-01-30 17:25:40 That sounds great, frankly
2022-01-30 17:25:55 powered by apk3
2022-01-30 17:26:32 Glad to see chainguard investing in things like that :)
2022-01-30 17:26:50 they want to provide the full ecosystem, use the parts you want
2022-01-30 17:29:31 Foxboron: though, i think sigstore is cool
2022-01-30 17:29:58 artifact signing that "just works" is useful
2022-01-30 17:32:48 Ariadne: And having a common transparency log for build artefacts so you don't need your own tlog setup :)
2022-01-30 17:33:00 (it's all partially based on my master thesis :p)
2022-01-30 17:33:19 (the tlog stuff that is)
2022-01-30 17:39:16 i see, well, i am not a cryptographer :P
2022-01-30 17:40:33 Neither am I, actually :D But that is a testament to how easy and useful Transparency Logs are :)
2022-01-31 20:12:25 Wondering why https://security.alpinelinux.org/vuln/CVE-2022-22816 does not list older releases
2022-01-31 20:12:39 It only shows the versions where we fixed things
2022-01-31 20:12:48 but not the releases that were vulnderable
2022-01-31 20:12:52 vulnerable
2022-01-31 20:14:33 https://tpaste.us/WEjZ