2023-01-17 18:25:26 <minimal> https://seclists.org/oss-sec/2023/q1/22
2023-01-17 18:25:35 <minimal> doesn't appear to be fixed in 6.1.6 kernel
2023-01-17 18:33:44 <psykose> zzz drama
2023-01-17 18:37:38 <minimal> virtual (lan) drama? ;-)
2023-01-17 18:37:43 <psykose> :)
2023-01-18 15:49:09 <jvoisin> https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf more sudo lol.
2023-01-18 15:50:14 <psykose> poggers
2023-01-18 15:51:25 <Foxboron> Ah, clever
2023-01-18 15:53:27 <psykose> patched
2023-01-18 15:53:29 <psykose> jvoisin: thanks
2023-01-18 15:53:57 <Foxboron> Nice, it works on Arch. Hillarious
2023-01-18 15:54:24 <psykose> release for it is already out, for once it's easy :-)
2023-01-18 15:54:25 <ikke> Hah
2023-01-18 15:54:46 <ikke> And since it's community we no longer have to back port it
2023-01-18 15:55:04 <ikke> 
ACTION waits for the security reports

2023-01-18 15:55:07 <psykose> to more than 3.17 sure
2023-01-18 15:55:13 <ikke> Yes 
2023-01-18 15:55:31 <psykose> ah nvm
2023-01-18 15:55:34 <psykose> 3.15/3.14 still count
2023-01-18 15:55:38 <ikke> Oh 
2023-01-18 15:55:38 <psykose> xD
2023-01-18 15:55:43 <psykose> sure more work for me
2023-01-18 15:55:45 <ikke> Drats
2023-01-18 15:55:52 <psykose> algitbot: ping
2023-01-18 15:57:41 <jvoisin> now that there is activity in this chan, where would be the best place to start a conversation on the current state of security-related compiler flags used in Alpine?
2023-01-18 16:01:07 <psykose> «tumbleweeds roll in»
2023-01-18 16:01:50 <psykose> probably writing out a proposal and filing a tsc issue
2023-01-18 16:02:47 <psykose> i remember you asking about CET? i'm not sure what needs to even work correctly
2023-01-18 16:21:42 <jvoisin> <3
2023-01-18 16:23:24 <ikke> So it required CPU support?
2023-01-18 16:23:32 <psykose> ssp/pie are already default so all i can really think of is -Werror=format-security
2023-01-18 16:32:19 <jvoisin> ikke: nope, CET opcodes are considered as NOP on onsupported CPU
2023-01-18 16:32:26 <ikke> ah ok
2023-01-18 16:32:42 <jvoisin> Ubuntu had CET support since years now
2023-01-18 16:32:54 <jvoisin> psykose: FORTIFY_SOURCE=3
2023-01-18 16:33:03 <psykose> that's not implemented in musl
2023-01-18 16:34:03 <psykose> fortify entirely is a libc/header implementation, so all alpine has is https://git.2f30.org/fortify-headers/ which is always equivalent to =2
2023-01-18 16:34:29 <psykose> =3 is the new runtime check stuff so it would need a libc implementation
2023-01-18 16:34:39 <psykose> not sure if dalias would be interested or not but you could ask
2023-01-18 16:34:51 <jvoisin> it would anyway be a great way to start the conversation
2023-01-18 16:35:01 <jvoisin> (couldn't =3 be implemented in a header as well?)
2023-01-18 16:35:20 <psykose> is there a formal definition of what it even means?
2023-01-18 16:35:32 <jvoisin> I don't think so, no
2023-01-18 16:36:11 <psykose> well, then all of them are the same
2023-01-18 16:36:21 <psykose> just so happens glibc added runtime checks for =3
2023-01-18 16:36:37 <psykose> so the request is "more fortify" :p
2023-01-18 16:36:53 <jvoisin> pretty much, yeah :D
2023-01-18 16:37:19 <psykose> and so to be equivalent in meaning, =3 would also imply runtime checks
2023-01-18 16:37:27 <psykose> on that front =2 is missing wrappers for some functions i guess
2023-01-18 16:37:40 <psykose> the fortify-headers upstream is not exactly existent presently :)
2023-01-18 16:37:58 <psykose> but all of that is a bit unrelated to alpine cflags
2023-01-18 16:38:24 <psykose> more related to "improve fortify upstream, implement more fortify in musl, .."
2023-01-18 16:38:32 <psykose> maybe a bit pedantic but the framing is different
2023-01-18 16:38:36 <jvoisin> it's also about "how do we keep track of compilers' flags in Alpine"
2023-01-18 16:39:04 <ikke> basically whatever is in abuild.conf
2023-01-18 16:39:07 <psykose> that is just https://github.com/alpinelinux/abuild/blob/master/abuild.conf , and gcc has --enable-default-pie / ssp
2023-01-18 16:39:30 <psykose> i do think this .conf needs a bit of expanding to be per carch i guess
2023-01-18 16:40:09 <jvoisin> no relro and immediate bindings?
2023-01-18 16:40:30 <psykose> and clang has the same defaults https://git.alpinelinux.org/aports/tree/main/clang15/30-Enable-stack-protector-by-default-for-Alpine-Linux.patch
2023-01-18 16:40:37 <jvoisin> nor stack-protector?
2023-01-18 16:41:00 <psykose> -z relro/now are also default iirc
2023-01-18 16:42:10 <psykose> --enable-relro on binutils makes it default
2023-01-18 16:42:37 <psykose> i am not sure if -z now is but i forget how to check
2023-01-18 16:42:46 <psykose> musl has some special semantics there too
2023-01-18 16:42:46 <jvoisin> ^ my point exactly :D
2023-01-18 16:45:30 <psykose> yeah -z now is also set but i'm not sure from where :p
2023-01-18 16:46:09 <psykose> binutils also has no default execstack or textrels since i toggled them
2023-01-18 16:46:40 <psykose> stack protector is just the ssp default unless you're referring to some other one
2023-01-18 16:46:56 <psykose> so everything is covered, albeit undocumented in one place
2023-01-18 16:47:23 <psykose> cfi aside
2023-01-18 16:49:02 <psykose> personally, i don't find the cet/cfi/etc things very interesting
2023-01-18 16:50:09 <psykose> i wish we approached security from other angles than endless new innovations that slow everything down another 10+% every year
2023-01-18 16:50:39 <psykose> soon an `echo 1` will spend 95% cpu time in security checks and 5% printing things to the console i bet
2023-01-18 16:50:45 <jvoisin> CFI solves arbitrary-code execution, it's pretty neat
2023-01-18 16:51:12 <jvoisin> especially with FineIBT and hardware support, it's fast-ish
2023-01-18 16:51:26 <psykose> and hardware support is always fun, because no hardware ever has it
2023-01-18 16:52:23 <jvoisin> https://en.wikipedia.org/wiki/Tiger_Lake
2023-01-18 16:52:27 <jvoisin> released in 2020
2023-01-18 16:52:42 <psykose> so that's what, 0.03% of x86_64 devices in the wild?
2023-01-18 16:52:58 <psykose> probably less actually
2023-01-18 16:53:41 <psykose> armv8.0 is 10 years old, and even v7 is still relevant. new innovations are quite meh
2023-01-18 16:54:14 <psykose> it's the same for x86_64, with millions of cpus still being skylake and older
2023-01-18 16:56:29 <jvoisin> do you have any data on this?
2023-01-18 16:57:13 <psykose> data to prove what, that everyone isn't on the newest silicon all the time?
2023-01-18 16:57:50 <jvoisin> "new" as in 3 years old :)
2023-01-18 16:58:02 <psykose> 3 years old is newer than new
2023-01-18 16:58:40 <psykose> i'm sure rich people buy a new macbook every 2 years but i think you're overestimating a bit with thinking 3 years old isn't "new" anymore
2023-01-18 16:58:53 <minimal> <looks around at my old N-series Celerons boxes, J-series Pentium boxes, AMD Phenon boxes, etc> :-)
2023-01-18 16:59:14 <jvoisin> yeah, I have old stuff as well
2023-01-18 16:59:23 <jvoisin> but Cloud Providers™ have fancy gear
2023-01-18 16:59:57 <minimal> they virtually do ;-)
2023-01-18 17:00:31 <psykose> just checked my vm cpu and it's skylake
2023-01-18 17:00:45 <psykose> :p
2023-01-18 17:00:58 <minimal> mine is a Sempron ;-)
2023-01-18 17:02:32 <psykose> in any case i'm not opposed to any flag being toggled
2023-01-18 17:02:48 <psykose> just don't remember if it even actually worked with musl
2023-01-18 17:03:03 <psykose> and that aside it will benefit a whole subpercent of people, hurray
2023-01-18 17:04:02 <psykose> but do write it up, do the research, etc, and make the suggestion :) no issues there
2023-01-20 20:06:06 <jvoisin> https://gitlab.alpinelinux.org/alpine/tsc/-/issues/64 here we go
2023-01-20 21:26:38 <sam_> jvoisin: what about GLIBCXX_ASSERTIONS?
2023-01-20 21:27:35 <psykose> that shit be slow as hell
2023-01-20 21:28:34 <sam_> pussy lol
2023-01-20 21:28:36 <sam_> interestingly fedora uses it for everything, which took me by surprise
2023-01-20 21:30:57 <jvoisin> we're using it at work for fuzzing, isn't not that slow
2023-01-20 21:31:24 <sam_> it is not as slow in reality as I thought it'd be, but I wouldn't use it for everything (in gentoo, it's only for hardened, for example)
2023-01-20 21:35:36 <psykose> > come up with new random security flag
2023-01-20 21:35:42 <psykose> > test only some new cpus
2023-01-20 21:35:50 <psykose> > "eh, like 5% perf diff, prolly ok
2023-01-20 21:35:53 <psykose> > release into wild
2023-01-20 21:36:06 <psykose> > random joe schmo with actual 8 year old cpu gets a 50% performance regression
2023-01-20 21:36:08 <psykose> could be you!
2023-01-20 21:36:36 <sam_> just buy more money lol
2023-01-20 21:37:06 <psykose> i'm reminded of the random person on the alpine mailing list with some core2duoesque cpu getting like a 1000% performance difference with mitigations=off on newer kernels
2023-01-20 21:37:29 <psykose> i don't think i even typo'd that
2023-01-21 01:51:20 <minimal> https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq
2023-01-21 02:20:31 <sam_> oh my
2023-01-21 05:16:05 <omni> 
ACTION walks in with their Core 2 Duo

2023-01-27 17:04:19 <ikke> "Data operand dependent timing on Intel and Arm CPUs" https://www.openwall.com/lists/oss-security/2023/01/25/3
2023-01-27 17:05:30 <ikke> impacts code that assumes constant-time properties of certain instructions
2023-01-27 18:36:31 <psykose> i.e. all the code
2023-01-27 18:36:51 <ikke> :)
2023-01-30 12:00:59 <omni> main/avahi: I saw that we're discouraged from using this number https://cve.circl.lu/cve/CVE-2021-36217
2023-01-30 12:04:21 <psykose> sure, renamed
2023-01-30 12:04:26 <psykose> but i don't think it makes any difference