Re: Hurd Security vulnerabilities, please upgrade!

[Sergey Bugaev]

On Tue, Aug 10, 2021 at 5:04 AM Samuel Thibault <sthibault@debian.org> wrote:
> In the past months, Sergey Bugaev has been working on fixing some
> Hurd security vulnerabilities.

Well I certainly wasn't doing it alone :)

Samuel and me have been working together over the past few months to
design and implement fixes for the several severe vulnerabilities in
the Hurd. (How many of those vulnerabilities we have fixed is hard to
quantify, but it's more than just the three I reported initially.)

I worked on:
- Actually finding the vulnerabilities and developing exploits for them
- Coming up with potential ways we could work towards fixing them
- Actually writing most of the code
- Testing it in a subhurd

Samuel helped with reviewing my changes and making design decisions;
towards the end he got some time and joined in with testing,
debugging, and writing code.

None of the vulnerabilities were as simple as an off-by-one error or a
missing check; they all had to do with certain mechanisms being
structured in a way that makes them subtly insecure, which is why
fixing them required a lot of design work. We ended up switching our
approach several times; I believe our final version is much better
than what we were trying to do initially. In the end, we managed to
make the changes way less invasive than it seemed they had to be, and
they complicate things much less than it initially appeared was
necessary. Still, the changes touch most of the components of the
Hurd.

We were aiming to make it in time for the upcoming Debian release, to
make sure it already contains the fixed versions. There were some
troubles and a change of approach and new bugs discovered (and fixed)
in the last few days, but apparently we did make it in time!

I urge everybody to upgrade (and reboot!) their systems as soon as
possible. I have already updated mine, and can confirm that all my
exploits fail now.

Sergey