Your message dated Mon, 10 Sep 2012 23:18:02 +0000
with message-id <[email protected]>
and subject line Bug#282583: fixed in microcode.ctl 1.18~0+nmu1
has caused the Debian Bug report #282583,
regarding microcode.ctl: patches the CPU with microcode downloaded over plain
HTTP
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
282583: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=282583
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: microcode.ctl
Version: 1.11-1
Severity: critical
Justification: root security hole
Tags: security patch
Hi.
The postinst script wgets a microcode from
http://people.debian.org/~cate/files/microcode/microcode.dat
and loads it into the CPU, without any checking for authenticity, or
integrity. And without ever asking the user! Thenafter, the microcode
is loaded by /etc/rcS.d/S80microcode.ctl start . On every reboot (warm
too?), the microcode is lost.
The attack vectors are obvious. Although I am not particularly verbose
in malicious microcode writing, I am sure there are people enjoying this
kind of sadomasochism.
Two alternative patches are included:
(1) The first one attempts to quickly fix the problem by disabling the
postinst downloading the microcode and telling the user to download by
hand.
(2) The second patch suggests employing SHA-1 signatures on the
microcode image. Please verify the signature value before applying this
patch. The hash would be hardcoded in the postinst script. This is a
kludge, of course. A public-key cryptography should be employed,
possibly with Intel signing their microcode updates? But kludgey as it
is, it solves the problems-at-hand.
Please release a new version with either (1) or (2) applied ASAP.
The postinst should be rewritten not to have the latest version
hardcoded before Sarge freezes.
Cheers,
Jan
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2
Versions of packages microcode.ctl depends on:
ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an
ii makedev 2.3.1-75 Creates device files in /dev
ii modutils 2.4.26-1.1 Linux module utilities
ii openssl 0.9.7d-5 Secure Socket Layer (SSL) binary a
-- no debconf information
diff -urN microcode.ctl-1.11-ORIG/debian/postinst
microcode.ctl-1.11/debian/postinst
--- microcode.ctl-1.11-ORIG/debian/postinst 2004-11-23 06:28:38.000000000
+0100
+++ microcode.ctl-1.11/debian/postinst 2004-11-23 06:43:37.000000000 +0100
@@ -50,43 +50,8 @@
NEW_VERSION="yes"
fi
if [ "$NEW_VERSION" = "yes" ]; then
- echo "Trying to download an new version of microcode."
-# if [ -x /bin/ping ]; then
-# if ! ping -q -c 1 -i 1 $MC_HOST > /dev/null 2>&1; then
-# echo "Network not accessible."
-# echo "Install microcode manually. (See
/usr/shar/doc/microcode.ctl/README.Debian)"
-# fi
-# fi
- if [ -x /usr/bin/wget ]; then
- echo "Now attempting to download microcode."
- if [ -x /usr/bin/bunzip2 ]; then
- if wget -t 2 -T 20 -q -P /usr/share/misc
"$MICROCODE_URL".bz2 ; then
- bunzip2 -f /usr/share/misc/microcode.dat.bz2
- echo "microcode downloaded sucessfully"
- else
- echo "microcode not on web server."
- echo "Install microcode manually. (See
/usr/share/doc/microcode.ctl/README.Debian)"
- fi
- elif [ -x /bin/gunzip ]; then
- if wget -t 2 -T 20 -q -P /usr/share/misc
"$MICROCODE_URL".gz ; then
- gunzip -f /usr/share/misc/microcode.dat.gz
- echo "microcode downloaded sucessfully"
- else
- echo "microcode not on web server."
- echo "Install microcode manually. (See
/usr/share/doc/microcode.ctl/README.Debian)"
- fi
- elif wget -t 2 -T 20 -q -P /usr/share/misc "$MICROCODE_URL" ;
then
- echo "microcode downloaded sucessfully"
- else
- echo "microcode not on web server."
- echo "Install microcode manually. (See
/usr/share/doc/microcode.ctl/README.Debian)"
- fi
- else
- echo "wget not found.";
echo "Install microcode manually. (See
/usr/share/doc/microcode.ctl/README.Debian)"
- fi
fi
-
;;
abort-upgrade|abort-remove|abort-deconfigure)
diff -urN microcode.ctl-1.11-ORIG/debian/control
microcode.ctl-1.11/debian/control
--- microcode.ctl-1.11-ORIG/debian/control 2004-11-23 06:28:38.000000000
+0100
+++ microcode.ctl-1.11/debian/control 2004-11-23 07:45:07.000000000 +0100
@@ -8,6 +8,7 @@
Package: microcode.ctl
Architecture: i386
Depends: modutils | module-init-tools, makedev (>> 2.3.1-52),
${shlibs:Depends}
+Pre-Depends: openssl
Suggests: wget, bzip2
Replaces: microcode-ctl
Description: Intel IA32 CPU Microcode Utility
diff -urN microcode.ctl-1.11-ORIG/debian/postinst
microcode.ctl-1.11/debian/postinst
--- microcode.ctl-1.11-ORIG/debian/postinst 2004-11-23 06:28:38.000000000
+0100
+++ microcode.ctl-1.11/debian/postinst 2004-11-23 07:39:20.000000000 +0100
@@ -3,13 +3,17 @@
#
# see: dh_installdeb(1)
+set -e
+
# Last know microcode
MC_ID="Tue Oct 12 18:34:19 PDT 2004"
+MC_SHA1="32ea36ec0f293463477a76456f2576299fcd6f5f"
+MC_LOCAL_PATH="/usr/share/misc/microcode.dat"
# Where to find the microcode
MICROCODE_URL="http://people.debian.org/~cate/files/microcode/microcode.dat";
-set -e
+MC_TEMP_DIR="`mktemp -d`"
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
@@ -20,6 +24,27 @@
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
#
+
+# This is a kludge: The script should be rewritten so that the .bz2, .gz, and
+# no compression are coded just once, not separately for each. Then this can
+# be in-lined, as it should be.
+check_signature(){
+ extension="$1"
+
+ if [ "$(openssl sha1 < "$MC_TEMP_DIR"/microcode.dat)" = "$MC_SHA1" ];
then
+ mv "$MC_TEMP_DIR"/microcode.dat "$MC_LOCAL_PATH"
+ else
+ {
+ echo "Invalid signature. We downloaded the microcode.dat from"
+ echo " $MICROCODE_URL$extension"
+ echo "but the internally stored signature didn't match the echo
downloaded data."
+ echo "This could mean someone is attempting to crack into your
system, trying to make"
+ echo "you run a malicious microcode version."
+ } >&2
+ return 1 # And the set -e above will take care of exit-ing
+ fi
+}
+
case "$1" in
configure)
#
@@ -60,22 +85,25 @@
if [ -x /usr/bin/wget ]; then
echo "Now attempting to download microcode."
if [ -x /usr/bin/bunzip2 ]; then
- if wget -t 2 -T 20 -q -P /usr/share/misc
"$MICROCODE_URL".bz2 ; then
- bunzip2 -f /usr/share/misc/microcode.dat.bz2
+ if wget -t 2 -T 20 -q -P "$MC_TEMP_DIR"
"$MICROCODE_URL".bz2 ; then
+ bunzip2 -f "$MC_TEMP_DIR"/microcode.dat.bz2
+ check_signature .bz2
echo "microcode downloaded sucessfully"
else
echo "microcode not on web server."
echo "Install microcode manually. (See
/usr/share/doc/microcode.ctl/README.Debian)"
fi
elif [ -x /bin/gunzip ]; then
- if wget -t 2 -T 20 -q -P /usr/share/misc
"$MICROCODE_URL".gz ; then
- gunzip -f /usr/share/misc/microcode.dat.gz
+ if wget -t 2 -T 20 -q -P "$MC_TEMP_DIR" "$MICROCODE_URL".gz
; then
+ gunzip -f "$MC_TEMP_DIR"/microcode.dat.gz
+ check_signature .gz
echo "microcode downloaded sucessfully"
else
echo "microcode not on web server."
echo "Install microcode manually. (See
/usr/share/doc/microcode.ctl/README.Debian)"
fi
- elif wget -t 2 -T 20 -q -P /usr/share/misc "$MICROCODE_URL" ;
then
+ elif wget -t 2 -T 20 -q -P "$MC_TEMP_DIR" "$MICROCODE_URL" ;
then
+ check_signature
echo "microcode downloaded sucessfully"
else
echo "microcode not on web server."
pgpsxUSY5msj0.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: microcode.ctl
Source-Version: 1.18~0+nmu1
We believe that the bug you reported is fixed in the latest version of
microcode.ctl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh <[email protected]> (supplier of updated
microcode.ctl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 02 Sep 2012 16:14:26 -0300
Source: microcode.ctl
Binary: microcode.ctl
Architecture: source amd64
Version: 1.18~0+nmu1
Distribution: unstable
Urgency: low
Maintainer: Giacomo Catenazzi <[email protected]>
Changed-By: Henrique de Moraes Holschuh <[email protected]>
Description:
microcode.ctl - Intel IA32/IA64 CPU Microcode Utility (transitional package)
Closes: 282583 500802 563910 571408 593845 597039 608675 627261 660121 663360
664492 674667 684104
Changes:
microcode.ctl (1.18~0+nmu1) unstable; urgency=low
.
* Non-maintainer upload.
* Replace microcode.ctl with a transitional package, to migrate
systems to the new intel-microcode package
+ Change to empty native package, debhelper compat level 7
+ debian/copyright: update
+ Move to contrib/oldlibs, priority extra
+ Remove replaces of a package not seen in the last decade
+ Change description to that of a transitional package
+ Depend on intel-microcode (>> 1) which superseded installing
microcode updates, and on iucode-tool, which superseded
the processing of microcode directly downloaded from Intel
+ Conflict with intel-microcode (<< 1) to be able to remove
/usr/share/misc/intel-microcode.dat which might have been
installed either by microcode.ctl's update-intel-microcode
script or by intel-microcode (<< 1).
+ Use dpkg-maintscript-helper to remove the initscript
+ Remove /usr/share/misc/intel-microcode.dat if still present when
configuring, and regenerates the initramfs in that case. This
avoids left-over cruft microcode in the initramfs for the case
where update-intel-microcode was used, and we're being configured
together with intel-microcode (>> 1)
* This upload effectively removes microcode.ctl from Debian. Close all
open bugs against microcode.ctl:
+ closes: #282583, #500802, #563910, #571408, #593845, #597039, #608675
+ closes: #627261, #660121, #663360, #664492, #674667, #684104
Checksums-Sha1:
fc6ab0dfe0d3b0953a35f27b6abf3a25e6c2baa8 1117 microcode.ctl_1.18~0+nmu1.dsc
e16899469464a1e4578c63f7d26883c04dfe9789 7758 microcode.ctl_1.18~0+nmu1.tar.gz
19dee116f1c638bede7834a238997ffda509f1f1 8500
microcode.ctl_1.18~0+nmu1_amd64.deb
Checksums-Sha256:
10e643ed6a924c9ded6afd23a7ac03826a8a195e7e1e94da37b4eec6a6eca8b2 1117
microcode.ctl_1.18~0+nmu1.dsc
110aeffbd5cd5456fab7a6202e2963306d713e38d3642a601a555c414ce7ea7d 7758
microcode.ctl_1.18~0+nmu1.tar.gz
fa872c164c5606f06a52b604fcc20579d4b7eaf46bdbca0b48517a1541056ccf 8500
microcode.ctl_1.18~0+nmu1_amd64.deb
Files:
c7725d9d6a1790f9214634e5453b8685 1117 contrib/oldlibs extra
microcode.ctl_1.18~0+nmu1.dsc
15e69ee8589485926fd29c24c2fed045 7758 contrib/oldlibs extra
microcode.ctl_1.18~0+nmu1.tar.gz
dfb96e1b2ad3c1d0f370da9a1ef9b70c 8500 contrib/oldlibs extra
microcode.ctl_1.18~0+nmu1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBCgAGBQJQRqa9AAoJEBZRjutISTEtBHUIAM2M5kYE4WA21/6iP8SOld8N
pxat4qsXaOf9nF9UWlmg/0/mS1ge1Gxr8s2bnvcn0oJlHrnnhYR0VcjE8mGStQqm
3V5KGM6uuT/pqo4c04gdOA6pzzDRVKLzSQVUCoZ3AujFbr3hlMCp/SQVppy59fhU
YgbjcKXE+IS4Vzy2EXUogj3HfZ8J+zTC6XSaDGpedlDz1PKi74TZpR617PlHbgfD
4M21Oe2jKPuNV9aV9ci3RSEfaOmDpPnKaPfdg90/wGuJr2xbN/P8PiZKMQMPivcP
b2qO9TJPZjul24QKEFW9X3ijiwavRAyuchxhRpmZCHgh38IbHL0dhxCWAYSC9Tk=
=YE8X
-----END PGP SIGNATURE-----
--- End Message ---
