
Re: Question on CVE-2017-5754 on Debian 8.9





On 24 January 2018 at 22:32, Michael Lange <klappnase@freenet.de> wrote:
Hi,

On Wed, 24 Jan 2018 20:07:07 +0000
Michael Fothergill <michael.fothergill@gmail.com> wrote:

(...)
> > I tried installing the headers file and it says I have dependency
> > problems:
> >
> >
> > root@mikef-PC:/home/mikef/Downloads# dpkg -i
> > linux-headers-4.15.0-rc8-all- amd64_4.15~rc8-1~exp1_amd64.deb
> > Selecting previously unselected package linux-headers-4.15.0-rc8-all-
> > amd64.
> > (Reading database ... 222960 files and directories currently
> > installed.) Preparing to unpack linux-headers-4.15.0-rc8-all-
> > amd64_4.15~rc8-1~exp1_amd64.deb ...
> > Unpacking linux-headers-4.15.0-rc8-all-amd64 (4.15~rc8-1~exp1) ...
> > dpkg: dependency problems prevent configuration of
> > linux-headers-4.15.0-rc8-all-amd64:
> >  linux-headers-4.15.0-rc8-all-amd64 depends on
> > linux-headers-4.15.0-rc8-amd64 (= 4.15~rc8-1~exp1); however:
> >   Package linux-headers-4.15.0-rc8-amd64 is not installed.
> >
> > It almost sounds like some kind of rehab is required here.

no, I don't think so ;)
You just need to do what the error message from dpkg tells you and
download the linux-headers-4.15.0-rc8-amd64 package from
https://packages.debian.org/experimental/linux-headers-4.15.0-rc8-amd64
and install it along with
linux-headers-4.15.0-rc8-all-amd64_4.15~rc8-1~exp1_amd64.deb

Maybe you stumbled over the similarity between those two packages' names?


OK, I installed buster and the other dependencies and gcc 7.2.

When I upgraded then kernel 4.15.0 was installed.

I ran the patch checker:

root@mikef-PC:/home/mikef/spectre-meltdown-checker# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-rc8-amd64 #1 SMP Debian 4.15~rc8-1~exp1 (2018-01-15) x86_64
CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  NO

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  VULNERABLE  (Vulnerable: Minimal AMD ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
* Running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
root@mikef-PC:/home/mikef/spectre-meltdown-checker#


I have the same problem as in Gentoo.

In order to install gcc 7.3 rc2 I think I would need to be sid.


I don't think I want to be sid at present.

Cheers

MF




 

Regards

Michael


.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

War isn't a good life, but it's life.
                -- Kirk, "A Private Little War", stardate 4211.8
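
Added example (not part of the original messages, and not code from spectre-meltdown-checker): a short shell script that classifies the kernel's own per-issue status strings, the kind of information behind the "Mitigated according to the /sys interface" lines in the output above. The path /sys/devices/system/cpu/vulnerabilities and all function names are assumptions not stated in the thread; the sample files are constructed to mirror the three results quoted in the message.

```shell
#!/bin/sh
# Added example: classify the kernel's per-issue status strings, exposed as
# one file per issue under /sys/devices/system/cpu/vulnerabilities/
# (path is an assumption, it is not named in the thread).

# Map one status line to a verdict. The kernel uses three prefixes:
# "Not affected", "Mitigation: <how>" and "Vulnerable[: <detail>]".
classify_status() {
    case "$1" in
        "Not affected"*) echo "NOT_AFFECTED" ;;
        "Mitigation:"*)  echo "MITIGATED" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "UNKNOWN" ;;
    esac
}

# Print "<name> <verdict> <raw status>" for every readable file in the directory.
report_dir() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -r "$f" ] || continue          # also skips an unmatched glob
        status=$(head -n 1 "$f")
        printf '%s %s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# Count the entries the kernel still reports as vulnerable.
count_vulnerable() {
    report_dir "$1" | awk '$2 == "VULNERABLE" { n++ } END { print n + 0 }'
}

# Constructed sample data mirroring the results quoted in the message:
# Variant 1 vulnerable, Variant 2 "minimal" retpoline, Meltdown not affected.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Vulnerable" > "$d/spectre_v1"
    echo "Vulnerable: Minimal AMD ASM retpoline" > "$d/spectre_v2"
    echo "Not affected" > "$d/meltdown"
    echo "$d"
}

sample=$(make_sample_dir)
report_dir "$sample"
echo "still vulnerable: $(count_vulnerable "$sample")"
rm -rf "$sample"
```

Calling `report_dir` with no argument reads the live sysfs directory on a kernel that provides it. A "Minimal ... retpoline" status is counted as vulnerable because the kernel's own string begins with "Vulnerable".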


