[PLUG] Meltdown, Spectre and Debian

shirish शिरीष shirishag75 at gmail.com
Fri Jan 5 23:02:56 IST 2018


Dear all,

While I don't want to be the paranoid one here, the situation here
seems to demand it.

3 days back The Register broke the story of a chip vulnerability -

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

While it sought to paint only Intel, it is now learnt that the issue
is across the board, i.e. Intel, AMD, ARM all have the same
vulnerability.

It defeats or compromises KASLR, which itself is just a 4-year-old technology.

AFAIK it would need two solutions. One is the appropriate microcode
for your chip architecture; I know Intel and AMD have the respective
intel-microcode and amd64-microcode:

% aptitude search microcode
p   amd64-microcode  - Processor microcode firmware for AMD CPUs
i   intel-microcode  - Processor microcode firmware for Intel CPUs
p   microcode.ctl    - Intel IA32/IA64 CPU Microcode Utility (transitional package)

% apt-cache policy intel-microcode
intel-microcode:
  Installed: 3.20171215.1
  Candidate: 3.20171215.1
  Version table:
 *** 3.20171215.1 100
          1 http://httpredir.debian.org/debian unstable/non-free amd64 Packages
        100 /var/lib/dpkg/status
     3.20171117.1 900
        900 http://httpredir.debian.org/debian buster/non-free amd64 Packages


According to Henrique it would take another week to have the whole
thing on the microcode side of things -

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367

On top of that you would need a newer kernel which mitigates some more
of the effects.

TechCrunch did a detailed blog post on the subject along with some idea
of the timeline

https://techcrunch.com/2018/01/03/kernel-panic-what-are-meltdown-and-spectre-the-bugs-affecting-nearly-every-computer-and-device/

The only good thing is that it doesn't increase any remote attack
vector compared to before, but it does mean that people should be more
circumspect about any software they download at least till the next
couple of weeks when kernel updates and cpu-microcodes should take
some of the steam off.

The bad news is that it will take some of the performance off the table
but that is to be expected.

An interesting side-story which has developed also talks about the
current Intel CEO's doings

https://techcrunch.com/2018/01/04/after-meltdown-and-spectre-revelation-questions-arise-about-timing-of-intel-ceos-stock-sales/

Hope everybody does the right thing, get the latest microcodes and
update your kernel as fast as you can.

-- 
          Regards,
          Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8
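
The mail names two fixes, microcode and a newer kernel. On kernels that carry the mitigations, the status of each issue can be read from /sys/devices/system/cpu/vulnerabilities, and the microcode revision the CPU is running from /proc/cpuinfo. The script below is an added example, not part of the original mail; its function names are illustrative.

```sh
#!/bin/sh
# Added example, not part of the original mail. Function names are illustrative.

# classify_status TEXT -> not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_vulns [DIR] -> one line per issue; returns 0 if all are mitigated or
# not affected, 1 if any is vulnerable/unknown, 2 if the kernel has no report.
check_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no report: this kernel does not expose $dir"
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(cat "$dir/$name")
        else
            text="(no entry)"
        fi
        status=$(classify_status "$text")
        echo "$name: $status [$text]"
        case "$status" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return "$rc"
}

# microcode_revision [CPUINFO] -> revision the running CPU reports. Installing
# the microcode package does not change this until the update is loaded.
microcode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}
```

On a live host, call `check_vulns` and `microcode_revision` with no arguments, before and after upgrading and rebooting, and compare the output.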

