Bug #12280

Protect against CVE-2017-6074 in Tails 2.11

Added by intrigeri 2017-03-03 08:21:10. Updated 2017-03-09 13:56:51.

Status: Resolved
Priority: High
Assignee:
Category:
Target version:
Start date: 2017-03-03
Due date:
% Done: 100%
Feature Branch: bugfix/12280-blacklist-dccp
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

It looks like upgrading to Linux 4.9 (Feature #12122) won’t be an option for 2.11, so we need another solution. anonym mentioned somewhere else that we could blacklist the corresponding module, or something similar.


Subtasks


Related issues

Related to Tails - Feature #6457: Blocklist rare network protocols Confirmed

History

#1 Updated by intrigeri 2017-03-03 08:21:35

  • related to Feature #6457: Blocklist rare network protocols added

#2 Updated by anonym 2017-03-03 11:00:36

intrigeri wrote:
> anonym mentioned somewhere else that we could blacklist the corresponding module, or something similar.

You are referring to my comment Feature #6457#note-19. Indeed, blacklisting the dccp module is enough. It is normally mentioned among a few other modules to blacklist in various Linux hardening guides, e.g. CIS in the “4.6 Uncommon Network Protocols” chapter suggests this:

install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true

So we might as well work on our CIS compliance and do all of that, as an initial step towards Feature #6457, and fixing this CVE in particular.

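The blacklisting approach proposed in comment #2, as an added example that is neither Tails' own code nor taken from the bugfix/12280-blacklist-dccp branch: a POSIX shell script that writes the modprobe.d drop-in with the four "install ... /bin/true" lines and audits an existing drop-in for them. The script name, the output path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from Tails or from this ticket's branch: generate
# the modprobe.d drop-in that comment #2 describes and audit an existing one.
# The output path, the script name and the function names are assumptions.
set -eu

# Modules listed under "Uncommon Network Protocols" in the CIS guide quoted
# in the ticket; dccp is the one that matters for CVE-2017-6074.
RARE_PROTO_MODULES="dccp sctp rds tipc"

# write_blacklist FILE: write one "install MOD /bin/true" line per module.
# modprobe then runs /bin/true instead of inserting the module, which covers
# both alias-driven autoloading (e.g. an unprivileged socket() call) and an
# explicit "modprobe dccp". A plain "blacklist MOD" line would only stop the
# alias-driven path.
write_blacklist() {
    out="$1"
    : > "$out"
    for mod in $RARE_PROTO_MODULES; do
        printf 'install %s /bin/true\n' "$mod" >> "$out"
    done
}

# audit_blacklist FILE: return 0 if FILE carries an install override
# (/bin/true or /bin/false) for every module, else list the gaps on stderr
# and return 1. Leading whitespace and trailing comments are tolerated.
audit_blacklist() {
    conf="$1"
    missing=""
    for mod in $RARE_PROTO_MODULES; do
        if ! grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$conf" 2>/dev/null; then
            missing="$missing $mod"
        fi
    done
    if [ -n "$missing" ]; then
        echo "no install override for:$missing" >&2
        return 1
    fi
    return 0
}

# module_loaded MOD: 0 if MOD is currently listed in /proc/modules. A drop-in
# only prevents future loads; a module that is already resident stays
# resident until it is removed or the system reboots.
module_loaded() {
    grep -q "^$1 " /proc/modules 2>/dev/null
}

# Usage: ./rare-protocols.sh /etc/modprobe.d/tails-rare-protocols.conf
# (path is an assumption). With no argument only the functions are defined.
if [ "$#" -gt 0 ]; then
    write_blacklist "$1"
    audit_blacklist "$1"
    for mod in $RARE_PROTO_MODULES; do
        if module_loaded "$mod"; then
            echo "note: $mod is already loaded; the drop-in does not unload it" >&2
        fi
    done
fi
```

Two caveats worth keeping in mind when relying on this. First, "install MOD /bin/true" is a defence against unprivileged autoloading (a user creating a DCCP socket), not against root: "modprobe --ignore-install" skips install lines, and root can insert the module by other means. Second, /bin/true makes the refused load look like a success; pointing the install line at /bin/false instead makes the refusal show up as an error, which is easier to spot in logs. On the target system, "modprobe -n -v dccp" (dry run, verbose) prints the install command that would be executed, which is the quickest check that the drop-in is actually in effect.
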
#3 Updated by anonym 2017-03-03 12:31:20

  • Status changed from Confirmed to In Progress

Applied in changeset commit:aba3923d149b8c1041fdebf0f369e6f87bfaf339.

#4 Updated by anonym 2017-03-04 11:23:56

  • Assignee changed from anonym to intrigeri
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA
  • Feature Branch set to bugfix/12280-blacklist-dccp

There have been two successful test runs on Jenkins. Please review’n’merge!

#5 Updated by anonym 2017-03-04 12:40:33

Also, I successfully tested all of mac_spoofing.feature locally, due to commit:442a293d896076a1a8242d8d4f3320dc016495bb.

#6 Updated by intrigeri 2017-03-05 10:06:59

  • Assignee changed from intrigeri to anonym
  • % Done changed from 50 to 60
  • QA Check changed from Ready for QA to Info Needed

I’ve verified that none of the newly blacklisted modules appear in any WhisperBack report since the beginning of 2014 (Feature #6457#note-22). Code review passes, and based on your test results I’m gonna merge this branch. Thanks!

[Snipped discussion moved to Bug #12266]

#7 Updated by intrigeri 2017-03-05 10:11:20

Ooops, sorry. Will move this discussion to Bug #12266 right now.

#8 Updated by intrigeri 2017-03-05 10:11:40

  • Status changed from In Progress to Fix committed
  • % Done changed from 60 to 100

Applied in changeset commit:b446df9ca5a97b2858ad0bf3f1dbcc15843e7d0d.

#9 Updated by intrigeri 2017-03-05 10:13:40

  • Assignee deleted (anonym)
  • QA Check deleted (Info Needed)

#10 Updated by anonym 2017-03-09 13:56:51

  • Status changed from Fix committed to Resolved