
Flatpaks for Fedora 27


Posted Jul 28, 2017 20:27 UTC (Fri) by epa (subscriber, #39769)
In reply to: Flatpaks for Fedora 27 by lsl
Parent article: Flatpaks for Fedora 27

An interesting point for security fixes is that even if the system keeps running fine across the update, you probably need to reboot to be certain the vulnerable code is not still running somewhere. Let's say bash has a security hole, for example. A new package updates /bin/bash and everything stays up. Existing bash processes stay running. But that's the very problem the package update was intended to fix -- a vulnerable older version is still executing.

The unhappy conclusion (unless you want to contemplate some global software-tracking tentacular thingummy that can tell you exactly which current processes were started from which versions of which files) is that in many cases software updates require a reboot on Linux just as much as on other systems.


Flatpaks for Fedora 27

Posted Jul 29, 2017 1:32 UTC (Sat) by lsl (subscriber, #86508)

That global software-tracking tentacular thingummy isn't far-fetched at all. You can get a reasonable approximation by looking at running processes that have files mapped that no longer exist in the file system (because RPM/dpkg renamed the new version over it). Basically, look for DEL in the output of lsof(1) and filter on the paths your programs and libraries tend to live in.

Things like DNF's tracer plugin integrate a slightly more advanced play on this into the package management, telling you what (and for many things, how exactly) you need to restart following the transaction.
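The approximation lsl describes, as an added example that is not lsl's code and not part of lsof, tracer or needrestart: the kernel marks a mapping whose backing file was unlinked or renamed over with a trailing "(deleted)" in /proc/<pid>/maps, which is the same condition lsof(1) reports as DEL. The script parses that file for one process, filters on an assumed set of system binary and library directories (DEFAULT_PREFIXES) to drop memfd and tmpfs noise, and then walks all of /proc to report which PIDs still execute replaced files. The sample maps content is constructed; reading other users' maps files requires root.

```python
"""Find running processes that still map files replaced on disk.

Added example; not from the LWN thread and not part of lsof, tracer or
needrestart. A mapping whose file was unlinked or renamed over shows a
trailing "(deleted)" in /proc/<pid>/maps, the condition lsof reports as DEL.
"""
import os
import re
from collections import defaultdict

# Assumed directories where packaged binaries and libraries live; tune per distro.
DEFAULT_PREFIXES = ("/usr/bin", "/usr/sbin", "/usr/lib", "/usr/lib64",
                    "/bin", "/sbin", "/lib", "/lib64")

# /proc/<pid>/maps line layout: address perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$")
_DELETED = " (deleted)"


def deleted_mappings(maps_text, prefixes=DEFAULT_PREFIXES):
    """Return the sorted list of replaced-file paths mapped in one maps file."""
    found = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path.endswith(_DELETED):
            continue
        path = path[:-len(_DELETED)]
        # Only report files under the package-managed directories we care about;
        # this drops anonymous memfd and tmpfs mappings that are also "(deleted)".
        if path.startswith(prefixes):
            found.add(path)
    return sorted(found)


def scan_proc(proc_root="/proc", prefixes=DEFAULT_PREFIXES):
    """Map each stale path to the PIDs still using it, across all processes."""
    stale = defaultdict(set)
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited, or its maps are not readable by us
        for path in deleted_mappings(text, prefixes):
            stale[path].add(int(entry))
    return {p: sorted(pids) for p, pids in stale.items()}


# Constructed sample: a bash process whose libc was replaced by a package update.
SAMPLE_MAPS = """\
55d3e3a00000-55d3e3a01000 r--p 00000000 fd:01 1234 /usr/bin/bash
7f1a2c000000-7f1a2c022000 r--p 00000000 fd:01 5678 /usr/lib64/libc.so.6 (deleted)
7f1a2c022000-7f1a2c197000 r-xp 00022000 fd:01 5678 /usr/lib64/libc.so.6 (deleted)
7f1a2c400000-7f1a2c401000 rw-p 00000000 00:00 0 /memfd:xyz (deleted)
7f1a2c500000-7f1a2c600000 rw-p 00000000 00:00 0 [heap]
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("sample:", deleted_mappings(SAMPLE_MAPS))
    for path, pids in sorted(scan_proc().items()):
        print(f"{path}: still mapped by pids {pids}")
```

Run it as root after an update to get a restart list comparable to lsof's DEL entries. Like lsof, it only sees mapped files, so it misses the case pabs raises below of interpreted programs whose upgraded modules are loaded as plain reads rather than mappings.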

Flatpaks for Fedora 27

Posted Jul 29, 2017 11:31 UTC (Sat) by pabs (subscriber, #43278)

There are better running-process options than just open-file tracking; e.g., needrestart goes further than open-file tracking by also inspecting programs written in Python/Perl and determining whether any of the libraries they have loaded were upgraded.

The DNF tracer plugin sounds interesting, do you have a link?

Flatpaks for Fedora 27

Posted Jul 29, 2017 23:45 UTC (Sat) by lsl (subscriber, #86508)

Sure: https://dnf-plugins-extras.readthedocs.io/en/latest/trace.... There's also a link to the underlying tracer program which is not specific to DNF/Fedora.

Install the python3-dnf-plugin-tracer package to enable it on recent Fedora.

Flatpaks for Fedora 27

Posted Jul 29, 2017 11:28 UTC (Sat) by nix (subscriber, #2304)

What you say is true for a lot of things that are directly or indirectly network-exposed, but in the bash case you're probably fine, since nearly all bash-related vulnerabilities involve the attacker doing something that spawns a new shell with unexpected capabilities (e.g., in the most famous case, shell functions that should not be there). So in bash's case, unless the hole relates to readline doing something unexpected when faced with hostile input *and* it's paired with a terminal emulator bug that lets the attacker force keyboard input via hostile output, you're probably fairly safe, as these things go. (And even in that case I'd say the terminal emulator bug is the really bad one. If someone can type arbitrary stuff into your shell, they can do bad things even if readline etc are bug-free.)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds