The Linux vs Meltdown and Spectre battle continues
The Linux developers has made a lot of progress in dealing with the Meltdown and Spectre. That's good, but there's a lot of work left to be done.
Security
First, a brief refresher.
Meltdown is a CPU vulnerability. It works by using modern processors' out-of-order execution to read arbitrary kernel-memory location. This can include personal data and passwords. This functionality has been an important performance feature. It's present in many modern processors, most noticeably in 2010 and later Intel processors. By breaking down the wall between user applications and operating system's memory allocations, it can potentially be used to spy on the memory of other programs and the operating systems.
Spectre breaks down the barriers between different applications. You could theoretically use it to trick applications into accessing arbitrary program, but not kernel, memory locations. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate, and it attacks even more chip architectures than Meltdown does. For now, there are no universal Spectre patches.
Linux developers are not happy about either problem. They were not kept in the loop, and they had to rush patches out to mitigate the security holes. As Greg Kroah-Hartman, maintainer of the Linux stable branch wrote, this is [sic] "a textbook example of how not to interact with the Linux kernel community properly. The people and companies involved know what happened, and I'm sure it will all come out eventually, but right now we need to focus on fixing the issues involved, and not pointing blame, no matter how much we want to."
So, where are we with fixing the problems? Work is continuing, but the latest update of the stable Linux kernel, 4.14.2, has the current patches. Some people may experience boot problems with this release, but 4.14.13 will be out in a few days.
Patches have also been added to the 4.4 and 4.9 stable kernel trees. But, as Kroah-Hartman added, "This backport is very different from the mainline version that is in 4.14 and 4.15, there are different bugs happening." Still, he said, "Those are the minority at the moment, and should not stop you from upgrading."
If you're running Linux distribution with an older Linux kernel, stop. No patches for you!
Why not? Kroah-Hartman said, "Lack of patches to resolve the Meltdown problem is so minor compared to the hundreds of other known exploits and bugs that your kernel version currently contains." He continued, "Yell at the people who forced you to run an obsoleted and insecure kernel version, they are the ones that need to learn that doing so is a totally reckless act."
If you're running ARM64 processors, the patches, while ready to lock and load, aren't out yet. They'll be available in 4.15 in a few weeks. The patches are, however, available in the Android Common Kernel tree. The ARM64 fixes are available in the 3.18, 4.4, and 4.9 branches
All these patches address the Meltdown problem. Spectre is a different story. There are no Spectre patches available yet. That's because, as Kroah-Hartman explained, "Spectre issues were the last to be addressed by the kernel developers. All of us were working on the Meltdown issue, and we had no real information on exactly what the Spectre problem was at all, and what patches were floating around were in even worse shape than what have been publicly posted."
Therefore, it will take the kernel developers several weeks to "resolve these issues and get them merged upstream." Is this ideal? No. But, Kroah-Hartman shrugged. "It's not the best news, I know, but it's reality. If it's any consolation, it does not seem that any other operating system has full solutions for these issues either, the whole industry is in the same boat right now, and we just need to wait and let the developers solve the problem as quickly as they can," he said.
If you're not running Linux on x86 or ARM64, be careful out there. There are no patches for other processor types for now. We know that x86 (AMD and Intel chipsets), POWER 8, POWER 9, System z, and SPARC are also vulnerable.
As for specific distributions, Red Hat and SUSE have released their patches.
Debian has addressed one of the three known Meltdown attack vectors, CVE-2017-5754 for some, but not all, its versions. As for the other two, CVE-2017-5715 and CVE-2017-5753, Debian is still open for attack.
Canonical's Dustin Kirkland, VP of Ubuntu product development, announced that candidate kernels for all three problems are now available: "Barring any blocking issues identified in these candidates, we expect to GA these kernels into Ubuntu's security archives by January 9, 2018."
So, those problems that can be fixed will be fixed in the main Linux lines shortly. But this is only the beginning. Meltdown and Spectre variants will be with us for years. As Kroah-Hartman concluded, "This is going to be an area of lots of research over the next years to come up with ways to mitigate the potential problems."