So you may have seen this security update for CVE-2023-20593. If you
don't have that chip or AMD at all do you skip it? Any good reason to
take it?

I'm inclined not to. Still using 14.2 as my "will definitely still play
DVDs well on this 12 year old laptop" item in the boot menu so am
inclined to go minimal on the updates, particularly to the kernel or
firmware. But I suppose this wouldn't even be loaded.

On Mon, 24 Jul 2023 21:12:14 -0400, Mike Small wrote:

> So you may have seen this security update for CVE-2023-20593. If you
> don't have that chip or AMD at all do you skip it? Any good reason to
> take it?

Usually, I install all security patches routinely after some basic
testing that they do not break anything. However, there are some patches
that I do not install:

1) Packages which I have removed, installing a CUPS package would break
by LPRng installation.

2) Updates which I really don't need and maybe earlier have been prone to
break something. An example of such a package is glibc-zoneinfo.

So what about the kernel-firmware package? I will not update any 14.2
system, not only because I don't have any AMD CPU, but mostly because the
kernel-firmware package has become kind of bloated since I initially
installed 14.2. Since a few years back the later kernel-firmware packages
overfills the limited amont of space on my rather small root partitions.

On my Slackware 15.0 systems I have bigger root partitions and plan to
evaluate the update even though I do not have any AMD CPUs now. If I
would get an AMD CPU it would be good to have an up to date system.

Unfortunately the kernel firmware package needs to be evaluated as
upstream providers only provide one such package and during the years
that latest package has turned out to break support for different
hardware with different kernel versions. Maybe they would need to make
the package even more bloated to support all still supported kernel
versions. Maybe they would need to branch off different firmware package
versions for different kernel versions.

I am now on vacation, so I will not be able to evaluate the package for
my 15.0 installations until a few weeks.

regards Henrik

Mike Small <smallm@panix.com> wrote:
>
> So you may have seen this security update for CVE-2023-20593. If you
> don't have that chip or AMD at all do you skip it? Any good reason to
> take it?

From what I have read, no need unless you have one of the AMD
CPUs listed here:

https://lock.cmpxchg8b.com/zenbleed.html

But this also means you may not have the latest firmware
for you chip. I believe, eventually another firmware
update will come through and you will get these fixes
anyway :)

<snip>

John

--
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars

John McCue <jmccue@magnetar.jmcunx.com> wrote:

> From what I have read, no need unless you have one of the AMD
> CPUs listed here:
>
> https://lock.cmpxchg8b.com/zenbleed.html

Wrong link, this is the correct one:

https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released

John

--
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars

On 7/25/23 18:10, John McCue wrote:
> John McCue <jmccue@magnetar.jmcunx.com> wrote:
>
>> From what I have read, no need unless you have one of the AMD
>> CPUs listed here:
>>
>> https://lock.cmpxchg8b.com/zenbleed.html
>
> Wrong link, this is the correct one:
>
> https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released
>
> John
>

Mon Jul 24 22:07:56 UTC 2023
patches/packages/kernel-firmware-20230724_59fbffa-noarch-1.txz: Upgraded.
AMD microcode updated to fix a use-after-free in AMD Zen2 processors.
From Tavis Ormandy's annoucement of the issue:
"The practical result here is that you can spy on the registers of
other
processes. No system calls or privileges are required.
It works across virtual machines and affects all operating systems.
I have written a poc for this issue that's fast enough to reconstruct
keys and passwords as users log in."
For more information, see:
https://seclists.org/oss-sec/2023/q3/59
https://www.cve.org/CVERecord?id=CVE-2023-20593
(* Security fix *)

On 2023-07-25 at 21:11 ADT, User <user@example.net> wrote:
> On 7/25/23 18:10, John McCue wrote:
>> John McCue <jmccue@magnetar.jmcunx.com> wrote:
>>
>>> From what I have read, no need unless you have one of the AMD
>>> CPUs listed here:
>>>
>>> https://lock.cmpxchg8b.com/zenbleed.html
>>
>> Wrong link, this is the correct one:
>>
>> https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released
>>
>> John
>>
>
> Mon Jul 24 22:07:56 UTC 2023
> patches/packages/kernel-firmware-20230724_59fbffa-noarch-1.txz: Upgraded.
> AMD microcode updated to fix a use-after-free in AMD Zen2 processors.
> From Tavis Ormandy's annoucement of the issue:
> "The practical result here is that you can spy on the registers of
> other
> processes. No system calls or privileges are required.
> It works across virtual machines and affects all operating systems.
> I have written a poc for this issue that's fast enough to reconstruct
> keys and passwords as users log in."
> For more information, see:
> https://seclists.org/oss-sec/2023/q3/59
> https://www.cve.org/CVERecord?id=CVE-2023-20593
> (* Security fix *)

For those concerned about this...

The firmware update doesn't help most Zen2 processors. On the other hand,
the 6.4.7 kernel (and maybe some lower-numbered ones) has a patch which
mitigates this bug, at a possible performance cost.

I have this kernel running on a Ryzen 7 4700U processor (S64-15.0), and
running the program which demonstrates the problem under this kernel
indicates the kernel work-around seems to work with no other
configuration.

Running
# dmesg | grep -i zen
(as root/sudo/su...) outputs (for me)
[ 0.142704] Zenbleed: please update your microcode for the most optimal fix
(as well as some other stuff).

I haven't noticed any performance degradation, but nor have I run any
performance benchmarks.

Cheers.
Jim