Bug#887348: steam:i386: execmod access is requested, security issue

Russell Coker russell at coker.com.au
Mon Jan 15 13:13:32 UTC 2018


> Impact: am I right in thinking that this is not in itself a security
> vulnerability, but that if there is a separate security vulnerability
> somewhere in Valve's binaries, having execmod access makes it
> significantly easier for an attacker to turn that vulnerability into
> arbitrary code execution, similar to an absence of the hardening measures
> (stack protector, PIC, etc.) that we're encouraged to use in packages
> that are built from source?

Yes.

> Am I right in saying that replacing some or all of the i386 binaries
> with x86_64 binaries would be sufficient? Or is there some simple thing
> Valve could do with a general-purpose compiler (I think they use gcc/g++)
> to get i386 binaries with the right magic flags?

Replacing with AMD64 doesn't inherently solve the problem.  But as AMD64 has 
no shortage of registers the assembler tricks used for performance on i386 
aren't used and this solves the problem.

They could just not use the assembler.  I really don't think that they are 
doing anything performance intensive in this regard.  When I maintained my own 
fork of those packages to address this issue (when i386 on the desktop was 
useful) I didn't have any performance problems with programs like mplayer.

> (I don't know whether Valve would be willing to require x86_64 for Steam
> - a lot of older games are only available as i386 binaries, and having
> steam be an i386 package makes it a lot easier to pull in i386 multiarch
> graphics drivers and other necessary libraries from the host system -
> but it's worth asking.)

If they had "steam" as an amd64-only package it would mean that you couldn't 
install Steam games on an i386 system.  I really doubt that anyone wants to do 
that nowadays given that quad core amd64 systems can be found as rubbish 
nowadays.  So if they entirely dropped support for running games on i386 it 
wouldn't be a problem and the i386 compiled games once installed would run 
fine.  Of course i386 games might have the same issue, but that would only 
affect people who run those particular games while the current issue affects 
everyone who uses steam.

Can't an amd64 package have dependencies on i386 packages?  Surely a better 
solution to depending on multiarch graphics drivers would be for a steam:amd64 
package to recommend steam-graphics:i386 which depends on the graphics 
packages in question.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


