SKELETONKEY

leviathan/SKELETONKEY

Fork 0

Commit Graph

Author	SHA1	Message	Date
leviathan	8ac041a295	release v0.9.1: VM verification sweep 22 → 27 release / build (arm64) (push) Waiting to run Details release / build (x86_64) (push) Waiting to run Details release / build (x86_64-static / musl) (push) Waiting to run Details release / build (arm64-static / musl) (push) Waiting to run Details release / release (push) Blocked by required conditions Details Five more CVEs empirically confirmed end-to-end against real Linux VMs: - CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant) - CVE-2020-29661 tioscpgrp (Ubuntu 20.04 pinned to 5.4.0-26) - CVE-2024-26581 nft_pipapo (Ubuntu 22.04 + mainline 5.15.5) - CVE-2025-32463 sudo_chwoot (Ubuntu 22.04 + sudo 1.9.16p1 from source) - CVE-2025-6019 udisks_libblockdev (Debian 12 + udisks2 + polkit rule) Required real plumbing work: - Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh) - Two-phase provision in verify.sh (prep → reboot if needed → verify) fixes silent-fail where new kernel installed but VM never rebooted - GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks (kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target) - Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/) mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config mismatch). Genuinely needs a CentOS 6 / Debian 7 image.	2026-05-23 23:35:02 -04:00
leviathan	270ddc1681	verify-vm: per-module provisioner hook + old-mainline URL fallback Adds tools/verify-vm/provisioners/<module>.sh hook so per-module setup (build vulnerable sudo from source, drop polkit allow rule, add sudoers grant) lives in checked-in scripts rather than manual VM steps. Vagrantfile runs the script as root before build-and-verify if it exists. Also fixes mainline kernel fetch to fall back from /v${KVER}/amd64/ to /v${KVER}/ for old kernels (≤ ~4.15) where debs aren't under the amd64 subdir, and accepts both 'linux-image-' (old) and 'linux-image-unsigned-' (new) deb names. Wires up 4 previously-deferred targets to expect VULNERABLE: - sudo_chwoot: builds sudo 1.9.16p1 from upstream into /usr/local - udisks_libblockdev: installs udisks2 + polkit rule for vagrant user - mutagen_astronomy: pins mainline 4.14.70 (one below the .71 fix) - sudo_runas_neg1: adds (ALL,!root) sudoers grant	2026-05-23 22:36:02 -04:00

Author

SHA1

Message

Date

leviathan

8ac041a295

release v0.9.1: VM verification sweep 22 → 27

release / build (arm64) (push) Waiting to run

Details

release / build (x86_64) (push) Waiting to run

Details

release / build (x86_64-static / musl) (push) Waiting to run

Details

release / build (arm64-static / musl) (push) Waiting to run

Details

release / release (push) Blocked by required conditions

Details

Five more CVEs empirically confirmed end-to-end against real Linux VMs:
- CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant)
- CVE-2020-29661 tioscpgrp        (Ubuntu 20.04 pinned to 5.4.0-26)
- CVE-2024-26581 nft_pipapo       (Ubuntu 22.04 + mainline 5.15.5)
- CVE-2025-32463 sudo_chwoot      (Ubuntu 22.04 + sudo 1.9.16p1 from source)
- CVE-2025-6019  udisks_libblockdev (Debian 12 + udisks2 + polkit rule)

Required real plumbing work:
- Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh)
- Two-phase provision in verify.sh (prep → reboot if needed → verify)
  fixes silent-fail where new kernel installed but VM never rebooted
- GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks
  (kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target)
- Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/)

mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on
Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config
mismatch). Genuinely needs a CentOS 6 / Debian 7 image.

2026-05-23 23:35:02 -04:00

leviathan

270ddc1681

verify-vm: per-module provisioner hook + old-mainline URL fallback

Adds tools/verify-vm/provisioners/<module>.sh hook so per-module setup
(build vulnerable sudo from source, drop polkit allow rule, add sudoers
grant) lives in checked-in scripts rather than manual VM steps. Vagrantfile
runs the script as root before build-and-verify if it exists.

Also fixes mainline kernel fetch to fall back from /v${KVER}/amd64/ to
/v${KVER}/ for old kernels (≤ ~4.15) where debs aren't under the amd64
subdir, and accepts both 'linux-image-' (old) and 'linux-image-unsigned-'
(new) deb names.

Wires up 4 previously-deferred targets to expect VULNERABLE:
- sudo_chwoot: builds sudo 1.9.16p1 from upstream into /usr/local
- udisks_libblockdev: installs udisks2 + polkit rule for vagrant user
- mutagen_astronomy: pins mainline 4.14.70 (one below the .71 fix)
- sudo_runas_neg1: adds (ALL,!root) sudoers grant

2026-05-23 22:36:02 -04:00

2 Commits