- 1 Read Me First
- 2 Read Me Second: SLEEP mode in Debian/testing kernel 3.2.0
- 3 Installation
- 3.1 Before Starting
- 3.2 Installing from Debian Repository
- 3.3 Installing Manually
- 3.4 Jessie AKA STABLE
- 4 Post Install
- 5 Hardware Video Decode Acceleration (EXPERIMENTAL)
- 6 Updating Catalyst/fglrx
- 7 Removing Catalyst/fglrx
- 8 Debian Squeeze x86_64 and AMD A Series
Read Me First
Which cards are no longer supported by ATI Catalyst? The ATI Radeon 9500-9800, Xpress200-1250, 690G, 740G, X300-X2500 (including Mobility RadeonHD 2300, since it is really a DirectX 9 part). See the complete list here. If your card is on that list, you are limited to open-source drivers on Debian Squeeze/6.0 (and later). If you really need the proprietary Catalyst/fglrx driver, you will have to use Debian Lenny/5.0.x and install Catalyst 9-3.
ATTENTION RADEON USERS
NOTE: If you enter your card information on AMD/ATI’s driver page, it will offer you the Catalyst 9-3 driver to download. However, the Catalyst 9-3 driver doesn’t support X servers past 1.5, and it will not work with Debian versions later than Lenny/5.0.x! !!!SO BE CAREFUL!!! If you tried to install Catalyst on a system with one of these cards, see the ‘Removing the Driver’ section to restore the default/pre-installed drivers.
Read Me Second: SLEEP mode in Debian/testing kernel 3.2.0
amd-driver-installer-catalyst-12.10-x86.x86_64.run breaks sleep mode (notebook hangs up after awaking and reboot without logging anything). I suppose it is because atieventsd is not working correctly. So I first install the latest fglrx-atieventsd package and, over it, amd-driver-installer-catalyst-12.10-x86.x86_64.run. (Or first amd-driver-installer-catalyst-12.10-x86.x86_64.run, and then manually copy the remaining conf files from fglrx-atieventsd without overwriting.) Then start atieventsd with « service fglrx-atieventsd restart » and put this command in the autorun files.
Next step: check /var/syslog for « atieventsd: Unable to bind control socket to /var/run/atieventsd.socket: Permission denied »; if it is there, then it needs to be run by root.
After this, sleep mode works correctly, but only sometimes. Research is to be continued. The good news is that many 3D games play well with sound on wine-1.5.6.
UPDATE: It seems it works correctly with a clean install of amd-driver-installer-catalyst-12.10-x86.x86_64.run on Debian/testing kernel 3.2.0 i386, but after upgrading libxi6 to the stable version (apt-get install -t stable libxi6). The old version caused problems with wine games, something like « malloc() corruption memory » and a segfault. I have not tested the new version amd-driver-installer-catalyst-13.1-linux-x86.x86_64.run and fglrx-driver_12-6+point-1_i386.deb.
UPDATE new poster
13.4 is in the Debian testing repo for 5000 and above cards, 13.1 is also in the Debian repo for older cards
fglrx-driver_12-6+point-1_i386.deb is shipped with Debian stable/Wheezy and works perfectly.
The open-source ati/radeon driver should already be installed and used as the default. See Debian Open Source Drivers. This guide focuses on installing the proprietary ATI driver (fglrx/Catalyst).
If you have previously attempted installing Catalyst, remove any leftover files by following the Removing the Driver section.
Installing from Debian Repository
NOTE: the note is no longer valid info; Wheezy is the stable Debian now. NOTE: This no longer works on Wheezy/testing or Sid after the upgrade to Xserver 1.12. Unfortunately fglrx/Catalyst triggers segfaults in Xorg newer than 1.11.x, and the driver was removed from Wheezy and Sid.
Fglrx is non-free software, so it is located in the non-free repository. If you do not have non-free enabled, you can do so like this: http://serverfault.com/questions/240920/how-do-i-enable-non-free-packages-on-debian
$ sudo apt-get remove --purge xserver-xorg-video-radeon
$ sudo apt-get install fglrx-driver fglrx-control libgl1-fglrx-glx fglrx-atieventsd fglrx-modules-dkms
If you are using 64-bit Debian, install the 32-bit fglrx libraries for use with 32-bit programs.
$ sudo apt-get install libgl1-fglrx-glx:i386
This cannot work at all. Please refer to the Discussion for details.
This method uses the latest Catalyst driver downloaded from AMD/ATI’s site.
Install the prerequisite packages (names are based on Debian sid, older Debians may be different):
$ sudo apt-get install build-essential cdbs fakeroot dh-make debhelper debconf libstdc++6 dkms libqtgui4 wget execstack libelfg0 module-assistant dh-modaliases
If you are using the x86_64 architecture (64 bit), be sure to install « ia32-libs » before proceeding!
$ sudo apt-get install ia32-libs
Download the latest Catalyst package.
This package contains both the 32-bit and 64-bit driver.
$ cd ~/; mkdir catalyst15.12; cd catalyst15.12/
$ wget --referer=http://www2.ati.com http://www2.ati.com/drivers/linux/amd-15-12-linux-x86.x86_64.zip
$ unzip amd-15-12-linux-x86.x86_64.zip
$ chmod +x amd-15-12-linux-x86.x86_64.run
Create .deb packages.
You can run
to get a list of all the potential packages
For Debian systems, <package> will be one of the following: Debian/sid Debian/unstable Debian/etch Debian/stable Debian/lenny Debian/testing Debian/experimental
$ fakeroot sh amd-15-12-linux-x86.x86_64.run --buildpkg <package>
$ sudo dpkg -i fglrx*.deb
Jessie AKA STABLE
Jessie AKA STABLE Installation (November 10 2013)
Current working driver in repo; that could change. Jessie is testing (Jan 2014).
fglrx was removed from the jessie repository due to incompatibilities with X.org 1.14. However you can manually install the 13.11 beta 6 version.
[Note: As of 2016-02-27, fglrx packages appear in Jessie repos.]
mkdir ati
cd ati
apt-get build-dep fglrx-driver
apt-get -b source fglrx-driver
dpkg -i *.deb
You must have the proper repo set in /etc/apt/sources
Dependency problems may appear (for example, the package expects to find xorg-video-abi-18 but the system only has xorg-video-abi-19). In this case you must execute:
mkdir ati
cd ati
sudo apt-get build-dep fglrx-driver
sudo apt-get source fglrx-driver
cd fglrx-driver-*
Edit the file `debian/rules.defs` and add 19 to the XORG_ABI_LIST list.
sudo dpkg-buildpackage -us -uc
cd ..
dpkg -i *.deb
Wheezy AKA OLDSTABLE Installation (current as of May 3, 2013)
Why someone posted this I do not have any idea. 12.6 was shipped with Wheezy from day one; there is nothing to downgrade or change if you stay on the stable repo, it just works. DEBIAN IS NOT UBUNTU and those directions will not work on Debian; they just confuse people, so if you don't use DEBIAN don't post. Everything below this was way before May of 2013, when Wheezy was the testing distro and Squeeze was stable. Current as of May 2013 and your first comment is about 2012; are you new to Linux? That makes the info stone aged. I find it odd this all got added after Wheezy was released with 12.6, because I was here and posted the info, and this post wasn't here. Do you work for Nvidia?
Wheezy upgraded from xserver 1.11 to 1.12 on May 20, 2012. (You posted about something a year before LMAO, Nvidia pay you for that?) AMD has not updated their driver to work with this version of xserver. So, you have two options:
1) Downgrade from xserver 1.12 (Tested, and works on Debian Wheezy kernel 3.2.0-4-amd64<shipped with Wheezy from day one (05/03/13)<was testing at the time Squeeze was stable and on Debian Wheezy kernel 3.2.0-1-amd64 (6/22/12) )
Link to instructions (this should be copied over to this wiki for posterity):
Note 1: In the linked directions they use fglrx version 12.4. At the time of making this edit beta version 12.6 also works just fine. If you want to run the bleeding edge, it can be found here: http://support.amd.com/us/gpudownload/linux/Pages/radeon_linux.aspx?type=2.4.1&product=220.127.116.11.42&lang=English With the 12.6 beta version you will get a watermark in the lower right hand corner. After you have everything working properly run this script: http://www.areyoueye.net/scripts/watermark_nix.sh It will get rid of that water mark.
Note 2: fglrx version 13.4 works just fine, except for changing the brightness, because it stays at full all the time. Installing this driver will not show the watermark.
2) Patch libpciaccess (I have no first hand knowledge of this working but others swear by it)
This will get you the latest and greatest xserver and fglrx working together.
Read this: http://ati.cchtml.com/show_bug.cgi?id=522
Apply this patch: http://pastebin.com/swpDj4FD
I find it odd this all got added after Wheezy was released with 12.6, because I was here and posted the info, and this post wasn't here. Do you work for Nvidia?
Generate a new /etc/X11/xorg.conf file
Unfortunately, there is no sure way to generate the ATI version of the Xorg.conf file. It is entirely dependent on your configuration. The following subsections will attempt to address possible (and tested) variations for their respective configurations.
This will work for most people:
$ sudo aticonfig --initial -f
If you are using dual head, that is to say, two _different_ desktops on two monitors, do this:
$ sudo aticonfig --initial=dual-head -f
Most people with two or more monitors will want instead one large desktop; to do this you may have to specify your monitors individually in the xorg.conf file and tell the driver to use a larger desktop size (big enough to contain both monitors) then use xrandr to configure the monitor arrangement.
A very basic /etc/X11/xorg.conf file might be what you need if you have a new card that’s not fully supported by amdconfig. Here follows the entirety of a minimal xorg.conf file for the Radeon 6870:
Section "Device"
    Identifier "ATI radeon 6870"
    Driver "fglrx"
EndSection
X2/Dual GPU Cards
If you have an X2 card (e.g. 4870X2 or 5970), use… !!Do not use for two separate cards in crossfire!!
$ sudo aticonfig --initial -f --adapter=all
A post at http://phoronix.com/forums/showthread.php?t=18553 suggested to do the following to use a dual monitor display (also known as « Big Desktop »):
$ sudo aticonfig --initial -f
$ sudo aticonfig --set-pcs-str="DDX,EnableRandR12,FALSE"
However the information is dated 2009 and now believed to be obsolete.
For multiple monitors, instead try specifying all monitors in your xorg.conf file. Use the following as a starting point:
Section "ServerLayout"
    Identifier "amdconfig Layout"
    Screen 0 "amdconfig-Screen-0" 0 0
EndSection

Section "Module"
EndSection

Section "Monitor"
    Identifier "0-DFP6"
    Option "DPMS" "true"
    Option "PreferredMode" "1920x1080"
EndSection

Section "Monitor"
    Identifier "0-CRT1"
    Option "DPMS" "true"
    Option "PreferredMode" "1280x1024"
EndSection

Section "Device"
    Identifier "amdconfig-Device-0"
    Driver "fglrx"
    BusID "PCI:1:0:0"
    Option "Monitor-DFP6" "0-DFP6"
    Option "Monitor-CRT1" "0-CRT1"
EndSection

Section "Screen"
    Identifier "amdconfig-Screen-0"
    Device "amdconfig-Device-0"
    Monitor "0-DFP6"
    DefaultDepth 24
    SubSection "Display"
        Viewport 0 0
        Depth 24
        # Big Desktop: 1920+1280=3200, max(1080,1024)=1080
        Virtual 3200 1080
    EndSubSection
EndSection
After starting X successfully, use xrandr to check the maximum screen size is large enough for your combined desktop:
$ xrandr
Screen 0: minimum 320 x 200, current 3200 x 1080, maximum 3200 x 1080
And positioning of connected monitors:
DFP1 disconnected (normal left inverted right x axis y axis)
DFP2 disconnected (normal left inverted right x axis y axis)
DFP3 disconnected (normal left inverted right x axis y axis)
DFP4 disconnected (normal left inverted right x axis y axis)
DFP5 disconnected (normal left inverted right x axis y axis)
DFP6 connected 1920x1080+0+0 (normal left inverted right x axis y axis) 531mm x 299mm
[modes elided]
CRT1 connected 1280x1024+1920+56 (normal left inverted right x axis y axis) 338mm x 270mm
Use xrandr (or in KDE, krandrtray) to reposition your monitors within your screen.
Force use of the new xorg.conf (if necessary)
Some people find that changes to xorg.conf don’t get used by the driver. To force the ATI driver to adopt changes made to xorg.conf, use the following command:
$ sudo aticonfig --input=/etc/X11/xorg.conf --tls=1
Test your installation
NOTE: if you don’t reboot first, fglrxinfo gives an error message. Reboot the computer and type
$ fglrxinfo
into the terminal. If the vendor string contains ATI, you have installed the driver successfully. Using fglrxinfo on a system with Catalyst 11-4 and a RadeonHD 4250 returns:
display: :0.0 screen: 0
OpenGL vendor string: ATI Technologies Inc.
OpenGL renderer string: ATI Radeon HD 4200 Series (This line may be different depending on what graphics card you are using.)
OpenGL version string: 3.3.10665 Compatibility Profile Context (This line may be different depending on what graphics card and Catalyst version you are using.)
If you experience issues or a hang, you may need to disable fast TLS.
$ sudo aticonfig --tls=0
Hardware Video Decode Acceleration (EXPERIMENTAL)
This is confirmed to work for newer RadeonHD GPU’s (those with UVD2). If you have a RadeonHD 4000 series or newer, you have UVD2. To see the complete list: http://en.wikipedia.org/wiki/Unified_Video_Decoder#UVD_enabled_GPUs
Debian wheezy/7.0 and Later
$ sudo apt-get install xvba-va-driver
Be very careful when doing this. I wasn’t paying much attention and all of a sudden aptitude decided that this package required a bunch of packages to be uninstalled (for instance a lot of tex packages, but more inconveniently GDM3…)
DO NOT try to install a new version over an old one. Follow the Removing the Driver section below to remove your existing driver.
The uninstall script in the first command will only exist if you downloaded the drivers and installed them directly (rather than building packages as this guide does). Skip the first command if it does not exist.
$ sudo sh /usr/share/ati/fglrx-uninstall.sh
$ sudo apt-get remove --purge fglrx fglrx_* fglrx-amdcccle* fglrx-dev* xorg-driver-fglrx
If you plan on using open-source drivers, you will need to reinstall some packages because Catalyst overwrites or diverts some key 3D libraries with proprietary versions. For more information on this issue, see this Ubuntu wiki page
$ sudo apt-get remove --purge xserver-xorg-video-ati xserver-xorg-video-radeon
$ sudo apt-get install xserver-xorg-video-ati
$ sudo apt-get install --reinstall libgl1-mesa-glx libgl1-mesa-dri xserver-xorg-core
$ sudo mv /etc/X11/xorg.conf /etc/X11/xorg.conf.backup
Debian Squeeze x86_64 and AMD A Series
First install kernel 3.2 from squeeze-backports. To add backports to your sources.list, add this line
deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free
to your sources.list (or add a new file to /etc/apt/sources.list.d/)
$ sudo apt-get update
$ sudo apt-get -t squeeze-backports install linux-image-3.2.0-0.bpo.4-amd64
$ sudo reboot
$ sudo apt-get remove --purge xserver-xorg-video-radeon
$ sudo apt-get -t squeeze-backports install fglrx-driver fglrx-control fglrx-glx fglrx-atieventsd fglrx-modules-dkms
If you are using 64-bit Debian, install the 32-bit fglrx libraries for use with 32-bit programs.
$ sudo apt-get -t squeeze-backports install fglrx-glx-ia32
Problems with multiple cards and multiple monitors
Problems can occur under the following circumstances:
1. Multiple monitors on one card AND a monitor attached to the VGA port.
2. More than one card.
In these cases the first monitor on the first card (usually identified as « CRT-1 ») may (a) not be recognized by manufacturer/model, so that the « Default Monitor » setting is used instead, and (b) therefore be set to a different resolution (e.g. 1600×1200) no matter what the xorg.conf file says.
If this happens, check if the log file /var/log/Xorg.0.log contains an entry like this one:
(II) fglrx(0): Cannot get EDID information for CRT1
…which may be followed later with:
(II) fglrx(0): Output CRT1 connected
(II) fglrx(0): Using user preference for initial modes
(II) fglrx(0): Output CRT1 using initial mode 1600×1200
The reason for this behavior seems to be either a timing problem during Xorg initialization (EDID info for CRT-1 not received quickly enough) or a problem with the DDC probe itself. A possible work-around is to not use the VGA connector (CRT-1) on the first card at all and to use only the DVI and HDMI ports (possibly with an HDMI-to-DVI adapter cable); the problem then disappears immediately (the monitor is recognized immediately and the correct resolution is used).
To avoid confusion with the Xorg configuration, you may want to delete /etc/X11/xorg.conf file and use the following command to have it generated (assuming 2 monitors per card):
$ aticonfig --initial --adapter=all --heads=2
This will create a complete and correct configuration file (you may want to change layout later) even if a VGA monitor is attached to the first card but that VGA monitor will not be recognized upon reboot.
Full title: MySQL / MariaDB / PerconaDB 5.5.52 / 5.6.33 / 5.7.15 – Code Execution / Privilege Escalation
Security Risk High
- Discovered by: Dawid Golunski
- dawid (at) legalhackers.com
- Release date: 12.09.2016
- Severity: Critical
Full title: CryptWare CryptoPro Secure Disk For Bitlocker 18.104.22.16874 Manipulation
Security Risk High
CryptWare CryptoPro Secure Disk for Bitlocker version 22.214.171.12474 suffers from flaws that allow a malicious party to attack the boot process and backdoor the system to steal login credentials, the private 802.1x certificate, and the associated password.
title: Manipulation of pre-boot authentication
product: CryptWare CryptoPro Secure Disk for Bitlocker
vulnerable version: 126.96.36.19974
fixed version: 5.2.1
CVE number: -
by: R. Freingruber (Office Vienna)
M. von Dach (Office Zurich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
"CryptoPro Secure Disk for BitLocker enhances the functionality of
Microsoft BitLocker to have an own PreBoot Authentification (PBA)
and enables BitLocker to use established and existing authentication
methods like UID/Password and Smartcard/PIN. The encryption
of the hard disk, as well as the recovery mechanism are realized with
Microsoft BitLocker while the user Authentication and Help-Desk
mechanism are handled by CryptoPro Secure Disk for Bitlocker.
This ideal combination of both technologies allows customers to
establish an ease of use and cost effective solution, even without
have to use TPM authentication and administration. Our centralized
encryption management with different roles of administration and
multi-client-capability delivers new opportunities for customers and
third party service providers."
By using the vulnerabilities documented in this advisory an attacker
can attack the boot process and backdoor the system to steal
login credentials, the private 802.1x certificate and the associated
SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.
1) Terminal access not blocked at login mask
After installing CryptoPro Secure Disk an additional partition (ext3) is
added to the system. This partition contains a small linux operating system
and gets directly started after booting the system (before bitlocker code
gets executed). Via an init script the login application is started.
An attacker can use a keyboard shortcut to open the first terminal.
This spawns an invisible root shell for the attacker (commands can be
executed, however, the output is not directly visible).
The other terminals (terminal two to six) are blocked via commands
inside the /etc/inittab file. The associated line for terminal one is
uncommented and therefore not active.
2) Inadequate software manipulation verification
After starting the system the following application gets started:
/usr/SUPERSHEEP/bin/app_launcher -a ./ss_gui
The app_launcher application carries out checks and finally
starts the graphical user interface with the login mask (ss_gui).
These checks first verify the hashsum of the file
and afterwards execute the script. The script calculates the hashsum
of nearly all files on the system and compares them with a preconfigured
list (which is stored inside an encrypted block special file).
If the hash of the script is wrong or the script reports invalid hashes,
the boot process is stopped and an error is displayed to the user.
The script contains a design / logical error which allows an attacker
to bypass the hash verification. By exploiting this flaw an attacker
can modify all files on the system (e.g. add a backdoor).
Proof of concept:
1) Terminal access not blocked at login mask
An attacker can use the keyboard shortcut ctrl+alt+f1 to open an
invisible root shell. A simple proof-of-concept is to type the
command "reboot". This results in a beep-sound and a reboot of the
Another proof-of-concept is that an attacker connects the victim
system with a DHCP server to assign an IP address and then start the
/usr/bin/netcat -lvvp 8197 -e /bin/sh
This command must be typed with a german keyboard layout. It
binds a root shell to the port 8197. Afterwards the attacker can
connect to port 8197 to issue commands and receive the output of it.
2) Inadequate software manipulation verification
The script /usr/SUPERSHEEP/bin/verify_checksums.sh
executes the following command to calculate the number of files with
/tmp/sha256sum -c $CS_FILE > $CS_FILE.out
Later the wc (word count) utility is used to count the number of
errors. This is done by the following code:
NUM_FAILED=`wc -l $CS_FILE.error | cut -d " " -f 1`
The script uses the wc program and expects that wc was not
modified and the output of it is correct. However, an attacker
can modify it to always return zero which means that zero errors
The problem is that the script verify_checksums.sh verifies the
hashsum of the wc utility, but it already relies on this utility
during that very verification check.
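The trust problem in finding 2, as an added example that is not part of the advisory or of the vendor's code: the first function mirrors the wc-based count, the second decides with one pinned hash tool and shell builtins only and fails closed. HASH_TOOL, the function names, the way the .error file is filled and the sandbox files are assumptions.

```shell
#!/bin/sh
# Added example. HASH_TOOL, the function names and the sandbox layout are
# assumptions for illustration; only "sha256sum -c" and the wc/cut pipeline
# come from the advisory text.

# Flawed pattern: the failure count is whatever "wc" reports, although wc is
# one of the files whose integrity is still being decided.
count_failed_flawed() {
    cs_file=$1
    sha256sum -c "$cs_file" > "$cs_file.out" 2>/dev/null || true
    # Assumption: the .error file holds the FAILED lines of the .out file.
    grep FAILED "$cs_file.out" > "$cs_file.error" || true
    wc -l "$cs_file.error" | cut -d " " -f 1
}

# Hardened pattern: one pinned hash tool, counting done with shell builtins,
# and a fail-closed result whenever the tool's exit status is non-zero.
count_failed_hardened() {
    cs_file=$1
    n=0
    status=0
    out=$("$HASH_TOOL" -c "$cs_file" 2>/dev/null) || status=$?
    while IFS= read -r line; do
        case $line in
            *": OK") ;;
            *) n=$((n + 1)) ;;   # FAILED, unreadable, or unexpected output
        esac
    done <<EOF
$out
EOF
    if [ "$status" -ne 0 ] && [ "$n" -eq 0 ]; then
        n=1
    fi
    echo "$n"
}

# Constructed sandbox: two files, one changed after the list was written.
# A shell function named wc that always reports 0 stands in for a modified
# wc; it shadows the real tool only inside the subshell that defines it.
run_demo() {
    dir=$(mktemp -d)
    mkdir "$dir/root"
    echo 'setting=1' > "$dir/root/a.conf"
    echo 'echo hello' > "$dir/root/b.sh"
    # Stands in for a hash tool kept outside the set of verified files.
    HASH_TOOL=$(command -v sha256sum)
    "$HASH_TOOL" "$dir/root/a.conf" "$dir/root/b.sh" > "$dir/sums"
    echo '# changed' >> "$dir/root/b.sh"
    flawed=$(wc() { echo 0; }; count_failed_flawed "$dir/sums")
    hardened=$(wc() { echo 0; }; count_failed_hardened "$dir/sums")
    rm -rf "$dir"
    echo "flawed=$flawed hardened=$hardened"
}

run_demo
```

The hardened count is only as trustworthy as the shell and hash tool that produce it, so both have to come from storage that someone with access to the disk cannot rewrite.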
For a proof-of-concept the wc file was replaced with the following content:
echo a0 xa
After that all scripts and binaries can be modified.
For example, the following script from CryptoPro Secure Disk can be used to
backdoor the system to save private keys (802.1x) together with the
Vulnerable / tested versions:
The version 188.8.131.5274 was found to be vulnerable which was the latest version
at the time of discovery.
Vendor contact timeline:
2016-08-01: Contacting vendor through firstname.lastname@example.org
2016-08-02: CryptWare was able to reproduce the vulnerabilities
2016-08-10: Release of CryptoPro Secure Disk 5.2.1 which
according to the vendor fixes the vulnerabilities.
2016-08-31: Coordinated release of security advisory
Upgrade to CryptoPro Secure Disk 5.2.1. The patch is provided
by the vendor directly.
# 0day.today [2016-09-01] #