Re: No need for 2.4.23 (re compromise)

2003-12-06 Thread Andreas Goesele
Mark C [EMAIL PROTECTED] writes:

> same here from the debian sources, but with a few added patches,
> there is no need to download a new kernel, just get the source you have
> for the currently running kernel, apply this patch:
>
> -- cut -
 --- 1.31/mm/mmap.c  Fri Sep 12 06:44:06 2003
 +++ 1.32/mm/mmap.c  Thu Oct  2 01:18:19 2003
 @@ -1041,6 +1041,9 @@
 if (!len)
 return addr;
   
 +   if ((addr + len)  TASK_SIZE || (addr + len)  addr)
 +   return -EINVAL;
 +
 /*
  * mlock MCL_FUTURE?
  */
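Review bot: the context lines in this copy ("if (!len)", "return addr;") carry no leading tabs and the "+" lines are indented with spaces, so the hunk cannot match the tab-indented mm/mmap.c and patch rejects it, as the "Hunk #1 FAILED at 1041" output below shows. Apply it with "patch -l" (ignore whitespace) or add the two lines by hand directly after the "if (!len) return addr;" test.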
> -- cut -
>
> and recompile, this was taken originally from Debian Planet.

With 2.4.21 I get:

$ patch -p1 < mm.patch
patching file mm/mmap.c
Hunk #1 FAILED at 1041.
1 out of 1 hunk FAILED -- saving rejects to file mm/mmap.c.rej

In mmap.c.rej I find:


**
*** 1041,1046 
 if (!len)
 return addr;

 /*
  * mlock MCL_FUTURE?
  */
--- 1041,1049 
 if (!len)
 return addr;

+if ((addr + len)  TASK_SIZE || (addr + len)  addr)
+return -EINVAL;
+
 /*
  * mlock MCL_FUTURE?
  */

What am I doing wrong?

Andreas Goesele

-- 
Omnis enim res, quae dando non deficit, dum habetur et non datur,
nondum habetur, quomodo habenda est.
  Augustinus, De doctrina christiana


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



No need for 2.4.23 (re compromise)

2003-12-05 Thread Christian Schnobrich
Hello,

I'm quite behind on reading this list, so maybe someone else has already
pointed this out, and anyway it's coming rather late. Still:

If your only concern is the brk() vulnerability, you don't need to get
kernel sources from wherever and roll your own. I've seen this several
times now, and not yet a single message to the contrary.

No, Debian didn't leave Joe User out in the rain to get his own kernel
source. All you need is apt-getable. Even a kernel package if you don't
want to compile just now.

From
http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212.html

 This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and
 2.6.0-test6 kernel tree. For Debian it has been fixed in version
 2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386
 kernel images and version 2.4.18-11 of the alpha kernel images.

cu,
Schnobs





Re: No need for 2.4.23 (re compromise)

2003-12-05 Thread Vincent Lefevre
On 2003-12-05 12:19:13 +0100, Christian Schnobrich wrote:
> If your only concern is the brk() vulnerability, you don't need to get
> kernel sources from wherever and roll your own. I've seen this several
> times now, and not yet a single message to the contrary.
>
> No, Debian didn't leave Joe User out in the rain to get his own kernel
> source. All you need is apt-getable. Even a kernel package if you don't
> want to compile just now.

But this means downgrading to 2.4.18.

-- 
Vincent Lefèvre [EMAIL PROTECTED] - Web: http://www.vinc17.org/ - 100%
validated (X)HTML - Acorn Risc PC, Yellow Pig 17, Championnat International
des Jeux Mathématiques et Logiques, TETRHEX, etc.
Work: CR INRIA - computer arithmetic / SPACES project at LORIA





Re: No need for 2.4.23 (re compromise)

2003-12-05 Thread Bill Moseley
On Fri, Dec 05, 2003 at 08:39:44PM +0900, Vincent Lefevre wrote:
> > No, Debian didn't leave Joe User out in the rain to get his own kernel
> > source. All you need is apt-getable. Even a kernel package if you don't
> > want to compile just now.
>
> But this means downgrading to 2.4.18.

Right.  I asked "what about the other kernel-source packages?" and
someone said that 2.4.18 was the only one in stable.

[EMAIL PROTECTED]:~$ cat /etc/apt/sources.list | egrep -v ^#

deb http://http.us.debian.org/debian/ woody main non-free contrib
deb-src http://http.us.debian.org/debian/ woody main non-free contrib
deb http://non-us.debian.org/debian-non-US woody/non-US main contrib non-free
deb-src http://non-us.debian.org/debian-non-US woody/non-US main contrib non-free
deb http://security.debian.org/ woody/updates main contrib non-free

[EMAIL PROTECTED]:~$ apt-cache search kernel-source-2.4
kernel-source-2.4.10 - Linux kernel source for version 2.4.10
kernel-source-2.4.14 - Linux kernel source for version 2.4.14
kernel-source-2.4.16 - Linux kernel source for version 2.4.16
kernel-source-2.4.17 - Linux kernel source for version 2.4.17
kernel-source-2.4.17-hppa - Linux kernel source for version 2.4.17 on HPPA
kernel-source-2.4.18-hppa - Linux kernel source for version 2.4.18 on HPPA
kernel-source-2.4.17-ia64 - Linux kernel source for version 2.4.17 on IA-64
kernel-source-2.4.18 - Linux kernel source for version 2.4.18
kernel-source-2.4.20 - Linux kernel source for version 2.4.20 with Debian patches

I'm using that last one, 2.4.20.


-- 
Bill Moseley
[EMAIL PROTECTED]





Re: No need for 2.4.23 (re compromise)

2003-12-05 Thread Vincent Lefevre
On 2003-12-05 07:47:47 -0800, Bill Moseley wrote:
[...]
> kernel-source-2.4.20 - Linux kernel source for version 2.4.20 with
> Debian patches
>
> I'm using that last one, 2.4.20.

But I don't think it has been fixed, as there is no version from
the security updates:

greux:~ apt-show-versions kernel-source-2.4.20 -a
kernel-source-2.4.20 install ok not-installed
No stable version
kernel-source-2.4.20 2.4.20-11   testing
kernel-source-2.4.20 2.4.20-11   unstable
kernel-source-2.4.20 not installed

compared to:

greux:~ apt-show-versions kernel-source-2.4.18 -a
kernel-source-2.4.18 purge ok not-installed
kernel-source-2.4.18 2.4.18-14   stable
No testing version
No unstable version
kernel-source-2.4.18 not installed

-- 
Vincent Lefèvre [EMAIL PROTECTED] - Web: http://www.vinc17.org/ - 100%
validated (X)HTML - Acorn Risc PC, Yellow Pig 17, Championnat International
des Jeux Mathématiques et Logiques, TETRHEX, etc.
Work: CR INRIA - computer arithmetic / SPACES project at LORIA





Re: No need for 2.4.23 (re compromise)

2003-12-05 Thread Bill Moseley
On Fri, Dec 05, 2003 at 05:20:28PM +0100, Vincent Lefevre wrote:
> On 2003-12-05 07:47:47 -0800, Bill Moseley wrote:
> [...]
> > kernel-source-2.4.20 - Linux kernel source for version 2.4.20 with
> > Debian patches
> >
> > I'm using that last one, 2.4.20.
>
> But I don't think it has been fixed, as there is no version from
> the security updates:
>
> greux:~ apt-show-versions kernel-source-2.4.20 -a
> kernel-source-2.4.20 install ok not-installed
> No stable version
> kernel-source-2.4.20 2.4.20-11   testing
> kernel-source-2.4.20 2.4.20-11   unstable
> kernel-source-2.4.20 not installed

Oh, so maybe 2.4.20 source is not in stable after all.  I'm not clear
why apt-cache search is listing kernel-source-2.4.20:

From the manual:

   search search performs a full text search on all available package
          files for the regex pattern given.

I assumed "available" meant the packages available via the listings in
sources.list. But trying apt-cache search kernel-source-2.4.20 on
another Stable machine with the same sources.list returns nothing.  So
I guess "available" includes packages manually installed.



Hum, I cannot remember installing that package, although it is 

  ii  kernel-source-2 2.4.20-8Linux kernel source for version 2.4.20 with De

my notes for the machine show I used

  wget ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2

so much for taking good notes.  I must have had some problem with the
kernel.org version and just copied the package from a Sid machine.  

Time to try out 2.4.23 from kernel.org.

-- 
Bill Moseley
[EMAIL PROTECTED]





Re: No need for 2.4.23 (re compromise)

2003-12-05 Thread Vincent Lefevre
On 2003-12-05 09:14:01 -0800, Bill Moseley wrote:
> my notes for the machine show I used
>
>   wget ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2
>
> so much for taking good notes.  I must have had some problem with the
> kernel.org version and just copied the package from a Sid machine.
>
> Time to try out 2.4.23 from kernel.org.

BTW, is it possible to use the make-kpkg method with kernels from
kernel.org or is make-kpkg reserved for kernel-source-* packages?

-- 
Vincent Lefèvre [EMAIL PROTECTED] - Web: http://www.vinc17.org/ - 100%
validated (X)HTML - Acorn Risc PC, Yellow Pig 17, Championnat International
des Jeux Mathématiques et Logiques, TETRHEX, etc.
Work: CR INRIA - computer arithmetic / SPACES project at LORIA





Re: No need for 2.4.23 (re compromise)

2003-12-05 Thread Tom
On Fri, Dec 05, 2003 at 07:03:08PM +0100, Vincent Lefevre wrote:
> BTW, is it possible to use the make-kpkg method with kernels from
> kernel.org or is make-kpkg reserved for kernel-source-* packages?

Yes, thank goodness.





Re: No need for 2.4.23 (re compromise)

2003-12-05 Thread Mark C
On Fri, 2003-12-05 at 15:47, Bill Moseley wrote:

> I'm using that last one, 2.4.20.

same here from the debian sources, but with a few added patches, 
there is no need to download a new kernel, just get the source you have
for the currently running kernel, apply this patch:

-- cut -
--- 1.31/mm/mmap.c  Fri Sep 12 06:44:06 2003
+++ 1.32/mm/mmap.c  Thu Oct  2 01:18:19 2003
@@ -1041,6 +1041,9 @@
if (!len)
return addr;
  
+   if ((addr + len)  TASK_SIZE || (addr + len)  addr)
+   return -EINVAL;
+
/*
 * mlock MCL_FUTURE?
 */
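Review bot: in the added condition on the first "+" line, nothing separates "(addr + len)" from "TASK_SIZE" or from "addr", so the test as shown is not valid C and will not compile. The comparison operators have been lost from this copy; restore them so the line is an upper-bound test and a wrap test, "(addr + len) > TASK_SIZE || (addr + len) < addr", and take the patch from an attachment or the source tree rather than from a mail body.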
-- cut -

and recompile, this was taken originally from Debian Planet.

Mark





Re: No need for 2.4.23 (re compromise)

2003-12-05 Thread Bill Moseley
On Sat, Dec 06, 2003 at 01:07:31AM +, Mark C wrote:
> On Fri, 2003-12-05 at 15:47, Bill Moseley wrote:
>
> > I'm using that last one, 2.4.20.
>
> same here from the debian sources, but with a few added patches,
> there is no need to download a new kernel, just get the source you have
> for the currently running kernel, apply this patch:

I already built 2.4.23.  Good to get my cpu a bit of exercise once in a
while.

> -- cut -
 --- 1.31/mm/mmap.c  Fri Sep 12 06:44:06 2003

 +++ 1.32/mm/mmap.c  Thu Oct  2 01:18:19 2003

 @@ -1041,6 +1041,9 @@

 if (!len)

 return addr;

   

 +   if ((addr + len)  TASK_SIZE || (addr + len)  addr)

 +   return -EINVAL;

 +
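Review bot: the new test after "return addr;" goes in without a comment, and "-EINVAL" alone does not tell a later reader what is being guarded. A one-line comment above the "+   if" line, saying that the end of the requested range must stay within TASK_SIZE and must not wrap, would document why the condition has two clauses.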



So that's the brk bug?  Doesn't take much code to wreak havoc, does it?

|| (addr + len) < addr.  Hum.  So, wrap around overflow?

-- 
Bill Moseley

[EMAIL PROTECTED]
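
The range test that this thread's patch adds, and the wrap-around case asked about in the last message, modelled in user space as an added example (not code from the thread or from the kernel). It reads the two comparisons as > and <; TASK_SIZE_MODEL (3 GiB, 32-bit addresses) and the function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit address space with a 3 GiB user-space limit. */
#define TASK_SIZE_MODEL 0xC0000000u

/* Upper-bound clause only: rejects a range that ends above the limit. */
static int bound_only_ok(uint32_t addr, uint32_t len)
{
    return !((uint32_t)(addr + len) > TASK_SIZE_MODEL);
}

/* Both clauses: also rejects a range whose end wraps past 2^32. */
static int bound_and_wrap_ok(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;      /* unsigned add wraps modulo 2^32 */
    return !(end > TASK_SIZE_MODEL || end < addr);
}

int main(void)
{
    /* Constructed sample requests: start address, length, description. */
    static const struct { uint32_t addr, len; const char *what; } cases[] = {
        { 0x08048000u, 0x00001000u, "ordinary growth" },
        { 0xBFFFF000u, 0x00002000u, "ends above the limit" },
        { 0xBFFFF000u, 0x40002000u, "end wraps to a small value" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t a = cases[i].addr, l = cases[i].len;
        printf("%-28s end=0x%08x bound_only=%d bound_and_wrap=%d\n",
               cases[i].what, (unsigned)(uint32_t)(a + l),
               bound_only_ok(a, l), bound_and_wrap_ok(a, l));
    }
    return 0;
}
```

The third request passes the upper-bound clause alone because its end wraps to 0x00001000; only the second clause rejects it.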



