Re: No need for 2.4.23 (re compromise)
Mark C [EMAIL PROTECTED] writes: same here from the debian sources, but with a few added patches, there is no need to download a new kernel, just get the source you have for the currently running kernel, apply this patch: -- cut - --- 1.31/mm/mmap.c Fri Sep 12 06:44:06 2003 +++ 1.32/mm/mmap.c Thu Oct 2 01:18:19 2003 @@ -1041,6 +1041,9 @@ if (!len) return addr; + if ((addr + len) TASK_SIZE || (addr + len) addr) + return -EINVAL; + /* * mlock MCL_FUTURE? */ -- cut - and recompile, this was taken originally from, Debian Planet. With 2.4.21 I get: $ patch -p1 mm.patch patching file mm/mmap.c Hunk #1 FAILED at 1041. 1 out of 1 hunk FAILED -- saving rejects to file mm/mmap.c.rej In mmap.c.rej I find: ** *** 1041,1046 if (!len) return addr; /* * mlock MCL_FUTURE? */ --- 1041,1049 if (!len) return addr; +if ((addr + len) TASK_SIZE || (addr + len) addr) +return -EINVAL; + /* * mlock MCL_FUTURE? */ What am I doing wrong? Andreas Goesele -- Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est. Augustinus, De doctrina christiana -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
No need for 2.4.23 (re compromise)
Hello, I'm quite behind on reading this list, so maybe someone else has already pointed this out, and anyway it's coming rather late. Still: If your only concern is the brk() vulnerability, you don't need to get kernel sources from wherever and roll your own. I've seen this several times now, and not yet a single message to the contrary. No, Debian didn't leave Joe User out in the rain to get his own kernel source. All you need is apt-getable. Even a kernel package if you don't want to compile just now. From http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00212.html This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and 2.6.0-test6 kernel tree. For Debian it has been fixed in version 2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386 kernel images and version 2.4.18-11 of the alpha kernel images. cu, Schnobs -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: No need for 2.4.23 (re compromise)
On 2003-12-05 12:19:13 +0100, Christian Schnobrich wrote: If your only concern is the brk() vulnerability, you don't need to get kernel sources from wherever and roll your own. I've seen this several times now, and not yet a single message to the contrary. No, Debian didn't leave Joe User out in the rain to get his own kernel source. All you need is apt-getable. Even a kernel package if you don't want to compile just now. But this means downgrading to 2.4.18. -- Vincent Lefèvre [EMAIL PROTECTED] - Web: http://www.vinc17.org/ - 100% validated (X)HTML - Acorn Risc PC, Yellow Pig 17, Championnat International des Jeux Mathématiques et Logiques, TETRHEX, etc. Work: CR INRIA - computer arithmetic / SPACES project at LORIA -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: No need for 2.4.23 (re compromise)
On Fri, Dec 05, 2003 at 08:39:44PM +0900, Vincent Lefevre wrote: No, Debian didn't leave Joe User out in the rain to get his own kernel source. All you need is apt-getable. Even a kernel package if you don't want to compile just now. But this means downgrading to 2.4.18. Right. I asked what about the other kernel-source packages? and someone said that 2.4.18 was the only one in stable. [EMAIL PROTECTED]:~$ cat /etc/apt/sources.list | egrep -v ^# deb http://http.us.debian.org/debian/ woody main non-free contrib deb-src http://http.us.debian.org/debian/ woody main non-free contrib deb http://non-us.debian.org/debian-non-US woody/non-US main contrib non-free deb-src http://non-us.debian.org/debian-non-US woody/non-US main contrib non-free deb http://security.debian.org/ woody/updates main contrib non-free [EMAIL PROTECTED]:~$ apt-cache search kernel-source-2.4 kernel-source-2.4.10 - Linux kernel source for version 2.4.10 kernel-source-2.4.14 - Linux kernel source for version 2.4.14 kernel-source-2.4.16 - Linux kernel source for version 2.4.16 kernel-source-2.4.17 - Linux kernel source for version 2.4.17 kernel-source-2.4.17-hppa - Linux kernel source for version 2.4.17 on HPPA kernel-source-2.4.18-hppa - Linux kernel source for version 2.4.18 on HPPA kernel-source-2.4.17-ia64 - Linux kernel source for version 2.4.17 on IA-64 kernel-source-2.4.18 - Linux kernel source for version 2.4.18 kernel-source-2.4.20 - Linux kernel source for version 2.4.20 with Debian patches I'm using that last one, 2.4.20. -- Bill Moseley [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: No need for 2.4.23 (re compromise)
On 2003-12-05 07:47:47 -0800, Bill Moseley wrote: [...] kernel-source-2.4.20 - Linux kernel source for version 2.4.20 with Debian patches I'm using that last one, 2.4.20. But I don't think it has been fixed, as there is no version from the security updates: greux:~ apt-show-versions kernel-source-2.4.20 -a kernel-source-2.4.20install ok not-installed No stable version kernel-source-2.4.202.4.20-11 testing kernel-source-2.4.202.4.20-11 unstable kernel-source-2.4.20 not installed compared to: greux:~ apt-show-versions kernel-source-2.4.18 -a kernel-source-2.4.18purge ok not-installed kernel-source-2.4.182.4.18-14 stable No testing version No unstable version kernel-source-2.4.18 not installed -- Vincent Lefèvre [EMAIL PROTECTED] - Web: http://www.vinc17.org/ - 100% validated (X)HTML - Acorn Risc PC, Yellow Pig 17, Championnat International des Jeux Mathématiques et Logiques, TETRHEX, etc. Work: CR INRIA - computer arithmetic / SPACES project at LORIA -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: No need for 2.4.23 (re compromise)
On Fri, Dec 05, 2003 at 05:20:28PM +0100, Vincent Lefevre wrote: On 2003-12-05 07:47:47 -0800, Bill Moseley wrote: [...] kernel-source-2.4.20 - Linux kernel source for version 2.4.20 with Debian patches I'm using that last one, 2.4.20. But I don't think it has been fixed, as there is no version from the security updates: greux:~ apt-show-versions kernel-source-2.4.20 -a kernel-source-2.4.20install ok not-installed No stable version kernel-source-2.4.202.4.20-11 testing kernel-source-2.4.202.4.20-11 unstable kernel-source-2.4.20 not installed Oh, So maybe 2.4.20 source is not in stable after all. I'm not clear why apt-cache search is listing kernel-source-2.4.20: From the manual: search search performs a full text search on all available package files for the regex pattern given. I assumed available meant the packages available via the listings in sources.list. But trying apt-cache search kernel-source-2.4.20 on another Stable machine with the same source.list returns nothing. So I guess available includes packages manually installed. Hum, I cannot remember installing that package, although it is ii kernel-source-2 2.4.20-8Linux kernel source for version 2.4.20 with De my notes for the machine show I used wget ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2 so much for taking good notes. I must have had some problem with the kernel.org version and just copied the package from a Sid machine. Time to try out 2.4.23 from kernel.org. -- Bill Moseley [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: No need for 2.4.23 (re compromise)
On 2003-12-05 09:14:01 -0800, Bill Moseley wrote: my notes for the machine show I used wget ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2 so much for taking good notes. I must have had some problem with the kernel.org version and just copied the package from a Sid machine. Time to try out 2.4.23 from kernel.org. BTW, is it possible to use the make-kpkg method with kernels from kernel.org or is make-kpkg reserved for kernel-source-* packages? -- Vincent Lefèvre [EMAIL PROTECTED] - Web: http://www.vinc17.org/ - 100% validated (X)HTML - Acorn Risc PC, Yellow Pig 17, Championnat International des Jeux Mathématiques et Logiques, TETRHEX, etc. Work: CR INRIA - computer arithmetic / SPACES project at LORIA -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: No need for 2.4.23 (re compromise)
On Fri, Dec 05, 2003 at 07:03:08PM +0100, Vincent Lefevre wrote: BTW, is it possible to use the make-kpkg method with kernels from kernel.org or is make-kpkg reserved for kernel-source-* packages? Yes, thank goodness. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: No need for 2.4.23 (re compromise)
On Fri, 2003-12-05 at 15:47, Bill Moseley wrote: I'm using that last one, 2.4.20. same here from the debian sources, but with a few added patches, there is no need to download a new kernel, just get the source you have for the currently running kernel, apply this patch: -- cut - --- 1.31/mm/mmap.c Fri Sep 12 06:44:06 2003 +++ 1.32/mm/mmap.c Thu Oct 2 01:18:19 2003 @@ -1041,6 +1041,9 @@ if (!len) return addr; + if ((addr + len) TASK_SIZE || (addr + len) addr) + return -EINVAL; + /* * mlock MCL_FUTURE? */ -- cut - and recompile, this was taken originally from, Debian Planet. Mark -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: No need for 2.4.23 (re compromise)
On Sat, Dec 06, 2003 at 01:07:31AM +, Mark C wrote: On Fri, 2003-12-05 at 15:47, Bill Moseley wrote: I'm using that last one, 2.4.20. same here from the debian sources, but with a few added patches, there is no need to download a new kernel, just get the source you have for the currently running kernel, apply this patch: I already built 2.4.23. Good to get my cpu a bit of exercise once in a while. -- cut - --- 1.31/mm/mmap.c Fri Sep 12 06:44:06 2003 +++ 1.32/mm/mmap.c Thu Oct 2 01:18:19 2003 @@ -1041,6 +1041,9 @@ if (!len) return addr; + if ((addr + len) TASK_SIZE || (addr + len) addr) + return -EINVAL; + So that's the brk bug? Doesn't take much code to wreck havoc, does it. || (addr + len) addr. Hum. So, wrap around overflow? -- Bill Moseley [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]