On Thu, 2005-09-15 at 11:03 +0200, Moritz Muehlenhoff wrote:
> Joey Hess wrote:
> > Now that 2.6.12 is finally in testing and work is well underway to
> > remove 2.6.8, I think we can switch to tracking security holes in the
> > new kernel now. There are several items listed as unfixed in 2.6.8, would
> > it be possible for someone to double check if any of these also still
> > apply to 2.6.12?
>
> For many of these the fix is confirmed to be in mainline, but for a
> few I could only find references to advisories from Red Hat and SuSE,
> so we should double-check this.
>
> > # kernel-image-2.6.8-i386 (unfixed; bug #309308) for CAN-2005-2548
>
> Fixed in linux-2.6
>
Specifically, in 2.6.9-rc2.

> > # kernel-source-2.6.8 (unfixed; bug #295949) for CAN-2005-0449
>
> This one is the infamous ABI breaking kernel vulnerability.
> Probably fixed in mainline?
>
Yep; fixed in 2.6.11, I believe. It's definitely in 2.6.12 (look for
ip_defrag_users in net/ip.h; that's the enum that defines the local queue
types).

> > # kernel-source-2.6.8 (unfixed; bug #322339) for CAN-2004-2302
>
> Fixed in linux-2.6 2.6.10, according to the bug report.

Verified that it's in 2.6.12.

>
> > # kernel-source-2.6.8 2.6.8-16sarge1 needed, have 2.6.8-16 for
> > CAN-2005-1765,
>
> Fixed in linux-2.6

No longer relevant; the entire chunk of code was ripped out with
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1e01441051dda3bb01c455b6e20bce6d00563d82

>
> > CAN-2005-1763,
>
> Double-check.
> Couldn't find a reference yet that it's fixed in mainline.

Indeed, it is:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f6b8d4778c04148729cc0b0dcd335a4411c44276

>
> > CAN-2005-1762,
>
> Fixed in linux-2.6.

It's in 2.6.12:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d1099e8a18960693c04507bdd7b9403db70bfd97

>
> > CAN-2005-1761,
>
> Fixed in linux-2.6.

How can you tell? The mitre description is absolutely useless. I fucking
hate this stupid vendor-sec/mitre non-disclosure policy, it makes actually
attempting to cross reference stuff so much harder than it needs to be.
I don't see mention of it in Ubuntu's changelog, but Martin Pitt tells me
the following:

<pitti> CAN-2005-1767
<pitti> x86_64: Disable exception stack for stack faults
<pitti> http://kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=51e31546a2fc46cb978da2ee0330a6a68f07541e
<pitti> sufficient patch:
<pitti> - set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK);
<pitti> + set_intr_gate(12,&stack_segment);
<pitti> patch is for 2.4, but 2.6 also seems to be affected

I suspect this is fixed in
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0a65800243742480b4b594b619b759749a3cfef4

If that is indeed the case, then it is fixed in 2.6.12.

>
> > CAN-2005-0757,
>
> Double-check.
> Couldn't find a reference yet that it's fixed in mainline.
>
Oh good, another useless CAN entry. That turns out to be:
http://svn.debian.org/wsvn/kernel/releases/kernel-2.4/source/kernel-source-2.4.27-2.4.27/2.4.27-11/debian/patches/168_fs_ext3_64bit_offset.diff?op=file&rev=0&sc=0

The equivalent lines of code start at line 730 in xattr.c in 2.6. I'll
check this one out later.

> > CAN-2005-0756
>
> Double-check.
> Couldn't find a reference yet that it's fixed in mainline.

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c4d1fcf3a2ea89b6d6221fa8b4588c77aff50995

>
> > # kernel-source-2.6.8 2.6.8-16sarge2 needed, have 2.6.8-16 for CAN-2005-2555
>
> Fixed in linux-2.6.

Fixed in debian/patches-debian/2.6.12.6.patch, specifically.

>
> > # kernel-source-2.6.8 2.6.8-17 needed, have 2.6.8-16 for CAN-2005-1765,
> > CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-1265, CAN-2005-0757,
> > CAN-2005-0756
>
> These are all duplications from the above, so already fixed as well.
>
Well, 1265 isn't; this is fixed in 2.6.12, however.

So to summarize, the only questionable one is CAN-2005-0757. The rest are
fixed in linux-2.6 2.6.12-6.
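Review bot: the two-line fragment quoted from Martin Pitt above has no file header and no context lines, so it cannot be applied as-is and it does not show which 2.6 file the change (replacing set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK) with set_intr_gate(12,&stack_segment), i.e. registering vector 12 as a plain interrupt gate instead of one with a dedicated IST stack) corresponds to. Since the fragment is against 2.4 and the message only suspects that 2.6 commit 0a65800243742480b4b594b619b759749a3cfef4 is the equivalent, that should be confirmed by checking whether 2.6.12's trap setup still registers vector 12 with set_intr_gate_ist and STACKFAULT_STACK before CAN-2005-1767 is recorded as fixed in 2.6.12.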
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

