[kernel-sec-discuss] r541 - patch-tracking

dann frazier dannf at debian.org
Wed Aug 16 16:30:30 UTC 2006


On Wed, Aug 16, 2006 at 09:41:36AM +0000, Martin Pitt wrote:
> Author: mpitt
> Date: 2006-08-16 09:41:35 +0000 (Wed, 16 Aug 2006)
> New Revision: 541
> 
> Modified:
>    patch-tracking/CVE-2006-2445
> Log:
> CVE-2006-2445 needs another GIT commit to be fully fixed, update Ubuntu status
> 
> Modified: patch-tracking/CVE-2006-2445
> ===================================================================
> --- patch-tracking/CVE-2006-2445	2006-08-14 19:19:27 UTC (rev 540)
> +++ patch-tracking/CVE-2006-2445	2006-08-16 09:41:35 UTC (rev 541)
> @@ -3,6 +3,7 @@
>   http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8f17fc20bfb75bcec4cfeda789738979c8338fdc
>   http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30f1e3dd8c72abda343bcf415f7d8894a02b4290
>   http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f53ae1dc3429529a58aa538e0a860d713c7079c3
> + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ca531a0a5e01e5122f67cb6aca8fcbfc70e18e0b
>  Description: 
>   Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.21
>   allows local users to cause a denial of service (BUG_ON crash) by causing one
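Review bot: the URL added as the fourth entry in the commit list gives no sign that it is a later follow-up to the first three, and the Description context below it still reads "before 2.6.16.21". Consider a Notes: line recording that the first three commits alone leave the issue open, and confirm whether the version bound in the Description still holds now that the fourth commit is required.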
> @@ -17,3 +18,7 @@
>  linux-2.6: released (2.6.16-15)
>  2.6.8-sarge-security: 
>  2.4.27-sarge-security: N/A
> +2.6.10-hoary-security: needed (only 4th GIT commit, first three applied in 2.6.10-34.21)
> +2.6.12-breezy-security: needed (only 4th GIT commit, first three applied in 2.6.12-10.35)
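Review bot: on the two added hoary and breezy lines the parentheses hold free text ("only 4th GIT commit, first three applied in ...") where the unchanged line above, "linux-2.6: released (2.6.16-15)", holds a package version, so anything reading that field as a version list will misread them. Suggest moving the explanation to a Notes: entry and keeping the status line to status, versions and patches. The unchanged linux-2.6 and sarge lines are also worth rechecking against the fourth commit, since the hunk leaves them as they were.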

hey Martin,
 Not that it really matters atm, but note that these fields do not fit
the existing syntax - these fields should be:

kernel: status (version1, version2, ...) [patch1, patch2,...], status...

Of course, we have nothing at the moment that needs to regularly parse
these, and we don't have a way to express a partially fixed issue
(other than text in the Notes: section), so there's really not much of
a point in changing this till your next release.

fwiw, I've dealt with this situation in the past by doing something
like:

Notes:
 dannf> We need to apply patch3.patch before its done in sarge
2.6.8-sarge-security: needed [patch1.patch, patch2.patch]

Then later, when it's complete:
2.6.8-sarge-security: released (ver) [patch1.patch, patch2.patch, patch3.patch]

The fact that patch1.patch and patch2.patch were applied earlier than
"ver" isn't expressed here, but can easily be found by looking at the
package.

> +26.15-dapper-security: needed (only 4th GIT commit, first three
    ^ typo, fyi


-- 
dann frazier
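
A small linter for the status-line syntax described in the message above (kernel: status (version1, ...) [patch1, ...], status...), added here as an example; it is not part of the original message or the tracker's own tooling. The kernel-name pattern and the rule that version and patch items contain no whitespace are assumptions inferred from the lines quoted in this thread.

```python
import re

# Assumption: kernel field names look like the ones quoted in this thread.
KERNEL_RE = re.compile(r"^(linux-\d+\.\d+|\d+\.\d+\.\d+-[a-z]+-security)$")
# One entry: status word, optional (versions), optional [patches].
ENTRY_RE = re.compile(
    r"^(?P<status>[^\s(\[,]+)"
    r"(?:\s*\((?P<versions>[^()]*)\))?"
    r"(?:\s*\[(?P<patches>[^\[\]]*)\])?$"
)

def split_top_level(text):
    """Split on commas that sit outside (...) and [...]."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def lint_status_line(line):
    """Return the problems found in one 'kernel: status ...' line."""
    kernel, sep, rest = line.partition(":")
    if not sep:
        return ["missing ':' separator"]
    problems = []
    if not KERNEL_RE.match(kernel.strip()):
        problems.append(f"unexpected kernel name {kernel.strip()!r}")
    rest = rest.strip()
    if not rest:
        return problems  # an empty status also appears in the quoted file
    for entry in split_top_level(rest):
        m = ENTRY_RE.match(entry)
        if not m:
            problems.append(f"entry is not 'status (versions) [patches]': {entry!r}")
            continue
        for kind in ("versions", "patches"):
            for item in (m.group(kind) or "").split(","):
                if re.search(r"\s", item.strip()):  # assumed: items are single tokens
                    problems.append(f"free text in {kind} list: {item.strip()!r}")
    return problems
```

Run over the tracking file, it passes the released and N/A lines from the quoted hunk and reports both halves of the parenthesised explanation on the hoary and breezy lines as free text.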