[kernel-sec-discuss] r1042 - active

dann frazier dannf at debian.org
Tue Nov 27 23:11:48 UTC 2007


On Tue, Nov 27, 2007 at 09:09:10PM +0000, jmm at alioth.debian.org wrote:
> Author: jmm
> Date: 2007-11-27 21:09:10 +0000 (Tue, 27 Nov 2007)
> New Revision: 1042
> 
> Modified:
>    active/CVE-2007-5904
>    active/CVE-2007-5908
> Log:
> updates
> 
> 
> Modified: active/CVE-2007-5904
> ===================================================================
> --- active/CVE-2007-5904	2007-11-26 00:19:58 UTC (rev 1041)
> +++ active/CVE-2007-5904	2007-11-27 21:09:10 UTC (rev 1042)
> @@ -10,6 +10,7 @@
>   http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=133672efbc1085f9af990bdc145e1822ea93bcf3
>  Ubuntu-Description: 
>  Notes: 
> + jmm> ABI breaker
>  Bugs: 
>  upstream: 
>  linux-2.6: 
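
Review bot: the added Notes line "jmm> ABI breaker" gives a conclusion with no basis and no scope. The status fields right below it (upstream, linux-2.6) are still empty, so the file does not say which branch the ABI concern applies to or whether it blocks a stable update. Suggest extending the note to name the affected branch and the exported symbol or structure that changes, or the check that flagged it.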

I thought it would be too, but I did a linux-2.6 build w/ this patch
and the ABI-breakage test passed. I've been planning to do
an etch update this week that includes this change, so if you've shown
that it breaks the ABI, please point me to it asap.

> Modified: active/CVE-2007-5908
> ===================================================================
> --- active/CVE-2007-5908	2007-11-26 00:19:58 UTC (rev 1041)
> +++ active/CVE-2007-5908	2007-11-27 21:09:10 UTC (rev 1042)
> @@ -10,10 +10,10 @@
>  Notes: 
>   kees> this is not actually an exploitable security issue. there is no way to add clock sources that could trigger the overflow.
>  Bugs: 
> -upstream: 
> -linux-2.6: 
> -2.6.18-etch-security: ignored (2.6.18.dfsg.1-13etch5) "Not exploitable"
> -2.6.8-sarge-security: ignored (2.6.8-17sarge1) "Not exploitable"
> +upstream: N/A
> +linux-2.6: N/A
> +2.6.18-etch-security: N/A
> +2.6.8-sarge-security: N/A
>  2.4.27-sarge-security: N/A
>  2.6.15-dapper-security: N/A
>  2.6.17-edgy-security: N/A
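
Review bot: switching the etch and sarge 2.6 lines from ignored (<version>) "Not exploitable" to N/A drops both the package version and the stated reason, and the file no longer records why those branches are unpatched. The only remaining justification is the kees note, which says the issue is not exploitable, not that the code is absent from these kernels. Suggest either keeping "ignored" with its reason on those lines, or adding a Notes entry that says what N/A means here for upstream, linux-2.6 and the two security branches.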

Does this mean that you've found that the buggy code is not in any of
these kernels, or are you acking that it's not exploitable? I've always
used 'ignored' in the latter case.

-- 
dann frazier



