[Secure-testing-team] kernel update

Horms horms at debian.org
Fri Sep 16 07:24:20 UTC 2005


On Thu, Sep 15, 2005 at 12:29:20PM -0400, Andres Salomon wrote:
> On Thu, 2005-09-15 at 11:03 +0200, Moritz Muehlenhoff wrote:
> > Joey Hess wrote:
> > > Now that 2.6.12 is finally in testing and work is well underway to
> > > remove 2.6.8, I think we can switch to tracking security holes in the
> > > new kernel now. There are several items listed as unfixed in 2.6.8; would
> > > it be possible for someone to double check if any of these also still
> > > apply to 2.6.12?
> > 
> > For many of these the fix is confirmed to be in mainline, but for a
> > few I could only find references to advisories from Red Hat and SuSE,
> > so we should double-check this.
> >  
> > > # kernel-image-2.6.8-i386 (unfixed; bug #309308) for CAN-2005-2548
> > 
> > Fixed in linux-2.6
> > 
> 
> Specifically, in 2.6.9-rc2.
> 
> 
> > > # kernel-source-2.6.8 (unfixed; bug #295949) for CAN-2005-0449
> > 
> > This one is the infamous ABI breaking kernel vulnerability.
> > Probably fixed in mainline?
> > 
> 
> Yep; fixed in 2.6.11, I believe.  It's definitely in 2.6.12 (look for
> ip_defrag_users in net/ip.h; that's the enum that defines the local
> queue types). 
> 
> 
> > > # kernel-source-2.6.8 (unfixed; bug #322339) for CAN-2004-2302
> > 
> > Fixed in linux-2.6
> 
> 2.6.10, according to the bug report.  Verified that it's in 2.6.12.
> 
> > 
> > > # kernel-source-2.6.8 2.6.8-16sarge1 needed, have 2.6.8-16 for CAN-2005-1765,
> > 
> > Fixed in linux-2.6
> 
> No longer relevant; the entire chunk of code was ripped out with 
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1e01441051dda3bb01c455b6e20bce6d00563d82
> 
> 
> 
> > 
> > > CAN-2005-1763,
> > 
> > Double-check.
> > Couldn't find a reference yet that it's fixed in mainline.
> 
> Indeed, it is: 
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f6b8d4778c04148729cc0b0dcd335a4411c44276
> 
> 
> > 
> > > CAN-2005-1762,
> > 
> > Fixed in linux-2.6.
> 
> It's in 2.6.12:
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d1099e8a18960693c04507bdd7b9403db70bfd97
> 
> 
> > 
> > > CAN-2005-1761,
> > 
> > Fixed in linux-2.6.
> 
> How can you tell?  The mitre description is absolutely useless.  I
> fucking hate this stupid vendor-sec/mitre non-disclosure policy, it
> makes actually attempting to cross reference stuff so much harder than
> it needs to be.

Yes, this CAN number stuff is very frustrating. All the
details get hashed out in private, and then the information
about which patch fixes which bug which correlates
to which CAN is often lost.

> I don't see mention of it in Ubuntu's changelog, but Martin Pitt tells
> me the following:
> 
> <pitti> CAN-2005-1767
> <pitti> x86_64: Disable exception stack for stack faults
> <pitti>
> http://kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=51e31546a2fc46cb978da2ee0330a6a68f07541e
> <pitti> sufficient patch:
> <pitti> -       set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK);
> <pitti> +       set_intr_gate(12,&stack_segment);
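Review bot: the hunk drops the STACKFAULT_STACK IST index for vector 12 (the stack-segment fault handler) without a comment at the call site saying why that handler must not run on a dedicated exception stack, which anyone backporting the change will want; as the paste itself says, this is the 2.4 patch, and the 2.6-side fix the thread points at is commit 0a65800243742480b4b594b619b759749a3cfef4 rather than these two lines.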
> <pitti> patch is for 2.4, but 2.6 also seems to be affected
> 
> I suspect this is fixed in 
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0a65800243742480b4b594b619b759749a3cfef4
> 
> If that is indeed the case, then it is fixed in 2.6.12.

My understanding is that the fix for 2.6 is indeed
0a65800243742480b4b594b619b759749a3cfef4, as Andres suggests.
For 2.6.8 this required some other patches to make it
fly; it's been in SVN for a while now.

51e31546a2fc46cb978da2ee0330a6a68f07541e is, as Martin Pitt's log
implies, a cut-down fix for 2.4.

Someone on Vendor-sec confirmed this for me. 
I'm buggered if I can find the information
elsewhere.

> > > CAN-2005-0757,
> > 
> > Double-check.
> > Couldn't find a reference yet that it's fixed in mainline.
> > 
> 
> Oh good, another useless CAN entry.   That turns out to be:
> http://svn.debian.org/wsvn/kernel/releases/kernel-2.4/source/kernel-source-2.4.27-2.4.27/2.4.27-11/debian/patches/168_fs_ext3_64bit_offset.diff?op=file&rev=0&sc=0
> 
> The equivalent lines of code start at line 730 in xattr.c in 2.6.  I'll
> check this one out later.

I believe that was resolved in
http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=fd3562136303f9b47b74dbb8fa7349d3afe5c3e7;hp=3061b0a9e778056fccfe7e3ca9dda1f1faf0b410

It certainly does not seem to be present in 2.6.12

> > > CAN-2005-0756
> > 
> > Double-check.
> > Couldn't find a reference yet that it's fixed in mainline.
> 
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c4d1fcf3a2ea89b6d6221fa8b4588c77aff50995
> 
> 
> > 
> > > # kernel-source-2.6.8 2.6.8-16sarge2 needed, have 2.6.8-16 for CAN-2005-2555
> > 
> > Fixed in linux-2.6.
> 
> Fixed in debian/patches-debian/2.6.12.6.patch, specifically.
> 
> > 
> > > # kernel-source-2.6.8 2.6.8-17 needed, have 2.6.8-16 for CAN-2005-1765, CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-1265, CAN-2005-0757, CAN-2005-0756
> > 
> > These are all duplications from the above, so already fixed as well.
> > 
> 
> Well, 1265 isn't; this is fixed in 2.6.12, however.
> 
> So to summarize, the only questionable one is CAN-2005-0757.  The rest
> are fixed in linux-2.6 2.6.12-6.

A lot of these patches are broken out in the 2.6.8 tree;
from there it's easy enough to interrogate git, with or without
the git changelog number.

-- 
Horms
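As an added example (not part of this thread, and not the Debian secure-testing tracker's own tooling), the cross-referencing the thread does by hand can be mechanised: parse the tracker lines quoted above, look up the first upstream version that carries each CAN's fix (the table below holds only the versions the thread itself states), and compare it against a target release using a version order that puts -rc releases before the final release and stable point releases (2.6.12.6) after their base. The function names, the regexes and the fix-version table are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shapes of the tracker lines quoted in the thread (constructed regex for
# this example, not the tracker's own parser):
#   # <package> (unfixed; bug #NNNNNN) for CAN-YYYY-NNNN
#   # <package> <needed> needed, have <have> for CAN-..., CAN-..., ...
TRACKER_RE = re.compile(
    r"^#\s*(?P<pkg>\S+)\s+"
    r"(?:\(unfixed;\s*bug\s*#(?P<bug>\d+)\)"
    r"|(?P<needed>\S+)\s+needed,\s+have\s+(?P<have>\S+))"
    r"\s+for\s+(?P<cans>.+)$"
)
CAN_RE = re.compile(r"CAN-\d{4}-\d{4,}")


@dataclass
class TrackerEntry:
    package: str
    bug: Optional[str]      # Debian bug number, when the tracker gives one
    needed: Optional[str]   # Debian package version that would carry the fix
    have: Optional[str]     # Debian package version currently in the suite
    cans: List[str]         # every CAN id named on the line, in order


def parse_tracker_line(line: str) -> TrackerEntry:
    """Parse one tracker line into its fields; raises on any other text."""
    m = TRACKER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tracker line: {line!r}")
    return TrackerEntry(
        package=m.group("pkg"),
        bug=m.group("bug"),
        needed=m.group("needed"),
        have=m.group("have"),
        cans=CAN_RE.findall(m.group("cans")),
    )


VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-rc(\d+))?$")


def version_key(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Sort key for upstream kernel versions.

    Orders 2.6.9-rc2 < 2.6.9 < 2.6.10 < 2.6.12 < 2.6.12.6: a release
    candidate sorts before its final release (flag 0 vs 1), and a stable
    point release sorts after its base because the longer tuple compares
    greater once the shared prefix is equal. Debian revisions such as
    2.6.8-16sarge1 are deliberately rejected; they are not upstream versions.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not an upstream kernel version: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2) is not None:
        return (numbers, 0, int(m.group(2)))
    return (numbers, 1, 0)


def contains_fix(target: str, fixed_in: str) -> bool:
    """True when `target` is at or after the first upstream version with the fix."""
    return version_key(target) >= version_key(fixed_in)


def classify(lines: List[str], fixed_in: Dict[str, str], target: str) -> Dict[str, str]:
    """Map every CAN named in the tracker lines (deduplicated) to one of
    'fixed', 'not-yet-fixed' (fix lands after `target`) or 'unverified'
    (no upstream fix version recorded yet)."""
    status: Dict[str, str] = {}
    for line in lines:
        for can in parse_tracker_line(line).cans:
            if can in status:
                continue
            fix = fixed_in.get(can)
            if fix is None:
                status[can] = "unverified"
            elif contains_fix(target, fix):
                status[can] = "fixed"
            else:
                status[can] = "not-yet-fixed"
    return status


# Tracker lines as quoted in the thread (the wrapped one re-joined).
SAMPLE_LINES = [
    "# kernel-image-2.6.8-i386 (unfixed; bug #309308) for CAN-2005-2548",
    "# kernel-source-2.6.8 (unfixed; bug #295949) for CAN-2005-0449",
    "# kernel-source-2.6.8 (unfixed; bug #322339) for CAN-2004-2302",
    "# kernel-source-2.6.8 2.6.8-16sarge1 needed, have 2.6.8-16 for CAN-2005-1765, "
    "CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-0757, CAN-2005-0756",
    "# kernel-source-2.6.8 2.6.8-16sarge2 needed, have 2.6.8-16 for CAN-2005-2555",
    "# kernel-source-2.6.8 2.6.8-17 needed, have 2.6.8-16 for CAN-2005-1765, "
    "CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-1265, CAN-2005-0757, CAN-2005-0756",
]

# First upstream version carrying each fix, only where the thread states one;
# CAN-2005-2555 is fixed by the 2.6.12.6 stable patch, so plain 2.6.12 lacks it.
FIXED_IN_UPSTREAM = {
    "CAN-2005-2548": "2.6.9-rc2",
    "CAN-2005-0449": "2.6.11",
    "CAN-2004-2302": "2.6.10",
    "CAN-2005-1762": "2.6.12",
    "CAN-2005-1265": "2.6.12",
    "CAN-2005-2555": "2.6.12.6",
}

if __name__ == "__main__":
    for can, state in sorted(classify(SAMPLE_LINES, FIXED_IN_UPSTREAM, "2.6.12").items()):
        print(f"{can}: {state}")
```

The point of the version key is the one the thread trips over: a fix "in 2.6.12" and a fix "in the 2.6.12.6 patch" are different statements about the same tracker line, and only the former is covered by the 2.6.12 tag itself. Anything still reported as unverified is exactly the set whose commit ids the thread had to confirm by hand.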
