[Secure-testing-team] kernel update
Andres Salomon
dilinger at debian.org
Thu Sep 15 16:29:20 UTC 2005
On Thu, 2005-09-15 at 11:03 +0200, Moritz Muehlenhoff wrote:
> Joey Hess wrote:
> > Now that 2.6.12 is finally in testing and work is well underway to
> > remove 2.6.8, I think we can switch to tracking security holes in the
> > new kernel now. There are several items listed as unfixed in 2.6.8, would
> > it be possible for someone to double check if any of these also still
> > apply to 2.6.12?
>
> For many of these the fix is confirmed to be in mainline, but for a
> few I could only find references to advisories from Red Hat and SuSE,
> so we should double-check this.
>
> > # kernel-image-2.6.8-i386 (unfixed; bug #309308) for CAN-2005-2548
>
> Fixed in linux-2.6
>
Specifically, in 2.6.9-rc2.
> > # kernel-source-2.6.8 (unfixed; bug #295949) for CAN-2005-0449
>
> This one is the infamous ABI breaking kernel vulnerability.
> Probably fixed in mainline?
>
Yep; fixed in 2.6.11, I believe. It's definitely in 2.6.12 (look for
ip_defrag_users in net/ip.h; that's the enum that defines the local
queue types).
> > # kernel-source-2.6.8 (unfixed; bug #322339) for CAN-2004-2302
>
> Fixed in linux-2.6
2.6.10, according to the bug report. Verified that it's in 2.6.12.
>
> > # kernel-source-2.6.8 2.6.8-16sarge1 needed, have 2.6.8-16 for CAN-2005-1765,
>
> Fixed in linux-2.6
No longer relevant; the entire chunk of code was ripped out with
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1e01441051dda3bb01c455b6e20bce6d00563d82
>
> > CAN-2005-1763,
>
> Double-check.
> Couldn't find a reference yet that it's fixed in mainline.
Indeed, it is:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f6b8d4778c04148729cc0b0dcd335a4411c44276
>
> > CAN-2005-1762,
>
> Fixed in linux-2.6.
It's in 2.6.12:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d1099e8a18960693c04507bdd7b9403db70bfd97
>
> > CAN-2005-1761,
>
> Fixed in linux-2.6.
How can you tell? The mitre description is absolutely useless. I
fucking hate this stupid vendor-sec/mitre non-disclosure policy, it
makes actually attempting to cross reference stuff so much harder than
it needs to be.
I don't see mention of it in Ubuntu's changelog, but Martin Pitt tells
me the following:
<pitti> CAN-2005-1767
<pitti> x86_64: Disable exception stack for stack faults
<pitti> http://kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=51e31546a2fc46cb978da2ee0330a6a68f07541e
<pitti> sufficient patch:
<pitti> - set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK);
<pitti> + set_intr_gate(12,&stack_segment);
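Review bot: the two lines carry no file header, `@@` context or enclosing function, so they cannot be applied or cross-checked as given; quote the hunk with its context (the trap gate setup where vector 12 is registered) and, since the patch is against Marcelo's 2.4 tree, name the 2.6 file the equivalent change lands in rather than leaving it at "2.6 also seems to be affected". The visible change is that vector 12 (stack_segment) moves from `set_intr_gate_ist(..., STACKFAULT_STACK)` to a plain `set_intr_gate`, i.e. the handler no longer runs on its own IST stack; the 2.6 commit cited below should be checked for exactly that change.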
<pitti> patch is for 2.4, but 2.6 also seems to be affected
I suspect this is fixed in
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0a65800243742480b4b594b619b759749a3cfef4
If that is indeed the case, then it is fixed in 2.6.12.
>
> > CAN-2005-0757,
>
> Double-check.
> Couldn't find a reference yet that it's fixed in mainline.
>
Oh good, another useless CAN entry. That turns out to be:
http://svn.debian.org/wsvn/kernel/releases/kernel-2.4/source/kernel-source-2.4.27-2.4.27/2.4.27-11/debian/patches/168_fs_ext3_64bit_offset.diff?op=file&rev=0&sc=0
The equivalent lines of code start at line 730 in xattr.c in 2.6. I'll
check this one out later.
> > CAN-2005-0756
>
> Double-check.
> Couldn't find a reference yet that it's fixed in mainline.
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c4d1fcf3a2ea89b6d6221fa8b4588c77aff50995
>
> > # kernel-source-2.6.8 2.6.8-16sarge2 needed, have 2.6.8-16 for CAN-2005-2555
>
> Fixed in linux-2.6.
Fixed in debian/patches-debian/2.6.12.6.patch, specifically.
>
> > # kernel-source-2.6.8 2.6.8-17 needed, have 2.6.8-16 for CAN-2005-1765, CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-1265, CAN-2005-0757, CAN-2005-0756
>
> These are all duplications from the above, so already fixed as well.
>
Well, 1265 isn't; this is fixed in 2.6.12, however.
So to summarize, the only questionable one is CAN-2005-0757. The rest
are fixed in linux-2.6 2.6.12-6.
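The summary above is the result of reconciling the tracker's status lines with what each reply found in mainline. As an added example that is not part of this mail or of the secure-testing tracker itself, the script below parses tracker lines in the two shapes quoted in the thread ("(unfixed; bug #N)" and "X needed, have Y"), including the wrapped continuation lines of CAN ids, strips mail quoting, and reports which ids still lack a confirmed mainline fix. The sample input is constructed from the lines quoted above and the CONFIRMED table is transcribed from the replies in this mail; the function and class names are this example's own.

```python
"""Reconcile secure-testing tracker status lines with confirmed mainline fixes.

Added example for this thread; not code from the tracker or the kernel team.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Two line shapes appear in the quoted tracker output:
#   # <pkg> (unfixed; bug #<n>) for <ids>
#   # <pkg> <needed> needed, have <have> for <ids>
ENTRY_RE = re.compile(
    r"^#\s*(?P<pkg>\S+)\s+"
    r"(?:\(unfixed;\s*bug\s*#(?P<bug>\d+)\)"
    r"|(?P<needed>\S+)\s+needed,\s+have\s+(?P<have>\S+))"
    r"\s+for\s+(?P<ids>.*)$"
)
ID_RE = re.compile(r"(?:CAN|CVE)-\d{4}-\d{4,}")


@dataclass
class Entry:
    package: str
    bug: Optional[str]       # Debian bug number for "unfixed" entries
    needed: Optional[str]    # version that carries the fix, if stated
    have: Optional[str]      # version currently in testing, if stated
    ids: List[str] = field(default_factory=list)


def parse_tracker(text: str) -> List[Entry]:
    """Parse tracker lines, tolerating '> ' mail quoting and wrapped id lists."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["pkg"], m["bug"], m["needed"], m["have"],
                                 ID_RE.findall(m["ids"])))
            continue
        # A line made only of ids continues the previous entry's wrapped list.
        tokens = [t for t in re.split(r"[,\s]+", line) if t]
        if entries and tokens and all(ID_RE.fullmatch(t) for t in tokens):
            entries[-1].ids.extend(tokens)
    return entries


def all_ids(entries: List[Entry]) -> Set[str]:
    return {cve for e in entries for cve in e.ids}


def unresolved(entries: List[Entry], confirmed: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each id with no confirmed mainline fix to the packages listing it."""
    out: Dict[str, Set[str]] = {}
    for e in entries:
        for cve in e.ids:
            if cve not in confirmed:
                out.setdefault(cve, set()).add(e.package)
    return out


# Constructed sample: the tracker lines quoted in this thread, still mail-quoted.
SAMPLE = """\
> > # kernel-image-2.6.8-i386 (unfixed; bug #309308) for CAN-2005-2548
> > # kernel-source-2.6.8 (unfixed; bug #295949) for CAN-2005-0449
> > # kernel-source-2.6.8 (unfixed; bug #322339) for CAN-2004-2302
> > # kernel-source-2.6.8 2.6.8-16sarge1 needed, have 2.6.8-16 for CAN-2005-1765,
> > CAN-2005-1763,
> > CAN-2005-1762,
> > CAN-2005-1761,
> > CAN-2005-0757,
> > CAN-2005-0756
> > # kernel-source-2.6.8 2.6.8-16sarge2 needed, have 2.6.8-16 for CAN-2005-2555
> > # kernel-source-2.6.8 2.6.8-17 needed, have 2.6.8-16 for CAN-2005-1765, CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-1265, CAN-2005-0757, CAN-2005-0756
"""

# Transcribed from the replies in this mail: id -> where the fix was confirmed.
CONFIRMED: Dict[str, str] = {
    "CAN-2005-2548": "2.6.9-rc2",
    "CAN-2005-0449": "2.6.11",
    "CAN-2004-2302": "2.6.10",
    "CAN-2005-1765": "code removed upstream before 2.6.12",
    "CAN-2005-1763": "mainline commit, in 2.6.12",
    "CAN-2005-1762": "2.6.12",
    "CAN-2005-1761": "2.6.12 (suspected commit)",
    "CAN-2005-0756": "mainline commit",
    "CAN-2005-2555": "debian/patches-debian/2.6.12.6.patch",
    "CAN-2005-1265": "2.6.12",
}

if __name__ == "__main__":
    parsed = parse_tracker(SAMPLE)
    for cve, pkgs in sorted(unresolved(parsed, CONFIRMED).items()):
        print(f"{cve}: no confirmed mainline fix ({', '.join(sorted(pkgs))})")
```

Run as-is it prints the single questionable id, CAN-2005-0757, which matches the summary above; extending CONFIRMED as further fixes are verified shrinks the output to nothing.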