Joey Hess wrote:
> Now that 2.6.12 is finally in testing and work is well underway to
> remove 2.6.8, I think we can switch to tracking security holes in the
> new kernel now. There are several items listed as unfixed in 2.6.8, would
> it be possible for someone to double check if any of these also still
> apply to 2.6.12?

I'll do it. There's some kernel-related mail backlog from me as well, that I hope to address today or tomorrow.

Cheers,
Moritz
Now that 2.6.12 is finally in testing and work is well underway to
remove 2.6.8, I think we can switch to tracking security holes in the
new kernel now. There are several items listed as unfixed in 2.6.8, would
it be possible for someone to double check if any of these also still
apply to 2.6.12?

# kernel-image-2.6.8-i386 (unfixed; bug #309308) for CAN-2005-2548
# kernel-source-2.6.8 (unfixed; bug #295949) for CAN-2005-0449
# kernel-source-2.6.8 (unfixed; bug #322339) for CAN-2004-2302
# kernel-source-2.6.8 2.6.8-16sarge1 needed, have 2.6.8-16 for CAN-2005-1765, CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-0757, CAN-2005-0756
# kernel-source-2.6.8 2.6.8-16sarge2 needed, have 2.6.8-16 for CAN-2005-2555
# kernel-source-2.6.8 2.6.8-17 needed, have 2.6.8-16 for CAN-2005-1765, CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-1265, CAN-2005-0757, CAN-2005-0756

-- 
see shy jo
On Thu, Sep 15, 2005 at 12:29:20PM -0400, Andres Salomon wrote:
> On Thu, 2005-09-15 at 11:03 +0200, Moritz Muehlenhoff wrote:
> > Joey Hess wrote:
> > > Now that 2.6.12 is finally in testing and work is well underway to
> > > remove 2.6.8, I think we can switch to tracking security holes in the
> > > new kernel now. There are several items listed as unfixed in 2.6.8, would
> > > it be possible for someone to double check if any of these also still
> > > apply to 2.6.12?
> >
> > For many of these the fix is confirmed to be in mainline, but for a
> > few I could only find references to advisories from Red Hat and SuSE,
> > so we should double-check this.
> >
> > > # kernel-image-2.6.8-i386 (unfixed; bug #309308) for CAN-2005-2548
> >
> > Fixed in linux-2.6
>
> Specifically, in 2.6.9-rc2.
>
> > > # kernel-source-2.6.8 (unfixed; bug #295949) for CAN-2005-0449
> >
> > This one is the infamous ABI breaking kernel vulnerability.
> > Probably fixed in mainline?
>
> Yep; fixed in 2.6.11, I believe. It's definitely in 2.6.12 (look for
> ip_defrag_users in net/ip.h; that's the enum that defines the local
> queue types).
>
> > > # kernel-source-2.6.8 (unfixed; bug #322339) for CAN-2004-2302
> >
> > Fixed in linux-2.6
>
> 2.6.10, according to the bug report. Verified that it's in 2.6.12.
>
> > > # kernel-source-2.6.8 2.6.8-16sarge1 needed, have 2.6.8-16 for CAN-2005-1765,
> >
> > Fixed in linux-2.6
>
> No longer relevant; the entire chunk of code was ripped out with
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1e01441051dda3bb01c455b6e20bce6d00563d82
>
> > > CAN-2005-1763,
> >
> > Double-check.
> > Couldn't find a reference yet that it's fixed in mainline.
>
> Indeed, it is:
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f6b8d4778c04148729cc0b0dcd335a4411c44276
>
> > > CAN-2005-1762,
> >
> > Fixed in linux-2.6.
>
> It's in 2.6.12:
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d1099e8a18960693c04507bdd7b9403db70bfd97
>
> > > CAN-2005-1761,
> >
> > Fixed in linux-2.6.
>
> How can you tell? The mitre description is absolutely useless. I
> fucking hate this stupid vendor-sec/mitre non-disclosure policy, it
> makes actually attempting to cross reference stuff so much harder than
> it needs to be.

Yes, this CAN number stuff is very frustrating. All the details get hashed out in private, and then the information about which patch fixes which bug, which correlates to which CAN, is often lost.

> I don't see mention of it in Ubuntu's changelog, but Martin Pitt tells
> me the following:
>
> <pitti> CAN-2005-1767
> <pitti> x86_64: Disable exception stack for stack faults
> <pitti> http://kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=51e31546a2fc46cb978da2ee0330a6a68f07541e
> <pitti> sufficient patch:
> <pitti> - set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK);
> <pitti> + set_intr_gate(12,&stack_segment);
> <pitti> patch is for 2.4, but 2.6 also seems to be affected
>
> I suspect this is fixed in
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0a65800243742480b4b594b619b759749a3cfef4
>
> If that is indeed the case, then it is fixed in 2.6.12.

My understanding is that the fix for 2.6 is indeed 0a65800243742480b4b594b619b759749a3cfef4, as Andres suggests. For 2.6.8 this required some other patches to make it fly; it's been in SVN for a while now. 51e31546a2fc46cb978da2ee0330a6a68f07541e is, as Martin Pitt's log implies, a cut-down fix for 2.4. Someone on Vendor-sec confirmed this for me. I'm buggered if I can find the information elsewhere.

> > > CAN-2005-0757,
> >
> > Double-check.
> > Couldn't find a reference yet that it's fixed in mainline.
>
> Oh good, another useless CAN entry. That turns out to be:
> http://svn.debian.org/wsvn/kernel/releases/kernel-2.4/source/kernel-source-2.4.27-2.4.27/2.4.27-11/debian/patches/168_fs_ext3_64bit_offset.diff?op=file&rev=0&sc=0
>
> The equivalent lines of code start at line 730 in xattr.c in 2.6. I'll
> check this one out later.

I believe that was resolved in
http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=fd3562136303f9b47b74dbb8fa7349d3afe5c3e7;hp=3061b0a9e778056fccfe7e3ca9dda1f1faf0b410
It certainly does not seem to be present in 2.6.12.

> > > CAN-2005-0756
> >
> > Double-check.
> > Couldn't find a reference yet that it's fixed in mainline.
>
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c4d1fcf3a2ea89b6d6221fa8b4588c77aff50995
>
> > > # kernel-source-2.6.8 2.6.8-16sarge2 needed, have 2.6.8-16 for CAN-2005-2555
> >
> > Fixed in linux-2.6.
>
> Fixed in debian/patches-debian/2.6.12.6.patch, specifically.
>
> > > # kernel-source-2.6.8 2.6.8-17 needed, have 2.6.8-16 for CAN-2005-1765, CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-1265, CAN-2005-0757, CAN-2005-0756
> >
> > These are all duplications from the above, so already fixed as well.
>
> Well, 1265 isn't; this is fixed in 2.6.12, however.
>
> So to summarize, the only questionable one is CAN-2005-0757. The rest
> are fixed in linux-2.6 2.6.12-6.

A lot of these patches are broken out in the 2.6.8 tree; from there it's easy enough to interrogate git, with or without the git changelog number.

-- 
Horms
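The "interrogate git" step Horms refers to, as an added example that is not part of this thread or of the Debian kernel team's tooling: when a CAN description is as useless as the one for CAN-2005-1761, the only reliable handle is a hunk like the one Martin Pitt pasted. The script below builds a throwaway git repository that stands in for that x86_64 stack-fault change (the file name, commit messages, tags and hashes are all constructed here; it does not fetch the real tree, where the 2.6 fix is 0a65800243742480b4b594b619b759749a3cfef4), then uses git's pickaxe search to find the commit that removed the vulnerable line and checks whether a given release tag contains that commit.

```shell
#!/bin/sh
# Added example, not from the thread. Constructs a throwaway git repo that
# stands in for the x86_64 stack-fault change (set_intr_gate_ist -> set_intr_gate)
# and shows how to get from a bare hunk to "is this fixed in tag X?".
# File name, commit messages, tags and hashes below are all constructed.
set -eu

REPO=$(mktemp -d)
trap 'rm -rf "$REPO"' EXIT
cd "$REPO"
git init -q
git config user.email kernel-sec@example.invalid
git config user.name "demo"

# Constructed stand-in for the pre-fix trap setup (#SS on its own IST stack).
cat > traps.c <<'EOF'
void trap_init(void)
{
    set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK);
}
EOF
git add traps.c
git commit -q -m "x86_64: trap setup (constructed)"
git tag v2.6.11

# Constructed stand-in for the fix: #SS no longer uses a separate IST stack.
cat > traps.c <<'EOF'
void trap_init(void)
{
    set_intr_gate(12,&stack_segment);
}
EOF
git commit -q -am "x86_64: Disable exception stack for stack faults (constructed)"
git tag v2.6.12

# Given a line from the '-' side of a hunk, find the commit that removed it.
# -S lists commits where the occurrence count of the string changed; the
# first (newest) one in which the file no longer contains it is the removal.
fix_commit_for_fragment() {
    frag=$1
    file=$2
    for c in $(git log --format=%H -S"$frag" -- "$file"); do
        if ! git show "$c:$file" | grep -qF -- "$frag"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# Does release tag $2 contain commit $1?  Exit status 0 means yes.
tag_contains() {
    git merge-base --is-ancestor "$1" "$2"
}

# One status line per tag, in the shape of a tracker entry.
report() {
    c=$1; shift
    for t in "$@"; do
        if tag_contains "$c" "$t"; then
            printf '%s: fixed by %s\n' "$t" "$(git rev-parse --short "$c")"
        else
            printf '%s: NOT fixed\n' "$t"
        fi
    done
}

FIX=$(fix_commit_for_fragment 'set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK);' traps.c)
report "$FIX" v2.6.11 v2.6.12
```

Against a real checkout you would drop the constructed setup, point `fix_commit_for_fragment` at arch/x86_64/kernel/traps.c (or whichever file the hunk touches), and pass the tags you actually ship; `git merge-base --is-ancestor` answers the containment question even when the fix was cherry-picked under a different hash only if the cherry-pick kept the commit, so for a backport tree compare the file contents as the loop does rather than trusting a hash alone.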
* Andres Salomon:

> How can you tell? The mitre description is absolutely useless. I
> fucking hate this stupid vendor-sec/mitre non-disclosure policy,

In most cases, MITRE does not have access to pre-disclosure information. They just hand out unique names, and update the database based on public data afterwards. However, it is true that they demand that CNAs (who can assign CANs) "must follow responsible disclosure practices that are accepted by a significant portion of the security community" -- whatever this means. Of course, you still receive a CAN assignment no matter how you disclose a vulnerability.

That being said, it's not the job of MITRE to explain the nature of vulnerabilities if upstream fails us. The CVE database only reflects what the vendors (or other respected data sources) publish. MITRE certainly does not mandate researchers or CNAs to keep issues secret.
On Fri, Sep 16, 2005 at 02:29:23PM +0200, Florian Weimer wrote:
> * Andres Salomon:
>
> > How can you tell? The mitre description is absolutely useless. I
> > fucking hate this stupid vendor-sec/mitre non-disclosure policy,
>
> In most cases, MITRE does not have access to pre-disclosure
> information. They just hand out unique names, and update the database
> based on public data afterwards. However, it is true that they demand
> that CNAs (who can assign CANs) "must follow responsible disclosure
> practices that are accepted by a significant portion of the security
> community" -- whatever this means. Of course, you still receive a CAN
> assignment no matter how you disclose a vulnerability.
>
> That being said, it's not the job of MITRE to explain the nature of
> vulnerabilities if upstream fails us. The CVE database only reflects
> what the vendors (or other respected data sources) publish. MITRE
> certainly does not mandate researchers or CNAs to keep issues secret.

Unfortunately, in the case of kernel bugs, that disclosure is often not happening in a useful way. This does greatly lessen the value of the CAN numbers as a way to refer to a bug, because frankly it is far too often hard to tell which bug/fix the CAN refers to.

-- 
Horms
Joey Hess wrote:
> Now that 2.6.12 is finally in testing and work is well underway to
> remove 2.6.8, I think we can switch to tracking security holes in the
> new kernel now. There are several items listed as unfixed in 2.6.8, would
> it be possible for someone to double check if any of these also still
> apply to 2.6.12?

For many of these the fix is confirmed to be in mainline, but for a few I could only find references to advisories from Red Hat and SuSE, so we should double-check this.

> # kernel-image-2.6.8-i386 (unfixed; bug #309308) for CAN-2005-2548

Fixed in linux-2.6

> # kernel-source-2.6.8 (unfixed; bug #295949) for CAN-2005-0449

This one is the infamous ABI breaking kernel vulnerability. Probably fixed in mainline?

> # kernel-source-2.6.8 (unfixed; bug #322339) for CAN-2004-2302

Fixed in linux-2.6

> # kernel-source-2.6.8 2.6.8-16sarge1 needed, have 2.6.8-16 for CAN-2005-1765,

Fixed in linux-2.6

> CAN-2005-1763,

Double-check. Couldn't find a reference yet that it's fixed in mainline.

> CAN-2005-1762,

Fixed in linux-2.6.

> CAN-2005-1761,

Fixed in linux-2.6.

> CAN-2005-0757,

Double-check. Couldn't find a reference yet that it's fixed in mainline.

> CAN-2005-0756

Double-check. Couldn't find a reference yet that it's fixed in mainline.

> # kernel-source-2.6.8 2.6.8-16sarge2 needed, have 2.6.8-16 for CAN-2005-2555

Fixed in linux-2.6.

> # kernel-source-2.6.8 2.6.8-17 needed, have 2.6.8-16 for CAN-2005-1765, CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-1265, CAN-2005-0757, CAN-2005-0756

These are all duplications from the above, so already fixed as well.

Cheers,
Moritz
On Thu, 2005-09-15 at 11:03 +0200, Moritz Muehlenhoff wrote:
> Joey Hess wrote:
> > Now that 2.6.12 is finally in testing and work is well underway to
> > remove 2.6.8, I think we can switch to tracking security holes in the
> > new kernel now. There are several items listed as unfixed in 2.6.8, would
> > it be possible for someone to double check if any of these also still
> > apply to 2.6.12?
>
> For many of these the fix is confirmed to be in mainline, but for a
> few I could only find references to advisories from Red Hat and SuSE,
> so we should double-check this.
>
> > # kernel-image-2.6.8-i386 (unfixed; bug #309308) for CAN-2005-2548
>
> Fixed in linux-2.6

Specifically, in 2.6.9-rc2.

> > # kernel-source-2.6.8 (unfixed; bug #295949) for CAN-2005-0449
>
> This one is the infamous ABI breaking kernel vulnerability.
> Probably fixed in mainline?

Yep; fixed in 2.6.11, I believe. It's definitely in 2.6.12 (look for ip_defrag_users in net/ip.h; that's the enum that defines the local queue types).

> > # kernel-source-2.6.8 (unfixed; bug #322339) for CAN-2004-2302
>
> Fixed in linux-2.6

2.6.10, according to the bug report. Verified that it's in 2.6.12.

> > # kernel-source-2.6.8 2.6.8-16sarge1 needed, have 2.6.8-16 for CAN-2005-1765,
>
> Fixed in linux-2.6

No longer relevant; the entire chunk of code was ripped out with
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1e01441051dda3bb01c455b6e20bce6d00563d82

> > CAN-2005-1763,
>
> Double-check.
> Couldn't find a reference yet that it's fixed in mainline.

Indeed, it is:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f6b8d4778c04148729cc0b0dcd335a4411c44276

> > CAN-2005-1762,
>
> Fixed in linux-2.6.

It's in 2.6.12:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d1099e8a18960693c04507bdd7b9403db70bfd97

> > CAN-2005-1761,
>
> Fixed in linux-2.6.

How can you tell? The mitre description is absolutely useless. I fucking hate this stupid vendor-sec/mitre non-disclosure policy, it makes actually attempting to cross reference stuff so much harder than it needs to be.

I don't see mention of it in Ubuntu's changelog, but Martin Pitt tells me the following:

<pitti> CAN-2005-1767
<pitti> x86_64: Disable exception stack for stack faults
<pitti> http://kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=51e31546a2fc46cb978da2ee0330a6a68f07541e
<pitti> sufficient patch:
<pitti> - set_intr_gate_ist(12,&stack_segment,STACKFAULT_STACK);
<pitti> + set_intr_gate(12,&stack_segment);
<pitti> patch is for 2.4, but 2.6 also seems to be affected

I suspect this is fixed in
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0a65800243742480b4b594b619b759749a3cfef4

If that is indeed the case, then it is fixed in 2.6.12.

> > CAN-2005-0757,
>
> Double-check.
> Couldn't find a reference yet that it's fixed in mainline.

Oh good, another useless CAN entry. That turns out to be:
http://svn.debian.org/wsvn/kernel/releases/kernel-2.4/source/kernel-source-2.4.27-2.4.27/2.4.27-11/debian/patches/168_fs_ext3_64bit_offset.diff?op=file&rev=0&sc=0

The equivalent lines of code start at line 730 in xattr.c in 2.6. I'll check this one out later.

> > CAN-2005-0756
>
> Double-check.
> Couldn't find a reference yet that it's fixed in mainline.

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c4d1fcf3a2ea89b6d6221fa8b4588c77aff50995

> > # kernel-source-2.6.8 2.6.8-16sarge2 needed, have 2.6.8-16 for CAN-2005-2555
>
> Fixed in linux-2.6.

Fixed in debian/patches-debian/2.6.12.6.patch, specifically.

> > # kernel-source-2.6.8 2.6.8-17 needed, have 2.6.8-16 for CAN-2005-1765, CAN-2005-1763, CAN-2005-1762, CAN-2005-1761, CAN-2005-1265, CAN-2005-0757, CAN-2005-0756
>
> These are all duplications from the above, so already fixed as well.

Well, 1265 isn't; this is fixed in 2.6.12, however.

So to summarize, the only questionable one is CAN-2005-0757. The rest are fixed in linux-2.6 2.6.12-6.