Stefan Fritsch
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
Hi,

On Tuesday 22 March 2005 13:32, Dominic Hargreaves wrote:
> I noticed that while kernel vulns appear as kernel-source packages,
> we are not tracking the various kernel-image packages. Should we
> not also be doing this?

I think for now (i.e. before the freeze) we can leave this to the kernel team. When we actually get near to release we should recheck all kernel images. As there are several images per architecture this would create a lot of bug reports and quite a bit of additional work for the kernel team and us.

Cheers,
Stefan
Dominic Hargreaves
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
On Tue, Mar 22, 2005 at 02:24:49PM +0100, Stefan Fritsch wrote:
> I think for now (i.e. before the freeze) we can leave this to the
> kernel team. When we actually get near to release we should recheck
> all kernel images. As there are several images per architecture this
> would create a lot of bug reports and quite a bit of additional work
> for the kernel team and us.

In the interests of transparency I think it is important that we provide an accurate picture of the current state of testing - and this means not hiding vulnerabilities that exist in testing.

The additional work on the part of the kernel maintainers would be limited to the administrivia of having bugs filed on their packages, and as far as I can see this would mostly be restricted to one bug per arch as most archs only have one source package for kernel-image. This is surely something that should be done anyway.

The work is achievable on our side - and I'm offering to do it.

If there is really opposition to filing the relevant bugs on kernel-image packages (which sounds ludicrous to me when it comes to security vulnerabilities) then we can simply not do that, but continue to track things in sarge-checks.

Cheers,

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Stefan Fritsch
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
On Tuesday 22 March 2005 16:10, Dominic Hargreaves wrote:
> The additional work on the part of the kernel maintainers would be
> limited to the administrivia of having bugs filed on their packages,
> and as far as I can see this would mostly be restricted to one bug
> per arch as most archs only have one source package for
> kernel-image.

I didn't think of the source packages. This would certainly reduce the number of filed bugs to a reasonable value.

I also noticed that most kernel-images build-depend either on kernel-tree-<version> or have a versioned build-dependency on kernel-source (the most notable exceptions are the 2.2 kernels). This allows one to determine with grep-dctrl which kernel-images need to be updated. Maybe someone with access to newraff can test my hacked version of checklist.

Cheers,
Stefan

[Attachment: checklist.new (application/x-perl, 3756 bytes): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050322/367f4d4d/checklist.bin]
Dominic Hargreaves
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
On Tue, Mar 22, 2005 at 11:41:38AM -0500, Andres Salomon wrote:
> Note that I just uploaded k-s-2.6.8 2.6.8-15, and have built i386
> images. Once I verify the ABI hasn't changed, I'll upload the i386
> images. Please submit bugs on any security holes not fixed by -15.

Thanks for the update. I've clarified a few entries in sarge-checks, and I've also added some kernel-image-2.6.8-ia64 packages:

Log message:
Add kernel-image-2.6.8-ia64 packages that are built against kernel-source-2.6.8-14.

Rationale: kernel-source-2.6.8 has entered testing; kernel-image-2.6.8-ia64 is built but hasn't entered testing yet. This is the only kernel-image-2.6.8* package uploaded to build-dep on kernel-tree-2.6.8-14 so far. Once packages start being built against -15 we can start listing those too.

I've not filed any bugs yet as from your message I understand that it may be stepping on some toes, and you have the -i386 packages in hand at least.

Cheers,

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
Stefan Fritsch wrote:
> I didn't think of the source packages. This would certainly reduce the
> number of filed bugs to a reasonable value.
>
> I also noticed that most kernel-images build-depend either on
> kernel-tree-<version> or have a versioned build-dependency on
> kernel-source (The most notable exceptions are the 2.2 kernels).
> This allows to determine with grep-dctrl which kernel-images need to
> be updated. Maybe someone with access to newraff can test my hacked
> version of checklist.

I tried it on newraff, the old stable grep-dctrl on there does not have support for -a though.

-- 
see shy jo
Stefan Fritsch
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
On Wednesday 23 March 2005 02:31, Joey Hess wrote:
> I tried it on newraff, the old stable grep-dctrl on there does not
> have support for -a though.

Ok, next try. Now it should work with woody's grep-dctrl. You need to point $sources to the sarge Sources file(s). This will create entries like:

    kernel-image-2.6.8-sparc built from kernel-source-2.6.8 2.6.8-15 needed, have 2.6.8-11

I have ignored all d-i kernel images. It is also easy to make the script display the kernel-images where the kernel-source version can't be determined from the build-deps.

Cheers,
Stefan

[Attachment: checklist.new (application/x-perl, 4425 bytes): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050323/031d7674/checklist.bin]
Stefan Fritsch
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
On Thursday 24 March 2005 00:48, Micah Anderson wrote:
> On Wed, 23 Mar 2005, Joey Hess wrote:
> > Works ok, here's the result:
> >
> > http://newraff.debian.org/~joeyh/testing-security.new.html

Very nice. Thanks.

> I assume that if we can cron this, then we can continue to make
> kernel-source entries in the CAN/list and this script will fill in
> the necessary kernel-image lines based on that?

That's correct (for the kernel images that have a versioned build-dep). If we use this, I will file wishlist bugs for the 4 remaining kernel images to include versioned build-deps.

Cheers,
Stefan

PS: I will be away and without net until ~Tuesday.
Andres Salomon
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
On Tue, 2005-03-22 at 12:32 +0000, Dominic Hargreaves wrote:
> Hi,
>
> I noticed that while kernel vulns appear as kernel-source packages, we
> are not tracking the various kernel-image packages. Should we not also
> be doing this? As an example, I note that there are many
> vulnerabilities fixed in kernel-source-2.6.8 2.6.8-14, but that
> kernel-image-2.6.8-i386 has still not been built against it (and neither
> has any bug been filed against it).
>
> Cheers,
>

Note that I just uploaded k-s-2.6.8 2.6.8-15, and have built i386 images. Once I verify the ABI hasn't changed, I'll upload the i386 images. Please submit bugs on any security holes not fixed by -15.

-- 
Andres Salomon <dilinger@debian.org>
Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
Dominic Hargreaves wrote:
> I noticed that while kernel vulns appear as kernel-source packages, we
> are not tracking the various kernel-image packages. Should we not also
> be doing this? As an example, I note that there are many
> vulnerabilities fixed in kernel-source-2.6.8 2.6.8-14, but that
> kernel-image-2.6.8-i386 has still not been built against it (and neither
> has any bug been filed against it).

The kernel team plans yet another release after -14 with more security holes fixed and the one that caused the ABI change probably backed out, and are not planning more uploads for -14 AFAIK, so I've held off trying to track it.

-- 
see shy jo
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
Dominic Hargreaves wrote:
> I noticed that while kernel vulns appear as kernel-source packages, we
> are not tracking the various kernel-image packages. Should we not also
> be doing this?

Yes, but tracking this manually seems way too error-prone, as kernel-sources for sid are in a steady flow. I just wrote a little Python script to automatically generate a list of vulnerable kernel image packages against the CAN list. It parses the CAN list for kernel-source entries and all that remains to be done is to keep a list of which kernel on which arch is built against which kernel-source package. Example:

    i386 2.6.8 2.6.8-12
    sparc 2.6.8 2.6.8-11

(Meaning that the 2.6.8 kernel for i386 was built against kernel-source 2.6.8.12 and sparc against 2.6.8-11).

It's attached, comments welcome.

Cheers,
Moritz

[Attachment: kernel-check.py (text/x-python, 1060 bytes): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050322/2777e96a/kernel-check.py]
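As an added illustration of the approach Stefan's checklist patch (grep-dctrl over the sarge Sources file) and Moritz's kernel-check.py take, this is neither script nor a Debian tool: it parses a constructed fragment of a Sources file, derives the kernel-source version each kernel-image builds against from a kernel-tree-<version> or versioned kernel-source build-dep, and compares it with the kernel-source version that fixes the tracked CANs, emitting lines in the format Stefan's mail shows and separately listing images whose source version cannot be determined. The Sources fragment, the NEEDED map and the simplified version ordering are assumptions made for the example.

```python
import re
# Constructed fragment of a sarge Sources file (Debian control format), not the real archive.
SOURCES = """\
Package: kernel-image-2.6.8-sparc
Build-Depends: debhelper (>= 4), kernel-tree-2.6.8-11

Package: kernel-image-2.6.8-i386
Build-Depends: kernel-source-2.6.8 (>= 2.6.8-15), debhelper

Package: kernel-image-2.4.27-arm
Build-Depends: kernel-source-2.4.27, debhelper
"""
NEEDED = {"kernel-source-2.6.8": "2.6.8-15"}  # constructed: version fixing the tracked CANs

def stanzas(text):
    """Parse each blank-line separated stanza into a field -> value dict."""
    for block in re.split(r"\n\s*\n", text.strip()):
        yield {k.strip(): v.strip() for k, _, v in
               (ln.partition(":") for ln in block.splitlines())}

def source_version(build_depends):
    """(kernel-source name, version) from kernel-tree-X.Y.Z-N or kernel-source-X.Y.Z (>= V), else None."""
    m = re.search(r"kernel-tree-(\d+\.\d+\.\d+)-(\d+)", build_depends)
    if m:
        return "kernel-source-" + m.group(1), m.group(1) + "-" + m.group(2)
    m = re.search(r"(kernel-source-\d+\.\d+\.\d+)\s*\(>=\s*([^)]+)\)", build_depends)
    return (m.group(1), m.group(2).strip()) if m else None

def vkey(v):
    """Simplified numeric ordering; assumption: not full dpkg version semantics."""
    up, _, rev = v.partition("-")
    return tuple(int(x) for x in up.split(".")), int(rev or 0)

def check(sources=SOURCES, needed=NEEDED):
    """Return (outdated lines in the thread's format, images with undeterminable source version)."""
    outdated, unknown = [], []
    for st in stanzas(sources):
        pkg = st.get("Package", "")
        if not pkg.startswith("kernel-image-"):
            continue
        sv = source_version(st.get("Build-Depends", ""))
        if sv is None:
            unknown.append(pkg)  # candidates for a versioned build-dep wishlist bug
            continue
        src, have = sv
        need = needed.get(src)
        if need and vkey(have) < vkey(need):
            outdated.append(f"{pkg} built from {src} {need} needed, have {have}")
    return outdated, unknown
```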
Joey Hess
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
Stefan Fritsch wrote:
> Ok, next try. Now it should work with woody's grep-dctrl. You need to
> point $sources to the sarge Sources file(s). This will create entries
> like:
>
> kernel-image-2.6.8-sparc built from kernel-source-2.6.8 2.6.8-15
> needed, have 2.6.8-11
>
> I have ignored all d-i kernel images. It is also easy to make the
> script display the kernel-images where the kernel-source version
> can't be determined from the build-deps.

Works ok, here's the result:

http://newraff.debian.org/~joeyh/testing-security.new.html

-- 
see shy jo
Dominic Hargreaves
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
On Tue, Mar 22, 2005 at 02:24:49PM +0100, Stefan Fritsch wrote:
> I think for now (i.e. before the freeze) we can leave this to the
> kernel team. When we actually get near to release we should recheck
> all kernel images. As there are several images per architecture this
> would create a lot of bug reports and quite a bit of additional work
> for the kernel team and us.

Just to add to my previous messages - some points that I didn't address earlier.

As far as waiting until the freeze goes: my take on that is that in order to be ready for a freeze, one needs to get as much as possible ready beforehand anyway. I haven't spoken to the security team, but for example one thing that might happen is that once their autobuilder is finally ready they may want to test it with some kernel packages, and having information available for them to use at that time hopefully would help them. I'd like there to be information available on the state of the archive at *all* times, not just once we've frozen.

I've taken on board your point about the kernel maintainers though. I will for the time being assume that they are on top of things, and not nag them.

Sorry if it seems like I ignored your response by going ahead and adding things to the list anyway, but I hope I've explained my reasoning :)

Cheers,

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Stefan Fritsch
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
On Tuesday 22 March 2005 19:10, Dominic Hargreaves wrote:
> Sorry if it seems like I ignored your response by going ahead and
> adding things to the list anyway, but I hope I've explained my
> reasoning :)

I agree with you that we should track the kernel images if possible. I just (wrongly) assumed that this would require >50 bug reports. However, I think it would be best if we could automate this tracking as far as possible (see my other mail).

Cheers,
Stefan
Stefan Fritsch
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
On Tuesday 22 March 2005 20:03, Moritz Muehlenhoff wrote:
> I just wrote a little Python script to automatically generate a
> list of vulnerable kernel image packages against the CAN list. I
> parses the CAN list for kernel-source entries and all that remains
> to be done is to keep a list which kernel on which arch is built
> against which kernel-source package.

Most of this list can be created automatically. It seems only

    kernel-image-2.4.27-arm
    kernel-image-2.4.27-m68k
    kernel-patch-2.4.27-mips
    kernel-patch-powerpc-2.4.27

(the latter two also create kernel-images) and the 2.2.25 images need to be tracked manually. Maybe we could file wishlist bugs for versioned build-deps.

BTW, wouldn't it be enough to just display the kernel-source we need or should we list all the CANs again?

Cheers,
Stefan
Micah Anderson
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
I assume that if we can cron this, then we can continue to make kernel-source entries in the CAN/list and this script will fill in the necessary kernel-image lines based on that? Or is there a change that needs to be made in the way we are processing and noting kernel CANs in the list?

Micah

On Wed, 23 Mar 2005, Joey Hess wrote:
> Stefan Fritsch wrote:
> > Ok, next try. Now it should work with woody's grep-dctrl. You need to
> > point $sources to the sarge Sources file(s). This will create entries
> > like:
> >
> > kernel-image-2.6.8-sparc built from kernel-source-2.6.8 2.6.8-15
> > needed, have 2.6.8-11
> >
> > I have ignored all d-i kernel images. It is also easy to make the
> > script display the kernel-images where the kernel-source version
> > can't be determined from the build-deps.
>
> Works ok, here's the result:
>
> http://newraff.debian.org/~joeyh/testing-security.new.html
>
> --
> see shy jo
Dominic Hargreaves
2006-Mar-13 12:28 UTC
[Secure-testing-team] Kernel vulnerabilities in sarge-checks
Hi,

I noticed that while kernel vulns appear as kernel-source packages, we are not tracking the various kernel-image packages. Should we not also be doing this? As an example, I note that there are many vulnerabilities fixed in kernel-source-2.6.8 2.6.8-14, but that kernel-image-2.6.8-i386 has still not been built against it (and neither has any bug been filed against it).

Cheers,

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)