
Re: questioning lenny's vulnerability to CVE-2010-3301



On Sat, 18 Sep 2010 00:02:36 +0100 moog wrote:

> > The kernel was tagged at 2.6.26 a few days before this commit, so that
> > tag, and therefore the Debian package linux-2.6 version 2.6.26-25, do
> > not include this commit.  So based on Ben Hawkes' description of the
> > problem, I don't believe lenny is vulnerable to it, although squeeze
> > certainly is, as Ben's exploit code demonstrates.
> 
> I see <http://security-tracker.debian.org/tracker/CVE-2010-3301> has now
> been updated to say that lenny is not vulnerable.  Further to this, I
> would like to suggest that etch,etch(security), i.e. linux-2.6
> version 2.6.18.dfsg.1-26etch2, and etch-backports, i.e. linux-2.6
> version 2.6.26-21~bpo40+1, are not vulnerable either, for the same
> reason, namely that they predate the problematic commit.
> 
> (According to <http://sota.gen.nz/compat2/>, the commit reintroduced
> essentially the same vulnerability as CVE-2007-4573, but that was fixed
> in etch in version 2.6.18.dfsg.1-13etch4; see DSA-1381-2.)

etch is no longer supported, so any info there is very likely not up to
date. The etch entries need to be removed. I'll fix that at some point.

> Finally, although 2.6.35-1~experimental.3 is described as fixed, I've
> now looked at the code and the LOAD_ARGS32 macro is still missing a
> setting of %eax so I believe it is still vulnerable.

That's a limitation of the tracker, since it's based on unstable.
Anything greater than unstable's 2.6.32-23 will be considered fixed.

mike
