
questioning lenny's vulnerability to CVE-2010-3301



Hi,

<http://security-tracker.debian.org/tracker/CVE-2010-3301> reports all
releases except experimental as being vulnerable.  However, according
to Ben Hawkes on <http://sota.gen.nz/compat2/>, the vulnerability
CVE-2010-3301 was introduced by this commit:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.35.y.git;a=commitdiff;h=d4d67150165df8bf1cc05e532f6efca96f907cab

by removing the line:

          movl \offset+72(%rsp),%eax

from the LOAD_ARGS32 macro in arch/x86/ia32/ia32entry.S.

The kernel was tagged at 2.6.26 a few days before this commit, so that
tag, and therefore the Debian package linux-2.6 version 2.6.26-25, do
not include this commit.  So based on Ben Hawkes' description of the
problem, I don't believe lenny is vulnerable to it, although squeeze
certainly is, as Ben's exploit code demonstrates.

Thanks.
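To check a particular source tree against the description above, it is enough to look at whether the LOAD_ARGS32 macro in arch/x86/ia32/ia32entry.S still reloads %eax with the 32-bit `movl \offset+72(%rsp),%eax`. The following is an added example written for this note, not Ben Hawkes' code or anything shipped by Debian; the two macro fragments are constructed stand-ins for the patched and unpatched states of the file, and the helper names are my own.

```python
import re
import sys

# Constructed fragments of ia32entry.S (not copied from any kernel tree). The
# first keeps the 32-bit reload of %eax, the second has that line removed, which
# is the change the linux-2.6.35.y commit referenced above introduced.
MACRO_WITH_EAX_RELOAD = r"""
	.macro LOAD_ARGS32 offset
	movl \offset(%rsp),%r11d
	movl \offset+8(%rsp),%r10d
	movl \offset+72(%rsp),%eax
	.endm
"""

MACRO_WITHOUT_EAX_RELOAD = r"""
	.macro LOAD_ARGS32 offset
	movl \offset(%rsp),%r11d
	movl \offset+8(%rsp),%r10d
	.endm
"""

# Matches the exact instruction the report names, tolerating whitespace changes.
EAX_RELOAD = re.compile(r"^\s*movl\s+\\offset\+72\(%rsp\)\s*,\s*%eax\s*$")


def load_args32_body(asm_text):
    """Return the lines between `.macro LOAD_ARGS32` and its `.endm`, or None."""
    m = re.search(r"^\s*\.macro\s+LOAD_ARGS32\b[^\n]*\n(.*?)^\s*\.endm",
                  asm_text, re.S | re.M)
    return m.group(1).splitlines() if m else None


def reloads_eax_as_32bit(asm_text):
    """True if LOAD_ARGS32 still zero-extends the syscall number via %eax."""
    body = load_args32_body(asm_text)
    if body is None:
        raise ValueError("LOAD_ARGS32 macro not found in input")
    return any(EAX_RELOAD.match(line) for line in body)


if __name__ == "__main__":
    # Usage: python check_load_args32.py path/to/arch/x86/ia32/ia32entry.S
    with open(sys.argv[1]) as f:
        present = reloads_eax_as_32bit(f.read())
    print("32-bit %eax reload present" if present else "32-bit %eax reload MISSING")
```

A missing reload is only the indicator this report describes; confirm the actual fix status against the distribution's changelog before drawing a conclusion about a given package.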
