Re: CVE-2004-0887 in 2.4

[dann frazier <dannf@dannf.org>]

On Tue, 2006-01-31 at 10:28 +0900, Horms wrote:
> On Mon, Jan 30, 2006 at 06:35:29PM +0100, Bastian Blank wrote:
> > On Sun, Jan 29, 2006 at 10:59:54PM -0700, dann frazier wrote:
> > > I think I'll go ahead and put this into our tree & revert if it causes
> > > problems.
> > 
> > It is better to add it to the s390 patch.
> 
> Could you please explain why you think that is better.
> I'm not sure that I understand the merrits of adding a fix
> into the mish-mash of a much larger patch, rather than
> leaving it separate. Does it have (a negative) impact on other
> architectures?

Either way, we need to do an update of kernel-patch-2.4.27-s390 since
the s390 patch will conflict if we leave the patch in kernel-source.  

However, its more straightforward for me to leave it in kernel-source &
just rediff the s390 patch.  I don't know how to add a patch to the s390
patch package (other than merging it into the megadiff, of course).  I
don't think dh-kpatches can handle multiple diffs yet.

> > > The vulnerable code looks to be present in 2.4.27 as well, but I don't
> > > see a patch in either kernel-source-2.4.27 or the s390 patch package.
> > > I've tried my hand at porting it (below).  Should we apply it?  If so,
> > > where is the proper place to submit it upstream - direct to
> > > lkml/Marcelo?
> > 
> > 2.4 vanilla does not work for s390 and it is not longer supported by
> > ibm.
> 
> That may be true, but isn't 2.4.27 s390 still in Sarge?
> I guess we should addit to sarge2, but leave Marcelo out of the loop.

Sounds about right; I might notify Marcello anyway just to make picking
it up his option.  At minimum, his tree would be a good place for other
people to locate the backported patch should they need it - even though
I can't imagine who would...
-- 
dann frazier <dannf@dannf.org>