Re: Some new 2.4.27 security patches
- To: micah <micah@riseup.net>, debian-kernel@lists.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, dann frazier <dannf@dannf.org>, 343970@bugs.debian.org, 344036@bugs.debian.org
- Subject: Re: Some new 2.4.27 security patches
- From: Horms <horms@verge.net.au>
- Date: Wed, 8 Feb 2006 12:28:03 +0900
- Message-id: <20060208032801.GA30280@verge.net.au>
- Mail-followup-to: micah <micah@riseup.net>, debian-kernel@lists.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, dann frazier <dannf@dannf.org>, 343970@bugs.debian.org, 344036@bugs.debian.org
- In-reply-to: <20060208032625.GA30156@verge.net.au>
- References: <434EAE92.80901@riseup.net> <20051014073008.GW8848@verge.net.au> <20060208032625.GA30156@verge.net.au>
On Wed, Feb 08, 2006 at 12:26:27PM +0900, Horms wrote:
> On Fri, Oct 14, 2005 at 04:30:10PM +0900, Horms wrote:
> > > Also this patch:
> > > http://linux.bkbits.net:8080/linux-2.4/diffs/fs/xfs/xfs_inode.c@1.131?nav=index.html|src/|src/fs|src/fs/xfs|related/fs/xfs/xfs_dinode.h|cset@1.1448.45.6|hist/fs/xfs/xfs_inode.c
> > > ([XFS] Handle inode creation race) should also be applied since it
> > > appears to be a security issue.
> >
> > Fixed in 2.4.29-pre1
> > Patch: http://linux.bkbits.net:8080/linux-2.4/cset@1.1448.45.21?nav=index.html|src/|src/fs|src/fs/xfs|related/fs/xfs/xfs_inode.c
> > ChangeLog: http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.29
> >
> > I'll get this into SVN for 2.4.27.
> > It does not seem to relate to 2.6 at all.
> >
> > > I am having trouble locating CAN numbers for these, does anyone know if
> > > there are any?
> >
> > I don't think there are any. Perhaps we should file for the 2nd one.
> > I notice that hlh was involved in that patch, perhaps
> > he can provide a slightly longer description.
>
> It turns out that this patch introduces a bug in the form of a missing
> symbol (#343970).
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343970
Sorry, this problem should be tracked as #344036 as per the
note I sent to #343970 earlier today.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=344036
> The fix for this is to add an additional patch, which was also included
> in 2.4.29-pre1
>
> http://linux.bkbits.net:8080/linux-2.4/cset@1.1448.45.8?nav=index.html|src/|src/fs|src/fs/xfs|src/fs/xfs/linux-2.4|related/fs/xfs/linux-2.4/xfs_vnode.h
>
> I have added this for inclusion in Sid's (trunk) 2.4.27-13.
>
> I have removed the original patch from sarge-security's 2.4.27-10sarge2
> as I believe that these patches are far too large for a security release.
> I don't believe they have been closely examined. And we don't even
> have a CVE for them. Should we add a patch-tracker entry for them
> and consider them for "sarge3"?
>
> --
> Horms
--
Horms