Bug#536148: linux-2.6: [regression] CVE-2009-1758 fixed in testing, but not in unstable

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#536148: linux-2.6: [regression] CVE-2009-1758 fixed in testing, but not in unstable
From: "Francesco Poli \(t1000\)" <frx@firenze.linux.it>
Date: Tue, 07 Jul 2009 23:11:38 +0200
Message-id: <[🔎] 20090707211138.5934.4689.reportbug@homebrew>
Reply-to: "Francesco Poli \(t1000\)" <frx@firenze.linux.it>, 536148@bugs.debian.org

Package: linux-2.6
Version: 2.6.30-1
Severity: grave
Tags: security
Justification: user security hole

Hello again Debian kernel team!

According to the security tracker [1], CVE-2009-1758 is fixed in
testing, but not in unstable.
It's fixed in testing because it was fixed in a stable (lenny) point
release, and stable packages updated in a point release are
automatically migrated to testing, whenever the version in testing
happens to be older than the updated stable one.

[1] http://security-tracker.debian.net/tracker/CVE-2009-1758

Having a fixed package in testing is great, but of course it also means
that the vulnerability should be fixed in unstable before the package
migrates from unstable to testing, or otherwise a regression will
happen!

As part of a triage effort [2], I personally tried to understand whether
CVE-2009-1758 is already fixed in linux-2.6/2.6.30-1, but I failed [3].

[2] see the following subthread for further details:
    http://lists.debian.org/debian-security-tracker/2009/07/msg00007.html
[3] see especially this message:
    http://lists.debian.org/debian-security-tracker/2009/07/msg00024.html

Please note that I didn't actually test linux-2.6/2.6.30-1 against
the vulnerability: I just searched for the link to the supposed fix in
the mitre CVE page and with the intention to take a look at the relevant
files in linux-2.6_2.6.30.orig.tar.gz, in order to see whether they
included the modifications...


I am filing this bug report, in order to make sure CVE-2009-1758 is
fixed in unstable, before linux-2.6 migrates to testing.

Please check whether CVE-2009-1758 is fixed in linux-2.6/2.6.30-1:
if the fix is already included, then this bug report may be safely
closed.
On the other hand, if linux-2.6/2.6.30-1 is vulnerable, then please
apply the fix that was used [4] to prepare linux-2.6/2.6.26-15lenny3
and upload a new Debian revision (linux-2.6/2.6.30-2) that fixes
the vulnerability.

[4] see http://security-tracker.debian.net/tracker/DSA-1809-1


Once again, thanks for all the great job you're doing on the kernel
packages!

Reply to:

Follow-Ups:
- Bug#536148: linux-2.6: [regression] CVE-2009-1758 fixed in testing, but not in unstable
  - From: Bastian Blank <waldi@debian.org>
- Bug#536148: marked as done (linux-2.6: [regression] CVE-2009-1758 fixed in testing, but not in unstable)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#536147: linux-2.6: [regression] CVE-2009-0029 fixed in testing, but not unstable
Next by Date: Processed: Re: Bug#536148: linux-2.6: [regression] CVE-2009-1758 fixed in testing, but not in unstable
Previous by thread: Processed: Re: Bug#536147: linux-2.6: [regression] CVE-2009-0029 fixed in testing, but not unstable
Next by thread: Bug#536148: linux-2.6: [regression] CVE-2009-1758 fixed in testing, but not in unstable
Index(es):
- Date
- Thread