
Bug#562975: linux-2.6: patch for CVE-2009-3939



> Actually, no Debian release contains a kernel version affected by
> CVE-2009-3889.

CVE-2009-3889 was fixed in upstream commit 66dca9b8 in Linux 2.6.27, so
Debian's 2.6.24 and 2.6.26 are affected, but 2.6.18 and 2.6.32 are not.
You can look at the dbg_lvl permissions, for example in the 2.6.32
kernel, to see that they are correctly restrictive, S_IWUSR.

> CVE-2009-3889 should be dealt with at the same time.  That covers the
> dbg_lvl parameter which is also world-writable.

For 2.6.32, CVE-2009-3939 will need to be patched separately since
CVE-2009-3889 is already fixed there.

As a minor aside, please include nnnnnn-submitter in your replies so
your bug reporters get CC'd.  I just happened to be looking at my
submitted bugs recently when I came across your messages.

Thanks,
Mike
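
As an added illustration of the point above (this is example code, not part of the bug report or of the Debian kernel packaging): the fixes for these two CVEs narrow the affected module parameters to S_IWUSR, so a defender's quick check on a patched kernel is to list every file under /sys/module/*/parameters that is still writable by group or others. The script below does that with plain find; the sample tree it builds is a constructed stand-in for /sys/module (one module with a world-writable dbg_lvl, one with S_IWUSR), so the check can be exercised offline, and the module names in it are invented.

```shell
#!/bin/sh
# Added example for this thread (not from the bug report or the Debian kernel
# packaging): list module parameters under /sys/module whose sysfs file is
# writable by group or others. Upstream's fix for these CVEs narrowed such
# parameters to S_IWUSR (owner-write only), so on a patched kernel this list
# should normally be empty.

# find_world_writable_params [DIR]
# Print the parameter files under DIR (default /sys/module) whose mode grants
# write permission to group (020) or others (002).
find_world_writable_params() {
    dir="${1:-/sys/module}"
    find "$dir" -path '*/parameters/*' -type f \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# count_world_writable_params [DIR]
# Number of such files, convenient for a pass/fail check in a hardening script.
count_world_writable_params() {
    find_world_writable_params "$1" | wc -l | tr -d ' '
}

# make_sample_tree
# Build a constructed stand-in for /sys/module in a temp dir so the check can
# be exercised offline: "loose_mod" has a world-writable dbg_lvl (the pre-fix
# situation), "fixed_mod" has the S_IWUSR mode the fix applies. Both module
# names are invented. Prints the temp dir path; the caller removes it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/loose_mod/parameters" "$root/fixed_mod/parameters"
    printf '0\n' > "$root/loose_mod/parameters/dbg_lvl"
    chmod 0666 "$root/loose_mod/parameters/dbg_lvl"   # S_IRUGO | S_IWUGO
    printf '0\n' > "$root/fixed_mod/parameters/dbg_lvl"
    chmod 0200 "$root/fixed_mod/parameters/dbg_lvl"   # S_IWUSR only
    printf '%s\n' "$root"
}

# Stand-alone use: report on the running kernel when sysfs is available,
# otherwise demonstrate on the constructed tree.
if [ -d /sys/module ]; then
    find_world_writable_params /sys/module
else
    sample=$(make_sample_tree)
    find_world_writable_params "$sample"
    rm -rf "$sample"
fi
```

Run it as root on the target kernel and treat any line of output as a parameter worth checking against the driver's module_param declaration; a parameter that still shows up after the patch is applied means the fix did not reach that driver.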
