[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#633561: pu: package kfreebsd-8/8.1+dfsg-8+squeeze1

2011/9/17 Adam D. Barratt <adam@adam-barratt.org.uk>:
>>   * Fix net802.11 stack kernel memory disclosure (CVE-2011-2480).
>>     (Closes: #631160)
>>     - 000_net80211_disclosure.diff
> This looks okay, although I think you meant #631161.

Yes, indeed #631161.

> Your last message
> in the log there says "uploaded to unstable, but the bug is still open
> with no fixed versions recorded.  Please could you clarify the status
> here?

#631161 was fixed with kfreebsd-8 8.2-3, but it closed the wrong bug
(same confusion you noted above).

#631160 was fixed with kfreebsd-9 as the bug log indicates.

>>   * Merge backported if_msk driver from 8-STABLE.  (Closes: #628954)
>>     - 000_msk_backport.diff
> This should be okay, assuming that the resulting driver has been tested
> on Squeeze systems.

Yes, it has been.

> A targetted fix would be preferable, but it sounds
> from the upstream report as if that's not particularly easy to
> accomplish.

Upstream won't help on this, they consider 8.1 deprecated in favour of
8.2 (from which this fix was obtained).

Besides, I wouldn't risk messing with the driver in this way.
Upstream have different policies than us, but they're familiar with
the codebase and know what they're doing.

>>   * Disable buggy 009_disable_duped_modules.diff.  It was disabling many
>>     more modules than built into kernel (e.g. all USB modules).
> A few queries here, I'm afraid.
> - What's the effect of re-enabling the (duplicate) building of the
> modules which were intended to be disabled?

Just wasted space.

> - Does this affect which modules end up in the udebs?
> - The changelog comment from when the patch was introduced says that it
> made a ~4MB difference to the size of the image.  As that was 2007, I'm
> assuming that the size difference is a fair bit larger now?

The difference today is roughly 8 MiB. However, one should note that
the ~4MB difference from 2007 is likely to have "saved" more size than
it should (since my patch disabled more modules than it should). I
wouldn't take it as reference.

> - If the impact of the patch was to disable all USB modules, why was it
> not disabled sooner?

The USB drivers most users care about have either never been built as
modules (e.g. umass), or only begun recently to be provided as modules
(e.g. ulpt).

Since freebsd-utils 8.2+ds1-1, devd is able to auto-load most USB
modules.  This allowed us to move some drivers (e.g. ulpt) off the
kernel, and at that point the problem was noticed.

Robert Millan

Reply to: