Re: Linux kernel vulnerabilities in unstable [was: Re: stable vs. testing: same versions, different status]

To: debian-security-tracker@lists.debian.org
Subject: Re: Linux kernel vulnerabilities in unstable [was: Re: stable vs. testing: same versions, different status]
From: Michael S Gilbert <michael.s.gilbert@gmail.com>
Date: Sun, 5 Jul 2009 21:41:15 -0400
Message-id: <[🔎] 8e2a98be0907051841g6649ac1cib5001693e417d546@mail.gmail.com>
In-reply-to: <[🔎] 20090705192303.e2c8ce9b.frx@firenze.linux.it>
References: <20090601175439.c68332fa.frx@firenze.linux.it> <20090628184817.7af4c7db.frx@firenze.linux.it> <8e2a98be0906291057g277700fdi67f4a46218b97baa@mail.gmail.com> <20090629201459.db92c4cd.frx@firenze.linux.it> <20090629143910.9ff76f9d.michael.s.gilbert@gmail.com> <20090630011244.1350bb13.frx@firenze.linux.it> <[🔎] 20090702124045.f8247b84.michael.s.gilbert@gmail.com> <[🔎] 20090704173308.ea286d6e.frx@firenze.linux.it> <[🔎] 20090704201604.bb366efd.michael.s.gilbert@gmail.com> <[🔎] 20090705192303.e2c8ce9b.frx@firenze.linux.it>

On 7/5/09, Francesco Poli wrote:
> http://security-tracker.debian.net/tracker/CVE-2009-0834
> commit 8776fc989b070d4a323793502365acae6851d936
> applied to upstream version 2.6.28.8
> see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.8
> fix present in upstream version 2.6.30: yes

confirmed.

> http://security-tracker.debian.net/tracker/CVE-2009-0835
> commit 1ab4bad21786384ff68dc6576d021acd4e42d8ce
> applied to upstream version 2.6.28.8
> see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.8
> fix present in upstream version 2.6.30: yes

confirmed.

> http://security-tracker.debian.net/tracker/CVE-2009-1242
> commit 16175a796d061833aacfbd9672235f2d2725df65
> applied to upstream version 2.6.29.1
> see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.29.1
> fix present in upstream version 2.6.30: yes

confirmed

> http://security-tracker.debian.net/tracker/CVE-2009-1338
> commit d25141a818383b3c3b09f065698c544a7a0ec6e7
> applied to upstream version 2.6.28
> see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28
> fix present in upstream version 2.6.30: yes

confirmed.

> http://security-tracker.debian.net/tracker/CVE-2009-1630
> commit ???
> applied to upstream version ???
> see ???
> fix present in upstream version 2.6.30: no?!?
>   help!  the fix seems to be
>   http://bugzilla.linux-nfs.org/show_bug.cgi?id=131
>   but fs/nfs/dir.c in linux-2.6_2.6.30.orig.tar.gz does not seem to be fixed
>   I could not even find the fix in linux-2.6_2.6.26-17.diff.gz: is this bug
>   really fixed in Debian stable and Debian testing?!?

upstream patch is 7ee2cb7f32b299c2b06a31fde155457203e4b7dd
and it is indeed integrated in 2.6.30.

> http://security-tracker.debian.net/tracker/CVE-2009-1633
> commit 7b0c8fcff47a885743125dd843db64af41af5a61
> commit 968460ebd8006d55661dec0fb86712b40d71c413
> commit 27b87fe52baba0a55e9723030e76fce94fabcea4
> applied to upstream version 2.6.29.4
> see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.29.4
> fix present in upstream version 2.6.30: it seems to be present

7b0c8fcff47a885743125dd843db64af41af5a61 confirmed.  you have to be
careful, this code has been changed since 2.6.29 and now does the
smart thing using UNICODE_NAME_MAX.

968460ebd8006d55661dec0fb86712b40d71c413 confirmed but should be
double checked.  this code has been completely refactored (and renamed
and some of it is now in cifs_unicode.c), but it doesn't look like the
original problematic code is still present.

27b87fe52baba0a55e9723030e76fce94fabcea4 confirmed but also slightly refactored.

i'm going to defer this one since there has been so much refactoring.

> http://security-tracker.debian.net/tracker/CVE-2009-1758
> commit ???
> applied to upstream version ???
> see ???
> fix present in upstream version 2.6.30: I don't know
>   help!  the fix seems to be
>   http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html
>   but arch/i386/kernel/entry-xen.S is not even present in
>   linux-2.6_2.6.30.orig.tar.gz

this is a xen patch, which i haven't really dealt with before.  i'll
have to ask around to figure out how xen is integrated.

tracker updated.

mike

Reply to:

Follow-Ups:
- Re: Linux kernel vulnerabilities in unstable
  - From: Francesco Poli <frx@firenze.linux.it>

References:
- Re: stable vs. testing: same versions, different status
  - From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
- Re: stable vs. testing: same versions, different status
  - From: Francesco Poli <frx@firenze.linux.it>
- Re: stable vs. testing: same versions, different status
  - From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
- Linux kernel vulnerabilities in unstable [was: Re: stable vs. testing: same versions, different status]
  - From: Francesco Poli <frx@firenze.linux.it>

Prev by Date: Re: Linux kernel vulnerabilities in unstable
Next by Date: Re: Linux kernel vulnerabilities in unstable
Previous by thread: Re: Linux kernel vulnerabilities in unstable
Next by thread: Re: Linux kernel vulnerabilities in unstable
Index(es):
- Date
- Thread