On Sat, 4 Jul 2009 20:16:04 -0400 Michael S. Gilbert wrote: > On Sat, 4 Jul 2009 17:33:08 +0200 Francesco Poli wrote: [...] > > Could someone check that linux-2.6/2.6.30-1 (currently in unstable) is > > really fixed w.r.t. to the above-mentioned CVEs and possibly update the > > security tracker to reflect reality? > > this kind of triage would really help out the kernel-sec team, but i > don't think i'll be able to find the time to do it myself soon. it > would be great if you could help out with this. it should be fairly > straightforward: > > 1. download the debian kernel source package from unstable > 2. find the relevant patch (this is the diff link on the git.kernel.org > page linked from the mitre CVE page) > 3. compare patch to debian kernel source and make sure that it is > present > 4. file RC bugs for unfixed issues and send a message with your findings Here are my findings: I need help from people more knowledgeable than me on a pair of CVEs... http://security-tracker.debian.net/tracker/CVE-2009-0834 commit 8776fc989b070d4a323793502365acae6851d936 applied to upstream version 2.6.28.8 see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.8 fix present in upstream version 2.6.30: yes http://security-tracker.debian.net/tracker/CVE-2009-0835 commit 1ab4bad21786384ff68dc6576d021acd4e42d8ce applied to upstream version 2.6.28.8 see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.8 fix present in upstream version 2.6.30: yes http://security-tracker.debian.net/tracker/CVE-2009-1242 commit 16175a796d061833aacfbd9672235f2d2725df65 applied to upstream version 2.6.29.1 see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.29.1 fix present in upstream version 2.6.30: yes http://security-tracker.debian.net/tracker/CVE-2009-1338 commit d25141a818383b3c3b09f065698c544a7a0ec6e7 applied to upstream version 2.6.28 see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28 fix present in upstream version 2.6.30: yes http://security-tracker.debian.net/tracker/CVE-2009-1630 commit ??? applied to upstream version ??? see ??? fix present in upstream version 2.6.30: no?!? help! the fix seems to be http://bugzilla.linux-nfs.org/show_bug.cgi?id=131 but fs/nfs/dir.c in linux-2.6_2.6.30.orig.tar.gz does not seem to be fixed I could not even find the fix in linux-2.6_2.6.26-17.diff.gz: is this bug really fixed in Debian stable and Debian testing?!? http://security-tracker.debian.net/tracker/CVE-2009-1633 commit 7b0c8fcff47a885743125dd843db64af41af5a61 commit 968460ebd8006d55661dec0fb86712b40d71c413 commit 27b87fe52baba0a55e9723030e76fce94fabcea4 applied to upstream version 2.6.29.4 see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.29.4 fix present in upstream version 2.6.30: it seems to be present http://security-tracker.debian.net/tracker/CVE-2009-1758 commit ??? applied to upstream version ??? see ??? fix present in upstream version 2.6.30: I don't know help! the fix seems to be http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html but arch/i386/kernel/entry-xen.S is not even present in linux-2.6_2.6.30.orig.tar.gz -- New location for my website! Update your bookmarks! http://www.inventati.org/frx ..................................................... Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Attachment:
pgpUImkHsO6er.pgp
Description: PGP signature