Linux kernel vulnerabilities in unstable [was: Re: stable vs. testing: same versions, different status]

To: debian-security-tracker@lists.debian.org
Subject: Linux kernel vulnerabilities in unstable [was: Re: stable vs. testing: same versions, different status]
From: Francesco Poli <frx@firenze.linux.it>
Date: Sun, 5 Jul 2009 19:23:03 +0200
Message-id: <[🔎] 20090705192303.e2c8ce9b.frx@firenze.linux.it>
In-reply-to: <[🔎] 20090704201604.bb366efd.michael.s.gilbert@gmail.com>
References: <20090601175439.c68332fa.frx@firenze.linux.it> <20090610202239.9c146aba.frx@firenze.linux.it> <20090610164038.5ad21105.michael.s.gilbert@gmail.com> <20090614232545.267cdf41.frx@firenze.linux.it> <8e2a98be0906191036x32b8bf28vdce8b4a2c1070ea8@mail.gmail.com> <20090619201718.f1873870.frx@firenze.linux.it> <20090619143152.50c5f20e.michael.s.gilbert@gmail.com> <20090620003528.d8498909.frx@firenze.linux.it> <20090621214425.3fb6b211.michael.s.gilbert@gmail.com> <20090628184817.7af4c7db.frx@firenze.linux.it> <8e2a98be0906291057g277700fdi67f4a46218b97baa@mail.gmail.com> <20090629201459.db92c4cd.frx@firenze.linux.it> <20090629143910.9ff76f9d.michael.s.gilbert@gmail.com> <20090630011244.1350bb13.frx@firenze.linux.it> <[🔎] 20090702124045.f8247b84.michael.s.gilbert@gmail.com> <[🔎] 20090704173308.ea286d6e.frx@firenze.linux.it> <[🔎] 20090704201604.bb366efd.michael.s.gilbert@gmail.com>

On Sat, 4 Jul 2009 20:16:04 -0400 Michael S. Gilbert wrote:

> On Sat, 4 Jul 2009 17:33:08 +0200 Francesco Poli wrote:
[...]
> > Could someone check that linux-2.6/2.6.30-1 (currently in unstable) is
> > really fixed w.r.t. to the above-mentioned CVEs and possibly update the
> > security tracker to reflect reality?
> 
> this kind of triage would really help out the kernel-sec team, but i
> don't think i'll be able to find the time to do it myself soon.  it
> would be great if you could help out with this.  it should be fairly
> straightforward:
> 
> 1. download the debian kernel source package from unstable
> 2. find the relevant patch (this is the diff link on the git.kernel.org
> page linked from the mitre CVE page)
> 3. compare patch to debian kernel source and make sure that it is
> present
> 4. file RC bugs for unfixed issues and send a message with your findings

Here are my findings: I need help from people more knowledgeable than
me on a pair of CVEs...



http://security-tracker.debian.net/tracker/CVE-2009-0834
commit 8776fc989b070d4a323793502365acae6851d936
applied to upstream version 2.6.28.8
see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.8
fix present in upstream version 2.6.30: yes


http://security-tracker.debian.net/tracker/CVE-2009-0835
commit 1ab4bad21786384ff68dc6576d021acd4e42d8ce
applied to upstream version 2.6.28.8
see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.8
fix present in upstream version 2.6.30: yes


http://security-tracker.debian.net/tracker/CVE-2009-1242
commit 16175a796d061833aacfbd9672235f2d2725df65
applied to upstream version 2.6.29.1
see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.29.1
fix present in upstream version 2.6.30: yes


http://security-tracker.debian.net/tracker/CVE-2009-1338
commit d25141a818383b3c3b09f065698c544a7a0ec6e7
applied to upstream version 2.6.28
see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28
fix present in upstream version 2.6.30: yes


http://security-tracker.debian.net/tracker/CVE-2009-1630
commit ???
applied to upstream version ???
see ???
fix present in upstream version 2.6.30: no?!?
  help!  the fix seems to be
  http://bugzilla.linux-nfs.org/show_bug.cgi?id=131
  but fs/nfs/dir.c in linux-2.6_2.6.30.orig.tar.gz does not seem to be fixed
  I could not even find the fix in linux-2.6_2.6.26-17.diff.gz: is this bug
  really fixed in Debian stable and Debian testing?!?


http://security-tracker.debian.net/tracker/CVE-2009-1633
commit 7b0c8fcff47a885743125dd843db64af41af5a61
commit 968460ebd8006d55661dec0fb86712b40d71c413
commit 27b87fe52baba0a55e9723030e76fce94fabcea4
applied to upstream version 2.6.29.4
see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.29.4
fix present in upstream version 2.6.30: it seems to be present


http://security-tracker.debian.net/tracker/CVE-2009-1758
commit ???
applied to upstream version ???
see ???
fix present in upstream version 2.6.30: I don't know
  help!  the fix seems to be
  http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html
  but arch/i386/kernel/entry-xen.S is not even present in
  linux-2.6_2.6.30.orig.tar.gz





-- 
 New location for my website! Update your bookmarks!
 http://www.inventati.org/frx
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

Attachment: pgpUImkHsO6er.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Linux kernel vulnerabilities in unstable
  - From: Francesco Poli <frx@firenze.linux.it>
- Re: Linux kernel vulnerabilities in unstable [was: Re: stable vs. testing: same versions, different status]
  - From: Michael S Gilbert <michael.s.gilbert@gmail.com>

References:
- Re: stable vs. testing: same versions, different status
  - From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
- Re: stable vs. testing: same versions, different status
  - From: Francesco Poli <frx@firenze.linux.it>
- Re: stable vs. testing: same versions, different status
  - From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Prev by Date: Re: DSA-1825-1 vs. tracker
Next by Date: Re: Linux kernel vulnerabilities in unstable
Previous by thread: Re: stable vs. testing: same versions, different status
Next by thread: Re: Linux kernel vulnerabilities in unstable
Index(es):
- Date
- Thread