
Re: questioning lenny's vulnerability to CVE-2010-3301



> The kernel was tagged at 2.6.26 a few days before this commit, so that
> tag, and therefore the Debian package linux-2.6 version 2.6.26-25, do
> not include this commit.  So based on Ben Hawkes' description of the
> problem, I don't believe lenny is vulnerable to it, although squeeze
> certainly is, as Ben's exploit code demonstrates.

I see <http://security-tracker.debian.org/tracker/CVE-2010-3301> has now
been updated to say that lenny is not vulnerable.  Further to this, I
would like to suggest that etch, etch (security), i.e. linux-2.6
version 2.6.18.dfsg.1-26etch2, and etch-backports, i.e. linux-2.6
version 2.6.26-21~bpo40+1, are not vulnerable either, for the same
reason, namely that they predate the problematic commit.

(According to <http://sota.gen.nz/compat2/>, the commit reintroduced
essentially the same vulnerability as CVE-2007-4573, but that was fixed
in etch in version 2.6.18.dfsg.1-13etch4; see DSA-1381-2.)

Finally, although 2.6.35-1~experimental.3 is described as fixed, I've
now looked at the code and the LOAD_ARGS32 macro is still missing a
setting of %eax so I believe it is still vulnerable.

Thanks.

