Re: CVE-2013-2224 RHEL-specific?



On Fri, 2013-07-05 at 10:54 +0100, Steven Chamberlain wrote:
> Hi,
> 
> I notice CVE-2013-2224 was marked in the security tracker as affecting
> only RHEL kernels, but I just wanted to double-check that:
> 
> The issue was allegedly introduced into RHEL by a backport of a mainline
> commit, to try to fix CVE-2012-3552:
> 
> > f6d8bd051c391c1c0458a30b2a7abcd939329259 (inet: add RCU protection to inet->opt)
> 
> But the Debian changelog[0] for 2.6.32-48squeeze3 (aka squeeze2)
> mentions something similar was done:
> 
> * inet: add RCU protection to inet->opt (CVE-2012-3552)
> 
> and the actual same commit was seemingly applied as a patch[1].
> 
> [0]:
> http://anonscm.debian.org/viewvc/kernel/dists/squeeze-security/linux-2.6/debian/changelog?revision=20073&view=markup
> 
> [1]:
> http://anonscm.debian.org/viewvc/kernel/dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/inet-add-RCU-protection-to-inet-opt.patch?view=markup&pathrev=19969

Our backport is different.

Ben.

-- 
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.
