Bug 112791 - Kernel 2.4.32 released, containing security fixes
Bug#: 112791 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: akorthaus@web.de
Component: Kernel
URL:  http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.32
Summary: Kernel 2.4.32 released, containing security fixes
Keywords:  
Status Whiteboard: [linux <2.4.32]
Opened: 2005-11-17 02:53 0000
Description:   Opened: 2005-11-17 02:53 0000 
Kernel 2.4.32 has been released, containing some security fixes like
[CAN-2005-0204] and the zlib issue. As far as I can see these issues have not
been fixed in vanilla-sources or hardened-sources. 

There is also a new grsec patch for hardened-sources, containing a lot of fixes:
http://grsecurity.net/news.php#grsec217

Apart from 2.4.32 release, shouldn't lead such security fixes to new -r ebuilds
of the latest 2.4 kernel versions (http://linux.exosec.net/kernel/2.4-hf/)? 

You can find the following (security-)issues in 2.4, since 2.4.31 release, which
 are not in the gentoo ebuilds (AFAIK):
http://linux.exosec.net/kernel/2.4-hf/2.4.31/2.4.31-hf8/CONTENTS

Sorry in advance if I'm wrong! 

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

------- Comment #1 From Gustavo Zacarias (RETIRED) 2005-11-29 12:24:25 0000 ------- 
vanilla-sources-2.4.32 bumped by me with dsd's authorization.

------- Comment #2 From Tim Yamin (RETIRED) 2005-12-23 17:30:38 0000 ------- 
Adding maintainers; {mips,openmosix,rsbac,xbox}-sources.

------- Comment #3 From Tim Yamin (RETIRED) 2006-01-02 15:09:57 0000 ------- 
Toggle status.

------- Comment #4 From Carsten Lohrke 2006-01-02 15:36:47 0000 ------- 
http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.1/CHANGELOG

Shameless hint... ;) Or are those fixes considered too unimportant (a local DoS
at least) for a revision bump?

------- Comment #5 From Tim Yamin (RETIRED) 2006-01-03 11:55:40 0000 ------- 
Adding CCs; hardened and xbox: it may be beneficial if you add the backport
patches.

------- Comment #6 From Tim Yamin (RETIRED) 2006-01-03 11:57:05 0000 ------- 
sparc-sources 2.4.32-r1 and gentoo-sources 2.4.32-r1 resolve the issue with
backports.

------- Comment #7 From solar 2006-01-04 05:22:43 0000 ------- 
(In reply to comment #5)
> Adding CCs; hardened and xbox: it may be beneficial if you add the backport
> patches.

got a link to the patches broken out?

------- Comment #8 From Tim Yamin (RETIRED) 2006-01-04 06:52:54 0000 ------- 
> got a link to the patches broken out?

09-*.patch in the gentoo-sources-2.4.32-r2 patchball or here:
http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.1/2.4.32-hf32.1.split.tgz

------- Comment #9 From solar 2006-01-05 09:32:07 0000 ------- 
Thanks Tim

hardened-sources-2.4.32-r1 is in the tree now with the 09* patches as ~arch.

------- Comment #10 From Tim Yamin (RETIRED) 2006-04-15 13:36:09 0000 ------- 
@cluster, kang: Any news on an update?

------- Comment #11 From Carsten Lohrke 2006-04-15 13:45:26 0000 ------- 
Tim, as you're updating the bug, it would be nice to see a new revision,
including the patches from

http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.3/

------- Comment #12 From Tim Yamin (RETIRED) 2006-04-16 15:23:46 0000 ------- 
(In reply to comment #11)
> Tim, as you're updating the bug, it would be nice to see a new revision,
> including the patches from
> 
> http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.3/

gentoo-sources-2.4.32-r3 in the tree. Maintainers please add the 09-* series of
patches from the tarball if possible.

The following maintainers still need to bump to 2.4.32:

kurobox-sources (@nerdboy, adding to CC)
openmosix-sources (@cluster, adding voxus to CC)
rsbac-sources (@kang)

Following maintainers please consider adding 09-* series of genpatches if
possible, some/most of them may already be in your patchset:

hardened-sources (solar)
sparc-sources (gustavoz)
xbox-sources (chrb/gimli)

------- Comment #13 From Tim Yamin (RETIRED) 2006-04-16 15:24:38 0000 ------- 
(In reply to comment #12)
> gentoo-sources-2.4.32-r3 in the tree. Maintainers please add the 09-* series of
> patches from the tarball if possible.

http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/gentoo-sources-2.4.32-r3.tar.bz2

------- Comment #14 From solar 2006-04-16 19:51:18 0000 ------- 
Thanks Tim.

hardened-sources-2.4.32 bumped to -r3 ~arch with the following new patches.
 09-07.CAN-2004-1058.patch                                                      
 09-08.fix-inode-overflow.patch
 09-09.fix-ptrace-self-attach-rule.patch                                        
 09-10.fix-sockaddr_in-leaks.patch                                              
 09-11.orinoco-CVE-2005-3180.patch                                              
 09-12.wan-sdla-leak.patch

------- Comment #15 From solar 2006-04-20 04:45:58 0000 ------- 
seems that only gentoo/hardened-sources are still maintained.

------- Comment #16 From Gustavo Zacarias (RETIRED) 2006-04-24 13:44:00 0000 ------- 
sparc-sources-2.4.32-r4 in and sparc stable.

------- Comment #17 From Carsten Lohrke 2006-05-07 07:02:16 0000 ------- 
There's a new hot fix release 

http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.4/CHANGELOG

------- Comment #18 From Tim Yamin (RETIRED) 2006-05-11 13:41:34 0000 ------- 
gentoo-sources-2.4.32-r4 now in Portage and stable, thanks. New security
patches listed below; if you're on x86 note the tweak you'd probably have to do
with one of them:

* 09-13.vlan_ioctl-missing-checks.patch
* 09-14.netfilter-ipt_recent-memleak.patch
* 09-15.CVE-2006-1864.patch
* 09-16.CVE-2006-1524.patch
* 09-17.CVE-2006-1056-i386.patch <-- Do not use unless you have an lck
scheduler
* 09-17.CVE-2006-1056-i386.patch.orig <-- Use this instead (rename from .orig)

------- Comment #19 From Gustavo Zacarias (RETIRED) 2006-05-12 12:09:29 0000 ------- 
sparc-sources-2.4.32-r5 in as ~sparc for a couple of days.
You probably want 2.4.32-via-rhine-zero-pad-short-packets-1 in too for
hardened/gentoo-sources.
New patches for r5:
4013-vlan_ioctl_missing_checks.patch
4014_netfilter-ipt_recent-memleak.patch
4015_CVE-2006-1864-smbfs-escape-chroot.patch
4016_CVE-2006-1524-fix-shm-mprotect.patch
4017_via-rhine-zero-pad-short-packets.patch

------- Comment #20 From Tim Yamin (RETIRED) 2006-05-18 13:36:15 0000 ------- 
nerdboy: No response from you for a while, I've security masked
kurobox-sources. Please bump to 2.4.32 and then feel free to unmask. Contact on
IRC or mail if this is a problem.

carlo: Further -hf announcements please just open a new bug to me, thanks :)

All the other sources are fine now, changing bug status...

------- Comment #21 From Björn Tropf 2009-11-14 09:28:58 0000 ------- 
Reopen bug in order to add a valid whiteboard.