Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 207393
Alias:
Product:
Component:
Status: CLOSED
Resolution: FIXED
Assigned To: The Gentoo Linux Hardened Team <hardened@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Gordon Malm <gengor@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:

Filename Description Type Creator Created Size Actions
hardened-sources-2.6.23-r7.ebuild hardened-sources-2.6.23-r7.ebuild text/plain Olivier Huber 2008-02-11 18:06 0000 745 bytes Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 207393 depends on: Show dependency tree
Bug 207393 blocks:
Votes: 0    Show votes for this bug    Vote for this bug

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.




View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2008-01-25 15:59 0000 
Linux 2.6.23.13 was released on 2008-01-09 with a single serious fix (current
software possibly killing hardware) in the w83627ehf hardware monitoring
driver.  Atleast one of my machines uses this driver.

Linux 2.6.23.14 was released on 2008-01-14 with a fix for a serious security
flaw in the VFS layer.  An attacker could use this flaw to gain access to
arbitrary files and possibly gain elevated privileges.

http://www.securityfocus.com/bid/27280/info
http://lwn.net/Articles/265381/


I also want to say thank you hardened team for all your hard work.  I, and
others appreciate everything you do to make Hardened Gentoo awesome.  You guys
are my rock stars.

Reproducible: Always

------- Comment #1 From Gordon Malm 2008-01-25 16:10:39 0000 ------- 
Sorry for second post but I forgot to mention.. perhaps this VFS flaw be
considered for GLSA as well?  It is about as serious a flaw as can be and
everyone is affected.

------- Comment #2 From Gordon Malm 2008-01-29 17:17:46 0000 ------- 
Thank you for the quick addition to the tree.  I hate to be a bother but is
there any plans for a -r7 with the new grsec released Jan 23rd?  It contains a
potential fix for a deadlock in the signal logging code.  2.6.24 obviously
needs some time to stable & settle so personally, I'm hoping 2.6.23 will get
updates for awhile.

------- Comment #3 From Olivier Huber 2008-02-11 18:06:53 0000 ------- 
Created an attachment (id=143223) [details]
hardened-sources-2.6.23-r7.ebuild

I try to do it, but I think it need some testing and review.

------- Comment #4 From Kerin Millar 2008-02-11 18:43:22 0000 ------- 
I was notified of this bug just as I was about to file something similar!

Here's my offering: http://confucius.dh.bytemark.co.uk/~kerin.millar/

Changes:

* Bump to genpatches-base-2.6.23-9
* Ported grsecurity-2.1.11-2.6.23.14-200801231800 to 2.6.23.15
* Disables COMPAT_VDSO in x86/defconfig
* Removes bogus symbols ACPI_SLEEP_PROC_(FS|SLEEP) from x86_64/defconfig

Fixes (relative to 2.6.23-r6):

* CVE-2007-{6206,6434}
* CVE-2008-{0007,0009,0010,0600}

The port of grsecurity was straight forward except for a few hunks in
mm/mmap.c. For that I used the upstream PaX patch that's in testing for 2.6.24
as guidance. One difference I observed between my patch and Olivier's is that,
in mine, the call to security_file_mmap() takes precedence in
expand_downwards() as this is how it is implemented in the 2.6.24 patch.

Working for me so far:

Linux spoiler 2.6.23-hardened-r7 #1 SMP Mon Feb 11 11:24:33 GMT 2008 x86_64
Dual-Core AMD Opteron(tm) Processor 2212 HE AuthenticAMD GNU/Linux

... but not heavily tested as of yet.

------- Comment #5 From Olivier Huber 2008-02-11 19:15:24 0000 ------- 
> The port of grsecurity was straight forward except for a few hunks in
> mm/mmap.c. For that I used the upstream PaX patch that's in testing for 2.6.24
> as guidance. One difference I observed between my patch and Olivier's is that,
> in mine, the call to security_file_mmap() takes precedence in
> expand_downwards() as this is how it is implemented in the 2.6.24 patch.

I think you're right : I had no clue whether it should be before or after. Nice
work ;)

Bug closed ?

------- Comment #6 From solar 2008-02-11 19:42:06 0000 ------- 
(In reply to comment #4)
> I was notified of this bug just as I was about to file something similar!
> 
> Here's my offering: http://confucius.dh.bytemark.co.uk/~kerin.millar/
> 
> Changes:
> 
> * Bump to genpatches-base-2.6.23-9
> * Ported grsecurity-2.1.11-2.6.23.14-200801231800 to 2.6.23.15
> * Disables COMPAT_VDSO in x86/defconfig
> * Removes bogus symbols ACPI_SLEEP_PROC_(FS|SLEEP) from x86_64/defconfig
> 
> Fixes (relative to 2.6.23-r6):
> 
> * CVE-2007-{6206,6434}
> * CVE-2008-{0007,0009,0010,0600}
> 
> The port of grsecurity was straight forward except for a few hunks in
> mm/mmap.c. For that I used the upstream PaX patch that's in testing for 2.6.24
> as guidance. One difference I observed between my patch and Olivier's is that,
> in mine, the call to security_file_mmap() takes precedence in
> expand_downwards() as this is how it is implemented in the 2.6.24 patch.
> 
> Working for me so far:
> 
> Linux spoiler 2.6.23-hardened-r7 #1 SMP Mon Feb 11 11:24:33 GMT 2008 x86_64
> Dual-Core AMD Opteron(tm) Processor 2212 HE AuthenticAMD GNU/Linux
> 
> ... but not heavily tested as of yet.
>

this is in the tree as of 5 mins ago. Now it can be closed.
Thanks Kerin and others..

------- Comment #7 From Kerin Millar 2008-02-15 21:03:34 0000 ------- 
Closing as 2.6.23-r7 has been keyworded stable. Anyone interested in the next
release may wish to refer to bug 210026.

------- Comment #8 From Kerin Millar 2008-02-16 00:37:33 0000 ------- 
My apologies, my last comment was erroneous in that 2.6.23-r7 has only been
marked stable on amd64.
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug