Bug 207393 - Proposed hardened-sources-2.6.23-r7 ebuild (CVE-2007-{6206,6434}, CVE-2008-{0007,0009,0010,0600})
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High major
Assignee: The Gentoo Linux Hardened Team
Keywords: InVCS, SECURITY
Reported: 2008-01-25 15:59 UTC by Gordon Malm (RETIRED)
Modified: 2008-02-16 00:37 UTC


Attachments
hardened-sources-2.6.23-r7.ebuild (hardened-sources-2.6.23-r7.ebuild,745 bytes, text/plain)
2008-02-11 18:06 UTC, Olivier Huber
Description Gordon Malm (RETIRED) gentoo-dev 2008-01-25 15:59:58 UTC
Linux 2.6.23.13 was released on 2008-01-09 with a single serious fix (current software possibly killing hardware) in the w83627ehf hardware monitoring driver.  At least one of my machines uses this driver.

Linux 2.6.23.14 was released on 2008-01-14 with a fix for a serious security flaw in the VFS layer.  An attacker could use this flaw to gain access to arbitrary files and possibly gain elevated privileges.

http://www.securityfocus.com/bid/27280/info
http://lwn.net/Articles/265381/


I also want to say thank you hardened team for all your hard work.  I, and others appreciate everything you do to make Hardened Gentoo awesome.  You guys are my rock stars.

Reproducible: Always
Comment 1 Gordon Malm (RETIRED) gentoo-dev 2008-01-25 16:10:39 UTC
Sorry for the second post, but I forgot to mention: perhaps this VFS flaw could be considered for a GLSA as well?  It is about as serious a flaw as can be and everyone is affected.
Comment 2 Gordon Malm (RETIRED) gentoo-dev 2008-01-29 17:17:46 UTC
Thank you for the quick addition to the tree.  I hate to be a bother, but are there any plans for a -r7 with the new grsec released Jan 23rd?  It contains a potential fix for a deadlock in the signal logging code.  2.6.24 obviously needs some time to stable & settle so personally, I'm hoping 2.6.23 will get updates for a while.
Comment 3 Olivier Huber 2008-02-11 18:06:53 UTC
Created attachment 143223
hardened-sources-2.6.23-r7.ebuild

I tried to do it, but I think it needs some testing and review.
Comment 4 kfm 2008-02-11 18:43:22 UTC
I was notified of this bug just as I was about to file something similar!

Here's my offering: http://confucius.dh.bytemark.co.uk/~kerin.millar/

Changes:

* Bump to genpatches-base-2.6.23-9
* Ported grsecurity-2.1.11-2.6.23.14-200801231800 to 2.6.23.15
* Disables COMPAT_VDSO in x86/defconfig
* Removes bogus symbols ACPI_SLEEP_PROC_(FS|SLEEP) from x86_64/defconfig

Fixes (relative to 2.6.23-r6):

* CVE-2007-{6206,6434}
* CVE-2008-{0007,0009,0010,0600}

The port of grsecurity was straightforward except for a few hunks in mm/mmap.c. For that I used the upstream PaX patch that's in testing for 2.6.24 as guidance. One difference I observed between my patch and Olivier's is that, in mine, the call to security_file_mmap() takes precedence in expand_downwards() as this is how it is implemented in the 2.6.24 patch.

Working for me so far:

Linux spoiler 2.6.23-hardened-r7 #1 SMP Mon Feb 11 11:24:33 GMT 2008 x86_64 Dual-Core AMD Opteron(tm) Processor 2212 HE AuthenticAMD GNU/Linux

... but not heavily tested as of yet.
Comment 5 Olivier Huber 2008-02-11 19:15:24 UTC
> The port of grsecurity was straight forward except for a few hunks in
> mm/mmap.c. For that I used the upstream PaX patch that's in testing for 2.6.24
> as guidance. One difference I observed between my patch and Olivier's is that,
> in mine, the call to security_file_mmap() takes precedence in
> expand_downwards() as this is how it is implemented in the 2.6.24 patch.
 
I think you're right: I had no clue whether it should be before or after. Nice work ;)

Bug closed?
Comment 6 solar (RETIRED) gentoo-dev 2008-02-11 19:42:06 UTC
(In reply to comment #4)
> I was notified of this bug just as I was about to file something similar!
> 
> Here's my offering: http://confucius.dh.bytemark.co.uk/~kerin.millar/
> 
> Changes:
> 
> * Bump to genpatches-base-2.6.23-9
> * Ported grsecurity-2.1.11-2.6.23.14-200801231800 to 2.6.23.15
> * Disables COMPAT_VDSO in x86/defconfig
> * Removes bogus symbols ACPI_SLEEP_PROC_(FS|SLEEP) from x86_64/defconfig
> 
> Fixes (relative to 2.6.23-r6):
> 
> * CVE-2007-{6206,6434}
> * CVE-2008-{0007,0009,0010,0600}
> 
> The port of grsecurity was straight forward except for a few hunks in
> mm/mmap.c. For that I used the upstream PaX patch that's in testing for 2.6.24
> as guidance. One difference I observed between my patch and Olivier's is that,
> in mine, the call to security_file_mmap() takes precedence in
> expand_downwards() as this is how it is implemented in the 2.6.24 patch.
> 
> Working for me so far:
> 
> Linux spoiler 2.6.23-hardened-r7 #1 SMP Mon Feb 11 11:24:33 GMT 2008 x86_64
> Dual-Core AMD Opteron(tm) Processor 2212 HE AuthenticAMD GNU/Linux
> 
> ... but not heavily tested as of yet.
>

This is in the tree as of 5 mins ago. Now it can be closed.
Thanks Kerin and others.

Comment 7 kfm 2008-02-15 21:03:34 UTC
Closing as 2.6.23-r7 has been keyworded stable. Anyone interested in the next release may wish to refer to bug 210026.
Comment 8 kfm 2008-02-16 00:37:33 UTC
My apologies, my last comment was erroneous in that 2.6.23-r7 has only been
marked stable on amd64.