CVE-2014-4699 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4699): The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
Why so long? Patch on all distros available after 1 day, but on Gentoo is 1 week or more? I'm sad..
(In reply to Andrey Kolbasenko from comment #1)
> Why so long? Patch on all distros available after 1 day, but on Gentoo is 1
> week or more? I'm sad..

That's not true?

http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tag/?id=v3.15.4
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-3.15.4.ebuild?view=log

It looks like it happened after a day. I'm happy..
(In reply to Tom Wijsman (TomWij) from comment #2)
> (In reply to Andrey Kolbasenko from comment #1)
> > Why so long? Patch on all distros available after 1 day, but on Gentoo is 1
> > week or more? I'm sad..
>
> That's not true?
>
> http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tag/?id=v3.15.4
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-kernel/gentoo-sources/gentoo-sources-3.15.4.ebuild?view=log
>
> It looks like it happened after a day. I'm happy..

And what about other kernel branches being affected? Stable gentoo-sources (3.12.*) for example? And what's the situation with hardened-sources?
(In reply to cyberbat from comment #3)
> And what about other kernel branches being affected? Stable gentoo-sources
> (3.12.*) for example? And what's the situation with hardened-sources?

For the other kernel branches, same story; the affected versions can be seen in the CVE link above, both recent stable and testing gentoo-sources versions LGTM.

No idea about hardened-sources, are they affected? CC-ed them just in case...
(In reply to Tom Wijsman (TomWij) from comment #4)
> (In reply to cyberbat from comment #3)
> > And what about other kernel branches being affected? Stable gentoo-sources
> > (3.12.*) for example? And what's the situation with hardened-sources?
>
> For the other kernel branches, same story; the affected versions can be seen
> in the CVE link above, both recent stable and testing gentoo-sources
> versions LGTM.
>
> No idea about hardened-sources, are they affected? CC-ed them just in case...

I'm sure that the affected version list in the CVE link above is full. For example, in the 3.2 branch the fix is applied only in 3.2.61 (https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.61, commit url: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-3.2.y&id=a0eb191eff753e790def174b3fbe66efadfd401d). It seems that all 3.2 versions before it are affected.

According to the CVE link 3.12.17 is affected, but I wasn't able to find a fix for the bug in 3.12.18-3.12.24. So I think the 3.12 branch doesn't have a version that has been fixed at all. So the last stable version of gentoo-sources is still vulnerable.

And about hardened-sources, blueness has just pointed out to me that he has just stabilized unaffected versions of hardened-sources:

  18 Jul 2014; Anthony G. Basile <blueness@gentoo.org>
  -hardened-sources-3.14.11-r1.ebuild, -hardened-sources-3.14.12.ebuild,
  -hardened-sources-3.15.4-r1.ebuild, -hardened-sources-3.15.5.ebuild,
  -hardened-sources-3.2.60-r8.ebuild, -hardened-sources-3.2.60-r9.ebuild,
  -hardened-sources-3.2.61.ebuild, hardened-sources-3.14.12-r1.ebuild,
  hardened-sources-3.15.5-r1.ebuild, hardened-sources-3.2.61-r1.ebuild:
  Stable on amd64 and x86, addresses CVE-2014-4699
I might argue that in the CVE link, the lists of affected versions or versions that fix the issue are not complete.

If "commit b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a upstream." is the one fixing this issue, it is included in the following versions (regarding 3.4, 3.10 and 3.12):

https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.97
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.47
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.25

And to recap, the following versions (in 3.14 and 3.15) were listed in external sources as CONFIRM (and contain the same commit):

https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.11
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.4

All five of these can currently be found in sys-kernel/gentoo-sources.
post ~ # emerge '=sys-kernel/gentoo-sources-3.12.25'
Calculating dependencies... done!
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) sys-kernel/gentoo-sources-3.12.25
 * linux-3.12.tar.xz SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
>>> Downloading 'http://distfiles.gentoo.org/distfiles/genpatches-3.12-28.base.tar.xz'
--2014-07-25 18:59:54-- http://distfiles.gentoo.org/distfiles/genpatches-3.12-28.base.tar.xz
Resolving distfiles.gentoo.org... 64.50.233.100, 156.56.247.195, 140.211.166.134, ...
Connecting to distfiles.gentoo.org|64.50.233.100|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-07-25 18:59:54 ERROR 404: Not Found.
>>> Downloading 'http://gentoo.ussg.indiana.edu/distfiles/genpatches-3.12-28.base.tar.xz'
--2014-07-25 18:59:54-- http://gentoo.ussg.indiana.edu/distfiles/genpatches-3.12-28.base.tar.xz
Resolving gentoo.ussg.indiana.edu... 156.56.247.195
Connecting to gentoo.ussg.indiana.edu|156.56.247.195|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-07-25 18:59:57 ERROR 404: Not Found.
>>> Downloading 'http://gentoo-distfiles.mirrors.tds.net/distfiles/genpatches-3.12-28.base.tar.xz'
--2014-07-25 18:59:57-- http://gentoo-distfiles.mirrors.tds.net/distfiles/genpatches-3.12-28.base.tar.xz
Resolving gentoo-distfiles.mirrors.tds.net... 216.165.129.135
Connecting to gentoo-distfiles.mirrors.tds.net|216.165.129.135|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-07-25 18:59:57 ERROR 404: Not Found.
>>> Downloading 'http://ftp.halifax.rwth-aachen.de/gentoo/distfiles/genpatches-3.12-28.base.tar.xz'
--2014-07-25 18:59:57-- http://ftp.halifax.rwth-aachen.de/gentoo/distfiles/genpatches-3.12-28.base.tar.xz
Resolving ftp.halifax.rwth-aachen.de... 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-07-25 18:59:57 ERROR 404: Not Found.
>>> Downloading 'http://gentoo.osuosl.org/distfiles/genpatches-3.12-28.base.tar.xz'
--2014-07-25 18:59:57-- http://gentoo.osuosl.org/distfiles/genpatches-3.12-28.base.tar.xz
Resolving gentoo.osuosl.org... 64.50.233.100, 64.50.236.52
Connecting to gentoo.osuosl.org|64.50.233.100|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
-----------------------
it's time to rename the branch "STABLE" to "NOT SO STABLE"..
Fix in 3.16, https://github.com/torvalds/linux/commit/b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a
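
Added example (not part of the bug thread and not Gentoo tooling): a Python check that classifies a kernel release string against the first fixed upstream stable releases cited in the comments above (3.2.61, 3.4.97, 3.10.47, 3.12.25, 3.14.11, 3.15.4, and 3.16 mainline). It assumes plain upstream version numbering, so distro revisions such as the hardened-sources -r1 ebuilds need their own changelog check; the function names and sample strings are constructed, and branches the thread does not mention are reported as unknown.

```python
import re

# First upstream stable release per branch that carries the fix, taken from
# the ChangeLog links cited in this thread. Branches absent here were not
# discussed in the thread, so no claim is made about them.
FIXED_IN = {
    (3, 2): 61,
    (3, 4): 97,
    (3, 10): 47,
    (3, 12): 25,
    (3, 14): 11,
    (3, 15): 4,
}
FIXED_MAINLINE = (3, 16)  # "Fix in 3.16" per the last comment

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Return (major, minor, patch) from a string such as '3.12.21-gentoo-r1'."""
    match = _VERSION.match(release.strip())
    if match is None:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def cve_2014_4699_status(release):
    """Classify a release as 'fixed', 'vulnerable' or 'unknown'."""
    major, minor, patch = parse_release(release)
    if (major, minor) >= FIXED_MAINLINE:
        return "fixed"
    needed = FIXED_IN.get((major, minor))
    if needed is None:
        # Branch not covered by the thread: check its changelog for the fix.
        return "unknown"
    return "fixed" if patch >= needed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample release strings, in the style of `uname -r` output.
    for sample in ("3.12.21-gentoo-r1", "3.12.25-gentoo", "3.2.60", "3.13.0"):
        print(sample, cve_2014_4699_status(sample))
```

A result of "fixed" only means the version number is at or past the cited release; a kernel built from patched sources with an older version string has to be checked against the commit itself.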