| Summary: | Proposed hardened-sources-2.6.23-r7 ebuild (CVE-2007-{6206,6434}, CVE-2008-{0007,0009,0010,0600}) | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Gordon Malm (RETIRED) <gengor> |
| Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | VERIFIED FIXED | | |
| Severity: | major | CC: | kfm |
| Priority: | High | Keywords: | InVCS, SECURITY |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | hardened-sources-2.6.23-r7.ebuild | | |

Description
Gordon Malm (RETIRED)
2008-01-25 15:59:58 UTC
Sorry for second post but I forgot to mention.. perhaps this VFS flaw should be considered for GLSA as well? It is about as serious a flaw as can be and everyone is affected.

Thank you for the quick addition to the tree. I hate to be a bother but are there any plans for a -r7 with the new grsec released Jan 23rd? It contains a potential fix for a deadlock in the signal logging code. 2.6.24 obviously needs some time to stable & settle so personally, I'm hoping 2.6.23 will get updates for a while.

Created attachment 143223
hardened-sources-2.6.23-r7.ebuild

I tried to do it, but I think it needs some testing and review.

I was notified of this bug just as I was about to file something similar!

Here's my offering: http://confucius.dh.bytemark.co.uk/~kerin.millar/

Changes:

* Bump to genpatches-base-2.6.23-9
* Ported grsecurity-2.1.11-2.6.23.14-200801231800 to 2.6.23.15
* Disables COMPAT_VDSO in x86/defconfig
* Removes bogus symbols ACPI_SLEEP_PROC_(FS|SLEEP) from x86_64/defconfig

Fixes (relative to 2.6.23-r6):

* CVE-2007-{6206,6434}
* CVE-2008-{0007,0009,0010,0600}

The port of grsecurity was straightforward except for a few hunks in mm/mmap.c. For that I used the upstream PaX patch that's in testing for 2.6.24 as guidance. One difference I observed between my patch and Olivier's is that, in mine, the call to security_file_mmap() takes precedence in expand_downwards() as this is how it is implemented in the 2.6.24 patch.

Working for me so far:

Linux spoiler 2.6.23-hardened-r7 #1 SMP Mon Feb 11 11:24:33 GMT 2008 x86_64 Dual-Core AMD Opteron(tm) Processor 2212 HE AuthenticAMD GNU/Linux

... but not heavily tested as of yet.

> The port of grsecurity was straightforward except for a few hunks in
> mm/mmap.c. For that I used the upstream PaX patch that's in testing for 2.6.24
> as guidance. One difference I observed between my patch and Olivier's is that,
> in mine, the call to security_file_mmap() takes precedence in
> expand_downwards() as this is how it is implemented in the 2.6.24 patch.
I think you're right: I had no clue whether it should be before or after. Nice work ;)

Bug closed?

(In reply to comment #4)
> I was notified of this bug just as I was about to file something similar!
>
> Here's my offering: http://confucius.dh.bytemark.co.uk/~kerin.millar/
>
> Changes:
>
> * Bump to genpatches-base-2.6.23-9
> * Ported grsecurity-2.1.11-2.6.23.14-200801231800 to 2.6.23.15
> * Disables COMPAT_VDSO in x86/defconfig
> * Removes bogus symbols ACPI_SLEEP_PROC_(FS|SLEEP) from x86_64/defconfig
>
> Fixes (relative to 2.6.23-r6):
>
> * CVE-2007-{6206,6434}
> * CVE-2008-{0007,0009,0010,0600}
>
> The port of grsecurity was straightforward except for a few hunks in
> mm/mmap.c. For that I used the upstream PaX patch that's in testing for 2.6.24
> as guidance. One difference I observed between my patch and Olivier's is that,
> in mine, the call to security_file_mmap() takes precedence in
> expand_downwards() as this is how it is implemented in the 2.6.24 patch.
>
> Working for me so far:
>
> Linux spoiler 2.6.23-hardened-r7 #1 SMP Mon Feb 11 11:24:33 GMT 2008 x86_64
> Dual-Core AMD Opteron(tm) Processor 2212 HE AuthenticAMD GNU/Linux
>
> ... but not heavily tested as of yet.
>

This is in the tree as of 5 mins ago. Now it can be closed. Thanks Kerin and others..

Closing as 2.6.23-r7 has been keyworded stable. Anyone interested in the next release may wish to refer to bug 210026.

My apologies, my last comment was erroneous in that 2.6.23-r7 has only been marked stable on amd64.