
Bug 215546

Summary: Please include patch for the vmsplice local root exploit for kernels < 2.6.23-gentoo*
Product: Gentoo Security
Reporter: Antek Grzymała (antoszka) <antoni>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: enhancement
CC: kernel
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://kerneltrap.org/mailarchive/linux-kernel/2008/2/10/804734
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 209460
Bug Blocks:

Description Antek Grzymała (antoszka) 2008-03-31 10:20:31 UTC
The vmsplice local root exploit patch should be included for all affected gentoo-sources kernels in the tree.

I am currently stuck with kernels 2.6.22* because of the ioremap bug in all later kernels (see bugs: http://bugzilla.kernel.org/show_bug.cgi?id=10077 and http://bugzilla.kernel.org/show_bug.cgi?id=9955). Possibly there are a lot of other people forced to stick with the 2.6.22 kernel and there's no reason why the exploit should be patched only in >=2.6.23.

Reproducible: Always
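A small defender-side check for the situation the reporter describes, added here as an example (it is not from the bug report and not part of gentoo-sources): it strips the distribution suffix from a kernel release string, turns the numeric part into a comparable integer, and reports whether the release is below the 2.6.23 cutoff named in the bug title. The 2.6.23 threshold is the one stated on this page; the function names and the sample release strings are my own.

```shell
#!/bin/sh
# Added example: report whether a kernel release string is older than 2.6.23,
# the version from which this bug says gentoo-sources carries the vmsplice fix.
# Helper names are invented for this example; the cutoff comes from the bug title.

# Collapse a release string to one sortable integer, e.g.
# "2.6.22-gentoo-r9" -> "2.6.22" -> 2*1000000 + 6*1000 + 22 = 2006022.
# Everything from the first character that is neither a digit nor a dot
# is treated as a distribution suffix and discarded.
kernel_key() {
    base=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    major=$(printf '%s\n' "$base" | cut -d. -f1)
    minor=$(printf '%s\n' "$base" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$base" | cut -s -d. -f3)
    [ -n "$major" ] || major=0
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    echo $((major * 1000000 + minor * 1000 + patch))
}

# Succeed (return 0) when $1 is strictly below 2.6.23, i.e. in the range the
# bug title describes as not carrying the vmsplice fix.
vmsplice_fix_missing() {
    [ "$(kernel_key "$1")" -lt "$(kernel_key 2.6.23)" ]
}

# Report on one release string (default: the running kernel) and return 1
# when it falls in the unpatched range, so the function can gate a script.
check_kernel() {
    rel=${1:-$(uname -r)}
    if vmsplice_fix_missing "$rel"; then
        echo "$rel: older than 2.6.23, vmsplice fix not included per this bug"
        return 1
    fi
    echo "$rel: 2.6.23 or newer"
    return 0
}

# Constructed sample releases first, then the kernel this script runs on.
for rel in 2.6.22-gentoo-r9 2.6.23-gentoo 2.6.24-gentoo-r3; do
    check_kernel "$rel" || true
done
check_kernel
```

The suffix stripping is what makes this usable on Gentoo release strings such as `2.6.22-gentoo-r9`; the `-r9` revision is ignored on purpose, because the bug's claim is about the upstream version, not the ebuild revision.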
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 12:50:09 UTC
Please note that there are several bugs unfixed within the 2.6.22 version of gentoo-sources, among them bugs 158788, 171888, 188644, 196862, 198997, 199312, 199691, 199845, 200769, 202235, 202290, 209460 and 213811.

I'm pulling in the kernel team for advice, because it is fixed in gentoo-sources as far as the security policy is concerned, and this would only be an enhancement.
Comment 2 Daniel Drake (RETIRED) gentoo-dev 2008-03-31 13:19:59 UTC
gentoo-sources-2.6.22 is no longer supported and will not be updated. gentoo-sources-2.6.24 is currently the only supported version.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 13:26:46 UTC
Thanks for making that clear, Daniel.
Comment 4 Antek Grzymała (antoszka) 2008-03-31 13:29:00 UTC
(In reply to comment #2)

> gentoo-sources-2.6.22 is no longer supported and will not be updated.

Then it should either be removed from the tree, masked or patched. It's a simple fix, two minutes' worth of work. I think keeping unmasked insecure packages is neither in Gentoo's interest nor the security policy.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 14:38:13 UTC
(In reply to comment #4)
> (In reply to comment #2)
> 
> > gentoo-sources-2.6.22 is no longer supported and will not be updated.
> 
> Then it should either be removed from the tree, masked or patched. It's a
> simple fix, two minutes' worth of work. I think keeping unmasked insecure
> packages is neither in Gentoo's interest nor the security policy.

As far as our security policy goes, only the latest available ebuild for each source is supported. I see how that is not desirable for both developers and users, and we are working on improving that. Your help is very much appreciated there, please talk to me on irc or via mail.
Comment 6 Daniel Drake (RETIRED) gentoo-dev 2008-03-31 14:45:03 UTC
If you have time, you should file bugs for any issues preventing you from running the latest kernel. We are then at least aware of the issues, can track them, and can maybe help solve them. When marking new kernels stable (and ending support for older ones) we always review outstanding regression bugs and base decisions on that. We can't consider regressions that nobody has told us about :)