
Bug 610824

Summary: gentoo-sources-4.10.0 removed from portage, but not vulnerable to CVE-2017-6074
Product: Gentoo Linux
Reporter: Jordan Patterson <jordanp>
Component: Current packages
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED FIXED
Severity: normal
CC: josef64
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Jordan Patterson 2017-02-24 17:07:10 UTC
I just noticed that gentoo-sources-4.10.0 was removed as part of a commit removing 4.9.X kernels vulnerable to CVE-2017-6074.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e5b2e4113a2f1c694a5b0504feb1a2876c735b4

Was this a mistake?  4.10.0 is not vulnerable.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?h=v4.10

The commit "dccp: fix freeing skb too early for IPV6_RECVPKTINFO" fixes the vulnerability and is part of the release.
Comment 1 Ivan Grynko 2017-02-24 17:19:27 UTC
(In reply to Jordan Patterson from comment #0)
> I just noticed that gentoo-sources-4.10.0 was removed as part of a commit
> removing 4.9.X kernels vulnerable to CVE-2017-6074.
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e5b2e4113a2f1c694a5b0504feb1a2876c735b4
> 
> Was this a mistake?  4.10.0 is not vulnerable.
> 
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?h=v4.10
> 
> The commit "dccp: fix freeing skb too early for IPV6_RECVPKTINFO" fixes the
> vulnerability and is part of the release.

Almost sure that it was curves hands
Comment 2 Mike Pagano gentoo-dev 2017-02-24 18:00:49 UTC
whoops

commit f694a4343554dd0bebd7d46f61dd752db81333fb
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Fri Feb 24 12:59:04 2017 -0500

    sys-kernel/gentoo-sources: Restore 4.10.0