Bug 616922

Summary:	Patch to fix CVE-2016-10229 is missing from Linux 4.1.39 (4.1.y latest)
Product:	Gentoo Security	Reporter:	Richard Yao (RETIRED) <ryao>
Component:	Kernel	Assignee:	Gentoo Kernel Security <security-kernel>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	alicef
Priority:	Normal	Keywords:	SECURITY
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Richard Yao (RETIRED) gentoo-dev

2017-04-29 02:27:48 UTC

Here is the CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229

Here is the referenced upstream patch:

https://github.com/torvalds/linux/commit/197c949e7798fbf28cfadc69d9ca0c2abbf93191

It is missing from 4.1.39 (I checked) and applies. sys-kernel/gentoo-sources-4.1.39 and sys-kernel/vanilla-sources-4.1.39 are both vulnerable.

Comment 1 Richard Yao (RETIRED) gentoo-dev

2017-04-29 02:33:47 UTC

I would like to notify the Linux 4.1.y maintainer about this, but there is bold red text saying not to disclose anything or commit anything, so please let me know what I should do.

Comment 2 Yury German Gentoo Infrastructure

2017-04-29 02:34:18 UTC


*** This bug has been marked as a duplicate of bug 615480 ***

Comment 3 Richard Yao (RETIRED) gentoo-dev

2017-04-29 03:36:24 UTC

I have notified the 4.1.y maintainer by email as per my discussion with Yury.

Comment 4 Arisu Tachibana Gentoo Infrastructure

2017-04-29 14:03:04 UTC

masked =vanilla-sources-4.1.39
https://github.com/gentoo/gentoo/commit/9f7aab68a74249534e48c2745b9f480f427859d1

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2017-04-29 22:31:20 UTC

Issue is public.

Maintainer was notified via LKML >14d ago.

Dupe of bug 615480.

*** This bug has been marked as a duplicate of bug 615480 ***