
Bug 634874

Summary: <sys-kernel/gentoo-sources-4.13.8: alsa: use-after-free in /dev/snd/seq (CVE-2017-15265)
Product: Gentoo Security Reporter: Stefan Gast <stefan.gast>
Component: Kernel Assignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15265
Whiteboard:
Package list:
Runtime testing required: ---

Description Stefan Gast 2017-10-20 15:24:34 UTC
Kernels before 4.13.8 are affected by CVE-2017-15265:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15265
http://seclists.org/oss-sec/2017/q4/58

4.13.8 has a patch for it, which also compiles with stable (amd64) sys-kernel/gentoo-sources-4.12.12:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.8&id=71c766e18dd3f321bd450ec7c0c20643b2c4b74e

(This is my first security-related bug report here, so please tell me if I'm doing something wrong. Apologies for any mistakes in advance.)
Comment 1 Stefan Gast 2019-01-07 13:28:40 UTC
I guess this was overshadowed by the Spectre / Meltdown disaster last year. So let's check the currently oldest kernel versions in the tree for the patch:

sys-kernel/gentoo-sources-4.4.164: patched (commit 23709ae9b61429502fcd4686e7a97333f3b3544a)

sys-kernel/gentoo-sources-4.9.140: patched (commit 35b84860667ff081eee56b62f3db2a28ca8a3823)

sys-kernel/gentoo-sources-4.14.83: patched (commit 71105998845fb012937332fe2e806d443c09e026)

sys-kernel/gentoo-sources-4.19.8: patched (commit 71105998845fb012937332fe2e806d443c09e026)

sys-kernel/gentoo-sources-4.20.0: patched (commit 71105998845fb012937332fe2e806d443c09e026)

As there is no unpatched version of sys-kernel/gentoo-sources left in the tree, IMHO this is resolved for sys-kernel/gentoo-sources. I haven't checked the other sys-kernel/*-sources ebuilds.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-26 00:27:29 UTC
Fixed in 4.9.57, 4.14