Bug 693478 (CVE-2019-15902)

Summary: <sys-kernel/gentoo-sources-{4.4.191,4.9.191,4.14.142,4.19.71}: Backporting error re-introduced Spectre vulnerability (CVE-2019-15902)
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Kernel
Assignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED FIXED
Severity: normal
CC: hydrapolic
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
URL: https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
Whiteboard:
Package list:
sys-kernel/gentoo-sources-4.19.72
sys-kernel/gentoo-sources-4.14.143
sys-kernel/gentoo-sources-4.9.192
sys-kernel/gentoo-sources-4.4.192
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev Security 2019-09-04 11:05:55 UTC
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.
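
The failure mode the description refers to, as an added user-space model (not the kernel's code and not part of the original report): a branch-free index clamp only helps if it runs before the array load. `SLOT_COUNT`, `slots`, `clamp_index` and both `read_slot_*` functions are hypothetical names; the mask arithmetic follows the idea of the kernel's generic `array_index_mask_nospec()`.

```c
#include <limits.h>
#include <stdio.h>

#define SLOT_COUNT 4UL                       /* hypothetical bound */
#define LONG_BITS  (sizeof(long) * CHAR_BIT)

static int slots[SLOT_COUNT] = { 10, 11, 12, 13 };   /* constructed data */

/* All-ones if index < size, else 0, with no branch to mispredict.
 * Relies on arithmetic right shift of a negative long (GCC/Clang). */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (LONG_BITS - 1);
}

/* Clamp: in-bounds values pass through, anything else becomes 0. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
    return index & index_mask(index, size);
}

/* Intended order: clamp first, then load through the clamped index. */
static int read_slot_fixed(unsigned long n)
{
    if (n < SLOT_COUNT) {
        unsigned long index = clamp_index(n, SLOT_COUNT);
        return slots[index];
    }
    return -1;
}

/* Swapped order: the load uses raw n, so the clamp protects nothing. */
static int read_slot_swapped(unsigned long n)
{
    if (n < SLOT_COUNT) {
        int value = slots[n];
        unsigned long index = clamp_index(n, SLOT_COUNT);
        (void)index;                         /* dead value */
        return value;
    }
    return -1;
}

int main(void)
{
    /* Same architectural results, so a functional test passes for both. */
    for (unsigned long n = 0; n < 6; n++)
        printf("%lu: fixed=%d swapped=%d\n", n, read_slot_fixed(n), read_slot_swapped(n));
    return 0;
}
```

Both functions return the same value for every input, so functional testing does not reveal this kind of regression; it has to be caught by comparing the backport against the upstream commit.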
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-09-13 00:34:47 UTC
x86 stable
Comment 2 Agostino Sarubbo gentoo-dev 2019-09-13 09:22:22 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-09-13 12:01:33 UTC
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-09-13 12:03:13 UTC
ppc64 stable
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-13 15:49:50 UTC
arm stable
Comment 6 Ben Kohler gentoo-dev 2019-09-13 16:50:21 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-09-13 17:27:48 UTC
ia64 stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2019-11-07 20:49:10 UTC
alpha & hppa marked stable due to arch team timeout under kernel project policy.