Bug 215546 - Please include patch for the vmsplice local root exploit for kernels < 2.6.23-gentoo*
Summary: Please include patch for the vmsplice local root exploit for kernels < 2.6.23...
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://kerneltrap.org/mailarchive/lin...
Whiteboard:
Keywords:
Depends on: CVE-2008-0009
Blocks:
Reported: 2008-03-31 10:20 UTC by Antek Grzymała (antoszka)
Modified: 2008-03-31 14:45 UTC (History)

Description Antek Grzymała (antoszka) 2008-03-31 10:20:31 UTC
The vmsplice local root exploit patch should be included for all affected gentoo-sources kernels in the tree.

I am currently stuck with kernels 2.6.22* because of the ioremap bug in all later kernels (see bugs: http://bugzilla.kernel.org/show_bug.cgi?id=10077 and http://bugzilla.kernel.org/show_bug.cgi?id=9955). Possibly there are a lot of other people forced to stick with the 2.6.22 kernel and there's no reason why the exploit should be patched only in >=2.6.23.

Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 12:50:09 UTC
Please note that there are several bugs unfixed within the 2.6.22 version of gentoo-sources, among them bugs 158788, 171888, 188644, 196862, 198997, 199312, 199691, 199845, 200769, 202235, 202290, 209460 and 213811.

I'm pulling in the kernel team for advice, because it is fixed in gentoo-sources as far as the security policy is concerned, and this would only be an enhancement.
Comment 2 Daniel Drake (RETIRED) gentoo-dev 2008-03-31 13:19:59 UTC
gentoo-sources-2.6.22 is no longer supported and will not be updated. gentoo-sources-2.6.24 is currently the only supported version.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 13:26:46 UTC
Thanks for making that clear, Daniel.
Comment 4 Antek Grzymała (antoszka) 2008-03-31 13:29:00 UTC
(In reply to comment #2)

> gentoo-sources-2.6.22 is no longer supported and will not be updated.

Then it should either be removed from the tree, masked or patched. It's a
simple fix, two minutes' worth of work. I think keeping unmasked insecure
packages is neither in Gentoo's interest nor the security policy.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 14:38:13 UTC
(In reply to comment #4)
> (In reply to comment #2)
> 
> > gentoo-sources-2.6.22 is no longer supported and will not be updated.
> 
> Then it should either be removed from the tree, masked or patched. It's a
> simple fix, two minutes' worth of work. I think keeping unmasked insecure
> packages is neither in Gentoo's interest nor the security policy.

As far as our security policy goes, only the latest available ebuild for each source is supported. I see how that is not desirable for both developers and users, and we are working on improving that. Your help is very much appreciated there, please talk to me on IRC or via mail.
Comment 6 Daniel Drake (RETIRED) gentoo-dev 2008-03-31 14:45:03 UTC
If you have time, you should file bugs for any issues preventing you from running the latest kernel. We are then at least aware of the issues, can track them, and can maybe help solving them. When marking new kernels stable (and ending support for older ones) we always review outstanding regression bugs and base decisions from that. We can't consider regressions that nobody has told us about :)