Bug 400671 - Please test and fast track sys-kernel/gentoo-sources-3.2.1-r2 stable and vanilla-sources-3.2.2
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Keywording and Stabilization
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
Keywords: STABLEREQ
Depends on: 400871 404311
Blocks: CVE-2012-0056
Reported: 2012-01-25 01:39 UTC by Mike Pagano
Modified: 2012-02-18 19:38 UTC
Description Mike Pagano gentoo-dev 2012-01-25 01:39:19 UTC
Please test and stabilize sys-kernel/gentoo-sources-3.2.1-r2. This kernel contains the fix for the root exploit CVE-2012-0056 (Linux Local Privilege Escalation via SUID /proc/pid/mem Write).[1]



[1] http://blog.zx2c4.com/749
Comment 1 Maurizio Camisaschi (amd64 AT) 2012-01-25 17:27:53 UTC
amd64 is ok
Comment 2 Michael Harrison 2012-01-25 22:20:30 UTC
amd64 ok
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2012-01-25 22:57:07 UTC
amd64 done. Thanks Maurizio and Michael
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-01-26 06:10:01 UTC
Compile and run on my machine. No bugs. x86: ok
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-01-26 07:38:27 UTC
Archtested on x86: Everything seems fine.
Comment 6 Mike Pagano gentoo-dev 2012-01-26 13:13:08 UTC
Hi, I'm adding vanilla sources 3.2.2 to this list for the same reason. I just committed it.  My amd64 arch friends, adding you guys back for this. Thanks for being super responsive, as always.
Comment 7 Fabian Köster 2012-01-26 14:19:20 UTC
I do not understand why 3.2 is being stabilized in a rush, as sys-kernel/gentoo-sources-3.1.10-r1 also contains the fix for CVE-2012-0056, doesn't it?
Comment 8 Mike Pagano gentoo-dev 2012-01-26 14:45:21 UTC
Currently, there is no 3.1 or 3.2 stable vanilla kernel that is not affected by the exploit.

The only stable 3.1 is affected. So, users of the latest stable vanilla kernel are running an exploitable kernel. Is that enough reason for you?
Comment 9 Agostino Sarubbo gentoo-dev 2012-01-26 15:23:19 UTC
Mike, I guess Fabian means something else.

As you wrote in your blog:
The following kernels now contain the fix:

gentoo-sources-3.2.1-r2

gentoo-sources-3.1.10-r1

gentoo-sources-3.0.17-r2

So, if I understand well, he means: why do we also stabilize the 3.2 series instead of stabilizing only 3.0 and 3.1?
Obviously I'm talking about gentoo-sources and not vanilla.
Comment 10 Agostino Sarubbo gentoo-dev 2012-01-26 15:48:02 UTC
amd64 done also for vanilla.
Comment 11 Mike Pagano gentoo-dev 2012-01-26 18:20:17 UTC
(In reply to comment #9)
> Mike, I guess Fabian means something else.
> 
> As you wrote in your blog:
> The following kernels now contain the fix:
> 
> gentoo-sources-3.2.1-r2
> 
> gentoo-sources-3.1.10-r1
> 
> gentoo-sources-3.0.17-r2
> 
> So, if I understand well, he means: why do we also stabilize the 3.2 series instead of
> stabilizing only 3.0 and 3.1?
> Obviously I'm talking about gentoo-sources and not vanilla.


I'm not sure what you mean since gentoo-sources-3.1.10-r1 and gentoo-sources-3.0.17-r2 are already stable for everyone except for ppc and ppc64.
Comment 12 cyberbat 2012-01-26 18:41:48 UTC
(In reply to comment #11)
> > 
> > So, if I understand well, he means: why do we also stabilize the 3.2 series instead of
> > stabilizing only 3.0 and 3.1?
> > Obviously I'm talking about gentoo-sources and not vanilla.
> 
> 
> I'm not sure what you mean since gentoo-sources-3.1.10-r1 and
> gentoo-sources-3.0.17-r2 are already stable for everyone except for ppc and
> ppc64.

Previous commentators asked whether we really need to stabilize gentoo-sources-3.2.1-r2 with sys-kernel/gentoo-sources-3.1.10-r1 already stable and not affected by CVE-2012-0056?

Just as an example, I have to mask 3.2.1-r2 because I need VirtualBox and don't want to install it from ~amd64.
Comment 13 Fabian Köster 2012-01-26 22:20:12 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > > 
> > > So, if I understand well, he means: why do we also stabilize the 3.2 series instead of
> > > stabilizing only 3.0 and 3.1?
> > > Obviously I'm talking about gentoo-sources and not vanilla.
> > 
> > 
> > I'm not sure what you mean since gentoo-sources-3.1.10-r1 and
> > gentoo-sources-3.0.17-r2 are already stable for everyone except for ppc and
> > ppc64.
> 
> Previous commentators asked whether we really need to stabilize
> gentoo-sources-3.2.1-r2 with sys-kernel/gentoo-sources-3.1.10-r1 already stable
> and not affected by CVE-2012-0056?
> 
> Just as an example, I have to mask 3.2.1-r2 because I need VirtualBox and
> don't want to install it from ~amd64.

That is what I meant. I understand the reason for stabilizing sys-kernel/vanilla-sources-3.2.1, but not for stabilizing sys-kernel/gentoo-sources-3.2.1-r2.

I am just wondering what the policy is. For me it does not matter as I can manually force running the patched 3.1.x versions.
Comment 14 Ihar Hrachyshka 2012-01-27 10:22:15 UTC
With this quick stabilization you broke builds for stable virtualbox-modules. Such a rush was not needed in this case since we have a 3.1.x kernel with the CVE patch applied.

I think in this case the proper update scenario was not applied, hence the build error for virtualbox-modules.

The main question is: why did archs confirm this upgrade path without due consideration of possible failures?
Comment 15 Mike Pagano gentoo-dev 2012-01-27 19:29:44 UTC
Out-of-kernel drivers that fail to build have never stopped kernel stabilizations in Gentoo.
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-29 15:36:21 UTC
HPPA won't go stable, as this kernel fails to boot the system. Marked -hppa.

Incidentally, I noticed that 3.1.10-r1 /is/ marked stable. Luckily that version appears to work. The thing is that 3.1.10-r1 went stable entirely without arch team testing, it seems, so the question remaining is why 3.2.* should probably be officially tested when 3.1.10 apparently wasn't.
Comment 17 Joe Jezak (RETIRED) gentoo-dev 2012-01-30 00:10:26 UTC
Marked ppc/ppc64 stable.
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-02 17:55:24 UTC
(In reply to comment #16)
> HPPA won't go stable, as this kernel fails to boot the system. Marked -hppa.
> 
> Incidentally, I noticed that 3.1.10-r1 /is/ marked stable.

3.1.10 is now marked -hppa too. It's highly unreliable as compared to 3.1.6.
Comment 19 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-02 18:22:03 UTC
(In reply to comment #18)
> (In reply to comment #16)
> > HPPA won't go stable, as this kernel fails to boot the system. Marked -hppa.
> > 
> > Incidentally, I noticed that 3.1.10-r1 /is/ marked stable.
> 
> 3.1.10 is now marked -hppa too. It's highly unreliable as compared to 3.1.6.

Could you put the 3.1/2100_proc-mem-handling-fix.patch patch in 3.1.6 too, please?
Comment 20 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-03 16:42:50 UTC
(In reply to comment #19)
> Could you put the 3.1/2100_proc-mem-handling-fix.patch patch in 3.1.6 too,
> please?

Er, it was removed? What's happening here?
Comment 21 dehua.yang 2012-02-09 02:44:19 UTC
(In reply to comment #17)
> Marked ppc/ppc64 stable.

It has problems wrt #401617
Comment 22 Markus Meier gentoo-dev 2012-02-10 16:47:12 UTC
arm stable
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-14 21:29:41 UTC
Stable for HPPA.
Comment 24 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-14 21:47:13 UTC
x86 stable, thanks Mikle
Comment 25 Raúl Porcel (RETIRED) gentoo-dev 2012-02-18 19:35:00 UTC
alpha/ia64/s390/sh/sparc stable