A 0-day local privilege escalation vulnerability has been identified by the perception point research team. I has been reported that a vulnerability in the keyring facility possibly leads to a local privilege escalation. For details please see the links below. CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0728 Report: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ Red Hat Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1297475 Reproducible: Always
As documented in the notes of the Debian security tracker [1], the URL to the commit fixing the issue, as well as the information that the vulnerability was introduced with v3.8-rc1. Thus all versions of sys-kernel/gentoo-sources currently marked as stable are affected. Upstream commit: https://git.kernel.org/linus/23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Introduced in https://git.kernel.org/linus/3a50597de8635cd05133bd12c95681c82fe7b878 (v3.8-rc1) [1] https://security-tracker.debian.org/tracker/CVE-2016-0728
Two days and still no update? :/
My kernels just the way I like 'em: exploitable!
https://gitweb.gentoo.org/repo/gentoo.git/log/sys-kernel/gentoo-sources
(In reply to Mike Pagano from comment #4) > https://gitweb.gentoo.org/repo/gentoo.git/log/sys-kernel/gentoo-sources So the latest stable (4.1.12) is still vulnerable?
(In reply to Osiris from comment #5) > (In reply to Mike Pagano from comment #4) > > https://gitweb.gentoo.org/repo/gentoo.git/log/sys-kernel/gentoo-sources > > So the latest stable (4.1.12) is still vulnerable? Yep.
I'm sorry, it seemed like you said that as if it's ok. Could you clarify the plan?
Arches, please stabilize =gentoo-sources/gentoo-sources-3.12.52-r1 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 =gentoo-sources/gentoo-sources-3.14.58-r1 Stable target: alpha amd64 arm hppa ia64 sparc x86 =gentoo-sources/gentoo-sources-3.18.25-r1 Stable targets: alpha amd64 arm hppa ia64 sparc x86 =gentoo-sources/gentoo-sources-4.1.15-r1 Stable targets: alpha amd64 ia64 ppc ppc64 sparc x86
amd64 stable
Because of our policy (kernel side) I marked stable some ebuilds. The complete status of the gentoo-sources: 3.4 series: not vulnerable 3.10 series: marked stable 3.10.95 which contains the fix (https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.95) 3.12 series: marked stable 3.12.52-r1 3.14 series: marked stable 3.14.58-r1 except ppc/ppc64 which don't have a stable keyword on this series 3.18 series marked stable by Mikle. There aren't others 3.18 ebuilds with stable keywords. 4.0 series no fixed ebuild to be marked stable because is not anymore supported upstream 4.1 marked stable 4.1.15-r1 which contains the fix. WHAT IS STILL MISSING: arm needs to test 4.1.15-r1 NOTES: ppc/ppc64 does not really want to do 3.14 I don't see other stable ebuilds for 3.18, so I'm supposing we want to keep only amd64 as stable for this series.
(In reply to Agostino Sarubbo from comment #10) > Because of our policy (kernel side) I marked stable some ebuilds. So even kernel versions are now deemed "stable" while completely untested.
(In reply to Jeroen Roovers from comment #11) > (In reply to Agostino Sarubbo from comment #10) > > Because of our policy (kernel side) I marked stable some ebuilds. > > So even kernel versions are now deemed "stable" while completely untested. We don't need useless comments. Check the git log: commit 5144328e22cb546ebaf02b025aeacea9676f918a Author: Mike Pagano <mpagano@gentoo.org> Date: Wed Oct 28 20:04:40 2015 -0400 sys-kernel/gentoo-sources: Auto stabiize per policy and remove old, unsupported 3.12.X versions commit 6a2ceeb4b2368290fa4cf8c9ea5553ee3638b95c Author: Mike Pagano <mpagano@gentoo.org> Date: Wed Oct 28 19:54:01 2015 -0400 sys-kernel/gentoo-sources: Auto stablize per policy and remove old, unsupported 3.14.X versions ommit 5b87fd0881b4278b04c454cc6728c829fbd985e6 Author: Mike Pagano <mpagano@gentoo.org> Date: Wed Oct 28 19:50:13 2015 -0400 sys-kernel/gentoo-sources: Auto stabilize per policy. Clean up of old 3.10.X kernels. commit 6758f52aab10201d6d2f9cb96f612b14b09fb989 Author: Mike Pagano <mpagano@gentoo.org> Date: Mon Oct 26 08:05:53 2015 -0400 sys-kernel/gentoo-sources: Auto stabilize 4.0.9 as per policy. Bug #564166 If you have something to discuss about the policy, that's not the right place..
I am unsure if maybe 4.1.16 would be a better candidate as it looks to cover CVE-2015-7550 per: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.16 Thanks
I guess this is useless, but I am going to ask anyway: Why are arch teams still CC'd?
(In reply to Jeroen Roovers from comment #14) > I guess this is useless, but I am going to ask anyway: Why are arch teams > still CC'd? 3.18 needs stabilizing. Only amd64 has done it.
(In reply to Mike Pagano from comment #15) > (In reply to Jeroen Roovers from comment #14) > > I guess this is useless, but I am going to ask anyway: Why are arch teams > > still CC'd? > > 3.18 needs stabilizing. Only amd64 has done it. Add another useless comment: even with the backported patch that resolves this security bug, the automated stabilisation monkey business was not enough? Speaking for HPPA, no kernel/glibc combination is good enough right now, so 3.18 is right out. If you reaqlly want 3.18, then you will have to start accepting architecture specific patches again.
Either that or we call it the security theatre Ago's made it into and call it quits for arch teams.
(In reply to Jeroen Roovers from comment #16) > (In reply to Mike Pagano from comment #15) > > (In reply to Jeroen Roovers from comment #14) > > > I guess this is useless, but I am going to ask anyway: Why are arch teams > > > still CC'd? > > > > 3.18 needs stabilizing. Only amd64 has done it. > > Add another useless comment: even with the backported patch that resolves > this security bug, the automated stabilisation monkey business was not > enough? > > Speaking for HPPA, no kernel/glibc combination is good enough right now, so > 3.18 is right out. If you reaqlly want 3.18, then you will have to start > accepting architecture specific patches again. I don't know, maybe you're a good guy in real life. I'd like to give you the benefit of the doubt. But my interactions with you make me want to do less and less around here. Close it, keep it open, I honestly care less and less these days. I have no strength nor care left to argue.
(In reply to Mike Pagano from comment #18) > I don't know, maybe you're a good guy in real life. I'd like to give you the > benefit of the doubt. But my interactions with you make me want to do less > and less around here. > > Close it, keep it open, I honestly care less and less these days. > > I have no strength nor care left to argue. I'm sorry to hear that.
It's been almost 10 days since the vulnerability has been reported. The amd64 arch has been stabilized within 3-4 days. --> What's it going to take to get the x86 arch stabilized? <--
alpha/arm/ia64/ppc/ppc64/sparc/x86 have now 4.1.15-r1 stable. @mpagano. I don't see stable keyword for 3.18 series, so for now I guess is ok leave only amd64/x86 as stable. We will accept future stablereq for this series. You can cleanup now.
alpha@ out as per c#21
(In reply to Tobias Klausmann from comment #22) > alpha@ out as per c#21 other arches too.
Stable for HPPA (4.1.35).
Cleanup on affected sources complete. Kernel so no GLSA.