Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 627924 - sys-kernel/tuxonice-sources : Hundreds of vulnerabilities
Summary: sys-kernel/tuxonice-sources : Hundreds of vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
URL:
Whiteboard: A0 [masked]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-15 11:52 UTC by Mike Pagano
Modified: 2018-01-06 12:07 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Pagano gentoo-dev 2017-08-15 11:52:21 UTC
The tuxonice-sources package is not being maintained anymore. I have reached out to the maintainer on IRC who has not responded.

The package has not received an update since: 2016-05-30

*This package installs kernel sources that contain known root exploits.*

There are a few bugs open, but even those are from 2014 at the latest.

Please consider this package for treecleaning.
Comment 1 Arfrever Frehtes Taifersar Arahesis 2017-08-15 15:19:32 UTC
TuxOnIce seems to be still maintained in https://github.com/NigelCunningham/tuxonice-kernel but it seems that easily downloadable patches for specific versions of kernel are no longer provided.

I have asked upstream:
https://github.com/NigelCunningham/tuxonice-kernel/issues/36
Comment 2 Mike Pagano gentoo-dev 2017-09-16 15:22:42 UTC
It's been a month. Did you get a response from upstream?  We are now on month 16 without any updates and these tuxonice kernels all have known exploits. Seems a disservice to our users to keep these in the repository.
Comment 3 Arfrever Frehtes Taifersar Arahesis 2017-09-18 06:26:45 UTC
I received no response in https://github.com/NigelCunningham/tuxonice-kernel/issues/36.

You can mask sys-apps/tuxonice-userui and sys-kernel/tuxonice-sources for deletion.
Comment 4 Patrice Clement gentoo-dev 2017-09-29 08:21:59 UTC
Hey 

Upstream responded, see:
https://github.com/NigelCunningham/tuxonice-kernel/issues/36#issuecomment-331230205

What's the next step now?
Comment 5 Mike Pagano gentoo-dev 2017-09-30 15:28:50 UTC
No one has said they will step up and maintain this.  We should at least mask all versions in the tree as everyone contains known exploits.
Comment 6 Mike Pagano gentoo-dev 2017-10-08 14:46:29 UTC
Security Team. Please mask and tree clean sys-kernel/tuxonices.
If someone steps up and updates these kernels, all the better, but it's been 18 months and this bug is almost 2 months old.

These kernels have not seen an update since May of 2016 and are vulnerable to hundreds of kernel CVEs.  In fact, 380 kernel CVEs have been issued in 2017 alone as seen here: 

http://www.cvedetails.com/vulnerability-list.php?vendor_id=33&product_id=47&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=2017&month=0&cweid=0&order=1&trc=380&sha=d80d3346f69d7155f090a2b7862af859427c62ef

Here's a list of just a few:

CVE-2017-1000380
CVE-2017-1000379
CVE-2017-1000377
CVE-2017-1000371
CVE-2017-1000370
CVE-2017-1000365
CVE-2017-1000364
CVE-2017-1000252
CVE-2017-1000251
CVE-2017-14954
CVE-2017-14497
CVE-2017-14489
CVE-2017-14340
CVE-2017-14156
CVE-2017-14140
CVE-2017-14106
CVE-2017-14051
CVE-2017-13715
CVE-2017-13695
CVE-2017-13694
CVE-2017-13693
CVE-2017-13686
CVE-2017-12762
CVE-2017-12168
CVE-2017-12154
CVE-2017-12153
CVE-2017-12146
CVE-2017-11600
CVE-2017-11473
CVE-2017-11472
CVE-2017-11176
CVE-2017-10911
CVE-2017-10810
CVE-2017-10663
CVE-2017-10662
CVE-2017-10661
CVE-2017-9986
CVE-2017-9985
CVE-2017-9984
CVE-2017-9605
CVE-2017-9242
CVE-2017-9211
CVE-2017-9150
CVE-2017-9077
CVE-2017-9076
CVE-2017-9075
CVE-2017-9074
CVE-2017-9059
CVE-2017-8925
CVE-2017-8924
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-08 14:56:44 UTC
concur with kernel team.

# Aaron Bauman <bman@gentoo.org> (8 October 2017)
# severely vulnerable and unmaintained sources.
# Masked for removal in 30 days. Bug #627924
sys-kernel/tuxonice-sources

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64745cf09285597b1c1376d6b011b6a51c429df7
Comment 8 Peter Gantner (a.k.a. nephros) 2017-11-19 12:07:18 UTC
There has been some activity on github by the maintainer again, bringing the code up to all the latest versions of the upstream kernel.

Perhaps the treecleaning can be postponed and the ebuild restored to the tree?
Comment 9 Mike Pagano gentoo-dev 2017-11-20 23:58:47 UTC
(In reply to Peter Gantner (a.k.a. nephros) from comment #8)
> There has been some activity on github by the maintainer again, bringing the
> code up to all the latest versions of the upstream kernel.
> 
> Perhaps the treecleaning can be postponed and the ebuild restored to the
> tree?

Someone has to step up to do the work...
Comment 10 Larry the Git Cow gentoo-dev 2018-01-06 12:02:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7dde116c5470e51a3125501b1db26010226cd92

commit a7dde116c5470e51a3125501b1db26010226cd92
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-01-06 12:00:03 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-01-06 12:01:57 +0000

    sys-kernel/tuxonice-sources: remove last rited package
    
    Bug: https://bugs.gentoo.org/627924

 sys-kernel/tuxonice-sources/Manifest               | 95 ----------------------
 sys-kernel/tuxonice-sources/metadata.xml           | 23 ------
 .../tuxonice-sources-3.10.100.ebuild               | 34 --------
 .../tuxonice-sources-3.10.101.ebuild               | 34 --------
 .../tuxonice-sources-3.12.56.ebuild                | 34 --------
 .../tuxonice-sources-3.12.58.ebuild                | 34 --------
 .../tuxonice-sources-3.12.60.ebuild                | 34 --------
 .../tuxonice-sources-3.14.64.ebuild                | 34 --------
 .../tuxonice-sources-3.14.67.ebuild                | 34 --------
 .../tuxonice-sources-3.14.70.ebuild                | 34 --------
 .../tuxonice-sources-3.18.28.ebuild                | 34 --------
 .../tuxonice-sources-3.18.31.ebuild                | 34 --------
 .../tuxonice-sources-3.18.34.ebuild                | 34 --------
 .../tuxonice-sources-3.4.110.ebuild                | 33 --------
 .../tuxonice-sources-3.4.111.ebuild                | 33 --------
 .../tuxonice-sources-3.4.112.ebuild                | 33 --------
 .../tuxonice-sources-4.1.19.ebuild                 | 34 --------
 .../tuxonice-sources-4.1.22.ebuild                 | 34 --------
 .../tuxonice-sources-4.1.24.ebuild                 | 34 --------
 .../tuxonice-sources/tuxonice-sources-4.2.8.ebuild | 34 --------
 .../tuxonice-sources/tuxonice-sources-4.3.6.ebuild | 34 --------
 .../tuxonice-sources-4.4.11.ebuild                 | 34 --------
 .../tuxonice-sources/tuxonice-sources-4.4.5.ebuild | 34 --------
 .../tuxonice-sources/tuxonice-sources-4.4.8.ebuild | 34 --------
 .../tuxonice-sources/tuxonice-sources-4.5.2.ebuild | 34 --------
 .../tuxonice-sources/tuxonice-sources-4.5.4.ebuild | 34 --------
 26 files changed, 931 deletions(-)}
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-01-06 12:07:40 UTC
Removed.